
The Hacking Hole Where John Bolton Should Be

Unless DOJ disguised him, the hack of John Bolton described in his indictment didn’t show up in the Iranian hack-and-leak indictment. It should have. After listing the 2022 attempt to assassinate Bolton (where he is described as “a former US National Security Advisor”), the indictment lists a slew of people that Iran’s IRGC attempted to hack (starting in 2020) and (starting in 2021) nine people it succeeded in hacking before it hacked Roger Stone and four other Trump flunkies.

Bolton should have, could have, been included along with those nine people.

As the (nifty color-coded) timeline below makes clear, Bolton told the FBI about the hack of him on July 6, 2021, just as the Iranian hackers were setting up infrastructure to hack a set of people that includes those, like Bolton, who played a role in the Qasem Soleimani assassination and Trump’s hardline first-term approach with Iran.

To be sure, there are potentially good reasons why Bolton is not in there. There’s a sealed notice of related case in the Bolton docket (at docket entry 6), which could reflect charges against the people who hacked him, charges that might have been filed shortly after he alerted the FBI about the hack. Prosecutors could have left Bolton out to obscure that he told the FBI about the hack (and that therefore the FBI had been working backwards from that ever since, which is consistent with the timeline). Prosecutors could have left Bolton out because the criminal investigation into him remained open.

All plausible reasons to leave him out.

But when you put the hack and assassination targeting of Bolton on the same timeline as the hack-and-leak targeting first fellow Iran hawks and then the Trump campaign, as well as the second alleged assassination attempt by Asif Merchant, all presumed to be IRGC, it raises further questions.

First, one reason I was interested in Merchant’s disclosure yesterday that he was under surveillance from the moment he arrived in the US in April 2024 is because it suggests US spies were already well aware of the efforts to retaliate for the Soleimani killing. Indeed, the timeline explains how the FBI was magically able to get CHSes in both the Shahram Poursafi and the Asif Merchant attempt to hire hit squads to target Bolton and others: the FBI identified those people via those intercepts and flipped them early on in the plot.

It does raise questions about whether the FBI also knew of the hack-and-leak targeting Bolton in advance. The FBI would have been tracking the IRGC closely after their 2020 effort to attack Democrats under the guise of the Proud Boys (an earlier plot that makes the targeting of Proud Boy ally Roger Stone more interesting).

There is some separation between these two plots. While Poursafi eventually had access to non-public intelligence targeting Bolton, he didn’t even know Bolton’s home address at first, which he would have known if he had the emails stolen from Bolton available to him. But the hack-and-leak indictment, at least, lists as one of the goals of the hacking campaign, “to advance the IRGC’s malign activities, including ongoing efforts to avenge the death of Qasem Soleimani,” and the first hack it includes, of someone at State who led the Abraham Accords, implies that’s how they used “travel, lodging and other information” from someone who was “a senior U.S. Department of State official at the time of Qasem Soleimani’s death and therefore of interest to the IRGC.” Near the tail end of the Poursafi complaint, so just weeks before the hack of that victim, Poursafi turned to another target.

But that’s the other reason this timeline is of such interest. The progression with Bolton went Hack > Extortion > Assassination Attempt. Bolton could simply have cooperated with the IRGC, but instead he went to the FBI (which has now led to his prosecution).

Trump, however, did not.

It was over two months between the time hackers got into Roger Stone’s Hotmail account in May 2024 and the time the hack became public. In July, when they first became aware of the hack, the campaign affirmatively decided not to report it to the FBI.

Trump’s mistrust of federal agencies has complicated the investigation into Iran’s cyberattack on his campaign. When a technology firm first discovered the breach, campaign aides huddled to discuss what they should do. After hours of discussions in July, they decided they trusted the software experts to handle the matter and did not call the FBI. Co-campaign manager Susie Wiles, whose email account was targeted, was among those who questioned whether they could trust the Justice Department. The fears centered on giving federal officials access to campaign email servers and whether they would leak information out publicly.

As I noted at the time, Trump made that decision after relentlessly (and falsely) accusing the FBI of failing to get the server from the DNC hack. The decision was understandable (once you account for Trump’s venality and paranoia), because according to the initial reports, the hackers claim to have gotten information on Trump’s legal cases, not just his campaign.

The sender would not speak on the telephone with a Post reporter but indicated they had access to additional information, including internal campaign emails and documents related to Trump’s court cases.

And one reason that’s interesting is because — as Reuters disclosed only this summer — the lawyer targeted in the attack was Lindsey Halligan, who had no public role on the campaign but who did represent Trump on the stolen documents case.

In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.

Which brings me back to Merchant, to the delay in turning over his own conversations until October 28.

Two public things might explain that delay (there are no doubt a bunch of secret things that could too): The conviction of Ryan Routh, who did have Iranian ties, though no Iranian role in his assassination attempt was publicly disclosed, and the indictment of Bolton, which disclosed that Bolton alerted the FBI to this hack back in 2021, just months before the FBI would preempt an assassination effort targeting Bolton as well.

The FBI took far greater efforts to rein in any publication of the materials stolen from Trump’s people than they ever have on another leak save WikiLeaks’ biggest document dumps. I can’t help but wonder whether there’s more about the Trump hack we weren’t told.

Timeline

December 19, 2018: Hackers establish account using Israeli politician’s name.

April 15, 2019: IRGC designated as FTO.

January 3, 2020: Trump kills Qasem Soleimani.

April 11, 2020: Hackers get an account in the name of a SCOTUS spouse.

October 22, 2020: Treasury sanctions IRGC for tampering in 2020 election.

June 16, 2021: Bolton and DOJ enter settlement on book.

July 6, 2021: Bolton representative tells FBI Iran has hacked Bolton.

July 7, 2021: Hackers register fake domain mailerdaemon.online.

July 25, 2021: Hacker threatens to release Bolton materials.

I do not think you would be interested in the FBI being aware of the leaked content of John’s email (some of which have been attached), especially after the recent acquittal. 

This could be the biggest scandal since Hillary’s emails were leaked, but this time on the GOP side!

Contact me before it’s too late…

July 28, 2021: Bolton representative tells FBI about threat.

July 29, 2021: Bolton rep tells FBI he would delete account.

