Alfa-Trump Redux: Full Spectrum Circumstance

The Trump Tower – Alfa Bank story is back!

Back in October 2016, Franklin Foer wrote about some metadata analysis showing that a marketing server paid for by Trump Organization was messaging with a server at Russia’s Alfa Bank. The story, as Foer presented it, was quickly challenged. I myself focused on a side angle to the story: that in addition to communications with Alfa Bank, the Trump marketing server was also communicating with Grand Rapids’ Spectrum Health, which (the original public pitch of the story suggested) might show a tie between the DeVos family — or maybe Erik Prince — and Trump. From the vantage of October 2016, that didn’t make sense, as the DeVoses (as distinct from Betsy’s brother Erik) were actually remarkably hesitant to support Trump until after the DNS lookups ended.

Dexter Filkins has now reexamined the story. It concludes — via a proliferating set of academics and cybersecurity experts departing from the norm in both those fields and insisting on hiding their identities — that there must be some kind of communication going on.

(Max and his colleagues did not see any D.N.S. evidence that the Trump Organization was attempting to access the server; they speculated that the organization was using a virtual private network, or V.P.N., a common security measure that obscures users’ digital footprints.)

If this was a communications mechanism, it appeared to have been relatively simple, suggesting that it had been set up spontaneously and refined over time. Because the Trump Organization did not have administrative control of the server, Paul and Leto theorized that any such system would have incorporated software that one of the parties was already using. “The likely scenario is not that the people using the server were incredibly sophisticated networking geniuses doing something obscure and special,” Max said. “The likely scenario is that they adapted a server and vender already available to them, which they felt was away from prying eyes.” Leto told me that he envisioned “something like a bulletin-board system.” Or it could have been an instant-messaging system that was part of software already in use on the server.

Kramer, of Listrak, insisted that his company’s servers were used exclusively for mass marketing. “We only do one thing here,” he told me. But Listrak’s services can be integrated with numerous Cendyn software packages, some of which allow instant messaging. One possibility is Metron, used to manage events at hotels. In fact, the Trump Organization’s October, 2016, statement, blaming the unusual traffic on a “banking customer” of Cendyn, suggested that the communications had gone through Metron, which supports both messaging and e-mail.

The parties might also have been using Webmail—e-mail that leaves few digital traces, other than D.N.S. lookups. Or, Paul and Leto said, they could have been communicating through software used to compose marketing e-mails. They might have used a method called foldering, in which messages are written but not sent; instead, they are saved in a drafts folder, where an accomplice who also has access to the account can read them. “This is a very common way for people to communicate with each other who don’t want to be detected,” Leto told me.

I hope to return to some of the moves Filkins makes in his story generally after I come home from this trip. But for now, I just want to look at how Filkins deals with the Spectrum Health tie, which Filkins focuses on even more than Foer. Here’s how he introduces the connection:

Only one other entity seemed to be reaching out to the Trump Organization’s domain with any frequency: Spectrum Health, of Grand Rapids, Michigan. Spectrum Health is closely linked to the DeVos family; Richard DeVos, Jr., is the chairman of the board, and one of its hospitals is named after his mother. His wife, Betsy DeVos, was appointed Secretary of Education by Donald Trump. Her brother, Erik Prince, is a Trump associate who has attracted the scrutiny of Robert Mueller, the special counsel investigating Trump’s ties to Russia. Mueller has been looking into Prince’s meeting, following the election, with a Russian official in the Seychelles, at which he reportedly discussed setting up a back channel between Trump and the Russian President, Vladimir Putin. (Prince maintains that the meeting was “incidental.”) In the summer of 2016, Max and the others weren’t aware of any of this. “We didn’t know who DeVos was,” Max said.

This is a remarkable paragraph, repeating a lot of the shitty link analysis that people always do when they try to explain the Spectrum tie. In it, a children’s hospital named after Dick DeVos’ mother is the smoking gun in an international spy plot. Then, having utterly ignored the status of the relationship between the DeVoses and Trump at the time of the DNS lookups, Filkins looks at what has happened since: the appointment of close Mike Pence ally and leading GOP education ideologue Betsy to be Education Secretary, and Erik Prince’s covert meeting with an entirely different — and far more suspect — bank, using means that are precisely the kinds of means you’d expect Erik Prince to use (and not using the network of a hospital that his brother-in-law chairs but doesn’t run, because why the fuck would a Navy Seal use more covert methods that Navy Seals know well instead of using a server with an easily subpoenaed footprint in the US??).

