OpSec Confusion on the Oath Keeper Conspiracy

I write a lot about the comms the Oath Keepers used to plan insurrection. There was the post about how they figured out, too late, not to plan an insurrection on Facebook; of the five counts of obstruction on the Oath Keeper indictment released Sunday, two pertain to Facebook. Then there was the post where I cataloged how many social media platforms were described in the last iteration of the indictment against them.

  • Leadership list on Signal they appear to have obtained from Watkins and/or Kelly Meggs
  • Open channels on Zello, possibly separate ones for each large event
  • Telephony chats and texts, including during January 6
  • MeWe accounts
  • Way too much blabbing on Facebook, followed by a foolish belief they could delete such content
  • Parler for further blabbing
  • Stripe for payment processing (possibly for dues)
  • GoToMeeting for operational planning

The remaining three obstruction charges pertain to this social media activity, one — for Joshua James — specifically describing his attempt to delete and burn the “[S]ignal comms about the op.”

Add hand-written ProtonMail attachments to the toolchest

It turns out I should have included ProtonMail in that list: both addresses to which Laura Steele sent her vetting application to join the Oath Keepers on January 3 were ProtonMail addresses. The government only laid that out in its unsuccessful bid to keep her detained, where it tried to use ProtonMail’s encryption to ascribe that operational security to her.

On the evening of January 3, 2021, Defendant Steele emailed a membership application and vetting form to the Oath Keepers of Florida.[4] She copied Defendant Young on the email, and wrote: “My brother, Graydon Young told me to submit my application this route to expedite the process.” Under the section for “CPT Skill Sets (Community Preparedness Team) Experience or Interests,” she checked “Security.” Under “Skillsets,” she wrote: “I have 13 years of experience in Law Enforcement in North Carolina. I served as a K-9 Officer and a SWAT team member. I currently work Private Armed Security for [company name redacted]. I am licensed PPS through the North Carolina Private Protective Services.”

Within 10 minutes, Defendant Steele sent another email, this one directly to Defendant Kelly Meggs’s email account at Proton Mail, again copying Defendant Young. She again attached her application and vetting form, and wrote: “My brother, Graydon Young told me to send the application to you so I can be verified for the Events this coming Tuesday and Wednesday.”

The following day (January 4), Defendant Steele sent the same materials to yet another Oath Keepers email address at Proton Mail. On her email, she copied co-defendants Kelly Meggs and Graydon Young.

[4] The email recipient was actually a Florida Oath Keepers account at “protonmail.com.” Proton Mail is housed overseas (in Switzerland) and offers end-to-end encryption. “Even the company hosting your emails has no way of reading them, so you can rest assured that they can’t be read by third parties either.” Mindaugas Jancis, ProtonMail review: have we found the most secure email provider in 2021?, CyberNews, Mar. 4, 2021, at https://cybernews.com/secure-email-providers/protonmail-review.

But Proton is not going to help if one side of a communication is on Gmail or some other email service on which the FBI can serve a subpoena, since that provider holds its own copy of the message. That may explain how the government obtained this email from the newly indicted Joseph Hackett, described in the latest superseding indictment.

41. On December 19, 2020, HACKETT sent an email to YOUNG with a subject line “test.” The body of the email stated: “I believe we only need to do this when important info is at hand like locations, identities, Ops planning.” The email had a photo attached; the photo showed cursive handwriting on a lined notepad that stated: “Secure Comms Test. Good talk tonight guys! Rally Point in Northern Port Charlotte at Grays if transportation is possible. All proton mails.[7] May consider [a rally point] that won’t burn anyone. Comms – work in progress. Messages in cursive to eliminate digital reads. Plans for recruitment and meetings.”

[7] Based on the investigation, “proton mails” appears to refer to the company “ProtonMail,” which offers encrypted email services.

I’ve not seen anything that suggests the government has obtained any Proton Mail exchanges among the Oath Keepers conducted entirely on the platform; that may have to wait until someone involved decides to cooperate. But I’m not sure how writing the most sensitive messages on what sounds like dead tree paper before sending them adds to the security.

DOJ’s selective understanding of encryption

One of the more aggravating pieces of confusion in the new indictment, however, comes not from the alleged conspirators but from the government.

The last item in a list of Manner and Means employed in the conspiracy is the use of “secure and encrypted communications.”

Using secure and encrypted communications applications like Signal[3] and Zello[4] to develop plans and later communicate during the January 6 operation.

The first overt act describes Stewart Rhodes laying out what I am calling the “Antifa foil” on a GoToMeeting meeting.

At a GoToMeeting[5] held on November 9, 2020, PERSON ONE told those attending the meeting, “We’re going to defend the president, the duly elected president, and we call on him to do what needs to be done to save our country. Because if you don’t guys, you’re going to be in a bloody, bloody civil war, and a bloody – you can call it an insurrection or you can call it a war or fight.”

As a result, the following footnotes appear on the bottom of the same page.

[3] Signal is an encrypted messaging service.

[4] Zello is an application that emulates push-to-talk walkie-talkies over cellular telephone networks. Zello can be used on electronic communication devices, like cellular telephones and two-way radios.

[5] GoToMeeting is an online meeting site that allows users to host conference calls and video conferences via the Internet in real time.

Start with Zello: It can be secure. But as the Oath Keepers used it the day of the insurrection, it wasn’t, because it was an open channel. Indeed, the reason we know about it is that journalist Micah Loewinger was following along in real time. Plus, anything saved onto a phone will be accessible once the phone is compromised, just as Signal messages will. (From the discovery letters shared with the Oath Keepers — the most recent of which is over a month old — the government appears to have initially relied on WNYC’s published versions of the Zello chats. But this superseding indictment includes time stamps from Watkins’ Zello exchanges, which suggests they’ve obtained a more reliable copy since then.)

Signal, DOJ says, is encrypted. I have no problem with that. But they started compromising the Signal chats as soon as they exploited Jessica Watkins’ phone. And the latest indictment seems to rely on the exploitation from another of the more involved participants — it’s where the new details on the Quick Reaction Force come from (here’s my rough capture of the communications we’ve seen referenced to date).

What I find annoying is that, after treating Signal and Zello as super spooky applications, DOJ then treats GoToMeeting like a normal tool, just “an online meeting site that allows users to host conference calls and video conferences via the Internet in real time.”

But it is also end-to-end encrypted and has a number of other security features that are necessary for its use by mainstream businesses and health care providers. That said, it is centralized and probably responds eagerly to legal process, which is the distinction DOJ really intends by this. That is, it’s not encryption that makes the use of these apps a useful marker of a conspiracy, it’s decentralized security, security that the Oath Keepers didn’t use with Zello the day of the insurrection. Plus, for a conspiracy indictment, as opposed to other criminal charges, the use of G2M suggests a bureaucratization that should be more useful to prove the case.

In any case, with this fourth indictment, DOJ added content from G2M that was probably meant to be secure: Stewart Rhodes’ “Antifa foil” comments. An initial production of G2M had been provided to defendants by April 9, with a second attempt on April 23. So it may be that it has taken some time to reconstruct whatever full production they might receive from the various Oath Keeper accounts.

The money is the metadata

That said, it is amusing seeing the conspirators try to add a layer of security to the already secure ProtonMail while they’re laying a trail of travel plans that knots them all up into a network. Here are just some of the fleshed out details from the indictment:

79. On January 4, 2021, HARRELSON and DOLAN departed Florida together in a vehicle rented by DOLAN and traveled to the Washington, D.C., metropolitan area.

[snip]

82. On January 4, 2021, PERSON TEN checked into the Hilton Garden Inn in Vienna, Virginia. The room was reserved and paid for using a credit card in PERSON ONE’s name.

[snip]

85. On January 5, 2021, PERSON ONE and MINUTA separately traveled to the Washington, D.C., metropolitan area and checked into the Hilton Garden Inn in Vienna, Virginia.

[snip]

90. KELLY MEGGS paid for two rooms, each for two people, at the Comfort Inn Ballston from January 5-6, 2021. The rooms were reserved under the name of PERSON THREE.

91. KELLY MEGGS also booked two rooms at the Hilton Garden Inn in Washington, D.C., from January 5-7, 2021. KELLY MEGGS paid for both of the rooms, using two different credit cards.

[snip]

93. HACKETT paid for a room at the Hilton Garden Inn in Washington, D.C., from January 5-7, 2021. The room was booked in the name of PERSON SIXTEEN.

[snip]

95. MINUTA, using his personal email address and his personal home address, reserved three rooms at the Mayflower Hotel in Washington, D.C., under the names of MINUTA, JAMES, and PERSON TWENTY. A debit card associated with PERSON FIFTEEN was used to pay for the room reserved under MINUTA’s name. A credit card associated with JAMES was used to pay for the room reserved under JAMES’s name.

Kelly Meggs, by paying for what appears to be the QRF room and another for Person 3 to tend the weapons, would tie the Floridians staying in the DC Hilton Garden with a group coming from at least three states at the Ballston Comfort Inn (and that’s before you consider the surveillance footage that shows others dropping off weapons). Minuta, by reserving three rooms at the Mayflower, would tie Joshua James, Person Twenty, and Person Fifteen to the group, including Minuta, staying at the Vienna Hilton Garden, which includes Rhodes and Person Ten. And there’s at least one known payment — from some unidentified person to James’ wife — that doesn’t show up here.

Post 9/11, it’s hard to hide hotel travel, especially retroactively, after engaging in a terrorist attack, but it doesn’t help that the Oath Keepers didn’t compartment their network at all. So all the encrypted messaging and meeting apps in the world could not hide that this was a network that spanned (thus far, but I’m holding out hope they’ll roll out the first Mississippi defendants any day!) at least seven states.
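The linking described in this section can be reproduced from the quoted paragraphs alone. The following is an added example, not part of the original post or the indictment: it treats each person and each hotel or vehicle as a node and uses only the names and places in paragraphs 79 to 95 as quoted above; the role labels are shorthand added for this example.

```python
from collections import defaultdict

# Records transcribed from the indictment paragraphs quoted above.
# Each entry: (paragraph, place or vehicle, {person: role}). The role strings
# are shorthand added for this example, not wording from the indictment.
RECORDS = [
    (79, "rental vehicle", {"DOLAN": "renter", "HARRELSON": "passenger"}),
    (82, "Hilton Garden Inn, Vienna", {"PERSON TEN": "guest", "PERSON ONE": "card used"}),
    (85, "Hilton Garden Inn, Vienna", {"PERSON ONE": "guest", "MINUTA": "guest"}),
    (90, "Comfort Inn Ballston", {"KELLY MEGGS": "payer", "PERSON THREE": "reserved name"}),
    (91, "Hilton Garden Inn, D.C.", {"KELLY MEGGS": "payer"}),
    (93, "Hilton Garden Inn, D.C.", {"HACKETT": "payer", "PERSON SIXTEEN": "reserved name"}),
    (95, "Mayflower Hotel", {"MINUTA": "reserver", "JAMES": "payer",
                             "PERSON TWENTY": "reserved name",
                             "PERSON FIFTEEN": "card used"}),
]


def places_by_person(records):
    """Map each person to the set of places their name is attached to."""
    seen = defaultdict(set)
    for _para, place, people in records:
        for person in people:
            seen[person].add(place)
    return seen


def bridging_people(records):
    """People named at more than one place: the links between sites."""
    return {person: sorted(places)
            for person, places in places_by_person(records).items()
            if len(places) > 1}


def clusters(records):
    """Connected components of the person/place graph, as sets of people."""
    adj = defaultdict(set)
    for _para, place, people in records:
        for person in people:
            adj[("place", place)].add(("person", person))
            adj[("person", person)].add(("place", place))
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, members = [start], set()
        while stack:  # depth-first walk over everything reachable from start
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            members.add(node)
            stack.extend(adj[node] - seen)
        groups.append({name for kind, name in members if kind == "person"})
    return sorted(groups, key=len, reverse=True)


if __name__ == "__main__":
    for person, places in sorted(bridging_people(RECORDS).items()):
        print(f"{person} links: {' <-> '.join(places)}")
    for group in clusters(RECORDS):
        print(len(group), sorted(group))
```

On these seven paragraphs, four hotels collapse into two clusters, each held together by one name on a booking or a card, regardless of how the messages about the trip were encrypted.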

Update: I’ve taken out a reference to the Ohioans walking Isaacs back to a hotel in DC. They did separate early but it was not to take him back. Thanks to Benny Bryant for the correction.

Crystalizing Conspiracies: Fourth Superseding, James Breheny, Puma’s GoPro, [Redacted], and the Willard Hotel

In this post, I used the imminent guilty plea of Paul Allard Hodgkins to illustrate that we really don’t know what evidence of conspiracy prosecutors are looking at, which means that we can’t really say whether the January 6 investigation will ultimately hold those who incited the violence accountable. I explained how a PhD in Comp Lit might be useful training to see the gaps in prosecution filings that show what secrets they’re holding in abeyance. And, as I further explained, if those most responsible for January 6 are going to be held accountable, it will likely be (at least in part) via conspiracies with the Oath Keepers and Proud Boys, including the multiple ties Roger Stone has with both militias.

This post is meant to be read in tandem with that one.

This one will look at four developments in the case against the Oath Keepers in the last week or so.

The superseding indictment turns the screws

Most spectacularly, the government rolled out a fourth superseding Oath Keeper indictment yesterday. The ostensible purpose of it was to add four new defendants: Joseph Hackett, Jason Dolan, and William Isaacs, all from Florida, along with a fourth, accused of just three crimes, whose name is redacted.

The indictment broadens the kinds of communications described as part of the conspiracy, including Signal along with Zello, as well as orders to write key details in cursive, then send them via Proton Mail.

It adds a comment Stewart Rhodes made on November 9 laying out what I’ll call the “Antifa foil” — an affirmative plan, laid out months before the insurrection, to use the “threat” of Antifa as the excuse to come armed and a means to foment violence.

At a GoToMeeting[5] held on November 9, 2020, PERSON ONE told those attending the meeting, “We’re going to defend the president, the duly elected president, and we call on him to do what needs to be done to save our country. Because if you don’t guys, you’re going to be in a bloody, bloody civil war, and a bloody – you can call it an insurrection or you can call it a war or fight.” PERSON ONE called upon his followers to go to Washington, D.C., to let the President know “that the people are behind him.” PERSON ONE told his followers they needed to be prepared to fight Antifa, which he characterized as a group of individuals with whom “if the fight comes, let the fight come. Let Antifa – if they go kinetic on us, then we’ll go kinetic back on them. I’m willing to sacrifice myself for that. Let the fight start there. That will give President Trump what he needs, frankly. If things go kinetic, good. If they throw bombs at us and shoot us, great, because that brings the president his reason and rationale for dropping the Insurrection Act.” PERSON ONE continued, “I do want some Oath Keepers to stay on the outside, and to stay fully armed and prepared to go in armed, if they have to . . . . So our posture’s gonna be that we’re posted outside of DC, um, awaiting the President’s orders. . . . We hope he will give us the orders. We want him to declare an insurrection, and to call us up as the militia.” WATKINS, KELLY MEGGS, HARRELSON, HACKETT, PERSON THREE, PERSON TEN, and others known and unknown attended this GoToMeeting. After PERSON ONE finished speaking, WATKINS and KELLY MEGGS asked questions and made comments about what types of weapons were legal in the District of Columbia.

The indictment provides more evidence of a plan to have Oath Keepers from North Carolina stationed as a Quick Reaction Force to pick up weapons from one of two locations in DC and deliver them to others already there (a recent filing arguing Thomas Caldwell needs to keep informing pretrial services of his movements included surveillance video from the Ballston Comfort Inn of the conspirators carrying around presumed guns draped in sheets).

On the evening of January 2, 2021, at about 5:43 p.m., KELLY MEGGS posted a map of Washington, D.C., in the Leadership Signal Chat, along with the message, “1 if by land[,] North side of Lincoln Memorial[,] 2 if by sea[,] Corner of west basin and Ohio is a water transport landing !!” KELLY MEGGS continued, “QRF rally points[.] Water of the bridges get closed.”

[snip]

On January 4, 2021, CALDWELL emailed PERSON THREE several maps along with the message, “These maps walk you from the hotel into D.C. and east toward the target area on multiple roads running west to east including M street and P street, two of my favorites . . . .”

[snip]

On January 4, 2021, WATKINS wrote in the Florida Signal Chat, “Where can we drop off weapons to the QRF team? I’d like to have the weapons secured prior to the Op tomorrow.”

On the morning of January 5, 2021, HARRELSON asked in the Florida Signal Chat for the location of the “QRF hotel,” and KELLY MEGGS responded by asking for a direct message.

It provides more details about what the Oath Keepers did in the Capitol (including descriptions of how the kitted out veterans folded — retreated — as soon as they were hit with some tear gas).

When officers responded by deploying a chemical spray, the mob—including CROWL, WATKINS, SANDRA PARKER, YOUNG, and ISAACS—retreated.

[snip]

JAMES briefly breached the Rotunda but was expelled by at least one officer who aimed chemical spray directly at JAMES, and multiple officers who pushed him out from behind.

Importantly, the superseding indictment adds civil disorder charges against six of the Oath Keepers for interactions they had with cops inside the Capitol. It adds an assault charge against Joshua James for his physical interaction with cops. It adds obstruction charges against Kelly Meggs, Kenneth Harrelson, and James for deleting comms. Some of these charges were expected; it’s just that adding four new defendants was a convenient time to add them.

As these defendants are sitting here, though, their legal jeopardy is getting worse. Which is likely part of the point. They might stave off any further charges if they decide to cooperate with prosecutors.

When the government first charged this conspiracy, they were way over their skis, with detention requests and claims of danger that they did not yet have (or were not yet willing to show) evidence to support. That’s no longer true, and I wouldn’t be surprised if the government tries to detain a few more of these defendants when they are arraigned on the new charges this week.

James Breheny’s inter-militia network

One of the interesting details of this indictment is the exclusion of Oath Keeper James Breheny from it. Unlike the Proud Boys, all the Oath Keepers have been charged on one conspiracy indictment. The sole exception is Jon Schaffer, who from very early on was cultivated to flip, which he did on April 16. Remarkably, it’s not clear that Schaffer’s cooperation shows up in the new superseding indictment.

Now Breheny joins Schaffer in being charged (at least for now) on his own, which means, as of now, he’s only on the hook for his own crimes, not those of 16 co-conspirators. Breheny is an Oath Keeper from New Jersey who self-surrendered (suggesting ongoing discussions involving a lawyer) on May 20.

Breheny’s charging documents are interesting on several points. First, the affidavit excerpts a post Stewart Rhodes published on December 14, calling on Trump to invoke the Insurrection Act, including this paragraph:

You must act NOW as a wartime President, pursuant to your oath to defend the Constitution, which is very similar to the oath all of us veterans swore. We are already in a fight. It’s better to wage it with you as Commander-in-Chief than to have you comply with a fraudulent election, leave office, and leave the White House in the hands of illegitimate usurpers and Chinese puppets. Please don’t do it. Do NOT concede, and do NOT wait until January 20, 2021. Strike now.

This Rhodes post doesn’t appear in the Oath Keeper conspiracies, though it is a continuation of the November 9 comment from Rhodes also calling for insurrection, and it provides context for a comment he made on January 6 about what he expected Trump to do.

Then, Breheny’s complaint describes him inviting Rhodes to “a leadership meeting of ‘multiple patriot groups'” in Quarryville, PA on January 3, 2021. His invite directed Rhodes not to bring a phone and explained,

This will be the day we get our comms on point with multiple other patriot groups, share rally points etc. This one is important and I believe this is our last chance to organize before the show. This meeting will be for leaders only.

Breheny’s complaint also explains that Rhodes only added Breheny to the leadership list for the Oath Keepers on January 6. In explaining that detail, a footnote explains,

numerous individuals affiliated with the Oath Keepers who have been alleged to have participated in the riots participated in this chat and have been indicted in US v. Caldwell et al, 21-cr-28-APM.

It’s a neat way of saying that Breheny conspired with those charged in the main Oath Keepers conspiracy and they conspired with him, without charging him in that conspiracy.

The rest of the complaint explains how Breheny lied to the FBI about what he did on January 6, but after the government got a warrant for his phone, they obtained pictures and texts showing he had done far more on January 6 than he admitted to cops, including fighting his way in the East Doors that all the other Oath Keepers entered.

The government has been selective about whom they’re charging with obstruction for lying and deleting evidence, but their case that Breheny deliberately attempted to obstruct the investigation is quite strong.

Anthony Puma’s GoPro is arrested

On May 27, a guy from Michigan named Anthony Puma was arrested, more than four months after the FBI interviewed him on January 14 and after, on January 17, he shared the SD card from the GoPro he wore on January 6.

On April 23, the government obtained Puma’s Facebook account, which provided video and text evidence that, in his January 14 interview, Puma dramatically downplayed his knowledge of events on January 6. Most notably, they found texts he posted on January 5, knowing that, and precisely when, “we are storming” the Capitol the next day.

Tomorrow is the big day. Rig for Red. War is coming

We are here. What time do we storm the House of Representatives?

Hopefully, we are storming the House of Representatives tomorrow at 100 pm.

There’s no hint in his charging documents that Puma has any association with the Oath Keepers. Assuming he does not, it seems likely he was arrested, as I believe a number of other recent defendants were, so he can be forced to authenticate the important video evidence he shot on the day of the insurrection.

As a Comp Lit PhD who had to read a fuck-ton of postmodern theory, my favorite picture from his GoPro shows him filming himself shooting a video on his phone as he approached the Capitol.

But there are two other clips that I suspect are more important — one, showing what I believe to be a second stack of likely Oath Keepers preparing to breach the Capitol.

And another, showing presumed Oath Keepers on their golf cart race from the Willard Hotel to reinforce the Capitol, calling out, “We are inside, they need help, we’ve breached the Capitol.”

So whether or not Puma has a tie to the Oath Keepers, he now has reason to cooperate with prosecutors on making this video available for any trial.

[Redacted]

As noted, there were four people added to the Oath Keepers conspiracy indictment, but the name of one remains redacted.

It can’t be Roger Stone, as a lot of people are wishing, because Stone’s not an Oath Keeper.

But whoever [redacted] is, he almost certainly traveled with Roberto Minuta and Joshua James from the Willard Hotel where they were “guarding” Roger Stone and others to the Capitol.

I say that because, of the four paragraphs from the third superseding indictment describing the golf cart race to the Capitol, three are redacted in the fourth.

That doesn’t necessarily mean that [redacted] has had a child with Roger Stone or anything as exciting as that. It does mean that someone who was a likely witness to what happened on the Willard Hotel side of phone calls between Person Ten (who was the ground commander for the Oath Keepers that day) and James has been added to the conspiracy.

[redacted] appears to have entered the Capitol with Minuta and James, as what had been ¶104 describing their entrance “together with others known and unknown” in the third superseding is redacted as ¶154 in the fourth.

But the potentially more interesting actions of [redacted] appear in ¶¶76 and 77, which explain pre-insurrection communications and planning, as well as ¶99, which must explain what [redacted] did the morning of the insurrection, probably with James and Minuta. And ¶102 likely describes what the three of them were doing at the Willard Hotel while everyone else started breaching the Capitol.

As I said in this post, it takes more than four months to charge a complex conspiracy. But these four developments together add a December call for insurrection (in tandem with events that day in DC), place the Oath Keepers — including Stewart Rhodes — in a January 3 meeting coordinating with other militias, and seemingly add a third witness to what went on in the Willard Hotel the morning of the insurrection.