DOJ Got All the Proud Boy Telegram Texts from Ethan Nordean’s Phone

Judge Tim Kelly just wrapped up a status hearing with three of the four Leadership Proud Boy conspiracy defendants: Ethan Nordean, Joe Biggs, and Charles Donohoe (Zach Rehl’s attorney is still arranging her appearance before the DC court).

A really important detail came out about the Telegram texts that have been central to the conspiracy case against the defendants: According to Nordean’s attorney Nick Smith, they call came from Nordean’s phone.

He said that, in part, to anticipate some of the challenges he’ll make to the evidence. First, he’s going to claim the search was illegal and move to suppress it based off a ruling that the government has dropped that theory of crime (that won’t work under Fourth Amendment precedents, but you have to try).

More importantly, he said the government had gotten into the phone — rather than be forced to crack it, as they are doing with everyone else’s phone — because Nordean’s wife gave the FBI the passcode.

It had seemed like someone listed as Unindicted Co-Conspirator 1 may have shared them with the government. That person says some pretty damning things in the chats.

39. On after Chairman’s January 4, 2021, shortly after Proud Boys Chairman’s arrest pursuant to a warrant issued by D.C. Superior Court, DONOHOE expressed concern that encrypted communications that involved Proud Boys Chairman would be compromised when law enforcement examined Proud Boys Chairmans’ phone. DONOHOE then created a new channel on the encrypted messaging application, entitled, “New MOSD,” and took steps to destroy or “nuke” the earlier channel. After its creation, the “New MOSD” channel included NORDEAN, BIGGS, REHL, DONOHOE, and a handful of additional members.

40. On January 4, 2021, at 7:15 p.m., DONOHOE posted a message on various encrypted messaging channels, including New MOSD, which read, “Hey have been instructed and listen to me real good! There is no planning of any sorts. I need to be put into whatever new thing is created. Everything is compromised and we can be looking at Gang charges.” DONOHOE then wrote, “Stop everything immediately” and then “This comes from the top.”

41. On January 4, 2021, at 8:20 p.m., an unindicted co-conspirator (“UCC-1”) posted to New MOSD channel: “We had originally planned on breaking the guys into teams. Let’s start divying them up and getting baofeng channels picked out.”

42. On January 5, 2021, at 1:23 p.m., a new encrypted messaging channel entitled “Boots on the Ground” was created for communications by Proud Boys members in Washington, D.C. In total, over sixty users participated in the Boots on the Ground channel, including NORDEAN, BIGGS, REHL, DONOHOE, and UCC-1.

That, in turn, had led to speculation, and in no way just from me, that UCC1 had already flipped on his buddies and was cooperating.

What was said today appears to be inconsistent with that. Indeed, it seems all the talk of four informants from the Proud Boys working with the FBI mostly pertained to helping Attorney General Billy Barr gin up claims against Antifa, and not (yet, at least) informing on each other.

Rudy Giuliani’s Going To Go Through Some Things

The NYT is breaking the news that Rudy Giuliani’s home was searched this morning and his devices seized.

Federal investigators in Manhattan executed a search warrant on Wednesday at the Upper East Side apartment of Rudolph W. Giuliani, the former New York City mayor who became President Donald J. Trump’s personal lawyer, stepping up a criminal investigation into Mr. Giuliani’s dealings in Ukraine, three people with knowledge of the matter said.

One of the people said the investigators had seized Mr. Giuliani’s electronic devices.

The story explains that this arises out of the investigation into Rudy’s foreign influence peddling with Ukraine.

The federal authorities have been largely focused on whether Mr. Giuliani illegally lobbied the Trump administration in 2019 on behalf of Ukrainian officials and oligarchs, who at the same time were helping Mr. Giuliani search for dirt on Mr. Trump’s political rivals, including President Biden, who was then a leading candidate for the Democratic presidential nomination.

The NYT doesn’t mention that several of these Ukrainians have since been sanctioned by Treasury as Russian agents.

But once they get Rudy’s phones, there’s the possibility they’ll find evidence of all Rudy’s other crimes. For example, in January, Rudy was in contact with James Sullivan, who is the brother of accused January 6 insurrectionist John Sullivan and who himself has ties to the Proud Boys.

This is a lot of information exchange (and a good degree of familiarity) with someone so closely tied to an attack on the Capitol.

So who knows? It might all coalesce: Rudy’s work for Russian Agents in Ukraine to undermine democracy, paving the way for a violent attack on the Capitol.

Update: They searched Victoria Toensing’s home too.

F.B.I. agents on Wednesday morning also executed a search warrant at the Washington-area home of Victoria Toensing, a lawyer close to Mr. Giuliani who had dealings with several Ukrainians involved in the effort to find damaging information about the Bidens, according to people with knowledge of that search. Ms. Toensing has represented Dmitry Firtash, a Ukrainian oligarch under indictment in the United States whose help Mr. Giuliani sought.

Update: Fixed the timing of the search. h/t JM.

Avril Haines Committed to Reviewing Past Redactions of Intelligence on Russia’s Support for Trump

In the wake of the confirmation that Konstantin Kilimnik did, in fact, share campaign data with Russian Intelligence, some people are asking whether Trump withheld information confirming that fact from Mueller or SSCI.

There are other possible explanations. After all, DOJ stated publicly in 2019 they were still working on decrypting communications involving Manafort and Kilimnik. There are likely new sources of information that have become available to the government.

It’s also certain that the government did share some information with SSCI that was not publicly released in its report last year. Indeed, we’re still waiting on information in the SSCI Report that probably will be made public.

Ron Wyden complained about the overclassification of the report when it came out, and — in his typical fashion — provided bread crumbs of what we might learn with further declassification.

(U) The report includes new revelations directly related to the Trump campaign’s cooperation with Russian efforts to get Donald Trump elected. Yet significant information remains redacted. One example among many is the report’s findings with regard to the relationship between Trump campaign manager Paul Manafort and Russian intelligence officer Konstantin Kilimnik.

(U) The report includes significant information demonstrating that Paul Manafort’s support for Russia and pro-Russian factions in Ukraine was deeper than previously known. The report also details extremely troubling information about the extent and nature of Manafort’s connection with Kilimnik and Manafort’s passage of campaign polling data to Kilimnik. Most troubling of all are indications that Kilimnik, and Manafort himself, were connected to Russia’s hack-and-leak operations.

(U) Unfortunately, significant aspects of this story remain hidden from the American public. Information related to Manafort’s interactions with Kilimnik, particularly in April 2016, are the subject of extensive redactions. Evidence connecting Kilimnik to the GRU’s hack-and-leak operations are likewise redacted, as are indications of Manafort’s own connections to those operations. There are redactions to important new information with regard to Manafort’s meeting in Madrid with a representative of Oleg Deripaska. The report also includes extensive information on Deripaska, a proxy for Russian intelligence and an associate of Manafort. Unfortunately, much of that information is redacted as well.