The paragraph misses some other details of note. For example, after Dick got on a commercial puddle jumper to fly to interview with Trump, he was appointed to the FAA Advisory Board, another position for which he is an obvious and arguably well-qualified pick. It also doesn’t note that Prince — who is a separate political entity from his sister and brother-in-law — was threatening anti-Trump Republicans both before and after the election, something that might support this theory except for all the other more obvious ways Prince accomplished such efforts.

Which is to say that, while the piece acknowledges that to conclude the Trump – Alfa Bank records are suspect, you also have to explain why the Spectrum ones would be, it does no reporting to discern why that would be the case.

Later in the piece, after trying to explain DNC lookups involving a third entity that had previously only been alluded to (and only alluded to because without explanation, it would have and did problematize past claims), Filkins strains further to suggest the ties between Spectrum and Trump have been proven by events that have taken place since.

In one tranche of data that he gave them, they noticed that a third entity, in addition to Alfa Bank and Spectrum Health, had been looking up the Trump domain: Heartland Payment Systems, a payments processor based in Princeton. Of the thirty-five hundred D.N.S. queries seen for the Trump domain, Heartland made only seventy-six—but no other visible entity made more than two. Heartland had a link to Alfa Bank, but a tenuous one. It had recently been acquired by Global Payments, which, in 2009, had paid seventy-five million dollars for United Card Services, Russia’s leading credit-card-processing company; two years later, United Card Services bought Alfa Bank’s credit-card-processing unit. (A spokesperson for Global Payments said that her company had never had any relationship with the Trump Organization or with Alfa Bank, and that its U.S. and Russia operations functioned entirely independently.)

Spectrum Health has a similarly indirect business tie to Alfa Bank. Richard DeVos’ father co-founded Amway, and his brother, Doug, has served as the company’s president since 2002. In 2014, Amway joined with Alfa Bank to create an “Alfa-Amway” loyalty-card program in Russia. But such connections are circumstantial at best; the DeVos family seems far more clearly linked to Trump than to Russia.

It’s this sentence — “the DeVos family seems far more clearly linked to Trump than to Russia” — that exemplifies this story, and its epistemology, for me. It treats the DeVos family — Dick, his wife Betsy Prince DeVos, his brother Doug, his charitable mother Helen, and his brother-in-law Erik Prince, to say nothing of the hospital administrators that actually run Spectrum — as a monolith they’re simply not, reads their current varied relationships with Trump back into a history where only Erik’s relationship resembled his current one, and then concludes that a link with Dick through Helen-Betsy-Erik is all you need to explain why these presumed conspirators would use a hospital rather than any of the many entities the DeVoses privately hold (and therefore more directly manage) or the Prince entities that already have built-in covert channels with a proven past ability to reach out to oligarchs discretely.

I mean, I absolutely think there’s a place for more journalism on what Erik was doing during the election, his role as a cut-out to Trump, and how he has helped to discipline the Republican party since. Or, if you want to pursue some theory of nefarious plot explaining how the originally reluctant DeVoses came to become close Trump associates, you’d explore far more about Mike Pence’s obvious role in it all (to say nothing of Pence’s frequent meetings with the DeVoses since), something Jean Camp is well situated to do from Indiana.

But one thing any such journalism would show is that Prince has the ability to conduct convert communications via much more effective channels, and Betsy and Dick DeVos have the network to achieve their political goals via means that don’t require hijacking a hospital server they don’t directly control.

Meanwhile, the story doesn’t explore the tangential role of Alfa Bank, via Alex van der Zwaan, in the Skadden Arps part of the Paul Manafort story, and doesn’t explain that any focus on Alfa Bank prior to Trump’s inauguration might have distracted from the sanctioned Russian banks that, at least as far as is currently known, are the actual key players in the Trump Russia story. It also doesn’t explain that key events in any conspiracy between Trump and Russia were communicated via insecure Trump Organization hosted email, often (in Manafort’s case, for long after he had been indicted) backed up to the iCloud.

This Trump Tower – Alfa Bank story continues to spin journalists, not to mention academics and infosec experts, into uncharacteristic habits that don’t appear to be leading to any real clarity about the topic at hand.

40 replies
  1. Domye West says:

    This is so confusing, when I read his story I said “Prince has way better ways than that”, and the DeVos link seems super flimsy. So confusing.

