April 9, 2023 / by emptywheel


The Thug Shaker Leaks

Until someone comes up with something better, I’m going to call the leaks of printed out briefing slide decks via social media, described in updated reporting from NYT, WaPo, and Politico, the “Thug Shaker Leaks,” after the Discord server via which, Bellingcat reports, the earliest known instances of the leaks were known to be disseminated.

Bellingcat spoke to members of a separate Discord community who claimed that other images had been posted earlier on yet another, since deleted, server often called “Thug Shaker Central” but which also had several other names at different times. Image files shown to Bellingcat detailed a further document in the same style and formatting of those posted in the WowMao server that was dated to January 13.


The Thug Shaker Central server was originally named after its original founder, one member of the server with the username “Vakhi” told Bellingcat. Server administrator duties then passed through various users before a new member took on the responsibility and it went through one of many name changes. Vakhi did not want to name this person but said they were the original source of the leaked documents. According to Vakhi, and two other users who spoke to Bellingcat but declined to be identified by their usernames, the files that were leaked onto WowMao are only the “tip of the iceberg” compared to the quantity of documents posted onto Thug Shaker Central.


However, Bellingcat was able to confirm that Vakhi and the other users who spoke to Bellingcat, as well as another who shared documents on the WowMao server, were part of the Thug Shaker server given that they shared member lists with Bellingcat which matched in key details.

Their accounts of the server’s general nature also independently coincided. The name of the Thug Shaker server frequently changed, sometimes to that of a racial slur, and had around 20 active users making up a tight-knit community, members said. Posts and channel listings show that the server’s users were interested in video games, music, Orthodox Christianity, and fandom for the popular YouTuber “Oxide”.

This server was not especially geopolitical in nature, although its users had a staunchly conservative stance on several issues, members told Bellingcat. Racial slurs and racist memes were shared widely.

The leaks first received wide attention last week after some copies were distributed on Twitter and altered versions started circulating on Telegram. Those initial discoveries pertained to Ukraine, but as yesterday’s reporting lays out, there are also documents showing our spying on Israel and South Korea and other partners (though some Israelis, like Yossi Melman, deem the claims about Mossad backing the anti-Netanyahu protests to be a clear sign of disinformation).

I have only reviewed one document and I’m not chasing down the dissemination pattern.

But I wanted to make a few comments. First, this is one of the most damaging theft-and-leak campaign targeting the US Intelligence Community since Julian Assange was arrested four years ago (though there have been campaigns targeting cops and other parts of the NatSec establishment). It feels similar to Assange-adjacent leaks — the kinds of document someone cultivated by claims of the Deep State might be induced to steal with little to no understanding of what they’re taking.

And Bellingcat’s description of the culture of the Discord servers — conservatives with an interest in Orthodox Christianity with a propensity to use racist slurs — sounds like the kind of people who might be cultivated in the wake of Donald Trump. Indeed, it’s worth remembering that DOJ has arrested at least five members of the military who retained access to highly classified documents after the insurrection, including a Navy Reservist who worked at NRO who will be sentenced this week in EDVA for possessing some silencers, and three Marines who had expanded their access to SIGINT after the attack. Perhaps for investigative reasons, DOJ seems to take longer to arrest such people. And those are just the guys who decided to participate in the insurrection. There must be far more where they came from, and their allegiance to Trump may lead them to deliberately undermine US support of Ukraine. To be clear: there’s no hint that any of the known Jan6 defendants used their access to classified information to leak damaging information. They are, however, ready examples of the kind of disgruntled service members who have access to incredibly sensitive intelligence.

I think it’s at least possible that the form of the leaks — pictures of folded up documents with identifiable objects in the background — may be the opposite of what people take them for: opportunistic theft by someone unskilled who just released them on a lark. I think it’s at least possible that the form of the release — images that obscure the flat face of the documents and have background noise. in them — may make it harder for the IC to find them by scan.

And perhaps some of the most salient points about the leaks came from Mick Ryan, who describes not just how much time it’ll take the IC to do damage assessments and try to find the leaker, but notes that this will undermine the trust that the Biden Administration has fostered with allies, particularly Ukraine. A key part of the success in Ukraine thus far has derived from increased intelligence sharing. And this will put a sharp halt to some of that.

So in addition to telling adversaries — the Russians, but also the Iranians and Chinese — about US sources and methods, it will have a detrimental effect on the trust that has been a key part of US support for Ukraine in the last 14 months.

Copyright © 2023 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2023/04/09/the-thug-shaker-leaks/