Accused Vault 7 Leaker Joshua Schulte Planned to Have WikiLeaks Publish Disinformation to Help His Defense

When WikiLeaks announced its publication of the CIA’s hacking tools in March 2017, the first tool it highlighted was an effort called Umbrage, which it claimed the CIA used to “misdirect attribution.”


The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch‘s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Experts noted at the time that Umbrage served mostly to save time by reusing existing code. Nevertheless, the representation that the CIA would sometimes use other nation’s tools was immediately integrated into conspiracy theories denying that Russia carried out the 2016 hacks on Democrats. Because the CIA sometimes obscured its own hacks, denialists have said since, the CIA must have been behind the 2016 hacks, part of a Deep State operation to frame Russia and in so doing, undermine Trump.

Documents released this week reveal that Joshua Schulte, who is accused of leaking those documents to WikiLeaks, believed he could get WikiLeaks to publish disinformation to help his case.

Several documents submitted this week provide much more clarity on Schulte’s case. On Monday, the government responded to a Schulte effort to have his communications restrictions (SAMs) removed; their brief not only admitted — for what I believe to be the first time in writing — that the CIA is the victim agency, but described an Information War Schulte attempted to conduct from jail using contraband phones and a slew of social media accounts.

Yesterday, in addition to requesting that Schulte’s child porn charges be severed from his Espionage ones, his defense team moved to suppress the warrants used to investigate his communication activities in jail based on a claim the FBI violated Schulte’s attorney-client privilege. During the initial search, agents reviewed notebooks marked attorney-client with sufficient attention to find non-privileged materials covered by the search warrant, and only then got a privilege team to go through the notebooks in more detail. The privilege team confirmed that 65% of the contents of the notebooks was privileged. In support of the suppression motion, Schulte’s lawyers released most of the warrants used to conduct those searches, including the downstream one used to access three ProtonMail accounts discovered by the government and another downstream one used to access his ten social media accounts (see below for a list of all of Schulte’s accounts). Effectively, they’re arguing that the FBI would have never found this unbelievably incriminating communications activity, which will make it fairly easy for the government to prove that Schulte is the Vault 7 leaker without relying on classified information, without accessing those notebooks marked privileged.

But along the way, the documents released this week show that the guy accused of leaking that Umbrage file that denialists have relied on to claim the 2016 hack was a false flag operation framing Russia himself planned false flag activities to proclaim his innocence.

The government’s SAMs response describes in cursory fashion and the affidavits for the warrants as a whole describe in more detail how Schulte planned to adopt two fake identities — a CIA officer and an FBI Agent — to proclaim his innocence. The idea behind the latter was to corroborate two claims Schulte posted on his JoshSchulte WordPress sites on October 1, 2018 — that the FBI had planted the child porn discovered on his computer.

i. “I now believe the government planted the CP after their search warrants turned up empty-not only to save their jobs and investigation, but also to target and decimate my reputation considering my involvement in significant information operations and covert action.”

As noted above, in the Fake FBI Document in the Schulte Cell Documents, a purported FBI “whistleblower” claimed that the FBI had placed child pornography on Schulte’s computer after its initial searches of the device were unsuccessful in recovering evidence. See supra~ 14(a)(iii).

ii. “So who’s responsible for Vault 7? The CIA’s own version of the FBI’s Peter Strzok and Lisa Page,”

As noted above, in the September Tweet in the Schulte Cell Documents, a purported former CIA colleague of Schulte (but who was in fact simply Schulte himself) claimed that two other CIA former colleagues, one of whom Schulte described as the “Peter Strzok of the CIA,” had conspired to blame Schulte for Vault 7, WikiLeaks’ disclosure of the CIA material.

As noted above, two of the documents found in Schulte’s cell mixed in with the attorney-client material show how Schulte planned to create false identities to spread the same stories. One was an article he planned to send to WikiLeaks, claiming to be from an FBI whistleblower describing how Schulte was framed.

iii. A document that appears to be an article for release by (“WikiLeaks”), in which a purported FBI “whistleblower” claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte’s computer to frame him (the “Fake FBI Document”).

