Posts

Biden Administration Negotiates Release of Evan Gershkovich and Others

/52 Comments/in , /by

As many outlets have been reporting since dawn my time, there has been a massive prisoner exchange between the US, Russia, and five European allies.

President Biden issued this release, emphasizing the import of allies.

Today, three American citizens and one American green-card holder who were unjustly imprisoned in Russia are finally coming home: Paul Whelan, Evan Gershkovich, Alsu Kurmasheva, and Vladimir Kara-Murza.

The deal that secured their freedom was a feat of diplomacy. All told, we’ve negotiated the release of 16 people from Russia—including five Germans and seven Russian citizens who were political prisoners in their own country. Some of these women and men have been unjustly held for years. All have endured unimaginable suffering and uncertainty. Today, their agony is over.

I am grateful to our Allies who stood with us throughout tough, complex negotiations to achieve this outcome— including Germany, Poland, Slovenia, Norway, and Turkey. This is a powerful example of why it’s vital to have friends in this world whom you can trust and depend upon. Our alliances make Americans safer.

And let me be clear: I will not stop working until every American wrongfully detained or held hostage around the world is reunited with their family. My Administration has now brought home over 70 such Americans, many of whom were in captivity since before I took office. Still, too many families are suffering and separated from their loved ones, and I have no higher priority as President than bringing those Americans home.

Today, we celebrate the return of Paul, Evan, Alsu, and Vladimir and rejoice with their families. We remember all those still wrongfully detained or held hostage around the world. And reaffirm our pledge to their families: We see you. We are with you. And we will never stop working to bring your loved ones home where they belong.

WSJ has a very long story about the lead-up to this release, focused on Gershkovich’s mother’s activism.

The Insider has a list of all the people exchanged, which include an assassin, two spies caught in Slovenia, and three people prosecuted in the US.

Readers of this blow will remember Putin associate, Vladislav Klyushin, who conspired with the former GRU hacker who targeted John Podesta in an insider trading scheme.

On September 7, 2023, a court in Boston, Massachusetts, found the Russian businessman Vladislav Klyushin guilty of insider trading and sentenced him to nine years in prison.

Klyushin was arrested in Switzerland in March 2021 and later extradited to the U.S. He was accused of participating in a scheme that involved the illegal use of confidential information for financial gain in the securities market. According to the indictment, the insider trading scheme, orchestrated outside the U.S., generated $93 million in profits for its participants.

Here’s a post I did on how they found Klyushin.

“That’s How … You End Up as a Defendant in a Court Room:” Some Days in the Life of a Named-and-Shamed Former GRU Hacker, Ivan Ermakov

/5 Comments/in , , , /by

In early 2018, Ivan [Y]Ermakov,* one of the hackers alleged to have stolen John Podesta’s emails two years earlier, was living it up.

For his April 10 birthday that year, he went on a stunning heli-ski trip with his future co-conspirator, Vladislav Klyushin (Ermakov is on the left in this picture, Klyushin, on the right and in the Featured Image picture).

In summer 2018, they were enjoying the Sochi World Cup together, too.

Just days after this trip to Sochi, however, on July 13, 2018, Robert Mueller would indict Ermakov, along with eleven of his former GRU colleagues, for hacking the DNC, DCCC, Hillary Clinton, election vendors, and registration websites, as well as orchestrating the release of the stolen files.

By the time of that first indictment against him — the first of three known indictments against the Russian hacker so far — Ermakov had already made one of the fatal slip-ups that would form part of the proof against Klyushin at trial, this time for a hack-and-trade scam. On May 9, 2018, Yermakov received three updates from his Apple iTunes account to the IP address 119.204.194.11. Just four minutes later, someone using that IP address downloaded an SEC filing using credentials stolen from a Donnelly Financial employee named Julie Soma. That download occurred hours before the report would be publicly filed with the SEC, one of dozens of such thefts of SEC filings that formed the basis of the hacking and securities fraud charges against the men.

So months before Mueller’s indictment alerted Ermakov that the FBI had discovered who he was and that they believed he was one of the hackers behind the 2016 hack, he had already left proof in US-based servers that would tie to him to a follow-up crime, the hack-and-insider trading conspiracy for which Klyushin was convicted in February.

Klyushin has challenged the verdict, largely based on a technical challenge to the venue of the charges in Massachusetts.

Per trial testimony, Ermakov left those tell-tale forensic tracks four months before Klyushin would first get involved in the hack-and-trade scheme, in August 2018. The scheme was doomed from the start — at least, it would be doomed if any of the identified co-conspirators traveled to a jurisdiction that would extradite to the US, as Klyushin did in March 2021.

In fact, there’s something curious about that.

One thing submitted as evidence at trial was a picture of a May 22, 2017 Reuters article reporting the US sentence for Ukrainian hacker Vadym Iermolovych, one of ten people prosecuted for a hack-and-trade conspiracy similar to the one for which Klyushin was convicted.

According to the FBI agent who introduced the exhibit, the picture itself was taken in August 2018. Someone printed out the article and packaged it up in a plastic folder over a year after the fact. That suggests Klyushin was in discussion with a very well-connected friend about the possibility of such charges in the same month that Klyushin first got involved in the scheme.

The possibility of prosecution hung over the conspiracy from the start.

