The Year Long Trump Flunky Effort to Free Julian Assange

The NYT has an unbelievable story about how Paul Manafort went to Ecuador to try to get Julian Assange turned over. I say it’s unbelievable because it is 28 paragraphs long, yet it never once explains whether Assange would be turned over to the US for prosecution or for a golf retirement. Instead, the story stops short multiple times of what it implies: that Manafort was there as part of paying off Trump’s part of a deal, but the effort stopped as soon as Mueller was appointed.

Within a couple of days of Mr. Manafort’s final meeting in Quito, Robert S. Mueller III was appointed as the special counsel to investigate Russian interference in the 2016 election and related matters, and it quickly became clear that Mr. Manafort was a primary target. His talks with Ecuador ended without any deals.

The story itself — which given that it stopped once Mueller was appointed must be a limited hangout revealing that Manafort tried to free Assange, complete with participation from the spox that Manafort unbelievably continues to employ from his bankrupt jail cell — doesn’t surprise me at all.

After all, the people involved in the election conspiracy made multiple efforts to free Assange.

WikiLeaks kicked off the effort at least by December, when they sent a DM to Don Jr suggesting Trump should make him Australian Ambassador to the US.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

Weeks later, Hannity would go to the Embassy to interview Assange. Assange fed him the alternate view of how he obtained the DNC emails, a story that would be critical to Trump’s success at putting the election year heist behind him, if it were successful. Trump and Hannity pushed the line that the hackers were not GRU, but some 400 pound guy in someone’s basement.

Then the effort actually shifted to Democrats and DOJ. Starting in February through May 2017, Oleg Deripaska and Julian Assange broker Adam Waldman tried to convince Bruce Ohr or Mark Warner to bring Assange to the US, using the threat of the Vault 7 files as leverage. In February, Jim Comey told DOJ to halt that effort. But Waldman continued negotiations, offering to throw testimony from Deripaska in as well. He even used testimony from Christopher Steele as leverage.

This effort has been consistently spun by the Mark Meadows/Devin Nunes/Jim Jordan crowd — feeding right wing propagandists like John Solomon — as an attempt to obstruct a beneficial counterintelligence discussion. It’s a testament to the extent to which GOP “investigations” have been an effort to spin an attempt to coerce freedom for Assange.

Shortly after this effort failed, Manafort picked it up, as laid out by the NYT. That continued until Mueller got hired.

There may have been a break (or maybe I’m missing the next step). But by the summer, Dana Rohrabacher and Chuck Johnson got in the act, with Rohrabacher going to the Embassy to learn the alternate story, which he offered to share with Trump.

Next up was Bill Binney, whom Trump started pushing Mike Pompeo to meet with, to hear Binney’s alternative story.

At around the same time, WikiLeaks released the single Vault 8 file they would release, followed shortly by Assange publicly re-upping his offer to set up a whistleblower hotel in DC.

Those events contributed to a crackdown on Assange and may have led to the jailing of accused Vault 7 source Joshua Schulte.

In December, Ecuador and Russia started working on a plan to sneak Assange out of the Embassy.

A few weeks later, Roger Stone got into the act, telling Randy Credico he was close to winning Assange a pardon.

These efforts have all fizzled, and I suspect as Mueller put together more information on Trump’s conspiracy with Russia, not only did the hopes of telling an alternative theory fade, but so did the possibility that a Trump pardon for Assange would look like anything other than a payoff for help getting elected. In June, the government finally got around to charging Schulte for Vault 7. But during the entire time he was in jail, he was apparently still attempting to leak information, which the government therefore obtained on video.

Ecuador’s increasing crackdown on Assange has paralleled the Schulte prosecution, with new restrictions, perhaps designed to provide the excuse to boot Assange from the Embassy, going into effect on December 1.

Don’t get me wrong: if I were Assange I’d use any means I could to obtain safe passage.

Indeed, this series of negotiations — and the players involved — may be far, far more damning for those close to Trump. Sean Hannity, Oleg Deripaska, Paul Manafort, Chuck Johnson, Dana Rohrabacher, Roger Stone, and Don Jr, may all worked to find a way to free Assange, all in the wake of Assange playing a key role in getting Trump elected. And they were conducting these negotiations even as WikiLeaks was burning the CIA’s hacking tools.

Time Machine: 2011 to 2012 WikiLeaks Is not 2018 WikiLeaks

Since DOJ confirmed last week that it does have at least one sealed criminal complaint against Julian Assange, WikiLeaks has adopted a notable defense strategy. In most of their responses, WikiLeaks has claimed a continuity between what it has done in the last two years and what it was doing in 2010, when the US government first took aggressive action against WikiLeaks.

For example, this timeline claims vindication of persistent claims among WikiLeaks supporters that Assange had already been indicted, even while linking to reports that make it clear DOJ has changed its approach recently (and ignoring, entirely, the NYT report that says the charge dates to this summer and which WikiLeaks’ Twitter feed attacks elsewhere).

November: US prosecutors inadvertently reveal that Julian has been charged under seal (i.e., confidentially) in the US – something which WikiLeaks and others have long said but which has been denied by some US officials. The document making the admission was written by Assistant US Attorney Kellen S Dwyer. The Wall Street Journal reports that “over the past year, US prosecutors have discussed several types of charges they could potentially bring against Mr. Assange”. It notes that charges against Julian could include violating the US Espionage Act, which criminalises releasing information regarding US national defence.

Assange’s UK lawyer, Jennifer Robinson, did the same in an appearance with MSNBC. She claimed  that the charge came out of the investigation started in 2010 in response to WikiLeaks’ publication of US Diplomatic cables, the Iraq war logs, the Afghan war logs, which she argues (correctly, I’d agree) was demonstrated to be in the public interest and had been published by other media outlets, including the NYT. She says this criminal charge proves it was correct for Assange to have sought asylum from Ecuador. And she emphasized that Assange would be extradited “for publishing truthful information.” She repeated “public interest” over and over.

Another Tweet RTed by WikiLeaks claims that Assange had been indicted as early as 2011 and the Australian government knew about it.

Finally, another Tweet purports to lay out the possible charges against Assange, which it describes as:

  • Espionage: 18 U.S.C. § 793(d) – imprisonment up to 10 years
  • Conspiracy to commit espionage: 18 U.S.C. § 793(g) – imprisonment up to 10 years
  • The theft or conversion of property belonging to the United States government: 18 U.S.C. § 641 – imprisonment up to 10 years
  • Violation of the Computer Fraud and Abuse Act: 18 U.S.C. § 1030 – imprisonment up to 10 years
  • (general) Conspiracy: 18 U.S.C. § 371 – imprisonment up to 5 years

It bases that claim on this post from early 2015 describing the late 2014 notice to WikiLeaks of warrants served on Google two and a half years earlier (so around June 2012, which is when Assange first took refuge in the Ecuadorian embassy).

In other words, WikiLeaks is working public opinion by pretending it is being prosecuted for the stuff it did in 2011, even to the point of claiming that news of a recent complaint proves that Assange has been indicted all this time. It is true that the prosecutor who made the cut-and-paste error that revealed the existence of a complaint, Kellen Dwyer, has reportedly been on the WikiLeaks investigative team for years. But that doesn’t mean, at all, that the US prosecution is in any way related to those earlier actions.

The reports of both the WSJ and NYT seem to prove the opposite. Whether because the Trump Administration that WikiLeaks worked so hard to elect turned out to be far less respectful of freedom of the press than the Obama Administration, or because the US started collecting more aggressively on WikiLeaks and therefore learned more about its operations, or because the nature of Assange’s more recent actions are fundamentally different from what he did in 2011, DOJ came to charging Assange this summer when Eric Holder refused to do so. Indeed, while no one has confirmed this one way or another, the assumption has been that Assange’s charges relate either to his involvement in the 2016 Russian hack-and-leak (though that would presumably be charged in DC) or his involvement in the 2017 Vault 7 and Vault 8 files as well as his exploitation of them.

The possible crimes may have expanded, too. Espionage is definitely still a possibility, particularly given how DOJ charged accused Vault 7 leaker Joshua Schulte, including possibly suggesting his leaks were designed to help another nation (presumably Russia). If Assange had advance knowledge of any of the Russian hacks (or the Peter Smith negotiated efforts to obtain Hillary’s server emails), he might be exposed to CFAA as well. And if he is charged by Mueller, he will surely be charged with at least one conspiracy charge as well; WikiLeaks was already described as an unindicted co-conspirator in the GRU indictment.

But there may well be other charges, starting with extortion or something akin to it for the way Assange tried to use the threat of the release of the Vault 7 documents to obtain a pardon. Some of his actions might also amount to obstruction. Yochai Benkler’s latest post also imagines Assange may have coordinated more closely with Russian intelligence, which might lead to different charges.

WikiLeaks’ attempts to rest on its earlier laurels is telling, for several reasons. It suggests they and their supporters don’t seem to want to defend Assange’s more recent actions. I find it remarkable, for example, that Robinson didn’t mention how many stories the NYT and WaPo wrote based on the 2016 files, which would support her argument that the files were newsworthy.

The attempt to pretend Assange is being prosecuted for his earlier actions seems to serve another purpose — to defend his years of asylum claims, which are also the basis for his claims to be a victim of US political targeting (and the premise for his demands for immunity on threat of releasing the Vault 7 files). Don’t get me wrong. I think some of the things DOJ is known or suspected to have done in 2010 and 2011 are problematic. But those did not directly merit an asylum claim (and in fact they preceded Assange’s asylum claim by over a year).

That may, in turn, serve to obscure what Assange wanted immunity for in coercive negotiations that started in 2017: Was it 2011, his role in publishing the State cables? Or was it 2016, as his offers to explain what (he claims) really happened in 2016 would suggest?

Whichever it is, WikiLeaks seems to have a lot staked on making a defense of Assange’s 2011 activities. Which suggests they’re a lot less confident they can defend his 2016 and 2017 activities.

The Theory of Prosecution You Love for Julian Assange May Look Different When Applied to Jason Leopold

The WaPo confirmed something Seamus Hughes disclosed last night: Sometime before August 22, EDVA had filed a sealed complaint (not indictment) against Julian Assange.

WikiLeaks founder Julian Assange has been charged under seal, prosecutors inadvertently revealed in a recently unsealed court filing — a development that could significantly advance the probe into Russian interference in the 2016 election and have major implications for those who publish government secrets.

The disclosure came in a filing in a case unrelated to Assange. Assistant U.S. Attorney Kellen S. Dwyer, urging a judge to keep the matter sealed, wrote that “due to the sophistication of the defendant and the publicity surrounding the case, no other procedure is likely to keep confidential the fact that Assange has been charged.” Later, Dwyer wrote the charges would “need to remain sealed until Assange is arrested.”

Dwyer is also assigned to the WikiLeaks case. People familiar with the matter said what Dwyer was disclosing was true, but unintentional.

The confirmation closely follows a WSJ story describing increased confidence that the US will succeed in extraditing Assange for trial.

The confirmation that Assange has been charged has set off a frenzy, both among Assange supporters who claim this proves their years of claims he was indicted back in 2011 and insisting that charging him now would amount to criminalizing journalism, and among so-called liberals attacking Assange lawyer Barry Pollack’s scolding of DOJ for breaking their own rules.

I’ve long been on record saying that I think most older theories of charging Assange would be very dangerous for journalism. More recently, though, I’ve noted that Assange’s actions with respect to Vault 7, which had original venue in EDVA where the Assange complaint was filed (accused leaker Joshua Schulte waived venue in his prosecution), go well beyond journalism. That said, I worry DOJ may have embraced a revised theory on Assange’s exposure that would have dire implications for other journalists, most urgently for Jason Leopold.

There are, roughly, four theories DOJ might use to charge Assange:

  • Receiving and publishing stolen information is illegal
  • Conspiring to release stolen information for maximal damage is illegal
  • Soliciting the theft of protected information is illegal
  • Using stolen weapons to extort the US government is illegal

Receiving and publishing stolen information is illegal

The first, theory is the one that Obama’s DOJ rejected, based on the recognition that it would expose NYT journalists to prosecution as well. I suspect the Trump Administration will have the same reservations with such a prosecution.

Conspiring to release stolen information for maximal damage is illegal

The second imagines that Assange would be charged for behavior noted in the GRU indictment — WikiLeaks’ solicitation, from someone using the persona of Guccifer 2.0, of material such that it would be maximally damaging to Hillary Clinton.

On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc link1.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

Significantly, WikiLeaks (but not Roger Stone) was referred to in the way an unidicted co-conspirator normally is, not named, but described in such a way to make its identity clear.

This is a closer call. There is a Supreme Court precedent protecting journalists who publish stolen newsworthy information. But it’s one already being challenged in civil suits in ways that have elicited a lot of debate. Prosecuting a journalist for trying to do maximal damage actually would criminalize a great deal of political journalism, starting with but not limited to Fox. Note that when the founders wrote the First Amendment, the norm was political journalism, not the so-called objective journalism we have now, so they certainly didn’t expect press protections to be limited to those trying to be fair to both sides.

Such a charge may depend on the degree to which the government can prove foreknowledge of the larger agreement with the Russians to damage Hillary, as well as the illegal procurement of information after WikiLeaks expressed an interest in information damaging Hillary.

Mueller might have evidence to support this (though there’s also evidence that WikiLeaks refused to publish a number of things co-conspirators leaked to them, including but not limited to the DCCC documents). The point is, we don’t know what the fact pattern on such a prosecution would look like, and how it would distinguish the actions from protected politically engaged journalism.