August 5, 2021: Iran threatens Bolton again.

OK John … As you want (apparently), we’ll disseminate the expurgated sections of your book by reference to your leaked email…

October 22, 2021: Shahram Poursafi asks Individual A to photograph Bolton. Individual A suggests CHS.

November 9, 2021: Hackers register fake domain mailer-daemon.live. CHS contacts Poursafi; Poursafi asks if he could hire someone to “eliminate someone.”

November 14: Poursafi tells CHS he doesn’t need pictures anymore. After searching for it online, Poursafi provides Bolton’s DC office address with name of scheduling assistant.

November 18: Poursafi note with Bolton’s name, website, social media handle, and former title.

November 19: CHS asks for home address and asks how to do it.

November 21: Poursafi ups the payment to $300,000.

November 23: CHS tells Poursafi he traveled from Texas to DC; Poursafi still did not have home address, but that Bolton walked or was driven to work.

December 7, 2021: Poursafi says because of a recent failed operation, Iran did not approve payment.

December 10, 2021: Poursafi told the CHS that Bolton didn’t go outside often.

December 12, 2021: Hackers register tinyurl.ink.

December 14, 2021: Hackers create persona based on DC think tank employee and phish State employee (Victim 1). 

December 16, 2021: Poursafi asked CHS to refer to Bolton by name “Benham.”

December 20, 2021: With Bolton’s consent, CHS sent pictures of Bolton leaving his office.

December 22, 2021: Poursafi sends picture of cash he claims is for CHS.

January 3, 2022: Iranian President Ebrahim Raisi says Trump and other high ranking Trump officials need to face trial for Soleimani killing. Poursafi tells CHS the murder was not timed to coincide with anniversary of Soleimani death. Poursafi says he has a source who says Bolton is at home.

January 5, 2022: CHS tells Poursafi he would do the job on January 16 or 17.

January 7, 2022: IRGC head Esmail Ghani promises revenge.

January 10, 2022: CHS asks if Ghani’s speech was a reference to this job.

January 15, 2022: CHS claims to have three vans. Poursafi warns not to talk operational details on phone, instructs CHS to crush phone and/or change Poursafi contact to “Mark” in it.

January 18, 2022: CHS sent Poursafi public information stating that Bolton might be traveling; Poursafi said that Bolton was not. “The information does not appear to have been publicly available. POURSAFI did not specify whether his source was a person conducting surveillance, a cyber intrusion, or another type of source.”

January 20, 2022: Poursafi told CHS Bolton did not have a body guard, had not yet left town.

January 28, 2022: Poursafi instructs CHS to get surveillance cameras for Bolton’s home and office.

January 29, 2022: Poursafi instructs CHS to restore social media account.

February 1, 2022: Poursafi told CHS the area around Bolton’s home was clear.

April 13, 2022: Poursafi pushes CHS to do a second job.

April 28, 2022: Poursafi told CHS to finish the second job in six days.

April 30, 2022: Hackers create another persona, persona 3.

May 9, 2022: Jalili accesses persona 3 account, other hackers arrive in office, send test message to book author.

May 31, 2022: Hackers register mailer-daemon.me.

June 18, 2022: Hackers create persona 4, phish victim 1.

August 2, 2022: Hackers create spoof of think tank, with two more personas.

August 5, 2022: Shahram Poursafi complaint.

August 6, 2022: Hackers start stealing from victim 1, including his passport.

Early August 2022: Hackers create persona based on DC journalist/think tanker (victim 4).

August 23, 2022: Victim 4 responds to phish.

August 29, 2022 through October 5, 2022: Hackers hack former Homeland Security Advisor (Victim 5).

October 4, 2022: Hackers pose as assistant to Victim 1 to contact peace organization employee (Victim 2), using stolen passport and get Victim 2 to buy business class ticket for Victim 1.

October 26, 2022: Hackers used Victim 1 passport to query about UAE conference.

November 23, 2022: Hackers create persona based on UAE embassy employee in DC, then use account to invite Victim 1, a former senior CIA person (Victim 6), a former US Ambassador to Israel (Victim 7), and a former Deputy CIA Director (Victim 8) as well as other targeted persons to a party at UAE embassy.

December 20, 2022 to January 23, 2022: Hackers compromise Victim 6’s personal email.

January 16, 2023: Hackers create encrypted app account in the name of DC think tank employee and phish Iranian Human Rights worker (Victim 9).

April 2024: Hackers try to phish Victim 5.

April 13, 2024: Merchant arrives in Houston.

April 22, 2024: Merchant pitches CHS on business.

May 23, 2024: Hackers attempt to log into Roger Stone’s account.

May 24, 2024: Hackers use recovery code to access Stone’s account.

June 3-4, 2024: Merchant presents plan.

June 10, 2024: Merchant and CHS meet fake hitmen.

June 12, 2024: Hackers access Stone’s account and access campaign official (Victim 11).

June 13, 2024: Merchant establishes code.

June 15, 2024: Hackers use Stone’s account to attempt to phish Victim 13 (Susie Wiles?).

June 18, 2024: Merchant arranges payment with US-based associate.

June 20, 2024: Hackers hack a second Stone account.

June 21, 2024: Via WhatsApp Merchant’s cousin arranges payment.

June 27, 2024: Hackers send Trump debate prep to two people on Biden’s campaign; neither responded.

July 3, 2024: Hackers send Trump info to another Biden associate; that person did not respond.

July 12, 2024: Merchant arrest.

July 20, 2024: Hackers use 2FA hack to access Trump lawyer [Lindsey Halligan?], Victim 12.

July 22, 2024: Hackers started pitching content to journalists, including by pitching one journalist on things campaign official said to Susie Wiles about that journalist’s reporting.

August 9, 2024: Microsoft report on Iran hack.

August 10, 2024: Politico reports hack; WaPo follows.

August 13, 2024: Hackers ousted from Victim 11 account and Victim 12 account.

August 14, 2024: Google report on Iran hack.

August 31, 2024: Hackers pitch more journalists (including me).

September 24, 2024: Iran hack-and-leak indictment.

October 2, 2024: FISA notice in Merchant prosecution.

December 20, 2024: Initial CIPA request in Merchant prosecution.

