(Part of) What I Shared with the FBI

On July 28, 2016, something happened that would eventually lead me to the FBI.

I’m going to explain part of that story now. I’m explaining it for several reasons. I had promised myself I wouldn’t let another election pass without sharing what happened. Even now, I can’t entirely make sense of it — that was part of the point, confusion. But the release of documents in the wake of the Mueller investigation has provided a great number of public details (some of which I laid out in my Rat-Fucker Rashomon series) with which this story might be consistent. I can’t prove that this story explains the unanswered questions about the Roger Stone story (and Bill Barr’s intervention in the Stone sentencing seems to have shut down some parts of any ongoing investigation to do so). But at least I can share details that may provide an explanation.

It started with a several-day dispute about attribution, starting on July 26, 2016, which included discussions about Guccifer and Crowdstrike. A guy I will refer to by the pseudonym Phil and I were texting on Signal debating that attribution. On the 27th, Phil disputed the Crowdstrike report that APT 28, which had done the hack, was GRU, “Russia didn’t write this APT damnit.”

I told him, vaguely, that I knew that entities external to both the DNC and Crowdstrike had evidence confirming the GRU attribution. I had a well-placed source who knew Phil was wrong. He seemed not only sure he could convince me otherwise, but intent on learning what I knew, which I didn’t share.

The next day, July 28, 2016, Phil made up an excuse for wanting me to tell him what his IP address was–it was a bullshit excuse and doesn’t matter for the purpose of this story. “Can you see an ip on your website,” he asked. “Yeah I can get logs.” I said, “Easiest obviously is fr a comment.” (I was wrong about my ability to see the IP address, and he may have known that, because he had been testing how requests to my site worked for months.) “Now,” he said, as he left a comment. 

I forgot about the request until the next day, July 29, when another of the people who can approve first-time comments at the site emailed me with the comment, which had been posted moments after he had told me, “Now.” “I debated about approving that comment by icelanderia in DNC Hack sourcing post,” the person said. “But didn’t because of the email addy attached to it.” To readers of the public site, the comment read, “Just one phrase. Show me the metadata.” It was signed “Icelanderia.” Visible only to those of us with backstage access, however, it was signed [email protected]

Much later, Phil told me he liked leaving comments at my site as a, “Great outlet to talk to my usg pals.” Until late 2017, we kept getting comments at the site which were consistent with disinformation deliberately left in the first Guccifer 2.0 releases, but which might or might not have been him.

But I knew that first one, [email protected] was Phil, purportedly left to find out what IP address his comments would show up as. He never did follow up to ask me whether I could see his IP address. And so I was left trying to figure out why the hell he signed a comment with the name of the persona who was trying to obfuscate what really happened with the DNC hack.

Normally, I don’t think twice about comments left at my site under obviously fake names. Lots of people choose not to use their real email addresses when leaving comments at this site. Unsurprisingly, we’ve had a ton of comments claiming to use NSA email addresses. And from time to time — though, given how chummy and long-established emptywheel’s comments section is and how closely we moderate obvious trolls, not all that often — people try to get funny with their log-in names. 

In this case I did take notice. I did so, partly, because of how he had left it, giving me a heads up that it was him, but doing so in such a way that only I would know it was him (as noted, he never did ask me what IP he had come in under and, as I said, I was never able to determine that). But it also made me rethink stuff that had happened between us going back to fall 2015 and earlier, especially because of what had happened starting on June 14, 2016, the day that the Democrats publicly announced they had been hacked by the Russians, when he tried to get me to change my operational security even as he seemed to be debating about going forward with something, which he referred to in terms of “tapping out.”

On June 14, 2016, the same day the Washington Post reported that the DNC had been hacked by Russia, Phil called me up and asked me to delete notes of conversations we had had going back to December 2015, notes telling a story about his life and motivations for being angry with the government that he had wanted me to tell after he died, which he claimed — starting in December 2015 — was going to be imminent. The next day, he claimed he believed he was being investigated by the FBI for the way he had narced out some people in April, which was his explanation for escalating levels of paranoia. That same day, he asked me to shift our comms to the Silent Circle text service, which would have put the texts beyond the reach of US law enforcement. This was at least the fourth effort he had made to shift to more secure comms than Signal and PGP email with me, including a highly inappropriate suggestion earlier that spring; each time, including this one, I blew off the request, because I didn’t believe these conversations were that sensitive or interesting. 

Starting at 3:12PM on June 21, the weirdness resumed. He asked me to change my PGP key, inventing a bullshit excuse, while explaining he was flipping his own keys. He showed me a traceroute on my site he had done, reflecting my recent addition of Cloudflare to protect the site (he had concocted an earlier traceroute in May 2016 that–I’m certain–was designed to make me paranoid). He advised me that when using a VPN, one should always choose a Swiss or even a Russian server. He told me he worked for a company owned by FSB’s founding fathers. 

Around 8:12PM on June 21, he claimed, “I am getting DDOSed like a motherfucker–is it you or ‘Gucifer’?” 

As far as I knew, he had no website to be DDOSed. As he surely knew, I didn’t have the capability to DDOS anything. It was just word salad invoking the newly unveiled GRU persona, but amid the other weirdness I didn’t make too much of it.

He then called me and repeated much of the story he had told me over the past six months, the story the notes of which he had, just a week earlier, asked me to destroy. In that retelling of the story, he would include several details about Russia (on top of the FSB founding fathers comment). He described a meeting he attended months before, overseas, one that (he claimed) members of Russian intelligence had also attended, where he had been physically beat up. Before that June 21 conversation, he had told me a version of that overseas meeting story at least 6 times, including telling me about the meeting in real time (in just two of those tellings do I remember him mentioning Russian intelligence, and precisely who in Russian intelligence he said attended was inconsistent). I’m not attesting that his claims about the meeting were true, I’m describing that he kept telling me about the meeting over the course of more than six months. 

Another detail in that June 21 conversation was the way he insisted to me, as he had at least once before June 14, almost plaintively, that he hates Russia. Phil told me that two of his most cherished possessions were trophies from interactions with Russia. At the time, I didn’t understand why he felt it was so urgent to convince me he really did hate Russia, but after the fact it seemed to be an effort to excuse himself, like emphasizing that he had been physically beaten.