(U) The report is of urgent concern to the American people, in part due to its relevance to the 2020 election and Russia’s ongoing influence activities. The public version of the report details how Kilimnik disseminated propaganda claiming Ukrainian interference in the 2016 election, beginning even before that election and continuing into late 2019. [one sentence redacted] And the report includes information on the role of other Russian government proxies and personas in spreading false narratives about Ukrainian interference in the U.S. election. This propaganda, pushed by a Russian intelligence officer and other Russian proxies, was the basis on which Donald Trump sought to extort the current government of Ukraine into providing assistance to his reelection efforts and was at the center of Trump’s impeachment and Senate trial. That is one of the reasons why the extensive redactions in this section of the report are so deeply problematic. Only when the American people are informed about the role of an adversary in concocting and disseminating disinformation can they make democratic choices free of foreign interference.

Redactions suggest there was more to an April exchange of information between Kilimnik and Manafort involving Oleg Deripaska than has been made public, describing something else that happened almost simultaneously with that exchange. SSCI learned about that even without obtaining information from Manafort’s email server, which Kilimnik was using long after he stopped working for Manafort and which they subpoenaed unsuccessfully, but Mueller did obtain it.

There’s also a very long redacted passage in the more general Additional Views from Democrats on the committee that laid out the significance of the SSCI findings for the 2020 election (ostensibly what yesterday’s sanctions addressed).

Also in typical Wyden fashion, he already took steps to liberate such information as could be released. In his Questions for the Record for both Avril Haines and William Burns, Wyden asked that this information be declassified. He also asked that more information behind Treasury’s sanctions imposed on Andrii Derkach last September be declassified. Haines committed to ordering a new declassification review of both.

QUESTION 150: If confirmed, will you review the Committee’s Report on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, in particular Volume 5, for additional declassification?

Yes, if confirmed, I will order a review of the Committee’s report to determine whether additional declassification is possible consistent with the need to protect national security.

QUESTION 151: If confirmed, will you review intelligence related to foreign interference in the 2020 U.S. election, including with regard to Russian agents referenced in the Treasury Department’s September 10, 2020, sanctions announcement, for additional declassification and public release?

Yes, if confirmed I will order a review of these materials to determine whether additional declassification is possible consistent with the need to protect national security.

So we should be getting a newly declassified version of the SSCI Report that will reveal what the Trump Administration did share, but buried under redactions.

Which will also reveal what Trump knew about Manafort’s affirmative ties to Russian intelligence when he pardoned Manafort to pay off Manafort’s silence about all that during the Mueller investigation.

Treasury States as Fact that Konstantin Kilimnik Shared Polling Data with Russian Intelligence

Today, the Biden Administration rolled out a package of new sanctions against Russia. The package includes new authorities, including limitations on doing business with Russia’s Sovereign Debt. It sanctions some companies with ties to Russian intelligence, including for their role in the Solar Winds breach, which is the kind of precedent that may backfire against the US. As Russia expands its military presence in or just outside Ukraine, it imposes sanctions on Russians involved in Crimea. It expands sanctions for disinformation, targeting both Yevgeniy Prigozhin’s fronts and his money laundering vehicles as well as a GRU front.

A number of those measures will be controversial. And the imposition of sanctions on Prigozhin without an accompanying criminal complaint (as happened under Trump) may suggest a change of strategy.

But one of the bigger pieces of news is that the Treasury press release states as fact that Konstantin Kilimnik shared the polling data that Paul Manafort gave to him (or had Rick Gates pass on) with unnamed Russian intelligence.

Konstantin Kilimnik (Kilimnik) is a Russian and Ukrainian political consultant and known Russian Intelligence Services agent implementing influence operations on their behalf. During the 2016 U.S. presidential election campaign, Kilimnik provided the Russian Intelligence Services with sensitive information on polling and campaign strategy. Additionally, Kilimnik sought to promote the narrative that Ukraine, not Russia, had interfered in the 2016 U.S. presidential election. In 2018, Kilimnik was indicted on charges of obstruction of justice and conspiracy to obstruct justice regarding unregistered lobbying work. Kilimnik has also sought to assist designated former President of Ukraine Viktor Yanukovych. At Yanukovych’s direction, Kilimnik sought to institute a plan that would return Yanukovych to power in Ukraine.

Kilimnik was designated pursuant to E.O. 13848 for having engaged in foreign interference in the U.S. 2020 presidential election. Kilimnik was also designated pursuant to E.O. 13660 for acting for or on behalf of Yanukovych. Yanukovych, who is currently hiding in exile in Russia, was designated in 2014 pursuant to E.O. 13660 for his role in violating Ukrainian sovereignty. [my emphasis]

This comes just one month after the Intelligence Community associated Kilimnik with FSB rather than GRU, as had previously been alleged.

This announcement could be particularly interesting for pardoned Trump campaign manager Paul Manafort. As Andrew Weissmann pointed out at the time, Manafort’s pardon only includes the stuff he was convicted of, arguably leaving open the possibility of prosecution even for stuff he admitted but was not convicted of.

But Manafort’s role in feeding Russia information that was useful for their election operation in 2016 was only ever addressed in Manafort’s plea breach hearing. He was never charged for his lies to protect Kilimnik during the period he was supposed to be cooperating. Just as interesting, around the time (in June and August of last year) that FBI was offering $250,000 for information leading to Kilimnik’s arrest and adding him to their Most Wanted list, a lawsuit by media outlets for Manafort’s breach filings died out with no explanation. One possible explanation for that (it’s not the only one) is that DOJ weighed in and said those filings could not be released because of the ongoing investigation that would lead Treasury to have more confidence about what Kilimnik did with that information.

Yes, it’s interesting that the government now seems to have more clarity about what Russian agency Kilimnik worked for and what he did with Trump campaign information. But it may be acutely interesting for Paul Manafort.

Days after an Oath Keeper Event with Roger Stone, Kelly Meggs Described Having “Organized an Alliance” with the Proud Boys

I had been waiting for the moment when DOJ would unveil some of the Facebook content that Graydon Young attempted to delete when he shut down Facebook on January 7. I had similarly been waiting to see how DOJ rolled out Roger Stone as a key pivot between the Florida Oath Keepers (which Kelly Meggs led, and which Stone bodyguards Roberta Minuta and Joshua James were part of) and the Proud Boys (whose key leaders Enrique Tarrio and Joe Biggs live in Florida).

Overnight, in its response to Meggs’ attempt to get bail, the government did both. Ostensibly, they did so to show that Meggs’ interview with the FBI had not been entirely truthful about (among other things) being in DC to protect the cops and vetting Oath Keeper members.