Thanks to Klyushin’s promiscuous storage of damning evidence in his iCloud account, from which many of the pictures and chats in this post were obtained by the FBI, the Klyushin case offers an unprecedented public glimpse into the effect that US indictments against nation-state hackers like Ermakov might have on one of the target’s lives. In Ermakov’s case, it didn’t stop him from hacking US targets. Indeed, it’s possible that others used the indictments to pressure Ermakov to use his hacking skills for them.

Since 2014, DOJ has been indicting nation-state hackers in what have always been assumed to be name-and-shame documents, indictments that would never lead to trial. Indeed, that’s what the two earlier indictments of Ermakov have always been assumed to be: a public accusation that would never lead to Ermakov’s imprisonment. The wisdom of indicting nation-state hackers has never been obvious. Yevgeniy Prigozhin’s exploitation of his own name-and-shame indictment has revealed the potential perils of the policy. And Russian denialists brush off the July 2018 indictment charging Ermakov and others with the election year hack (as Matt Taibbi did in his recent congressional testimony), arguing that since the indictment will never be tested at trial, it could be mere government propaganda.

At least in the case of the 2016 Russian operation, the indictment has done little to persuade denialists, who simply refuse to read about the many places where the hackers left evidence.

In a follow-up, I’ll show how DOJ proved their case against Klyushin using the same kind of evidence they used in the earlier indictments against Ermakov and his colleagues, largely metadata and content obtained from US-based and a few foreign servers. DOJ may never get a chance to prove the first two indictments against Ermakov, but using the same investigative techniques, they did prove the case against Ermakov’s co-conspirator, Klyushin.

This case, where a sealed complaint ultimately led to the trial of one co-conspirator of a hacker previously charged, also provides a glimpse of what happened after one nation-state hacker got name-and-shamed in the US.

It’s not clear from the trial record when Ermakov left the GRU or who his formal employer was before he joined Klyushin’s M-13, an information services company with ties to Putin’s office that offered, among its services, pen testing.

The FBI found a contact card for Igor Sladkov, with whom Ermakov may have started the hack-and-trade scheme at least as early as October 2017, in Ermakov’s own iCloud account, one of the only interesting pieces of evidence they found there. It was dated November 16, 2016, just over a week after Donald Trump got elected with Ermakov’s help. Sladkov — whose iCloud OpSec was just as shoddy as Klyushin’s — had a bunch of photos of Ermakov in his iCloud account, including the hacker’s passport, a 2016 picture of Ermakov sitting before an enormous plate of some animal flesh, and a picture from Ermakov’s 2018 ski trip, as well as a picture of Klyushin’s yacht that Ermakov had shared.

Before trial, Klyushin’s team argued that Ermakov never worked for Klyushin’s company, bolstering the claim with a chat from May 2019 in which Ermakov bitched about his job to Klyushin and a certificate from the Russian tax service claiming that [Y]Ermakov never worked at M-13.

But days after that chat, per another pre-trial filing, Ermakov spoke longingly of being able to travel like Klyushin could. Klyushin responded that he would get Ermakov new identity papers so the two could travel to Europe together, but not — Klyushin conceded — London or America. Klyushin seemingly used that discussion as background to press Ermakov to get back to work, with the implication being he should get back to the hack-and-trade scheme.

That is, Ermakov appears to have included Klyushin in the hack-and-trade scheme while still working for someone else. And Klyushin seems to have used his promise to help Ermakov mitigate the risks created by those earlier indictments to pressure Ermakov to keep hacking. If that’s right, the vulnerability created by the earlier indictments gave Klyushin leverage to get Ermakov to keep hacking.

But Ermakov did eventually join M-13, at least informally. The government introduced an M-13 employee list reflecting Ermakov’s participation in specific project at trial. And they submitted a picture, from December 2019, showing Ermakov with an M-13 sticker, within days of the time when a staging server similar to the one used in the 2016 hack of the Democrats was set up.

Klyushin may have even incorporated Sladkov into M-13. The FBI found a proposal for a data analysis service, dated September 4, 2019, which M-13 would introduce on October 28, 2020, as well as encrypted communications from an M-13 chat application, in Sladkov’s iCloud account.

Klyushin fought hard to exclude one of the most telling pieces of evidence that the hacking scheme came to be tied to M-13 — the four Porsches that, Klyushin bragged to an investor, he had bought for himself, Ermakov, and one other co-conspirator with the proceeds of the insider trading.

But this currency — expensive gifts — seems to have been at least part of the way Erkamov was compensated for his role in the scheme.

Ermakov did not engage in any trading himself. Instead, two men in St. Petersburg, two associated with M-13 (including Klyushin himself), and three clients of M-13, profited off documents [Y]Ermakov seems to have stolen.

But in addition to the Porsche, on August 17, 2020, ten days before the delivery of the Porsches, Ermakov took possession of a Moscow house worth millions, the loan agreement for which Klyushin reportedly ripped up. Months earlier, Klyushin had tied paying for the house with continued hacking — which, Klyushin joked, amounted to just turning on the computer and thinking about making money.

Ermakov was effectively printing money for Klyushin, and his reward was that house.

In September 2020, the hack-and-trade scheme would be shut down for good.

Throughout the time it was going, however, those co-conspirators knew of the indictment against Ermakov. Sladkov downloaded Ermakov’s wanted poster from the FBI website on October 5, 2018, just a day after Ermakov was charged in the 2016 hack-and-leak of anti-doping agencies while Ermakov was still a GRU officer.

And on October 4, 2020, Klyushin took a screencap of Ermakov’s wanted poster from the FBI website.