There was a third story, too, another story about an interaction with Russia more alarming than the others, another one he had told me once prior to June 14. The story involved a moment when Russians held “a gun to [his] head.” I believe the story, as he told it to me, was a well-rehearsed lie, one he had told others. But if the lie served to explain away something else, it would be the kind of thing that might mean his comment might not be a joke, that he might have a role in the Guccifer 2.0 operation. 

In June, this felt somewhat stalkerish. I still had no idea why he was telling me this, aside from the fact he wanted me to tell the story of his grievances with the government, but he was also in a bad place and I was trying to make sense of it. The next day, June 22, between 12 and 5PM ET, we spoke again on and off. When I suggested I might be under surveillance to see how he’d react, he said there were no rules, saying that no one could back out of a deal (I had no idea what deal he was talking about). “360 degress of no rules, tap out is not an option unless (Apparently) you are a politician. But even then…”

The next day, June 23, just after 5PM, he told me he had been contemplating a line from a Cormac McCarthy screenplay: “The world in which you seek to undo the mistakes that you make, is different from the world where the mistakes were made.” He added, within that same hour, “I’m done. I don’t re-decide.” Phil was, obviously, a mess, but he was also done talking about ways out of whatever mess he was in. 

I broke off communication at that point for a period, but a week later, at 6:51PM on June 30, he was back. He told me he had “unfucked his problems.”

As weird as all this was, in those days in June, I was just observing, trying to figure out what had caused the sudden bout of paranoia, and honestly trying to figure out what he wanted out of me. I sure as hell didn’t think, at the time, there was a tie between all that and the DNC hack (remember, he was claiming — probably another lie — that the FBI was investigating him, which I assumed was what all the weirdness was about). 

But when I remembered all this on July 29, it made me reconsider whether there was a tie. As I’ve alluded to publicly in the past, it is why I spent six months on my part to test the Russian attribution for myself, to decide for myself whether the IC and Crowdstrike, along with people in tech companies and individuals who fought this hack personally with whom I’d spoken — were correct, that it had been the Russians, or whether what I took to be Phil’s suggestion that he or people he knew, without the Russians, may have been involved. Absent such an effort, I assume that certain other people who’ve interacted with Phil have, instead, taken the existence of an American body claiming to have been involved as enough to deny Russian involvement. That may be what happened with Roger Stone.

Once I was convinced about the Russian attribution in December 2016 and given a growing certainty I couldn’t test key parts of this story myself, I began to consider sharing it with the government in a way that protected both my identity and Phil’s. 

As I noted in the title, these events were just one part of the reason I went to the FBI in 2017, and not actually the most urgent reason at the time, nor the one I had most confidence in. There’s another part of the election year attack — one few people know is related — that I believed (and still believe) he may have had a role in, too. Those other parts of this story were, in 2017, an escalating, ongoing threat, which is part of why I ultimately chose to meet with two FBI cyber agents and a prosecutor from DOJ’s National Security Division, to stop ongoing damage if I was right. 

Now, four years later, it’s clear the details Phil shared with me in 2016 might be consistent with several details discovered in the Roger Stone investigation. Indeed, starting in August 2018, Mueller’s team appears to have investigated whether Stone had been co-present, in the US, with someone involved in this operation, and they also appear to have confirmed, after the Mueller team shut down, that Stone met with someone face-to-face at the RNC who gave Stone advance warning of the DNC drop. On July 15, 2016, Phil described to me flying east from the West Coast. 

More interesting still is the way that Phil’s activities over a key weekend in August 2016 overlap with Roger Stone’s. I won’t yet lay out how this timeline looks (I’ll return to it). For now, compare the one I did in this post to the timeline I lay out here. 

On August 12, 2016, the night that Guccifer 2.0 released DCCC documents the timing of which Jerome Corsi had predicted, Phil texted me at 11:32PM and told me he was thinking of going to the Trump rally that was scheduled — inexplicably, from a campaign strategy standpoint — in Roger Stone and Paul Manafort’s home state of Connecticut the next day. “Should I stay or should I go…” he said, but he already had a ticket. At 9:46 AM the next morning, he said it again. “Trump rally [in CT] tonight, thinking of swinging by.”

He did go, and made sure I had abundant contemporaneous record of it. At 4:21PM he told me he was close to the protest venue. At 4:33PM he told me he had put together an IMSI catcher for the event to track where the Secret Service had Stingrays.

Amid those texts, I told him that I had freed up the Guccifer comment at my site; I wanted to see how he’d react. “Haha-the mouthpiece,” he responded. “‘they’ are clueless as I’m fond of saying…” he added, which I took not only as confirmation that he did leave the comment, but also to mean that he believed the authorities misunderstood the Guccifer persona. 

It was an hour, though, before the calls started. From 5:57PM to 6:58PM, he kept calling me and sharing video of what he was doing at a protest close to the rally (as well as a screenshot of the IMSI catcher).

At the time, I thought he was hoping to film himself picking a confrontation with the cops that would go viral. I thought it was really stupid and started ignoring his calls. It was actually years before I reviewed all these videos. When I did, I realized that he was not interacting with any of the protestors. He was, instead, just badgering the cops, in really controlled fashion. He was filming the confrontations so as to catch their name badges. And then, each of several times he did this, he would back off and thank the cops for what they were doing. Those interactions would have left a handful of cops, whose names I’d have, who would have remembered him as the obnoxious guy at an event protesting Donald Trump. 

At 9:59PM, he told me the rally itself was done, he was not in jail, and his phone was intact. He showed me a document that he had picked up at the rally.

The next morning, August 14, at 7:22AM, he texted me a picture to let me know he was in NYC. That was the day Jerome Corsi claims he started a file named “Podesta,” that would eventually become posts that integrated documents publicly released in October. 

Again, I didn’t make much of this, as I didn’t make much of earlier events. 

Except that just over a week later, as part of a conversation from 7:56 to 8:28PM on August 21 (and so hours after Stone’s famous “time in the barrel” comment), he emphasized to me that I was the only one whom he had sent videos from the August 13 protest. Then he said there were more. “I have like 20 more vids before and after no one gets,” he told me. Something was interesting enough, both from before and after he attended the protest of the Trump rally, that was not only worth filming, but that was more sensitive than these protest videos.

