Hunter Biden’s Matryoshka Cell Phone: How the IRS and Frothers Got Hunter’s Encrypted iPhone Content

Believe it or not, what sent me down the rabbit hole of Hunter Biden’s “laptop” was not the laptop itself.

It was a cell phone.

Or, more specifically, it was two details in purported IRS whistleblower Gary Shapley’s testimony. First, after introducing summaries from some Hunter Biden WhatsApp chats — summaries that, Abbe Lowell claimed, got the most basic details wrong — Shapley explained that the chats didn’t come from the laptop itself, they came from a warrant served on Apple for the iCloud backup to which they were saved.

Q Could you tell us about this document, what is it, and how was it obtained —

A Sure. So there was an electronic search warrant for iCloud backup, and these messages were in that backup and provided —

Q Okay.

A — from a third party, from iCloud.

This appears to be the search warrant return obtained — again, per Shapley’s testimony — in August 2020.

For example, in August 2020, we got the results back from an iCloud search warrant. Unlike the laptop, these came to the investigative team from a third-party record keeper and included a set of messages. The messages included material we clearly needed to follow up on.

Shapley’s disclosure that there were WhatsApp texts saved to iCloud stunned me. That’s because, for all the material produced from the laptop itself — which even frothers have treated as all the content in Hunter Biden’s iCloud account — I had never seen WhatsApp texts.

Plus, there’s a technical issue. WhatsApp texts, like Signal texts, don’t automatically back up to iCloud. If one really wants to use their end-to-end encryption to best advantage, one doesn’t store them in the cloud, because then the only easy way to get the texts would be directly from someone’s phone. These texts purported to involve a Chinese national (though, as noted, Lowell says that’s false) whose phone would presumably be inaccessible overseas. And at the time the IRS obtained these texts, Hunter Biden didn’t know about the investigation into himself. They hadn’t seized his phone.

For Shapley’s description to be true, then, Hunter Biden would have had to back up the texts to his iCloud. But if he had, they should have shown up on the laptop itself, right along with every other scrap of the President’s son’s private life.

There were crumbs of an explanation for this in Shapley’s notes from the October 22, 2020 meeting on the government’s treatment of the laptop attributed to Hunter Biden.

In the meeting, Whistleblower X — who by his own description saw things online that he hadn’t obtained via the laptop directly, even though DOJ warned the agents not to do that — kept prodding about whether the investigative team had been provided all the messages on the laptop.

29. SA [Whistleblower X] asked if all information on the hard drive had been reviewed…the answer is that they did not look at all of that SA [Whistleblower X] questions if Dillon reviewed all iMessage’s that were relevant and not privileged. They would find the answer.

As Shapley recorded, on February 27, 2020, the forensics people provided all messages from the hard drive of material John Paul Mac Isaac restored from the laptop.

30. 2/27/2020 DE3 with all messages from the hard drive were provided by computer forensics— via USB Drive

That production included iPad and MacBook messages, but no iPhone messages.

32. 227 Productions

DE3 USB containing exported messages (ipad and macbook messages) No iphone messages

They didn’t get messages off any iPhone until they found a password, conveniently written on a business card, and with that password, were able to get into encrypted iPhone content on the laptop.

Laptop — iphone messages were on the hard drive but encrypted they didn’t get those messages until they looked at laptop and found a business card with the password on it so they were able to get into the iphone messages [my emphasis]

This still didn’t answer my question — how was the IRS able to get WhatsApp texts from iCloud when they weren’t in the iCloud content that appears on the Hunter Biden laptop?

But a detail in the fourth of Guy Dimitrelos’ reports on Hunter Biden’s laptop may explain it.

In his first report, Dimitrelos explained that the 5 million artifacts found on the hard drive were connected to Hunter Biden’s iCloud account, which he says was tied to the email [email protected].

  1. The hard drive contained approximately 5,791,819 files and system artifacts and was connected to and authenticated on an Apple iCloud account of [email protected] which is owned by Robert Hunter Biden (RHB).

[snip]

  1. Since this Apple MacBook Pro model was not released until 2017, all data prior to 2017 was stored (backed-up) to the [email protected] account and then downloaded to the MacBook Pro hard drive Downloads folder as illustrated in paragraph 30.

In his fourth report — basically 133 pages into his sequential reporting — Dimitrelos noted that Hunter Biden had another iCloud account, one tied to one of the emails he identified on page 4 of his report: [email protected].

In fact, at least according to the unreliable emails released at BidenLaptopEmails dot com (AKA MarcoPolo), that’s the account to which the laptop believed to be the one that ended up at Mac Isaac’s shop was registered, not the [email protected] account.

At the Marco Polo site, there are 453 pages of emails from the [email protected] account (so around 22,650). They include some of the most interesting in the collection, the ones directly with the Biden family and others indicating sensitive travel. There are 269 pages from the [email protected] account (so around 13,450) — but it’s the latter that seems to have been taken over in early 2019. I’ve described that the droidhunter88 gmail account effectively took over control of the iCloud account in that period (though I need to go back to the timeline and distinguish which events happened on one iCloud account and which on the other), and I think that’s right. But importantly, at times, the RosemontSeneca email is linked into it. That is, a RosemontSeneca email was used on both iCloud accounts.

As to the phone, Dimitrelos describes that he found a phone registered to the [email protected] account in an encrypted container in an iTunes backup.

I identified an encrypted container located within Apple’s MobileSync iTunes default backup folder.

[snip]

I identified the iOS backup to be an iPhone with the phone number below and Apple id of

[email protected] which is one of Robert Hunter Biden’s iCloud accounts.

Part two of Dimitrelos’ report described finding passwords for the iTunes account in two places. First, in a picture of a partly rumpled lined piece of paper stored in a Hidden Album. This picture included Amazon, WiFi, iTunes, GMail, and Apple ID passwords, all registered to a different Gmail account. Second, in association with an iPad registered to still a third iCloud account, itself registered to a Gmail account.

The latter shows that Hunter Biden’s iTunes password was changed on January 30, 2019, solidly in the middle of the period I’ve argued that his account was taken over by the DroidHunter gmail account.

And screencaps in parts two and four of Dimitrelos’ report show that both the iPad and the iPhone were backed up during this same period, on February 6, 2019. Someone changed the iTunes password, and backed up these two devices, where they were found on the laptop. All in this same period where Hunter Biden seems to have lost control over his laptop.

In part four of Dimitrelos’ report, he describes that there were, indeed, WhatsApp messages on the iPhone, registered to that entirely different iCloud account, seemingly backed up to iTunes on the [email protected] account.
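As an added illustration (not taken from Dimitrelos’ reports or from this post): a backup folder under MobileSync keeps its `Info.plist` and `Manifest.plist` unencrypted even when the backup itself is password-protected, so an examiner can document which device a backup belongs to, when it was made, whether it is encrypted and whether WhatsApp is among its listed apps before any password is used. The sketch reads those fields from a constructed sample directory; the plist key names are the ones these files normally carry, and every sample value is made up.

```python
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path
from xml.parsers.expat import ExpatError

WHATSAPP_BUNDLE_ID = "net.whatsapp.WhatsApp"
SQLITE_MAGIC = b"SQLite format 3\x00"


def read_plist(path):
    """Parse an XML or binary plist; return {} if it is missing or damaged."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
        return {}
    return data if isinstance(data, dict) else {}


def manifest_db_is_plain_sqlite(backup_dir):
    """True if Manifest.db starts with the SQLite header (file index readable)."""
    try:
        with open(backup_dir / "Manifest.db", "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return None  # no Manifest.db present (older backups used Manifest.mbdb)


def describe_backup(backup_dir):
    """Collect the metadata that is readable without the backup password."""
    info = read_plist(backup_dir / "Info.plist")
    manifest = read_plist(backup_dir / "Manifest.plist")
    lockdown = manifest.get("Lockdown", {})
    apps = set(info.get("Installed Applications", []))
    apps |= set(manifest.get("Applications", {}))
    return {
        "backup_id": backup_dir.name,
        "device_name": info.get("Device Name") or lockdown.get("DeviceName"),
        "product_type": info.get("Product Type") or lockdown.get("ProductType"),
        "phone_number": info.get("Phone Number"),
        "last_backup": info.get("Last Backup Date") or manifest.get("Date"),
        "encrypted": manifest.get("IsEncrypted"),
        "has_keybag": "BackupKeyBag" in manifest,
        "whatsapp_listed": WHATSAPP_BUNDLE_ID in apps,
        "manifest_db_plaintext": manifest_db_is_plain_sqlite(backup_dir),
    }


def inventory(root):
    """Describe every backup folder under root, oldest backup first."""
    rows = [describe_backup(d) for d in sorted(Path(root).iterdir())
            if d.is_dir() and (d / "Manifest.plist").is_file()]
    return sorted(rows, key=lambda r: (r["last_backup"] is None,
                                       r["last_backup"] or datetime.min))


def build_sample_root():
    """Constructed sample: an encrypted iPhone backup and a plain iPad backup."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync-sample-"))
    samples = [
        ("CONSTRUCTED-IPHONE-0001", "Example iPhone", "iPhone10,3", "+1 555 0100",
         datetime(2021, 3, 2, 9, 30), True,
         [WHATSAPP_BUNDLE_ID, "com.apple.mobilemail"]),
        ("CONSTRUCTED-IPAD-0002", "Example iPad", "iPad6,11", None,
         datetime(2021, 3, 1, 18, 0), False, ["com.apple.mobilemail"]),
    ]
    for udid, name, model, number, when, encrypted, apps in samples:
        d = root / udid
        d.mkdir()
        info = {"Device Name": name, "Product Type": model,
                "Unique Identifier": udid, "Last Backup Date": when,
                "Installed Applications": apps}
        if number:
            info["Phone Number"] = number
        manifest = {"IsEncrypted": encrypted, "Date": when,
                    "Lockdown": {"DeviceName": name, "ProductType": model},
                    "Applications": {a: {} for a in apps}}
        if encrypted:
            manifest["BackupKeyBag"] = b"\x00" * 16  # placeholder, not a real keybag
        with open(d / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)
        with open(d / "Manifest.plist", "wb") as fh:
            plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
        # Encrypted backups carry an encrypted file index; plain ones a SQLite file.
        body = b"\x5a" * 32 if encrypted else SQLITE_MAGIC + b"\x00" * 16
        (d / "Manifest.db").write_bytes(body)
    return root


if __name__ == "__main__":
    for row in inventory(build_sample_root()):
        print(row)
```

Run `inventory()` against a working copy of the `Backup` folder rather than the original media, so the timestamps being recorded are not themselves altered.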

I can’t be sure about this, because I’m not a forensics expert, both Shapley and Dimitrelos are deliberately unreliable narrators, and even they don’t have all the data to understand what went on here. But it appears that the reason why there were no WhatsApp texts on the laptop itself, which had all the content in the [email protected] iCloud account, is that they weren’t used by a device registered to the [email protected] iCloud account. They were used by a device registered to the [email protected] account, which was (as Shapley’s notes reflect) stored in encrypted fashion on the laptop.

There’s one more very important point about this.

The government had a warrant. If they really did find a business card (one not described anywhere I’ve seen in Dimitrelos’ report) with a password, they were able to get the encrypted content (though oftentimes prosecutors will recommend you go back and get a second warrant for that). From there, it seems, the IRS got another warrant for the other iCloud account, the [email protected] one. That’s how they got a legally sound copy of the WhatsApp texts in August 2020.

But for people like Rudy Giuliani or Garrett Ziegler or John Paul Mac Isaac, taking a laptop they purport to have been abandoned, and then using a password found on that laptop to access an encrypted container — especially one of a different iCloud account — is legally another level of conduct.

Update: I screwed up the number of emails; I’ve corrected that now.

88 replies
  1. Rugger_9 says:

    It is the chain of events that will preclude any success in prosecuting Hunter Biden. Even if these were his communications (very doubtful as noted above) any competent defense lawyer will exploit the holes, gaps and (assuming I read the last paragraph correctly) failure to follow any rules of investigations.

    Of course, Defendant-1 is demanding the death penalty for Hunter Biden, without trial like he still does for the Central Park Five (who were actually innocent).

    • emptywheel says:

      I think that may be the case: That there was a meritorious IRS case against him, but the case was so badly tainted they couldn’t bring it to trial.

      • Ginevra diBenci says:

        It might help if the IRS agent investigating this hadn’t displayed such a singular obsession with sex workers, sex partners, and sex in general, none of which ended up being germane to any case in chief.

        • Wajimsays says:

          IRS agents with sexual obsessions? Luxury! Problem really is as children they lived in a lake and then got up and had to clean the lake, eat a handful of hot gravel, and spank Hunter Biden’s laptop

        • Wajimsays says:

          OMG, I’m in moderation again. What, was it the hot gravel? Wait, comment purgatory was brief. Heaven now . . . whew. Did see John Paul there, though

          [FYI — I won’t go into specifics but you may have hit upon a keyword which triggers auto-moderation to prevent right-wing trollbots from swarming the site. Thanks for your patience. /~Rayne]

        • Wajim says:

          Thanks, Rayne. Appreciate you, and I get it. I will, though, swear on a stack of John Birch tracts on an 8kun post that I am not a right-wing troll bot. Double super secret swear

      • Spencer Dawkins says:

        I can imagine that the situation as described here is EXACTLY what Trump is hoping for. He gets to make increasingly unhinged accusations about both Bidens, fundraise off those accusations, never see those accusations evaluated in court, and blather about how the Deep State is still in place, and only he can fix it.

        Perhaps the last thing Trump would have wanted is for the IRS to have handled this investigation perfectly.

      • Doug R100 says:

        I’m not a fan of prison time for a year or two of tax dodging-penalties and fines and yearly audits for a few years should do it.
        Unless you’ve fraudulently represented asset prices for decades, then it’s another story.

        • bmaz says:

          Against any normal citizen, this would not have even been a “case”. HB paid it back with fines. The “he had a gun while using drugs” is laughable. The discourse on Hunter is stupid.

  2. boloboffin says:

    Separate iClouds! /Big Lebowski rookie cop

    Giuliani and the gang are making the Plumbers look like pros.

    • Rayne says:

      For a moment I thought you were writing a haiku which began with the line, “Separate iClouds!”

    • Djfnyc says:

      As for a search warrant, has anyone described probable cause of a crime being committed? For the IRS, why couldn’t they simply ask for Hunter’s financial records? I’ve never read the pretext for these searches.

      [Welcome to emptywheel. Please choose and use a unique username with a minimum of 8 letters. We are moving to a new minimum standard to support community security. Thanks. /~Rayne]

    • Theodora30 says:

      The White House Plumbers were pros. Frank Sturgis, James McCord and E. Howard Hunt were CIA operatives and G Gordon Liddy was ex-FBI. That is what I always found so strange because they surely didn’t act like they were pros. E. Howard Hunt was a prominent OSS and CIA operative and was Dulles’ executive assistant yet he was the guy who chose to wear a cheap red wig as a disguise for the break-ins.

  3. P J Evans says:

    The number of red flags attached to this whole thing is amazing. It looks like a May Day parade in the PRC.

  4. Datnotdat says:

    The iClouds are seeded
    and the rain descends.
    Who knows where the flood waters go?

    ( Nota bene; Marcy knows!)

    • Rayne says:

      Tsk-tsk. Nice try but points docked for non-haiku format, which is 5-7-5 syllable count per line.

        • Rayne says:

          The rules here are 5-7-5 format for a total 17 syllables. I may have called it haiku though it’s in actuality senryū which is still 5-7-5 format.

          Datnotdat’s still doesn’t qualify because it exceeds 17 syllables. Probably should have gone for kyōka instead.

          Anyhow, let’s get back on the topic.

        • Rayne says:

          Yes, you’re right — I was thinking of parody when I said kyōka, but that’s a form of tanka.

          Danke. LOL

        • Wajimsays says:

          Man, you guys lost me there, and I have an MFA in poetry from UM Missoula. Guess I got off the Narrow Road to the Deep North a bit early

        • strawberybanke says:

          Tanka means “short poem” and in its modern form, at least, is 5-7-5-7-7. There are historically lots of variations. Haikai used to be practiced in teams with one person providing the 5-7-5 and another responding with a 7-7, but seasonal allusions as well as allusions to classical poetry that every sophisticated person should know were required. Poetry was as often a group sport as it was an individual endeavor in medieval and early modern Japan. Senryū are haiku without the rules of seasonal allusions, etc., so they are really what we think of as haiku. Check out sarariman senryū for some fun stuff (5-7-5 poems written by beleaguered white collar workers often submitted to newspapers for publication once a week). Sorry for this. It’s all I can contribute to a website by a person who actually does important work.

        • strawberybanke says:

          *I’m going from memory as historian and not literary expert, but I think the linked verse were called “renga” and each 5-7-5+7-7 were haikai. Anyway, here is the English translation of one of my favorite genuine haiku:

          Summer grass–
          All that remains
          Of warriors’ dreams

          (Natsu kusaya
          tsuwamono domo ga
          yume no ato)

          Basho

        • Wajimsays says:

          Yes, and the defining feature of Renga is the strict collaborative form, featuring multiple poets, kinda like these EW comment threads, I suppose

        • Alan Charbonneau says:

          I thought Senryū was a miracle knife that sliced tomatoes so thinly, one could last a whole summer.

  5. pseudonymous in nc says:

    fwiw, *if* you do the optional iCloud backup *and* you’re logged into the same iCloud account on your desktop *and* you have iCloud Drive turned on *and* you have “optimize iCloud storage” switched off (“optimize” is the default) then you *may* have a copy of your backup as an encrypted sqlite database in a very hidden folder under ~/Library/Mobile Documents.

    https://apple.stackexchange.com/questions/365950/accessing-whatsapp-icloud-backup

    *If* you use WhatsApp Desktop — which I suspect is fairly uncommon — then there’s a local cache of recent messages (no older than 30 days, I think) in an encrypted sqlite file under ~/Library/Application Support.

    You can also export messages as HTML but you can’t re-import them.

    Going via an encrypted backup of an iOS device is very much a different route. I’m not sure how much of this writeup from 2017 was still operative in 2020 but it talks about using iTunes backups:

    https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/

    My other thought — a speculative one — is what might happen if you restore one of those iTunes backups to a clean iOS device. Would that step around the need to decrypt the database?

    • emptywheel says:

      I really really am just posting stuff and hope to sic a bunch of tech people at it. But the other thing I can’t understand is why there would be 2017 WhatsApp texts, as the ones in question were, on a phone first used in 2018.

      • Rayne says:

        I admit to not being as deep into the Case of Hunter Biden’s Electronic Devices as I probably should be, but after reading this post I have a question: did any US govt agency whether IRS or FBI/DOJ ever issue a warrant to Facebook/Meta for the account from which these subject WhatsApp texts were written?

        Everything I can recall reading so far mentions Apple and iCloud but not Facebook/Meta which is the parent of WhatsApp.

        • Rayne says:

          None, as in no metadata or dates accounts were opened/used/closed, whether Facebook, Instagram, or in this case, WhatsApp?

        • Rayne says:

          So it apparently never occurred to those who were relying on these WhatsApp messages which were a wholly different product to see if there were any other potentially related messages sent but not saved to iCloud in the cloud or on devices. Never occurs to them to validate when the account which sent these messages was created and from what IP address.

          O-kay. That seems awfully convenient.

        • emptywheel says:

          I see what you’re saying: they didn’t check Meta to make sure the WhatsApp texts match the messages.

          As I said here, I’m more curious whether someone just renamed Hunter’s American Z colleague Zhao and in the process totally changed the connotation of the text.

          https://www.emptywheel.net/2023/07/10/gary-shapley-and-hunter-bidens-colleague-named-z/

          I’m just scratching the surface of what actually happened, so I’m not really prepared to say what account controlled what when yet.

        • Rayne says:

          Yep.

          – On the face of it with the information available sans warrant on Facebook/Meta, how would someone looking at the texts on the device(s) know with certainty they were from WhatsApp (a Facebook/Meta company).
          – How would they know that the texts they were looking at on the devices(s) were *all* the texts sent from that WhatsApp account, let alone from a single WhatsApp account.
          – How would they know that the WhatsApp account was one Hunter Biden had been using or whether it was one which just happened to be created between 2017-2019.

          I guess I have more than one question now that I’ve screwed on my thinking cap about WhatsApp.

          ADDER: This mess is just so much Baudrillard’s Simulacra and Simulation.

        • emptywheel says:

          re: Baudrillard, I guess that’s why I’m good at it.

          Really hard to overstate how a top-notch training in postmodernism is great background for this kind of shit.

        • WilliamOckham says:

          Baudrillard is a name I haven’t heard in a long time. I never really grokked his stuff. Your mention of his work in connection with all this is illuminating.
          Now I’m imagining some time traveler telling early 90’s me that “all this stuff will make sense thirty years from now when there’s a big political scandal involving one of Joe Biden’s kids.”

        • Rayne says:

          All I can say is that this WhatsApp text stuff is pure simulacra by the time House Ways and Means Chair Jason Smith displays what is purported to be WhatsApp text messages. The simulacra is real — real bullshit.

        • pseudonymous in nc says:

          “how would someone looking at the texts on the device(s) know with certainty they were from WhatsApp ”

          It’s a completely separate messaging app. It’s not like the Messages app where, say, texts from a phone and iMessage messages from a Mac get smushed together.

          (In passing, the primary identifier of a WhatsApp account is a phone number — as opposed to iCloud where it’s an email address — but it doesn’t have to be the number registered with the SIM on the device you’re using.)

        • Rayne says:

          And yet we’re talking about a situation where a device had an app installed called “Hunter,” and the forensics so far have been pathetically bad.

          Until Facebook/Meta metadata confirms it, I doubt we can be absolutely certain messages believed to be WhatsApp based are from WhatsApp (and not a spoofed app) let alone that they’re from an account which Hunter Biden created and was the sole user.

      • farmfresh says:

        When I change Android phones I always have the option to restore Whatsapp content from a cloud backup. I have threads from 2016 that have migrated across three or four devices by now from restored backups. I imagine iPhones are the same.

        • pseudonymous in nc says:

          Yeah, cloud backups aren’t ideal for privacy and security (though E2EE backups are now an option with WhatsApp) but if you want to preserve old conversations across devices then that’s what you’re working with.

      • timbozone says:

        Re how could old WhatsApp convos/meta data be on a new phone…

        Full phone backups of data to a computer or icloud from iOS contain all data, including apps, settings, and other third party files, etc. If you get a new phone and use your old phone’s backup to configure the new phone then all this data is restored onto the new phone. The third way this data could be transferred from the old iPhone to the new iPhone is if you do the migration directly from the old phone to the new phone.

        Note that whether such a data transfer to new hardware/OS triggers a user revalidation at the Whatsapp credential level is beyond my knowledge. I suspect it should but that doesn’t mean that it does. Also, some app developers invalidate their credentials when a user updates their app to a newer version, something that regularly occurs when restoring old phone data to a new iPhone, etc.

    • pseudonymous in nc says:

      “My other thought — a speculative one — is what might happen if you restore one of those iTunes backups to a clean iOS device. Would that step around the need to decrypt the database?”

      It occurs to me that if you were trying to obfuscate how you obtained a set of messages — for instance, if you read them on a phone after restoring a backup — you might write up a “summary” of what you scrolled through instead of having a clean export with metadata.

  6. ExRacerX says:

    Do Hunter’s dick pics
    Indicate some malfeasance
    By the President?

    Satisfying, though
    Seeing the Republicans
    Tie themselves in knots

    Those who will not kiss
    The orange sphincter of Trump
    Are shunned like lepers.

    When the smoke has cleared
    Who will remain standing and
    Who will be devoured?

  7. derelict says:

    seems more and more like a complete setup; regardless of the veracity of any of the dirt dug up, a lot of effort went into making sure it got attention. no wonder right wing media seems so latched on to this — the public gave the ultimate snub. all this effort to make hunter a patsy, and no one cares. it’s not that they couldn’t convince folks that the provenance was legit, it’s that it doesn’t add up to anything.

    is right wing attachment to the hunter biden fiasco really a form of sunk cost fallacy?

    this of course assumes a level of explicit or implicit synchronicity between the original plotters all the way down to the media talking heads. which may or may not exist.

    • Ebenezer Scrooge says:

      I agree that the public doesn’t care about Hunter Biden. I think that the VRWC knows this, and they’ve given up on Plan A. They’re now in Plan B: tying Hunter to Joe. One argument is that since Hunter didn’t get the death penalty from the US Attorney, the fix was in from above. Another argument is that Joe is a bad person because granddaughter something. I don’t think that this is going anywhere either. But it’s not the same thing as an attack on Hunter.

      • bmaz says:

        Lol, the only thing different about Hunter Biden’s treatment is that he was treated “more” harshly than any common defendant would have been.

    • FrictionBlistered says:

      It does seem that this started as a setup, the earliest tipoff being the ridiculous cast of characters involved. Regardless of the ineptitude of the tainted peddlers of the product, they were successful in terms of getting the (mis/dis)information out there.

      The magical laptop didn’t have the power that its fabricators hoped for, but desperate politicians and operatives intend to continue flogging it for whatever confusion, delay, and damage they can achieve.

      The Republicans face looming justice and elections if they don’t succeed in destroying the people in their way. They truly believe that Joe Biden is old and tired and cares more than he should about what’s left of his family. And they are even more sure that if Hunter Biden is truly in recovery (I’m sure some doubt it), then focused, relentless pressure will break him. If beating the laptop doesn’t get the Bidens into court, then breaking either Biden or both, in public, would actually be even juicier.

      And the laptop, whether soberly solid evidence or flamboyantly phony, is only one of the angles of attack. They aim to break the Bidens for practical reasons, but also for the spectacle, and they have lots of volunteers.

      • derelict says:

        yeah i think that’s what gets me — the lines between ‘conspiracy’, ‘opportunism’, ‘volunteers’, and ‘rubes’ are hard to spot. who was in on the initial plot, and who is just using it to their advantage, those who just like the sport of tribally-loyal partisan debate, and those content with spoon-fed worldviews…
        there seems to be some wholly nasty stuff going on initially under the hood, but it remains to be seen who was ‘in on it’ at what levels.

  8. David_12JUL2023_1537h says:

    “… all data prior to 2017 was stored (backed-up) to the [email protected] account and then downloaded to the MacBook Pro hard drive Downloads folder…”

    This makes zero sense.

    There is no iCloud “backup” for macOS.

    iCloud Drive provides online storage space for Macs, where modern applications may create a folder which becomes a default Save location, that synchronizes with Finder on the Mac.

    And when enabled (it’s off by default), the “Desktop & Documents Folders” feature will also synchronize the contents of those two folders, which often contain the majority of users’ saved files on their computers.

    But nobody, ever, anywhere, would download the contents of iCloud Drive to a Mac’s Downloads folder, since all that information is already accessible in the iCloud section of the machine!

    And if a user signs out of iCloud or otherwise disables iCloud Drive, and specifically opts to “Download to this Mac” the resulting files are placed in its own folder in the user’s Home folder (~), NOT in the Downloads folder.

    Someone is making shit up.

    [Welcome to emptywheel. Please choose and use a unique username with a minimum of 8 letters. We are moving to a new minimum standard to support community security. Because your username is far too common (there are quite a few community members named “David”) it will be temporarily changed to match the date/time of your first known comment until you have a new compliant username. Thanks. /~Rayne]

    • emptywheel says:

      Dimitrelos was paid to say that this Hunter account was a Hunter account. He wasn’t paid to assess whether Hunter was hacked. So I think there are a lot of things he describes, probably biting his tongue about what things really mean — like this second iCloud account — but describing them partially, but accurately.

  9. ShallMustMay08 says:

    Ok. The thing that struck me 1st last week was the missing time date data in post. I looked at org docs but confident that Marcy is putting forth what she has so I presume the data was not supplied. Which is the 1st problem. Forensic data missing time date? Yeah – No, not the way it works. So someone’s keeping it out for whatever reason.

    But I’m glad there is further conversation about how Mac and iCloud with and without multiple accounts has been mentioned. Libraries, iTunes back ups, etc.

    No idea on the Meta what’s app or fb … won’t go near. But the Mac stuff is valuable. Hopefully more to come because I can’t help much but maybe others.

    Bottom line though is – No way they didn’t provide the date time stamps.

    [Heads up — I need you to confirm whether your email address has an O or a zero in it. The email in your first and most recent comment doesn’t match the one you used today. No need to spell out the email address in Reply, just confirm O or zero. Thanks. /~Rayne]

    • ShallMustMay08 says:

      “O” like the tree but with e. No numbers on my email.

      Thanks. I was wondering because it auto filled and I thought I had that turned off. But my username came over as all caps too and so I did over-ride that.

      Appreciate your diligence.

      [Thanks for the confirmation. /~Rayne]

    • John Paul Jones says:

      At the risk of stating the obvious: Probably because they see their prospective audience as not particularly adept at computers. I’ve used Macs all my working life, pretty much, and consider myself well-enough-versed in how to run them and fix simple problems, but even so, a lot of the stuff discussed re: the Phantom Laptop is just over my head (I don’t use those features). So I imagine a bevy of Fox News viewers might easily be confused, or, dare I say, foxed, by all this, therefore, willing to take what they’re fed on faith.

  11. Upisdown says:

    Seems like a lot of effort with little payoff. John Paul Mac Isaac says he spotted evidence of white collar crimes right off the bat, and he’s at least half blind.

    • Shadowalker says:

      Isaac’s story has changed so many times, anything he says is unreliable. He could have even been a patsy used to inject the payload into the FBI.

  12. bgThenNow says:

    The posts here by EW are so great, thank you, Marcy!

    I wonder if the laptop became so slow and was operating so poorly that “HB” took it in to find out what was up, not realizing that many “others” were using it? I wonder if “he” described any of the issues “he” was having to the “repair” guy and that was a tip off to look into the contents? I think the repair techs that have worked on my Macs would be able to look into some of that, and who knows how much would remain “confidential” in this kind of circumstance.

    Was the whole thing a set up? Was the business card with a password a photo conveniently dropped into the computer by one of the other users? Certainly even a blind tech guy would realize that the ostensible owner was not just any random guy but the (ostensible) son of the former VP/Pres Candidate and if tech guy had certain “leanings” would be looking for extra cash as “HB” had not returned to get it. I can’t recall if anyone ever ascertained if HB was actually the person who turned it in for “repair.” Are there legit HB files from a time recent to when it was delivered for “repair?” Could those have been imported from another computer he had by that point?

    I had a very trashed Mac that I left for a long time at the shop, not a priority for me or them to get it going again as I had another computer by that point. (They did eventually get around to restoring it.) Why not get a new computer and start from scratch? Were all the password change notices not going to HB on “his” computer because they were being masked in a different storage system HB was not aware of? Or had he lost the computer for so long he wasn’t looking for it at that point? It’s not like an iPhone with a “find my computer” app.

    The whole thing is more and more strange, and thanks again, Marcy for all the time you have spent doing the work. I so hope this work is being used by people who can make hay with it.

  13. DinnerAtAntoine’s says:

    On that last point – yes, the external accessing of passwords via data to access *new data. IMO accessing the laptop (alleged) data was illegal under DE law, & HB has a lawsuit on that right now (presuming it wasn’t hacked/stolen). – And then there’s accessing the iCloud by JPMI (allegedly), which IMO, is illegal. But then also there’s a voicemail that the GOP has circulated that was only acquired via taking a password off the email data, which again seems like yet another level of illegally accessed data. & now this with the WhatsApp data, also IMO illegal.

  14. WilliamOckham says:

    I put three of those emails into haveIbeenpwned.com. By the way, that’s a top notch excellent site.

    (domain names omitted here)
    rhb
    exposed in multiple data breaches as far back as 2013
    rhbdc
    was exposed in 2019, but that wasn’t public until earlier this year.
    droidhunter88
    also exposed in the same incident in 2019

    • Rayne says:

      Very interesting. Thanks for that. Wish I could think of another angle of approach to check the account age.

      All of this sure makes the breach of Equifax take on a different spin, hmm?

    • bgThenNow says:

      When was the Ashley B theft? It could have been a precursor to this entire incident. Someone was speculating on EW a while back on the reason the laptop ended up in MA, suggesting perhaps the timeline for a fix in a place like LA might have been long. What if it was just outright purloined and left in a place convenient to someone being tipped off to pick it up from the blind tech? What a mess!

    • emptywheel says:

      FWIW, if you’ve got sex workers recruited for this operation, you really don’t need to pwn the email accounts by phishing. You’ve got humans doing that work.

  15. Fedupin10 says:

    Thank you Marcy and all commenters. It’s literally an enlightening conversation on all subjects here at EW.
    William brings up the thought I’ve had all along re Hunter Biden: to truly grasp these machinations you have to go back to when HB was first made a Director at Burisma, May, 2014. When he was appointed, Joe Biden, as current VP, was the likely Democratic candidate for 2016. I believe the HB shit storm was to be part of the 2016 election. Then Beau died in May 2015 and Joe didn’t have it in him to run. The Plan was scrapped and the HRC email investigation starts up 7/2015. Fast forward to 2019 and Joe can be seen on the horizon as a formidable likely 2020 candidate. The sunk costs of the HB setup are pulled from the shelf and handed to Rudy to make a big deal about it.
    Conservatives are long term schemers. Their fruits of today go back to the Birchers’ efforts of the 50s / 60s.
    Just my 2 cents.

    • emptywheel says:

      I don’t think you need Burisma to be all about elections. Hell, Joe was lead on Ukraine policy at the time. It was a win-win pick for Burisma with lots of down-stream possibilities.

      • Upisdown says:

        I think Burisma was buying name recognition, not influence. Individual members of boards of directors don’t have that much power, and Hunter Biden wasn’t getting enough money for Joe to kneecap US policy just to keep his son’s paychecks coming.

        Burisma was probably in the market to add a well known name to their annual reports, and Frank Stallone wasn’t available.

        • Shadowalker says:

          Burisma doesn’t operate like American corps. They select board members who they think will help in dealing with the regime in power. Before Putin’s puppet was run out of both office and country, the board was full of Putin’s people. It’s the way they were used to doing business. From everything I’ve seen, Burisma reached out to Hunter and not the other way around, which is probably why they are pushing the WhatsApp crap as more proof of strong arming foreign corps. It’s ironic that they have been trying to move away from the Soviet style corruption only to be taught American style corruption with Giuliani as the teacher.
