“Ridiculous:” Durham’s Failed Clinton Conspiracy Theory

I put together a very rough list of the interviews that John Durham included in his Report and a table showing the organization of his report.

I’d like to describe what appears to have happened with the investigation. Remember a few things about this list: It won’t include everything. Even just among witnesses who testified at trial, Durham was known to have done initial interviews, then threatened them with prosecution, in an often successful attempt to shade their testimony (see this post for an example). With others, Durham is being affirmatively misleading by stating that people who did appear before the grand jury were unwilling to be interviewed.

This list is just a list of interviews that actually support his narrative.

2019: Manufacturing a new origin story

As noted, most of the junkets that Durham and Barr did in the first year of the investigation don’t appear. The only overseas investigative steps noted in 2019 include the Legal Attaché personnel in London and the two Australian sources, Alexander Downer and Erika Thompson (described as Australian Diplomat-1), behind the original tip on George Papadopoulos. Durham did two separate interviews with the Australians, done on the same day, months before the DOJ IG Report determined the investigation was properly predicated.

Durham relies heavily on Downer, instead of Thompson, and claims to have discovered a conflict in their two accounts.

The Australian account reflects that two meetings of a casual nature took place with Papadopoulos. 215 These meetings were documented by Downer on May 11, 2016 and by Australian Diplomat-1 later in the month. 216 Both diplomats advised that prior to the Spring of 2016, Papadopoulos was unknown to them. 217 Notably, the information in Paragraph Five does not include any mention of the hacking of the DNC, the Russians being in possession of emails, or the public release of any emails. In addition, when interviewed by the Office, Downer stated that he would have characterized the statements made by Papadopoulos differently than Australian Diplomat-1 did in Paragraph 5. According to Downer, Papadopoulos made no mention of Clinton emails, dirt or any specific approach by the Russian government to the Trump campaign team with an offer or suggestion of providing assistance. Rather, Downer’s recollection was that Papadopoulos simply stated “the Russians have information” and that was all. 218

As recounted to the FBI on August 2, 2016, by Australian Diplomat-1, the substance of Paragraph Five was written in a “purposely vague” way. 219 This was done because Papadopoulos left a number of things unexplained and “did not say he had direct contact with the Russians.” 220 The impression Papadopoulos made on the Australian diplomats was wide ranging. On the one hand, he “had an inflated sense of self,” was “insecure,” and was “trying to impress.” 221 On the other hand, he was “a nice guy,” was “not negative,” and “did not name drop.” 222

Downer noted that he

was impressed Papadopoulos acknowledged his lack of expertise and felt the response was uncommon for someone of Papadopoulos’ age, political experience and for someone thrust into the spotlight overnight. Many people in a similar position would represent themselves differently and [Downer] would have sniffed them out. If [Downer] believed Papadopoulos was a fraud [he] would not have recorded and reported on the meeting [he] had with Papadopoulos. 223

Downer also said that he “did not get the sense Papadopoulos was the middle-man to coordinate with the Russians.” 224 The Australian diplomats would later inform the FBI, and subsequently the Office, that the impetus for passing the Paragraph Five information in late-July was the public release by WikiLeaks (on July 22, 2016) of email communications that had been hacked from the DNC servers. 225

215 We note there is an inconsistency in the statements given by Australian Diplomat-1 and former-High Commissioner Downer to the Crossfire Hurricane interviewers in August 2016 and what they told the Office when interviewed in October 2019. Australian Diplomat-1 and Downer were interviewed together in August 2016, and, according to the FD-302 prepared afterward by Supervisory Special Agent-1, Papadopoulos made the statements about the Russians during the May 6, 2016 introductory meeting when he met only with Australian Diplomat-1. When the two diplomats were interviewed separately by the Office in October 2019, investigators were advised that Papadopoulos made the statements in front of both Australian Diplomat-1 and Downer during the second meeting on May 10, 2016.

216 The meetings with Papadopoulos took place on May 6 and 10, 2016. Australia 302 at 1-2. The Australian diplomats documented the meetings in two cables dated May 11 and May 16, 2016; OSC Report of Interview of Alexander Downer on Oct. 9, 2019 at 2; OSC Report of Interview of Australian Diplomat-1 on Oct. 9, 2019 at 3.

217 OSC Report of Interview of Alexander Downer on Oct. 09, 2019 at 1; OSC Report of Interview of Australian Diplomat-1 on Oct. 09, 2019 at 1-2.

218 OSC Report of Interview of Alexander Downer on Oct. 09, 2019 at 2 (and related field notes); Downer also is reported to have stated in an interview that in talking with Papadopoulos there was “no suggestion that there was collusion between Donald Trump or Donald Trump’s campaign and the Russians.” Brooke Singman, Diplomat Who Helped Launch Russia Probe Speaks Out, Defends Role, Fox News (May 10, 2019), https://www.foxnews.com/politics/forrner-ausralian-diplomat-alexander-downer-defendswork-pushes-back-on-claim-he-tried-to-trap-papadopoulos.

219 Australia 302 at 2.

There’s no conflict.

Papadopoulos appears to have told the story about advance notice of Russia’s help to Thompson twice, once on May 6 and again, with Downer present, on May 10. She explains that not everything Papadopoulos said made it into her report. It’s likely Papadopoulos said more at the first meeting (I believe the record reflects that he drank more at the first meeting).

But by relying on Downer instead of Thompson, Durham claims that there was less to the tip than Thompson appears to have taken from it.

Having manufactured an alternate story about the initial predication, it’s no wonder Durham pushed Michael Horowitz not to say the investigation was fully predicated.

Durham also appears to have investigated why it took so long for the Steele reports to make their way from New York to DC. This is a fairly remarkable and sustained part of his report, because Durham is basically complaining that the pee tape report wasn’t immediately taken seriously.

Finally, from the very first year, Durham started doing investigations into the treatment of the Clinton Foundation investigation. As I have noted, his report leaves out really important details of that investigation: that agents who exhibited every bit as much bias as Durham finds in Peter Strzok, Lisa Page, or Kevin Clinesmith were running a key informant on the investigation, something no one has alleged happened with investigations into Trump’s associates.

That silence is all the more important given how Durham compares the predication of the Crossfire Hurricane investigation with that of Clinton Foundation, which relied in significant part on the Steve Bannon-linked Clinton Cash book which was every bit as shoddy as the Christopher Steele dossier, with a much more aggressive bias.

Once again, the investigative actions taken by FBI Headquarters in the Foundation matters contrast with those taken in Crossfire Hurricane. As an initial matter, the NYFO and WFO investigations appear to have been opened as preliminary investigations due to the political sensitivity and their reliance on unvetted hearsay information (the Clinton Cash book) and CHS reporting. 388 By contrast, the Crossfire Hurricane investigation was immediately opened as a full investigation despite the fact that it was similarly predicated on unvetted hearsay information. Furthermore, while the Department appears to have had legitimate concerns about the Foundation investigation occurring so close to a presidential election, it does not appear that similar concerns were expressed by the Department or FBI regarding the Crossfire Hurricane investigation. Indeed, in short order after opening the Crossfire Hurricane file and its four subfiles, the FBI was having one of its long-time CHSs meet not with just one Trump campaign associate, but meet and record conversations with three such insiders. And a little more than a month after opening the Crossfire Hurricane file on Page, a “senior U.S. law enforcement official” was publicly reported as confirming for Michael Isikoff and Yahoo! News that the FBI had Page on its radar screen. 389

Durham says two Australians who had no stake in the election (and who likely didn’t want to create a row with a major political candidate) have the same credibility as a long term political hoaxster paid by Trump’s ultimate campaign manager.

And in making this comparison, Durham doesn’t consider the urgency of the ongoing Russian attack on democracy (something that he generally ignores throughout the report). The underlying crime behind the Papadopoulos tip was potential (and real, in the case of both Paul Manafort and Roger Stone) ongoing involvement in Russia’s efforts to interfere in the election.

2020: Laying the ground work for the Clinton conspiracy

Early in 2020, Barr made Durham a Special Counsel, giving him authority to use a grand jury.

The very next day, he met with Jim Baker.

In cross-examination at the Sussmann trial, Baker lawyer Sean Berkowitz situated this meeting and another, in June 2020, when Baker’s story about the Sussmann meeting was still radically different than the one he told at trial, in terms of a leak investigation into Baker that had just closed. Baker had recently been criminally investigated by Durham, he knew that Durham would come after him again on the Russian investigation, and that February 2020 meeting was the first after the close of the leak investigation.

Q. So you know what it’s like to be under criminal investigation. Right?

A. Yes.

Q. You know what it’s like to be under criminal investigation by this man?

A. Yes.

Q. That’s Mr. Durham?

A. Yes.

Q. In fact, sir, in March of 2017 Mr. Durham was appointed by the Department of Justice to conduct a criminal investigation of the unauthorized disclosure of classified information to a reporter. Correct?

A. I don’t remember exactly when he was appointed, but that’s roughly correct based on my recollection of the timeframe.

Q. And you were a subject of that investigation?

A. I was never told that I was a subject.

Q. Is it fair to say that your lawyer refused to let you answer questions before Congress because you were under investigation?

A. He did object to certain questions — certain questions — because I was under investigation. That’s correct.

Q. Under criminal investigation. Right?

A. It was a criminal investigation was my understanding, yes.

Q. And you refused to answer those questions on the grounds that it might incriminate you?

A. I refused to answer those questions on advice of counsel, and it was a voluntary interview so I could refuse to answer any questions that I didn’t want to answer.

Q. And the investigation took place between 2017 and 2018. Correct?

A. Say that again.

Q. The investigation took place between 2017 and 2019. Correct?

A. I think it was not closed until 2020 by the Department.

[snip]

Q. And you, sir, were aware that Mr. Baker was — I mean, Mr. Durham was reappointed as special counsel, correct, in or around 2019?

A. For this matter?

Q. Yes.

A. Yes.

Q. And when that happened, you were concerned, were you not?

A. Concerned about what?

Q. That Mr. Durham might come and investigate you more?

A. I wasn’t concerned about it. I expected it.

[snip]

Q. It’s the first time you saw him after you were the subject of the criminal investigation by him?

A. Again, I was never told that I was a subject.

Q. Was that the first time?

A. Yeah, I think that was the first time.

In June 2020, Baker’s story started to evolve until ultimately, he testified, claiming 100% certainty about a story that had changed at least four times, to precisely the story Durham would want him to.

Most of the early 2020 interviews relied on by Durham in his report pertain to two topics: His reinvestigation of how the Clinton Foundation investigation proceeded, and his pursuit of a claim that Hillary framed Donald Trump (marked as “Russian intelligence” in the timeline).

Starting in June 2020, Durham appears to have started focusing on Igor Danchenko, burning him as a source, reviewing the long-dormant counterintelligence investigation into him, and focusing the same kind of pressure on Danchenko handler Kevin Helson (whom Durham seems to have referred for further investigation, on a date he doesn’t provide, for his handling of Danchenko). In July 2020, Barr provided Lindsey Graham the interview transcripts for Danchenko, which would lead to (or provide the excuse for) Danchenko’s exposure. In September 2020, the Senate Judiciary Committee would stage a FISA hearing to expose Danchenko’s past counterintelligence investigation.

None of these were effective investigative steps. Most witnesses didn’t testify at trial, and the one who did — Helson — was a devastating witness against Durham’s case (which may be why he was referred for further investigation). Those investigative steps did make Danchenko far more insecure, both legally and financially.

On September 29, John Ratcliffe would also share the report and, a week later, the underlying intelligence, around which Durham would build his Clinton conspiracy theory: A Russian intelligence Report that Hillary’s complaints about Trump’s pro-Russian bias stemmed from an attempt to cover up her email scandal and not from real concern about Russia or frustration with being victimized by a nation-state hack during an election.

On October 19, after Nora Dannehy disrupted Durham’s plan to release an initial report before the election, Barr made him Special Counsel so he could stick around for two more years to try to build the case he hadn’t done by 2020.

One of the most telling things about Durham’s actions in 2020 is that he didn’t do any of the ground work he needed to do to investigate the accusations he would make in late 2021. His primary work on the Alfa Bank case was making Danchenko far, far more vulnerable. He records virtually no obvious investigative work on the Alfa Bank allegations in 2020. He did little work on the dossier allegations. Some key investigative steps — getting a technical review of the Alfa Bank allegation and trying to secure Sergei Millian’s make-or-break testimony — waited until 2022, well after he had actually indicted these cases.

2021: Preparing actual indictments to hang failed conspiracy theories on

And it’s not just those two indictments Durham neglected in 2020. Here’s something Carter Page should think seriously about: John Durham did not do the investigation into the problems with his FISA application until the statutes of limitation started to expire in 2021. Given that investigative history, it’s fairly clear that Durham was never going to charge FBI agents in conjunction with those applications. Never. He had other priorities.

Instead, in 2021, he started making belated attempts to substantiate his Clinton conspiracy, with interviews to set up Charles Dolan as a witness.

Durham did no apparent interviews into Sergei Millian in 2021.

He did begin the effort — one paralleled and assisted by Alfa Bank’s lawsuit against the researchers in question, which to a DC judge seemed “almost like they were written by the same people in some way” — to spin the research into DNS anomalies into a deliberate plan by Hillary’s team.

In Durham’s investigations, however, there were obvious basic investigative failures. Durham didn’t interview people from Cendyn and Listrak until after the Sussmann indictment (and in the latter case, it’s not clear whether Durham spoke to anyone authoritative or even got the name of all the people interviewed).

I’ve already laid out how Durham didn’t even ask Michael Horowitz for relevant evidence until after the indictment. It was several months later before he asked Jim Baker to check his iCloud for the exculpatory communications that Sussmann correctly predicted would be there.

Durham didn’t interview Sergei Millian — and even then, he only did so remotely, with no agreement he would testify at trial — until February 2022, three months after indicting Danchenko.

These indictments — both of which could only have worked if charged as conspiracy indictments for which Durham had no evidence — were always bound to fail. They were bound to fail because they weren’t the result of an investigation, the logical progression from a clear crime committed. They were instead legal clothes hangers on which he could try to hang a conspiracy theory. They might have worked if Sussmann or Rodney Joffe or Danchenko had caved to the economic and legal pressure Durham was applying (as he did with Danchenko, Durham also got Joffe discontinued as an FBI source, but that had no financial repercussions for Joffe). But the charges were so flimsy Sussmann and Danchenko mounted a fairly clearcut defense.

Late 2021 to 2022: Chasing Clinton conspiracies

There’s a detail, though, that is all the more revealing given Durham’s failure to conduct an adequate investigation into these charges before indicting. As I noted last year, even after Sussmann was indicted, Durham refused the former Clinton lawyer’s demand for a list of the people on the Clinton campaign with whom he had coordinated his Alfa Bank efforts. It wasn’t until months later that it became clear — as Sussmann laid out in a filing — that Durham hadn’t even interviewed any of the people Sussmann purportedly coordinated with until after the indictment.

[T]he Special Counsel has alleged that Mr. Sussmann met with the FBI on behalf of the Clinton Campaign, but it was not until November 2021—two months after Mr. Sussmann was indicted—that the Special Counsel bothered to interview any individual who worked full-time for that Campaign to determine if that allegation was true.

Here’s what those interviews look like, as laid out in the Durham Report:

11/10/21: Jennifer Palmieri

11/12/21: Jake Sullivan

1/19/22: John Podesta (Russian Intelligence)

5/11/22: Hillary Clinton (Russian Intelligence)

Those questions weren’t focused on Sussmann, though. They were focused on Durham’s Clinton conspiracy, the claim that she had made a plan to frame Donald Trump.

During an interview of former Secretary Clinton, the Office asked if she had reviewed the information declassified by DNI Ratcliffe regarding her alleged plan to stir up a scandal between Trump and the Russians. 440 Clinton stated it was “really sad,” but “I get it, you have to go down every rabbit hole.” She said that it “looked like Russian disinformation to me; they’re very good at it, you know.” Clinton advised that she had a lot of plans to win the campaign, and anything that came into the public domain was available to her.

In addition, the Office interviewed several other former members of the Clinton campaign using declassified materials441 regarding the purported “plan” approved by Clinton.

The campaign Chairperson, John Podesta, stated that he had not seen the declassified material before, characterized the information as “ridiculous,” and denied that the campaign was involved in any such “plan.”442 Jake Sullivan, the campaign Senior Policy Advisor, stated that he had not seen the intelligence reporting before and had no reaction to it other than to say, “that’s ridiculous.”443 Although the campaign was broadly focused on Trump and Russia, Sullivan could not recall anyone articulating a strategy or “plan” to distract negative attention away from Clinton by tying Trump to Russia, but could not conclusively rule out the possibility. 444 The campaign Communications Director, Jennifer Palmieri, who was shown the Referral Memo, 445 stated that she had never seen the memorandum before, found its contents to be “ridiculous,” and could not recall anything “like this” related to the campaign. 446 She stated that Podesta, Mook, Sullivan and herself were aware of a project involving ties between Trump and Russia being conducted by Perkins Coie, the campaign law firm, but she did not think Clinton was aware of it, nor did she receive any direction or instruction from Clinton about the project.447

Another foreign policy advisor (“Foreign Policy Advisor-2”) confirmed that the campaign was focused on Trump and Russia, but that focus was due to national security concerns and not designed to distract the public from Clinton’s server issue. 448

Every single one of them called Durham’s conspiracy theories “ridiculous.”

For good reason. As I’ve laid out, the timeline Durham obscures, in which Trump’s rat-fucker had contact with Russia weeks before Hillary purportedly ginned up this plan, disproves the conspiracy theory.

Which explains something about the Sussmann trial — led by Andrew DeFilippis, the same AUSA who had willingly attempted to trump up a crime against John Kerry. Over and over, Durham’s prosecutors willfully ignored Judge Christopher Cooper’s orders, thereby introducing evidence with no evidentiary basis. They did so most blatantly when, minutes after Cooper ordered DeFilippis not to read from a paragraph of a Hillary Tweet calling on FBI to investigate the Alfa Bank allegations, he did so anyway, predictably leading the same outlets that wrote supine reviews of the Durham report to focus exclusively on something not before the jury.

After Judge Cooper said he would reserve his decision, Berkowitz noted that in fact, DeFilippis planned to use the tweet to claim the campaign wanted to go to the FBI when the testimony at trial (from both Elias and Mook) would establish that going to the FBI conflicted with the campaign’s goals.

[T]hey are offering the tweet for the truth of the matter, that that’s what the campaign desired and wanted and that it was an accumulation of the efforts.

Number one, it’s not the truth; and in fact, it’s the opposite of the truth. We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

And so we think that a tweet in October after there’s an article about it is being offered to prove something inconsistent with what actually happened.

Then, after both Elias and Mook had testified that they had not sanctioned Sussmann going to the FBI, DeFilippis renewed his assault on Cooper’s initial exclusion, asking to introduce it through Mook’s knowledge that the campaign had tried to capitalize on the Foer story.

Having ruled in the past that the tweet was cumulative and highly prejudicial, Cooper nevertheless permitted DeFilippis to introduce the tweet if he could establish that Mook knew that the campaign tried to capitalize on the Foer story.

But Cooper set two rules: The government could not read from the tweet and could not introduce the part of the tweet that referenced the FBI investigation. (I explained what DeFilippis did at more length in this post.)

THE COURT: All right. Mr. DeFilippis, if you can lay a foundation that he had knowledge that a story had come out and that the campaign decided to issue the release in response to the story, I’ll let you admit the Tweet. However, the last paragraph, I agree with the defense, is substantially more prejudicial than it is probative because he has testified that had neither — he nor anyone at the campaign knew that Mr. Sussmann went to the FBI, no one authorized him to go to the FBI, and there’s been no other evidence admitted in the case that would suggest that that took place. And so this last paragraph, I think, would unfairly suggest to the jury, without any evidentiary foundation, that that was the case. All right?

MR. DeFILIPPIS: Your Honor, just two brief questions on that.

THE COURT: Okay.

MR. DeFILIPPIS: Can we — so can we use — depending on what he says about whether he was aware of the Tweet or the public statement, may we use it to refresh him?

THE COURT: Sure. Sure.

MR. DeFILIPPIS: Okay. And then, as to the last paragraph, could it be used for impeachment or refreshing purposes as well in terms of any dealings with the FBI?

THE COURT: You can use anything to refresh.

MR. DeFILIPPIS: Okay.

THE COURT: But we’re not going to publish it to the jury. We’re not going to read from it. And let’s see what he says. [my emphasis]

Having just been told not to read the tweet, especially not the part about the FBI investigation, DeFilippis proceeded to have Mook do just that.

The exhibit of the tweet that got to the jury had that paragraph redacted and that part of the transcript was also redacted. But, predictably, the press focused on little but the tweet, including the part that Cooper had explicitly forbidden from coming into evidence.

In his report, Durham obscures the timeline of all this to falsely suggest that Hillary endorsed going to the FBI in September, before Sussmann met with the FBI, and not days before the election, when Franklin Foer reported the story.

On October 31, 2016 – about one week before the election – multiple media outlets reported that the FBI had received and was investigating the allegations concerning a purported secret channel between the Trump Organization and Alfa Bank. For example, Slate published an article that discussed at length the allegations that Sussmann provided to the FBI. 1530

Also on that day, the New York Times published an article titled Investigating Donald Trump, F.B.I. Sees No Clear Link to Russia. 1531 The article discussed information in the possession of the FBI about “what cyber experts said appeared to be a mysterious computer back channel between the Trump Organization and the Alfa Bank.” 1532 The article further reported that the FBI had “spent weeks examining computer data showing an odd stream of activity to a Trump Organization server,” and that the newspaper had been provided computer logs that evidenced this activity. The article also noted that at the time of the article, the FBI had not found “any conclusive or direct link” between Trump and the Russian government and that “Hillary Clinton’s supporters … pushed for these investigations.” 1533

As noted above, in the months prior to the publication of these articles, Sussmann had communicated with the media and provided them with the Alfa Bank data and allegations. 1534 Sussmann also kept Elias apprised of his efforts. 1535 Elias, in turn, communicated with the Clinton campaign’s leadership about potential media coverage of these issues. 1536

In addition, on September 15, 2016, Elias provided an update to the Clinton campaign regarding the Alfa Bank allegations and the not-yet-published New York Times article, sending an email to Jake Sullivan (HFA 1540 Chief Policy Advisor), Robby Mook (HFA Campaign Manager), John Podesta (HFA Campaign Chairman), and Jennifer Palmieri (HFA Head of Communications), which he billed to the Clinton campaign as “email correspondence with J. Sullivan, R. Mook, J. Podesta, J. Palmieri re: Alfa Bank Article.” 1541

On the same day that these articles were published, the Clinton campaign posted a tweet through Hillary Clinton’s Twitter account which stated: “Computer scientists have apparently uncovered a covert server linking the Trump Organization to a Russian-based bank.” 1542 The tweet included a statement from Clinton campaign advisor Jake Sullivan which made reference to the media coverage article and stated, in relevant part, that the allegations in the article “could be the most direct link yet between Donald Trump and Moscow[,]” that “[t]his secret hotline may be the key to unlocking the mystery of Trump’s ties to Russia[,]” and that “[w]e can only assume that federal authorities will now explore this direct connection between Trump and Russia as part of their existing probe into Russia’s meddling in our elections.”

In context, Durham falsely leaves the impression that Hillary supported going to the FBI in advance, even though both Robby Mook and Marc Elias testified that the last thing Hillary wanted to do was let the FBI get more involved in her campaign. In context, Durham falsely leaves the impression that Sussmann had sustained contacts with the NYT starting in September and never stopping, when the evidence he cites pertains exclusively to early September communications, after which Sussmann worked with the FBI to kill the story.

In a follow-up post, I will lay out just how grotesque Durham’s conspiracy theory is — the digital equivalent of slut-shaming a rape victim.

But for now, consider the abundant evidence that Durham didn’t investigate the charges he ultimately charged. He was far too busy, instead, pursuing this Clinton conspiracy theory he started chasing at least as early as February 2020.

Update: Added table showing the organization of Durham’s Report.


Dates

5/13/19: Preliminary review 

5/28/19: UK Legat-1

6/4/19: UK ALAT-1

6/17/19: SSA-1 (Steele Reports, Papadopoulos)

6/17/19: CIA Employee-1 (Page FISA)

6/18/19: SSA-1 (bias)

6/19/19: Case Agent-1 (defensive briefing, Steele Reports, Papadopoulos)

7/2/19: Handling Agent-1 (Page FISA)

7/2/19: NYFO ASAC-1 (Page FISA)

7/3/19: Michael Harpster (Steele Reports)

8/1/19: Mike Rogers

8/6/19: NYFO ADC-1

8/12/19: Randall Coleman (Clinton Foundation, Steele Reports)

8/12/19: Diego Rodriguez (Clinton Foundation)

8/14/19: HQ Analyst-3 

9/16/19: Cyber Agent-2 (Alfa)

10/17/19: SSA-2 (Clinesmith, Papadopoulos)

8/21/19: Case Agent-1

8/29/19: OGC Unit Chief-1 (bias, Australia referral, Page FISA)

9/5/19: NYFO Case Agent-1 (Page FISA)

10/9/19: Erika Thompson; Alexander Downer

12/9/19: DOJ IG Report

12/10/19: HQ Analyst-3 

1/6/20: David Johnson (Steele Reports)

1/15/20: NYFO Case Agent-1 (Clinton Foundation)

1/16/20: Diego Rodriguez (Clinton Foundation)

1/28/20: HQ Unit Chief-3 (Clinton Foundation)

2/6/20: Special Attorney to Attorney General (may reflect grand jury)

2/7/20: Jim Baker (defensive briefing)

2/13/20: Cyber Agent-3 (Alfa)

2/19/20: HQ Analyst-3 (Page FISA)

2/25/20: HQ Analyst-2 (Russian Intelligence, Clinesmith)

2/28/20: Jonathan Moffa (Russian Intelligence)

3/18/20: Paul Abbate (Clinton Foundation)

4/14/20: Field Office-1 Handling Agent-3 

4/23/20: Field Office-1 Handling Agent (Clinton Foundation)

4/23/20: Michael Harpster (Steele Reports)

5/1/20: Mueller SSA-1

5/5/20: Field Office-1 Handling Agent (Clinton Foundation)

5/6/20: Steele Reports

5/28/20: HQ SSA-4 (Clinton Foundation)

6/11/20: Jim Baker (Russian Intelligence)

6/18/20: Jim Baker (Russian Intelligence)

6/25/20: SA-2 (Steele Reports)

6/29/20: Michael Steinbach (initial EC)

6/30/20: Referral regarding existing counterintelligence investigation

7/1/20: OI Attorney (Page FISA)

7/8/20: Ray Hülser (Clinton Foundation)

7/14/20: Kevin Helson (Page FISA)

7/22/20: SSA-1 (Russian intelligence, Steele Report) 

7/23/20: OGC Unit Chief-1 (Page FISA)

7/28/20: Baltimore Special Agent-2 (Danchenko)

8/13/20: Baltimore Case Agent-1 (Danchenko)

8/13/20: CIA Employee-2 (Alfa)

8/19/20: IC Officer #6 (Russian Intelligence)

8/20/20: WFO Clinton Foundation Case Agent-1 

8/21/20: John Brennan (Russian Intelligence)

9/9/20: Acting OGC Section Chief-1 (Clinton Foundation)

9/10/20: Field Office-1 SAC

9/22/20: Field Office-1 Handling Agent-3

9/29/20: Patrick Fallon (Clinton Foundation)

9/29/20: John Ratcliffe shares Russian Intelligence with Lindsey Graham

10/19/20: Special Counsel appointment

10/27/20: OI Unit Chief-1 (Page FISA)

11/24/20: Kevin Helson (Danchenko)

12/8/20: HQ Supervisory Analyst-1 (Danchenko)

12/15/20: HQ SSA-3 (Alfa)

12/18/20: Baltimore Special Agent-1 (Danchenko)

12/21/20: Designation to use classified information

12/23/20: IC Officer#12 (Russian Intelligence)

12/20: Referral regarding accuracy of info in non-Page FISA (possibly Millian?)

2/2/21: Tech Company-1 Employee 1 (Alfa)

2/11/21: DARPA Program Manager-1 (Alfa)

2/25/21: Tech Company-1 Employee 1 (Alfa)

3/3/21: SSA-1 signed statement on Steele Reports

3/18/21: SSA-3 (Page FISA)

3/21/21: SA-1 (Page FISA)

4/8/21: Field Office-1 SSA-1

4/13/21: US Person-1 (Dolan Associate) (Danchenko)

4/14/21: Research Exec-1 (Alfa)

4/22/21: HQ Unit Chief-2

5/5/21: SSA-2  (bias, Page FISA, Danchenko, Clinesmith, Papadopoulos)

5/5/21: Field Office-1 Handling Agent-2 (second CI investigation)

6/21/21: David Archey (Defensive briefings)

6/29/21: CIA Employee-3 (Alfa)

6/30/21: OGC Attorney-1 (Page FISA)

6/30/21: Danchenko Employer-1 Exec-1 

7/7/21: Field Office-1 ASAC-1

7/9/21: Jennifer Boone

7/9/21: Tech Company-1 Employee 1 (Alfa)

7/21/21: Foreign Policy Advisor-1 (Russian Intelligence)

7/21/21: SSA-1 (Page FISA)

7/22/21: University-1 Researcher-1 (Alfa)

7/26/21: Brian Auten (bias, Russian Intelligence, Steele Reports)

7/27/21: Kevin Helson (Danchenko)

8/21: University-1 Researcher-2 (Alfa) [appears to be one 302 on more than one conversation]

8/9/21: NJ-Based Company Exec (Danchenko)

8/10/21: University-1 Researcher-3

8/11/21: Handling Agent-1 (Page FISA)

8/16/21: Mueller Analyst-1 (Danchenko)

8/12/21: Tech Company-3 Exec-1 (Alfa)

8/31/21: Charles Dolan (Danchenko)

8/31/21: Mueller SSA-1 (Danchenko)

9/7/21: Charles Dolan (Danchenko)

9/16/21: Michael Sussmann indictment

9/17/21: Brookings Fellow-1 (Danchenko)

10/21/21: UCE-1 (Papadopoulos)

10/27/21: Listrak Employee-1 and personnel (Alfa)

10/29/21: Mueller Analyst-1 (Danchenko)

11/1/21: Charles Dolan (Danchenko)

11/3/21: Danchenko indictment

11/17/21: Cendyn CEO and CTO (Alfa)

11/9/21: Jonathan Winer (Steele Reports)

11/10/21: Jennifer Palmieri

11/12/21: Jake Sullivan

11/16/21: Brookings Fellow-2 (Danchenko)

11/17/21: Cendyn CEO and CTO (Alfa)

12/2/21: HQ Analyst-3 (Steele)

11/20/21: Victoria Nuland

11/30/21: Victoria Nuland (Steele Reports)

12/13/21: James Clapper

1/19/22: John Podesta (Russian Intelligence, Alfa)

2/2/22: David Cohen

2/5/22: Sergei Millian (Danchenko)

3/1/22: Handling Agent-1 (Page FISA)

3/28/22: Foreign Policy Advisor-2

5/11/22: Hillary Clinton (Russian Intelligence)

6/22/22: SSA-1 (Russian Intelligence)

8/9/22: Ritz GM (Danchenko)

12/14/22: Referral to DOD IG on DARPA

How the Government Proved Their Case against John Podesta’s Hacker

We’re almost seven years past the hack of the DNC, and self-imagined contrarians are still clinging to conspiracy theories about the attribution of that and related hacks. In recent weeks, both Matt Taibbi and Jeff Gerth dodged questions about the attribution showing Russia’s role in the hack-and-leak by saying that the Mueller indictment of twelve GRU officers would never be tested in court (even while, especially in Gerth’s case, relying on unsubstantiated claims in John Durham indictments from his two failed prosecutions).

And while it’s likely true that DOJ will never extradite any of those twelve men to stand trial, DOJ did successfully convict one of their co-conspirators on a different hack: the hack-and-trade conspiracy involving Vladimir Klyushin and accused John Podesta hacker, Ivan [Y]Ermakov.

(The Mueller indictment and Ermakov’s second US indictment, for hacking anti-doping agencies, transliterated his name with a Y, the Boston one does not.)

That trial provides a way to show how DOJ would prove the 2018 indictment if one of the twelve men charged ever wandered into a jurisdiction with an extradition treaty with the US.

As laid out at trial, between 2018 and 2020, the co-conspirators hacked two securities filing agencies, Toppan Merrill and Donnelly Financial, to obtain earnings statements in advance of their filing, then traded based off advance knowledge of earnings. Klyushin was one of seven people (two charged in a separate indictment, three who were clients of Klyushin’s company M-13) who did the trading. Ermakov didn’t trade under his own name. He may have been compensated for Klyushin’s side of the trades with a Moscow home and a Porsche. But at least as early as May 9, 2018, forensic evidence introduced at trial shows, an IP address at which Ermakov’s iTunes account had just gotten updates was used to steal some of the filings.

Ermakov did not show up in a courtroom in Boston to stand trial and Klyushin has launched a challenge to his conviction that rests entirely on a challenge to venue there. But the jury did convict Klyushin on the hacking charge along with the trading charges, meaning a jury has now found DOJ proved Ermakov’s hacking beyond a reasonable doubt.

And they did it using the same kind of evidence cited in the Mueller indictment.

The crime scene

Start with the crime scene: the servers of the two filing agencies victimized in the hack-and-trade, Toppan Merrill and Donnelly Financial.

According to the trial record, neither figured out they had been hacked on their own. As the FBI had tried to do for months beforehand in the case of the DNC, a government agency, the SEC, had to tell them about it. The SEC had seen a number of Russians making big, improbable stock trades from clients of the two filing agencies, all in the same direction, and wanted to know why. So it sent subpoenas to both companies.

As the DNC did with CrowdStrike in 2016, both filing agencies hired an outside incident response contractor — Kroll Cyber in the case of Toppan Merrill, Ankura in the case of Donnelly Financial — to conduct an investigation.

The lead investigators from those two contractors were the first witnesses at trial. Each explained how they had been brought in in 2019 and described what they found as they began investigating the available logs, which went back six months, a year, and two years, depending on the type and company. The witness from Kroll described finding signs of hacking in Toppan Merrill’s logs:

The Ankura witness described how they first found the account of employee Julie Soma had been compromised, then used the IP addresses associated with that compromise to find other employees whose accounts were used to download reports or other unauthorized activity.

In sum, the two incident response witnesses described providing the FBI with the forensic details of their investigation — precisely the same thing that CrowdStrike provided to FBI from the DNC hack. There’s not even evidence that they shared a full image of the filing agencies’ servers (though an FBI agent described going back to Donnelly to search for the domain names behind the intrusions that Kroll had found at Toppan Merrill), which was one of the first conspiracy theories about the DNC hack Republicans championed: that the FBI failed to adequately investigate the DNC hack because it didn’t insist on seizing the actual victim servers during the middle of an election.

The forensic evidence wasn’t the only evidence submitted at trial from the crime scene. One after another of the employees whose credentials had been misused testified. Each described why they normally accessed customer records, if at all, how and when they would normally access such records, and from what locations they might access corporate servers remotely, including their use of the corporate VPN. Julie Soma — the Donnelly employee whose credentials were used most often to download customer filings — described that she would never have done what was done in this case, download one after another filing from Donnelly customers in alphabetical order.

Q. Would you ever go from client to client and alphabetically access those types of documents?

A. No.

Both interview records from the Mueller investigation (one, two, three) and documents from the Michael Sussmann case show that the FBI did similar interviews in the DNC hack. The Douglass Mackey trial, too, featured witnesses describing how the Hillary campaign identified that attack on the campaign as well.

In proving their case against John Podesta’s hacker, DOJ presented witness testimony that eliminated insiders as the culprit.
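The access pattern Soma described, one account opening filing after filing across clients in alphabetical order, is something a log review can test for directly. The following is an added example, not code from the trial record or either contractor; the log format, account names, client names, address ranges and thresholds are all constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

Access = namedtuple("Access", "when user ip client")

CORPORATE_VPN = [ip_network("198.51.100.0/24")]  # constructed VPN egress range
MAX_GAP = timedelta(minutes=10)  # a longer pause ends the current run
MIN_RUN = 5                      # distinct clients in order before flagging

# Constructed log: timestamp, account, source IP, client whose filing was opened.
SAMPLE_LOG = """\
2020-01-14T09:02:11 jdoe 198.51.100.23 Meridian Foods
2020-01-14T09:05:40 jdoe 198.51.100.23 Alder Energy
2020-01-14T09:09:02 jdoe 198.51.100.23 Meridian Foods
2020-01-15T03:11:05 asmith 203.0.113.77 Abbot Tools
2020-01-15T03:11:52 asmith 203.0.113.77 Acme Retail
2020-01-15T03:12:30 asmith 203.0.113.77 Acme Retail
2020-01-15T03:13:08 asmith 203.0.113.77 Alder Energy
2020-01-15T03:14:41 asmith 203.0.113.77 Birch Pharma
2020-01-15T03:15:19 asmith 203.0.113.77 Cobalt Mining
2020-01-15T03:16:03 asmith 203.0.113.77 Delta Freight
2020-01-15T10:30:00 asmith 198.51.100.40 Cobalt Mining
2020-01-15T10:34:00 asmith 198.51.100.40 Acme Retail
"""


def parse_log(text):
    """Turn each non-empty line into an Access record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, ip, client = line.split(maxsplit=3)
        events.append(Access(datetime.fromisoformat(when), user,
                             ip_address(ip), client.strip()))
    return events


def alphabetical_runs(events):
    """Yield (user, ip, run) for each run of distinct clients that one account
    opened in ascending alphabetical order from one source address."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[(ev.user, ev.ip)].append(ev)
    for (user, ip), evs in by_source.items():
        evs.sort(key=lambda e: e.when)
        run, last_seen = [evs[0]], evs[0].when
        for ev in evs[1:]:
            same = ev.client.casefold() == run[-1].client.casefold()
            ordered = ev.client.casefold() > run[-1].client.casefold()
            if ev.when - last_seen <= MAX_GAP and (same or ordered):
                if ordered:          # a repeat hit on the same client keeps
                    run.append(ev)   # the run alive without lengthening it
            else:
                yield user, ip, run
                run = [ev]
            last_seen = ev.when
        yield user, ip, run


def find_suspicious(events):
    """Report runs of at least MIN_RUN clients, noting whether the source
    address falls outside the corporate VPN ranges."""
    findings = []
    for user, ip, run in alphabetical_runs(events):
        if len(run) < MIN_RUN:
            continue
        findings.append({
            "user": user,
            "ip": str(ip),
            "off_vpn": not any(ip in net for net in CORPORATE_VPN),
            "clients": [ev.client for ev in run],
            "start": run[0].when,
            "end": run[-1].when,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```

Ordinary work by the same accounts (out-of-order lookups, revisits to one client) produces only short runs and is not reported.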

Fingerprinting

Having established the forensic data tied to intruders through the incident response contractors, prosecutors then called FBI agents as witnesses to describe how — largely through the use of IP addresses obtained using subpoenas or pen registers and the materials found in the suspects’ iCloud accounts — they tied Klyushin’s company, M-13, to both the hacking and the trading.

The trading was fairly easy: the co-conspirators accessed the two online brokers used to execute the trades under their own names and from IP addresses tied to M-13. An SEC witness described in detail how trades always shortly followed hacks but preceded the public filing of earnings statements.

Tying M-13 to the hacking took a few more steps.

For the hacking conducted via the domains Kroll identified, the FBI first found the account that registered the domains. Each was registered under a different name, but each of the names was based on a Latvian-based email service and used similar naming conventions. Each had been accessed from the same set of 3 IP addresses.

For IPs that Kroll identified, the FBI found BitLaunch servers created by an account in the name of Andrea Neumann, which was controlled from one of the same IP addresses that had registered the domain names. The FBI got search warrants to obtain images of those BitLaunch servers.

Another IP address used to steal filings, several FBI agents explained, was from an Italian-run VPN, AirVPN. The FBI used a pen register to show that someone accessed AirVPN from the M-13 IP address during the same period when the AirVPN IP was stealing records from the filing companies. The FBI also showed that Klyushin had accessed his bank at the same time from that same IP address. The FBI also showed that eight common IP addresses had accessed Ermakov’s iTunes account and the AirVPN IP address (in this case, the access was not at the same time because the FBI only had a pen register on the VPN for two months in 2020). While FBI witnesses couldn’t show that the specific activity tied to an AirVPN IP at the victim companies tied back to M-13, they did show that both Klyushin and Ermakov routinely used AirVPN.

Plus there were the filing thefts — noted above — that were done on May 9, 2018 using the same IP address that, four minutes earlier, had downloaded an Apple update from Ermakov’s iTunes account. As I’ve noted repeatedly, before Ermakov was first indicted by Mueller, he had already left a smoking gun in the servers at Donnelly in the form of IP activity that the FBI obtained over a year later inside the US.
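The linkage the agents testified to rests on one join: the same IP address appearing in the victim's logs and in provider records, with a match minutes apart carrying far more weight than a match months apart, since addresses get reassigned and shared. The following is an added sketch of that join, not the FBI's tooling; all records, account labels and the 15-minute window are constructed assumptions.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed threshold for a "same session" match

# Constructed victim-side events: (timestamp, source IP, what was done).
INTRUSIONS = [
    ("2019-03-04T02:14:00", "203.0.113.50", "filing download"),
    ("2019-03-04T02:19:30", "203.0.113.50", "filing download"),
    ("2019-04-11T01:05:00", "192.0.2.8", "login"),
    ("2019-05-02T23:40:00", "198.51.100.9", "login"),
]

# Constructed provider-side records obtained by legal process:
# (timestamp, client IP the provider logged, account).
PROVIDER_RECORDS = [
    ("2019-03-04T02:10:00", "203.0.113.50", "acct-A"),
    ("2019-01-20T12:00:00", "192.0.2.8", "acct-A"),
    ("2019-04-11T09:30:00", "192.0.2.8", "acct-B"),
    ("2019-05-02T23:00:00", "203.0.113.99", "acct-B"),
]


def correlate(intrusions, provider_records, window=WINDOW):
    """Link accounts to intrusion events by source address.

    Returns {account: {"timed": [(ip, action, gap), ...], "shared_ips": set}}.
    "timed" holds matches where the provider saw the account on that address
    within `window` of the intrusion event; "shared_ips" holds every address
    the account has in common with the intrusion, regardless of timing.
    """
    by_ip = defaultdict(list)
    for ts, ip, account in provider_records:
        by_ip[ip].append((datetime.fromisoformat(ts), account))
    for recs in by_ip.values():
        recs.sort()

    links = defaultdict(lambda: {"timed": [], "shared_ips": set()})
    for ts, ip, action in intrusions:
        when = datetime.fromisoformat(ts)
        recs = by_ip.get(ip, [])
        for _, account in recs:
            links[account]["shared_ips"].add(ip)
        # Walk only the provider records inside [when - window, when + window].
        lo = bisect_left(recs, (when - window,))
        for seen, account in recs[lo:]:
            if seen > when + window:
                break
            links[account]["timed"].append((ip, action, abs(when - seen)))
    return dict(links)


def rank(links):
    """Order accounts by strength of linkage: timed matches first, then the
    number of shared addresses, then name for a stable result."""
    return sorted(
        links,
        key=lambda a: (-len(links[a]["timed"]), -len(links[a]["shared_ips"]), a),
    )


if __name__ == "__main__":
    result = correlate(INTRUSIONS, PROVIDER_RECORDS)
    for account in rank(result):
        print(account, result[account])
```

In the sample, acct-A used the intruding address four minutes before the first download, while acct-B merely shares an address hours apart, which on its own shows much less.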

In fact, much of the evidence used to prove this case (particularly establishing the close relationship between the conspirators) came from Apple, including WhatsApp chats saved in Klyushin and other co-conspirators’ iCloud accounts. We know Mueller used the same source of evidence. In March of this year, emails stolen by hacktivists revealed, Apple informed another of the GRU officers charged in the DNC hack that the FBI had obtained material from his Apple account in April 2018, in advance of the Mueller indictment.

The indictment likely also relied on warrants served on Google, especially on Ermakov’s account. The Mueller indictment (as well as the later anti-doping one) attributes much of the reconnaissance conducted in advance of the hacks to Ermakov: the names of some victims; information on the DNC, the Democratic Party, and Hillary; how to use PowerShell (which would be used against Toppan Merrill); and CrowdStrike’s reporting on GRU tools. If he did this research via Google, it would all be accessible with a warrant served on the US tech company.

The getaway car

One pervasive conspiracy theory about the Mueller indictment stems from testimony that Shawn Henry gave to the House Intelligence Committee in December 2017, describing that CrowdStrike did not see the data exfiltrated from the DNC servers. Denialists claim that is proof that the information was never exfiltrated by the GRU hackers. The conspiracy theory is ridiculous in any case, since there were so many other Russian hacks involving so many other servers, including servers run by Google and Amazon that had a different kind of visibility on the hack (something that Henry alluded to in his testimony), and since the indictment describes that the DNC hackers destroyed logs to cover their tracks.

But the Klyushin trial featured testimony about a tool used in the hack-and-trade conspiracy that has a parallel in the DNC hack: the AMS panel, hidden behind an overseas middle server, which the Mueller indictment described this way:

X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their “AMS” panel. KOZACHEK, MALYSHEV, and their co-conspirators logged into the AMS panel to use X-Agent’s keylog and screenshot functions in the course of monitoring and surveilling activity on the DCCC computers. The keylog function allowed the Conspirators to capture keystrokes entered by DCCC employees. The screenshot function allowed the Conspirators to take pictures of the DCCC employees’ computer screens.

[snip]

On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the connection between malware at the DCCC and the Conspirators’ AMS panel. On or about April 20, 2016, the Conspirators directed X-Agent malware on the DCCC computers to connect to this middle server and receive directions from the Conspirators.

[snip]

For example, on or about April 22, 2016, the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois.

In the hack-and-trade conspiracy, the hackers set up a similar structure, using the servers given names like “developingcloud” and “finshopland” as reverse proxies, with a final server behind them all executing orders on the hacked servers at Toppan Merrill (and the implication is, Donnelly, though the forensics came from Toppan Merrill via Kroll). The “computers numbered 1 through 7” in what follows are the servers identified by Kroll stealing earnings filings from Toppan Merrill.

A. So this is a digital depiction of the servers that I examined on the right there, so they each have a number on them, 1 through 9.

Q. Let me focus you first on the computers numbered 1 through 7. Do you see them there?

A. Yes.

Q. Are they kind of in a sideways V configuration?

A. Yes.

Q. Okay. And what do computers 1 through 7 show on this Exhibit DDD?

A. They functioned as gatekeepers for the furthest machine to the right, server number 8.

Q. And when you say “gatekeeper,” is there a technical term for that?

A. Yes. So the technical term is a “reverse proxy.”

Q. Can you explain to the jury, in an easy for me to understand way, what a reverse proxy or gatekeeper is in this chart, 1 through 7.

A. Yes. So in this chart, it would function — so the seven that are in that V formation, they would pass traffic to server number 8, if it was coming from an infected machine; and if it was something else, it would send the traffic to some other website.

This structure would have made it impossible for Toppan Merrill to understand the source or function of the anomalous traffic on its servers because any attempt to do so would be redirected away from the control server.

But not the FBI, because they obtained images of the servers with a warrant.

The forensic witness describing this structure showed, command by command, that the forensic clues identified by Kroll on the Toppan Merrill servers were controlled via that final server running PowerShell (the same tool that Mueller alleged Ermakov researched during the DNC hacks in 2016).

Q. And is there something on this log that you found that tells you the name of the program that was running on the victim’s computer at Toppan Merrill?

A. Yes, the process name line, and that reads rdtevc.

Q. And is process another name for computer program?

A. Yes.

Q. So this is a log that shows that a program named RDTEVC was running on a Toppan Merrill computer, right?

A. Yes.

Q. But it’s stored in the hacker computer?

[snip]

Q. And what does PowerShell do? You can call it anything, right? You can call it RDTEVC?

A. That’s probably a randomly chosen name.

Q. But no matter what it’s called, what does it do?

A. So it allows it to be remotely controlled and accessed.

Q. Allows what to be remotely controlled and accessed?

A. The infected machine.

The same forensic expert explained that he didn’t find any downloads of stolen files.

But he also explained why.

He had also found secure tunnels, readily available but similar in function to a proprietary GRU tool CrowdStrike found in the DNC server. As he described, these would be used to transfer data in encrypted form, making it impossible to identify the content of the data while it was in transit.

Q. Mr. Uitto, are you familiar with the concept of exfiltration?

A. Yes.

Q. Big word, but what does it mean?

A. It means to steal data, take data.

Q. And in your review, did you find evidence — you told Mr. Nemtsev you didn’t find evidence of the taking of data from the victim computers to these particular hacker servers; is that right?

A. That’s right, but I did see secure tunnels that were created.

Q. So when you say there were secure tunnels, were you able to tell what was going through those secure tunnels?

A. No.

Q. Those were encrypted, right?

A. Yes.

Q. So you actually don’t know whether or not there was financial information in those tunnels?

A. That’s correct.

Q. Or sports scores or anything?

A. That’s correct.

Q. It’s encrypted.

A. Yes.

[snip]

Q. What role does encryption serve in this hacker architecture?

[snip]

A. Yes, so it can be used to hide data or information.

Q. So if it’s encrypted, we can’t know what’s being passed?

To prove the hack, you would have to — and FBI did, in both cases — prove that the stolen data made it to the end point.

This testimony is important for more than explaining where you’d need to look to find proof of a hack (at the end points). It shows the import of understanding not just the crime scene and those end points, but the infrastructure used to control the hack and exfiltrate the data. With both the hack-and-trade conspiracy and the hack of the DNC, the FBI got forensics about the victim from the incident response contractors, but they obtained the data from these external servers directly, with warrants.

The denialists looking for proof in the DNC server were focused on just the crime scene, but not what I’ve likened to a getaway car, one to which the FBI had direct access but CrowdStrike did not.

Follow the money

Another specialized kind of fingerprint prosecutors used to prove the case against Klyushin parallels the one in the Mueller indictment (and, really, virtually all hacking cases these days): the cryptocurrency trail. As the Mueller indictment explained, the hackers who targeted the DNC used the same cryptocurrency account to pay for different parts of their infrastructure, thereby showing they were all related.

The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected]. The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.

[snip]

For example, between on or about March 14, 2016 and April 28, 2016, the Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.

By following the money, prosecutors were able to show the jury how these pieces of infrastructure fit together.

In the case of the hack-and-trade, the conspirators did nothing fancy to launder the cryptocurrency used in the operation. The servers obtained in the name of Andrea Neumann were paid using three successive cryptocurrency accounts, each with different names but accessed from the same IP address. The third name was Wan Connie. An interlocked Wan Connie email account had been accessed from M-13’s IP address. So while the cryptocurrency itself couldn’t tie the conspirators to the hack, the interlocked infrastructure did.

The conspiracy

To prove the hack, prosecutors at trial showed how the FBI had used evidence from the crime scene, the “getaway” car, the money trail, and evidence obtained at the end point from iCloud accounts to tie the hack back to Ermakov personally and M-13 more generally. The biggest smoking gun came from matching the IP addresses to which Ermakov got his iTunes updates to the infrastructure used in the hack (or, in the case of the May 9, 2018 thefts, directly to someone exploiting Julie Soma’s stolen credentials).

All that was left in the Klyushin case was proving the conspiracy, showing that Klyushin and others had used this stolen information to make millions by trading in advance of earnings announcements. This would be the functional equivalent of tying the records stolen from Democrats (and some Republicans) to their release via Guccifer 2.0, dcleaks, and WikiLeaks.

At Klyushin’s trial, the government proved the conspiracy via two means: an SEC analyst presented a bunch of coma-inducing analysis showing how the trades attributed to online brokerage accounts that Klyushin and others had in their own names lined up with the thefts. The analyst explained that it would be virtually impossible to see those trading patterns by chance.

More spectacularly, prosecutors introduced Klyushin’s role with a bunch of pictures establishing that he was “besties” with Ermakov (and, eventually, that there were unencrypted and encrypted communications, along with a picture of Klyushin’s yacht, sent via Ermakov to two guys in St. Petersburg who didn’t work for M-13 but who were making the same pattern of trades); I looked at some of that evidence here. One picture found in Klyushin’s account showed Ermakov, crashed on a chair, wearing an M-13 sticker, taken in the same period as some of the logs provided by Kroll showed hacking activity. About the only thing the FBI found in Ermakov’s iCloud account was the online brokerage account used to execute the insider trading, in Klyushin’s name, but that tied him to the trading side of the conspiracy.

As their trades began to attract attention, Ermakov and another M-13 employee attempted to craft cover stories, evidence of which prosecutors found via Apple. Prosecutors even introduced Threema chats in which Ermakov told Klyushin, his boss, not to share details about their trading clients or he might end up a defendant in a trial.

He did.

And at that trial, prosecutors were able to prove a hacking conspiracy against Klyushin using evidence and victim testimony from the crime scene, but also from other data readily available with a subpoena or warrant inside the US.

Update: Tweaked language describing secure tunnels.

“I wanted to infect everything:” The Curiously Expert Pathologies of FBI Informant, Microchip

I’ve now read the substantive transcripts in the trial of Douglass Mackey, the far right troll who was convicted last month of conspiring to violate the voting rights of Hillary voters in the 2016 election.

As I noted in my first write-up of the verdict, the case has lessons that remain quite pressing, as loud boys on, who own, and claim to be interested in regulating Twitter attempt to make the site more welcoming to far right election disinformation. I plan to write that up.

Before I do, though, I want to talk about Microchip, the cooperating witness who pled guilty to the same conspiracy as part of a cooperation agreement in 2022.

We first learned the FBI had a cooperating witness on March 8 of this year, when Judge Nicholas Garaufis ordered the government to unseal its request to keep its informant’s identity secret. The filings in that discussion did not describe much about the timing or scope of his cooperation, other than that those he is targeting have the technical skills that might lead to him being hacked if he were discovered.

The fact of the CW’s cooperation is sure to be seen by many in that community as a profound betrayal, with the result that, at a minimum, online harassment is bound to follow the CW should his or her identity become a matter of public record. That harassment can have negative consequences in and of itself. In addition, to claim that intense online attacks do not endanger a person’s physical safety is to ignore the reality of our current world, as evinced in common newspaper headlines. See, e.g., Sheera Frenkel, The Storming of Capitol Hill Was Organized on Social Media, N.Y. TIMES, Jan. 6, 2021, available at https://www.nytimes.com/2021/01/06/us/politics/protesters-storm-capitol-hillbuilding.html; Eric Lipton, Man Motivated by “Pizzagate” Conspiracy Theory Arrested in Washington Gunfire, N.Y. TIMES, Dec. 5, 2016, available at https://www.nytimes.com/2016/12/05/us/pizzagate-comet-ping-pong-edgar-maddisonwelch.html. It is simply (and regrettably) a fact of the times that many acts of politically motivated violence in current society arise from campaigns of online harassment.

Beyond the risk to the CW, the potential consequences include the disruption of the CW’s ongoing work with the FBI. It is certainly true that the nature of this work is online and anonymous, but, if the CW’s name and location were to become known, the CW would become a target for all who believe that they might be under investigation (whether they are or not). Given the technical proficiency of those with whom the CW associates, it is not difficult to envision multiple scenarios in which the CW’s online work could be jeopardized by way of a cyberattack (at a minimum).

Microchip’s identity can’t be that well protected. As soon as this pre-trial discussion was posted, Mackey’s lawyer, Andrew Frisch, contacted the government to tell them he had learned of the informant’s real identity independently (possibly via Anthime “Baked Alaska” Gionet) and at least one researcher I’ve spoken with since seems to have a plausible theory as to his real identity.

But I assumed, based on those filings, that Microchip had flipped in advance of Mackey’s arrest.

The actual details are more complicated — and a bit unpersuasive, as AUSA William Gullotta got Microchip to explain in his testimony on March 23.

The thing I find most unbelievable is Microchip’s claim that he only joined Twitter — in any capacity — in July 2015, just months before he started playing a central and expert role in expanding the reach of anti-Hillary trolling.

Q When did you start using Twitter?

A Back in around July of 2015.

Q When did you start using the alias Microchip on Twitter?

A Anywhere from November 2015 through March 2016, somewhere around there.

I find this claim so surprising because, in his description of his trolling, Microchip described the kind of Twitter expertise that normally takes years to build. And two 2017 articles celebrating Microchip’s expertise (Buzzfeed, Politico) describe that he exhibited expertise from the start of his identity in November 2015.

For example, Microchip described how — the implication is all of his engagement was Microchip — he used various levels of operational security to succeed in creating new accounts anonymously, from the start.

Q When you would set up your accounts, did you set them up anonymously?

A I did.

Q How do you go about doing that?

A Using virtual private networks or proxy IP address services.

Q What’s a virtual private network?

A It’s, basically, somebody who sets up servers across the world in different locations and then you can tie into that service so you appear as if you are at that location and then they feed the internet through that.

Q So it would mask your true location from Twitter?

A That’s right.

Q What other information did you need to provide to Twitter to set up a new account?

A Yes, you need an email address or a phone number or both.

Q So would you just set up anonymous email addresses —

A Oh, yeah, through Google, Gmail, you set up an account and then you set up a Google Voice account and then if you need to change a phone number on that, you pay ten bucks and you get a new phone number.

His description of various means to exploit Twitter to inject extremist views into the mainstream come off as pathological … but extremely savvy.

Q And why would you want it to be on a trending list?

A Because I wanted our message to move from Twitter into regular society and part of that would be — well it’s based on the idea that, you know, back then maybe — I don’t know, 10 to 30 percent of the US population was on Twitter, but I wanted everybody to see it, so I had figured out that back then, news agencies, other journalists would look at that trending list and then develop stories based on it.

Q What does it mean to hijack a hashtag?

A So I guess I can give you an example, is the easiest way. It’s like if you have a hashtag — back then like a Hillary Clinton hashtag called “I’m with her,” then what that would be is I would say, okay, let’s take “I’m with her” hashtag, because that’s what Hillary Clinton voters are going to be looking at, because that’s their hashtag, and then I would tweet out thousands of — of tweets of — well, for example, old videos of Hillary Clinton or Bill Clinton talking about, you know, immigration policy for back in the ’90s where they said: You know, we should shut down borders, kick out people from the USA. Anything that was disparaging of Hillary Clinton would be injected into that — into those tweets with that hashtag, so that would overflow to her voters and they’d see it and be shocked by it.

Q Is it safe to say that most of your followers were Trump supporters?

A Oh, yeah.

Q And so by hijacking, in the example you just gave a Hillary Clinton hashtag, “I am with her,” you’re getting your message out of your silo and in front of other people who might not ordinarily see it if you just posted the tweet?

A Yeah, I wanted to infect everything.

Q Was there a certain time of day that you believed tweeting would have a maximum impact?

A Yeah, so I had figured out that early morning eastern time that — well, it first started out with New York Times. I would see that they would — they would publish stories in the morning, so the people could catch that when they woke up. And some of the stories were absolutely ridiculous — sorry. Some of the stories were absolutely ridiculous that they would post that, you know, had really no relevance to what was going on in the world, but they would still end up on trending hashtags, right? And so, I thought about that and thought, you know, is there a way that I could do the same thing.

And so what I would do is before the New York Times would publish their — their information, I would spend the very early morning or evening seeding information into random hashtags, or a hashtag we created, so that by the time the morning came around, we had already had thousands of tweets in that tag that people would see because there wasn’t much activity on Twitter, so you could easily create a hashtag that would end up on the trending list by the time morning came around.

Perhaps most chilling is his description of how participants in this anti-Hillary trolling knew there was nothing to the John Podesta emails they made the focus of their October 2016 trolling.

It didn’t matter. They didn’t care.

They were aiming to cause chaos to hurt Hillary’s chances of winning.

Q What was it about Podesta’s emails that you were sharing?

A That’s a good question.

So Podesta’s emails didn’t, in my opinion, have anything in particularly weird or strange about them, but my talent is to make things weird and strange so that there is a controversy. So I would take those emails and spin off other stories about the emails for the sole purpose of disparaging Hillary Clinton.

T[y]ing John Podesta to those emails, coming up with stories that had nothing to do with the emails but, you know, maybe had something to do with conspiracies of the day, and then his reputation would bleed over to Hillary Clinton, and then, because he was working for a campaign, Hillary Clinton would be disparaged.

Q So you’re essentially creating the appearance of some controversy or conspiracy associated with his emails and sharing that far and wide.

A That’s right.

Q Did you believe that what you were tweeting was true?

A No, and I didn’t care.

Q Did you fact-check any of it?

A No.

Q And so what was the ultimate purpose of that? What was your goal?

A To cause as much chaos as possible so that that would bleed over to Hillary Clinton and diminish her chance of winning.

Microchip was actually one of the people who, on October 30, 2016, brought the idea of getting Hillary voters to vote from home from 4Chan to the War Room where anti-Hillary trolls workshopped ways to make it more realistic and ensure that Trump voters wouldn’t also fall for the meme.

Text telling Hillary voters to tweet Hillary on November 8.

And, as he described it, during 2016, Microchip was paying up to $500 a month, between two services, to use bots to expand the reach of right wing trolling.

A Yeah, so one of the first services to kind of seed the followers was a service called Add Me Fast, A-D-D, M-E, F-A-S-T, and that service is kind of like a peer networking service where I would insert the tweet into that service, somebody else would insert a tweet and then, we would retweet each other’s information, right? And you could gain points doing that and, if you accumulate points, you can then expend those on likes, followers, retweets. So that service, I would spend sometimes $300 a month on it. That would give you around a thousand to three thousand retweets, likes, or follows.

[snip]

Another step is using Fast Followerz and that’s F-A-S-T and then F-O-L-L – –

Q O-W-E-R-S?

A Yeah, but it’s with a “Z,” it’s with a Z at the end. .com, yeah. And that service you spends like, a monthly fee of, you know, a hundred to two hundred, sometimes three hundred bucks a month. And they have control of all the bots, so you don’t actually retweet anything, but you put in your Twitter handle or you put in a tweet that you want to get retweeted, and the service that I would use would be 50 to a hundred followers, something like that, a day, and then those followers would also retweet or “like” my tweets anywhere from three to five times.

No one explained where Microchip came up with $500 a month to make anti-Hillary trolling go viral.

On cross-examination, however, Mackey’s lawyer, Frisch, did get Microchip to admit that when he started cooperating with the FBI on this case in 2021, he had both IRS and bankruptcy debts.

Also on cross, Microchip described that he’s not paid for any of the assistance he provides to the FBI — though as he prepared for the trial in February, he described liking the “structure” working with the FBI provided his life.

Q Without telling us what you’re doing, how often do you do this work for the FBI?

A As often as needed, essentially.

Q You’re not getting paid for it; right?

A That’s right.

Q In fact — in fact, you met with the FBI on or about February 23, 2023, earlier, about a month ago; do you remember that? Mr. Paulson was there, Mr. Gullotta was there. All three prosecutors were there.

A Yeah, I think that was here in Brooklyn.

Q And you asked — you said — you said — do you recall saying that you wanted to keep working with the FBI because the FBI provided a structure that was valuable to you?

[Frisch refreshes his memory with his 302]

Q And that’s what you said; right?

A Yes.

While the trial showed that Mackey was important to the effort to suppress the votes of Black and Latino Hillary voters because he had so much reach, particularly among the more general public in 2016, Microchip — who claims to have been a newb Twitter user in July 2015 — seems to have played a more important role in professionalizing all aspects of the anti-Hillary campaign.

Mackey made these memes popular; Microchip made them work.

Which makes the timeline more curious. By all appearances, the FBI knew of Microchip long before they charged Mackey, starting in 2018 (about eight months after Mackey was first IDed). That’s when he first offered to cooperate with the FBI.

A No. I talked to the FBI about being useful to them when they came and actually talked to me the first time. I discussed with the FBI in the car at my residence at the time. We actually sat in the car outside of my home, and I talked to them about my use of technology and how it could possibly be useful to whatever they might be working on.

They seem to have paid him a visit, as well, as they prepared to charge Mackey in December 2020. But even in spite of the fact that his key role in preparing anti-Hillary memes would have been readily obvious in warrants served on Twitter in advance of charging Mackey, the FBI didn’t charge Microchip along with Mackey in January 2021.

And only as they looked closer after he reached out did they decide they needed him to plead guilty.

Timeline

July 2015: Microchip joins Twitter

November 2015: Microchip starts to create his persona

April 5, 2017: BuzzFeed article quoting Microchip claiming, “it’s all us, not Russians,” and describing how he turned to Twitter in response to the November 2015 terror attacks in Paris

August 9, 2017: Politico article describing Microchip as an “early player” in hard-right Twitter chatrooms starting in November 2015

December 17, 2018: FBI questions Microchip about July 2018 online threat

December 15, 2020: Second contacts with FBI, including Megan Rees (about which Microchip tells Baked Alaska), Microchip lawyers up

January 27, 2021: Mackey arrest

February 4, 2021: Microchip’s lawyer reaches out to FBI, broaches cooperation

April 22, 2021: Formal proffer with government

June 2021: First of several agreements to toll statutes of limitation

April 14, 2022: Guilty plea

“That’s How … You End Up as a Defendant in a Court Room:” Some Days in the Life of a Named-and-Shamed Former GRU Hacker, Ivan Ermakov

In early 2018, Ivan [Y]Ermakov,* one of the hackers alleged to have stolen John Podesta’s emails two years earlier, was living it up.

For his April 10 birthday that year, he went on a stunning heli-ski trip with his future co-conspirator, Vladislav Klyushin (Ermakov is on the left in this picture, Klyushin, on the right and in the Featured Image picture).

In summer 2018, they were enjoying the Sochi World Cup together, too.

Just days after this trip to Sochi, however, on July 13, 2018, Robert Mueller would indict Ermakov, along with eleven of his former GRU colleagues, for hacking the DNC, DCCC, Hillary Clinton, election vendors, and registration websites, as well as orchestrating the release of the stolen files.

By the time of that first indictment against him — the first of three known indictments against the Russian hacker so far — Ermakov had already made one of the fatal slip-ups that would form part of the proof against Klyushin at trial, this time for a hack-and-trade scam. On May 9, 2018, Ermakov received three updates from his Apple iTunes account to the IP address 119.204.194.11. Just four minutes later, someone using that IP address downloaded an SEC filing using credentials stolen from a Donnelley Financial employee named Julie Soma. That download occurred hours before the report would be publicly filed with the SEC, one of dozens of such thefts of SEC filings that formed the basis of the hacking and securities fraud charges against the men.

So months before Mueller’s indictment alerted Ermakov that the FBI had discovered who he was and that they believed he was one of the hackers behind the 2016 hack, he had already left proof in US-based servers that would tie him to a follow-up crime, the hack-and-insider trading conspiracy for which Klyushin was convicted in February.

Klyushin has challenged the verdict, largely based on a technical challenge to the venue of the charges in Massachusetts.

Per trial testimony, Ermakov left those tell-tale forensic tracks four months before Klyushin would first get involved in the hack-and-trade scheme, in August 2018. The scheme was doomed from the start — at least, it would be doomed if any of the identified co-conspirators traveled to a jurisdiction that would extradite to the US, as Klyushin did in March 2021.

In fact, there’s something curious about that.

One thing submitted as evidence at trial was a picture of a May 22, 2017 Reuters article reporting the US sentence for Ukrainian hacker Vadym Iermolovych, one of ten people prosecuted for a hack-and-trade conspiracy similar to the one for which Klyushin was convicted.

According to the FBI agent who introduced the exhibit, the picture itself was taken in August 2018. Someone printed out the article and packaged it up in a plastic folder over a year after the fact. That suggests Klyushin was in discussion with a very well-connected friend about the possibility of such charges in the same month that Klyushin first got involved in the scheme.

The possibility of prosecution hung over the conspiracy from the start.

Thanks to Klyushin’s promiscuous storage of damning evidence in his iCloud account, from which many of the pictures and chats in this post were obtained by the FBI, the Klyushin case offers an unprecedented public glimpse into the effect that US indictments against nation-state hackers like Ermakov might have on the life of one of the targets. In Ermakov’s case, it didn’t stop him from hacking US targets. Indeed, it’s possible that others used the indictments to pressure Ermakov to use his hacking skills for them.

Since 2014, DOJ has been indicting nation-state hackers in what have always been assumed to be name-and-shame documents, indictments that would never lead to trial. Indeed, that’s what the two earlier indictments of Ermakov have always been assumed to be: a public accusation that would never lead to Ermakov’s imprisonment. The wisdom of indicting nation-state hackers has never been obvious. Yevgeniy Prigozhin’s exploitation of his own name-and-shame indictment has revealed the potential perils of the policy. And Russian denialists brush off the July 2018 indictment charging Ermakov and others with the election year hack (as Matt Taibbi did in his recent congressional testimony), arguing that since the indictment will never be tested at trial, it could be mere government propaganda.

At least in the case of the 2016 Russian operation, the indictment has done little to persuade denialists, who simply refuse to read about the many places where the hackers left evidence.

In a follow-up, I’ll show how DOJ proved their case against Klyushin using the same kind of evidence they used in the earlier indictments against Ermakov and his colleagues, largely metadata and content obtained from US-based and a few foreign servers. DOJ may never get a chance to prove the first two indictments against Ermakov, but using the same investigative techniques, they did prove the case against Ermakov’s co-conspirator, Klyushin.

This case, where a sealed complaint ultimately led to the trial of one co-conspirator of a hacker previously charged, also provides a glimpse of what happened after one nation-state hacker got name-and-shamed in the US.

It’s not clear from the trial record when Ermakov left the GRU or who his formal employer was before he joined Klyushin’s M-13, an information services company with ties to Putin’s office that offered, among its services, pen testing.

The FBI found a contact card for Igor Sladkov, with whom Ermakov may have started the hack-and-trade scheme at least as early as October 2017, in Ermakov’s own iCloud account, one of the only interesting pieces of evidence they found there. It was dated November 16, 2016, just over a week after Donald Trump got elected with Ermakov’s help. Sladkov — whose iCloud OpSec was just as shoddy as Klyushin’s — had a bunch of photos of Ermakov in his iCloud account, including the hacker’s passport, a 2016 picture of Ermakov sitting before an enormous plate of some animal flesh, and a picture from Ermakov’s 2018 ski trip, as well as a picture of Klyushin’s yacht that Ermakov had shared.

Before trial, Klyushin’s team argued that Ermakov never worked for Klyushin’s company, bolstering the claim with a chat from May 2019 in which Ermakov bitched about his job to Klyushin and a certificate from the Russian tax service claiming that [Y]Ermakov never worked at M-13.

But days after that chat, per another pre-trial filing, Ermakov spoke longingly of being able to travel like Klyushin could. Klyushin responded that he would get Ermakov new identity papers so the two could travel to Europe together, but not — Klyushin conceded — London or America. Klyushin seemingly used that discussion as background to press Ermakov to get back to work, with the implication being he should get back to the hack-and-trade scheme.

That is, Ermakov appears to have included Klyushin in the hack-and-trade scheme while still working for someone else. And Klyushin seems to have used his promise to help Ermakov mitigate the risks created by those earlier indictments to pressure Ermakov to keep hacking. If that’s right, the vulnerability created by the earlier indictments gave Klyushin leverage to get Ermakov to keep hacking.

But Ermakov did eventually join M-13, at least informally. At trial, the government introduced an M-13 employee list reflecting Ermakov’s project participation. And they submitted a picture, from December 2019, showing Ermakov with an M-13 sticker, within days of the time when a staging server similar to the one used in the 2016 hack of the Democrats was set up.

Klyushin may have even incorporated Sladkov into M-13. The FBI found a proposal for a data analysis service, dated September 4, 2019, which M-13 would introduce on October 28, 2020, as well as encrypted communications from an M-13 chat application, in Sladkov’s iCloud account.

Klyushin fought hard to exclude one of the most telling pieces of evidence that the hacking scheme came to be tied to M-13 — the four Porsches that, Klyushin bragged to an investor, he had bought for himself, Ermakov, and one other co-conspirator with the proceeds of the insider trading.

But this currency — expensive gifts — seems to have been at least part of the way Ermakov was compensated for his role in the scheme.

Ermakov did not engage in any trading himself. Instead, two men in St. Petersburg, two associated with M-13 (including Klyushin himself), and three clients of M-13, profited off documents [Y]Ermakov seems to have stolen.

But in addition to the Porsche, on August 17, 2020, ten days before the delivery of the Porsches, Ermakov took possession of a Moscow house worth millions, the loan agreement for which Klyushin reportedly ripped up. Months earlier, Klyushin had tied paying for the house with continued hacking — which, Klyushin joked, amounted to just turning on the computer and thinking about making money.

Ermakov was effectively printing money for Klyushin, and his reward was that house.

In September 2020, the hack-and-trade scheme would be shut down for good.

Throughout the time it was going, however, those co-conspirators knew of the indictment against Ermakov. Sladkov downloaded Ermakov’s wanted poster from the FBI website on October 5, 2018, just a day after Ermakov was charged in the 2016 hack-and-leak of anti-doping agencies while Ermakov was still a GRU officer.

And on October 4, 2020, Klyushin took a screencap of Ermakov’s wanted poster from the FBI website.

By the time Klyushin took this screencap, the victim filing agencies had finally shut down Ermakov’s access to the site, after eight months of trying. Perhaps Klyushin was contemplating what that would mean or how it had happened? According to trial evidence, DOJ didn’t identify the hack-and-trade scheme by tracking what Ermakov was doing. Rather, the investigation started when the SEC started tracking some large-scale trading by a bunch of Russians together, then asked the filing agencies if they had been hacked. At least according to the public record, the involvement of Ermakov was disclosed only after working backwards from the forensic evidence. But in October 2020, Klyushin may have considered the risks of entering into a hack-and-trade scheme with a hacker whose habits were already known within the FBI.

By then it was too late. Indeed, Ermakov had already warned his boss about his shoddy OpSec. On July 18, 2019, Klyushin asked Ermakov and the other M-13 co-conspirator Nikolai Rumiantcev how the hack-and-trade was going. He included pictures of two of the M-13 investors. In response, Ermakov warned his boss that that kind of OpSec is the kind of thing that would land him as a defendant in a courtroom.

Q. Okay, thank you. And now can we move to 3980, please. And this date is?

A. This is July 18 of 2019.

Q. Would you begin with 3980.

A. “Vladislav Klyushin: So what did we earn today?”

Q. And then there’s an attachment?

A. Correct.

Q. And then he says what?

A. Ermakov responds: “About 350 and another 350 in the mind. Sasha the most among the rest. “Klyushin: Our comrades are wondering.”

MR. FRANK: Could we stop right there, and I realize it’s hard, Ms. Lewis, because we’re in the Excel, but could you please display Exhibits 52 and Exhibit 50.

Q. Those are the attachments, Special Agent. Have you had an opportunity to review those?

A. Yes.

Q. Who’s depicted in Exhibits 52 and 50?

A. On the left, 52 is Sergey Uryadov. On the right is Boris Varshavskiy in Exhibit 50.

MR. FRANK: I offer 52 and 50. (Exhibits 50 and 52 received in evidence.)

Q. Okay. So those are the two attachments Mr. Klyushin has just transmitted in the chat?

A. Yes.

Q. Can we go back to the chat and pick up where we left off. So Mr. Klyushin says, “What did we earn today? Our comrades are wondering.” Could you continue, please, at 3987.

A. After sending those pictures we just looked at, Ermakov replies: “Vlad, you are exposing our organization. This is bad.” “Nikolai Rumiantcev: Vlad, stop sending to Threema.” Klyushin replies, “So sorry.” “Ermakov: And that’s how they get you and you end up as a defendant in a courtroom.”

Q. How does Mr. Klyushin respond?

A. Klyushin responds, “Removed. Open a chat with us already. “Ermakov: Go ahead and create. It was a bad move now. “Klyushin: Sorry. Did a dumb thing. “Rumiantcev: I suggest to recreate the chat with the deletion of attachments in Threema, or switch to ours if ready. “Klyushin: I will delete this one on my end.”

Klyushin did delete this chat. Rumiantcev left it in his iCloud account, where the FBI found it.

At the time, the men appear to have been shifting their trading discussions to the encrypted M-13 chat application found in all their iCloud accounts, finally taking measures to cover their tracks, over eighteen months into the hack-and-trade conspiracy. Going forward, those working with Ermakov might not exhibit the kind of abysmal OpSec that produced abundant trial evidence against his co-conspirator. Maybe they learned their lesson, and they’ll be able to exploit Ermakov’s skill more safely.

It remains to be seen whether the prosecution of Klyushin, with his ties to even higher ranking Russians, does more than hold him accountable for millions in fraudulent trades. But that may have little effect on the life of John Podesta’s suspected hacker.

* The government has used two different transliterations for [Y]Ermakov’s last name. In 2018, they used the one that aids in pronunciation. In 2021, they used the direct transliteration from the Cyrillic. Because evidence submitted at Klyushin’s trial uses the initials “IE” to refer to Ermakov, I’ll adopt that spelling here.

How Adam Schiff Proves that Adam Schiff Is Lying that It Is “Unprecedented” for Congress to Be Ahead of DOJ

I had imagined I would write a post today introducing Andrew Weissmann — who like a lot of other TV lawyers has decided to weigh in on the January 6 investigation without first doing the least little bit of homework — to the multiple prongs of the DOJ investigation that he complains is not investigating multiple spokes at once.


But as I was prepping for that, I watched another of the Ari Melber pieces where he replicates this false claim.

Let me correct that. Melber actually doesn’t present Weissmann’s argument that the multiple pronged DOJ investigation should have multiple prongs, perhaps because since Weissmann first made it, it became clear he missed the Sidney Powell investigation entirely, the status of the investigations into Roger Stone and Rudy Giuliani, the influencers that DOJ has already prosecuted as part of the investigation into the crime scene, and that DOJ actually started the fake electors investigation months before it was previously known.

Rather, Melber presents Adam Schiff’s claim that it is “unprecedented” for a congressional committee to be “so far out ahead” of DOJ.

Melber: We haven’t seen this kind of — he called it a breakdown, you might put it differently, but whatever it is, between the Justice Department and the Committee, but it also reflects that you’ve gotten some witnesses first. Do you share Mr. Weissmann’s concern? Could the DOJ be doing more quickly?

Schiff: I very much share his concern and have been expressing a very similar concern really for months now. It is so unprecedented — and I’ve been a part of many Congressional investigations that have been contemporaneous with Justice Department investigations — but it is unprecedented for Congress to be so far out ahead of the Justice Department in a complex investigation because as he was saying, as Andrew was saying, they’ve got potent tools to get information. They can enforce their own subpoenas in a way we can’t.

Let me introduce Adam Schiff to the House Intelligence Committee investigation into the 2016 Russian attack, on which a guy named Adam Schiff was first Ranking Member, then Chair, and the Mueller investigation into the same, on which Andrew Weissmann was a senior prosecutor.

Donald Trump Jr.

Interviewed by HPSCI on December 6, 2017

Never interviewed by Mueller’s team

Roger Stone

Interviewed by HPSCI on September 26, 2017

Never interviewed by Mueller’s team

Jared Kushner

First interviewed by HPSCI on July 25, 2017

First interviewed by DOJ on November 1, 2017

Steve Bannon

First interviewed by HPSCI on January 16, 2018

First interviewed by Mueller on February 12, 2018

John Podesta

Interviewed by HPSCI in June and December, 2017

Interviewed by Mueller in May 2018

Jeff Sessions

Interviewed by HPSCI on November 30, 2017

Interviewed by Mueller on January 17, 2018

JD Gordon

Interviewed by HPSCI on July 26, 2017

First interviewed by Mueller on August 29, 2017

Michael Caputo

Interviewed by HPSCI on July 14, 2017

Interviewed by Mueller on May 2, 2018

Michael Cohen

Interviewed by HPSCI on October 24, 2017

First interviewed by Mueller on August 7, 2018

Now, Schiff, who claimed it was unprecedented for a congressional investigation to precede a DOJ one, might say that the HPSCI investigation into Russia doesn’t count as a clear precedent because it wasn’t all that rigorous because it was led by Devin Nunes (that’s partly right, but there were plenty of Democratic staffers doing real work on that investigation too). But even on the January 6 Committee, there are already multiple instances where the Committee has interviewed witnesses before DOJ has (or interviewed witnesses that DOJ never will, before charging them), but gotten less valuable testimony than if they had waited.

One example, Ali Alexander, is instructive. He at least claimed he was going to tell the January 6 Committee a story that had already been debunked by DOJ. But before DOJ interviewed Alexander, at least two people with related information had gotten cooperation recognition in plea agreements, and several direct associates — most notably Owen Shroyer — had had their phones fully exploited.

Weissmann would likely point to good reasons why Mueller took more time, too: because later interviews with people like Michael Caputo or Jared Kushner required a lot more work on content acquired with covert warrants first, or because with people like Michael Cohen there was an entire financial investigation that preceded the first interview, or because DOJ was just a lot more careful to lay the groundwork with subjects of the investigation.

But the same is true here. DOJ will likely never interview Rudy on this investigation. But Lisa Monaco took steps on her first day in office that ensured that at whatever time DOJ obtained probable cause against Rudy, they had the content already privilege-reviewed. And DOJ did a lot of investigation into Sidney Powell before they started subpoenaing witnesses.

Many of the other witnesses that HPSCI interviewed long (or even just shortly) before DOJ did on Russia lied to HPSCI.

As both these men know, and know well, it is simply false that Congress never gets ahead of DOJ. But there are good reasons for that, and one of those reasons is precisely the one that Weissmann claims should lead DOJ to go more quickly: that it has far more tools to use to ensure that interviews that happen will more robustly support prosecutions.

Where Was Doug Jensen Radicalized? Russia’s 2016 Election Tampering

Last May, I observed that QAnon had far more evident success in getting its adherents in places to obstruct the vote certification on January 6, 2021 than the organized militias did.

QAnon managed to get far more of their adherents to the Senate floor than either the Proud Boys (Joe Biggs and Arthur Jackman showed up after getting in with the help of people inside) or the Oath Keepers (Kelly Meggs and Joshua James showed up too late). QAnon held a prayer on the dais while the militias were still breaching doors.

While he didn’t make it to the Senate floor, that’s true, in part, because of the fervor with which QAnoner Doug Jensen sprinted up the stairs after Officer Eugene Goodman (though Jensen’s fervor was also one of the things that Goodman exploited to buy time to evacuate the Senate).

According to an FBI interview Jensen did just days after the insurrection (the transcript was released as part of a suppression motion that is unlikely to work), that was his stated intent.

He wanted QAnon to get credit for breaching the Capitol.

I wanted Q to get the attention.

Q. I see.

A. And that was my main intention basically —

Q. Um-hum.

A. — was to use my shirt. I basically intended on being the poster boy, and it really worked out.

The transcript is a tough read. It reveals (as the court filings associated with many of the January 6 defendants do) the urgency with which the US needs to address mental health treatment. It reveals how Trump’s propagandists won the allegiance of a blue collar union member who had previously voted Democratic.

But most vividly, it reveals how Jensen got radicalized into QAnon. And that started — as he repeatedly describes — from the files stolen from John Podesta released by WikiLeaks in advance of the 2016 election. He planned to vote for Hillary (!!!) until he came to believe the misrepresentations he read (pushed, in significant part, by accused Proud Boy leader Joe Biggs) of the Podesta files. When the flow of Podesta files ended, Jensen was left with a void, which Q drops filled shortly thereafter. After that, Jensen came to believe Trump’s lies that he had been shafted by the Deep State, by some guy (Peter Strzok) and his girlfriend whose name he couldn’t remember. Perhaps as a result, Jensen came to believe of Putin that, “this guy don’t seem so bad, you know.”

Also, Q said — Q has said things, okay, so like — and anonymous, okay. I follow that, Mayjan (ph.) and all that stuff, you know, because basically I was not into politics until the Wiki leaks dropped, and then when I realized about Haiti, and the Clinton Foundation, and the kidnappings all through the Clinton Foundation, and then I learned about Epstein Island and then I learned Mike Pence owns an island, right — or not Mike Pence, Joe Biden owns an island next door, and then I find that Hunter Biden and Bris Moldings (ph.) and all that, I knew about that a year or two ago.

[snip]

It all started with all the crap I found out about Hillary Clinton, John Podesta, you know, all of that stuff, and then so right before I was going to vote for Hillary, I was like, whoa, we’ve got to vote Trump in because we can’t have Hillary. And then I start finding things like we were supposed to be dead by now, and if Hillary would have won, we were going to be attacked by North Korea or Iran. We were going to go to war, and we would most likely — half of us wouldn’t be here right now if Trump wouldn’t have won that election is what I got from it.

[snip]

You guys have an FBI thing that you released all that Ben Swan who was on ABC years ago and he tried to expose pizza gate and he got fired that night from ABC, and he works for RT now.

[snip]

I am for America, and I feel like we are being taken over by communist China, you know, and the whole Russian collusion was fake. I don’t know what the deal with Russia is, but I don’t know, Vladimir Putin, he seems to be like a decent person, but I could be crazy, you know. But I think we were taught from a young age to hate Russia and all of this stuff. I’ve researched on Vladimir Putin. I was like this guy don’t seem so bad, you know, but I don’t know, you know.

[snip]

A. And all this information, and Trump’s taking down all these people, you know? And — well, firing them or whatever, you know? Like Brennan, Clapper, you know, that guy that I hate with his girlfriend, I can’t remember their names. Those texting back and forth. But they were all like top, you know, members, they’re high up and stuff.

Q. Yeah.

A. And you saw that they were out to destroy Trump, and they were members of our, you know, Central Intelligence or our FBI, you know?

[snip]

I did not preplan nothing. I am not a leader. I am just a hardcore patriot. I am a diehard — I believe all this stuff to be true, and I feel like Trump’s just got the absolute shaft from everything around, our own government, the media.

[snip]

So I voted both terms for Obama, and during the presidency, I thought he was a great president. The health thing. The health thing didn’t benefit me and my family because I had union health insurance. So I got no benefits from it, but I was happy that all those people got insurance, you know? And so I was happy with him. And then I was going to vote for Hillary because I’ve been a democrat my whole life.

Q. Yeah.

A. And then the WikiLeaks thing happened and I had to start questioning where I was getting my info from. And that’s when I realized, you know, holy cow, I can’t vote for this woman. And then it became — like I started telling everybody I know about WikiLeaks and everything else back then. And then that died off when Trump won. And then I didn’t really have anything. I was happy Trump won, you know? And then all of a sudden Q drops started. And it was just — that’s all I did —

Q. Yeah.

A. — was follow those Q drops. [my emphasis]

This is a narrative of how an information operation started by Russia six years ago continues to poison American politics, up to and including persuading Americans to affiliate with the architect of that information operation.

After that radicalization process — Jensen described to the FBI — he readily responded to the propagandists trying to help Trump steal an election: Lin Wood, Sidney Powell, and Rudy Giuliani, as well as the December 19, 2020 Trump tweet that arose out of their machinations. And so he drove all night from Iowa to answer Trump’s call.

Q. How’d you find out about the rally?

A. Well, I found out from the rally from all the different people I follow.

Q. I see.

A. Which — so like — I’m not saying it’s JFK, Jr., but one of the people I follow on Twitter, his name’s John F. Kennedy, Jr., and then Linwood. Linwood’s new. Like everything Linwood has dropped in the last couple weeks is old news, like that’s all old new to me, and so Linwood got me fired up, Sidney Powell got me fired up. Rudy Giuliani got me fired up, you know, and then I go to this Trump rally and I was just hoping it was show time basically, and then he gets done with this rally and I’m just kind of like — he’s like, oh, let’s all go march down peacefully, you know. He didn’t tell us to go storm the building, okay.

[snip]

A. Trump’s posts. Trump posted make sure you’re there, January 6 for the rally in Washington, D.C., I’ll have some great info, and so that to me was, oh, here it comes, because — and then, you know, all he said, well, where’s Hillary? Well, where? I already know that. Q said where’s Hillary four months ago, you know, so I was kind of like that’s all you got, where’s Hillary? You know, he — and then he got us all fired up to go to that White House, and then it just all happened so quick and I just wanted to make sure that I wanted to be in the front. Basically I wanted to get that Q shirt the attention —

Q. Right.

A. — is what my goal was. [my emphasis]

There are few better summaries of the damage done by the sustained information operations that both Russia and Trump pursued — with the Burisma attacks, at least, provably in coordination — over the last six years. The self-described poster boy for the insurrection got there as a result of a sustained series of information operations that started with Russia’s attempt to tamper in the 2016 election.

Only, Doug Jensen makes it clear: Russia didn’t just tamper in the election. It tampered with the American psyche.

John Durham’s Top Prosecutor, Andrew DeFilippis, Allegedly Miffed that DARPA Investigated Guccifer 2.0

Vladimir Putin’s invasion of Ukraine and the sanctions imposed as a result have led lawyers in the US to drop the now-sanctioned Alfa Bank and its owners, leading to the dismissal of the John Doe, BuzzFeed, and Fusion GPS lawsuits filed by Alfa Bank or its owners. That has, for now, brought an end to a sustained Russian effort to use lawfare to discover “U.S. cybersecurity methods and means” (as some of Alfa’s targets described the effort).

But the dismissal of the Alfa Bank suits hasn’t halted the effort to expose US cybersecurity efforts in the guise of pursuing right wing conspiracy theories. Both Federalist Faceplant Margot Cleveland and “online sleuths” goaded, in part, by Sergei Millian have picked up where Alfa Bank left off. In recent days, for example, documents obtained via a Federalist FOIA to Georgia Tech exposed the members of a cybersecurity sharing group, including a bunch at Three-Letter Agencies, which has little news value but plenty of intelligence value to America’s adversaries (these names were released even while someone — either Georgia Tech or the Federalist — chose to redact the contact information for Durham’s investigators, some of which is otherwise public).

Even while doing her part to make America less safe (raising the perennial question of who funds the Federalist), Cleveland has continued to do astounding work misrepresenting Durham’s investigation. From the same FOIA release, she published a document in which research scientist Manos Antonakakis described that chief Durham AUSA Andrew DeFilippis insinuated to him that it was abusive for DARPA to try to discover the network behind the Guccifer 2.0 persona.

Finally, I will leave you with an anecdote and a thought. During one of my interviews with the Special Counsel prosecutor, I was asked point blank by Mr. DeFilippis, “Do you believe that DARPA should be instructing you to investigate the origins of a hacker (Guccifer_2.0) that hacked a political entity (DNC)?” Let that sink for a moment, folks. Someone hacked a political party (DNC, in this case), in the middle of an election year (2016), and the lead investigator of DoJ’s special counsel would question whether US researchers working for DARPA should conduct investigations in this matter is “acceptable”! While I was tempted to say back to him “What if this hacker hacked GOP? Would you want me to investigate him then?”, I kept my cool and I told him that this is a question for DARPA’s director, and not for me to answer.

Assuming this is an accurate description, this is a shocking anecdote, a betrayal of US national security.

It suggests that Durham’s lead prosecutor doesn’t believe the government should throw its most innovative research at a hostile nation-state attack while that nation-state is attempting to influence an election. Sadly, though, it’s not surprising.

It is consistent with things we’ve seen from Durham’s team throughout. It’s consistent with Durham’s treatment of a loose tie between an indirect and unwitting Steele dossier source and the Hillary campaign as a bigger threat than multiple ties to Russian intelligence (or Dmitry Peskov’s office, which knew that Michael Cohen and Donald Trump were lying about the former’s secret communications with Peskov’s office). It is consistent with Durham’s more recent suggestion that the victim of such a nation-state attack must wait until after an election to report a tip that might implicate her opponent.

I almost feel like DeFilippis will eventually say Hillary should have just laid back and enjoyed being hacked in 2016.

DeFilippis, and Durham generally, have consistently treated Hillary as a far graver threat than Russia, even now, even as Russia conducts a barbaric invasion of a peaceful democracy.

But Antonakakis’ anecdote is all the more troubling because it suggests that DeFilippis seems to misunderstand what happened with the DARPA contract in question in 2016. The Enhanced Attribution RFP’s description of the hacking campaigns it was targeting — “multiple concurrent independent malicious cyber campaigns, each involving several operators” — pretty obviously aims to tackle Advanced Persistent Threats, of which APT 28 and 29 (both of which targeted the DNC) were among the most pressing in 2016. DARPA presumably didn’t ask Antonakakis to focus on Guccifer 2.0 — a persona which didn’t exist when the contract was put up for bid in April 2016, much less in the months earlier when it was originally conceived. Rather, by description, they were asking bidders to look at APTs, and looking at APT 28 would have happened to include looking at Guccifer 2.0, the DNC hack, and a number of hacks elsewhere in the US and the world. The reason DARPA would ask Georgia Tech to look at APT 28 is because APT 28 was hacking a lot of targets in the time period, all of which provided learning sets for a researcher like Antonakakis. DeFilippis, then, seems miffed that the APT that DARPA wanted to combat happened to be one of two that targeted Hillary.

That’s a choice Russia made, not DARPA.

While I think Cleveland did serious damage with some of her releases, I’m glad she released this document because it provides a way for Michael Sussmann to make DeFilippis’ troubling views on national security a central issue at trial, something that normally is difficult to do.

It also provided Cleveland another opportunity to faceplant in spectacular trademark Federalist fashion. Cleveland used this document to rile up the frothers by suggesting this is proof that Durham is investigating the DNC attribution.

Exclusive: Special Counsel’s Office Is Investigating The 2016 DNC Server Hack

The U.S. Department of Defense tasked the same Georgia Tech researcher embroiled in the Alfa Bank hoax with investigating the “origins” of the Democratic National Committee hacker, according to an email first obtained by The Federalist on Wednesday. That email also indicates the special counsel’s office is investigating the investigation into the DNC hack and that prosecutors harbor concerns about the DOD’s decision to involve the Georgia Tech researcher in its probe.

[snip]

The public storyline until now had been that CrowdStrike, the cybersecurity firm Sussmann hired in April 2016, had concluded Russians had hacked the DNC server, and that the FBI, which never examined the server, concurred in that conclusion. Intelligence agencies and former Special Counsel Robert Mueller likewise concluded that Russian agents were behind the DNC hack, but with little public details provided.

It now appears that DARPA had some role in that assessment, or rather Antonakakis did on behalf of DARPA, which leads to a whole host of other questions, including whether DARPA had access to the DNC server and data and, if so, from whom did the DOD’s research arm get that access? Was it Sussmann?

There’s no reason to believe this and every reason to believe that — as I said — DeFilippis is pissed that DARPA prioritized their research on a target that was badly affecting national security (and not just in the US, but also in allied countries) in 2016, one that happened to attempt to help Trump get elected.

But look how many errors Faceplant’s Cleveland made in the process:

Cleveland repeats the Single Server Fallacy, imagining that the DNC, DCCC, and Hillary had just one server between them to be hacked and all the servers that got hacked were in the possession of one of those victims. That’s, of course, ridiculous. The server that GRU hacked to get John Podesta’s emails belonged to Google. The server that GRU hacked to get Hillary’s analytics belonged to AWS. There was a staging server in AZ; I have been told that the FBI seized at least one US-based server that did not belong to the DNC (that server is why the frothy right’s focus on what Shawn Henry testified to HPSCI is so painfully ignorant — because it ignores that the FBI had access to servers that Henry did not that did show exfiltration).

Cleveland apparently doesn’t know that the FBI knew who was hacking the DNC when they warned them starting in September 2015 they were being hacked. The FBI’s awareness of that not only explains why APT 29 and 28 would have been included in DARPA’s targets for EA, but proves that the government was tracking these hacking groups above and beyond the attack on Hillary. This was never just a reaction to the election year hack.

Cleveland claims Mueller’s attribution of the DNC hack to the GRU provided “little public details,” when in fact the Mueller Report showed 29 sources other than CrowdStrike, including:

  • Gmail
  • Linked-In
  • Microsoft
  • Facebook
  • Twitter
  • WordPress
  • ActBlue
  • AWS
  • AOL
  • Smartech Corporation
  • URL shortening service
  • Bitcoin exchanges
  • VPN services

According to Mueller’s report, all these sources also corroborated the GRU attribution. And Mueller’s list doesn’t include a number of other known entities that corroborated the attribution, including NSA and Dutch intelligence, which couldn’t be named in a public DOJ document. Mueller’s list doesn’t include Georgia Tech either, but it wouldn’t need to, because there was so much other evidence.

The Mueller Report described obtaining almost 500 warrants, but the released list — from which FBI’s Cyber Division successfully withheld those pertaining to the GRU investigation — only includes around 370-400 warrants (based on 156 pages of warrants with roughly three per page), suggesting there may be 100 warrants tied to the GRU attribution alone.

By the time Antonakakis started looking at the DNC hack as part of EA, multiple entities, including several Infosec contractors, non-US intelligence services, and non-governmental entities like tech giants (including at least three of the ones on Mueller’s list), had plenty of evidence that the Guccifer 2.0 campaign was run by APT 28. Including Guccifer 2.0 as part of the research set would simply be part of the existing targeting of a dangerous APT.

But apparently neither DeFilippis nor Cleveland understands that 2016 was part of an ongoing identified threat to US national security.

One thing Putin did in 2016 was to use disinformation to train the frothy right to favor Russia more than fellow Americans from the opposing party. Even as Russia attacks Ukraine, that still seems to be true.

Guccifer 20uble Entendre

As people continue to unravel the various parties involved in the January 6 insurrection, including Roger Stone and his repurposed group, Stop the Steal, I want to finish unpacking the Mueller-related files liberated by BuzzFeed last month.

Before I do that though, I want to lay out one potential implication of some things I said as part of my Rat-Fucker Rashomon series on Roger Stone’s prosecution.

In the post from that series on Jerome Corsi’s prescience that WikiLeaks would dump John Podesta’s emails, I showed that Ted Malloch, Rick Gates, and Paul Manafort all testified that Stone had advance knowledge of the Podesta drop in August — and according to Gates, he had that knowledge before August 14.

According to the SSCI Report, in part of Rick Gates’ October 25, 2018 interview that remains redacted,

Gates recalled Stone advising him, prior to the release of an August 14 article in The New York Times about Paul Manafort’s “secret ledger,” that damaging information was going to be released about Podesta. 1579 Gates understood that Stone was referring to nonpublic information. Gates further recalled later conversations with Stone about how to save Manafort’s role on the Campaign, and that Stone was focused on getting information about John Podesta, but said that Stone did not reveal the “inner workings” of that plan to Gates. 1580

An unredacted part of that 302 — which is likely the continuation of the discussion cited in SSCI — explains,

Gates said there was a strategy to defend Manafort by attacking Podesta. The idea was that Podesta had baggage as well. Gates said it was unfortunate the information did not come out in time to defend Manafort from his ultimate departure from the campaign.

In a September 27, 2018 interview, Manafort provided details of two conversations that he placed in August 2016, one of which provided specific details (which remain redacted, purportedly to protect Podesta’s privacy!) about John Podesta’s alleged ties with Russia.

Manafort was sure he had at least two conversations with Stone prior to the October 7, 2016 leak of John Podesta’s emails.

In the one conversation between Stone and Manafort, Stone told Manafort “you got fucked.” Stone’s comment related to the fact that Manafort had been fired. The conversation was either the day Manafort left the campaign or the day after.

In the other conversation, Stone told Manafort that there would be a WikiLeaks drop of emails with Podesta, and that Podesta would be “in the barrel” and Manafort would be vindicated. Manafort had a clear memory of the moment because of the language Stone used. Stone also said Manafort would be pleased with what came out. It was Manafort’s understanding that WikiLeaks had Podesta’s emails and they were going to show that [redacted] Manafort would be vindicated because he had to leave the campaign for being too pro-Russian, and this would show that Podesta also had links to Russia and would have to leave.

Manafort’s best recollection was the “barrel” conversation was before he got on the boat the week of August 28, 2016.

Roger Stone’s longtime friend Paul Manafort, at a time when he was lying to protect key details about what happened in 2016, nevertheless confirmed that Stone had detailed knowledge not just that the Podesta files would drop, but what Russian-based attacks they would make of them.

In the piece arguing that Guccifer 2.0, not Julian Assange, was Roger Stone’s go-between with the Russian operation, I noted that SSCI believes Roger Stone had obtained his advance knowledge that WikiLeaks would later release John Podesta files by mid-day August 15, 2016.

Indeed, the Mueller Report describes that Corsi told Ted Malloch later in August that, “Stone had made a connection to Assange and that the hacked emails of John Podesta would be released prior to Election Day,” not that he himself had.

[snip]

At 8:16AM on August 15, Corsi texted and then at 8:17 AM Corsi emailed Stone the same message, telling him there was “more to come than anyone realizes”:

Appearing in the midst of a story about Stone’s lies about his go-between with WikiLeaks, the texts and emails are fairly innocuous. Though the SSCI Report does seem to believe Corsi’s story that this moment — and the 24 minute call between Corsi and Stone at 12:14PM on August 15 — is when Corsi told Stone about what the Podesta files would include.

(U) The Committee is uncertain how Corsi determined that Assange had John Podesta’s emails. Corsi initially explained in an interview with the SCO that during his trip to Italy, someone told him Assange had the Podesta emails. Corsi also recalled learning that Assange was going to “release the emails seriatim and not all at once.”1572 However, Corsi claimed not to remember who provided him with this information, saying he could only recall that “it feels like a man” who told him.1573

(U) Corsi further recalled that on August 15, after he returned from Italy, he conveyed this information to Stone by phone.1574 According to Corsi, the information was new to Stone. Stone seemed “happy to hear it,” and the two of them “discussed how the emails would be very damaging” to Clinton. 1575 Corsi also reiterated by both text and email to Stone on August 15 that there was “[m]ore to come than anyone realizes. Won’t really get started until after Labor Day.”1576

So three witnesses sympathetic to Stone say he had advance knowledge of the Podesta dump, and the neutral observers at SSCI believe that happened by mid-day on August 15, 2016.

If that’s the case, I pointed out in the Guccifer 2.0 post, then it means when the persona asked the rat-fucker whether Stone had found anything interesting in the documents he posted, it would appear to be a reference to the DCCC documents released days earlier, but would actually be a reference to the Podesta files.

August 15, 2016 (unknown time): Guccifer 2.0 DMs Stone: “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?”

So long as the WikiLeaks story is kept separate from the Guccifer 2.0 one, that August 15 DM from Guccifer 2.0 to Stone appears to be a question about the DCCC emails posted on August 12, and so, as Stone claimed, totally innocuous. But given the evidence that Corsi and Stone acquired advance knowledge of the content of select Podesta emails by August 15 — particularly given Stone’s claim, reportedly made before July 22, to have been in touch with Guccifer 2.0 and his apparent foreknowledge of the GRU personas — that August 15 DM appears to be a comment on the Podesta files.

That is, that August 15 was not innocuous at all. It appears to have been, rather, the GRU’s persona asking Stone whether he liked what he had received in advance.

That is, it would be a kind of double entendre, a comment that seemed to have an innocuous public meaning, but in fact was a public marker of direct coordination between the Russian operation and the Trump campaign.

Consider the implications if that were true of the other comments from Guccifer 2.0 to Roger Stone. There were two such comments that have been made public. On August 16, Roger Stone linked a piece of his, talking about “How the election can be rigged against Donald Trump,” part of Stone’s Stop the Steal campaign that would eventually morph into the January 6 insurrection. Via DM, Stone asked G2 to RT it, which the persona did, saying he was “paying u back.”

Then on August 17, G2 buttered Stone up a bit, then offered to help him.

Starting at 1AM on August 18, Roger Stone himself buttered up the new replacement campaign manager for Donald Trump, offering him some way to win the election. “I do know how to win this but it ain’t pretty,” a pitch similar to the one Stone made to Paul Manafort just weeks earlier.

Affidavits show that Stone and Bannon continued to talk.

On August 19, 2016, Bannon sent Stone a text message asking if he could talk that morning. On August 20, 2016, Stone replied, “when can u talk???”

Bannon testified under oath at Stone’s trial that this conversation might have pertained to “the tougher side of politics” that the Trump campaign might use to “make up some ground,” possibly relating to Stone’s role as envoy to WikiLeaks.

Q. When Mr. Stone wrote to you, “I do know how to win this but it ain’t pretty,” what in your mind did you understand that to mean?

A. Well, Roger is an agent provocateur, he’s an expert in opposition research. He’s an expert in the tougher side of politics. And when you’re this far behind, you have to use every tool in the toolbox.

Q. What do you mean by that?

A. Well, opposition research, dirty tricks, the types of things that campaigns use when they have got to make up some ground.

Q. Did you view that as sort of value added that Mr. Stone could add to the campaign?

A. Potentially value added, yes.

Q. Was one of the ways that Mr. Stone could add value to the campaign his relationship with WikiLeaks or Julian Assange?

A. I don’t know if I thought it at the time, but he could — you know, I was led to believe that he had a relationship with WikiLeaks and Julian Assange.

This is the testimony Stone is threatening to sue Bannon over.

The next day, Stone tweeted his famous “Podesta time in the barrel” tweet.

The communication between Stone and Bannon continued; I’ll return to it in a follow-up post. But first, there was one more DM exchange between G2 and Stone: When, on September 9, G2 wrote Stone seemingly out of the blue and asked, “what do u think of the info on the turnout model for the democrats entire presidential campaign”?

Stone didn’t respond at first. G2 probed again: “?” Then G2 sent HelloFL’s post on the Florida turnout model that G2 had sent Aaron Nevins. And G2 lectured the rat-fucker about a topic on which Stone is an expert: the import of voter turnout.

“Pretty standard,” Stone correctly said of the base level oppo research that G2 had sent Nevins.

And for years, that exchange made perfect sense. The Nevins data was the only publicly known turnout data that G2 might have had (indeed, it’s still the only data that most people know about). And so it made sense: G2 was just trying to fluff up his value with the candidate’s rat-fucker by pointing to data of a quality to which the rat-fucker already had easy access.

Except, that data was not — as G2 referenced — “the turnout model for the democrats entire presidential campaign.” It pertained only to Florida.

But GRU had obtained data that may have provided a way to reconstruct the turnout model for the Democrats’ entire Presidential campaign: starting on September 5, they started hacking Hillary’s analytics, hosted on AWS. As the DNC described it in their lawsuit targeting (among others) Stone, this data was among the most valuable for the campaign. The hackers made several snapshots of the testing clusters the DNC used to test their analytics program.

On September 20, 2016, CrowdStrike’s monitoring service discovered that unauthorized users—later discovered to be GRU officers—had accessed the DNC’s cloud-computing service. The cloud-computing service housed test applications related to the DNC’s analytics. The DNC’s analytics are its most important, valuable, and highly confidential tools. While the DNC did not detect unauthorized access to its voter file, access to these test applications could have provided the GRU with the ability to see how the DNC was evaluating and processing data critical to its principal goal of winning elections. Forensic analysis showed that the unauthorized users had stolen the contents of these virtual servers by making exact duplicates (“snapshots”) of them and moving those snapshots to other accounts they owned on the same service. The GRU stole multiple snapshots of these virtual servers between September 5, 2016 and September 22, 2016. The U.S. government later concluded that this cyberattack had been executed by the GRU as part of its broader campaign to damage to the Democratic party.

In 2016, the DNC used Amazon Web Services (“AWS”), an Amazon-owned company that provides cloud computing space for businesses, as its “data warehouse” for storing and analyzing almost all of its data.

To store and analyze the data, the DNC used a software program called Vertica, which was run on the AWS servers. Vertica is a Hewlett Packard program, which the DNC licensed. The data stored on Vertica included voter contact information, such as the names, addresses, phone numbers, and email addresses of voters, and notes from the DNC’s prior contacts with these voters. The DNC also stored “digital information” on AWS servers. “Digital information” included data about the DNC’s online engagement, such as DNC email lists, the number of times internet users click on DNC advertisements (or “click rates”), and the number of times internet users click on links embedded in DNC emails (or “engagement rates”). The DNC also used AWS to store volunteer information—such as the list of people who have signed up for DNC-sponsored events and the number of people who attended those events.

[snip]

The DNC’s Vertica queries and Tableau Queries that allow DNC staff to analyze their data and measure their progress toward their strategic goals—collectively, the DNC’s “analytics,”—are its most important, valuable, and highly confidential tools. Because these tools were so essential, the DNC would often test them before they were used broadly.

The tests were conducted using “testing clusters”—designated portions of the AWS servers where the DNC tests new pieces of software, including new Tableau and Vertica Queries. To test a new query, a DNC engineer could use the query on a “synthetic” data set—mock-up data generated for the purpose of testing new software—or a small set of real data. For example, the DNC might test a Tableau query by applying the software to a set of information from a specific state or in a specific age range. Thus, the testing clusters housed sensitive, proprietary pieces of software under development. As described above, the DNC derives significant value from its proprietary software by virtue of its secrecy: if made public, it would reveal critical insights into the DNC’s political, financial, and voter engagement strategies and services, many of which are used or intended for use in interstate commerce.

[snip]

On September 20, 2016, CrowdStrike’s monitoring service discovered that unauthorized users had breached DNC AWS servers that contained testing clusters. Further forensic analysis showed that the unauthorized users had stolen the contents of these DNC AWS servers by taking snapshots of the virtual servers, and had moved those replicas to other AWS accounts they controlled. The GRU stole multiple snapshots of these servers between September 5, 2016 and September 22, 2016. The U.S. later concluded that this cyberattack had been executed by the GRU as part of its broader campaign to damage to the Democratic party. The GRU could have derived significant economic value from the theft of the DNC’s data by, among other possibilities, selling the data to the highest bidder.

The software would also be usable as executable code by DNC opponents, who could attempt to re-create DNC data visualizations or derive DNC strategy decisions by analyzing the tools the DNC uses to analyze its data.

So by the time G2 asked Stone what he thought of “the info on the turnout model for the democrats entire presidential campaign” on September 9, three weeks after having offered to help Stone, the GRU had started stealing snapshots relating to Hillary’s analytics four days earlier. If, as may have been the case with G2’s August 15 question, this question was meant to be a double entendre with a hidden meaning, it might suggest that GRU had shared this, a way to reconstruct Hillary’s crown jewels, with Trump’s rat-fucker (and in any case would have provided incredibly valuable information for whoever received the campaign strategy information that Konstantin Kilimnik was passing on).

Which is even more interesting given the conversations about data that Stone and Bannon were having at the time.

Ron Johnson Grasping at Chum

Russian disinformation purveyor Ron Johnson and Chuck Grassley continue to serially demand and release documents from FBI in hopes of sustaining a buzz suggesting that Hillary was treated better than Donald Trump.

The latest batch is a hodgepodge. It purports to be,

messages from former FBI agent Peter Strzok related to Crossfire Hurricane, the FBI’s investigation of Trump campaign and administration officials, and the FBI’s “Midyear Exam” investigation of former Secretary of State Hillary Clinton’s use of a private email server.

But it is actually a hodgepodge, including texts pertaining to Guccifer 1.0, the ongoing hacks of the DNC, and other investigations pertaining to Russia, including the beginnings of a focus on Russia’s 2016 social media campaign. Some of the texts, such as one from October 21, 2016 about leaked Podesta emails involving Obama, don’t obviously involve Strzok at all.

There is no possible set of search terms that would return these texts. But they’re useful to compare with another more motivated set of texts released by the Jeffrey Jensen investigation that overlap with this one. Here’s a set of texts packaged up to justify blowing up the Flynn prosecution.

As a later filing to Judge Sullivan admitted, they were actually repackaged from the FBI original, and in the process an error was introduced into the document (adding the wrong time for the “Will do” text).

The set released to Johnson includes just a few of those texts, completely out of context.

But those texts reveal one reason why the Jensen texts were packaged up: to alter the UTC times to Eastern time, the kind of thing that, for trial exhibits, needs to be formally noticed. It’s the kind of thing Sullivan wouldn’t need to assess the evidence, but that would make the connections Jensen was trying to feed the public (some false) easier to put together.

Neither the Senators, their staff, nor the frothy right seem to have cared that these texts reflect a random grab bag to keep them occupied. Chuck Ross got himself in a tizzy, for example, because Strzok read the Michael Isikoff article reflecting information from Steele and determined that the Steele reports were “intended to influence as well as inform.”

In his rendition of the text, Ross claims that this means Strzok knew “Steele was a source” for the story. Of course, it means no such thing (and Ross had to mis-cite it to make the claim). It actually reflects that Strzok knew Steele’s reports were a source for the story, which was noticed to the FISA Court from the very first application, and so nothing we didn’t already know.

Then there’s the Federalist, which claims that this text proves the FBI was wiretapping calls between Fox News and George Papadopoulos.

The text is a copy of a text sent by someone else (that is, forwarded to the person who forwarded this to Strzok). It appears to come from Chicago (CG). Chicago was running an informant on Papadopoulos, who spoke quite a lot to him while being monitored. The most likely explanation for this is that after news about Sergei Millian was breaking (whose name is redacted in all these texts), Papadopoulos told the informant that Fox had reached out to him. In the same way Papadopoulos bragged falsely about meeting Russia’s ambassador and Putin’s niece, he may well have exaggerated the seniority of the person he spoke with.

Meanwhile, some of the texts provide needed content.

One text explains part of why Joe Pientka wrote up the briefing he gave Mike Flynn, Chris Christie, and Trump in August 2016: to capture what was said in case anyone leaked it.

He was wise to do so! Both Flynn and Trump would go on to make claims about what went on in the briefing, with Flynn falsely claiming that briefers said they disagreed with President Obama’s policies, claims that do not accord with the record — thus far — we’ve gotten of it.

And in January, amid a recurring discussion about how to organize the investigations — and exhibiting a concern that the multiple (Egypt, Flynn on Turkey, Papadopoulos and Israel) different CI concerns would turn into a Trump focused investigation rather than one focused on multiple legitimate concerns run by people with specific expertise to them — Strzok raised the risk of Flynn leaking. Flynn had a history of sharing classified information inappropriately. In one of the calls with Kislyak, Flynn offered up what kind of calls the Transition had been making (which might have been classified if it happened after inauguration).

Flynn: Yeah, there … there, I can tell you that there’s, uh, you know, a litany of countries that are … that we’re talking … I’m … I’m talking directly to. And … and that …

Kislyak: I see.

Flynn: Basically, just as I asked you.

With this disclosure, Flynn basically admitted to the Russians that Trump’s people were conducting a systematic effort to undermine Obama’s policy. And Kislyak just took it all in, letting Flynn run his mouth.

“I see.”

So at a time he would have been reviewing these transcripts and seeing how little filter Flynn had with a hostile country, Strzok noted that the conversations with Kislyak or others could easily turn into an Espionage investigation, file code 65, if Flynn shared classified information.

There’s more, reflecting a real concern about the leaks that also (rightly) pissed off Trump, along with real efforts to chase them down.

But for now, DOJ and FBI appear to be throwing random shit Ron Johnson’s way to get through the end of the term, when he’ll no longer chair HSGAC.

Rat-Fucker Rashomon: Getting the “Highest Level of Government” to Free Julian Assange

On June 10, 2017, according to affidavits submitted as part of the Mueller investigation, Roger Stone DMed Julian Assange and told him he was doing everything he could to “address the issues at the highest level of Government.”

57. On or about June 10, 2017, Roger Stone wrote to Target Account 2, “I am doing everything possible to address the issues at the highest level of Government. Fed treatment of you and Wikileaks is an outrage. Must be circumspect in this forum as experience demonstrates it is monitored. Best regards R.” Target Account 2 wrote back, “Appreciated. Of course it is!”

On June 19, 2017, according to the Mueller Report, the President dictated a message for Corey Lewandowski to take to Jeff Sessions, telling the (recused) Attorney General to meet with Robert Mueller and order him to limit his investigation only to future election meddling, not the election meddling that had gotten Trump elected.

During the June 19 meeting, Lewandowski recalled that, after some small talk, the President brought up Sessions and criticized his recusal from the Russia investigation.605 The President told Lewandowski that Sessions was weak and that if the President had known about the likelihood of recusal in advance, he would not have appointed Sessions.606 The President then asked Lewandowski to deliver a message to Sessions and said “write this down.” 607 This was the first time the President had asked Lewandowski to take dictation, and Lewandowski wrote as fast as possible to make sure he captured the content correctly.608 The President directed that Sessions should give a speech publicly announcing:

I know that I recused myself from certain things having to do with specific areas. But our POTUS . . . is being treated very unfairly. He shouldn’t have a Special Prosecutor/Counsel b/c he hasn’t done anything wrong. I was on the campaign w/ him for nine months, there were no Russians involved with him. I know it for a fact b/c I was there. He didn’t do anything wrong except he ran the greatest campaign in American history.609

The dictated message went on to state that Sessions would meet with the Special Counsel to limit his jurisdiction to future election interference:

Now a group of people want to subvert the Constitution of the United States. I am going to meet with the Special Prosecutor to explain this is very unfair and let the Special Prosecutor move forward with investigating election meddling for future elections so that nothing can happen in future elections.610

Days after Roger Stone told Julian Assange that he was trying to resolve matters at the highest level of government, the President of the United States tried to issue a back channel order that would shut down the investigation into Assange — and by association, Stone.

According to Lewandowski, neither he nor Rick Dearborn (on whom he tried to pawn off the task) actually delivered the message. But according to Andrew Weissmann, when he and Jeannie Rhee first got briefed on the investigation into how Russia released the documents it had stolen around that time, they learned no one was investigating it.

This effort didn’t start in June 2017, though. It started at least seven months earlier.

The SSCI Report reveals that the day before the Podesta emails got released, Stone probably had a six minute phone call with the candidate via Keith Schiller’s phone.

On the afternoon of October 6, Stone received a call from Keith Schiller’s number. Stone returned the call about 20 minutes later, and spoke–almost certainly to Trump–for six minutes.1663 The substance of that conversation is not known to the Committee. However, at the time, Stone was focused on the potential for a WikiLeaks release, the Campaign was following WikiLeaks’s announcements, and Trump’s prior call with Stone on September 29, also using Schiller’s phone, related to a WikiLeaks release. Given these facts, it appears quite likely that Stone and Trump spoke about WikiLeaks.

The SSCI Report and the affidavits reveal that Stone postponed a lunch with Jerome Corsi on October 8 to go meet with Trump.

On or about October 8, 2016, STONE messaged CORSI at Target Account 2, “Lunch postponed- have to go see T.” CORSI responded to STONE, “Ok. I understand.”

According to Mike Flynn, in the wake of the Podesta release, senior campaign officials discussed reaching out to WikiLeaks.

Beginning on October 7, 2016, WikiLeaks released emails stolen from John Podesta, the chairman of Hillary Clinton’s 2016 presidential campaign. The defendant relayed to the government statements made in 2016 by senior campaign officials about WikiLeaks to which only a select few people were privy. For example, the defendant recalled conversations with senior campaign officials after the release of the Podesta emails, during which the prospect of reaching out to WikiLeaks was discussed.

And then, days later, Roger Stone tried to reach out to WikiLeaks — seemingly in response to WikiLeaks’ public disavowal of any tie to Stone — only to be rebuffed.

On October 13, 2016, while WikiLeaks was in the midst of releasing the hacked Podesta emails, @RogerJStoneJr sent a private direct message to the Twitter account @wikileaks. This account is the official Twitter account of WikiLeaks and has been described as such by numerous news reports. The message read: “Since I was all over national TV, cable and print defending WikiLeaks and assange against the claim that you are Russian agents and debunking the false charges of sexual assault as trumped up bs you may want to rexamine the strategy of attacking me- cordially R.”

Less than an hour later, @Wikileaks responded by direct message: “We appreciate that. However, the false claims of association are being used by the democrats to undermine the impact of our publications. Don’t go there if you don’t want us to correct you.”

On October 16, 2016, @RogerJStoneJr sent a direct message to @Wikileaks: “Ha! The more you ‘correct’ me the more people think you’re lying. Your operation leaks like a sieve. You need to figure out who your friends are.”

But after the election, it was WikiLeaks that reached out to Stone.

On November 9, 2016, one day after the presidential election, @Wikileaks sent a direct message to @RogerJStoneJr containing a single word: “Happy?” @Wikileaks immediately followed up with another message less than a minute later: “We are now more free to communicate.”

At Stone’s trial, Randy Credico testified that in that same period after the election, he put Roger Stone in touch with Margaret Kunstler, Credico’s tie to WikiLeaks and one of the 1,000 lawyers (per a snarky answer from Credico) who represented Assange, to discuss a pardon.

Q. Had you put Mr. Stone directly in touch with Ms. Kunstler after the election?

A. Yes, I did.

Q. And why had you done that?

A. Well, sometime after the election, he wanted me to contact Mrs. Kunstler. He called me up and said that he had spoken to Judge Napolitano about getting Julian Assange a pardon and needed to talk to Mrs. Kunstler about it. So I said, Okay. And I sat on it. And I told her–I told her–she didn’t act on it. And then, eventually, she did, and they had a conversation.

Credico is very evasive about the timing of all this. Texts between him and Stone, introduced as an exhibit at Stone’s trial, show that Credico raised asylum on October 3, three hours before he boasted that he was best friends with Assange’s lawyer, meaning Kunstler.

But when asked about the timing, Credico refused to answer, or even answer a yes or no question about whether discussions began before the election. Note, these texts were ones that neither Credico nor Stone provided at first, on Credico’s part because he no longer had them; the government ultimately subpoenaed them from Stone after Stone shared them with Chuck Ross. The texts Stone produced go through November 14, but the ones released at trial stop on October 3.

Later affidavits make clear, however, that on November 15, seven days after Trump won an election with Julian Assange’s help, Trump’s rat-fucker sent Kunstler a link to download Signal and asked her to call him, which she said she’d do. (This was the first day Stone was using the iPhone 7 on which he sent her these texts.)

Additionally, text messages recovered from Stone’s iCloud account revealed that on or about November 15, 2016, Stone sent an attorney with the ability to contact Julian Assange a link to download the Signal application. 15 Approximately fifteen minutes after sending the link, Stone texted the attorney, “I’m on signal just dial my number.” The attorney responded, “I’ll call you.”

15 This attorney was a close friend of Credico’s and was the same friend Credico emailed on or about September 20, 2016 to pass along Stone’s request to Assange for emails connected to the allegations against then-candidate Clinton related to her service as Secretary of State.

So the pardon discussions Credico testified about under oath began no later than a week after Assange helped Trump get elected, and Credico refused to rule out that they started on November 9 or even earlier. The SSCI Report notes Credico had a 12 minute call with Stone on October 5 and five more calls on October 6.

After Trump was inaugurated in early 2017, via an attorney he shared with Oleg Deripaska, Assange tried to leverage CIA’s hacking tools believed to have been stolen the previous April to obtain an immunity deal. Even while those discussions were ongoing, on March 7, 2017, WikiLeaks released the first installment of CIA’s hacking tools, a release they called Vault 7. According to witnesses at the trial of the accused source, Joshua Schulte, the Vault 7 release brought CIA’s hacking-based spying virtually to a halt while the agency tried to figure out who would be compromised by the release.

But that didn’t stop the pardon discussions between WikiLeaks, including Assange personally, and Stone. After another spat about whether Stone had had a back channel to WikiLeaks which they aired on CNN, Stone returned to a discussion of a pardon on April 7.

On or about March 27, 2017, Target Account 1 wrote to Roger Stone, “FYI, while we continue to be unhappy about false ‘back channel’ claims, today CNN deliberately broke our off the record comments.”

On March 27, 2017, CNN reported that a representative of WikiLeaks, writing from an email address associated with WikiLeaks, denied that there was any backchannel communication during the Campaign between Stone and WikiLeaks. The same article quoted Stone as stating: “Since I never communicated with WikiLeaks, I guess I must be innocent of charges I knew about the hacking of Podesta’s email (speculation and conjecture) and the timing or scope of their subsequent disclosures. So I am clairvoyant or just a good guesser because the limited things I did predict (Oct disclosures) all came true.”

On or about April 7, 2017, Roger Stone wrote to Target Account 1, “I am JA’s only hope for a pardon the chances of which are actually (weirdly) enhanced by the bombing in Syria (which I opposed). You have no idea how much your operation leaks. Discrediting me only hurts you. Why not consider saying nothing? PS- Why would anyone listen to that asshole Daniel Ellsberg.”

On April 13, in the wake of the Vault 7 hack, Mike Pompeo declared WikiLeaks a non-state hostile intelligence service often abetted by Russia.

It is time to call out WikiLeaks for what it really is – a non-state hostile intelligence service often abetted by state actors like Russia. In January of this year, our Intelligence Community determined that Russian military intelligence—the GRU—had used WikiLeaks to release data of US victims that the GRU had obtained through cyber operations against the Democratic National Committee. And the report also found that Russia’s primary propaganda outlet, RT, has actively collaborated with WikiLeaks.

In response, Stone took to InfoWars on April 18, calling on Pompeo to either provide proof of those Russian ties or resign, defending the release of the Vault 7 tools along the way.

The Intelligence agencies continue to insist that Julian Assange is an active Russian Agent and that Wikileaks is a Russian controlled asset. The agencies have no hard proof of this claim whatsoever. Assange has said repeatedly that he is affiliated with no nation state but the Intelligence Agencies continue to insist that he is under Russian control because it fits the narrative in which they must produce some evidence of Russian interference in our election because they used this charge to legally justify and rationalize the surveillance of Trump aides, myself included.

[snip]

President Donald Trump said on Oct. 10, 2016 “I love Wikileaks” and Pompeo who previously had praised the whistleblowing operation now called Wikileaks “a non-state hostile Intelligence service often abetted by state actors like Russia”. Mr. Pompeo must be pressed to immediately release any evidence he has that proves these statements. If he cannot do so, the President should discharge him.

[snip]

Julian Assange does not work for the Russians. Given the import of the information that he ultimately disclosed about the Clinton campaign, the Obama administration and the deep secrets in the CIA’s Vault 7, he has educated the American people about the tactics and technology the CIA has used to spy on ordinary Americans.

Assange personally DMed Stone to thank him for the article, while claiming that Pompeo had stopped short of claiming that WikiLeaks had gotten the stolen DNC emails directly, thereby making WikiLeaks like any other media outlet.

On or about April 19, 2017, Assange, using Target Account 2, wrote to Stone, “Ace article in infowars. Appreciated. But note that U.S. intel is engages in slight of hand maoevers [sic]. Listen closely and you see they only claim that we received U.S. election leaks ‘not directly’ or via a ‘third party’ and do not know ‘when’ etc. This line is Pompeo appears to be getting at with his ‘abbeted’. This correspnds to the same as all media and they do not make any allegation that WL or I am a Russia asset.”

It’s in that context — in the wake of Trump’s trusted CIA Director (and a former WikiLeaks booster himself) asserting serial cooperation between Russia and WikiLeaks — that Stone and Assange had the exchange that directly preceded Trump’s attempt to shut down any investigation into the leaks to WikiLeaks.

On June 4, Stone threatened to “bring down the entire house of cards” if the government moved on Assange (Stone kept a notebook during the campaign detailing all the calls he had had with Trump), then raised a pardon again, suggesting Assange had done nothing he needed to be pardoned for.

56. On or about June 4, 2017, Roger Stone wrote back to Target Account 2, “Still nonsense. As a journalist it doesn’t matter where you get information only that it is accurate and authentic. The New York Times printed the Pentagon Papers which were indisputably stolen from the government and the courts ruled it was legal to do so and refused to issue an order restraining the paper from publishing additional articles. If the US government moves on you I will bring down the entire house of cards. With the trumped-up sexual assault charges dropped I don’t know of any crime you need to be pardoned for – best regards. R.” Target Account 2 responded, “Between CIA and DoJ they’re doing quite a lot. On the DoJ side that’s coming most strongly from those obsessed with taking down Trump trying to squeeze us into a deal.”

57. On or about June 10, 2017, Roger Stone wrote to Target Account 2, “I am doing everything possible to address the issues at the highest level of Government. Fed treatment of you and Wikileaks is an outrage. Must be circumspect in this forum as experience demonstrates it is monitored. Best regards R.” Target Account 2 wrote back, “Appreciated. Of course it is!”

According to texts between Stone and Credico, Stone at least claimed to be pursuing a pardon in early 2018 (though he may have been doing that to buy Credico’s silence).

And it wasn’t just Stone involved in the discussions to free Assange.

Manafort’s Ecuador trip

While it’s not clear to what end, Paul Manafort took steps relating to Assange as well.

There’s the weird story by Ken Vogel, explaining that between those two Stone-Assange exchanges in April and June, 2017, long-time Roger Stone friend Paul Manafort went to Ecuador to negotiate Assange’s expulsion.

In mid-May 2017, Paul Manafort, facing intensifying pressure to settle debts and pay mounting legal bills, flew to Ecuador to offer his services to a potentially lucrative new client — the country’s incoming president, Lenín Moreno.

Mr. Manafort made the trip mainly to see if he could broker a deal under which China would invest in Ecuador’s power system, possibly yielding a fat commission for Mr. Manafort.

But the talks turned to a diplomatic sticking point between the United States and Ecuador: the fate of the WikiLeaks founder Julian Assange.

In at least two meetings with Mr. Manafort, Mr. Moreno and his aides discussed their desire to rid themselves of Mr. Assange, who has been holed up in the Ecuadorean Embassy in London since 2012, in exchange for concessions like debt relief from the United States, according to three people familiar with the talks, the details of which have not been previously reported.

They said Mr. Manafort suggested he could help negotiate a deal for the handover of Mr. Assange to the United States, which has long investigated Mr. Assange for the disclosure of secret documents and which later filed charges against him that have not yet been made public.

The story never explained whether Manafort wanted Assange handed over for trial, for a golf vacation, or for Russian exfiltration (as was reportedly planned for Assange later in 2017).

That Manafort went to Ecuador and negotiated for an Assange release accords, however, with the 302 of a witness who called in to Mueller’s team. The witness described that Manafort had told him or her, in real time, that he had gone to Ecuador, “to try to convince the incoming President to expel Assange from the Embassy in order to gain favor with the U.S.”

Neither of these stories should be considered reliable, as written. 302s that Bill Barr’s DOJ is willing to release in unredacted form, as this one is, tend to be false claims that make Trump look less suspect than he really is. And Manafort-adjacent sources were using Ken Vogel to plant less-damning cover stories during this period. Further, as we’ll see, their dates, November 28 and December 3, 2018, respectively, put them in a period after Trump knew that Mueller was investigating efforts to pardon Assange.

Manafort went to Ecuador in May of 2017. At the time, his lifelong buddy Roger Stone was still pursuing some means to get Assange released. It’s unclear precisely what Manafort asked Lenín Moreno to do.

WikiLeaks cultivates Trump’s oldest son

A more interesting parallel timeline (one that becomes more interesting if you track the communications in tandem, as I do below) is the dalliance between Don Jr and WikiLeaks. The failson’s communications with WikiLeaks are one area where all of the Roger Stone stories withhold key details. The Mueller Report, for example, covers only three of the Don Jr-WikiLeaks exchanges, which it caveats by explaining that it addresses the ones “during the campaign period” (again, only the one where Don Jr accesses a non-public website using the private password WikiLeaks shared involved a prosecutorial decision and so needed to be included).

Like the Mueller Report, the SSCI Report describes in the body of the report Don Jr’s exchange with WikiLeaks in a period around the time that Trump and his closest advisors had discussed reaching out to WikiLeaks.

(U) WikiLeaks also sought to coordinate its distribution of stolen documents with the Campaign. After Trump proclaimed at an October 10 rally, “I love WikiLeaks” and then posted about it on Twitter,1730 WikiLeaks resumed messaging with Trump Jr. On October 12, it said: “Strongly suggest your dad tweets this link if he mentions us … there’s many great stories the press are missing and we’re sure some of your follows [sic] will find it. btw we just released Podesta Emails Part 4.”1731 Shortly afterward, Trump tweeted: “Very little pick-up by the dishonest media of incredible information provided by WikiLeaks. So dishonest! Rigged System!”1732 Two days later, Donald Trump Jr. tweeted the link himself: “For those who have the time to read about all the corruption and hypocrisy all the @wikileaks emails are right here: wlsearch.tk.”1733 Trump Jr. admitted that this may have been in response to the request from WikiLeaks, but also suggested that it could have been part of a general practice of retweeting the WikiLeaks releases when they came out. 1734

But it only presents one part of the exchange that Jr and WikiLeaks had on November 8 and 9, and it relegates that to a footnote.

1738 (U) Ibid., pp. 164-166. WikiLeaks continued to interact with Trump Jr. after the general election on November 8, 2016. On November 9, 2016, WikiLeaks wrote to Trump Jr.: “Wow. Obama people will surely try to delete records on the way out. Just a heads up.”

As to the affidavits, the warrant application for Julian Assange’s Twitter account described having earlier obtained Don Jr’s Twitter account, but didn’t refer to him by name. Instead, it referred to him as “a high level individual associated with the Campaign,” and described just the September exchange between the two of them.

After the Atlantic provided more of those DMs, Don Jr, as he had earlier with his June 9 emails, released them himself. The Election Day exchange of which SSCI made no mention pushes Don Jr to adopt a strategy Russia was also pushing — to refuse to concede (a strategy that Trump will undoubtedly adopt on November 4 if he loses).

Hi Don; if your father ‘loses’ we think it is much more interesting if he DOES NOT conceed [sic] and spends time CHALLENGING the media and other types of rigging that occurred–as he has implied that he might do. He is also much more likely to keep his base alive and energised this way and if he is going to start a new network, showing how corrupt the old ones are is helpful. The discussion about the rigging can be transformative as it exposes media corruption, primary corruption, PAC corruption etc. We don’t like corruption ither [sic] and our publications are effective at proving that this and other forms of corruption exists.

That doesn’t pertain to pardons (though it does demonstrate that WikiLeaks was not involved in a journalistic enterprise).

But a DM from December 16, 2016, which the SSCI similarly excerpted in a footnote, does discuss what amounts to a pardon:

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have!” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. Background: justice4assange.com

When these DMs were released on November 14, 2017, Assange tweeted out a follow-up to the December 2016 one, adding a threat by hashtagging Vault8, the source code to the CIA files, a single example of which WikiLeaks had just released on November 9, 2017.

Meanwhile, in the one other example where WikiLeaks provided the President’s son advice — a pitch for him to release his own June 9 emails via WikiLeaks in July 2017 — WikiLeaks explicitly suggested that Don Jr contact Margaret Kunstler, the same lawyer who had been discussing pardons with Assange nine months earlier.

There appears to be more — far more — to Margaret Kunstler’s role. Two 302s identifiable as hers have been released in response to the BuzzFeed FOIA, an interview on October 29, 2018 involving Stone prosecutor Aaron Zelinsky and Obstruction prosecutor Andrew Goldstein, and a second interview, this one by phone, on November 20, 2018, this one adding Russian prosecutor Rush Atkinson along with Zelinsky and Goldstein. Both 302s were released on October 1, 2020, the most recent release. In the first interview, only Kunstler’s response stating that she did not pass on Stone’s September request for information about Libya to Julian Assange was partly unsealed; there are at least five more paragraphs that remain redacted as part of an ongoing investigation. The second is eight pages long and appears to have at least four sub-topics with separate headings. Aside from the introductory paragraph, it remains entirely redacted, with over half covered by a b7A ongoing investigation exemption.

The investigation into much of Stone’s activities appears to have been shut down. But the investigation into the pardon discussions appears to have been ongoing just three weeks ago.

The Mueller question

The discussion of efforts to free Julian Assange appears, primarily, in two versions of the Roger Stone story. Prosecutors at Stone’s trial used the discussions to explain which of Stone’s threats — those naming Kunstler directly — worked most effectively to delay Credico’s cooperation. It also appears in affidavits, though with Don Jr’s identity obscured.

The SSCI report relegates both the Don Jr and Stone pardon discussions with WikiLeaks to footnotes and doesn’t quote Stone using the word “pardon” in the excerpts it includes. It does so even though the SSCI Report describes Dana Rohrabacher’s attempt to broker an Assange pardon in August 2017 in the body of the text.

The Mueller Report doesn’t discuss pardon efforts for Assange where you might expect it, along with discussions of pardons for Manafort, Flynn, Stone himself, and Michael Cohen. Mention of the effort to free Assange appears in just one place: amid the questions asked of Trump in an appendix.

Did you have any discussions prior to January 20, 2017, regarding a potential pardon or other action to benefit Julian Assange? If yes, describe who you had the discussion(s) with, when, and the content of the discussion(s).

I do not recall having had any discussion during the campaign regarding a pardon or action to benefit Julian Assange.

That appendix explains that Mueller’s team submitted these questions on September 17, 2018 (before both of Kunstler’s interviews) and Trump returned them on November 20, 2018.

In the interim period, on October 30, 2018, Don Jr’s close buddy, Arthur Schwartz, responded for the first time in years of having listened to former Sputnik employee Cassandra Fairbanks’ lobbying for Julian Assange in the right wing chat room they both (along with Ric Grenell) participated in. He told her that Assange would be charged and expelled from the embassy, that a pardon was not going to fucking happen and — at some point, if Fairbanks can be believed — suggested someone with whom Schwartz was lifelong friends might be affected.

Arthur Schwartz warned me that people would be able to overlook my previous support for WikiLeaks because I did not know some things which he claimed to know about, but that wouldn’t be so forgiving now that I was informed. He brought up my nine year old child during these comments, which I perceived as an intimidation tactic.

He repeatedly insisted that I stop advocating for WikiLeaks and Assange, telling me that “a pardon isn’t going to fucking happen.” He knew very specific details about a future prosecution against Assange that were later made public and that only those very close to the situation would have been aware of. He told me that it would be the “Manning” case that he would be charged with and that it would not involve Vault 7 publication or anything to do with the DNC. He also told me that they would be going after Chelsea Manning. I also recollect being told, I believe, that it would not be before Christmas.

[snip]

The other persons who Schwartz said might also be affected included individuals who he described as “lifelong friends.”

Shortly after Trump submitted his answers, two stories — one public, one via witness testimony to Mueller — claimed that Manafort’s visit to Moreno, at a time when his buddy Stone was seeking a pardon, was actually an attempt to expel Assange from the embassy.

In spite of what Schwartz told Cassandra, however, the pardon discussions aren’t over. Just before Julian Assange’s extradition hearing started, Roger Stone’s buddy Tucker Carlson invited Glenn Greenwald on to make a three minute pitch — one in which Glenn explained what a good way this would be for Trump to stick it to the Deep State — for both Assange and Ed Snowden.

Timeline

September 20, 2016: WikiLeaks DMs Don Jr a link to putintrump site, including a password.

October 3, 2016: Credico raises asylum for Assange and tells Stone he’s best friends with Assange’s lawyer. WikiLeaks DMs Don Jr asking him to push a story about Hillary drone-striking Assange; Don Jr notes he has already done so and asks what is coming on Wednesday.

October 5, 2016: Credico and Stone speak for 12 minutes.

October 6, 2016: Stone probably has a six minute call with Trump. Stone has five calls with Credico.

October 7, 2016: The release of the Podesta emails swamps the DHS/ODNI release attributing the DNC hack and tying WikiLeaks to Russia.

October 8, 2016: Stone and Trump probably meet.

Shortly after Podesta release: Senior campaign officials discuss reaching out to WikiLeaks.

October 10, 2016: Trump tweets “I love WikiLeaks.”

October 12, 2016: WikiLeaks disavows any back channel with Stone. WikiLeaks also DMs Don Jr suggesting he get his father to tweet a link. Don Jr tweets it that day.

October 13, 2016: Stone and WikiLeaks exchange DMs.

October 14, 2016: Trump tweets the link WikiLeaks sent to Don Jr.

October 16, 2016: Stone tells WikiLeaks “You need to figure out who your friends are.”

October 21, 2016: WikiLeaks suggests that Don Jr release Trump’s tax returns to WikiLeaks.

November 8, 2016: WikiLeaks DMs Don Jr to suggest Trump not concede if he loses.

November 9, 2016: WikiLeaks DMs Don Jr to claim Obama’s people will delete records on the way out. WikiLeaks DMs Stone to say, “We are now more free to communicate.”

November 14, 2016: Stone gets a new phone.

November 15, 2016: Stone texts Margaret Kunstler a link to Signal and tells her to call him on it, which she said she would do.

December 16, 2016: WikiLeaks suggests that Don Jr ask his dad to suggest Australia appoint Assange as Ambassador to the US.

January 6, 2017: WikiLeaks DMs Don Jr a John Harwood tweet asking, “Who do you believe, America?”

March 7, 2017: WikiLeaks starts releasing the Vault 7 files, effectively halting CIA’s hacking capability for a period.

March 27, 2017: Stone and WikiLeaks exchange more complaints about whether Stone had a back channel.

April 7, 2017: Stone writes WikiLeaks that he is “JA’s only hope for a pardon.”

April 13, 2017: Mike Pompeo calls WikiLeaks a non-state hostile intelligence service often abetted by Russia.

April 18, 2017: Stone calls on Pompeo to release proof of WikiLeaks’ Russian ties or resign.

April 19, 2017: Assange thanks Stone for the attack on Pompeo, but claims that Pompeo has stopped short of calling WikiLeaks a Russian asset.

April 26, 2017: Assange DMs Don Jr some video on “Fake News.”

May 2017: Manafort meets in Ecuador with Lenín Moreno to discuss Assange.

June 4, 2017: Stone DMs Assange, threatening to “bring down the entire house of cards” if the US government moves on Assange.

June 10, 2017: Roger Stone tells Assange he is “doing everything possible … at the highest level of Government” to help Assange.

June 19, 2017: Trump tries to give a back channel order to Jeff Sessions to limit the Mueller investigation to future election meddling, not the meddling that helped him get elected.

July 11, 2017: WikiLeaks DMs Don Jr to suggest he release his June 9 emails via WikiLeaks, providing him Margaret Kunstler’s contact information as if she would take the submission.

October 12, 2017: Mueller’s team obtains Don Jr’s Twitter content.

November 6, 2017: Mueller’s team obtains WikiLeaks and Assange’s Twitter content.

November 14, 2017: Don Jr releases his Twitter DMs with WikiLeaks. Julian Assange publicly references the December 16 DM, suggests he can open “luxury immunity suites for whistleblowers,” and includes a Vault8 hashtag (referencing CIA’s source code).

December 21, 2017: Reported attempt to exfiltrate Assange from the embassy; DOJ charges Assange with CFAA conspiracy.

January 6, 2018: Stone claims “I am working with others to get JA a blanket pardon.”

September 17, 2018: Mueller submits questions to Trump, including one about a pardon for Assange.

October 29, 2018: Mueller’s team interviews Kunstler.

October 30, 2018: Arthur Schwartz tells Cassandra Fairbanks there’s not going to be a fucking Assange pardon.

November 20, 2018: Trump returns his questions to Mueller. Mueller’s team interviews Kunstler.


The movie Rashomon demonstrated that any given narrative tells just one version of events, but that by listening to all available narratives, you might identify gaps and biases that get you closer to the truth.

I’m hoping that principle works even for squalid stories like the investigation into Roger Stone’s cheating in the 2016 election. This series will examine the differences between four stories about Roger Stone’s actions in 2016:

As I noted in the introductory post (which lays out how I generally understand the story each tells), each story has real gaps in one or more of these areas:

My hope is that by identifying these gaps and unpacking what they might say about the choices made in crafting each of these stories, we can get a better understanding of what actually happened — both in 2016 and in the investigations. The gaps will serve as a framework for this series.