Even as Stone and the persona Guccifer 2.0 were chatting away on Twitter over the weekend of August 12, a guy who’d just covertly signed his name “Guccifer2” on my site was at the Trump rally, taking videos of … something.

 Not immediately, but over time, I’ve wondered what might be on those videos.

On January 1, 2017, in the wake of Trump boasting that, “I also know things that other people don’t know,” about the Russian hack, I did a post wondering if what Trump thought he knew was the same thing that Craig Murray believed — that there was an American involved in this operation. I wrote, “I have a suspicion that Trump’s campaign did meet with such a person (I even have a guess about when it would have happened).” I had the rally in mind. Within 30 minutes after I published the post, after having not spoken to me in weeks (he later told me he had been overseas), Phil called me, but hung up before we spoke. 

Indeed, events that the investigation have since made public — including the confirmation that Roger Stone set about getting Julian Assange a pardon no later than 7 days after Trump won the election — made me revisit additional texts from July 29, ones I hadn’t even paid attention to in real time. 

On July 29, 2016 — the same day I was trying to figure out why this guy had just made a big deal of signing a comment guccifer2 — we had another conversation, one I believed at the time was unrelated, a discussion about what motivated Julian Assange. Revenge, I argued: the guy hates Hillary, going back to 2010. “Yes” Phil conceded, “but he has a puppeteer too — IDK who and maybe it’s just $ but.” Again, I was sure this was “sheer retaliation for him.” “You might be right,” Phil responded, “but there’s a political or $ way to get him out — please don’t lose sight of that…” I still didn’t buy it, and asked again why. “B/C if ‘I’ wanted badly enough for him to release that data in a manner that benefitted me, I could get him out and he’s damn sure in prison — where people do desperate things.”

On that day in July 2016, no one in public knew there’d be a second dump. Certainly, no one knew that, on that day and the next, Roger Stone was in conversations with Trump’s campaign manager planning how to optimize the next dump. “Good shit happening,” Stone told Manafort just over an hour before this exchange, before the old friends spent 67 minutes on the phone together on July 30, their longest conversation of the year. No one knew that Stone would turn immediately to getting Assange out of the Embassy at least as early as November 15, probably even before. 

But Phil, who had just made sure I knew he signed a comment Guccifer2, seemed to be sure of it before it all started. 

image_print
168 replies
    • BobCon says:

      There’s a guy on a public, general discussion list I read who reminds me of this guy. Not in the interests, which are mostly music as far as this guy talks about, but the same weirdly solicitous and antagonistic way he communicates.

      He’s dropped hints he also hangs out in the nasty corners of Reddit and the Chans, and there is definitely a type — I suspect he is at least making a stab at recruiting, but he also just has issues.

  1. lastoneawake says:

    Trying to infect you with their madness, involve you and compromise you.

    Glad you’re safely somewhere in Ireland.

    • emptywheel says:

      If I was right about this, Ireland is no safer. But at least Stone’s bullies aren’t starting riots in my state capital.

      • PieIsDamnGood says:

        Chorus feels relevant.

        Should I stay or should I go now?
        Should I stay or should I go now?
        If I go, there will be trouble
        And if I stay it will be double
        So come on and let me know

            • vvv says:

              ?
              It’s on *Combat Rock*, along with the song, “Straight to Hell”.

              I can’t verify the accent, but will note that they sing about Andalucía in “Spanish Bombs (*London Calling*) and named an album, *Sandinista!*

              • klynn says:

                Correct! My old brain got the album title wrong!

                I do remember an interview with Eddie. He said he and his mom sang the background vocals. He also noted their being Ecuadorian and that they sang the backgrounds in Ecuadorian Spanish.

      • John Paul Jones says:

        Huh. Interesting. To be honest, all I was thinking was it might pin down his age a bit; people soak up pop in their teens and twenties, mostly, and it tends to stick. So, hypothetically in his twenties in the early 80s.

        • DNA says:

          Pop? It was a popular song, but pop it ain’t. The only pop in The Clash came after that bastard Bernie Rhodes ousted Mick Jones and took over.

          Weird coincidence: Combat Rock is one of my absolute favorite albums, and it’s thanks to a post by Marcy a year ago, about the charges Roger Stone could have faced, that I realized municipal officials in my town committed federal crimes. Some day, I’ll thank her publicly.

      • Playing Thru says:

        Fun game, though possibly not for you. If his name starts with M, you, he and another prominent person gave too many hints in the last week or so.

        First time responding – been reading for about a year. I’m an architect, not a mind reader, but I do love a puzzle.

        Keep up the good work.

    • earlofhuntingdon says:

      Yep, not a question that Billy Joel or anyone who ever fell out of love would ask. Do agents fall in and out of love with their contacts or their projects? Asking for a drook.

  2. Rugger9 says:

    In a twisted way they felt you were enough of an influencer to “honor” you with this stuff. AFAIK you handled this well, and once Biden takes office this will be pursued again.

    • phred says:

      EW has a long history of attracting top tier trolls.

      Gotta hand it to you, EW, you hit the jackpot this time. Last time all we got was some good beer ; )

        • phred says:

          Yep : )

          Admittedly a flippant comment, given this post. But I couldn’t help myself ; )

          I am sincerely at a loss for anything intelligent to say about this new troll, though. He sounds simultaneously unwell (as in crazy), super anxious about your skill set (as in worried about being exposed), and yet yearning for someone to appreciate his genius/exploits. It’s hard to know what to make of it all. I hope in the end someone gets to the bottom of this whole mess… and I hope I live long enough to read about it : )

          • emptywheel says:

            You are, as always, wise, Phred. That describes him quite well. Whether or not there’s a tie between him and the operation.

            • phred says:

              Thanks for the compliment : )

              I look forward to the next part, I suspect that will shed more light, even if there remains more to learn…

            • Peterr says:

              That’s also a good description of someone who’d be a prime target for recruitment into an operation like this . . . yearning to be told how smart/important he is, nervous at being caught out (and therefore would try hard not to be caught), and less-than-mentally healthy (because if you were sane you’d head for the hills).

          • BobCon says:

            He sounds very much like the kind of person who follows the supposed deep thinkers Bari Weiss lauded as the Intellectual Dark Web.