Soliciting the theft of protected information is illegal

Then there’s the scenario that Emma Best just hit on yesterday: that DOJ would prosecute Assange for soliciting hacks of specific targets. Best points to Assange’s close coordination with hackers going back to at least 2011 (ironically, but in a legally meaningless way, with FBI’s mole Sabu).

This is, in my opinion, a possible way DOJ would charge Assange that would be very dangerous. I’m particularly worried because of the way the DOJ charged Natalie Mayflower Edwards for leaking Suspicious Activity Reports to Jason Leopold. Edwards was charged with two crimes: Unauthorized Disclosure of Suspicious Activity Reports and Conspiracy to Make Unauthorized Disclosures of Suspicious Activity Reports (using the same Conspiracy charge that Mueller has been focused on).

In addition to describing BuzzFeed stories relying on SARs that Edwards saved to a flash drive by October 18, 2017 and then January 8, 2018, it describes a (probably Signal) conversation from September 2018 where Leopold — described in the manner used to describe unindicted co-conspirators — directed Edwards to conduct certain searches for material that ended up in an October story on Prevezon, a story published the day before Edwards was charged.

As noted above, the October 2018 Article regarded, among other things, Prevezon and the Investment Company. As recently as September 2018, EDWARDS and Reporter-1 engaged in the following conversation, via the Encrypted Application, in relevant part:

EDWARDS: I am not getting any hits on [the CEO of the Investment Company] do you have any idea what the association is if I had more information i could search in different areas

Reporter-1: If not on his name it would be [the Investment Company]. That’s the only other one [The CEO] is associated with Prevezon Well not associated His company is [the Investment Company]

Based upon my training and experience, my participation in the investigation, and my conversations with other law enforcement agents familiar with the investigation, I believe that in the above conversation, EDWARDS was explaining that she had performed searches of FinCEN records relating to Prevezon, at Reporter-l’s request, in order to supply SAR information for the October 2018 Article.

Edwards still has not been indicted, two weeks after her arraignment. That suggests it’s possible the government is trying to persuade her to plead and testify against Leopold in that conspiracy, thereby waiving indictment. The argument, in that case, would be that Leopold went beyond accepting stolen protected information, to soliciting the theft of the information.

This is the model a lot of people are embracing for an Assange prosecution, and it’s something that a lot of journalists not named Jason Leopold also do (arguably, it’s similar but probably more active than what James Rosen got dubbed a co-conspirator in the Stephen Jin-Woo Kim case).

Charging Leopold in a bunch of leaks pertaining to Russian targets would be a nice way (for DOJ, not for journalism) to limit any claim that just Assange was being targeted under such a theory. Indeed, it would placate Trump and would endanger efforts to report on what Mueller and Congress have been doing. Furthermore, it would be consistent with the aggressive approach to journalists reflected in the prosecution of James Wolfe for a bunch of leaks pertaining to Carter Page, which involved subpoenaing years of Ali Watkins’ call records.

In short, pursuing Leopold for a conspiracy to leak charge would be consistent with — and for DOJ, tactically advantageous — the theory under which most people want Assange charged.

Using stolen weapons to extort the US government is illegal

Finally, there’s the fourth possibility, and one I think is highly likely: charging Assange for his serial efforts to extort a pardon from the US government by threatening to release the Vault 7 (and ultimately, a single Vault 8 live malware) files.

This post shows how, starting in January 2017, Assange (and Oleg Deripaska) representative Adam Waldman was reaching out to top DOJ officials trying to negotiate a deal and using the release of the Vault 7 documents as leverage.

This post shows how, the second time Assange tweeted Don Jr asking for an Ambassadorship, he included a threatening reference to Vault 8, WikiLeaks’ name for the actual malware stolen and leaked from CIA, the first file from which Assange had released days earlier.

[B]ack in November 2017, some outlets began to publish a bunch of previously undisclosed DMs between Don Jr and Wikileaks. Most attention focused on Wikileaks providing Don Jr access to an anti-Trump site during the election. But I was most interested in Julian Assange’s December 16, 2016 “offer” to be Australian Ambassador to the US — basically a request for payback for his help getting Trump elected.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

In the wake of the releases, on November 14, 2017, Assange tweeted out a follow-up.

As I noted at the time, the offer included an implicit threat: by referencing “Vault 8,” the name Wikileaks had given to its sole release, on November 9, 2017 of an actual CIA exploit (as opposed to the documentation that Wikileaks had previously released), Assange was threatening to dump more hacking tools, as Shadow Brokers had done before it. Not long after, Ecuador gave Assange its first warning to stop meddling in other countries politics, explicitly pointing to his involvement in the Catalan referendum but also pointing to his tampering with other countries. That warning became an initial ban on visitors and Internet access in March of this year followed by a more formal one on May 10, 2018 that remains in place.

Notably, Ecuador may have warned Assange back then to stop releasing America’s malware from their Embassy; those warnings have laid the groundwork for the rigid gag rules recently imposed on Assange on risk of losing asylum.

Immediately after this exchange, accused Vault 7/8 leaker Joshua Schulte had some Tor accesses which led to him losing bail. They didn’t, however, lead BOP to take away his multiple devices (!?!?!). Which means that when they raided his jail cell on or around October 1, they found a bunch of devices and his activity from 13 email and social media accounts. Importantly, DOJ claims they also obtained video evidence of Schulte continuing his efforts to leak classified information.

The announcement of that raid, and the additional charges against Schulte, coincided with a period of increased silence from WikiLeaks, broken only by last night’s response to the confirmation Assange had been charged.

I think it possible and journalistically safe to go after Assange for releasing stolen weapons to extort a criminal pardon. But most of the other theories of prosecuting Assange would also pose real risks for other journalists that those rooting for an Assange prosecution appreciate and rely on.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

US Government Reveals It Has Video Evidence of Joshua Schulte Sharing Classified Information as Ecuador Restricts Assange’s Legal Visits

In a letter sent Thursday to Paul Crotty, the judge in the case of alleged Vault 7 WikiLeaks source, Joshua Schulte, prosecutors described the investigation conducted when, “in or about early October 2018,” they discovered he had been communicating clandestinely with third parties outside of the Metropolitan Corrections Center, where he has been held since December. They described discovering a truly stupendous amount of communications gear to store in a jail cell, amounting to multiple cell phones and other devices, from which Schulte was running 13 email and social media accounts.

In or about early October 2018, the Government learned that Schulte was using one or more smuggled contraband cellphones to communicate clandestinely with third parties outside of the MCC. The Government and the FBI immediately commenced an investigation into Schulte’s conduct at the MCC. That investigation involved, among other things, the execution of six search warrants and the issuance of dozens of grand jury subpoenas and pen register orders. Pursuant to this legal process, in the weeks following the Government’s discovery of Schulte’s conduct at the MCC, the FBI has searched, among other things, the housing unit at the MCC in which Schulte was detained; multiple contraband cellphones (including at least one cellphone used by Schulte that is protected with significant encryption); approximately 13 email and social media accounts (including encrypted email accounts); and other electronic devices.

Now, the prosecutors use that word “encrypted” twice, as if it means extra spooky, but these days, a cellphone with significant encryption could mean an iPhone (though in jail Schulte might be able to get state of the art spook or crook phones) and “encrypted email accounts” often means ProtonMail.

In any case, that’s a whole lot of legal process for a one month investigation of someone sitting in a jail cell (Schulte was moved to solitary when the investigation started on October 1), but then Schulte allegedly had a shit-ton of hardware. The 6 search warrants were presumably used for Schulte’s devices, and the “dozens of grand jury subpoenas and pen registers” would probably have been used for those email and social media accounts, perhaps with both used for each account (I have a working theory that for encrypted comms it may take more than one pen register to get the data).

Schulte was using all this hardware and software, according to the prosecutors, to — among other things — do two things: send details about the search warrants to investigate him, as well as yet more classified information, to third parties.

As a result of these searches and other investigative steps, the Government discovered that Schulte had, among other things, (i) transmitted classified information to third parties, including by using an encrypted email account, and (ii) transmitted the Protected Search Warrant Materials to third parties in direct contravention of the Court’s Protective Order and the Court’s statements at the May 21 conference.

The prosecutors included a superseding indictment with their letter, adding two extra counts to his already life sentence-threatening indictment: a new Count Eleven, which is contempt of court for blowing off the protective order covering his search warrant starting in April, and a new Count Four, which is another count of transmitting and attempting to transmit unlawfully possessed national defense information (793(e)) during the period he has been in MCC.

With regards to Count Eleven, on Monday a letter Schulte sent to Judge Crotty that was uploaded briefly to PACER (I believe this is the third time Schulte has succeeded in getting such letters briefly uploaded to the docket), revealing that he had been moved to solitary, but also complaining about corrections the government had made to his original search warrant:

I beg you Judge Crotty to read the first search warrant affidavit and the government’s Brady letter; the FBI outright lied in that affidavit and now acknowledge roughly half of these lies. Literally, they [sic] “error” on seeing dates of 3/7 where there were only 3/2 dates and developing their entire predicate based on fallacious reasoning and lies. They “error” in seeing three administrators where there were “at least 5” (ie. 10). They [sic] “error” in where the C.I. was stolen who had access, and how it could be taken — literally everything.

While I absolutely don’t rule out the government either focused on Schulte back in March 2017 for reasons not disclosed in the search warrant application, or that they parallel constructed the real reasons badly (both of which would be of significant interest, but both of which his very competent public defender can deal with), the docket suggests the Vault 7 case against him got fully substantiated after the porn case, perhaps because of the stuff he did last year on Tor that got him jailed in the first place. As I noted, that Tor activity closely followed one of Julian Assange’s more pubic extortion attempts using the Vault 8 material Schulte is accused of sharing, though Assange has made multiple private extortion attempts both before and since.

Which brings me to the second new charge, transmitting and attempting to transmit national defense information to a third party, with a time span of December 2017 to October 2018. Effectively, the government claims that even after Schulte was jailed last December, he continued to share classified information.

I’m particularly interested in the government’s use of “attempted” in that charge, not used elsewhere. The time period they lay out, after all, includes a period when Ecuador restricted Julian Assange’s communication. Effectively, the government revealed on Wednesday that they have video evidence of Schulte sharing classified information with … someone.

Meanwhile, in the Ecuadoran embassy in London, things have been heating up between Assange and his hosts.

About halfway through the period after which Schulte had been put into solitary so the government could investigate a bunch of communications devices they claim they didn’t know about before around October 1, Ecuador announced what seemed to be a relaxation of restrictions on Assange, but actually was more of an ultimatum. He could have visitors, but first they’d have to apply 3 days in advance and supply their social media handles and identifying details for any devices they wanted to bring with them. Assange, too, has to register all his devices, and only use Ecuador’s wifi. If anyone uses unapproved devices, they’ll be deemed a security threat to Ecuador under the protection of the UK, basically giving the UK reason to prosecute them to protect Ecuador. Assange has to have regular medical exams; if he has a medical emergency, he’ll be treated off site. Starting on December 1, he has to start paying for food and other supplies. He has to start cleaning up the joint. He has to start taking care of his cat.

Assange immediately sued over the new rules. But he lost that suit on Monday. But even as he appeals that verdict, according to Courage Foundation, Ecuador has restricted even legal visits, something that hadn’t been the case before. Those restrictions appear to have been put in place on Wednesday, the same day the new Schulte charges were rolled out. They’ll remain in place until Monday.

A piece by Ryan Goodman and Bob Bauer renewed discussion this morning about the First Amendment limits on suing or prosecuting WikiLeaks for conspiring with Russia to swing the 2016 election; I hope to respond to it later, but wrote about the same lawsuit in this post. I think their view dangerously risks political journalism.

But I also think that you don’t necessarily need to charge WikiLeaks in the conspiracy to sustain a conspiracy charge; you can make them unindicted co-conspirators, just like Trump would be. I have long noted that you could charge Assange, instead, for his serial attempts to extort the United States, an effort that has gone on for well over 18 months using the very same files that Schulte is alleged to have leaked to WikiLeaks (extortion attempts which may also involve Roger Stone). Assange has accomplished those extortion attempts, in part, with the assistance of his lawyers, who up until this week (as far as I understand from people close to Assange) were still permitted access to him.

Say. Have I observed yet that these events are taking place in the last days before Mueller’s election season restrictions end?

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Universe of Hacked and Leaked Emails from 2016: Podesta Emails

When Mueller’s team released George Papadopoulos’ plea deal last year, I noted that the initial denials that Papadopoulos had advance warning of the emails the Russians were preparing to hack and leak did not account for the entire universe of emails known to have been stolen. A year and several Mueller indictments later, we still don’t have a complete understanding of what emails were being dealt when. Because that lack of understanding hinders understanding what Mueller might be doing with Roger Stone, I wanted to lay out what we know about four sets of emails. This series will include posts on the following:

  • DNC emails
  • Podesta emails
  • DCCC emails
  • Emails Hillary deleted from her server

The series won’t, however, account for two more sets of emails, anything APT 29 stole when hacking the White House and State Department starting in 2015, or anything released via the several FOIAs of the Hillary emails turned over to the State Department from her home server. It also won’t deal with the following:

  • Emails from two Hillary staffers who had their emails released via dcleaks
  • The emails of other people released by dcleaks, which includes Colin Powell, some local Republican parties (including some 2015 emails Peter Smith sent to the IL Republican party), and others with interests in Ukraine
  • A copy of the Democrats’ analytics program copied on AWS
  • The NGP/VAN file, which was not directly released by Guccifer 2.0, but is central to one of the skeptics’ theories about an alternative source other than Russia

Meuller remains coy about how the Podesta emails were released by WikiLeaks

My post on the DNC emails noted some timing curiosities about when and how the DNC emails got shared with WikiLeaks.