On the first point, yes, Defendant Meggs made a statement to the FBI in the hours following his arrest. But that fact was known at the time of Defendant Meggs’s first detention hearing, and, regardless, simply speaking with law enforcement does not mean that a person is not a danger. This is especially so when some of the statements Defendant Meggs made to the FBI appear to be in conflict with the evidence.

[snip]

This sentiment appears in conflict with Defendant Meggs’s allegation in his motion (and what he stated to the FBI upon his arrest) that he was at the Capitol to help “protect” police officers. (ECF 82 at ¶ 15.)

[snip]

On the evening of January 3, 2021, co-defendant Steele sent an email to Defendant Meggs’s email account at Proton Mail,8 copying co-defendant Young. Steele attached her application and vetting form, and wrote: “My brother, Graydon Young told me to send the application to you so I can be verified for the Events this coming Tuesday and Wednesday.” Defendant Meggs appears to have provided instructions to co-defendant Steele, because the following day (January 4), Steele again sent her application and vetting form to another Oath Keepers email address at Proton Mail. On her email, she copied Defendant Meggs. In contrast to this evidence, Defendant Meggs inexplicably told the FBI that “the only person I’ve ever vetted” was a man six months earlier. Interview Tr. at 28-29.

In a filing that revealed details of Meggs’ Facebook, Signal, ProtonMail, and GoToMeeting use, it described Meggs writing on December 19 — five days after his wife and Young did “security” for Roger Stone at a Stop the Steal rally, evidence of which the government presented (the picture below) in their response to Meggs’ wife’s bid for bond — that he had “organized an alliance between the Oath Keepers, Florida 3%ers, and Proud Boys” to “shut this shit down.”

On December 26, Meggs called this insurrection (albeit in response to Trump’s order) explicitly.

On Christmas, Meggs specifically tied protection, almost certainly of Stone, and coordination with a Proud Boy, almost certainly Tarrio, in the same text.

DOJ included some (not all though: there was one called ““florida dc op planning chat” they don’t seem to have included) of the planning meetings on GoToMeeting.

A week ago, DOJ was content to prove that Connie Meggs’ claims that she didn’t know any of these people by introducing the picture where she and Graydon Young posed with Stone on December 14.

And Defendant Meggs obviously was acquainted with other members of the Oath Keepers group who stormed the Capitol with her on January 6; the photo below, which was shared on Facebook on December 15, 2020, shows Defendant Meggs (red oval) posing at a book signing with several other individuals, including co-defendant Graydon Young (green oval):

Yesterday, prosecutors in this case had to get chewed out because former Acting US Attorney Michael Sherwin blabbed his mouth (completely inappropriately) on 60 Minutes, discussing what at that point had been merely a suggestion, that DOJ’s conspiracy case would integrate three different militia groups.

And the bulk of those cases are federal criminal charges, and significant federal felony charges. Five, 10, 20-year penalties. Of those 400 cases, the majority of those, 80, 85%, maybe even 90, you have individuals, both inside and outside the Capitol, that breached the Capitol, trespassed. You also have individuals, roughly over 100, that we’ve charged with assaulting federal officers and local police officers. The 10% of the cases,  I’ll call the more complex conspiracy cases where we do have evidence, it’s in the public record where individual militia groups from different facets: Oath Keepers, Three Percenters, Proud Boys, did have a plan. We don’t know what the full plan is, to come to D.C., organize, and breach the Capitol in some manner.

By the end of the day (having had their secret blown), DOJ showed that not only had the guy in charge of the Stack been thinking in terms of “insurrection” for over a week, but was also thinking about coordinated action among the different militia.

There’s still a problem with this conspiracy, as constructed. The Oath Keepers had a plan — which DOJ has now presented evidence they coordinated with two other militia groups. But the plan wasn’t limited to preventing vote certification (in part, because when they traveled to DC, they still believed that Trump or Mike Pence might make such an action unnecessary). The plan was insurrection.

But that only makes it more likely DOJ will be forced to charge it as such.

The Three Key Details the Proud Boy Unindicted Co-Conspirator Likely Revealed to Prosecutors

By March 1, the government had three pieces of evidence that form a key part of a conspiracy indictment accusing Ethan Nordean, Joe Biggs, Zachary Rehl, and Charles Donohoe of conspiring to breach the Capitol and by doing so, delaying the certification of the vote:

  • The Proud Boys used Baofeng radios set to a specific channel (which channel prosecutors knew)
  • After Enrique Tarrio’s arrest, Ethan Nordean got put in charge of the January 6 operation
  • The gang had a plan to split up to optimize the chances of success

A detention motion for Nordean submitted on that day included all three of these details. It described how the Proud Boys distributed Baofeng radios to use in the operation.

Arrangements were made to program and distribute multiple Baofeng radios5 for use by Proud Boys members to communicate during the event. Baofeng is a Chinese communications equipment manufacturer. Baofeng radios can be programmed to communicate on more than 1,000 different frequencies, making them far more difficult to monitor or overhear than common “walkie talkie” type radios. Specific radio frequencies were communicated to the Proud Boys.

5 Law enforcement recovered a Baofeng radio from Defendant’s home during the execution of a search warrant—the Baofeng radio recovered from Defendant’s home was still tuned to frequency that had been communicated to the group.

[snip]

The group led by Defendant arrived at the east side of the Capitol before noon. Several of the men in the group were holding Baofeng radios. Others had them clipped to their belts or jackets.

It described how Nordean was put in charge after Tarrio’s arrest.

Moreover, following the arrest of the Proud Boys’ Chairman on January 4, 2021, Defendant was nominated from within to have “war powers” and to take ultimate leadership of the Proud Boys’ activities on January 6, 2021.

[snip]

On January 4, 2021, Henry “Enrique” Tarrio, the self-proclaimed “Chairman” of the Proud Boys was arrested shortly after arriving in Washington, D.C., pursuant to a warrant issued by D.C. Superior Court. In communications between Proud Boys members following Tarrio’s arrest, it was acknowledged that Defendant would be among those that led the Proud Boys on the ground on January 6, 2021.

And it described a decision to split people up in an effort to increase the likelihood of actually shutting down the certification of the vote.

As noted more fully below, Defendant—dressed all in black, wearing a tactical vest—led the Proud Boys through the use of encrypted communications and military-style equipment, and he led them with the specific plans to: split up into groups, attempt to break into the Capitol building from as many different points as possible, and prevent the Joint Session of Congress from Certifying the Electoral College results.

[snip]

In order to increase the odds that their plan would succeed, Defendant and those Proud Boys following him dressed “incognito” and spread out to many different locations from which they could force entry into the Capitol. Defendant and others responsible for the January 6 Proud Boys event likely knew from experience that their typical tactic of marching in “uniform,” and in unison, would draw a concentrated law enforcement response to their location. By blending in and spreading out, Defendant and those following him on January 6 made it more likely that either a Proud Boy—or a suitably-inspired “normie”—would be able to storm the Capitol and its ground in such a way that would interrupt the Certification of the Electoral College vote

Even after prosecutors shared these damning claims, their bid to keep Nordean in jail failed. Nordean’s wife filed a declaration stating in part that Nordean obtained the radio on January 7 and, to her knowledge, he did not possess such a radio before that date.