        • readerOfTeaLeaves says:

          I always took Jody (or was it Jodi?) for a Rove subcontractor.
          ‘Phil’ almost sounds like a gamer employed by Erik Prince, or RNC subcontractor that coordinated with Stone, Manafort.
          Phred’s perceptions seem astute.

          I prefer the old Jody/i, who seemed like a personality disordered loon in simpler times.

          I do find it weird that ‘Phil’ showed up after you rolled out a new site; as if trying to test the new system. Uber creepy.
          These waters are too deep for me.

          • Ken says:

            Yeah, when I was reading her account, I was thinking he is of the “private contractor” persuasion. I wouldn’t be shocked to find out he is one of the guys going to different cities inciting/performing vandalism to discredit BLM while dressed up as “Anitifa.” I put it in quotes, because it’s not an actual organization with a set of defined leaders and goals.

  3. omphaloscepsis says:

    Spooky.

    Perfect story for Hallowe’en.

    Jamie Lee Curtis would make a great MTW in the film version.

    Donald Pleasence is no longer available, but couldn’t be nearly creepy enough to play Phil.

    • earlofhuntingdon says:

      Alan Cumming, with a little acid, without his sense of humour, and riffing off his Golden Eye persona.

  4. AndTheSlithyToves says:

    OMG, Marcy! You have nerves of steel and the patience of Job. I’m about halfway through Strzok’s book, and I still can’t believe how close to the precipice we still are.
    Apropos of nothing, Trump’s 70th birthday was June 14, 2016. Maybe Stone thought his Hillary rat-f*ckery would be the kind of “funny” birthday gift a dementia-addled, mobbed-up narcissistic sociopath like Trump would get off on.

  5. N.E. Brigand says:

    Well, that’s a lot to take in. I can see why you held off on sharing this information publicly for so long, and despite your being so thorough, it’s hard for me to know what to make of all this.

    One thing that strikes me again, as a Clevelander, is how much skullduggery was apparently going on here in July 2016. I work downtown, not too far from where the RNC was held (just outside of what was a restricted zone), but we gave our staff off that week (instead of the usual week off we give them around July 4th) so that no one would have to deal with protests or counter-protests. That turned out not to be much of an issue. I had to pop into the office a couple times, which presented no difficulties, and early on the evening Trump was due to give his acceptance speech, I took a ten-block stroll just to see the goings on. There wasn’t much to see: far more police than participants, probably a couple dozen stationed on every street corner and looking bored. I bought a cheap “RNC 2016 CLE” button from a street vendor.

    In fact, the only hint I got of any machinations behind the scenes–and these were of a different kind entirely–came a few days earlier. Returning on an overnight Greyhound from NYC on the Saturday evening preceding the convention, I traded seats with one of a group of Never-Trump Republicans. (I remember joking that I would do so only if one of them would agree to vote for Clinton.) I wasn’t going to sleep well on a bus regardless, but the experience was even more miserable because they spent the whole eight-hour trip talking just behind me: they were strategizing what sounded like plans to block Trump’s nomination. Obviously that didn’t work out.

    • emptywheel says:

      Yeah, I’m not saying this is proof. It totally lines up with the Stone timeline. But that’s not proof (and I think my rat-fucker rashomon “proof” that they had the Podesta files on August 14 (or at least by August 28, as Manafort said) is not yet proven until one has the forensics.

      • BeingThere says:

        There was some simultaneous activity on 28 Aug 2016 across in Europe, so about 7h ahead of EST. Something was going on with Kushner, McFarland, Gorka, Kislyak.

        Re your expressed interest here:
        https://www.emptywheel.net/2018/12/29/someone-has-already-been-charged-for-most-of-the-actions-the-steele-dossier-attributes-to-michael-cohen/#comment-765557
        The Eastern Europe boats and planes has been of interest since 28 Aug 2016 after observing the above group who turned up in hotel lounge in Budapest late morning of 28 Aug 2016. Their party appeared to comprise of J Kushner, KT McFarland, two who closely resembled S Gorka and Kyslyak (speaking Russian together), and an elusive firth person (a couple of guesses as to who from appearance & research). Their conversation on arrival was about what Trump wanted, needed, and what they had got to do for him – KT McFarland stating “Trump wants this. Trump needs this. We’ve got to do this for Trump.” Discussions continued for around an hour.

        The Rybolovlev plane fits into the timeline, it’s mentioned in the released House’s Simpson interview (pages 113-115 of the PDF), with its trip from the Hamptons area to Nice, Dubrovnik, and Budapest.
        https://docs.house.gov/meetings/IG/IG00/20180118/106796/HMTG-115-IG00-20180118-SD002.pdf

        An interesting aside here there’s a lot if common activity between Brexit (that had just happened), the US election, and Orban’s upcoming election (which used identical billboard artwork from Cambridge Analytica backed brexit pro-leave movement but with text replaced for Hungarian). The hotel above overlooks the Hungarian parliament building across the Danube.

  6. Savage Librarian says:

    Of the various Trump-Russia figures we have become acquainted with over the years, the first that popped into my head when I heard this story about Phil is Sergei Millian. Then, when I thought about the name Phil, I thought of the infamous British double agent, Kim Philby. Yikes. Obviously, I could be totally wrong. Hopefully, things will settle down before too long.

  7. elise says:

    thanks, marcy. my headache’s gone now!
    {loving the “one step” affidavit post, too.}
    “Project: Roger Stone Trial” – still locked ?
    would love to be able to access. regards.

    • ButteredToast says:

      Probably tied to the EV of Nebraska’s 2nd Congressional District, which is competitive (Nebraska and Maine both award an EV for each of their districts).

    • Pardon my French says:

      Maybe because “Honestly, it’s not for everyone” is one of the slogans used for promoting this State. Or because large portions are flat and thus you can see your ennemies coming from afar. And it’s rather central. Or simply because there is a lot of fishing and hunting to be done. Or because ‘Nebraska’ sounds like Russian.

      [Welcome back to emptywheel. Please use the same username each time you comment so that community members get to know you. This is your second user name; your nom de plume last used was “Frenchie.” Thanks. /~Rayne]

    • LowPlainsGrifter says:

      Not only NE2, but also its close proximity to IA4, Steve King’s old district. TV coverage goes across state lines.