By the time Klyushin took this screencap, the victim filing agencies had finally shut down Ermakov’s access to the site, after eight months of trying. Perhaps Klyushin was contemplating what that would mean or how it had happened? According to trial evidence, DOJ didn’t identify the hack-and-trade scheme by tracking what Ermakov was doing. Rather, the investigation started when the SEC started tracking some large-scale trading by a bunch of Russians together, then asked the filing agencies if they had been hacked. At least according to the public record, the involvement of Ermakov was disclosed only after working backwards from the forensic evidence. But in October 2020, Klyushin may have considered the risks of entering into a hack-and-trade scheme with a hacker whose habits were already known within the FBI.

By then it was too late. Indeed, Ermakov had already warned his boss about his shoddy OpSec. On July 18, 2019, Kluyshin asked Ermakov and the other M-13 co-conspirator Nikolai Rumiantcev how the hack-and-trade was going. He included pictures of two of the M-13 investors. In response, Ermakov warned his boss that that kind of OpSec is the kind of thing that would land him as a defendant in a courtroom.

Q. Okay, thank you. And now can we move to 3980, please. And this date is?

A. This is July 18 of 2019.

Q. Would you begin with 3980.

A. “Vladislav Klyushin: So what did we earn today?”

Q. And then there’s an attachment?

A. Correct.

Q. And then he says what?

A. Ermakov responds: “About 350 and another 350 in the mind. Sasha the most among the rest. “Klyushin: Our comrades are wondering.”

MR. FRANK: Could we stop right there, and I realize it’s hard, Ms. Lewis, because we’re in the Excel, but could you please display Exhibits 52 and Exhibit 50.

Q. Those are the attachments, Special Agent. Have you had an opportunity to review those?

A. Yes.

Q. Who’s depicted in Exhibits 52 and 50?

A. On the left, 52 is Sergey Uryadov. On the right is Boris Varshavksiy in Exhibit 50.

MR. FRANK: I offer 52 and 50. (Exhibits 50 and 52 received in evidence.)

Q. Okay. So those are the two attachments Mr. Klyushin has just transmitted in the chat?

A. Yes.

Q. Can we go back to the chat and pick up where we left off. So Mr. Klyushin says, “What did we earn today? Our comrades are wondering.” Could you continue, please, at 3987.

A. After sending those pictures we just looked at, Ermakov replies: “Vlad, you are exposing our organization. This is bad.” Nikolai Rumiantcev: Vlad, stop sending to Threema.” Klyushin replies, “So sorry.” “Ermakov: And that’s how they get you and you end up as a defendant in a courtroom.”

Q. How does Mr. Klyushin respond?

A. Klyushin responds, “Removed. Open a chat with us already. “Ermakov: Go ahead and create. It was a bad move now. “Klyushin: Sorry. Did a dumb thing. “Rumiantcev: I suggest to recreate the chat with the deletion of attachments in Threema, or switch to ours if ready. “Klyushin: I will delete this one on my end.”

Klyushin did delete this chat. Rumiantcev left it in his iCloud account, where the FBI found it.

At the time, the men appear to have been shifting their trading discussions to the encrypted M-13 chat application found in all their iCloud accounts, finally taking measures to cover their tracks going forward, over eighteen months into the hack-and-trade conspiracy. Going forward, those working with Ermakov might not exhibit the kind of abysmal OpSec that produced abundant trial evidence against his co-conspirator. Maybe they learned their lesson, and they’ll be able to exploit Ermakov’s skill more safely going forward.

It remains to be seen whether the prosecution of Klyushin, with his ties to high even higher ranking Russians, does more than hold him accountable for millions in fraudulent trades. But that may have little effect on the life of John Podesta’s suspected hacker.

* The government has used two different transliterations for [Y]Ermakov’s last name. In 2018, they used the one that aids in pronunciation. In 2021, they used the direct transliteration from the Cyrillic. Because evidence submitted at Klyushin’s trial uses the initials “IE” to refer to Ermakov, I’ll adopt that spelling here.

Alleged DNC Hacker’s Co-Conspirator, Vladislav Klyushin, Convicted of Cheating Elon Musk and Others

/22 Comments/in , /by

One article of faith of “Russiagate” propagandists is that DOJ couldn’t convict any of the hackers involved in the 2016 Russian operation if one happened to wander into a friendly jurisdiction and get arrested.

Today in Boston, a jury convicted Vladislav Klyushin, the co-conspirator and boss of one of the men charged in the 2016 hack of the DNC. Klyushin was arrested and extradited from Switzerland two years ago.

The jury found Klyushin guilty on charges of hacking, wire fraud, securities fraud, and a conspiracy to hack.

Here’s how I described the hack-and-insider trade scheme after Klyushin’s extradition.

The insider trader scheme works like this: Klyushin (the guy in US custody) and Yermakov (a key person involved in the 2016 DNC hack, described in DOJ’s press release as a “former” GRU officer), along with one other guy from M-13, are[] accused of hacking at least two US filing agents to obtain earnings reports before they were officially released. They conducted trades for a handful of clients — along with Borodaev and Uryadov, Boris Varshavskiy is mentioned. Klyushin also conducted trades for himself.

As noted, one guy the jury found that Klyushin conspired with — in fact, the guy who hacked two US filing companies to obtain the information to use in insider trading — is Ivan Yermakov [Ermakov]. Before he went to work for Klyushin, he worked for Russian military intelligence, where he is alleged to have phished Democratic targets in 2016 and then exfiltrated data. Among other things, Mueller accused Yermakov of being one of two people who stole John Podesta’s emails.