  2. Buford says:

    hmmm…sorry…but I think that Prince, the Navy Seal, is using his government training to harm the USofA…there are not enough investigators working to get to all of the corruption…oy vey…

    • earlofhuntingdon says:

      That seems correct.  I think is EW asking how.  It’s unlikely he used the methods described in the Filkins article.  To what ends should also be questions journalists investigate.

  3. George Proust says:

    We’ll see.  But even people that should know better have done stupid things that revealed themselves.

    Like the mob link through the Kansas grocery store that brought the mob down.

    Or Trump’s uncle keeping every damn record over 50 years in his basement.

    Or Mike Flynn (former head of Def Intel??) having his comms spied on.

  4. Tracy says:

    I’m increasingly worried that we are not going to get to the truth at the end of all of this. I know that Marcy’s talking about journos, academics and infosec experts here – and not Mueller’s team – but how will we get to the bottom of the Alfa Bank issue, and there are other alarm bells, too:

    1 – This Politico piece reports that Manafort is still in the JDA w/ the pres and ~32 other people; that at least Rudy says that they were in contact in the days before and after Manafort pled guilty:
    “Legal experts say they’re perplexed by Giuliani’s public insistence that JDAs still exist for people known to be talking with federal prosecutors — a practice they say verges on unethical. Such arrangements are also almost guaranteed to raise the ire of Mueller, as prosecutors typically only strike cooperation deals with defendants on the condition that they withdraw from any joint defense setup.
    “’The only way they can still be in JDA is if they have told prosecutors [the defendant] has nothing on Trump and they believe him,’ a second defense lawyer working on the Russia investigation said of the Manafort situation.
    “But Giuliani’s comments also could be seen as a warning that the president’s lawyers are primed to challenge Mueller’s authority to use some of the evidence collected from Manafort — or other cooperating witnesses — through JDAs, as the bulk of information shared in this manner is supposed to be covered by attorney-client privileges.
    “That means Trump’s lawyers could try and block Mueller from using evidence in court if they believe the details were gleaned from attorneys operating under the terms of a JDA.”
    2 – Why didn’t Trump have an absolute meltdown when Manafort pled guilty? He was utterly silent, apart from one tweet. Ghouliani has said he was not worried about Manafort’s plea:

    I have wondered all along if Manafort has lied about DJT’s role, if 1) any evidence of DJT’s knowing about TT depends on a one-on-one meeting w/ Manafort, or 2) a meeting in which all of the other witnesses are also in the JDA and have been able to sew up a lie in defense.

    3 – Why are DJT and Rosenstein taking an AF1 trip together, after which Trump is beaming and saying that Rosenstein’s job is not in peril, and he thinks “we will be treated fairly”…?

    What do people make of all of this?

    Admittedly, in the wake of the sickening Kavanaugh stitch-up I am more skeptical than ever that justice can be done to hold the people in highest power in our land to account for their crimes.

    • mister bunny says:

      IANAL, but my understanding is that atty-client privilege doesn’t apply when it’s being used to cover up a crime. This JDA looks to me like a conspiracy of criminals to obstruct justice, which is a crime, which would invalidate the privilege.

      Yes/No, lawyer types?

    • JD12 says:

      The optics of the Trump-Rosenstein flight were not good, the Clinton-Lynch tarmac meeting did pop in my head. It’s a little different because Trump is his boss, but if I were Rosenstein I might’ve asked to meet in another setting.

      I think you just have to keep the faith and see how it turns out. As long as Trump’s in office he can’t really be brought to justice anyway. But the NY authorites looking at him as well, and they know a lot of what he’s done over the years. Chances are there will be justice of some sort, even if it’s delayed and inadequate.

      • Tracy says:

        I like these points you’ve all laid out that – the JDA does seem a massive obstruction operation in itself, keeping the faith is important (we don’t know all that Mueller knows, and even if Manafort if pulling the wool over people’s eyes, nothing that we can do about it, anyway – and there are multiple paths by which DJT may finally get caught for something), and RG is a spinner and liar.

  5. Saul Tannenbaum says:

    DeVoses … were actually remarkably hesitant to support Trump until after the DNS lookups ended.

    I just love that this is a sentence in our 2018 political sphere.