An indictment against Nordean obtained on March 3 to comply with the Speedy Trial Act (but not released publicly until after the detention hearing) mentioned none of that.

And at the March 3 detention hearing before Beryl Howell, according to Zoe Tillman, the government withdrew the claim that Nordean had the Proud Boys split into groups as a factor for that detention hearing. In what the WaPo described as, “a remarkable stumble for prosecutors,”Judge Howell released Nordean to home detention, saying there was little evidence that Nordean played that leadership role.

Nordean “was a leader of a march to the Capitol. But once he got there it is not clear what leadership role this individual took at all for the people who went inside,” Howell said. “Evidence that he directed other defendants to break into or enter the Capitol is weak, to say the least.”

Nordean’s release marked a stumble for prosecutors, who have cast him as a key figure based on what Howell agreed were “ominous” communications before Jan. 6 that they said indicated he and other Proud Boys were planning “violent action” to overwhelm police and force entry to the Capitol. The judge’s decision sets back for now the government’s efforts to establish that there was a wider plot to that end.

[snip]

“The government has backed down from saying that he directly told them to split into groups and that they had this strategic plan,” Howell remarked.

Howell said that although Nordean’s release was a “close call,” she agreed with the defense that “there’s no allegation that the defendant caused injury to any person, or that he even personally caused damage to any particular property.”

Prosecutors claimed they had this evidence on March 1. But after failing to present it at that March 3 hearing, Nordean got released.

On March 15, the judge assigned to the case after Nordean got indicted, Timothy Kelly, issued an order delaying the arraignment scheduled for the next day. He offered no explanation.

What didn’t become clear until this week is that, on March 10, the government obtained the superseding indictment against Nordean and others. And then, on March 12, the government asked Judge Kelly to delay Nordean’s arraignment on his original indictment because of the superseding indictment. Prosecutors explained that revealing the indictment ahead of time would risk alerting Rehl and Donohoe before they could be arrested and their houses searched.

On March 10, 2021, a federal grand jury sitting in the District of Columbia returned a Superseding Indictment charging Defendant, and three co-defendants (two of whom were not previously charged), with Conspiracy, in violation of 18 U.S.C. § 371; Obstruction of an Agency Proceeding, in violation of 18 U.S.C. §§ 1512(c)(2), and 2; Obstructing Law Enforcement During a Civil Disorder, in violation of 18 U.S.C. §§ 231(a)(3), and 2; 18 U.S.C. §§ 1361, and 2; Entering and Remaining in a Restricted Building or Grounds, in violation of 18 U.S.C. § 1752(a)(1); and Disorderly and Disruptive Conduct in a Restricted Building or Grounds, in violation of 18 U.S.C. § 1752(a)(2).

The Superseding Indictment is under seal, pending the arrest of newly charged defendants and the execution of search warrants. Law Enforcement anticipates executing the arrests and search warrants of the new defendants in a coordinated operation on Wednesday, March 17, 2021. Once the arrests are executed, the Superseding Indictment will be unsealed.

The evidence the superseding indictment provides to substantiate claims first made on March 1 may explain an even bigger reason why prosecutors didn’t provide their evidence for those three claims in time to keep Nordean in custody: They had an unindicted co-conspirator (presumably someone cooperating with prosecutors) who was, along with the four conspiracy defendants, on an encrypted channel created after Enrique Tarrio’s arrest on January 4 that Proud Boy leaders used to continue planning for January 6. That unindicted co-conspirator was personally involved in all three details included in that detention memo against Nordean. He helped divvy up the Proud Boys to be spread out during the January 6 operation.

39. On after Chairman’s January 4, 2021, shortly after Proud Boys Chairman’s arrest pursuant to a warrant issued by D.C. Superior Court, DONOHOE expressed concern that encrypted communications that involved Proud Boys Chairman would be compromised when law enforcement examined Proud Boys Chairmans’ phone. DONOHOE then created a new channel on the encrypted messaging application, entitled, “New MOSD,” and took steps to destroy or “nuke” the earlier channel. After its creation, the “New MOSD” channel included NORDEAN, BIGGS, REHL, DONOHOE, and a handful of additional members.

40. On January 2021, at 7:15 p.m., DONOHOE posted a message on various encrypted messaging channels, including New MOSD, which read, “Hey have been instructed and listen to me real good! There is no planning of any sorts. I need to be put into whatever new thing is created. Everything is compromised and we can be looking at Gang charges.” DONOHOE then wrote, “Stop everything immediately” and then “This comes from the top.”

41. On January 4, 2021, at 8:20 p.m., an unindicted co-conspirator (“UCC-1”) posted to New MOSD channel: “We had originally planned on breaking the guys into teams. Let’s start divying them up and getting baofeng channels picked out.”

Note: If “New MOSD” was a channel of State leaders of the Proud Boys, it would likely have included Nicholas Ochs, who heads the Hawaii chapter of the Proud Boys. Ochs was the first senior Proud Boy to be arrested, on January 7, at the airport when he arrived back in Hawaii (and therefore carrying anything he had with him at the insurrection, potentially including his cell phone and any radios he kept). Kathryn Rakoczy, who has since moved onto the team prosecuting the Oath Keepers, was the original prosecutor on Ochs’ case. But now Christopher Berridge, who is on all the other Proud Boy cases but not the Nordean and Biggs one, is prosecuting Ochs. Ochs is charged in a parallel conspiracy indictment, with the very same goal and many of the same means as the Nordean and Biggs one, but which for some reason was not identified as a related case to the other three Proud Boy ones and so was not assigned to Judge Kelly; Judge Howell is presiding over Ochs’ case. Ochs has a superb defense attorney, Edward McMahon. Many of these details, which make the curious treatment of the Ochs-DeCarlo conspiracy indictment clear, are in this post or this expanded table.

Whoever the unindicted co-conspirator is, he’s the one who set the channel of the Baofeng radios the night before the insurrection. And he’s the one who stated that Nordean was in charge.

46. At 9:03 p.m., REHL notified NORDEAN, BIGGS, DONOHOE and others that he had arrived in Washington, D.C. DONOHOE responded by requesting one of the radios that REHL had brought.

47.  At 9:09 p.m., UCC-1 broadcast a message to MOSD and Boots on the Ground channels that read: “Stand by for the shared baofeng channel and shared zello channel, no Colors, be decentralized and use good judgement until further orders” UCC-1 also wrote, Rufio is in charge, cops are the primary threat, don’t get caught by them or BLM, don’t get drunk until off the street.” UCC-1 then provided a specific radio frequency of 477.985.