According to court filings, the FBI didn’t get involved in this case until one of the filing companies that were targeted reported a hack in 2020. But the investigation relied on information that dated back years earlier.

Of particular note, Yermakov got a smart phone update on May 9, 2018 at the same IP address used to steal some earnings reports used in the insider trading scheme on that same day.

Based on a review of records obtained from a U.S.-based technology company (the “Tech Company”), I have learned that on or about May 9, 2018, at 3:44 a.m. (ET), an account linked to ERMAKOV received an update for three native applications associated to the Tech Company. Records show that the May 9, 2018 application updates were associated to IP address 119.204.194.11 (the “119 IP Address”).

Based on my review of a log file from FA 2, I learned that on or about that same day, May 9, 2018, starting at 3:46 a.m. (ET)–approximately two minutes after ERMAKOV received application updates from the Tech Company–the FA 2 employee’s compromised login credentials were used to gain unauthorized access to FA 2’s system from the same 119 IP Address, and to view and/or download earnings-related files of four companies: Cytomx Therapeutics, Horizon Therapeutics, Puma Biotechnology, and Synaptics.7 All four companies reported their quarterly earnings later that day.

Two months later, in July 2018, Mueller would charge Yermakov and others in the DNC hack.

Three months after that, on October 24, 2018, the co-conspirators targeted Tesla’s earnings announcement.

Klyushin bragged about knowing that Tesla would spike in value after its earnings statement. “Pay attention to shares of Tesla now and tomorrow after 16:30 and on how much they go up,” Klyushin advised some guys he let in on the racket. After the earning statement came out, Klyushin noted,

It was 288 but after the close it was already 308, and tomorrow will most likely hit 330 that’s 10. And with a shoulder 2-3 times its almost 25. But such deals don’t happen often in a quarter.

In precisely that time period, Elon Musk was consolidating his 20% ownership stake in Tesla. He bought $30 million in Tesla stock in the days and weeks after Klyushin and his co-conspirators front-loaded Tesla.

The following year, Klyushin and Yermakov would joke about how much cash they were accumulating by insider trading on companies like Tesla.

Below are photographs that the defendant shared with his co-defendant and employee, Ermakov, in August 2019. The pictures, taken at different times, show a single safe containing an increasing amount of U.S. one hundred dollar bills. Based on the amount of currency in the safe on the right, and a comment that the defendant made to Ermakov that the amount in the safe is about “3,” investigators believe that safe—whose exact location is unknown—may have contained as much as $3 million in cash

To add insult to injury, these are the cars that Klyushin and Yermkov bought with the proceeds they made from from insider trading on Tesla and other companies.

The picture was submitted at trial to prove the tie between Yermakov and Klyushin, demonstrated by the reference to their company incorporated into the vanity plates.

It’s absolutely the case that Ivan Yermakov is not going to arrive for prosecution in the United States any time soon. In fact, prosecutors found both WhatsApp chats between the two men, in 2019, describing Yermakov’s inability to leave Russia — and Klyushin’s promises to try to help — as well as a screen shot of the FBI wanted poster for Yermakov, taken in October 2020.

But a guy just convicted of conspiring with him did. And a jury found him guilty of hacking US targets.

Five Years after WikiLeaks Exposed CIA Identities in Vault 7, UK Moves Closer to Assange Extradition

/9 Comments/in , , , /by

Last November, in response to an order from Judge Jesse Furman, DOJ said that they were fine with accused Vault 7 leaker Joshua Schulte’s request for a delay before his retrial. In fact, they didn’t think a Schulte retrial could start before March 21.

Although the Government is available for trial at any time in the first or second quarters of 2022, the Government does not believe it would be practical to schedule the trial prior to March 2022. In particular, although the Government believes that the Court’s prior rulings pursuant to Section 6 of CIPA address the vast majority of questions concerning the use of classified information at trial in this matter, it appears likely that the defendant will seek to use additional classified information beyond that previously authorized by the Court. The process for pretrial consideration of that application pursuant to Section 6 is necessarily complex, entailing both briefing and hearings in a classified setting. To the extent the Court authorizes the defendant to use additional classified information, implementation of the Court’s rulings can also take time, such as through either declassification of information or supplemental briefing regarding the application of Section 8 of CIPA (authorizing the admission of classified evidence without change in classification status). The proposed trial date also takes into consideration matters discussed in the Government’s ex parte letter submitted on August 4, 2021. Accordingly, in order to afford sufficient time both for the likely upcoming CIPA litigation and for the parties to prepare for trial with the benefit of any supplemental CIPA rulings, the Government believes that the earliest practical trial date for this matter would be March 21, 2022.

Part of this delay was to revisit the Classified Information Procedures Act decisions from the first trial because, now that he’s defending himself, Schulte likely wanted to use more classified information than Sabrina Shroff had used in the first trial. It turns out March 21 was overly optimistic for CIPA to be done. Because of an extended debate over how to alter the protective order, the government will only file its CIPA motion tomorrow (it just asked to submit a much longer filing than originally permitted, and got permission to file a somewhat longer one).