The curiosities about the Podesta emails, however, are far more important for questions about Roger Stone’s knowledge of the process.

As a number of people have observed, while Mueller’s GRU indictment provides extensive details describing how Podesta was hacked and showing that the infrastructure to hack him was used for other parts of the operation, the indictment is far more coy about how the Podesta emails got to WikiLeaks.

In or around 2016, LUKASHEV sent spearphishing emails to members of the Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.

[snip]

For example, on or about March 19, 2016, LUKASHEV and his co-conspirators created and sent a spearphishing email to the chairman of the Clinton Campaign. LUKASHEV used the account “john356gh” at an online service that abbreviated lengthy website addresses (referred to as a “URL-shortening service”). LUKASHEV used the account to mask a link contained in the spearphishing email, which directed the recipient to a GRU-created website. LUKASHEV altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as “spoofing”), instructing the user to change his password by clicking the embedded link. Those instructions were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and their co-conspirators stole the contents of the chairman’s email account, which consisted of over 50,000 emails.

[snip]

The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected] The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.

[snip]

On or about October 7, 2016, Organization 1 released the first set of emails from the chairman of the Clinton Campaign that had been stolen by LUKASHEV and his co-conspirators. Between on or about October 7, 2016 and November 7, 2016, Organization 1 released approximately thirty-three tranches of documents that had been stolen from the chairman of the Clinton Campaign. In total, over 50,000 stolen documents were released.

Mueller’s silence, thus far, about how the Podesta emails got shared with WikiLeaks is intriguing for several reasons, even aside from the fact that (as noted in the last post) the first documents Guccifer 2.0 shared were billed as DNC emails but (as far as have been identified) are actually Podesta ones. Perhaps Mueller doesn’t know how those emails were passed on. Perhaps the sources and methods by which the FBI learned about how they were shared are too sensitive to put in an indictment. Perhaps Mueller has reserved that story for a later indictment.

The August to September timing on receipt of the emails

The publicly known timing is no more clear.

The Roger Stone tweet on which suspicions of advance knowledge of WikiLeaks’ releases rest — warning “Trust me, it will soon [sic] the Podesta’s time in the barrel” — is dated August 21, 2016.

That date is significant, because it’s not at all clear WikiLeaks had the Podesta emails by that point (and if so, may have just obtained them).

Raffi Khatchadourian cites a WikiLeaks staffer saying they received the emails in “late summer” but also points to an August 24 Fox News interview where Assange described processing “a variety of documents, from different types of institutions that are associated with the election campaign,” which doesn’t necessarily narrow down those emails to Podesta’s.

A pattern that was set in June appeared to recur: just before DCLeaks became active with election publications, WikiLeaks began to prepare another tranche of e-mails, this time culled from John Podesta’s Gmail account. “We are working around the clock,” Assange told Fox News in late August. “We have received quite a lot of material.” It is unclear how long Assange had been in possession of the e-mails, but a staffer assigned to the project suggested that he had received them in the late summer: “As soon as we got them, we started working on them, and then we started publishing them. From when we received them to when we published them, it was a real crunch. My only wish is that we had the equivalent from the Republicans.”

As we’ll see later in this series, there was more certainty that by August 24 WikiLeaks had other hacked emails than that they had Podesta’s.

Khatchadourian also notes that the raw files are all dated September 19 and describes Assange “weaponizing” the release of the data a week or two before the files were released starting on October 7.

All of the raw e-mail files that WikiLeaks published from Podesta’s account are dated September 19th, which appears to indicate the day that they were copied or modified for some purpose. Assange told me that in mid-September, a week or two before he began publishing the e-mails, he devised a way to weaponize the information. If his releases followed a predictable pattern, he reasoned, Clinton’s campaign would be able to prepare. So he worked out an algorithm, which he called the Stochastic Terminator, to help staff members select e-mails for each day’s release. He told me that the algorithm was built on a random-number generator, modified by mathematical weights that reflected the pattern of the news cycle in a typical week. By introducing randomness into the process, he hoped to make it impossible for the Clinton war room “to adjust to the problem, to spin, to create antidote news beforehand.”

That timing lines up in interesting ways with the date when retired British diplomat Craig Murray claims he got a handoff of something (he’s never explained precisely what it was, though it sounded like it could be an encryption key) relating to the Podesta emails when he was in DC to attend the Sam Adams Award ceremony on September 25.

All of which suggests significant events relating to the transfer to WikiLeaks and preparation of the Podesta emails happened after the Stone tweet.

Still later, according to a recent WSJ report, Peter Smith indicated that he knew Podesta emails were coming ahead of time (the reporting is not clear whether this was before or after the fact).

The person familiar with Mr. Smith recalled him repeatedly implying that he knew ahead of time about leaks of Mr. Podesta’s emails.

That claim is all the more interesting when you tie it to the email shared with Smith via foldering on October 11, seemingly reflecting happiness about emails already released, which would seem to point to the Podesta emails that started to drop four days earlier.

“[A]n email in the ‘Robert Tyler’ [foldering] account [showing] Mr. Smith obtained $100,000 from at least four financiers as well as a $50,000 contribution from Mr. Smith himself.” The email was dated October 11, 2016 and has the subject line, “Wire Instructions—Clinton Email Reconnaissance Initiative.” It came from someone calling himself “ROB,” describing the funding as supporting “the Washington Scholarship Fund for the Russian students.” The email also notes, “The students are very pleased with the email releases they have seen, and are thrilled with their educational advancement opportunities.”

The email apparently linking the contemporaneous release of the Podesta emails to a future hoped for release of deleted Hillary ones is significant for several reasons. First, it shows that other geriatric rat-fuckers, in addition to Stone, linked the two. The reflection of pleasure with emails on October 11 is significant given that that was the day WikiLeaks released two Podesta emails Smith associate Jerome Corsi and Stone would use to advance an attack on Podesta pertaining to his ties with Joule Unlimited, an attack that the right wing had been pushing since August (and working on since March). The WSJ notes that both Corsi and Charles Ortel (to the latter of whom Stone now ties some of his WikiLeaks claims) were tied to both Smith and Stone, though Stone claims to have been unaware of the Smith effort.

Stone’s three different explanations for his tweet and the import of Joule emails

In this post, I looked in detail at how epically shitty Stone’s current excuse for his August 21 Podesta tweet is. Over time, Stone has basically offered at least three excuses for it.

First he adopted an explanation offered in March 2017 by Jerome Corsi. In that explanation, Corsi basically conflated two efforts: an attack on John Podesta based on his service on the board of Joule Unlimited from 2010 to 2014, and an effort to respond to mid-August reports on Paul Manafort’s corrupt ties to Russia by focusing instead on Tony Podesta.

The Joule attack research was started (per web access dates recorded in this report) two days before Podesta was spearphished, on March 17, and first rolled out publicly in a Steve Bannon-affiliated Government Accountability Insitute report on August 1.  Corsi and Stone resuscitated the attack starting on October 6 (the day before the Podesta emails started coming out), seemingly correctly anticipating the WikiLeaks email releases that Stone and Corsi would use to advance the attack.

The Corsi explanation that Stone once adopted conflated that attack with a report that Corsi did for Stone (starting at PDF 39), which largely projected onto Tony Podesta the corrupt ties to Ukraine and Russia that Paul Manafort had; the report only tangentially focused on John. The date on the Corsi report is August 31, ten days after Stone’s tweet, but Corsi claims he and Stone started it on August 14.

Stone offered a slightly different explanation when he testified under oath to the House Intelligence Committee. There, he generalized the attack on “the Podesta brothers” and attributed his tweet to “early August” discussions about the August 31 Corsi report. In his prepared statement, he made no mention of Joule.

In the wake of Corsi’s interview on September 6 and grand jury appearance on September 21 (in conjunction with which he reportedly shared a bunch of documents that would substantiate when he and Stone were talking about Joule and when about Tony Podesta), Stone changed his tune again, now only admitting publicly for the first time that Charles Ortel forwarded him an email showing James Rosen promising “a massive dump of HRC emails relating to the CF in September,” but also attributing any August 14 interest to something besides Corsi, a Breitbart post that may be this one.

Stone, however, says that the tweet was based on “an August 14th article in Breitbart News by Peter Schweitzer that reported that Tony Podesta was working for the same Ukrainian Political Party that Paul Manafort was being excoriated for,” and that “the Podesta brothers extensive business dealings with the Oligarchs around Putin pertaining to gas, banking and uranium had been detailed in the Panama Papers in April of 2016.”

Stone’s explanations seem to attempt to do three things:

  • Provide non-incriminating explanations for any foreknowledge of WikiLeaks — first pointing to Randy Credico and now to James Rosen
  • Offer explanations for discussions about Podesta that he may presume Mueller has that took place around August 14
  • Shift the focus away from Joule and the remarkable prescience with which the right wing anticipated that WikiLeaks would be able to advance an attack first rolled out on August 1

With that in mind, I find the timeline of Stone’s tweets mentioning either Podesta instructive. It shows Stone never mentioned either brother until August 15 — the day after the first of the stories on Manafort’s Ukraine corruption and after that August 14 date he seems so worried about. That tweet, “@JohnPodesta makes @PaulManafort look like St. Thomas Aquinas Where is the @NewYorkTimes?” may prove as interesting as the August 21 one.

Stone mentioned John Podesta again in that August 21 tweet.

Then he remained silent on Twitter about Clinton’s campaign chairman until the day after the Podesta emails started coming out, whereupon Stone started claiming that Podesta had been money laundering for Russia.

Stone’s first tweet as the Podesta emails dropped pointed back to an earlier Corsi post reporting that the Podesta Group was also under investigation. That same day, he pointed to the Corsi post that seemed to anticipate the Joule attack would be returning. Yet, in an interview done after the release on October 11 of the Podesta emails that both he and Corsi would later rely on to extend the Joule attack, Stone made no mention of those emails or the Joule attack. By the next day, however, Stone was relying on (but not linking) those emails.

In other words, at least as measured by his Twitter feed, Stone was uninterested in the Joule attack when it came out in August. He didn’t mention it at all in his two Podesta tweets that month (nor does he in his currently operative explanation). But he did become interested in the story in advance of the release of emails by WikiLeaks pertaining to the attack.

This is probably a good time to recall that many of the Stone associates Mueller has interviewed did research for Stone, and others had access to his social media accounts. Note that even this selection of his tweets show the use of multiple clients — Twitter Web Client, Tweetdeck, and Twitter for iPhone — that may reflect different people posting from his account.

Stone’s claims about WikiLeaks — and his outreach to Guccifer 2.0 — took place as Manafort started to panic about his own Russian ties

Given some of Stone’s explanations (and his apparent concern with offering some explanation for discussions about Podesta on August 14), I also find it notable the way this timeline overlaps with Manafort’s increasingly desperate efforts to stave off bankruptcy even while working for Trump for “free.” Part of those efforts, of course, involved criminal efforts to hide his ties to Russia in the wake of reporting on those ties in mid-August.

It’s unclear when Manafort knew for sure his ties with Russia would blow up. In the wake of the first WikiLeaks dump on July 27, he got asked about his and Trump’s ties to Russia, a question he struggled with before responding by pointing to Hillary’s deleted emails. In spite of the risk of his own Russian ties, Manafort met on August 2 with Konstantin Kilimnik, talking (among other things) about unpaid bills and the presidential election. Sometime in early August, in advance of the first NYT story substantiating his Russian ties, he was reportedly blackmailed over the secret ledgers of his work with Ukrainian oligarchs.

Remarkably, just as attention to Trump and Manafort’s ties to Russia started becoming an issue, Republicans had that GAI report insinuating a tie between Hillary and Russia all ready to go on August 1. That insinuation went through John Podesta and his ties to Joule. Before laying out that relationship, however, the GAI report suggested there must be more dirt on the topic in the emails Hillary deleted.

More recently, in January, 2015, Podesta became the campaign chairman of Hillary Clinton’s campaign for the 2016 presidential bid.85

During Hillary Clinton’s tenure as Secretary of State, he was in regular contact with her and played an important role in shaping U.S. policy. For one thing, he sat on the State Department’s Foreign Affairs Policy Board, appointed by Hillary. (The board was established in December 2011.)86

The full extent of Podesta’s email communication cannot ultimately be known because Hillary Clinton deleted approximately half of her emails after she left the State Department.

So along with everything else the report did, it built expectations that Hillary’s deleted emails would reveal secret dirt about Russia she was suppressing to win the campaign.

By the time the report came out, we know that Stone was already interested in what WikiLeaks might have, as Charles Ortel BCCed him on an email suggesting that WikiLeaks had Clinton Foundation emails to dump in September in late July.

Then, precisely as the Russian attack on Podesta was rolling out, Stone flip-flopped on his claimed belief about who hacked Hillary Clinton. Between August 1 and August 5, on the same days he was claiming to have dined with Julian Assange when he was instead in Southern California meeting his dark money associates, he started claiming that Guccifer 2.0 was just a hacktivist, not Russians. That stated belief has always been central to his claims not to have conspired with Russia.

In significant part because he flip-flopped publicly, he and Guccifer 2.0 started communicating, first about Stone’s claim that Guccifer 2.0 had nothing to do with Russia, then about Guccifer 2.0 being shut down on Twitter:

August 12: Guccifer 2.0:   thanks that u believe in the real

August 13: Stone: @WL @G2 Outrageous! Clintonistas now nned to censor their critics to rig the upcoming election.