It is highly likely that prosecutors learned the three details included in that detention motion — that Nordean had been put in charge, that the Proud Boys were using Baofeng radios set to frequency 477.985, and that part of the plan was to disperse the men to increase chances of success — from the unindicted co-conspirator and or devices seized from him when he was first arrested.

And it took them less than two months to learn those details of the plot.

Update: The government has moved to detain both Nordean and Biggs now. Those motions cite from the Telegram chats the Proud Boys used to organize the day before the attack, including (I’ve combined them from both motions):

On January 5, between 9:30 – 9:32am [Biggs] stated “What are the teams. I keep hearing team [sic] are picked already.” A few minutes later, [Biggs] stated “Who are we going to be with. I have guys with me in other chats saying teams are being put together.”

On January 5, at 9:32am, a member of a Proud Boys Telegram group stated “It seems like our plan has totally broken down and rufio has taken control as a singke [sic] point of contact.”

On January 5, between 5:22 – 5:25pm, [Biggs] stated “Woth [sic] [coconspirator Ethan Nordean] trying to get numbers so we can make a plan.” Defendant then stated “Just trying to get our numbers. So we can plan accordingly for tonight and go over tomorrow’s plan.”

On January 5, at 5:52pm, [Biggs] stated “We are trying to avoid getting into any shit tonight. Tomorrow’s the day” and “I’m here with [co-conspirator Nordean] and a good group[.]”

On January 5, at 9:07pm, co-conspirator Charles Donohoe asked “Hey who’s boots on ground with a plan RN [ … ] Guys are asking.” A participant in the encrypted chat stated “Supposed to be Rufio.”

Within minutes, an unindicted co-conspirator broadcast a message to those in the group chat, “Rufio is in charge, cops are the primary threat, don’t get caught by them or BLM, don’t get drunk until off the street.”

On January 5, between 9:17 and 9:20pm, [Biggs] stated “We just had a meeting woth [sic] a lot of guys. Info should be coming out” and then “I was able to rally everyone here together who came where I said” and then, “We have a plan. I’m with [co-conspirator Nordean].”

On January 5, at 9:34pm [Biggs] told co-conspirator Charles Donohoe to communicate to Proud Boys members a message stating that the group in Washington, D.C. would meet at the Washington Monument at 10am on January 6.

On the morning of January 6, Donohoe stated that he was on his way to the Washington Monument, and “I have the keys until Rufio and [co-conspirator Zachary Rehl] show up.”

Update: As I note in a footnote to this post, Nicholas Ochs can’t be the unindicted co-conspirator. That’s true for two reasons. First, because DOJ does not believe UCC-1 was at the Capitol on January 6 (though doesn’t say where he was). DOJ knows Ochs was inside the Capitol. Also, DOJ has now started treating all the Proud Boy conspiracies as the same conspiracy. So Ochs could not, then, be considered un-indicted in that conspiracy.

How to Arrest Someone (Almost) Entirely Off Social Media

Brandon and Stephanie Miller are, like Jeremy Groseclose, really minor players who entered the Capitol on January 6 while there was an insurrection going on around them. The one amusing tidbit in the arrest affidavit for the married couple quoted Brandon, stating on Facebook the day after the riot, that he hadn’t yet gotten into trouble, two months before he would get into trouble.

“Went in the capital [sic] building.” This user asked Brandon Miller, “You didn’t get into any trouble,” to which he responded, “No not yet anyway lol I’m home now I’m banded on Facebook for me going live while I was there we just walked down the main hallway we did see the blood trail from the girl that got shot and killed then I just seen a post saying 3 people died not sure on that one tho.”

What’s interesting about the affidavit is it shows how the FBI arrested the two largely off their social media use.

A Facebook geofence

The investigation started when the FBI obtained Brandon’s Facebook ID in response to a request for everyone who had live-streamed or posted video from inside the Capitol — a kind of Facebook geofence I described likely was used in this post. So at the very start, they didn’t know who Brandon was, but they knew he had trespassed and created his own record of doing so.

The Federal Bureau of Investigations sought information from Facebook as part of the federal investigation that began in the aftermath of the January 6, 2021 events at the U.S. Capitol Building. Specifically, the FBI requested that Facebook identify any “Facebook Live” videos which may have been streamed and/or uploaded to Facebook from physically within the building of the U.S. Capitol during the time on January 6, 2021 that the mob had stormed and occupied the Capitol Building.

Facebook responded by providing the Object IDs for multiple videos linked to specific Facebook accounts/user IDs. Among the accounts provided by Facebook was Facebook account number 100011360648175.

The FBI presumably obtained the Facebook ID for everyone who posted from inside the Capitol that day. I suspect they immediately got preservation orders for everyone whose account came up, which wasn’t a problem here (the Millers did not attempt to delete any of this), but likely explains why others were unsuccessful in their efforts to delete damning evidence on Facebook.

Warrant on Facebook

Remember, virtually every outsider who was in the Capitol that day was trespassing. That made it easy for the FBI to say that anyone who had, like Brandon, uploaded video from inside the Capitol had probably been committing a crime (to say nothing that such videos might provide evidence of other people committing a crime), because by being there to livestream the content, they were trespassing. The FBI got a warrant return from Facebook by January 14 (meaning turnaround and seeking those warrants was almost immediate after the riot). That gave the FBI Brandon’s credit card information, his address, his phone number, and Stephanie’s name and status as Brandon’s spouse.

On or about January 14, 2021, Facebook provided a response to a search warrant for Brandon Miller’s Facebook. Subscriber information provided by Facebook included credit cards associated with the account. The credit card had a zip code of 45308, which resolves to Bradford, OH. Brandon Miller’s Facebook account listed him as living in Bradford, Ohio. The registered phone number to the account is was (***) ***-6025.

[snip]

His Facebook profile as indicated that Brandon Miller was married to Facebook user Stephanie Miller.

The FBI used this information to obtain their driver’s license records, one of the few things that didn’t come directly from social media.

Public commentary on January 6 on Facebook

Both Brandon and Stephanie had their Facebook content accessible to the public (but the FBI would have obtained Brandon’s with their warrant anyway). In addition to the comment, above, where Brandon said he was not yet in trouble, they posted a bunch of other things confirming that they had entered the Capitol. Among other things, though, they posted content that showed they did not have the intent to prevent the vote count (thereby saving themselves the felony charge others have gotten off their pre-January 6 postings).

On or about January 5, 2021, Brandon Miller, in direct messages with another Facebook user wrote, “Heading to DC for tomorrow the 6th the really not sure if you have seen anything about it but me and Stephanie are going to witness history.”

On or about January 6, 2021, Brandon Miller’s Facebook timeline showed he was with Stephanie Miller at a hotel in Washington, D.C. with the accompanying message: “Cant’ wait to witness history”

They were in DC to witness history, not to upend it.