It’s the other part of the government’s interest in delay — its references to “matters discussed” in a sealed letter from August 4 — that I’ve been tracking with interest, particularly as the Assange extradition proceeded. As I noted earlier, that August 4 letter would have been sent five years to the day after Schulte started searching on WikiLeaks, Edward Snowden, and Shadow Brokers (according to the government theory of the case, Schulte stole and leaked the CIA’s hacking tools earlier, in late April and early May 2016).

Since those mentions of a sealed letter last year, the government has asked for and gotten two meetings to discuss classified information with Judge Fruman under section 2 of CIPA, first for February 8 (after which a sealed document was lodged in Chambers), and the second one for March 9.

Section 2 provides that “[a]t any time after the filing of the indictment or information, any party may move for a pretrial conference to consider matters relating to classified information that may arise in connection with the prosecution.” Following such a motion, the district court “shall promptly hold a pretrial conference to establish the timing of requests for discovery, the provision of notice required by Section 5 of this Act, and the initiation of the procedure established by Section 6 (to determine the use, relevance, or admissibility of classified information) of this Act.”

That second CIPA Section 2 meeting, on March 9, would have taken place days after the five year anniversary for the first Vault 7 publication, and with it the publication of the names or pseudonyms and a picture of several colleagues Schulte had vendettas against.

Schulte acknowledged that publication in a recently-released self-justification he wrote to an associate after the Vault 7 release (it’s unclear when in 2017 or 2018 he wrote it), one he’s making a renewed attempt to suppress.

The names that were allegedly un-redacted were pseudonyms — fake names used internally in case a leak happened. Those of us who were overt never used last names anyway; This was an unwritten rule at the agency — NEVER use/write true last names for anyone. So I was convinced that there was little personal information revealed besides a picture of an old boss of mine that was mistakenly released with the memes.

Not long after he acknowledged the rule against using people’s names in that self-justification, Schulte used the names of the three colleagues he was most angry at: His boss Karen, his colleague “Jeremy Weber,” and another colleague, Amol, names that were also central to his efforts to leak from jail. If the FBI could ever develop evidence that Weber’s name was deliberately left in WikiLeaks’ Vault 7 publication, both Schulte and anyone else involved would be exposed to legal liability for violating the Intelligence Identities Protection Act, among other crimes.

On Monday, one week short of the day DOJ thought might be a realistic start day for the retrial, the British Supreme Court refused Assange’s bid to appeal a High Court decision accepting (flimsy) US assurances that Assange would not be held under Special Administrative Measures, finding that the appeal “does not raise an arguable point of law.”

Given the timing of the sealed filings in the Schulte case and the way the 2020 superseding indictment accuses Assange of “exhort[ing a Chaos Computer Club] audience to join the CIA in order to steal and provide information to WikiLeaks,” effectively teeing up Schulte’s alleged theft, I would be unsurprised if one of the things DOJ was delaying for weren’t this moment, some resolution to the Assange extradition.

To be sure: the Assange extradition is not over, not by a long shot. As a letter from his attorneys explains, this decision will go back to Vanessa Baraitser, who will then refer the extradition to Home Secretary Priti Patel. Assange will have four weeks to try to persuade Patel not to extradite him.

And, as the same letter notes in classically British use of the passive voice, Assange could still appeal Baraitser’s original ruling.

It will be recollected that Mr Assange succeeded in Westminster Magistrates’ Court on the issue subsequently appealed by the US to the High Court. No appeal to the High Court has yet been filed by him in respect of the other important issues he raised previously in Westminster Magistrates’ Court. That separate process of appeal has, of course, has yet to be initiated.

But an appeal on these issues would be decidedly more difficult now than they would have been two years ago.

That’s true, in part, because the Biden Administration’s continuation of Assange’s prosecution has debunked all the bullshit claims Assange made about being politically targeted by Donald Trump.

I also expect at least one of the purportedly exculpatory stories WikiLeaks has been spamming in recent months to be exposed as a complete set-up by WikiLeaks — basically an enormous hoax on WikiLeaks’ boosters and far too many journalist organizations. WikiLeaks has become little more than a propaganda shop, and I expect that to become clearer in the months ahead.

Finally, if the US supersedes[d] the existing indictment against Assange or obtains[ed] a second one in the last seven months, it will badly undermine any remaining claim Assange has to doing journalism. That’s true for a slew of reasons.

As I laid out here, the part of the Baraitser ruling that distinguished Assange’s actions from journalism based on his solicitation of hacks relied heavily on the language that directly teed up the hack-and-leak Schulte is accused of.

Mr. Assange, it is alleged, had been engaged in recruiting others to obtain information for him for some time. For example, in August 2009 he spoke to an audience of hackers at a “Hacking at Random” conference and told them that unless they were a serving member of the US military they would have no legal liability for stealing classified information and giving it to Wikileaks. At the same conference he told the audience that there was a small vulnerability within the US Congress document distribution system stating, “this is what any one of you would find if you were actually looking”. In October 2009 also to an audience of hackers at the “Hack in the Box Security Conference” he told the audience, “I was a famous teenage hacker in Australia, and I’ve been reading generals’ emails since I was 17” and referred to the Wikileaks list of “flags” that it wanted captured. After Ms. Manning made her disclosures to him he continued to encourage people to take information. For example, in December 2013 he attended a Chaos computer club conference and told the audience to join the CIA in order to steal information stating “I’m not saying don’t join the CIA; no, go and join the CIA. Go in there, go into the ballpark and get the ball and bring it out”. [emphasis Baraitser’s]

If the government proves what is publicly alleged, Schulte’s actions have nothing to do with whistleblowing and everything to do with vindictive hacking to damage the CIA, precisely what Assange was eliciting. Plus, even if such a hypothetical superseding indictment added just Vault 7/Vault 8 charges against Assange, it could put extortion and IIPA on the table (the latter of which would be a direct analogue to the UK’s Official Secrets Act), to say nothing of the still unexplained fate of the CIA source code which — as Schulte himself acknowledged — would have provided an unbelievable benefit had Russia had received it.