Stone: @DailyCaller Censorship ! Gruciffer2 is a HERO.

August 14: Guccifer 2.0 Here I am! They’ll have to try much harder to block me!

Stone: First #Milo, now Guccifer 2.0 – why are those exposing the truth banned? @RealAlexJones @infowars #FreeMilo

Stone: @poppalinos @RealAlexJones @infowars @GUCCIFER_2 Thank You, SweetJesus. I’ve prayed for it.

That’s when Stone moved their conversations to DM.

That conversation, including Guccifer 2.0’s question whether Stone found “anything interesting in the docs I posted?” (which, in public context at least, would refer to some DCCC documents Guccifer had posted on WordPress on August 12) took place even as Stone was continuing to speak about knowing what was in the next WikiLeaks dump and as he responded badly to his childhood friend becoming the target of NYT’s attention on August 14.

As noted, Stone seems to be struggling to answer why he was discussing John Podesta on August 14.

To be sure, Stone was talking to Corsi on August 14 or 15. On August 15, Corsi published an interview with Stone, in which he claimed to have been badly hacked and described what he expected would come next from WikiLeaks.

But nothing in the interview mentions Podesta.

Stone’s descriptions of what WikiLeaks might dump next in that interview could reflect the BCCed James Rosen email reporting that WikiLeaks would dump Clinton Foundation documents in September, but the information he laid out went far beyond that email (and promised an October surprise, not a September dump).

“In the next series of emails Assange plans to release, I have reason to believe the Clinton Foundation scandals will surface to keep Bill and Hillary from returning to the White House,” he said.

[snip]

In a speech Southwest Broward Republican Organization in Florida, published Aug. 9 by David Brock’s left-wing website Media Matters, Stone said he had “communicated with Assange.”

“I believe the next tranche of his documents pertain to the Clinton Foundation, but there is no telling what the October surprise may be,” he said.

Stone told WND that Assange “plans to drop at various strategic points in the presidential campaigns Hillary Clinton emails involving the Clinton Foundation that have yet to surface publically.”

“Assange claims the emails contain enough damaging information to put Hillary Clinton in jail for selling State Department ‘official acts’ in exchange for contributions to the Clinton Foundation and as a reward for Clinton Foundation donors becoming clients of Teneo, the consulting firm established by Bill Clinton’s White House ‘body man’ Doug Band,” he said.

That same day, August 15, is the first time Stone ever mentioned Podesta on Twitter.

Stone claims (and claimed, in sworn testimony) that his focus on John Podesta was a response to the allegations against Manafort. That makes the confluence of all these events all the more interesting.

Corsi’s lawyer claims he avoided criminal liability

As noted above, Jerome Corsi has explained what he knows of all this in a September 21 grand jury appearance, a grand jury appearance that Mueller seems to have been working towards since having Ted Malloch questioned way back in March.

In advance of that testimony, Corsi’s attorney David Grey seemed to suggest that Corsi declined to participate in certain activities involving Stone that might have exposed him to criminal liability.

Gray said he was confident that Corsi has done nothing wrong. “Jerry Corsi made decisions that he would not take actions that would give him criminal liability,” he added, declining to elaborate.

Asked if Corsi had opportunities to take such actions, Gray said, “I wouldn’t say he was offered those opportunities. I would say he had communications with Roger Stone. We’ll supply those communications and be cooperative. My client didn’t act further that would give rise to any criminal liability.”

But Mueller is apparently now chasing down Corsi’s associates.

FBI agents have recently been seeking to interview Corsi’s associates, according to the person.

One other key player in the Podesta hand-off conflated the Podesta brothers

The close ties between how Stone focused on both Podesta brothers in response to the public allegations against Manafort is interesting for another reason.

Former Ambassador Craig Murray, the only one not denying some role in the handoff of the Podesta emails (again, he has said he didn’t get the emails themselves, which he believed were already with WikiLeaks, but something associated with them).

Murray told Scott Horton that his source had obtained whatever he received from a figure in American national security with legal access to the information.

[H]e says “The material was already, I think, safely with WikiLeaks before I got there in September,” though other outlets have suggested (with maps included!) that’s when the hand-off happened. In that account, Murray admits he did not meet with the person with legal access; he instead met with an intermediary.

But the explanation of his source’s legal access and motivation not only doesn’t make sense, but seems to parrot what Stone was saying at the time.

I also want you to consider that John Podesta was a paid lobbyist for the Saudi government — that’s open and declared, it’s not secret or a leak in a sense. John Podesta was paid a very substantial sum every month by the Saudi government to lobby for their interests in Washington. And if the American security services were not watching the communications of the Saudi government paid lobbyist then the American intelligence services would not be doing their job. Of course it’s also true that the Saudis’ man, the Saudis’ lobbyist in Washington, his communications are going to be of interest to a great many other intelligence services as well.

As Stone did, this conflates John and Tony. It wrongly suggests that US national security officials would be collecting all of Tony Podesta’s emails, or that collecting on Tony would obtain all of John’s emails. All the more interesting, this conflation would have come in a period when Manafort’s lifelong buddy, Stone, was trying to distract attention from Manafort’s own corruption — which included telling Tony not to disclose the influence-peddling he had done for Manafort in the legally required manner — by projecting Manafort’s corruption onto Tony.

One more point about Murray. Murray has ties (including through the Sam Adams Association the awards ceremony for which he was in DC attending) to NSA whistleblowers Bill Binney (Murray received the award in 2005 and Binney received it in 2015) and Kirk Wiebe. This claim that US law enforcement would collect everything (including Hillary’s deleted emails) is the kind of line that Binney was pushing at the time, including to Andrew Napolitano, who was CCed on the email Stone received about WikiLeaks’ plans in July. Napolitano is one of the people who has championed that Binney line about the hack.

In other words, it’s not just that Murray was telling a similar story as Stone, even though they’re politically very different people. It’s that he was not that distant from the network of Republicans talking about what WikiLeaks might have had.

Update: Emma Best just wrote up something she’s been tracking for some time: there are four different numbers on how many Podesta mails there are.

WikiLeaks’ own data gives us five different totals for the number of Podesta emails:

  1. 50,866
  2. 57,153
  3. 58,660
  4. 59,258
  5. 59,188

The two most authoritative answers to the question come from WikiLeaks and the Special Counsel’s office, and both indicate that the total exceeded 50,000. While WikiLeaks’ stated there were “well over 50,000” emails, the Special Counsel’s indictment simply said that “over 50,000 stolen documents were released.” Since “documents” can be construed to include both the emails and their various attachments, the SC’s total is even more vague and less definitive than WikiLeaks’.

Ultimately, he best answer to the question of how many Podesta emails there are appears to be 59,188.

This raises the possibility that Stone or Corsi saw copies that WikiLeaks didn’t publish. Mueller’s distinction between how many emails were stolen and how many released suggests FBI may know what WikiLeaks chose not to public, if in fact they did.

Timeline

July 18-21: Stone meets Nigel Farage while at RNC

July 25: Stone gets BCCed on an email from Charles Ortel that shows James Rosen reporting “a massive dump of HRC emails relating to the CF in September;” Stone now claims this explains his reference to a journalist go-between

July 27: Paul Manafort struggles while denying ties to Russia, instead pointing to Hillary’s home server

July 31: GAI report on From Russia with Money claiming Viktor Vekselberg’s Skolkovo reflects untoward ties; it hints that a greater John Podesta role would be revealed in her deleted emails and claims he did  not properly disclose role on Joule board when joining Obama Administration

August 1: Steve Bannon and Peter Schweitzer publish a Breitbart version of the GAI report

August 1: Stone NYC > LA

August 2: Manafort and Konstantin Kilimnik meet in the Grand Havana Room in Jared’s 666 Park Avenue and “talked about bills unpaid by our clients, about [the] overall situation in Ukraine . . . and about the current news,” including the presidential campaign

August 2, 2016: Stone dines with dark money funder, John Powers Middleton in West Hollywood

August 3 and 4: Manafort obtains the bio of Steve Calk, from whom he was getting a $16 million mortgage in tacit exchange for a role in the Trump administration

August 3: Stone claims to Sam Nunberg to have dined with Assange

August 3-4: Stone takes a red-eye from LAX to Miami

August 4: Stone flip-flops on whether the Russians or a 400 pound hacker are behind the DNC hack and also tells Sam Nunberg he dined with Julian Assange; first tweet in the fall StopTheSteal campaign

August 5: Trump names Calk to his advisory committee

August 5: Stone column in Breitbart claiming Guccifer 2.0 is individual hacker

August 7: Stone starts complaining about a “rigged” election, claims that Nigel Farage had told him Brexit had been similarly rigged

August 8: Stone tells Broward Republicans he has communicated with Assange, expects next tranche to pertain to Clinton Foundation

August 10: Manafort tells his tax preparer that he would get $2.4 million in earned income collectable from work in Ukraine in November

August 10: Stone asserts that Hillary’s deleted emails will be coming out

Early August: Manafort gets blackmail threat pertaining to secret ledgers

August 12: Guccifer 2.0 publicly tweets Stone

August 13: Stone claims to have been hacked

August 14: NYT publishes story on secret ledgers

August 14: Stone DMs Guccifer 2.0

August 14: Corsi claims to have started research on response to NYT story

August 14: Breitbart piece suggesting NYT was ignoring Hillary’s own ties to Russia; this may be Stone’s latest explanation for interest in Podesta on that date

August 15: Manafort and Gates lie to the AP about their undisclosed lobbying, locking in claims they would make under oath later that fall

August 15: In first tweet mentioning John Podesta, Stone claims John Podesta “makes Paul Manafort look like St. Thomas Aquinas”

August 15: Corsi reports Stone’s prediction that WikiLeaks will release deleted Hillary emails (also reports on claimed hack)

August 17: AP publishes story on Manafort’s unreported Ukraine lobbying, describing Podesta Group’s role at length

August 17: Trump adds Steve Bannon and Kellyanne Conaway to campaign leadership team (Manafort’s daughter claims he hired them)

August 19: Manafort resigns from campaign

August 21: Stone tweets it will soon be Podesta’s time on the barrel

August 26: Rebekka Mercer asks Alexander Nix whether Cambridge Analytica or GAI could better organize the leaked Hillary emails

September 12: Following further reporting in the Kyiv Post, Konstantin Kilimnik contacts Alex Van der Zwaan in attempt to hide money laundering to Skadden Arps

September 28: Corsi post (later linked on Twitter by Stone) noting that Podesta Group also under investigation

October 6: Corsi repeats the Joule/GAI claims

October 11: Release of Podesta email allegedly backing Joule story (December 31, 2013 resignation letter, January 7, 2014 severance letters)

October 11: Foldering email among Peter Smith operatives that may included coded satisfaction with emails released thus far

October 12: Roger Stone interview with the Daily Caller responding to Podesta’s allegations he knew of release in advance, which makes no mention of Joule attack

October 13: In response to accusations he knew of Podesta emails in advance, Stone repeats Joule story falsely claiming this WikiLeaks email, released October 11, substantiates it; Corsi also posts a story on Joule, like Stone not linking to the underlying WikiLeaks emails

October 17: Corsi post that actually links the WikiLeaks releases relied on in his and Stone’s October 13 posts

October 30: Additional Joule letter (including actual transfer signatures) released

October 31: Additional Joule letter released

November 1: Additional Joule letter released

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Universe of Hacked and Leaked Emails from 2016: DNC Emails

When Mueller’s team released George Papadopoulos’ plea deal last year, I noted that the initial denials that Papadopoulos had advance warning of the emails the Russians were preparing to hack and leak did not account for the entire universe of emails known to have been stolen. A year and several Mueller indictments later, we still don’t have a complete understanding of what emails were being dealt when. Because that lack of understanding hinders understanding what Mueller might be doing with Roger Stone, I wanted to lay out what we know about four sets of emails. This series will include posts on the following:

  • DNC emails
  • Podesta emails
  • DCCC emails
  • Emails Hillary deleted from her server

The series won’t, however, account for two more sets of emails, anything APT 29 stole when hacking the White House and State Department in 2015, or anything released via the several FOIAs of the Hillary emails turned over to the State Department from her home server. It also won’t deal with the following:

  • Emails from two Hillary staffers who had their emails released via dcleaks
  • The emails of other people released by dcleaks, which includes Colin Powell, some Republican party officials (including some 2015 emails Peter Smith sent to the IL Republican party), and others with interests in Ukraine
  • A copy of the Democrats’ analytics program copied on AWS
  • The NGP/VAN file, which was not directly released by Guccifer 2.0, but is central to one of the skeptics’ theories about an alternative source other than Russia

DNC Emails

The “DNC emails” are generally thought of as the 44,000 emails WikiLeaks released on July 22, 2016. The GRU indictment describes the theft and conveyance of those emails this way:

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

[snip]

On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc link1.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

On or about July 22, 2016, Organization 1 released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server.

Raffi Khatchadourian (who has done as much work as anyone else on the known universe of emails) noted that by the time the July 14 exchange had happened, Julian Assange had already said he had emails and Guccifer 2.0 had already said he had shared them with WikiLeaks.