July 1, 2025: Hackers attempt to sell Susie Wiles, Lindsey Halligan, Stone, and Stormy Daniels emails.

July 11, 2025: CIPA filing in Merchant prosecution.

August 11, 2025: CIPA meeting in Merchant prosecution.

September 23, 2025: Ryan Routh guilty verdict.

October 18, 2025: Bolton indicted.

October 28, 2025: Delayed discovery provided in Merchant prosecution.

November 12, 2025: Ex parte communication in Merchant prosecution.

 


Purple: Shahram Poursafi complaint

Blue: Iran hack-and-leak indictment

Pink: Asif Merchant complaint

Green: Bolton prosecution

 


Asif Merchant Says EDNY Screwed Up Its Intercepts

Asif Merchant wants EDNY to provide all the spying the FBI did targeting him — or at least the spying that they say matches the calls he made while they were surveilling him.

As you’ll recall, Merchant is the Pakistani guy that EDNY arrested in July 2024 for allegedly soliciting someone to kill political targets, possibly including Donald Trump. Since then, Merchant has been sitting in prison, under communication restrictions, awaiting trial, which is currently scheduled for February 23, 2026. On October 2, 2024, DOJ informed Merchant they used FISA to find him. Just over a year ago, on December 20, 2024, DOJ kicked off the Classified Information Procedures Act (CIPA) process. It filed a CIPA Section 4 motion (where the government asks to withhold certain materials that aren’t relevant or helpful to the defense) on July 11, and met with Judge Eric Komitee about it on August 11, after which point Komitee ordered the government to provide the materials they had discussed with the Court Information Security Officer.

In a letter asking the judge to intervene in a discovery dispute, Merchant’s lawyers reveal that the initial story DOJ told — that the guy Merchant asked to help him find a hit squad simply went to the FBI which is where the FBI first learned of the plot — is inaccurate. In fact, Merchant was under FISA surveillance even before he arrived in the United States in April 2024 and he was closely surveilled the entire time he was in the US.

Discovery has revealed that Asif was under investigation before he arrived in the United States, and he was under surveillance from the moment he arrived in this country. In addition, Asif was the subject of electronic surveillance under the Foreign Intelligence Surveillance Act (“FISA”). (See Notice of Intent to Use Foreign Intelligence Surveillance Act, Docket Entry No. 20). As a result, the government is in possession of his communications which it obtained through this electronic surveillance. In addition, Asif was also under surveillance by teams of agents. The government produced reports from these surveillance teams, which indicate that Asif was constantly speaking on his phone. The government also set-up a hidden camera in a hotel room where he stayed for a number of days, which also indicates that Asif made a number of calls on his cellphone (though the calls can be difficult to hear). Both the surveillance reports and the hidden camera cover only a portion of the time between Asif’s entry into the United States and his arrest.

On November 8, 2024, the government produced five recordings of Asif’s intercepted telephone calls. On October 28, 2025,[1] Defendant received sixty-four additional audio-recordings of Asif’s telephone calls from the government. These sixty-nine recordings, however, do not match up with the phone calls noted in the surveillance reports. Moreover, given the frequency with which Asif used his phone while under surveillance and while his phone was subject to monitoring (as can be observed on the surveillance videos produced by the government, for example), the government is likely in possession of many additional recordings that have not been produced. In addition to the sixty-four recordings, the October 21, 2025, production included a number of FBI reports that were redacted.

[1] The government’s cover-letter is dated October 21, 2025. (See Docket Entry No. 60).

Among the many concerns Merchant’s lawyers raised was why they didn’t get this discovery until October 28 (with a letter dated October 21).

During the November 25, 2025, meet and confer, the Defense (1) expressed concerns about the timing of the October 28, 2025, production and asked why the government had not produced the recordings at an earlier date, since they appear to have been in the government’s possession throughout the pendency of this case;

But his attorneys are also asking for all the intercepts of Merchant, particularly those that match with the surveillance of him.

Both the surveillance reports and the camera recording indicate that he used his cellphone constantly. The recordings produced by the government, however, do not match the communications which occurred during the surveillance. In other words, many more recordings of Asif should exist that correspond to telephone calls noted in the reports or indicated by the footage. Second, the additional recordings are material. Asif is accused of coordinating anti-American activity and assassinations on behalf of a foreign government over the course of the approximately three months he was in the United States. The content of the recordings is relevant to show his actual activity during that time period, and the government’s refusal to produce the recordings implies that these communications do not constitute evidence of the alleged plot. On the other hand, the additional recordings would show him engaging in activity and discussing matters unrelated to the allegations in this case.

Probably, these problems simply reflect a delayed CIPA decision that they had to share the intercepts and incompetence, possibly arising from the competence drain under Trump.

But the revelation that the FBI was watching Merchant when he arrived in April 2024 is interesting for a slew of reasons, which I’ll return to.


Don’t Make the Same Mistake with Iran that Denialists Made with Russia

I read the book by Aaron Zebley, James Quarles, and Andrew Goldstein on the Mueller investigation. Regarding the investigation itself, there were no new details. Where the book does break new ground is in describing the discussions with Trump’s attorneys and DOJ officials, especially with regards to the debate about whether to subpoena Trump. I’ll return to those details in a follow-up.

But I want to point to something they said in their afterword. They describe that Barr’s treatment of the report helped sow doubt about the import of the Russian attack on US democracy in 2016.

Perhaps the most significant casualty of Barr’s handling of the report was the truth about Russia’s attack on the United States during the 2016 election. The Russian government interfered in our democracy in sweeping and systematic fashion. Those are the first substantive words of our report. This statement is beyond dispute, and yet many in America do not know that, and still others deny it.

As detailed in volume I of our report, Russian operatives working for the Internet Research Agency visited the United States in 2014 to gather intelligence for what they called “information warfare” against the United States. They returned to Russia and—sitting at their desks in Saint Petersburg—planned and advertised rallies to support Trump at specific US locations, invited Americans to attend, provided banners for Americans to wave, and then handed off logistical responsibilities for the events to real Americans. The goal of these activities, along with their yearslong campaign of false-name social media accounts, was to further divide Americans and cause them to think and behave in particular ways—including at the voting booth in 2016.