The documents also include his plans to release a fake CIA tweet claiming he was framed for the Vault 7 leak.

iv. Drafts of a tweet (the “Fake CIA Tweet”) that appear to have been drafted around August 30, 2018,3 in which Schulte pretending to be a former CIA colleague claimed that two other former CIA colleagues, both of whom Schulte referred to by full name and one of whom he described as the “Peter Strzok of the CIA,” had “set up” Schulte and used him as a “scapegoat” for “Vault 7,” which is the name of WikiLeaks serial disclosures of CIA material that began on or about March 7, 2017 and which forms the basis of some of the current charges against Schulte. On the following page of the Schulte Cell Documents appears the text “Just to authenticate me fast” followed by other apparent draft tweets that discussed the CIA’s alleged activities and methods, some of which appear to be classified (the “Fake Authentication Tweets”).4 . . I believe that Schulte planned to potentially publish the Fake Authentication Tweet before the Fake CIA Tweet in an effort to purportedly verify the author’s employment with the CIA and knowledge of the information in the Fake CIA Tweet.

Finally, the FBI also found Schulte’s to do list of how he planned to share both the fake FBI document and his discovery with WikiLeaks.

What appears to be a “to-do” list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would “DL Disc. UL WL,” and.that on September 19, 20, and 21, he would “schedule tweets[.]” I believe that here, “DL Disc. UL WL” means that Schulte planned to download his discovery (”DL Disc.”) from the Schulte Laptop and upload that discovery to WikiLeaks (“UL WL”). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI “whistleblower” who provided Schulte’s discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte’s computer.

From a legal standpoint, Schulte’s lawyers have disclosed all these warrant materials in an urgent effort to suppress everything the government found after first accessing his notebooks from jail. The FBI investigation proceeded from those notebooks to the WordPress site showing him claiming something identical to disinformation he was packaging up to share with WikiLeaks. They also got from those notebooks to ProtonMail accounts where Schulte offered to share what may or may not be classified information with a journalist. The reason why the defense is pushing to suppress this — one of the only challenges they’re making in his prosecution thus far — is because the stuff Schulte did in prison is utterly damning and seems to confirm both his familiarity with WikiLeaks and his belief that he needed to create disinformation to claim to be innocent.

We’ll see whether this Fourth and Sixth Amendment challenge works.

But along the way, the defense has released information — the provenance of which they’re not disputing in the least — that shows that Schulte planned to use WikiLeaks to conduct a disinformation campaign. But it wouldn’t be the first time Schulte had gotten WikiLeaks to carry out his messaging. A year ago today — in the wake of Schulte being charged with the Vault 7 leak — WikiLeaks linked to the diaries that Schulte was writing and posting from his jail cell, possibly showing that Schulte continued to communicate with WikiLeaks — either via a family member or directly — even after he had been put in jail. Those diaries are among the things seized in the search.

In a follow-up, I think I can show that Schulte did succeed in using WikiLeaks as part a disinformation campaign.

Social media accounts Joshua Schulte accessed from jail

ProtonMail: annon1204, presumedguilty, freejasonbourne

Twitter: @freejasonbourne (created September 1, 2018 and used through October 2, 2018)

Buffer (used to schedule social media posts): (created September 3, 2018, used through September 7, 2018)

WordPress:,, (all created August 14, 2018)

Gmail: [email protected], [email protected] (created April 15, 2018), [email protected],

Outlook: [email protected]

Facebook: ‘who is JOHN GALT? (created April 17, 2018)

Update: The government also believed at the time that an account in the name Conj Khyas was used by Schulte to receive classified information at his annon1204 account. It was not listed in these warrants, but would amount to a 14th account.

23 replies
  1. P J Evans says:

    I can’t decide if he’s really smart or really stupid. Stupid, at least, for being so obvious about what he was trying, and thinking that he wouldn’t be found out.