On June 12th, three days before the creation of Guccifer 2.0, Assange announced that he had a substantial trove of Clinton-related e-mails that were pending publication. Likewise, Guccifer 2.0 proclaimed, on its very first post on the WordPress site, “The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon.” Again and again, the G.R.U. officers tried to drive home this point—which, of course, was evidently the main point of creating the persona. “I sent a big part of docs to WikiLeaks,” Guccifer 2.0 told the editor of the Smoking Gun that same day. On June 17th, Guccifer 2.0 said in another e-mail, “I gave WikiLeaks the greater part of the files.” (For e-mail, the G.R.U. gave Guccifer 2.0 another fake identity: Stephan Orphan.)

In other words, both the G.R.U. and Assange appear to have confessed to the transmission and reception of a large trove of Clinton-related e-mails in mid-June, before Guccifer 2.0 was apparently created. The indictment does not address this. There is no way to say precisely what that trove was—if it was the Podesta archive given to WikiLeaks much earlier than is generally presumed, or the D.N.C. e-mails, or both, or something else. (There is also the possibility that both parties were not speaking truthfully.) But, if Assange did have the D.N.C. e-mails before Guccifer 2.0 was created, then the details in the indictment take on new meaning. Some version of the following may be true: it is mid-June, with the convention approaching, and Assange is about to release a bombshell, when he notices the sudden appearance of Guccifer 2.0, a “hacker” edging into his turf, inviting journalists to write in. So he writes in, asking for material that interests him. He has already gone through the D.N.C. e-mails and has recognized that the trove highlights conflict within the Democratic Party. He signals that he wants more on that specific issue. The G.R.U. is happy to comply, through its new cutout. Perhaps some of it overlaps with what the G.R.U. already provided, making Guccifer 2.0’s confessions literally accurate. Perhaps it is the same irrelevant dross that Guccifer 2.0 fed to others.

Last year, I visited Assange several times in the Ecuadorian Embassy in London. He often emphasized to me that the sourcing of his election publications was complex. I usually took this as a dodge. But the sourcing may indeed have been multilayered. There are many conceivable ways that G.R.U. officers could have provided e-mails to WikiLeaks before they created Guccifer 2.0. They could have used the WikiLeaks anonymous-submission system. They could have used a different fictitious online persona. They could have used a human intermediary. Last year, James Clapper told me, “It was done by a cutout, which of course afforded Assange plausible deniability.” In January, 2017, Clapper oversaw a formal intelligence assessment on Russian meddling. At the time, more than one news organization reported that a classified version of the assessment made clear that the intermediaries between the G.R.U. and WikiLeaks were already known. (Certainly, the intelligence community would also have been in possession of Guccifer 2.0’s Twitter D.M.s at that time, too.) One intelligence official, describing the report, indicated to Reuters last year that the e-mails relayed to WikiLeaks had followed a “circuitous route,” by a series of handoffs, on their journey from Moscow. Such a scenario seems to be at odds with the idea that Guccifer 2.0 merely sent WikiLeaks an encrypted link to download it all in one swoop.

An earlier Khatchadourian piece describes WikiLeaks experiencing some pressure to publish before the convention.

In early July, for example, Guccifer 2.0 told a Washington journalist that WikiLeaks was “playing for time.” There was no public evidence for this, but from the inside it was clear that WikiLeaks was overwhelmed. In addition to the D.N.C. archive, Assange had received e-mails from the leading political party in Turkey, which had recently experienced a coup, and he felt that he needed to rush them out. Meanwhile, a WikiLeaks team was scrambling to prepare the D.N.C. material. (A WikiLeaks staffer told me that they worked so fast that they lost track of some of the e-mails, which they quietly released later in the year.) On several occasions, and in different contexts, Assange admitted to me that he was pressed for time. “We were quite concerned about meeting the deadline,” he told me once, referring to the Democratic National Convention.

His original release date for the D.N.C. archive, he explained, was July 18th, the Monday before the Convention; his team missed the deadline by four days. “We were only ready Friday,” he said. “We had these hiccups that delayed us, and we were given a little more time—” He stopped, and then added, strangely, “to grow.”

Khatchadourian’s earlier mention of a July 18 deadline is quite interesting, given the response from WikiLeaks to a Guccifer 2.0 email, promising to publish that week, on the 18th.

Khatchadourian also describes WikiLeaks as doing significant work to verify the emails — more than they could have done in the time between July 14 and July 22.

Once they were in Assange’s hands, his overriding concern was to insure that they were genuine. “We had quite some difficulties to overcome, in terms of the technical aspects, and making sure we were comfortable with the forensics,” he recalled. As an Australian, he had only a vague grasp of the way the D.N.C. operated, which made deciphering the political significance of the e-mails difficult. “It’s like looking at a very complex Hieronymus Bosch painting from a distance,” he told me. “You have to get close and interact with it, then you start to get a feel.” Often, a first encounter with a WikiLeaks database submission can be overwhelming—as one former staffer told me, “My heart sinks a bit.”

To work on the material, Assange had to coördinate with operatives outside the building, and avoid surveillance inside it. “I have a lot of security issues in the Embassy,” he told me. “It’s not like you can be comfortable with your source material and read it.” He would not tell me how many people worked on the project, except that the number was small. “We’re all secret squirrels now,” he said.

All this raises questions about how much verification WikiLeaks did, and if instead this was a tale told to Khatchadourian, not to mention why they had confidence publishing them would not blow up on them.

Now, I have suggested that one possible second source of the emails — or at least one alternate explanation that Russia and WikiLeaks might claim that could provide GRU some plausible deniability — would be via the contents of email boxes stolen using passwords released just before the DNC hack from Yevgeniy Nikulin’s past hacks of Linked-In and MySpace. Nikulin has utterly stalled his prosecution until February by refusing not only to cooperate with his defense (though he has had repeated contacts from Russian diplomatic officials), but also with a competency evaluation. So we won’t learn anything (and Nikulin won’t be coerced to cooperate) anytime soon as a result of his extradition to the US.

But, as part of an effort to track changes to WikiLeaks’ website and the DNC emails, Emma Best identified what at first appeared to be a change in one email but ultimately just revealed that the cache includes both the sent and received copies of some emails.

After pointing this out on Twitter and listing the 36 known instances, one user checked a copy of the DNC emails they had retrieved months before. They found what appeared to be a modification to the email – a missing piece of metadata that identified the internal IP address that sent the email. After several hours of searching and comparing five different caches of DNC emails, the difference was both confirmed and explained – WikiLeaks’ copy of the DNC emails comes from several accounts, which resulted in some duplicates in their cache. The internal message ID for the duplicates would be the same, but differences in metadata would appear based on whether the email was being sent or received, and in the case of the former what device and client was sending the emails. Since the x-originating-ip metadata which seemed to appear and then disappear is added by the server when it’s sent, it would naturally be missing from the sender’s copy of the email. This addresses the most alarming question regarding the DNC emails, but does nothing to address the rest.

There are reasons to believe that this means the email in question comes from the Microsoft Exchange server and not from someone’s own mailbox (Update: though I may be 100% wrong on this point). Which, if my speculation that WikiLeaks might invoke the Nikulin alternate theory, might still show Assange got the emails in one batch early on, but then published what he got via the delivery identified in the indictment and didn’t spend much time vetting that delivery.

Meanwhile, it’s crucial to note, as Khatchadourian does in his earlier piece, that emails Guccifer 2.0 claimed were DNC documents when he released them the day after the WaPo revealed the DNC had been hacked didn’t come from the DNC; those that have been identified came, instead, from John Podesta. It wasn’t until July 6 that the Guccifer 2.0 documents billed as DNC ones actually were.

But then, on July 6th, just before Guccifer 2.0 complained that WikiLeaks was “playing for time,” this pattern of behavior abruptly reversed itself. “I have a new bunch of docs from the DNC server for you,” the persona wrote on WordPress. The files were utterly lacking in news value, and had no connection to one another—except that every item was an attachment in the D.N.C. e-mails that WikiLeaks had. The shift had the appearance of a threat. If Russian intelligence officers were inclined to indicate impatience, this was a way to do it.

The notion that the Guccifer 2.0 persona may have — in addition to discrediting the WaPo article and providing a quick cover for the Russian attribution of the hack — served to pressure Assange to keep to some kind of July 18 deadline raises more stakes on that detail from the GRU indictment, but also may relate to the kind of signaling we saw elsewhere.

Update: I should have laid out some of the logic behind emails we’ve got. First, WikiLeaks has claimed that all the emails they have come from the “accounts” of seven identified people.

The leaks come from the accounts of seven key figures in the DNC: Communications Director Luis Miranda (10520 emails), National Finance Director Jordon Kaplan (3799 emails), Finance Chief of Staff Scott Comer (3095 emails), Finanace Director of Data & Strategic Initiatives Daniel Parrish (1742 emails), Finance Director Allen Zachary (1611 emails), Senior Advisor Andrew Wright (938 emails) and Northern California Finance Director Robert (Erik) Stowe (751 emails).

Khatchadourian says they actually come from ten accounts.

The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.)

DNC automatically deleted emails after 30 days if they weren’t specifically saved (which is where this exfiltration estimate came from, which was off from the Mueller date by a week). Emails that precede the 30 day window (so April 19 or 25) or that weren’t part of one of the identified accounts may indicate another source.

As I disclosed July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The First Amendment Wall-Splat that Anticipates Any Defense of a Trump Conspiracy or WikiLeaks Charge

Last week, lawyers from Jones Day representing the Trump campaign submitted a response to a lawsuit by two Democratic donors and a DNC employee (the case is referred to as Cockrum after donor Roy Cockrum) that presents an interesting, but imperfect, preview of any defense of a Trump conspiracy and/or a WikiLeaks charge in the election hack-and-leak.

Effectively, the Democrats attempt to hold the Trump campaign responsible for having their private information (social security numbers in the case of the donors and more personal conversations in the case of DNC employee Scott Comer) posted in the emails released by WikiLeaks on July 22, 2016. They do so by arguing that the Trump campaign conspired with agents of Russia, agreeing to provide policy considerations in exchange for the assistance presented by the email release, which therefore makes them parties to the injury associated with the hack-and-leak.

The campaign isn’t responsible for information released as part of their conspiracy because the First Amendment protects it

In response, the Trump campaign (represented by Jones Day, and therefore by more competent lawyers than some of the clowns representing the president in the Mueller investigation) only secondarily deny the campaign entered into a conspiracy with the Russians as governed by the laws invoked by plaintiffs (you should not take this emphasis as admission of guilt in a conspiracy, but rather the most efficacious way of defeating the lawsuit). As a primary defense, they point to First Amendment precedent to argue two things: First, the campaign can’t be held responsible for the theft of information because they only sought the dissemination of already stolen documents — they had nothing to do with the theft of the documents, the campaign argues.

In Bartnicki v. Vopper, 532 U.S. 514 (2001), the Supreme Court held that the First Amendment protects a speaker’s right to disclose stolen information if (1) the speaker was “not involved” in the acquisition and (2) the disclosure deals with “a matter of public concern.” Id. at 529, 535. There, union leaders spoke on the phone about using violence against school-board members to influence salary negotiations. Id. at 518–19. An unknown person secretly intercepted the call and shared the illegal recording with a local radio host, who played it on his show. Id. at 519. The Court ruled that the First Amendment protected the radio broadcast, because the host “played no part in the illegal interception” and “the subject matter of the conversation was a matter of public concern.” Id. at 525. The Court reasoned that “state action to punish the publication of truthful information seldom can satisfy constitutional standards.” Id. at 527. The state has an interest in deterring theft of information, but it must pursue that goal by imposing “an appropriate punishment” on “the interceptor”—not by punishing a speaker who was “not involved in the initial illegality.” Id. at 529. The state also has an interest in protecting “privacy of communication,” but “privacy concerns give way when balanced against the interest in publishing matters of public importance.” Id. at 533–34. In short, “a stranger’s illegal conduct does not suffice to remove the First Amendment shield from speech about a matter of public concern.” Id. at 535.

“An opposite rule”—under which a speaker may be punished for truthful disclosures on account of a “defect in the chain of title”—“would be fraught with danger.” Boehner v. McDermott, 484 F.3d 573, 586 (D.C. Cir. 2007) (opinion of Sentelle, J., joined by a majority of the en banc court). “U.S. newspapers publish information stolen via digital means all the time.” Jack L. Goldsmith, Uncomfortable Questions in the Wake of Russia Indictment 2.0 (July 16, 2018).1 Indeed, they “openly solicit such information.” Id. Punishing “conspiracy to publish stolen information” “would certainly narrow protections for ‘mainstream’ journalists.” Id.

The Campaign satisfies the first part of Bartnicki’s test: It “played no part in the illegal interception.” Bartnicki, 532 U.S. at 525. That is clear from Plaintiffs’ factual theory: “Defendants entered into an agreement with other parties, including agents of Russia and WikiLeaks, to have information stolen from the DNC publicly disseminated in a strategic way.” (Am. Compl. ¶ 16) (emphasis added). The complaint reinforces that theory on every page: “the publication of hacked information pursuant to the conspiracy” (id. ¶ 20); “conspiracy … to disseminate information” (id. ¶ 78); “extracting concessions … in exchange for the dissemination of the information” (id. ¶ 149); “an agreement to disseminate the hacked DNC emails”) (id. at 42); “motive to coordinate regarding such dissemination” (id. ¶ 153); “an agreement regarding the publication” (id. ¶ 154); “agreed … to publicly disclose” (id. ¶ 296) (all emphases added).

In a key move, the response points to the chronology (they incorrectly say) the plaintiffs lay out to show that the Campaign didn’t enter into a conspiracy with the Russians until after the theft had already taken place.