Meanwhile, Russian military intelligence hacked into email accounts belonging to the Democratic team supporting Hillary Clinton in 2016, and then dumped emails and other documents they had stolen at specific times during the campaign to harm Clinton and bolster Trump. The Russians also leveraged WikiLeaks to release the stolen information, and, like the Russians, WikiLeaks timed its releases to favor Trump’s candidacy.

While these operations were underway, Russian government officials and their proxies reached out to multiple Trump campaign officials. George Papadopoulos was one example. A month after Trump appointed him as a foreign policy adviser in March 2016, Papadopoulos received word about a Russian government offer to assist the Trump campaign through the anonymous release of information damaging to Clinton—“dirt” in the form of “thousands of emails.” This offer coincided with the Russian military’s then secret hack-and-dump operation.

It is beyond dispute that the Russians interfered in the 2016 election to support Trump—that was no hoax. They worked to secure his win. Our investigation of this work was no witch hunt.

[snip]

It has not seemed to matter, for instance, that our hack-and-dump indictment, which was backed by financial, email, and other records, demonstrated irrefutably that the Russian military executed this operation. Three days after the indictment came out, Trump dismissed it all in a press conference in Helsinki, Finland, after Putin—standing a few feet to Trump’s left—told him, “It’s not Russia.” Trump and his advocates declared it all a hoax, taking Putin’s word over the plain facts. And millions of Americans have taken this as truth, siding with Kremlin propaganda over the US Department of Justice.

We are now heading into another election. Russia interfered before, Russia is emboldened, and Russia is interfering again. Bob described Russia’s actions as one of the most serious attacks on democracy he has seen in his career—chilling words from the person who helped lead America’s fight against terrorism following the 9/11 attacks. As he put it in his 2019 testimony, the Russians are interfering in our democracy “as we sit here, and they expect to do it during the next campaign.”

I’ve obviously written a lot about this. It’s the central focus of the Ball of Threads podcast that LOLGOP and I are doing.

I fear that, because of the polarization Trump has deliberately stoked, many lefties are doing the same thing that Trump’s MAGAts did with Russia: treat credible allegations that Iran is targeting him, both for hacking and assassination, as a hoax.

Regarding the hacking, as happened in 2016, it is not just the Intelligence Community (one, two) attributing the hack in real time. Both Microsoft and Google have described the operation. As I explained repeatedly regarding the 2016 Russian attack, big American tech companies have a similar kind of global reach as the NSA, and when someone uses their infrastructure to target someone, they have both the tools and an independent incentive to get the attribution right. There’s really no reason to doubt the attribution, from three of the entities with the best global reach in the world, that Iran targeted Trump’s campaign.

Regarding Iran’s attempt to assassinate Trump, there’s also no reason to doubt that. While the case against Asif Merchant, whom DOJ accused of trying to solicit a variety of operations targeting Trump, does rely on undercover FBI employees posing as wannabe hitmen, the underlying tip — from the guy Merchant allegedly asked for help recruiting a hit team — appears to be organic, just someone calling the cops. Plus, the effort bears a certain resemblance to the effort to solicit assassins for John Bolton, arising from the same motive of revenge for the Qassem Soleimani killing.

According to court documents, on Oct. 22, 2021, Poursafi asked Individual A, a U.S. resident whom Poursafi previously met online, to take photographs of the former National Security Advisor, claiming the photographs were for a book Poursafi was writing. Individual A told Poursafi that he/she could introduce Poursafi to another person who would take the pictures for $5,000-$10,000. Individual A later introduced Poursafi to an associate (referred to in court documents as the confidential human source or CHS).

On Nov. 9, 2021, Poursafi contacted the CHS on an encrypted messaging application, and then directed the CHS to a second encrypted messaging application for further communications. Poursafi offered the CHS $250,000 to hire someone to “eliminate” the former National Security Advisor. This amount would later be negotiated up to $300,000. Poursafi added that he had an additional “job,” for which he would pay $1 million.

As I noted in my first post on the Merchant arrest, the Pakistani man took 20 minutes before he let the FBI in to arrest him, meaning he may have had time to destroy evidence. There’s no reason to assume Merchant’s efforts to hire assassins were limited to the NYC source who called the FBI, nor is there reason to assume that Merchant was the only one recruiting assassins.

Indeed, as I keep noting, we can’t rule out that Ryan Routh (who was indicted yesterday and will face trial before Aileen Cannon, and whose son was arrested Monday after the FBI found CSAM at his house while conducting a search presumably related to his father) was recruited by Iran. His sympathy for Iran and his antipathy for Trump were both public, he imagined himself a fighter, and he had international ties from his efforts to recruit fighters for Ukraine. Both the Bolton efforts and the Merchant plot relied on secure digital operational security, and the six phones Routh had in his truck indicate he was communicating in unusual ways, even for — especially for — a person with possible mental illness. And the timing of Routh’s movements — he left North Carolina August 14 and traveled to Florida, scoped out Trump events in August, September, and October, and conducted reconnaissance for much of the month leading up to his arrest — matches the planned timing of the Merchant plot. For a variety of reasons (not least that Routh has due process rights and an incentive to flip, if he did have co-conspirators), if the FBI did suspect an Iranian tie, they wouldn’t say more than they already have done, including references to Iran in his detention memo.

In the wake of Routh’s indictment yesterday, the IC briefed Trump on ongoing assassination threats from Iran. And while his comments to Fox — suggesting that Kamala Harris was weak on Iran — were typical Trump garbage, Trump’s Xitter account posted something that — for him — is downright gracious, recognizing the bipartisan support to expand Secret Service funding.

It is perfectly reasonable to call out the double standards of Trump himself, in responding stupidly to the hacking attempt, in ignoring his own role in the stalking of Barack Obama and pretending he has faced unique threats, in media outlets refusing to publish stolen emails.

Trump’s narcissistic behavior is one reason it’s so easy for hostile countries like Russia and Iran to stoke division.