  6. viget says:

    Also, what is to be made of the NYT report that our good buddy Rick Gates was talking with Israeli PsyOps folks about online manipulation strategies, at least during the primary season? Apparently, the PsyGroup folks were interviewed by Mueller, and are not “targets” of the investigation, but still an interesting connection.

  7. orionATL says:

    the boys of the press, as ever, writing up their short fiction for their readers’ pleasure.

    so just for emphasis:

    “… the sanctioned Russian banks that … are the actual key players in the Trump Russia story. It also doesn’t explain that key events in any conspiracy between Trump and Russia were communicated via insecure Trump Organization hosted email, often (in Manafort’s case, for long after he had been indicted) backed up to the iCloud…”

    you read it at the emptywheel website.

  8. Allison Holland says:

    i admit to being confused about the spectrum server connection. i believe in decoys but i dont believe that the government puts a psyche controlling substance in the vapor trails of jet engines… so i am hoping that i might be ahead of the game as far as belief in conspiracies go. i do think, having known navy seals, that they like games and obfuscation. they need always to have a private joke known only to the team. i am always disappointed in the medias desire to present two sides of any and every coin. sometimes there is only one side. conspiracy has no equivalence unless one one notes that the republicans conspired with russia and laundered campaign funds and bribes and stolen money through alpha bank while the democrats remained patriotic. and i am often upset that they all too often seem to miss the point of a real crisis while focusing on the shallow point of view. i know that they are all human. but there are so many times when i wish a robot would just report the facts.

  9. CaliLawyer says:

    This data point always seemed like an outlier, but it’s also exactly the kind of communications the NSA hoovers up, so I’m sure Mueller’s been in the loop on the contents for a while. Smith was definitely whacked. I think the Isreali angle in all of this has gotten way too little attention. The Trump agenda benefits both Putin and Netanyahu. With all of the cut-outs and plausible deniability scheming, this is going to take quite a while to unravel.

  10. pseudonymous in nc says:

    In fairness wrt sourcing, part of the anonymity/pseudonymity here surrounds the question of who has access to real-time global DNS lookup data and how it’s collected, which is pretty murky stuff even if it’s being done (ostensibly) for defensive purposes, e.g. to identify domains being used for botnet command and control.

    But DNS traffic alone is such a weak data source from which to build a forensic hypothesis. It’s like scrying from clouds. The deletion of the A record and its replacement with another is a curiosity, especially without a PTR record to remap the IP to the new domain, but I don’t know how many curiosities would bubble up from access to global lookup data combined with focus on one or two things.

  11. Charlie says:

    Dear Marcy
    Welcome to this side of “the pond” though sorry about the reason for your having to be here.
    It would be great if we had somebody like you to investigate the shenanigans going on with Brexit, Bannon and “stuff”.
    May the weather be with you!
    Wishing you all the very best.


  12. JD12 says:

    I know the Devoses were late to come around publicly, but Trump had already been the nominee. It could’ve been a relationship of convenience at that point in time.

    The database replication theory was pretty persuasive I thought. Is it possible that the Alfa connection made it look nefarious when it really was incidental? Could the Devoses simply have been sharing lists of donors and other Republicans for the Trump campaign to blast emails to and/or vice versa?

  13. JD12 says:


    I mean, I absolutely think there’s a place for more journalism on what Erik was doing during the election

    Remember that ridiculous interview he did with Breitbart just before the election?

    “They found State Department emails. They found a lot of other really damning criminal information, including money laundering, including the fact that Hillary went to this sex island with convicted pedophile Jeffrey Epstein. Bill Clinton went there more than 20 times. Hillary Clinton went there at least six times,” he said.

    Weiner and Huma Abedin, his wife – the closest adviser of Hillary Clinton for 20 years – have both flipped. They are cooperating with the government. They both have – they see potential jail time of many years for their crimes, for Huma Abedin sending and receiving and even storing hundreds of thousands of messages from the State Department server and from Hillary Clinton’s own homebrew server, which contained classified information. Weiner faces all kinds of exposure for the inappropriate sexting that was going on and for other information that they found.”

  14. maybe ryan says:

    >how he has helped to discipline the Republican party since

    Can anyone provide more information this?

  15. Pete says:

    Thinking of you and your family. I believe you have mentioned your hubby is Irish so I assume it is his family – perhaps a parent. It doesn’t matter all family all the best.

  16. maybe ryan says:

    Slightly off-topic, though some people theorize it’s directly relevant – I have a question about campaign use of Facebook data. I had believed that FB provided enough data for micro-targeting – using demographics and interests to tightly hone in on a person’s sense of identity and craft tailored messages.