  8. joe says:

    Wait! Gucifer 2, or G2, or GG, short for Glenn Greenwald! What if Greenwald has been playing the idiot to disguise himself!

    • Doctor My Eyes says:

      I read a memorable post from a site I can’t find now comparing the mild treatment of GG after the Snowden leaks with the consistently vicious treatment of a line of other people who had facilitated leaks. Sorry I can’t give a link.

      • Doctor My Eyes says:

        Meant to say, I pray for your safety, Marcy, and I pray for our country and indeed all of humanity. I’m awake at night a lot these days, fretting over so many troubling indications of malevolent forces at work. Here’s to basic decency and to good, brave people like you.

  9. Tom R. says:

    I do not understand the bit about the IP address. Was he trying to impress you with his ability to obfuscate his IP address? Did he think that qualifies him as some sort of dark wizard? It doesn’t impress me. It suggests to me that he’s a gormless poseur.

    It makes me wonder who *his* puppeteer is.

      • Peterr says:

        “But wait for the follow-up bc there’s another possibility.”

        When Marcy gives a heads-up like this about a future post, it is usually not good news for somebody. Or several somebodys.

      • tvor_22 says:

        My first thought was they were trying to prove to you that metadata can be faked? But there was no follow up, and it all just amounted to creepiness? Reassuring to know there’ll be a follow-up post!

          • tvor_22 says:

            Reticent? With regards to what?

            His post (in the screenshot) literally says “One phrase. Show me the metadata.” then by including the g2 email and considering you mentioned conversations disputing g2’s attributions, isn’t it clear they’re trying to prove that metadata can be faked?

            If by reticent you mean lack of response to this article I’m still digesting it. I’ve read it about three times and and going over everything I have. I already made it clear I’d stop throwing shit at the wall WRT asking about who this might be ages ago. If anything this has made me rule people out in the circle of people I think could have been involved, except for a couple of VIPS people, one of whom also happened to be at the Dec 10 2015 trip to Russia with Stein and Michael Flynn, etc, but his name is left out of the Steel report on the subject. Again I don’t want to just throw out names like some kind of weird quizz or something. I’ve been patient for, what, three years now?

            • Rayne says:

              Marcy will answer when and how she wants to, but I’m going to stick my two cents in here and remind you and anyone else chomping at the bit about content and answers to questions this site owes no one anything.

              • tvor_22 says:

                Sorry. I got overly defensive with being called reticent. I wish I could edit my comment and delete the last paragraph (just a stream of impotent frustration at myself, really) and dejerkify my tone.

          • Alan Charbonneau says:

            I’m not sure where he’s going or if this is relevant, but the Seth Rich hoax was fueled, in part, by the GRU manipulating metadata to try and prove that the emails could have been stolen by an insider at the DNC.

            computerweekly: 31 Jul 2018 9:25
            “Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links”

    • cleek says:

      i assume the whole point of that was to make sure emptywheel had the IP and knew how to find it. he wanted to know she could identify his messages by IP because he was deliberately leaving a trail. just like the cop videos were a way to tag him at a place in time (you can verify those particular cops were there at the time, if you needed to). it’s all about providing ways to establishing that he (or this persona, at least) did this, said this, at this time and this place.

  10. Valley girl says:

    I see GG is mentioned above, but not in the way I was thinking. More like “were Phil and Greenwald also regularly in communication?” …and Greenwald bought off on it?

      • Valley girl says:

        so… was GG an actor (I mean as a force, not one who is “acting), a dupe, or…??? in Phil’s mind games (or whatever)? and more, of course

      • earlofhuntingdon says:

        Or another potential source, or outlet for planted views. With hindsight, and unexpectedly, GG seems more susceptible than EW.

          • earlofhuntingdon says:

            No. I misspoke by using the wrong comparison. That you are Not susceptible was never in doubt.

            What was surprising was that a former NYC litigator and First Amendment absolutist was susceptible and now, apparently, welcomes whatever it brings him. His recent work suggests he’s been persuaded those talking points are accurate and newsworthy, and that any criticism of them proves them true.

            I have no explanation for that or for the work of the other two members of the strangely popular three-person anti-Russia conspiracy godhead: Matt Taibbi and Aaron Mate.

            • earlofhuntingdon says:

              Carrots and sticks are often involved.

              As for the popularity of their alternative three-person-in-one-god bit, I am dumbfounded that on some normally rational sites, they are regarded as infallible and able to walk on water.

              • Eureka says:

                I’m just LOLing because poor M Tracey can’t even get into this conversation (Western things do come in threes, after all, squeezing him out of this tier), just like he couldn’t get in to see Bon Jovi at the Biden rally.

            • Ken Muldrew says:

              My guess is that he went all in as an advocate for some higher purpose than his own reputation. What it is, I have no idea, but he probably thinks that when the dust is settled, he can recover his integrity because he was only performing as an advocate, not as an ideologue.

              Different venues have different rules, however, and this isn’t a courtroom.

          • Xboxershorts says:

            I’d say less susceptible to being drawn into an influence operation.

            I have my own reasons for believing the Crowdstrike report. Not because I have any sort of measurable insight into cloak and dagger operations. But because I do network engineering for a range of clients who all use Firewalls and all those firewalls take advantage of Crowdstrike professional security services and in the realm I work in, reputation is EVERYTHING. And Crowdstrike would not make a false attribution for a security event as public as the the DNC/Podesta/DCCC hack.

            But GG has made a cottage industry out of obfuscating and throwing shade at Crowdstrike’s attribution, and though I had made that point many times directly to him, re Reputation being Everything, he ignored me.

            Of course, why respond, I am, literally, nobody…except to my family and clients.

            GG has much more of a story to tell, of this I have no doubt. But Crowdstrike’s reputation is firmly intact. GG’s is not.

            I have him on permanent ignore now.

  11. d4v1d says:

    I won’t say what I think this was (because I’d probably be wrong, and I would be deep into Dunning Krugerland) – but I would be very surprised, as I manage several websites and administer more, if you couldn’t locate the IP logs if looking with some intention. But as a stalker he was using a vpn or tor so whatever IP was logged wouldn’t mean much without some law enforcement superpowers, so it would have been a waste of your time digging them up – your work here is far more important!