One live witness from Facebook — probably IDed on Facebook

FBI then did the one thing that isn’t obviously from Facebook, but probably is: interview one of the Millers’ family members, twice.

On or about January 26, 2021, a witness, (hereinafter referred to as “W-1”), was interviewed by the FBI. W-1 informed the FBI that he was a family member of Brandon and Stephanie Miller’s. W-1 had heard from another family member that Brandon and Stephanie Miller were at the Capitol and went inside. W-1 observed a Facebook Live video on Brandon Miller’s Facebook account that showed himself and Stephanie Miller inside the Capitol. W-1 provided both Brandon and Stephanie Miller’s phone number as (***) ***-6025. W-1 also provided an address for the Millers in Bradford, Ohio, which matched the Miller’s address in their respective BMV records.

In a subsequent interview, W-1 was shown the photograph above from Brandon Miller’s Facebook. W-1 identified the man in the foreground of the photo as “Brandon Miller” and the woman behind him as “Stephanie Miller” by writing their names next to their respective images. W-1 also viewed the below photograph taken inside the Capitol. W-1 identified the woman in the foreground of the photo as “Stephanie Miller” by writing her name next to her image.

This person honestly told the FBI that they knew the couple had been to the Capitol, had seen Brandon’s Live video, and corroborated all the other data the FBI had already collected off Facebook. The same witness subsequently confirmed the IDs of the pictures that would have been identifiable from Facebook anyway.

The FBI could have IDed this person via many means (such as public records). But Facebook would probably be the easiest and most likely way they did so. Moreover, by doing so using Facebook, the FBI would have known precisely what answers a particular witness could answer, such as their awareness that the couple had been inside the Capitol. Effectively, when they did those interviews, they knew every single answer they’d get, and they knew the witness knew the answers.

FBI could ID family members from tags, pictures, and Facebook content, and then get those family members to corroborate everything made clear in Facebook anyway.

A Google Geofence tour around the Capitol

Then the FBI took two steps to obtain a Google Geofence showing Stephanie (likely with Brandon at her side) wandering around the Capitol. First, by February 4, they got Brandon and Stephanie’s Google identities, using either their phone number and/or Google IDs that would have been returned by Facebook. This would have been a subpoena. Then they used that information to get a warrant for the Geofence showing where Stephanie went in the Capitol, likely with Brandon walking by her side.

Obtain cell site location within the Capitol

The FBI agent who did this work must be really anal (or maybe he’s just showing the work that every agent is doing), because after having obtained location data from Google and Facebook placing the couple inside the Capitol, he obtained cell site location data placing them … in the Capitol.

According to records obtained through a search warrant which was served on AT&T on January 6, 2021, in and around the time of the incident at the U.S. Capitol Building, the cellphones associated with phone numbers (***) ***-5898 and (***) ***-6025 were identified as having utilized a cell site consistent with providing service to a geographic area that included the interior of the U.S. Capitol Building.

The agent got this information two days after the subscriber information from Google, February 6, one month after the riot.

At this point, the agent had three pieces of evidence — the Facebook “geofence,” the Google geofence, and the AT&T location data — placing them inside the Capitol.

Match all that location data to security footage

Then, on February 11, the agent got security footage corresponding with all that location data. Sure enough, they were walking together through the Capitol, gaping at history, just like they said they were going to.

This is what you can do with the power of social media with two people who were doing nothing to hide their actions. Lucky for them, everything they said corroborated their claim they were just there to see history. The FBI has obligingly given them more souvenir pictures for their trouble … and two misdemeanor charges. Along with a very good lesson about how intrusive social media can be.

Remember: this entire process was predicated off the reasonable suspicion that someone live-streaming from the Capitol on January 6 was trespassing. The very act of live-streaming was, in virtually all cases, either evidence from victims or evidence of a misdemeanor. That’s what makes this reasonable rather than a privacy nightmare.

But it’s also a ready lesson about what kind of privacy nightmare it could be, if the FBI were to come up with some other, less obvious basis for probable cause.

Update: After I wrote this I realized I wasn’t as clear about something as I’d like. This data is not — as might be imagined from reading how it served to capture this couple in misdemeanor trespassing charges — worthless data for the larger project of figuring out what plans to overthrow democracy people had coming in. Not only was this social media approach really useful in collecting on the Oath Keepers, who have been charged in a conspiracy to prevent the vote certification, but many of these techniques were first obvious, though not explicitly explained, in the first William Chrestman cell affidavit. This same granular data helped the FBI identify precisely where Proud Boy Chrestman was at any given time he was in the Capitol, who was with him, and what measures they were taking that put members of Congress a significant risk. With the Millers this might seem like overkill. But with a bunch of militia groups that FBI should have had investigations on but didn’t, this data is proving key to being able to reconstruct what happened.

News from the Election Front: Russia Attacked Joe Biden Through “Prominent US Individuals, Some of Whom Were Close to Former President Trump”

Back in 2018, President Trump signed an Executive Order 13848, designed to stave off a law mandating sanctions in the event of election interference. The order nevertheless required reporting on election interference and provided the White House discretion to impose sanctions in the event of interference. Yesterday, the Director of Homeland Security and Director of National Intelligence released the reports mandated by an Executive Order, describing the known efforts to interfere in last year’s election.

Trump’s Intelligence Community Debunks Trump

Though Trump failed to comply publicly in 2019, his own EO mandates deadlines for — first — the DNI report assessing a broader range of possible election interference and then, 45 days later, the DHS/DOJ report describing interference with election infrastructure or influence operations.

(a) Not later than 45 days after the conclusion of a United States election, the Director of National Intelligence, in consultation with the heads of any other appropriate executive departments and agencies (agencies), shall conduct an assessment of any information indicating that a foreign government, or any person acting as an agent of or on behalf of a foreign government, has acted with the intent or purpose of interfering in that election. The assessment shall identify, to the maximum extent ascertainable, the nature of any foreign interference and any methods employed to execute it, the persons involved, and the foreign government or governments that authorized, directed, sponsored, or supported it. The Director of National Intelligence shall deliver this assessment and appropriate supporting information to the President, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, and the Secretary of Homeland Security.

(b) Within 45 days of receiving the assessment and information described in section 1(a) of this order, the Attorney General and the Secretary of Homeland Security, in consultation with the heads of any other appropriate agencies and, as appropriate, State and local officials, shall deliver to the President, the Secretary of State, the Secretary of the Treasury, and the Secretary of Defense a report evaluating, with respect to the United States election that is the subject of the assessment described in section 1(a):

(i) the extent to which any foreign interference that targeted election infrastructure materially affected the security or integrity of that infrastructure, the tabulation of votes, or the timely transmission of election results; and

(ii) if any foreign interference involved activities targeting the infrastructure of, or pertaining to, a political organization, campaign, or candidate, the extent to which such activities materially affected the security or integrity of that infrastructure, including by unauthorized access to, disclosure or threatened disclosure of, or alteration or falsification of, information or data.