  2. viget says:

    Why do these tactics sound SO familiar? Hmmm…….

    I want to know who his handler was. Probably that’s highly classified info re: CIA damage assessment.

    And please, John Galt? Jason Bourne? Can we say passive aggressive superiority complex? What is this guy’s life story?

    • P J Evans says:

      He sounds like someone who thinks he’s the hero in his own self-written story. A “Marty Stu” complex, I guess.

    • DMM says:

      Right? Even the presidents of college libertarian student associations find that lame.

      His little scheme here is so fantastical and cartoonish that it does make one wonder how he ever got into such a sensitive position at CIA. Surely he could keep that simple plan in his head, but he had to write it down — like a genius superspy! But of course he did so in code. Not like with actual encryption or anything, but with super-clever superspy code. ” ‘DL Disc. UL WL’ — these inferior minds will never crack that!” It’s Mitty-esque in its delusion.

      • RS says:

        He got into that position by being top of his class. He was working at Langley long before he graduated.
        You can make the argument that while Josh is brilliant , he’s not too bright.
        Yeah it looks damming but it also looks desperate and scared.

        • earlofhuntingdon says:

          Brilliant and stupid, not unheard of. Kris Kobach graduated summa cum laude from Harvard College, has a doctorate from Oxford and a law degree from Yale. Those are the sort of credentials one would find in a shortlist for the Supreme Court. That is, if it weren’t for his spotty career, perverse priorities, and lack of judgment.

          Those are so limited that as SecState for Kansas, he made the unusual decision to personally litigate a voter fraud case. The presiding judge found his courtroom skills incompetent and his ignorance of the rules of evidence breathtaking. She ordered him to undertake remedial education classes.

  3. Buqueley says:

    Date fix in 7th graf of main text, 2nd sentence: 2019 to 2018? Fine to delete this post.

    “The idea behind the latter was to corroborate two claims Schulte posted on his JoshSchulte WordPress sites on October 1, 2019 — that the FBI had planted …”

  4. AndTheSlithyToves says:

    Great reportage, Marcy! My fears about what would become of the first generation raised on video games and ubiquitous electronic/internet connections is now being “Bourne” out.

  5. mospeck says:

    ew, love that you are always so pushing on the US law to be getting faster and better. Things need to be changing quickly now in order to adapt against the clever tech-savvy crooks.

  6. Rugger9 says:

    OT but important. It seems that Pompeo is trying to make the Taliban (a HYPER-Sunni group) into a proxy of the Iranians (hyper-Shiite with imams) hoping that no one would pay attention to the fact that the two Islamic sects have been at loggerheads for almost 1350 years now and much unpleasantness in the 1990s and 2000s. More recently, they did work together on the ISIL problem but even the WP admits there’s no political value for the Iranians to operate in Kabul where the car bomb was. This is where the red line including Iran “and its proxies” needs better definition. Given how the Taliban generally feel about America, doing this solely as a favor for Iran is stretching the intel.

    This is in contrast to the Qatar border closure that happened just when Jared needed the Qatari sovereign wealth fund to bail out his 666 property in NYC. When the Qataris balked at sending good money after bad the Saudis called them terrorist sympathizers, closed the border and threatened to invade the country where we have a very large base.

    It’s clear that Kaiser Quisling and the Palace need a war to divert attention from Hope Hicks’ transcript expected to come out on Friday among other bad news. Too bad the MSM and MAGA trolls will fall for it, again.

    • Rugger9 says:

      Until this gets covered here, continuing the OT with an explainer from Juan Cole on why Pompeo’s claim is utter BS. I also note that there was a drone shot down by the Iranians in and uncertain location (Iranian airspace versus international airspace – it depends where the ADIZ lines are declared versus where they are legally allowed). Kaiser Quisling want’s his deflection war very very badly.

      • P J Evans says:

        Pompeo and the Mustache of Doom certainly want it. Tom Cotton has been pushing for it for a couple of years. (He ought to have to go fight.)