    • emptywheel says:

      Both my developer and another security person tried but were not able to recover it. I assume it’s possible but at that time we had just rolled out the new site, with Cloudflare, and so my settings weren’t such that the IP transferred in.

      But you’re right: he was a master VPN user, so it would have been useless UNLESS he wanted me to know what VPN he was coming in from. Stay tuned.

      • Tom R. says:

        1) VPN is not appropriate technology to defeat tracing. It’s hardly better than no obfuscation at all, especially for somebody who thinks the FBI and/or FSB are interested in him.

        2) Anybody who plays this game in the Tee-Ball Division or higher would use Tor to obfuscate their IP address. The Tails portable operating system is the easiest good way to do that.

        3) Tangentially related: Journalists who want to communicate with confidential sources should set up SecureDrop. Tor is the main ingredient, but there’s more to it. It’s not particularly easy to set up, but once it’s set up it’s easy to use, for both sender and receiver.

        • earlofhuntingdon says:

          It was “Phil” who went on about using a VPN as a security measure, an elementary step. I’m pretty sure EW and those she relies on for IT security could give you a seminar on the subject.

          If Phil had been working for Russian interests, it’s unlikely he would suggest EW take steps that would be hard for him or his patrons to get around.

  12. subtropolis says:

    Fascinating. I think I’ll need to re-read, though. I’m probably not alone there.

    I don’t consider Phil’s remarks about springing Assange in return for hosting the files to be all that noteworthy. There’d been plenty of speculation about that when WikiLeaks first joined the anti-Clinton ratfuckery.

    Have you ever met “Phil” in person? Are you certain that he is an American? Does Shaltai Boltai mean anything to you?

    “I had promised myself I wouldn’t let another election pass without sharing what happened.” In fact, i had the approaching election in mind when I prodded you about this a couple of weeks ago. Whether my query had anything to do with today’s post is neither here nor there, though. (At least I got called a prick by angry bmaz for doing so. Badge of honour!)

      • Molly Pitcher says:

        An American who used to be in the IC at some level that ultimately was not the level he wanted. Was this a play for respect that had been denied or revenge ?

      • Molly Pitcher says:

        I find his presentation of the sparkly thing that is his ” visit to the Trump rally” interesting. He seems to me to be trying awfully hard to establish an alibi. Or at least the appearance of his appearance somewhere he possibly was not.

        What do you think he thought you would do with this information ?

        • BeingThere says:

          Match up those shared video clips with various officer’s body-cam footage, to get a face ID perhaps?

        • emptywheel says:

          I think alibi is one possibility. One of the things that made this very confusing is he was ALWAYS very anti-Trump. So I could never believe he would be involved in something that would help Trump.

    • BobCon says:

      I ‘ve been struck by the number of jerks on Twitter who treated this as a simple case of ratting someone out, which didn’t make sense from the beginning, and now is clearly not what was going on. Obviously this was a tough situation and decision.

      • tvor_22 says:

        This has always been interesting, because said jerks are acting like they have inside information–like this Phil person has been providing them an explanatory narrative behind the scenes–one that has poor old Phil being unjustly thrown under the buss.

  13. PhoneInducedPinkEye says:

    It certainly sounds like someone suppressing glee over some action they are itching to boast about but can’t.

    Their faith in VPNs and Tor to cover their tracks from presumably nation state intelligence services is cute.

  14. Mulder says:

    “…Those other parts of this story were, in 2017, an escalating, ongoing threat, which is part of why I ultimately chose to meet with two FBI cyber agents and a prosecutor from DOJ’s National Security Division, to stop ongoing damage if I was right.”

    Standing by to find out if you were right about the threat and that if so it was indeed stopped.

  15. Mflat00 says:

    Is the ongoing escalating threat you mention the Shadow Brokers? From your disclosure footnotes at the beginning of the year I became convinced they were involved. Fits the timeline, and they are a part of the election attack.

    I’m at long time reader, first time poster. Thank you for all the work you do.

  16. Joe S says:

    Regardless of whether Phil is a good person and/or tips the waitstaff well, he was right that you should roll your PGP keys regularly.

  17. earlofhuntingdon says:

    The Senate gives its consent to ACB joining the Supremes. She will be a member as soon as Trump signs her commission and she’s sworn in, presumably this evening at the White House.

    Ms. Pelosi avoids, at length, answering Chris Hayes’s question about what she would support in response to it. Every politician is avoiding questions like that until after the election. But an awful lot of them will keep finding some reason to avoid them period. We’ll have to keep up the pressure to make that a politically unsustainable position.

    • P J Evans says:

      I hope voters remember them rolling over and playing dead for Mitch and the Federalists.
      I also hope that everyone involved remembers that she was never vetted, particularly when her past comes back to bite her.

      • Marc in Denver says:

        The revenge of the Ghost of Abe Fortas? Maybe to be visited on her and Bart (who paid his debts?)?

    • P J Evans says:

      For those interested: 51-48, Harris not voting. Murkowski and Collins voted against, as their votes weren’t needed to push the nomination through.

      • earlofhuntingdon says:

        The de facto fence sitting by Collins and Murkowski should be dealt with severely by their home state voters.

      • Peterr says:

        It was 52-48 and Harris did vote, with only Collins voting against. (Your numbers/names were from Sunday’s cloture vote. Murkowski voted against as a statement about the process, but once the process hurdle was passed, she had no problem seating ACB.)

    • PhoneInducedPinkEye says:

      For sure, need to pester our reps about this. Some of them still think there is a ‘process’ electorate. Some of them have been in office too long.

    • earlofhuntingdon says:

      Swearing in at the White House – a Trump feature – destroys another norm. Justices are normally sworn in at the Court, signalling that they join an independent branch of government. In TrumpWorld, all that counts is fealty, hence, the new justices come to the White House to receive their laurel leaves.

      The Senate vote count I have is 52-48.

    • harpie says:

      Mark Joseph Stern is ALARMED:

      https://twitter.com/mjs_DC/status/1320873994032205824
      7:44 PM · Oct 26, 2020

      Holy shit—Brett Kavanaugh just endorsed Rehnquist’s concurrence in Bush v. Gore, which was too extreme for Kennedy or O’Connor. This is a red alert. I can’t believe he put it in a footnote. This is terrifying. [link] [screenshot] [THREAD]

      To keep from raging on here, I’ll be adding this to my bunches of comments on Rayne’s Debate post.