But that doesn’t mean you should make it easier for them, by doubting the word of neutral parties who attest the threat to Trump is real. The Russian attack continues to do real damage, to this day, because the investigation into it led to such polarization. If I’m right about the Steele dossier (Ball of Thread version), some of that was by design, while some of it was the auspicious upside (from the perspective of Russia) of targeting a narcissist. But the result is the same: By targeting Trump, you can elicit the tribalism that damages the US, regardless of Iran’s (or Russia’s) other efforts. A great deal of the polarization in the US, a great deal of the conspiracism on the part of Trump supporters, and therefore a great deal of the extremism, stems from the response to the Russian attack and investigation.

Whether a country backs Trump or wants revenge against him, the goal is the same: to end US hegemony and extend authoritarianism. There are public, rational reasons to believe that Iran really is targeting Trump. There are no good reasons to instead irrationally doubt those public attributions.

Update: In an appearance in North Carolina, Trump said there could be a tie to Iran, and complained that DOJ had not yet broken into the six phones found in Routh’s truck.


Ryan Routh’s Eleven Phones and Two Iran Mentions

DOJ has submitted a detention memo for Ryan Routh, the man held on suspicion that he was trying to assassinate Donald Trump.

The memo cites a letter, left in a box with a neighbor months ago, that seems to confirm that he was trying to assassinate Trump (and offering six figures to anyone else who would accomplish the task). That same letter describes that Trump, “ended relations with Iran like a child and now the Middle East has unraveled.” The detention memo also cites the passage from Routh’s manuscript that I noted here, apologizing to Iran for voting for Trump.

I am man enough to say that I misjudged and made a terrible mistake and Iran I apologize. You are free to assassinate Trump as well as me for that error in judgment and the dismantling of the deal.

The memo describes a number of other things that suggest an operational security far exceeding that of a mentally ill man seeking glory. As I noted in the earlier post, the phone he had on his person while surveilling the golf course was one for which he had posted the WhatsApp number while Asif Merchant, charged in an attempt to recruit hitmen to target Trump, was still at large on July 10.

But in addition to that phone, Routh had six cellphones in his truck, at least two of which used different carriers, and four more cell phones in the box he left at a neighbor’s. As I mentioned, Merchant provided the informant in that case instructions on acquiring secure phones.

As previous reports described, the license plates on his truck were stolen, and he had two other sets of plates in the truck. One of the phones in the truck had been used to search for directions to Mexico.

Again, it certainly may be that Routh was simply disturbed. But more of this looks like Iran may have been involved.


The Concerning Paragraph in the Ryan Routh Complaint

Of all the coverage on Ryan Routh — the seemingly unbalanced man who fled Trump’s golf course after being spotted with a gun yesterday — just the NYT (that I’ve seen) notes Routh’s various statements seeming to express regret about the US’ worsening relationship with Iran.

In one convoluted passage, Mr. Routh vented his anger at Mr. Trump’s dismantling of the Obama administration’s nuclear deal with Iran.

After writing “Iran, I apologize,” Mr. Routh added, “you are free to assassinate Trump” — although he moves freely in the book between addressing his general readers and specific subjects.

Mr. Trump and his allies have long warned about the threat posed by Iran to the former president’s personal safety. In August, the Justice Department charged a Pakistani man who had recently visited Iran with trying to hire a hit man to assassinate political figures in the United States. Investigators believe that those potential targets likely included Mr. Trump.

Most journalists report that there have been two seeming assassination plots against Trump. Not so, if you count Asif Merchant’s efforts to hire a hit man, purportedly to go after Donald Trump. That would be a third.

Unless there’s a tie between Merchant’s efforts and Routh’s.

That’s almost certainly not the case.

Routh seems like someone who keeps searching for grandiose meaning in his life.

Still, I keep thinking about this paragraph from the complaint charging Routh with owning a gun as a felon.

Routh was offering a public way to contact him, via WhatsApp, on the phone he had with him yesterday, a phone he seems to have carried on his person even though the gun he had and the truck he drove both had identifying information obscured.

Routh was doing so on July 10, on a day when Merchant remained at large (Merchant was arrested on July 12).

One aspect of Merchant’s planning involved requiring the EDNY informant — whom Merchant believed would help him find a hit squad — to get him a new phone.

On or about June 10, 2024, Merchant met with the purported hitmen, who were in fact undercover U.S. law enforcement officers (the “UCs”) whom the CS introduced to Merchant at Merchant’s request. Merchant advised the UCs that he was looking for three services from them, including killing a “political person.” During the meeting, Merchant presented himself as the “representative” in the U.S., indicating that there were other people he worked for outside the U.S. Merchant told the UCs that he wanted to pay the hitmen in cash through “hawalas”—an informal and unregulated method of transferring money—in Istanbul and Dubai. Merchant also stated that he would give the hitmen instructions on who to kill either the last week of August 2024 or the first week of September 2024, after he returned to Pakistan. Merchant requested that the UCs provide him with a secure cellular phone so they could communicate, and the UCs said they would do so. The UCs also told Merchant that they would be in touch about how much their services would cost.

On or about June 12, 2024, Merchant met the UCs again and obtained the cellular phone from the UCs to use in furtherance of the assassination plot. During the meeting, Merchant agreed to pay the UCs a $5,000 advance payment for the plot. Following the meeting with the UCs, Merchant met with the CS again in furtherance of the plot.

On or about June 13, 2024, Merchant wrote out coded language on a piece of paper that he instructed the CS to copy down and use when communicating with him in the future. Merchant wrote that the word “tee-shirt” would mean a “protest,” which he described as the “lightest work.” The phrase “flannel shirt” would mean “stealing,” which was “heavier work.” The phrase “fleece jacket,” the heaviest work, would mean “the third task . . . commit the act of the game,” indicating murder as previously discussed. The phrase “denim jacket” referred to “sending money.” Merchant told the CS to use the code words only orally on the phone and not to text them. [my emphasis]

So even in the plot the FBI thwarted, Merchant had a plan to set up a dedicated device for his efforts.

Again, I think it most likely that Routh is just a mentally ill person looking to give his life meaning.

But I don’t rule out that Iran tried to find more potential recruits to target Trump. Routh’s public profile would make it clear he wanted to recruit and be recruited, and his beliefs were so quirky, he might well allow himself to be recruited by Iran.

Which is to say, it’s early yet. Routh’s story may well be more complicated than it seems.