That is no surprise. Given Rule 11, Plaintiffs could not have alleged the Campaign’s involvement in the initial hack. According to Plaintiffs’ own account, Russian intelligence hacked the DNC’s networks “in July 2015,” and gained access to email accounts “by March 2016.” (Id. ¶ 86.) But the Campaign supposedly became motivated to work with Russia only in “the spring and summer of 2016” (id. at 25), and supposedly entered into the agreement in “secret meetings” in “April,” “May,” “June,” and “July” 2016 (id. ¶¶ 89–104). In other words, Plaintiffs themselves say that the alleged conspiracy was formed after the hack and after the acquisition of the emails—so that the Campaign could not have participated in the initial theft.

From there, the Campaign shifts to the second part of the First Amendment argument: what they encouraged the Russians (and WikiLeaks) to publish was a matter of public concern.

The Campaign also satisfies the second part of Bartnicki’s test: the disclosure deals with “a matter of public concern.” Bartnicki, 532 U.S. at 525. Whether speech deals with issues of public concern is “a matter of law.” Snyder v. Phelps, 580 F.3d 206, 220 (4th Cir. 2009). “Speech deals with matters of public concern when it can be fairly considered as relating to any matter of political, social, or other concern to the community, or when it is a subject of legitimate news interest.” Snyder v. Phelps, 562 U.S. 443, 453 (2011) (citations and quotation marks omitted). A court applying this test must examine the “content, form, and context” of the speech. Id.

Courts judge the public character of a disclosure in the aggregate, not line by line. Regardless of whether the particular sentence complained about is itself of public concern, the disclosure is constitutionally protected if the disclosure as a whole deals with a matter of public concern. For example, in Bartnicki, leaders of a teachers’ union spoke on the phone about “blow[ing] off [school-board members’] front porches” to influence salary negotiations. 532 U.S. at 519. Even though the threat to “blow off” porches was not itself speech about public issues, the First Amendment protected the disclosure because the host made it while “engaged in debate about” teacher pay—“a matter of public concern.” Id. at 535. The “public concern” test thus turns on the broader context of the disclosure, not the nature of the specific fact disclosed.

To substantiate their “public concern” defense, the response points to (and includes as exhibits) a handful emails out of the tens of thousands dumped in just the DNC release and some bad press coverage, and argues that because WikiLeaks has a policy of not redacting emails, the information that damaged the plaintiffs just came out along with this public concern information.

These emails revealed important information about the Clinton Campaign and Democratic Party. For example:

  • The emails revealed DNC officials’ hostility toward Senator Sanders. DNC figures discussed portraying Senator Sanders as an atheist, because “my Southern Baptist peeps would draw a big difference between a Jew and an atheist.” (Ex. 1.) They suggested pushing a media narrative that Senator Sanders “never ever had his act together, that his campaign was a mess.” (Ex. 2.) They opposed his push for additional debates. (Ex. 3.) They complained that he “has no understanding” of the Democratic Party. (Ex. 4.)
  • According to The New York Times, “thousands of emails” between donors and fundraisers revealed “in rarely seen detail the elaborate, ingratiating and often bluntly transactional exchanges necessary to harvest hundreds of millions of dollars from the party’s wealthy donor class.” These emails “capture[d] a world where seating charts are arranged with dollar totals in mind, where a White House celebration of gay pride is a thinly disguised occasion for rewarding wealthy donors and where physical proximity to the president is the most precious of currencies.” (Ex. 5.)
  • The emails revealed the coziness of the relationship between the DNC and the media. For example, they showed that reporters would ask DNC to pre-approve articles before publication. (Ex. 6.) They also showed DNC staffers talking about giving a CNN reporter “questions to ask us.” (Ex. 7.)
  • The emails revealed the DNC’s attitudes toward Hispanic voters. One memo discussed ways to “acquire the Hispanic consumer,” claiming that “Hispanics are the most brand loyal consumers in the World” and that “Hispanics are the most responsive to ‘story telling.’” (Ex. 8.) Another email pitched “a new video we’d like to use to mop up some more taco bowl engagement.” (Ex. 9.)

WikiLeaks, however, did not redact the emails, so the publication also included details that Plaintiffs describe as private.

In this scenario, even assuming the Trump campaign did enter a conspiracy with the Russians, the plaintiffs in this lawsuit were just collateral damage to disclosures protected by the First Amendment.

The conspiracy to hurt individual Democratic donors defense

As noted, the defense against the claim that the campaign entered into a conspiracy with the Russians is only a secondary part of the defense here. Perhaps that’s because this part of the defense is far weaker than the First Amendment part.

As part of it, the response notes that the plaintiffs would have had to enter into a conspiracy with the goal and the state of mind laid out by the two laws primarily cited by plaintiffs, to intimidate voters and to intentionally inflict harm on plaintiffs. Once again, this part of the argument treats the plaintiffs as collateral damage to the goals of embarrassing the DNC effectuated by the publication of materials by WikiLeaks, which has a policy of not redacting anything in its releases.

Plaintiffs do not plausibly allege these states of mind. For one thing, Plaintiffs allege that the object of the purported conspiracy was to promote the Trump Campaign and to embarrass the DNC and the Clinton Campaign. (Am. Compl. ¶ 190.) They do not allege facts showing that the Campaign even knew of Mr. Comer, Mr. Cockrum, or Mr. Schoenberg, much less that Campaign officials met with Russian agents for the purpose of disclosing these individuals’ social security numbers, gossip, and stomach-flu symptoms.

For another thing, Plaintiffs fail to address (let alone refute) the “obvious alternative explanation” for the disclosure of their emails (Iqbal, 556 U.S. at 682): WikiLeaks’ “accuracy policy,” under which WikiLeaks does not redact or “tamper with” the documents it discloses. (Ex. 10.) The upshot is that Plaintiffs do not plausibly allege that the Campaign acted with the purpose of intimidating Plaintiffs; do not plausibly allege that the Campaign acted with the specific intent to disclose Plaintiffs’ allegedly private emails; and do not plausibly allege that the Campaign acted with knowledge that the WikiLeaks email collection included Plaintiffs’ allegedly private emails.

It’s the other part of the conspiracy defense where the response is dangerously weak, given the possibility that Mueller will roll out another indictment providing more detail on negotiations between the campaign and Russia (which plaintiffs could then add in an amended complaint). Here, the campaign argues only that the plaintiffs haven’t shown proof of a conspiracy because they have not yet pointed to evidence that the campaign sought the DNC emails specifically, including the details that allegedly damaged the plaintiffs.

[T]he Amended Complaint fails to plausibly allege that the Campaign conspired with or aided and abetted the publishers of the DNC emails. Plaintiffs allege a series of meetings between the Campaign and Russian agents in 2016. (Id. ¶ 15.) But Plaintiffs do not allege that any of the meetings in any way concerned the DNC emails, much less the information about Plaintiffs contained in those emails. The allegation that people met to discuss something does not raise a plausible inference that they met to discuss collaborative efforts to release specific emails hacked from the DNC to influence an election, much less to intimidate or embarrass Plaintiffs. Cf. Twombly, 550 U.S. at 567 n.12 (regular meetings do not suggest conspiracy).

This argument may be sufficient for this civil suit, but for a number of reasons, such an argument would be totally insufficient in a criminal case. For starters, there likely is evidence, not least obtained from Paul Manafort’s cooperation, that the campaign had some idea of what they might get in exchange for entering into a quid pro quo with the Russians. As it is, Jones Day is utterly silent about Don Jr’s, “If it’s what you say I love it especially later in the summer” email, which reflects some expectation, already by June 3, 2016, of what the campaign would get for entering into a conspiracy, even though plaintiffs quote it in their complaint.

But also, the conspiracy charged in a criminal indictment would allege a different goal — in part, the embarrassment of the DNC and support of the Trump campaign that the campaign response stops far short of denying. So while with respect to the suit brought by these plaintiffs, the argument that the defendants did not have the mindset of trying to intimidate voters or damage the plaintiffs, if and when Mueller charges a conspiracy, it will argue a different mind set, to defraud the US’ election integrity, in part to obtain a thing of value from the Russians. And that mindset is going to be much easier to prove.

This response does next to nothing to deny that mindset.

Instead, much later in the response (as part of an argument that plaintiffs can’t claim a conspiracy to violate campaign finance laws because the FEC preempts it), the campaign does address what might be one defense in a criminal indictment charging that the Trump team conspired with Russia with the goal of obtaining illegal campaign donations in the form of dirt on Hillary. The response argues that such released emails do not constitute a thing of value, but are instead protected political speech.

Plaintiffs in all events fail to establish a conspiracy to violate any federal campaign-finance law. Plaintiffs assert that federal law prohibits foreign nationals from making “a contribution or donation of money or other thing of value” in connection with an election, 52 U.S.C. § 30121(a), and that “Defendant’s co-conspirators … contributed a ‘thing of value’ … in the form of the dissemination of hacked private emails” (Am. Compl. ¶ 215). This assertion is incorrect. For one, there is a fundamental difference between contributing a thing of value and engaging in pure political speech. Pure political speech constitutes “direct political expression”; in contrast, “while contributions may result in political expression if spent by a candidate or association to present views to the voters, the transformation of contributions into political debate involves speech by someone other than the contributor.” Buckley v. Valeo, 424 U.S. 1, 21–22 (1976). The disclosure of information about a political party is pure political speech, not a political contribution. The disclosure itself directly expresses political messages; unlike money, it does not need to be transformed into a political message by somebody else.

For another, treating a disclosure of information as a “contribution” would violate the First Amendment. The Supreme Court has held that the First Amendment guarantees Americans the right to receive political speech from foreigners. Lamont v. Postmaster General, 381 U.S. 301, 306 (1965). Yet under Plaintiffs’ theory, it would be illegal to solicit political information from a foreign national, because the provision of such information would amount to a “contribution.” For example, “if the Clinton campaign heard that Mar-a-Lago was employing illegal immigrants in Florida and staffers went down to interview the workers, that would be a crime.” Eugene Volokh, Can it be a crime to do opposition research by asking foreigners for information? (July 27, 2017).2 “Or say that Bernie Sanders’s campaign heard rumors of some misconduct by Clinton on her trips abroad—it wouldn’t be allowed to ask any foreigners about that.” Id. The First Amendment does not tolerate such results.

This claim, if it were substantiated, would have repercussions across Mueller’s work, extending to the Internet Research Agency indictment (indeed, Concord Consulting is trying to make similar arguments, though not as brazenly suggesting that foreigners have a First Amendment right to weigh in on our elections).

Yet, as I’ve noted, Mueller has already collected evidence of how much a similar campaign to the one the Russians conducted would cost a campaign, in the form of the spooked up Psy-Group campaign offered by Israelis and Gulf supporters: $3.31 million. That is, Mueller has the evidence to show that the Russians did not just release the information, but engaged in an entire social media campaign to maximize the value of the information they released, and that information goes beyond simple publication to the stuff that political consultants charge real money for.

The other problems with this defense

There is far more to the campaign’s defense (notably, extensive arguments about whether state or federal law applies to particularly parts of the complaint, and if it’s state law, whether it’s Maryland, New Jersey, and Tennessee as plaintiffs argue, or Virginia and New York as defendants do) than what I’ve laid out, and this suit would be a challenge in any case. But there are other problems with the defense.

In a piece on this response, Floyd Abrams argues that there are key differences between the primary First Amendment precedent on which the defense relies and this case. For example, the Bartnicki case focused on material the entirety of which was in the public interest, whereas the bulk of what the Russians gave WikiLeaks is not.

[T]he entirety of the wiretapped recording in Bartnicki was of undoubted public interest while some portions of the purloined DNC documents had a special claim to being of no sustainable public interest while inflicting substantial potential privacy harm—including social security numbers sent to the DNC which WikiLeaks, as it has repeatedly chosen to do, decided to make public.

Jones Day may well realize this is a weak part of their argument, as they return to WikiLeaks’ failure to redact information that had no public interest in a number of ways. At one point, they argue that if WikiLeaks redacted information some information of public interest might get withheld as part of the process.

To establish public-disclosure liability, a plaintiff must show that the facts at issue are not “of legitimate concern to the public”—in other words, that the facts are not “of the kind customarily regarded as ‘news.’” Second Restatement § 652D & comment g. Like the First Amendment test, the tort-law test requires courts to analyze speech “on an aggregate basis.” Alvarado v. KOB-TV, LLC, 493 F.3d 1210, 1221 (10th Cir. 2007). A publisher does not have to “parse out concededly public interest information” “from allegedly private facts.” Id. That is because redactions would undermine the “credibility” of a disclosure, causing the public to doubt its accuracy. Ross v. Midwest Commc’ns, Inc., 870 F.2d 271, 275 (5th Cir. 1989). Further, requiring publishers to redact—“to sort through an inventory of facts, to deliberate, and to catalogue”—“could cause critical information of legitimate public interest to be withheld until it becomes untimely and worthless to an informed public.” Star-Telegram, Inc. v. Doe, 915 S.W.2d 471, 475 (Tex. 1995).

At another point, they argue (this is one of their most ridiculous arguments) that WikiLeaks is just an intermediary that the Russians used to post injurious messages.

Under section 230 of the Communications Decency Act (47 U.S.C. § 230), a state may impose liability on “the original culpable party who posts [tortious] messages,” but not on “companies that serve as intermediaries for other parties’ potentially injurious messages.” Zeran v. America Online, 129 F.3d 327, 330–31 (4th Cir. 1997). As a result, a website that provides a forum where “third parties can post information” is not liable for the third party’s posted information. Klayman v. Zuckerberg, 753 F.3d 1354, 1358 (D.C. Cir. 2014). Since WikiLeaks provided a forum for a third party (the unnamed “Russian actors”) to publish content developed by that third party (the hacked emails), it cannot be held liable for the publication.