      • P J Evans says:

        I wish the people who are supposedly our leaders weren’t a bunch of idjit war-mongers plus an orange coward.

    • Democritus says:

      Not just a very large base, the largest US AFB in the Mid East. Lots of the missions for OEF and OIF were flown from there from what I read. When the blockade happened Tillerson said the US was opposed while Trump said we were fine with it. Sketchy as hell.

      I’m still flummoxed that the Saudi and UAE angles are continually ignored. Corruption I guess.

      I do NOT trust the orange twitler.

  7. MattyG says:

    Sorry for the OT – I know it’s not an open thread – but what the hell is Pelosi playing at? Does she have a game? Or, as it’s looking more and more like – no game at all? I get the strong impression she’s actually scared of setting the House lumbering into motion on impeachment – too far outside her finger-wagging comfort zone. Schumer is useless. I like Nagler and feisty Dems like Lieu, Swalwell and others but Jesus, can someone stand up already?

    Why aren’t we hearing a blizzard from Pelosi about GOP standing down on election protection? It’s unreal.

    • JamesJoyce says:

      “…well can someone stand up already?”

      Joe McCarthy a demagogue destroyed himself. He kept taking the rope.

      Gravity does
      not discriminate and is fatal if your an oversized egg 🥚 sitting atop a narrow wall.

      Propaganda’s dissemination has always been
      aided by tech.

      From papyrus paper to radio to train, then plane, motion picture and now “executive tweet,” from an oversized handheld device with max font settings Tweeting Tobacco Twitter-verse Commercials at light speed…

      How can one be so blind….

    • Democritus says:

      I think she wants to wait until fall. Not saying it’s the right choice, but I’ve been thinking about it and I think she wants to get some of the opening moves and get done with the attempts to reach accommodations so they can show the courts they tried first.

      Also so she can go I didn’t want to impeach but Trumps continual disregard for the Rule of Law has left us no choice.

      They need to get started soon though, and I worry that they will wait too long. Who says our 2020 elections will be free and fair, best put people on notice now and make them think twice about the more egregious rat fucking the GOP is known for.

    • Vicks says:

      I visualize Pelosi standing there with a mirror reflecting the will of the people.
      In case anyone has missed it, the point that has been made clearly, concisely and repeatedly on this site is; this next part is on us.
      You can point fingers at Pelosi or wring your hands because the senate will “never” impeach DJT but seriously, that’s bullsh*t. TRUE power is still in the hands of the people. Hoping or expecting (first Mueller and now) Pelosi and her crew to save us, is leaving ALL of that power on the table. Everyone on this site knows how high the stakes are; telling ourselves we are doing our part by reading the news carefully and posting our angst on various websites is not just foolish, it’s inexcusable.
      It’s time to turn the question of why congress isn’t doing anything on ourselves.
      There are all sorts of ways to try and save your country, starting with contacting your local representatives and let them know exactly what you think, all the information is on their websites you can call, e-mail AND snail mail. Do it every day. Let them know your serious. If they have town hall meetings show up, if they do group calls get on the list not just to be connected to the call but to ask a question. Check Facebook and apps like “meetup” to see when like- minded people are getting together and join them. Bring some friends. If there aren’t groups in your area start one. Meet for coffee, give your group a name, tell everyone to bring friends and become a force. It’s time to get loud folks, if that’s not your style, suck it up and do it anyway.

  8. tjallen says:

    re. presumptionofinnocence-dot-net, is this a wordpress account? Or a purchased dot-net domain name?

    • tjallen says:

      A quick WHOIS look-up reveals that the domain name presumptionofinnocence-dot-net was created 2018-08-16, updated 2018-08-17, purchased from the reseller, and pointed at wordpress servers like NS1-dot-WORDPRESS-dot-COM, presumably passing through to a wordpress blog. Other info is obscured by the cleverly named anonymizing service, Knock Knock WHOIS Not There, LLC.

Comments are closed.