Kamala Harris Is Not Goading Journalists to Publish Emails Iran Stole from Roger Stone

As I’ve alluded to a few times, I was sent what I believe to be three of the files Iran purportedly stole from Trump’s team. I received them after I explained why I thought this hack-and-leak was different than the Hillary one in ways that should influence considerations about publishing:

  • Trump doesn’t compartment his campaign from his crimes, meaning Iran could be — could have been trying, could have succeeded in — stealing information about the Iran-related documents Trump took when he left the White House. The report that Susie Wiles was the intended target of the hack confirms that risk. In addition to running Trump’s campaign, Wiles decided who would be provided defense attorneys paid by the campaign. Aside from the classified information Trump shared with her, she should never have had anything implicating classified discovery and the classified discovery itself should never have left the SCIFs in which it was provided to defense attorneys. But she is likely to know some of what — for example — witnesses like Kash Patel said about classified information.
  • In addition to the hack, Iran allegedly was also trying to solicit a hit squad to kill Trump (indeed, the alleged recruiter, Asif Merchant, was just indicted on Wednesday). That makes the possibility of Iran exploiting internal information from Trump’s campaign (such as travel details) far more dangerous.

I had decided it wasn’t worth participating. And then I got sent files I believe to be those vetting files.

In the last few days, Google has slapped a phishing warning on the files I got sent.

Even though I offered that explanation a month ago, I still get questions from people about why I, and why other outlets, haven’t published the documents.

Don’t get me wrong, other outlets are, without a doubt, exercising a double standard in choosing not to publish these documents, or at least reviewing whether the JD Vance vetting document includes some of the really damning videos surfaced since Trump picked him. It’s not just the Hillary emails in 2016. Every single outlet known to have received these files has also chased the Hunter Biden laptop, even though they never succeeded in implicating Joe Biden in anything found in the laptop. The dick pics were enough to sustain many outlets for a year (and longer, in the case of the NYPost).

But there’s one other big, big difference — one that I think explains the entire difference.

As far as I know, no one in the Kamala Harris campaign is goading journalists to post the documents.

Compare that to 2016, where Trump’s top people were strategizing how to maximize attention on John Podesta’s risotto recipe. Somebody who may be Don Jr was getting all his trolls to push hashtags so “liberal news forced to cover it.” Or 2020, when Trump’s personal lawyer flew around the world, even meeting with known Russian spies, looking for dirt on Joe Biden’s kid. And when a laptop of dick pics dropped in Rudy Giuliani’s lap, like magic, the far right demanded that private social media companies let those dick pics disseminate like wild, because — they claimed — the dissemination of distractions about Hunter Biden was absolutely crucial to Trump’s election strategy.

If I’m right that Kamala Harris has never encouraged journalists to post these documents, there would be a very good reason why not, even beyond the considerable national security risks of encouraging hack-and-leak operations from hostile intelligence services.

Kamala has just 107 days to win an election. And she has a story that she is very very busy telling.

Hack-and-leak operations are about attention, about distraction. If she focused on these stolen documents, she would distract from her own campaign, from the story she is busy telling.

In 2016, Trump used the documents Russia stole to suck up media attention, which served to distract from his own corruption. That’s what he tried in 2020, too. And media outlets have, quite literally, argued that they could avoid accusations of liberal bias by printing error-riddled stories about Hunter Biden, still sucking on that dick pic, three years later.

Hack-and-leak operations help someone like Donald Trump, because too much scrutiny of his own actions might sink his campaign.

But Harris is doing something different than Trump. She’s trying to convince voters that government can improve their lives. She’s trying to convince voters that she cares about their issues and plans to [try to] address them. She needs to sustain their attention long enough to tell that story.

She doesn’t have the time to chase distraction with documents stolen from Trump.

Besides, the press has barely scratched the surface of the corruption or right wing extremism of Trump and his running mate, just sitting in plain sight, such as JD’s claim that we’re still fighting the Civil War and he’s fighting on the side of the south, or Trump rolling out another effort to cash in on his campaign, just weeks before the election.

There’s no shortage of dirt on Donald Trump. Nothing Iran has offered, thus far, at all compares to the stuff sitting out in plain sight.

There is, however, a shortage of time. And wasting time on stolen emails would squander what little time there is.


The Trump Hack Could Extend Far Beyond a Hack-and-Leak

When news first broke that Donald Trump’s campaign says it has been hacked, I started drafting a post on applying the lessons of past ratfucks.

The alleged hack was first reported by Politico, which says some person using an AOL account reached out and shared documents, including the vetting materials pertaining to JD Vance and Marco Rubio.

On July 22, POLITICO began receiving emails from an anonymous account. Over the course of the past few weeks, the person — who used an AOL email account and identified themselves only as “Robert” — relayed what appeared to be internal communications from a senior Trump campaign official. A research dossier the campaign had apparently done on Trump’s running mate, Ohio Sen. JD Vance, which was dated Feb. 23, was included in the documents. The documents are authentic, according to two people familiar with them and granted anonymity to describe internal communications. One of the people described the dossier as a preliminary version of Vance’s vetting file.

The research dossier was a 271-page document based on publicly available information about Vance’s past record and statements, with some — such as his past criticisms of Trump — identified in the document as “POTENTIAL VULNERABILITIES.” The person also sent part of a research document about Florida Sen. Marco Rubio, who was also a finalist for the vice presidential nomination.

Trump’s bouncer-spox, Steven Cheung, claims the hack was done by Iran, citing a Microsoft report released Friday describing the compromise by Iran of the email account of a “former senior advisor,” which the IRGC then used to attempt to compromise a current high-level official.

Yet another Iranian group, this one connected with the Islamic Revolutionary Guard Corps, or IRGC, sent a spear phishing email in June to a high-ranking official on a presidential campaign from the compromised email account of a former senior advisor. The email contained a link that would direct traffic through a domain controlled by the group before routing to the website of the provided link. Within days of this activity, the same group unsuccessfully attempted to log into an account belonging to a former presidential candidate. We’ve since notified those targeted.

A pity for the Trump campaign that Cheung is a habitual liar, so we can’t trust anything he says, and Politico’s authentication appears to rely exclusively on word of mouth from those who have the documents, not digital authentication.

Still, it’s distinctly possible. The FBI certainly seems to believe the IRGC is trying to assassinate Trump.