And the insistence that WikiLeaks is known not to redact information may hurt the Trump campaign if it gets that far.

Abrams also points to how entering into a conspiracy might change the legal liability of the Trump campaign.

[T]he Bartnicki defendants were at all times entirely independent of the person who surreptitiously made the wiretapped recording available to it while the Trump campaign is accused in Cockrum of conspiring with its alleged Russian source after the information had been hacked to make the information public.

Even for the purpose of this lawsuit, the claim that the Trump campaign entered into a conspiracy only after the information had been hacked may not be sustainable. After all, George Papadopoulos learned the Russians were going to release emails, of some sort (even if he believed they were Hillary server emails rather than DNC ones), well before the Russians were ejected from the DNC servers a month later. The Russians first contacted the Trump campaign about this conspiracy on April 26, 2016, after they had stolen the Podesta emails in March; but the DNC emails that are the subject of this lawsuit weren’t exfiltrated, at least according to the GRU indictment, until a month later.

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees.

So Papadopoulos’ responsiveness might be enough to sustain a claim that the Trump campaign was engaged in this conspiracy before the emails in question were stolen. Indeed, this paragraph from the response (cited above) falsely claims that the plaintiffs suggested the theft ended in March.

Plaintiffs could not have alleged the Campaign’s involvement in the initial hack. According to Plaintiffs’ own account, Russian intelligence hacked the DNC’s networks “in July 2015,” and gained access to email accounts “by March 2016.” (Id. ¶ 86.) But the Campaign supposedly became motivated to work with Russia only in “the spring and summer of 2016” (id. at 25), and supposedly entered into the agreement in “secret meetings” in “April,” “May,” “June,” and “July” 2016 (id. ¶¶ 89–104). In other words, Plaintiffs themselves say that the alleged conspiracy was formed after the hack and after the acquisition of the emails—so that the Campaign could not have participated in the initial theft.

Here’s what the complaint really says:

In order to defeat Secretary Clinton and help elect Mr. Trump, hackers working on behalf of the Russian government broke into computer networks of U.S. political actors involved in the 2016 election, including the DNC and the Clinton Campaign. Elements of Russian intelligence gained unauthorized access to DNC networks in July 2015 and maintained that access until at least June 2016. By March 2016, the Russian General Staff Main Intelligence Directorate (GRU) gained unauthorized access to DNC networks, DCCC networks, and the personal email accounts of Democratic Party officials and political figures.

By May 2016, the GRU had copied large volumes of data from DNC networks, including email accounts of DNC staffers. Much of the GRU’s activity within the DNC networks took place between March and June 2016, at the very same time its agents were intensifying their outreach to and securing meetings with agents of the Trump Campaign.

[snip]

According to the indictment, “in and around April 2016, the Conspirators began to plan the release of materials stolen from the Clinton Campaign, DCCC, and DNC.” And “in or around June 2016,” when the Trump Campaign was taking meetings with Russian agents to “get information on an opponent,” the indicted Russians and their coconspirators began to “stage[] and release[]” the stolen emails.

All that said, if the plaintiffs are relying on the June 9 meeting to establish the conspiracy, or even Don Jr’s June 3 email enthusiastically responding to Rob Goldstone’s offer, the campaign can argue in this suit that the actual theft of the emails in question — the DNC emails revealing the donors social security numbers and Comer’s embarrassing comments — were, according to the public record, already stolen by the time the campaign entered into the conspiracy.

But that’s not going to work if Mueller charges a criminal conspiracy. That’s true, in part, because the criminal conspiracy would include the social media part of the Russian assistance, which continued well after the June 9 meeting (the plaintiffs here couldn’t argue the social media exploitation hurt them because the emails including the information damaging to them wasn’t promoted by Russian social media actors). It would also include the DCCC releases, which led to the provision of opposition research to Republican operatives.

Indeed, even the hacking continued after the June 9 meeting. As the plaintiffs pointed out, on July 27, Russian hackers even seemed to respond directly to Trump’s request for assistance.

191. On July 27, 2016, during the Democratic National Convention, Mr. Trump held a press conference in Florida. During his remarks, Mr. Trump called on Russia to continue its cyberattacks, stating, “Russia, if you’re listening, I hope you’re able to find the 30,000 [Secretary Clinton] emails that are missing.” Although the Trump Campaign—and later, then-White House press secretary Sean Spicer—claimed that Mr. Trump was “joking,” when Mr. Trump was asked at the time to clarify his remark and whether he was serious, Mr. Trump stated: “If Russia or China or any other country has those emails, I mean, to be honest with you, I’d love to see them.”

192. According to the July 13, 2018 indictment of twelve Russian nationals filed by the Special Counsel, agents of the Russian government attempted that same day—July 27, 2016— “to spearfish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office.” In other words, on the day that Mr. Trump publicly said that he hoped Russia would be able to find missing emails related to Secretary Clinton, Russian intelligence for the first time attempted to hack email accounts on Secretary Clinton’s own server.

That particular hack was not successful, but a hack of the Democrats’ AWS hosted analytics program in September was; see ¶34. As I understand it, the targeting of Hillary’s campaign went on in a series of waves, and those waves might be shown to correlate to Trump’s requests for assistance.

So, absent proof that someone in the campaign encouraged Papadopoulos after having learned about the emails in April, the plaintiffs in this suit will struggle to show that Russian hacking of the emails that injured them took place after Trump’s campaign entered into the conspiracy. But Mueller won’t have that problem. And all that’s before the Peter Smith operation, which asked for assistance from Guccifer 2.0 and reached out to presumed Russian hackers to obtain information from Hillary’s home server. Plus, that’s all separate from the social media campaign which continued to benefit the Trump campaign up to the election.

The ironies of a First Amendment defense

There’s a detail about this response, however, that (relying as it does on a strong First Amendment defense) deserves more attention. The response claims that the entire purpose of this suit suit is to obtain discovery on the President on a number of topics — notably his tax returns and business relationships — that Democrats have been unable to fully pursue elsewhere.

The object of this lawsuit is to launch a private investigation into the President of the United States. The Amended Complaint already foreshadows discovery into the President’s “tax returns” (Am. Compl. ¶ 238), his “business relationships” (id.), his conversations with “Director Comey” (id. ¶ 251), and on and on.

Much later, in the conspiracy section, in an argument that seems designed for Brett Kavanaugh’s review, the response argues that plaintiffs need a more plausible claim to be able to get discovery from the President.

Rule 8 requires a complaint to state a “plausible” claim for relief. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A complaint satisfies this standard if its “factual content” raises a “reasonable inference” that the defendant engaged in the misconduct alleged. Id. at 678. This requirement protects defendants against “costly and protracted discovery” on a “largely groundless claim.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 558 (2007). This protection is essential here, where Plaintiffs’ explicit goal is to burden the President with discovery. The President’s “unique position in the constitutional scheme” requires him to “devote his undivided time and attention to his public duties.” Clinton v. Jones, 520 U.S. 681, 697–98 (1997). Courts must thus ensure that plaintiffs do not use “civil discovery” on “meritless claims” to interfere with his responsibilities. Cheney v. U.S. District Court, 542 U.S. 367, 386 (2004).

It’s only after making the claim that this suit is all about obtaining public interest information such as the President’s tax returns that the campaign makes an argument justifying the release of all this information in the name of public interest.

According to the logic Jones Day lays out here, the Democrats’ mistake was in not finding foreign hackers to steal and then publish Trump’s tax returns.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Offering John Podesta Emails While Selling Deleted Hillary Emails

Back in April 2017, I noted something problematic with Democratic theories about the advance knowledge of Roger Stone — and by association, the Trump camp — of Russia’s hack and leak plans: Democrats have largely focused on Stone’s warning, on August 21, 2016, that “it would soon be the Podesta’s time in the barrel,” arguing it reflected foreknowledge of the October 2016 dump of John Podesta’s emails. Stone has said he was talking about blaming Tony Podesta for his corruption, and while that does appear to be a projection-focused defense of Paul Manafort as his own corruption posed problems for the Trump campaign, none of that explains how Stone implicated John in his brother’s sleaze.

That one comment aside, virtually every time Stone predicted a WikiLeaks October Surprise, he implied it would be Clinton Foundation documents or other ones she deleted from her home server, not Podesta emails. That is, while Stone appears to have known the general timing of the October dump, Stone didn’t predict the Podesta emails. He predicted emails deleted from Hillary’s home server, emails that never got published. Here’s how it looks in a timeline (partly lifted from this CNN timeline).

August 12, 2016: Roger Stone says, “I believe Julian Assange — who I think is a hero, fighting the police state — has all of the emails that Huma and Cheryl Mills, the two Clinton aides thought that they had erased. Now, if there’s nothing damning or problematic in those emails, I assure you the Clintonites wouldn’t have erased them and taken the public heat for doing so. When the case is I don’t think they are erased. I think Assange has them. I know he has them. And I believe he will expose the American people to this information you know in the next 90 days.”

August 15, 2016: Stone tells WorldNetDaily that, “’In the next series of emails Assange plans to release, I have reason to believe the Clinton Foundation scandals will surface to keep Bill and Hillary from returning to the White House,’ … The next batch, Stone said, include Clinton’s communications with State Department aides Cheryl Mills and Huma Abedin.”

August 26, 2016: Stone tells Breitbart Radio that “I’m almost confident Mr. Assange has virtually every one of the emails that the Clinton henchwomen, Huma Abedin and Cheryl Mills, thought that they had deleted, and I suspect that he’s going to drop them at strategic times in the run up to this race.”

August 29, 2016: Stone suggests Clinton Foundation information might lead to prison. “Perhaps he has the smoking gun that will make this handcuff time.”

September 16, 2016: Stone says that “a payload of new documents” that Wikileaks will drop “on a weekly basis fairly soon … will answer the question of exactly what was erased on that email server.”

September 18, 2016 and following: Stone asks Randy Credico to get from Assange any emails pertaining to disrupting a peace deal in Libya, making it clear he believes Assange has emails that WikiLeaks has not yet released.

In a Sept. 18, 2016, message, Mr. Stone urged an acquaintance who knew Mr. Assange to ask the WikiLeaks founder for emails related to Mrs. Clinton’s alleged role in disrupting a purported Libyan peace deal in 2011 when she was secretary of state, referring to her by her initials.

“Please ask Assange for any State or HRC e-mail from August 10 to August 30–particularly on August 20, 2011,” Mr. Stone wrote to Randy Credico, a New York radio personality who had interviewed Mr. Assange several weeks earlier. Mr. Stone, a longtime confidant of Donald Trump, had no formal role in his campaign at the time.

Mr. Credico initially responded to Mr. Stone that what he was requesting would be on WikiLeaks’ website if it existed, according to an email reviewed by the Journal. Mr. Stone, the emails show, replied: “Why do we assume WikiLeaks has released everything they have ???”

In another email, Mr. Credico then asked Mr. Stone to give him a “little bit of time,” saying he thought Mr. Assange might appear on his radio show the next day. A few hours later, Mr. Credico wrote: “That batch probably coming out in the next drop…I can’t ask them favors every other day .I asked one of his lawyers…they have major legal headaches riggt now..relax.”

As I further noted, when WikiLeaks started dumping Podesta emails in October (including excerpts of Hillary’s private speeches), Stone focused more on accusing Bill Clinton of rape, another projection-based defense of Donald Trump (especially in light of the Access Hollywood tape) than he focused on the Podesta emails.

In other words, Stone may not have exhibited foreknowledge of the Podesta dump. By all appearances, he seemed to expect that WikiLeaks would publish emails obtained via the Peter Smith efforts — efforts that involved soliciting Russian hackers for assistance. That actually makes Stone’s foreknowledge more damning, as it suggests he was part of the conspiracy to pay Russian hackers for emails they had purportedly already hacked from Hillary’s server and that he expected WikiLeaks would be an outlet for the emails, as opposed to just learning that Podesta’s emails had been hacked some months after they had been.

It was Guccifer 2.0, not Assange, who claimed anyone had Clinton server documents (including in a tweet responding to my observation he was falsely billing documents as Clinton Foundation ones).

And Guccifer 2.0 was (according to Politico, not WSJ) in the loop of this effort, so may have been trying to pressure WikiLeaks to publish sets of files already sent, as he had tried to do with DCCC files earlier in August.

[Chuck] Johnson said he and [Peter] Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

“The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

Two interesting issues of timing arise out of that, then.

First, to the extent that Stone’s tweets during the week of October 7 (the ones that exhibited foreknowledge of timing, if not content) predicted the timing of the next leak, they would seem to reflect an expectation that deleted emails were coming, not necessarily that Podesta ones were.

[O]n Saturday October 1 (or early morning on October 2 in GMT; the Twitter times in this post have been calculated off the unix time in the source code), Stone said that on Wednesday (October 5), Hillary Clinton is done.

Fewer of these timelines note that Wikileaks didn’t release anything that Wednesday. It did, however, call out Guccifer 2.0’s purported release of Clinton Foundation documents (though the documents were real, they were almost certainly mislabeled Democratic Party documents) on October 5. The fact that Guccifer 2.0 chose to mislabel those documents is worth further consideration, especially given public focus on the Foundation documents rather than other Democratic ones. I’ll come back to that.

Throughout the week — both before and after the Guccifer 2.0 release — Stone kept tweeting that he trusted the Wikileaks dump was still coming.