And that assumes that Vault 7/Vault 8 would be the only thing the US wanted to supersede with. When Jeremy Hammond asked prosecutors why they hadn’t charged Assange for helping Russia tamper in US elections, they appeared to respond by describing the long time it would take to extradite Assange, implying that they still had time to charge Assange. To be sure, Mueller concluded that he “did not have admissible evidence that was probably sufficient to obtain and sustain a Section 1030 conspiracy conviction of WikiLeaks [or] Assange.” But the implication was that Mueller had evidence, just not stuff that could be submitted at trial. The extradition of Vladislav Klyushin — whose lawyer believed the US was particularly interested in his knowledge of the 2016 operation — might change that. (Like Assange, Klyushin’s extradition was also pending when DOJ submitted that first sealed filing; Klyushin’s case has been continued to share more discovery.)

There are several other operations WikiLeaks was involved in in 2015 and afterwards that would undermine any claim of being a journalistic outlet — and would add to the evidence that Assange had, at least by those years, been working closely to advance the interests of the Russian government.

It would be very hard to argue that Assange was being prosecuted for doing journalism if the US unveiled more credible allegations about the multiple ways Assange did Russia’s bidding in 2016 and 2017, even in normal times. All the more so as Russia is continuing its attack on democracy with its invasion of Ukraine.

And that’s what Assange faces as he attempts to stay out of the US.

Vladislav Klyushin Traveled Freely in Europe, Until He Didn’t Travel in Europe Freely

/45 Comments/in , /by

Bloomberg has a fascinating update on the case of Vladislav Klyushin, the guy who ran a pen-testing company for Vladimir Putin extradited to Boston on charges of insider trading last month. It states that Klyushin has (present tense) access to documents on the 2016 Russian hack and suggests he might be leveraged to share this information to get out of the lengthy insider trading sentence he faces.

According to people in Moscow who are close to the Kremlin and security services, Russian intelligence has concluded that Klyushin, 41, has access to documents relating to a Russian campaign to hack Democratic Party servers during the 2016 U.S. election. These documents, they say, establish the hacking was led by a team in Russia’s GRU military intelligence that U.S. cybersecurity companies have dubbed “Fancy Bear” or APT28. Such a cache would provide the U.S. for the first time with detailed documentary evidence of the alleged Russian efforts to influence the election, according to these people.

There’s a problem with this claim, though, at least as stated. The US already has documentary proof that GRU was behind the hack-and-leak. These documents would not be the first. And given the evidence cited in the indictment against Klyushin and Ivan Yermakov, the hacker cited in both this case and two GRU hack-and-leak cases, they collected more information from Yermakov over the last several years.

So such documents must go beyond mere confirmation of GRU’s role, if reports of Kremlin concerns are true.

Some insight about what the US might be after comes elsewhere in the story. It describes that on two earlier occasions, Western intelligence tried to recruit Klyushin.

U.S. and British intelligence tried twice to recruit Klyushin, according to Ciric, the attorney in Switzerland. U.S. intelligence attempted to engage him in summer 2019 in the south of France and British intelligence approached him in March 2020 in Edinburgh, Ciric said.

Klyushin memorialized that second meeting in a note he wrote a few weeks after the encounter and saved on his computer, according to Ciric. It took place at Edinburgh’s airport, as Klyushin was taking a flight back to Russia, according to the memo, which was submitted to the Swiss courts as part of his appeal against extradition. Klyushin wrote that the two British intelligence agents — one from MI5 and the other from MI6 — spoke to him for a few minutes in a room where he was led after a passport check.

The two Russian-speaking officers, a man and a woman, asked him if he would “cooperate” with U.K. secret services and took his phone number to set up a meeting on his next trip to London planned for May, according to the previously unreported document, which was reviewed by Bloomberg. Klyushin wrote that while he didn’t respond to the cooperation offer, he said he would be willing to see the agents again to discuss selling M-13 products to British intelligence.

It’s unclear whether Klyushin informed Russian intelligence about the U.S. and British recruitment efforts.

On top of the detail that US and British intelligence had targeted Klyushin for recruitment (and believed they had some reason to convince him to do so by summer 2019), this reveals that Klyushin has been traveling without arrest in recent years, both after the time in January 2020 that the indictment parallel constructs the investigation start date to, and well after the May 9, 2018 date when the US seems to have pinpointed Yermakov’s phone. It’s a point Klyushin himself made.

While in the Swiss prison, Klyushin told Bloomberg, through his lawyer, that he didn’t know why he was arrested in March and not before, saying that he had previously traveled freely to Europe. He blamed his detention on an “operation mounted by the U.S. in cooperation with Swiss authorities” to obtain “certain confidential information the American authorities consider” he has.

That is, it’s possible that the US waited to arrest him until they were done with their investigation, but these past interactions with western spooks suggest something else was behind the timing of his arrest. Similarly, the explanation offered by the Swiss lawyer — that the US only learned of Klyushin’s trip to Switzerland by an auspiciously timed hack of his phone — makes no sense, given the access to travel records the US would routinely have even without having someone targeted under Section 702, as Klyushin easily could have been.