The lessons I was going to propose in my draft post were the following:

  • Vice President Harris should eschew assigning her senior-most staff to exploiting these emails like Trump did in 2016.
  • But only after Trump, Don Jr, and Mike Pompeo apologize for their enthusiastic use of hacked emails in 2016.
  • The same 51 former spooks who warned that the Hunter Biden laptop had the earmarks of a foreign influence operation should write a similar letter here, emphasizing (as they did in their Hunter Biden letter) the import of resisting foreign efforts to influence a presidential election. Maybe Peter Strzok and Andy McCabe could join in. Chris Krebs, who already has weighed in validating the seriousness of the threat, but who was fired for telling the truth about the 2020 election, can join too. They should send it to Politico, which first reported this story, but CC Jim Jordan, who says even writing such a letter is an abuse of First Amendment protected free speech.
  • Donald Trump must provide all the affected servers to the FBI, stat.

It’s the last one that was going to be my punch line. Partly because of misleading (arguably inaccurate) Jim Comey testimony, and partly because a wide swath of people had an incentive to do Russia’s bidding, for eight years people, including many in Congress, have been suggesting that a hacking victim must give all the servers that were hacked to law enforcement — the actual servers, not forensic images — otherwise the FBI’s investigation would be suspect.

They were wrong on several counts. But they were loud and insistent.

Fine. Based on that precedent, Trump must hand over his campaign servers to the same FBI that has criminally investigated him, including his campaign finance shenanigans, immediately.

That’s what I was going to write when Politico’s Alex Isenstadt, who is not a journalist competent to report a hack-and-leak story, was the only one who had written this up.

But then WaPo wrote it up, with Trump-whisperer Josh Dawsey and horserace journo Isaac Arnsdorf bylined, but also Ellen Nakashima and Shane Harris, the latter two of whom are exceptional reporters for a story about hacking.

That story had two additional details that made me rethink the potential impact of this. First, it revealed that Trump didn’t tell the FBI about the hack.

People familiar with the matter said the campaign separately concluded earlier this summer its email system had been breached but did not disclose it publicly or to law enforcement. The people said some officials were told to take more protective measures on their email accounts. At the time, campaign officials communicated to others that they weren’t sure who hacked the emails.

It’s not even clear whether Trump got an outside contractor — and if so, if it was someone more competent than Rudy Giuliani, whom Trump once pitched as a cybersecurity expert — to help clean up this mess. It took Crowdstrike and the DNC over a month to attribute the Russian hack, but they never fully cleaned it up. And persistent attacks continued through the election. That is, even with a respected outside contractor, the Democrats were wasting energy on whack-a-mole defense efforts for the remainder of the election.

Against that background, WaPo’s description of what the persona shared becomes more alarming.

On Thursday, The Washington Post was also sent a 271-page document about Vance from a sender who called himself Robert and used an AOL email account. Dated Feb. 23 and labeled “privileged & confidential,” the document highlighted potential political vulnerabilities for the first-term senator. Two people familiar with the document confirmed it was authentic and was commissioned by the campaign from Brand Woodward, a law firm that represents a number of prominent Trump advisers in investigations by state and federal authorities.

The document drew from publicly available information, including past news reports and interviews with the senator. The campaign commissioned several reports of other candidates, too, the advisers said.

The sender would not speak on the telephone with a Post reporter but indicated they had access to additional information, including internal campaign emails and documents related to Trump’s court cases. [my emphasis]

First, Brand Woodward did the campaign’s vetting.

Stan Woodward represents, along with others, Walt Nauta, Kash Patel, and Peter Navarro in various Trump-related criminal investigations, as well as some seditionists. He’s a great fit for Trump insofar as he’s good at generating outrage over manufactured slights — though in front of regular judges, those complaints usually collapse. Multiple filings in the documents case suggest that Woodward has a tenuous relationship with digital technology.

The role of Stan Brand, Woodward’s partner, has been assiduously hidden, except insofar as he has made claims about cases to the press on-the-record without disclosing the tie to Woodward.

Now, WaPo has confirmed that the Microsoft description — of a former advisor pwned and using that person’s email account, an attempt to hack “a high-official” still on the campaign — pertained to the Trump campaign. Given that description, there’s no reason to believe that Woodward or Brand were affected.

But there’s nevertheless a problem with hiring Brand Woodward to do your candidate vetting. To be clear: Brand is absolutely qualified to do that kind of thing. He’s got a long record of doing so in Congress. But even Trump appears to have concerns about major issues the vetting process missed, to say nothing of his donors.

Over the past two weeks, Mr. Trump has fielded complaints from donors about his running mate, JD Vance, as news coverage exploring Mr. Vance’s past statements unearthed — and then exhaustively critiqued — remarks including a lament that America was run by “childless cat ladies.”

Mr. Trump dismissed out of hand donors’ suggestions that he replace Mr. Vance on the ticket. But Mr. Trump privately asked his advisers whether they had known about Mr. Vance’s comments about childless women before Mr. Trump chose him.

There were better choices to vet candidates, but if Trump wants to let a thin team vet the surly troll he picked to be his running mate, that’s his own business.

My alarm about the Brand Woodward news starts, however, with the way that the Trump campaign has muddled various functions, criminal and civil defense with campaign finance and, now, candidate vetting. It creates a legal morass, one that — if Trump loses this election — could lead to more legal trouble down the road.

Maybe that’s why Trump didn’t call the FBI.

But it also means that some people — most notably, Susie Wiles and Boris Epshteyn, along with Woodward and Brand — are playing multiple functions. Wiles is the one who decides who gets their criminal defense bills paid, she’s also the one who decides how to spend campaign cash, and she was a big backer of the JD pick.

When people play overlapping functions like that, it means that a hack targeted at them for one function — say, candidate vetting — may strike a gold mine of documents pertaining to another function — say, criminal defense.

WaPo’s reference to “documents related to Trump’s court cases” — Politico quoted the persona offering a “variety of documents from [Trump’s] legal and court documents to internal campaign discussions” — may ultimately pertain exclusively to Trump’s electoral court cases. If it does, those could be some of the most newsworthy out there, since Trump’s electoral court cases pose a direct threat to democracy.