      • earlofhuntingdon says:

        Let’s ask again. Around the time of his appointment to the Supremes, who paid over a million and a half for Brett Kavanaugh’s home mortgage (about $1.2 million) and credit card (about $250K) debt, and country club dues (about $100K)?

        • Dopey-o says:

          I would be interested in Sen. Whitehouse leading the charge on Kavanaugh’s financial windfalls. I’d also like to see the 93,000 pages of hidden legal writings. And Ms. Blasey-Ford might like to come back and bring some witnesses.

          I’m not saying we should …. impeach ….. Kavanaugh, but sunlight is reputed to be the best disinfectant.

          And it’s quicker than the whole de-compress the Court controversy.

  18. Worried says:

    Can’t thank everyone here at emptywheel enough for the amount of knowledge and wit that is shared.
    I anxiously await the next installment of this saga and hope the illumination of the dark spaces in the tale helps to explain what we all have witnessed these past 4 years.
    Today I was inspired to check out Jabberwocky, review CrowdStike, The Clash (one of my all time favorites), gormless, Signal, Cloudflare, DDOS, etc.
    Thank you Marcy and the rest.

    • rosalind says:

      (definitely heading to my office today to spend time with my record collection and my “Combat Rock” LP…)

  19. dadidoc1 says:

    I get the feeling that Glenn Greenwald is somehow compromised and that Emptywheel might know how. It troubles me that the discussion that Emptywheel had with the FBI agents and DOJ are known by Bill Barr and his minions.

    • earlofhuntingdon says:

      You raise two separate questions: whether GG is somehow compromised by powerful forces, and whether EW knows about it. You can have one without the other or neither.

      • readerOfTeaLeaves says:

        I feel like a dolt about many things in life, one of them being that I’d assumed GG legit.
        Bad judgement on my part 8^((

          • readerOfTeaLeaves says:

            O.M.G.
            You are a treasure.
            I love singing your poems to myself ;^)))))))))))

            As for GG, “Fool me once, WTF were you thinking trying to fool me twice, you absolute PO$#1T”.
            Now that we’ve unloaded that asshat from our collective information zone, perhaps we can hope for more clarity going forward. We’re going to need it.

  20. BeingThere says:

    Marcy, the comment in the screenshot after “Starting at 3:12PM on June 21” includes a phrase “Quadruple blind -“. Any thoughts if this is abbreviated / translated slightly differently could be tied with the Q anon misinformation?

    • dadidoc1 says:

      According to gomerpedia.com: A quadruple-blind study is type of clinical trial where no one knows what the f**k is going on: not the patients, not the clinicians, not the statisticians, no one.

  21. PhoneInducedPinkEye says:

    2017… Assange, Stone, ongoing threat…

    Does Vault 7 & attempted leverage for a pardon/commutation come into play in this scenario?

    • Eureka says:

      I assumed that (Schulte case) was the implicit reference (was also wondering if ew suspects Phil as courier for that operation).

  22. Eureka says:

    All I could think of when you relate that July 29th convo re Assange motives was your post (I think 2019 but can’t find it rn) on how Assange really wanted that exclusive over Emma Best (the post itself left me with the sense that Assange needed to keep hold of that power/leverage).

    I continue to wish for your continued safety and security. Heavy stuff. Heavy, heavy stuff.

    And I’d wanted to add that I really have loved your “Rat-Fucker Rashomon” series. I felt the pace/tone/style changing, but never would have guessed it would route into this.


    Apropos of the change in Trump’s tone then, just wanted to mention the August 12, 2016 Altoona Rally (filed @ hippo as the “Altoona Looney Tunes Rally”). Came back to mind during your RFR series. He went nuts with the Manafort MO rhetoric (then that weekend (@ party in Hamptons, I think) is when Mercer (pere?) et al. convinced Trump to bring in Bannon and Conway. Don’t have my links handy to pull these back up. Maybe the the campaign was frisky with diabolical excitement…

    Point being, I have always seen that as a turning point (and there were A LOT that weekend and into the next week) independently of your news here, and given that news re Phil’s behavior around the next day’s CT rally, it rears up as possibly meaningful in the big pix.

  23. Oxcart says:

    Jesus.

    Phil’s reference to a “tap out” is really suggestive. Someone with personal background in wrestling, and probably an understanding of the importance of wrestling and martial arts in certain Russian circles.

    Considered with Phil’s performative, attention-seeking behavior at the protest (well-practiced) and love for The Clash, along with some other details and Phil’s written voice, it does make me think.

    You weren’t kidding when you said that people would be surprised by the identity of your source.

    Thank you for your work. Stay safe. Try not to look for stolen paintings over there, okay?

    • BobCon says:

      There are a lot of ironic wrestling fans among online Scott Adams types. They feel validated by dropping hints that they get Kayfabe in a way that lesser minds don’t.

      • Oxcart says:

        That’s true, but one of the people I’m thinking about was a wrestler when he was young. He was pretty good at it. He’s a wannabe in other respects, somewhat desperately so.

      • John Lehman says:

        …but…but…when we got our red hats, you’d only get one if ya knew pro wrestling was real…there’s no such thing as Kayfabe

        “….some of the people all of the time “

    • tvor_22 says:

      Huh. The reference to trophies and Russia makes me think you’re right. I thought “tap out” might also have been to do with taking their own life (a common psychopathic way of getting sympathy and manipulating people).

      The more I read this article the more I realize I probably have no fucking clue who this person might be.

  24. punaise says:

    Oh, my. All of this cloak and dagger intrigue far exceeds my capacity to comprehend. *Fascinating* is probably too glib. Thanks for sharing what you can, Marcy.

    • John Lehman says:

      “All of this cloak and dagger”,… smoke and mirrors, spy vs spy, mental illness’s….”intrigue far exceeds my capacity to comprehend.”
      Mine too.

      God bless you Marcy for all your wonderful efforts to explain and expose the truth.