The story leaves big questions about whether Klyushin wanted to be turned over or not. In addition to the open question about whether Klyushin told Russian authorities about the recruitment attempts, Bloomberg describes that Klyushin’s Swiss lawyer mailed his appeal of the extradition to the European Court of Human Rights rather than faxing it, with the result that the appeal arrived only after he had already been transferred to US custody.

But it’s hard to believe that Klyushin wanted to be extradited when he was arrested last March. That’s because his family returned to Russia at the end of their 10-day luxury vacation, which they wouldn’t have done if Klyushin had been planning to defect to the US (if one can start using the term again). So if Klyushin came to decide he wanted to be extradited over the nine months while he was held in Switzerland, he may have only come to that conclusion upon receiving more details about the charges against him, possibly including details that might expose him to the ire of the Kremlin.

It is true, however, that the Russian-speaking attorney Klyushin hired in Boston, Maksim Nemtsev, is not one of the ones (such as Igor Litvak) that Russian nationals retain when they’re refusing to cooperate; Nemtsev appears appropriate to the insider trading charges against Klyushin.

There may be a better explanation for the timing than an auspicious hack, though. As described, Klyushin’s trip to Switzerland was likely his first trip to a US extradition partner after Merrick Garland was sworn in as Attorney General on March 11, 2021, eight days before FBI obtained the arrest warrant for Klyushin.

And while the US has documentary evidence that GRU did the hack, what they hadn’t yet obtained when DOJ obtained the indictment against Yermakov and other GRU officers in 2018 was something far more important: what Russia did with two sets of data — the campaign strategy and polling information turned over from Paul Manafort and the analytics stolen from Hillary through the entire month of September. There’s certainly reason to believe DOJ knows more now than they did in 2018. Last April (so shortly after the arrest warrant for Kluyshin), Treasury stated as fact that the information Konstantin Kilimnik obtained from Manafort did get shared with Russian intelligence, even while asserting that Kilimnik was himself a spook. But how that information was shared and what happened with it has not been made public.

And those are the kinds of questions you might not raise aggressively until after Trump was gone.

Behind the Arrest of Putin’s Pen-Tester, Vladislav Klyushin

/21 Comments/in , , , /by

There’s a gratuitous passage in the March 20, 2021 complaint charging Vladislav Klyushin, Ivan Yermakov, Igor Sladkov, Mikhail Irzak, and Nikolay Rumyantev with conspiracy to violate the Computer Fraud and Abuse Act. It describes that Klyushin — the guy just extradited to the US on the charges — possessing a picture of Alexander Borodaev and Sergey Uryadov posing in front of Scotland Yard in London.

Thus far, it’s unclear who the guys in the picture are, other than customers of M-13’s “investment services,” for which they paid extortionate 60% commissions to benefit from the insider trading scheme allegedly run by Klyushin and Yermakov. But, in addition to alerting Klyushin to how many of his personal files the FBI has obtained, folks back in Russia will have a taste of the kind of information at risk now that Klyushin is in US custody.

That is, this passage, and a host of others in the charging documents, appear designed to maximize the discomfort of a number of people involved, as much as justifying the arrest and extradition of the guy who led a company that provided services that amount to information operations to Vladimir Putin. As the DOJ presser explained,

M-13’s website indicated that the company’s “IT solutions” were used by “the Administration of the President of the Russian Federation, the Government of the Russian Federation, federal ministries and departments, regional state executive bodies, commercial companies and public organizations.” In addition to these services, Klyushin, Ermakov and Rumiantcev also allegedly offered investment management services through M-13 to investors in exchange for up to 60 percent of the profit

The insider trader scheme works like this: Klyushin (the guy in US custody) and Yermakov (a key person involved in the 2016 DNC hack, described in DOJ’s press release as a “former” GRU officer), along with one other guy from M-13, area accused of hacking at least two US filing agents to obtain earnings reports before they were officially released. They conducted trades for a handful of clients — along with Borodaev and Uryadov, Boris Varshavskiy is mentioned. Klyushin also conducted trades for himself. The three M-13 figures were indicted on conspiracy, hacking, wire fraud, and securities fraud charges on April 6, 2021, an indictment that formalized the extradition request for Klyushin, who had already been arrested in Switzerland.

Then there are two apparent private citizens who live in St. Petersburg, Michail Irzak and Igor Sladkov. They were indicted on May 6, 2021 on conspiracy to hack and hacking charges, along with securities fraud. That indictment (like the complaint) focuses on some different trades than the Klyushin one (and because neither is likely to be extradited anytime soon, the second indictment may shield some portion of evidence from discovery).

Actions attributed elsewhere to Yermakov are attributed to Co-Conspirator 1 in that indictment, and it is on that basis that Irzak and Sladkov are exposed to the hacking charges. Irzak and Sladkov don’t appear to have been paying the extortionate 60% fees that the other M-13 clients were, which makes me wonder whether Yermakov was helping buddies get rich on the side. Worse still, Sladkov had some epically bad operational security; the indictment describes he had in his possession pictures showing:

  • A picture of a black Acer computer, with a blue Russian Olympic Committee sticker over the camera, showing a press release with Snap’s 2017 earnings that was not released publicly until 8 hours later.
  • A picture showing the same Acer computer with the same blue sticker showing his own trading activity on BrokerCreditService on May 2, 2018
  • A picture taken on July 24, 2018 at 2:05PM (ET) showing himself and Irzak sitting at a brown table; Irzak had Facebook running at the time, which showed him to be in the vicinity of Sladkov’s house
  • A picture dated July 25, 2018 showing him trading in a bunch of shares the earnings reports of which had been illegally accessed the day before
  • A picture dated October 14, 2018 showing a hand-written note instructing to “short” three shares, which Irzak did short two days later

In other words, Sladkov documented much of his insider training in photographs (perhaps to share the instructions with Irzak), and left all those photographs somewhere accessible to the US government.