But what if they don’t? What if these documents pertain to what those overlap people — people like Wiles or Epshteyn, and they’re only two of the most obvious — know about Trump’s criminal cases? What if they pertain to claims that witnesses have made to the FBI about where documents got moved or what was included in them? What if they pertain to the actual documents Trump stole, starting with the US strategic plan against Iran that Trump shared with Mark Meadows’ ghost writers?

Trump has not firewalled his campaign from a criminal case involving the most sensitive documents of the US government, meaning a well-executed hack targeted at his campaign may turn into an intelligence bonanza.

If Iran plans to make things difficult for Trump, the problems may extend well beyond what documents get leaked. As they did in 2016, this could mean that Trump wastes resources having to serially defend against hacking attempts via a range of different platforms. It could mean that Iran does what Russia did, hack key strategic models to optimize other kinds of fuckery later in the election. Because — unlike Russia — Iran is actively trying to kill Trump, not just defeat him, hacked documents may also facilitate efforts like those charged against Asif Merchant, manufacturing fake protests to create distractions to facilitate an assassination attempt.

The question of how to approach this news, if it is further confirmed, goes well beyond the question of whether to publish the documents allegedly stolen by Iran. In significant part because Trump refuses to maintain boundaries between his political life and his criminal life, hacks from Iran could create real damage to the United States beyond what they do to Trump’s campaign.

So by all means, let’s pause for a moment of schadenfreude. Let’s review all the things Trump said and did in 2016 and 2020 (including with the Hunter Biden laptop) that invite his opponents to fully exploit stolen documents this time.

But as you do that, consider that this ratfuck may be far more dangerous to the US than those targeting Hillary and Hunter.


Trump Commends the Deep State; Media Buries That Fact

The Trump press conference yesterday has left me thinking that goldfish might do a better job of covering this guy than the people currently doing so.

As I’ll describe, after covering it live, many outlets have chosen to bury what a blubbery mess the former President was. Then NYT, which assigned multiple reporters on any given day to repeat, “Joe Biden old,” had taken all stories about the presser off its front page by the time it released the Dead Tree version.

Admittedly, there wasn’t much news.

But there was a piece that I think merits more attention. Trump was apparently asked (the entire presser was set up such that Trump claimed not to be able to hear the questions, and they weren’t picked up on the coverage) whether the FBI had interviewed him as part of the investigation into the Thomas Crooks shooting attempt. He described:

They have. The FBI came to see me about the shooter. Uh, I think they’ve done a very good job. And I think they did a very good job with respect to this other lunatic that they have in custody.

The reference to “this other lunatic” is likely a reference to Asif Merchant, the Pakistani man accused of attempting to solicit paid killers to assassinate Trump on behalf of Iran.

This is newsworthy!

It’s newsworthy, because Trump’s allies in Congress are gunning for Chris Wray regarding the Crooks investigation.

And it is newsworthy, because Trump has spent years demonizing the Deep State, only to commend them when they preempt an attack on him.

Never mind that (as LOLGOP and I laid out in one of our Ball of Threads episodes) almost everyone the FBI first targeted in Crossfire Hurricane (including Carter Page, George Papadopoulos, Mike Flynn, and Paul Manafort) was monetizing, or attempting to monetize, their access to Trump. Trump was, at first, one of the victims of that investigation too.

If you believe what Konstantin Kilimnik told Paul Manafort in December 2016, Page even went to Russia and claimed to be negotiating on Ukraine on behalf of Trump.

Trump could have viewed himself as a victim of that influence peddling, but his narcissism prevented that.

He undoubtedly does view himself as the victim here, rightly so. And because of that, he’s willing to commend the work the FBI does.

That answer deserves wider coverage, not least so the Trump mob that has been targeting the FBI might tone things down.

Alas, the media wants horserace, and to hell with US democracy and rule of law.

Update: ABC describes that during Trump’s victim interview, he quizzed them for more details about Crooks.


Fleece Jacket: The Assassination Plot against Trump

Amid all the other excitement yesterday, EDNY revealed an arrest, on July 12, in an assassination plot believed to target Donald Trump. A Pakistani man with ties to Iran, Asif Merchant, pitched someone in the US — referred to only as Confidential Source — in April on what purported to be a clothing import business, with an opportunity to earn $100,000. The complaint suggests that Merchant had reason to believe CS had committed crimes in the past. But when meeting in person on June 3 about the business, Merchant described that the business involved killing.

On or about June 3, 2024, MERCHANT flew from Texas to LaGuardia Airport in New York. The CS picked up MERCHANT from the airport and drove him to a hotel in Nassau County, New York. While at the hotel, MERCHANT told the CS that the opportunity he had for the CS was not a one-time opportunity and would be ongoing. MERCHANT then made a “finger gun” motion with his hand, indicating that the opportunity was related to a killing. MERCHANT subsequently took the CS’s cellphone and put it in a drawer for security reasons, so they could discuss the plan. MERCHANT stated that he would give the CS more details about the plan the next day but that he needed the CS to arrange a meeting for MERCHANT to meet hitmen in New York.

The complaint is coy about when the CS got the Feds involved. But by the next day, the FBI had set up cameras that captured Merchant drawing up his plan on a napkin. And when CS introduced Merchant to people he believed to be hitmen on June 10, they were really undercover Feds.

On June 13, Merchant wrote up a code for CS, describing each of three types of crimes — stealing documents, starting a protest as cover, and assassinating someone — as different kinds of tops, with fleece jacket signifying the assassination.

Merchant must have made last minute plans to leave the country on July 12, because he was arrested even before the FBI wrote up the complaint on July 14 (the Texas docket describing the Houston arrest must still be sealed). Merchant seemed to be recruiting multiple people in the US, so I assume this all remained sealed for a month to provide the FBI opportunity to track down others.

According to the detention memo, Merchant refused to let the FBI in for 20 minutes, so he may have deleted evidence (though not the paper on which he wrote his fleece jacket code).

Notably, when the FBI arrived at his residence to execute the arrest as well as a search warrant for the residence, Merchant refused to exit his residence for approximately 20 minutes after the FBI announced their presence and the search warrant.

Which makes for some pretty eerie timing, given Thomas Crooks’ shooting of Trump on July 13.