  25. greengiant says:

    4 layers of indirection to which part of the FSB? The CDC of which 3 members Mikhaylov, Georgi Fomchenkov and Dmitry Dokuchaev were arrested in December 2016? https://krebsonsecurity.com/2017/01/a-shakeup-in-russias-top-cybercrime-unit/
    Kimberly Zenz is reported suspecting this was part of an internal FSB or FSB unit vs GRU conflict
    https://www.thedailybeast.com/kremlin-accused-her-of-being-a-us-spy-she-offered-to-go-to-moscow
    Only suggesting certain possibilities with out any implications of truth.

  26. nopseudo says:

    Dear Marcy,
    Love your analyses and that of your smart EW readers. First time commenting on the site, although I am myself an avid EW consumer.

    When thinking about GG, I keep coming back to Crowdstrike and the murky timeline of their initial work for the DNC (hired on April 29 but paid May 5 + unclear if anti-malware platform Falcon was installed on DNC’s computers on the 5th or before as discussed here: https://www.vpro.nl/argos/lees/nieuws/2018/Timeline-EN.html).

    As mentioned in the Argos timeline: “it stands out that more than half of the emails released by WikiLeaks is sent later than May 5: after CrowdStrike installs Falcon”. “In addition to Falcon, the DNC used Overwatch, a service where an elite team of CrowdStrike cybersecurity experts monitors the servers 24/7….. with Overwatch in place, CrowdStrike must have witnessed it if Fancy Bear created new malware and accessed the DNC server. And if thousands of emails were exfiltrated, they should have seen that as well.” All this to say that Crowdstrike seems to have done an exceptionally lousy job at protecting the DNC…to the extent that one might question the intent.

    I know that might sound crazy but what about Crowdstrike=GG ?

    A certain Crowdstrike CTO would fit some of the description you provided for Phil (not republican & not somebody who has any ties to Trump, male, American, you had a journalistic relationship with him as your tweets posted on a January 4 2017 EW entry attests, …). He would obviously be an excellent source of information about cybersecurity for the awesome reporting that you do, beyond the possible trolling and the potential digital threat considering his expertise. His senior fellow position on the Atlantic Council might have possibly provided him some insight/intel into the Flynn/Al-Assad Syria deal.

    I can’t reason why he would play such a double game.

    Anyhow, my 2 pennies and likely single comment on EW, as those deductions might be naïve and completely off target here. If that’s the case, please do not hesitate to trash my entry. If I am correct however, I now understand why you believed that reporting the story at the time might do more harm than good.

    Looking forward to reading more of your excellent analyses and insight.

  27. Mike Sax says:

    Fascinating info Marcy. Was ‘Phil’ originally just a commentor on EW? Certainly wonder what his cryptic suggestion that “I” have something on Assange was about. Do you think he could have a connection to the real G2?

    Look forward to any future revelations regarding this enigmatic story.

  28. Coyle says:

    I see two possibilities.

    In the first scenario, “Phil” has a serious nerd crush on our host, whom he sees as a kindred spirit. Unfortunately, because “Phil” is also a seriously messed up individual he can’t just come out say what’s on his mind. Instead, he engages in a kind of passive-aggressive mating display, hinting at information he may or may not have, showing off odd bits of high-tech hackery and spycraft and generally making a nuisance of himself — but not so much as to cause a complete break. Could be a a disillusioned Wikileaks hacker/programmer/supporter.

    In the second scenario, “Phil” is an actual operative specializing in political dirty tricks for the RNC, the Trump campaign, Russian intelligence, Erik Prince, Mossad, and/or the Turkish or Saudi governments. In this case, his goals are probably twofold: keeping tabs on someone with known sources inside the American IC while muddying the underlying narrative of Russian election interference.

    The scary thing here is that you have someone or more likely a group operating in the US with the goal of supporting foreign disinformation, etc. (Of course that pretty much describes the current US administration and GOP.)

    P.S. Is there any evidence of a Roger Stone-Alexander Torshin connection? Asking because Torshin has reputed ties to the FSB and the Russian mob, as well as the RNC and the NRA. He also had at least one other spy — Maria Butina — on his payroll.

  29. Malaclypse says:

    Thanks for the important work Marcy. I just set up a monthly subscription to support the work you’re doing, which I should have done long ago.

    • bmaz says:

      Chelsea Manning was held in contempt because she was truly in contempt. Ridiculous, illogical and total contempt.

    • emptywheel says:

      The superseding indictment against Assange adds additional overt acts involving Manning. In addition, it fixed a date from her sworn statement at the courtmartial. Both would be things they wanted her testimony on, thus a proved need for it.

  30. mike mckeown says:

    What ever happened to this “guy” this seems like a near smoking gun? Why wasn’t he arrested?

    • emptywheel says:

      TO be clear, I still don’t know whether I was right or not. When I called Mueller’s office, they took 5 days to answer, 3 of which were active discussion, involving multiple players on the team. So they took it very seriously in July 2018. Then they took a bunch of steps that would be consistent to investigate this.

      That said, this guys OpSec is good, and if Miller’s testimony corroborated this story, they didn’t get that at least until May 2019.

      • JPW says:

        I’m trying to make sense of how Andrew Miller’s testimony might corroborate the story about Phil.

        According to your 9/2/20 post the FBI asked Andrew Miller about someone who may have met with Roger Stone at the RNC in 2016, someone who Miller recognized but knew under a different name. In a post from 1/1/17 you wrote that “If [Craig] Murray met an American claiming to have done the hack, then Trump may have too….I have a suspicion that Trump’s campaign did meet with such a person [an American cut-out] (I even have a guess about when it would have happened).”

        Did you suspect (on 1/1/17) that Phil met Stone at the RNC in July 2016?

        From reading this post, however, I thought you might be implying that Phil met someone at the Trump campaign rally on August 13, 2016. Perhaps Stone, whose home state it was (and if so did Phil (secretly) video this meeting)? So that’s two possible contacts between Phil (the American cut-out) and the Trump campaign.

        Also, Phil was in NY on August 14, 2016, which (if I recall correctly) is where Jerome Corsi stayed for a week after his return from Italy on August 12. Did Phil meet Corsi in NY? And was it the same American cut-out who met Craig Murray in September 2016?

        Thanks for all your work.

  31. ckw says:

    I wish for those of us who don’t follow this very closely that you’d include a few lines for lay readers summing up the import as you see it.
    I did take away from this that you did not share the identity of “Phil” with the FBI and that you in fact took measures to protect him? Is that the case?

Comments are closed.