If Yermakov was sharing this information with these guys without permission, then Sladkov’s role in providing the US government really damning information that would form the basis for an arrest warrant for Klyushin, then things might get really hot.

But it’s not like Klyushin or Yermakov did much better. In addition to the pictures of the clients, above, and some screencaps that got sent showing trading activity (though with less obvious evidence of insider trading), there’s a bunch of messaging from both, including an oblique reference to messages Yermakov and Borodaev sent on November 19, 2020 that have nothing to do with the context of the indictment but happens to be after the US election. There are even pictures Klyushin shared with Yermakov, “showing a safe that contained growing stacks of U.S. one hundred dollar bills.”

Yermakov appears to have used one of his messaging accounts via multiple devices, because on December 3, 2018, when he “forgot telephone at work,” he was still able to message Klyushin about closing out a trade. Using the same messaging app across platforms would offer one means of compromise, especially if the FBI had gotten into Yermakov’s device updates. The indictment doesn’t mention a warrant for such messaging that you would expect if it took place on Facebook.

Again, this indictment seems to aim to cause discomfort and recriminations based on information in US possession.

But then there’s the question of how it came about, how it landed in Massachusetts rather than DC (where the lead FBI agent is from) or NY (where the trades get done) or Pittsburgh, where one of the prior indictments against Yermakov was done.

The indictments and complaint base the MA jurisdiction on the fact that the culprits used a VPN that used a server in MA on several occasions. At a presser the other day, Acting US Attorney Nathaniel Mendell suggested the case had been assigned to MA because of its good securities prosecution teams.

As to how it came about, purportedly, the story starts in January 2020, when two filing agents allegedly hacked by the men, FA1 and FA2, reported being hacked at virtually the same time. Someone had used an FA1 employee’s credentials on January 21, 2020 to access the earnings data for IBM, Steel Dynamics, and Avnet before those results were publicly announced the following day, but no similar transaction noted with respect to F2 (indeed, a list of accesses involving F2 have a gap from November 2019 through May 2020). The investigation determined that FA1 had first been hacked by November 2018 and that FA2 had first been hacked by October 2017.

FA1 and FA2 discovered this compromise just months after the third M-13 employee, Rumyantev, was blocked by his Russian-based brokerage account for suspicious transactions. Months after FA1 and FA2 reported their compromise, Rumyantev and Klyushin lied to a Denmark bank that they were working entirely off of public information. By that point, in other words, banks in at least two countries were onto them.

Then, the story goes, the FBI investigated those hacks — through domains hosted by Vultr Holdings to a hosting company in Sweden to a user account under the name Andrea Neumann. From there, the FBI tracked back through some Bitcoin transactions made in October and November 2018 to the IP address for M-13 where they just happened to discover one of the very same hackers that was behind the 2016 hack of the DNC was also behind this hack. Mendell sounded pretty sheepish when he offered that explanation at the press conference.

Perhaps it’s true, but another key piece of evidence dates to actions Yermakov took on May 9, 2018, when he was under very close scrutiny as part of the twin investigations into his role in the hacks of the DNC and doping agencies, but before the first indictment against him was obtained.

Based on a review of records obtained from a U.S.-based technology company (the “Tech Company”), I have learned that on or about May 9, 2018, at 3:44 a.m. (ET), an account linked to ERMAKOV received an update for three native applications associated to the Tech Company. Records show that the May 9, 2018 application updates were associated to IP address 119.204.194.11 (the “119 IP Address”).

Based on my review of a log file from FA 2, I learned that on or about that same day, May 9, 2018, starting at 3:46 a.m. (ET)–approximately two minutes after ERMAKOV received application updates from the Tech Company–the FA 2 employee’s compromised login credentials were used to gain unauthorized access to FA 2’s system from the same 119 IP Address, and to view and/or download earnings-related files of four companies: Cytomx Therapeutics, Horizon Therapeutics, Puma Biotechnology, and Synaptics.7 All four companies reported their quarterly earnings later that day.

It would be rather surprising if the FBI agents investigating the DNC hack had not at least attempted to ID the IP associated with Yermakov’s phone (or other device) back in 2018. Whether or not they watched him engage in insider trading for years after that — all the while collecting evidence from co-conspirators flaunting the proof of their insider trading — we may never learn. The discovery on this case, featuring evidence explaining how the FBI tracked the insider trading of Putin’s pen-tester, will certainly feature a number of law enforcement sensitive techniques that Klyushin would love to bring back to Putin.

But it’s possible these techniques were what the FBI used to target these guys four years ago now, and the insider trading that Yermakov was doing in addition to whatever he spent the rest of his time doing has now provided a convenient way to bring Putin’s pen-tester to the United States for a spell.

Update: Included the pictures of the safe included with his detention memo, as well as earnings reports from Sladkov’s computer. Note the detention memo says the latter came from an ISP.