These deadlines should have been, for the DNI Report, December 18, and for the DHS/DOJ report, February 1.

The declassified DNI report released yesterday was finished and distributed, in classified form, on January 7.

The document is a declassified version of a classified report that the IC provided to the President, senior Executive Branch officials, and Congressional leadership and intelligence oversight committees on January 7, 2021.

It was based off intelligence available as of December 31.

The DHS report was completed in February.

Which is to say that these reports were done substantially under the Trump Administration.

DHS Debunks the Kraken

The DHS report, based off the classified report completed in February, finds that while Russian and Iran breached some election infrastructure, they did not manage to change any votes. It also finds that those two countries plus China managed to compromise party or campaign infrastructure, with unknown goals, but that none of the countries that accessed information that could have been used in influence operations used the information.

The most important result, however, was that after checking via multiple different measures, the government found no evidence that dead Hugo Chavez or anyone else that Sidney Powell invoked in service of the Big Lie succeeded in changing any votes.

We are aware of multiple public claims that one or more foreign governments—including Venezuela, Cuba, or China—owned, directed, or controlled election infrastructure used in the 2020 federal elections; implemented a scheme to manipulate election infrastructure; or tallied, changed, or otherwise manipulated vote counts. Following the election, the Department of Justice, including the FBI, and the Department of Homeland Security, including CISA, investigated the public claims and determined that they are not credible.

We have no evidence—not through intelligence collection on the foreign actors themselves, not through physical security and cybersecurity monitoring of voting systems across the country, not through post-election audits, and not through any other means—that a foreign government or other actors compromised election infrastructure to manipulate election results.

DNI (Mostly) Debunks the DNI

Last summer, the Director of National Intelligence John Ratcliffe responded to Democratic concerns about Russia interfering in the election again by stating that China was too. This report largely debunks that claim.

We assess that China did not deploy interference efforts and considered but did not deploy influence efforts intended to change the outcome of the US presidential election. We have high confidence in this judgment. China sought stability in its relationship with the United States and did not view either election outcome as being advantageous enough for China to risk blowback if caught. Beijing probably believed that its traditional influence tools, primarily targeted economic measures and lobbying key individuals and interest groups, would be sufficient to achieve its goal of shaping US policy regardless of who won the election. We did not identify China attempting to interfere with election infrastructure or provide funding to any candidates or parties.

  • The IC assesses that Chinese state media criticism of the Trump administration’s policies related to China and its response to the COVID-19 pandemic remained consistent in the lead-up to the election and was aimed at shaping perceptions of US policies and bolstering China’s global position rather than to affect the 2020 US election. The coverage of the US election, in particular, was limited compared to other topics measured in total volume of content.
  • China has long sought to influence US politics by shaping political and social environments to press US officials to support China’s positions and perspectives. We did not, however, see these capabilities deployed for the purpose of shaping the electoral outcome. [Bold original]

The report describes that the National Intelligence Officer for Cyber had moderate confidence that China was trying to help Joe Biden win.

Minority View The National Intelligence Officer for Cyber assesses that China took at least some steps to undermine former President Trump’s reelection chances, primarily through social media and official public statements and media. The NIO agrees with the IC’s view that Beijing was primarily focused on countering anti-China policies, but assesses that some of Beijing’s influence efforts were intended to at least indirectly affect US candidates, political processes, and voter preferences, meeting the definition for election influence used in this report. The NIO agrees that we have no information suggesting China tried to interfere with election processes. The NIO has moderate confidence in these judgments.

This view differs from the IC assessment because it gives more weight to indications that Beijing preferred former President Trump’s defeat and the election of a more predictable member of the establishment instead, and that Beijing implemented some-and later increased-its election influence efforts, especially over the summer of 2020. The NIO assesses these indications are more persuasive than other information indicating that China decided not to intervene. The NIO further assesses that Beijing calibrated its influence efforts to avoid blowback.

That said, the day after this report was initially disseminated in classified form on January 7, Ratcliffe made clear that the Ombud believed this was a politicized view, and that more than just the Cyber NIO agreed (though didn’t mention that the Ombud believed Russian intelligence had been politicized even worse).

President Trump’s political appointees clashed with career intelligence analysts over the extent to which Russia and China interfered or sought to interfere in the 2020 election, with each side accusing the other of politicization, according to a report by an intelligence community ombudsman.

The findings by Barry A. Zulauf, the “analytic ombudsman” for the Office of the Director of National Intelligence (ODNI), describe an intelligence community afflicted by a “widespread perception in the workforce about politicization” of analysis on the topic of foreign election influence — one that he says threatens the legitimacy of the agencies’ work.

[snip]

Citing Zulauf’s report, Director of National Intelligence John Ratcliffe, chosen for the position by Trump last year, charged Thursday that career analysts in a recently completed classified assessment failed to capture the full scope of Chinese government influence on the election — a charge that some current and former officials say illustrates the issue of politicization, because it downplays the much larger role of Russia.

As late as October, then, another Intelligence Officer had some confidence that what this report deems China’s regular influence-peddling had an electoral component, but (as Ratcliffe complained in January) it did not show up in this report, which was entirely produced after the Ombud weighed in.

The IC Now Associates Konstantin Kilimnik with FSB, not GRU

The long section on Russia’s efforts to influence the election get pretty damned close to saying that the events surrounding Trump’s first impeachment and even the Hunter Biden laptop were Russian backed (which is consistent with intelligence warnings that were broadly shared). It might as well have named Rudy Giuliani (among others).

We assess that President Putin and the Russian state authorized and conducted influence operations against the 2020 US presidential election aimed at denigrating President Biden and the Democratic Party, supporting former President Trump, undermining public confidence in the electoral process, and exacerbating sociopolitical divisions in the US. Unlike in 2016, we did not see persistent Russian cyber efforts to gain access to election infrastructure. We have high confidence in these judgments because a range of Russian state and proxy actors who all serve the Kremlin’s interests worked to affect US public perceptions. We also have high confidence because of the consistency of themes in Russia’s influence efforts across the various influence actors and throughout the campaign, as well as in Russian leaders’ assessments of the candidates. A key element of Moscow’s strategy this election cycle was its use of people linked to Russian intelligence to launder influence narratives–including misleading or unsubstantiated allegations against President Biden–through US media organizations, US officials, and prominent US individuals, some of whom were close to former President Trump and his administration.

[snip]

Derkach, Kilimnik, and their associates sought to use prominent US persons and media conduits to launder their narratives to US officials and audiences. These Russian proxies met with and provided materials to Trump administration-linked US persons to advocate for formal investigations; hired a US firm to petition US officials; and attempted to make contact with several senior US officials. They also made contact with established US media figures and helped produce a documentary that aired on a US television network in late January 2020. [Bold original, italics added]

The report likens what Russian entities were doing post-election with what Russia had planned in 2016.