    I was not aware that FB provided personally identifying information to advertisers. I had thought that was part of the Cambridge Analytica scandal – that PII data provided supposedly for academic purposes was hijacked for the Trump campaign.

    Today, I received a complaint from someone who had applied for an absentee ballot. A campaign then placed a FB ad saying “getting your ballot is the biggest hurdle. Now all you have to do is mail it back.” This seems to imply they’re able to connect his application (public information in my state) to his individual FB profile.

    Is that in-bounds? Can campaigns get this data, but only for those who’ve friended the campaign? Or a related organization? Or can they get it for anyone? Or are they mining publically available profile data in order to come up with likely matches?

  17. Eureka says:

    From an Irish/Celtic blessing/song, for you and yours:

    May the long time sun shine upon you
    All love surround you
    And the pure light within you
    Guide your way on

  18. Harold Bridges says:

    The Alfa-Trump connection story has sounded bogus to me from day one.  Trying to understand any relationship between Alfa and Trump from DNS records is like reading Rohrshach test, i.e. just hallucination.  I heard Dexter Filkins on Rachel Maddow’s show imply that 2500 such DNS lookups from Alfa about the Trump server over the summer of 2016 is suspicious.  Really, what’s your baseline expectation for random DNS lookups?  How many times does one corporation generate DNS lookups in the thousands without any significant relationship between the two?

    Junk reporting.

  19. Yette says:

    Why do I sense that Eric Prince and Mike Flynn are going to do zero jailtime? I’m guessing they see themselves as patriots; I view them both as traitors to our country, conspiring with Russians to achieve government control and power. I will never feel right about a Mueller probe that does not include significant jailtime for both of these individuals, one of whom has laready plead guilty of multiple crimes.

    • bmaz says:

      No, Flynn pled guilty to a single count of §1001 false statements, a crime that, if you have no prior convictions, has a presumed sentence of 0-6 months. That would be prison time, not jail. Given that Flynn accepted responsibility and gave substantial cooperation, it is not only quite likely, but correct that he receive a probation sentence with no incarceration. Emotions do not criminal law make.

  20. Andy says:

    The only thing we know for sure is that Trump is a scatter brain. I think it did not matter who walked into his office with a suggestion or plan during the campaign, Trump would go with any idea that caught his short attention span at the moment. He is no evil “genius” and was surrounded by the gang that could not shoot straight.  I think a lot of these avenues are poorly thought out attempts to collude and conspire with everybody and anybody who would help him in anyway possible, legal or otherwise. Most probably failed because they were stupid or badly executed. We are misled when we try to look for a clever or well thought out master plan. He is an idiot.

  21. dpa says:

    This is something that I’ve followed since it first appeared, as it is in my lane professionally. It’s all seemed a little fishy, and I was especially puzzled at how it disappeared from the news almost over night. Don’t know the reputation of these folks but I bookmarked the link a couple of years ago:

    Is that the right way to do links? Anyway, their appraisal seems credible to me.


    • kisch says:

      Hi dpa,

      I’ve also been following all those reports about the suspicious DNS queries; I know the technical background quite well.

      About the “database replication” story that you mention I’m afraid I’ve got to disappoint you. That’s pure speculation; the available data doesn’t provide the tiniest hint in that direction. The author doesn’t understand that DNS queries are only very loosely related to actual network communication. He’s not the first to notice the hourly temporal pattern of the queries, but every knowledgable expert would point out that this is the expected result of the 1-hour validity time span of the DNS replies.

      In fact I’ve come to use the “Trump server DNS logs” as a touchstone of the reliability of analysts. Everyone who touts those logs as the final damning proof of Trump’s malfeasance lets his zeal conquer his objectivity. I’m glad to see how emptywheel cooly cuts through the hype.

      Any proper analysis of the DNS logs would first have to explain why the logs are evidently not authentic. The format of the lines has multiple subtle errors. So the data is at least manipulated, and it cannot be excluded that it’s wholesale fabricated. Link: (section “What is wrong with the DNS logs?”) That blogger proves his conclusions with facts, diving into DNS server source code, which I’ve cross-checked and found correct.

      – kisch

  22. Jonathan says:

    Is the relevant DNS data publicly available anywhere? I have some questions about timing of the correspondence

Comments are closed.