Even after the election, Russian online influence actors continued to promote narratives questioning the election results and disparaging President Biden and the Democratic Party. These efforts parallel plans Moscow had in place in 2016 to discredit a potential incoming Clinton administration, but which it scrapped after former President Trump’s victory.

Perhaps the most interesting detail — on top of revealing that Paul Manafort’s former employee remained involved in all this — is that this report suggests Kilimnik has ties to FSB, not GRU (though the report describes GRU’s efforts as well).

A network of Ukraine-linked individuals–including Russian influence agent Konstantin Kilimnik–who were also connected to the Russian Federal Security Service (FSB) took steps throughout the election cycle to damage US ties to Ukraine, denigrate President Biden and his candidacy, and benefit former President Trump’s prospects for reelection.

The most recent public reporting on Kilimnik was the SSCI Report. And that suggested that Kilimnik (along with at least one other Oleg Deripaska deputy) was linked to GRU. Indeed, Kilimnik has been described as a former GRU officer. This suggests he may have ties, as well or more recently, to FSB, which would have interesting implications for the 2016 operation.

Update, 11/26/23: Link replaced.

The FBI Was Still Collecting Evidence Yesterday that Might Explain Brian Sicknick’s Death

I want to make some observations about timing that may help to explain why the government wasn’t prepared to charge Julian Khater and George Tanios in Brian Sicknick’s death, if indeed they ever will be able to, when they arrested the men yesterday.

The investigation really seems to have come together in recent weeks and the FBI seems to have spent much of the last ten days investigating Tanios, who brought the substance Khater allegedly sprayed at Sicknick to the Capitol.

The arrest affidavit suggests it would have been difficult to have IDed Khater (much less establish probable cause) without the footage from MPD Officer Chapman’s body camera.

On the video, KHATER continues to talk animatedly with TANIOS. At approximately 2:20 p.m., KHATER walks through the crowd to within a few steps of the bike rack barrier. KHATER is standing directly across from a line of law enforcement officers to include U.S. Capitol Police (“USCP”) Officers B. Sicknick and C. Edwards, and Metropolitan Police Department (“MPD”) Officer D. Chapman, who was equipped with a functioning body worn camera (“BWC”) device.

Officer Chapman’s BWC shows that at 2:23 p.m., the rioters begin pulling on a bike rack to Chapman’s left, using ropes and their hands to pull the rack away. Seconds later, KHATER is observed with his right arm up high in the air, appearing to be holding a canister in his right hand and aiming it in the officers’ direction while moving his right arm from side to side. Officer Chapman’s BWC confirms that KHATER was standing only five to eight feet away from the officers.

That’s some of the video that has taken longest to exploit (or longest for the FBI to be willing to share publicly), not least because there wasn’t a publicly curated set like the Parler videos released by ProPublica that allowed open source investigation.

Chapman’s BWC video would permit the FBI to ID Khater (the guy who actually used the spray). Still, he’s got a fairly late FBI Be On the Lookout number: 190, meaning it took some time for the FBI to isolate a still to release.

Once the FBI IDed Khater, though, they would have seen that he was clearly working in tandem with Tanios (which is effectively what the arrest affidavit says). Not only was Khater working with him, but Tanios was the guy carrying the bear spray, and so is more likely to be the guy who’d have another can of the substance in his backpack at home or receipts to identify precisely what was used.

The FBI tweeted out Tanios’ BOLO on March 4 (they released it with the pictures of two other guys; I’m not sure what to make of that).

The arrest warrant for the two men was approved on March 6, which would be quick work if they really were working off a BOLO released March 4 (though they likely got a warrant as soon as they obtained probable cause in case they had to arrest the men quickly).

That said, the arrest warrant wasn’t executed until March 14. That’s not that surprising–the FBI would have wanted to get this arrest right, coordinating teams so that both men would be arrested at the same time. This warrant for Tanios’ house, business, car, and devices, shows that the FBI was physically surveilling Tanios from March 5 through March 8 to identify his movements, his home, his business, and his car.

As late as March 14, the day FBI obtained the warrant, they were still waiting to receive returns from a warrant served on AT&T for Tanios’ phone records. Interestingly, Tanios called Khater at 2:42PM on January 6, less than twenty minutes after Khater allegedly sprayed Sicknick and others (another cop sprayed Khater, so he may have been recovering from pepper spray himself, but Tanios didn’t stick around to help Khater — they were separated by then).

Still, the FBI has been working all of these January 6 cases on an arrest first, further investigate later basis, partly because of the timing of the attack, and partly because FBI had done so little investigation into almost all the subjects of investigation. As Chris Wray said in testimony recently, the arrest of these subjects (sometimes just for trespass crimes) is often just the beginning of the investigation into them. With virtually all the defendants, the FBI is getting enough to arrest them, then doing the kind of investigation that normally precedes in an arrest, such as subpoenaing social media, to say nothing of searching the smart phones where subjects store much of the evidence about intent.

All of which is to say that the FBI likely only obtained evidence that would be needed to charge Khater and Tanios in Sicknick’s death yesterday — including, possibly, identifying what substance Khater allegedly sprayed at Sicknick — and that will take some weeks to fully exploit.

So it’s too soon to know whether the FBI will be able to tie that bear spray to Sicknick’s death.

Two Arrested in Officer Sicknick Assault

On Sunday, the government arrested two men, Julian Elie Khater and George Pierre Tanios, on charges of conspiring to attack three police officers, including Brian Sicknick.

According to the affidavit in support of the criminal complaint, Khater and Tanios were at the U.S. Capitol on Jan. 6, 2021, and were observed in video footage working together to assault law enforcement officers with an unknown chemical substance by spraying officers directly in the face and eyes.  During the investigation, it is alleged that law enforcement discovered video that depicted Khater asking Tanios to “give me that bear s*it.” Tanios replied, “Hold on, hold on, not yet, not yet… it’s still early.”  Khater then retrieved a canister from Tanios’ backpack and walked through the crowd to within a few steps of the police perimeter.  The video shows Khater with his right arm up high in the air, appearing to be holding a canister in his right hand and aiming it at the officers’ direction while moving his right arm from side to side.  The complaint affidavit states that Officers Sicknick, Edwards, and Chapman, who were all standing within a few feet of Khater, each reacted to being sprayed in the face.  The officers retreated, bringing their hands to their faces and rushing to find water to wash out their eyes.

The substance Khater allegedly sprayed caused scabs on the face of one of the officers hit, Officer Edwards, for weeks. All struck with it said the substance was as strong as anything they’ve encountered in their experience as police officers. In addition to assault charges, both were charged with conspiracy to assault police reflecting a degree of planning and intentionality.