Monday, October 3:

Wednesday, October 5 (though this would have been middle of the night ET):

Thursday, October 6 (again, this would have been nighttime ET, after it was clear Wikileaks had not released on Wednesday):

But it also makes the October 11 email — which was shared with still unidentified recipients via foldering, not sent — reported by WSJ the other day all the more interesting. The email seems to suggest that on October 11, the “students” who were really pleased with email releases they had seen so far were talking about the Podesta emails.

“[A]n email in the ‘Robert Tyler’ [foldering] account [showing] Mr. Smith obtained $100,000 from at least four financiers as well as a $50,000 contribution from Mr. Smith himself.” The email was dated October 11, 2016 and has the subject line, “Wire Instructions—Clinton Email Reconnaissance Initiative.” It came from someone calling himself “ROB,” describing the funding as supporting “the Washington Scholarship Fund for the Russian students.” The email also notes, “The students are very pleased with the email releases they have seen, and are thrilled with their educational advancement opportunities.”

In a follow-up, WSJ confirmed the identities of three of the four alleged donors (they’re still trying to track down the real ID of the fourth).

He reached out to businessmen as financial backers, including Maine real-estate developer Michael Liberty, Florida-based investor John “Jack” Purcell and Chicago financier Patrick Haynes. They were named in an email reviewed by the Journal as among a group of people who pledged to contribute $100,000 to the effort, along with $50,000 of Mr. Smith’s own money.

If the Smith conspirators were referring to the Podesta emails stolen by GRU in the same breath as a funding solicitation for Clinton Foundation ones, it suggests that whoever Smith’s co-conspirators were, as late as October 11, they were referring to the Podesta emails in the same breath as the Clinton server ones they were still hunting for.

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

A Tale of Two GRU Indictments

Yesterday, DOJ indicted a bunch of GRU hackers again, in part for hacks in retaliation for anti-doping associations’ reports finding a state-run Russian effort to help its athletes cheat (though also including hacks of Westinghouse and the Organization for the Prohibition of Chemical Weapons (OPCW)).

As the DNC GRU indictment did, this indictment provides a snapshot of the division of labor in GRU, made easier by the capture of four of these guys, with all their hacking toys in the trunk of their rented car, in the Netherlands. I find a comparison of the two indictments — of some of the same people for similar activity spanning the same period of time — instructive for a number of reasons.

The team

Consider the team.

There are Aleksei Morenets and Evgenii Serebriakov, whom the indictment calls “on-site GRU hackers who traveled to foreign countries with other conspirators, in some instances using Russian government issued diplomatic passports to conduct on-site operations.” Serebriakov even has a title, “Deputy Head of Directorate,” which sounds like a pretty senior person to travel around sniffing WiFi networks.

There are the three men we met in the DNC indictment, Ivan Yermakov, Artem Malyshev, and Dmitriy Badin, all of whom work  out of Moscow running hacks. Yermakov and Malyshev were closely involved in both hacks in 2016 (as demonstrated by the timeline below).

Finally, there are Oleg Sotnikov and Alexey Minin, who joined Morenets and Serebriakov as they tried to hack the Organization for the Prohibition of Chemical Weapons (OPCW) and tried to hack the Spiez Chemical laboratory that was analyzing the Novichok used to poison Sergei Skripal.

There are slightly different tactics than in the DNC hack. For example, GRU used a bunch of bit.ly links in this operation (though some of those are an earlier campaign against Westinghouse). And they sent out hackers to tap into targets’ WiFi networks directly, whereas none of the DNC hackers are alleged to have left Russia.

But there’s a ton of common activity, notably the spearphishing of targeted individuals and the use of their X-Agent hacking tool to exploit targeted machines.

Overlapping hack schedule

I’m also interested in the way the WADA hack, in particular, overlaps with the DNC one. I’ve got a timeline, below, of the two indictments look like (I’ve excluded both the Westinghouse and OPCW hacks from this timeline to focus on the overlapping 2016 operations).

Yermakov and Malyshev are described by name doing specific tasks in the DNC hack though May 2016. By August, they have turned to hacking anti-doping targets. Yermakov, in particular, seems to play the same research role in both hacks.

Given the impact of these operations, it’s fairly remarkable that such a small team conducted both.

Common bitcoin habits and possibly even infrastructure

There are also paragraphs in the WADA indictment, particularly those pertaining to the use of bitcoin to fund the operation used to substantiate the money laundering charge, that appear to be lifted in their entirety from the DNC one (or perhaps both come from DOJ or Western PA US Attorney boilerplate — remember that the DNC hack was originally investigated in Western PA, so this language likely originates there).

These include:

  •  58/106: Describing how conspirators primarily used bitcoin to pay for infrastructure
  • 59/107: Describing how bitcoin works, with examples specific to each operation provided
  • 60/108: Describing how conspirators used dedicated email accounts to track bitcoin transactions
  • 61/109: Describing how conspirators used the same computers to conduct hacking operations and facilitate bitcoin payments
  • 62/110: Describing how conspirators also mined bitcoin and then used it to pay for servers, with examples specific to each operation
  • 64/111: Describing how conspirators used the same funding structure and sometimes the same pool of funds to pay for hacking infrastructure, with examples specific to each operation provided

The similarity of these two passages suggests two things. First, it suggests that the August 8, 2016 transaction in the WADA indictment may have been orchestrated from the gfade147 email noted in the DNC indictment. With both, the indictment notes that “One of these dedicated accounts … received hundreds of bitcoin payment requests from approximately 100 different email accounts,” with the DNC indictment including the gfade147 address. (Compare paragraphs 60 in the DNC indictment with 108 in the WADA one.)  That would suggest these two operations overlap even more than suspect.

That said, there’s one paragraph in the DNC indictment that doesn’t have an analogue in the WADA one, 63. It describes conspirators,

purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.

Given how loud much of these operations were, it raises questions about why some of the DNC hack (but not, at least by description) the WADA one would require “heightened anonymity.”

Different treatment of InfoOps

I’m perhaps most interested in the different treatment of the InfoOps side of the operation. As I noted here, in general there seems to be a division of labor at GRU between the actual hackers, in Unit 26165, which is located at  20 Komsomolskiy Prospekt, and the information operations officers, in Unit 74455, which is located in the “Tower” at 22 Kirova Street, Khimki. Both units were involved in both operations.

Yet the WADA indictment does not name or charge any Unit 74455 officers, in spite of describing (in paragraphs 1 and 11) how the unit acquired and maintained online social media accounts and associated infrastructure (paragraph 76 describes that infrastructure to be “procured and managed, at least in part, by conspirators in GRU Unit 74455”). Five of the seven named defendants in the WADA indictment are in Unit 26165, with Oleg Sotnikov and Alexey Minin not identified by unit.

By comparison, three of the 11 officers charged in the DNC indictment belong to Unit 744555.

And the WADA campaign did have a significant media component, as explained in paragraphs 76-87. The indictment even complains (as did DOJ officials as the press conference announcing this indictment) about,

reporters press[ing] for and receiv[ing] promises of exclusivity in such reporting, with one such reporter attempting to make arrangements for a right of first refusal for articles on all future leaks and actively suggesting methods with whicch the conspiracy could search the stolen materials for documents of interest to that reporter (e.g., keywords of interest).

That said, the language in much of this discussion (see paragraphs 77 through 81) uses the passive voice — “were registered,” “were named,” “was posted,” “were released,” “were released,” “were released,” “were released” — showing less certainty about who was running that infrastructure.

That’s particularly interesting given that the government clearly had emails between the Fancy Bear personas and journalists.

One difference may be, in part, that in the DNC indictment, there are specific hacking (not InfoOps) actions attributed to two of the Unit 74455 officers: Aleksandr Osadchuk and Anatoliy Kovalev. Indeed, Kovalev seems to have been added on just for that charge, as he doesn’t appear in the introduction section at the beginning of the indictment.

Whereas Unit 74455’s role in the WADA indictment seems to be limited to running the InfoOps infrastructure.

Importance of WikiLeaks and sharing with Republicans

It’s not clear how much we can conclude form all that. But the different structure in the DNC indictment does allow it to foreground the role of a number of others, such as WikiLeaks and Roger Stone and — as I suggested drop in some or all of  those others in a future conspiracy indictment — that were a key part of the election operation.

Timeline

February 1, 2016: gfade147 0.026043 bitcoin transaction

March 2016: Conspirators hack email accounts of volunteers and employees of Hillary campaign, including John Podesta

March 2016: Yermakov spearphishes two accounts that would be leaked to DC Leaks

March 14, 2016 through April 28, 2016: Conspirators use same pool of bitcoin to purchase VPN and lease server in Malaysia

March 15, 2016: Yermakov runs technical query for DNC IP configurations and searches for open source info on DNC network, Dem Party, and Hillary

March 19, 2016: Lukashev spearphish Podesta personal email using john356gh

March 21, 2016: Lukashev steals contents of Podesta’s email account, over 50,000 emails (he is named Victim 3 later in indictment)

March 25, 2016: Lukashev spearphishes Victims 1 (personal email) and 2 using john356gh; their emails later released on DCLeaks

March 28, 2016: Yermakov researched Victims 1 and 2 on social media

April 2016: Kozachek customizes X-Agent

April 2016: Conspirators hack into DCCC and DNC networks, plant X-Agent malware

April 2016: Conspirators plan release of materials stolen from Clinton Campaign, DCCC, and DNC

April 6, 2016: Conspirators create email for fake Clinton Campaign team member to spearphish Clinton campaign; DCCC Employee 1 clicks spearphish link

April 7, 2016: Yermakov runs technical query for DCCC’s internet protocol configurations

April 12, 2016: Conspirators use stolen credentials of DCCC employee to access network; Victim 4 DCCC email victimized

April 14, 2016: Conspirators use X-Agent keylog and screenshot functions to surveil DCCC Employee 1

April 15, 2016: Conspirators search hacked DCCC computer for “hillary,” “cruz,” “trump” and copied “Benghazi investigations” folder

April 15, 2016: Victim 5 DCCC email victimized

April 18, 2016: Conspirators hack into DNC through DCCC using credentials of DCCC employee with access to DNC server; Victim 6 DCCC email victimized

April 19, 2016: Kozachek, Yershov, and co-conspirators remotely configure middle server

April 19, 2016: Conspirators register dcleaks using operational email [email protected]

April 20, 2016: Conspirators direct X-Agent malware on DCCC computers to connect to middle server

April 22, 2016: Conspirators use X-Agent keylog and screenshot function to surveil DCCC Employee 2

April 22, 2016: Conspirators compress oppo research for exfil to server in Illinois

April 26, 2016: George Papadopolous learns Russians are offering election assistance in the form of leaked emails

April 28, 2016: Conspirators use bitcoin associated with Guccifer 2.0 VPN to lease Malaysian server hosting dcleaks.com

April 28, 2016: Conspirators test IL server

May 2016: Yermakov hacks DNC server

May 10, 2016: Victim 7 DNC email victimized

May 13, 2016: Conspirators delete logs from DNC computer

May 25 through June 1, 2016: Conspirators hack DNC Microsoft Exchange Server; Yermakov researches PowerShell commands related to accessing it

May 30, 2016: Malyshev upgrades the AMS (AZ) server, which receives updates from 13 DCCC and DNC computers

May 31, 2016: Yermakov researches Crowdstrike and X-Agent and X-Tunnel malware

June 2016: Conspirators staged and released tens of thousands of stolen emails and documents

June 1, 2016: Conspirators attempt to delete presence on DCCC using CCleaner

June 2, 2016: Victim 2 personal victimized

June 8, 2016: Conspirators launch dcleaks.com, dcleaks Facebook account using Alive Donovan, Jason Scott, and Richard Gingrey IDs, and @dcleaks_ Twitter account, using same computer used for other

June 9, 2016: Don Jr, Paul Manafort, Jared Kushner have meeting expecting dirt from Russians, including Aras Agalarov employee Ike Kaveladze

June 10, 2016: Ike Kaveladze has calls with Russia and NY while still in NYC

June 14, 2016: Conspirators register actblues and redirect DCCC website to actblues

June 14, 2016: WaPo (before noon ET) and Crowdstrike announces DNC hack

June 15, 2016, between 4:19PM and 4:56 PM Moscow Standard Time (9:19 and 9:56 AM ET): Conspirators log into Moscow-based sever and search for words that would end up in first Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about company’s competence,” “worldwide known”

June 15, 2016, 7:02PM MST (12:02PM ET): Guccifer 2.0 posts first post

June 15 and 16, 2016: Ike Kaveladze places roaming calls from Russia, the only ones he places during the extended trip

June 20, 2016: Conspirators delete logs from AMS panel, including login history, attempt to reaccess DCCC using stolen credentials

June 22, 2016: Wikileaks sends a private message to Guccifer 2.0 to “send any new material here for us to review and it will have a much higher impact than what you are doing.”

June 27, 2016: Conspirators contact US reporter, send report password to access nonpublic portion of dcleaks

Late June, 2016: Failed attempts to transfer data to Wikileaks

July, 2016: Kovalev hacks into IL State Board of Elections and steals information on 500,000 voters

July 6, 2016: Conspirators use VPN to log into Guccifer 2.0 account

July 6, 2016: Wikileaks writes Guccifer 2.0 adding, “if you have anything hillary related we want it in the next tweo [sic] days prefabl [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after”

July 6, 2016: Victim 8 personal email victimized

July 10-19: Morenets travels to Rio de Janeiro

July 14, 2016: Conspirators send WikiLeaks an email with attachment titled wk dnc link1.txt.gpg providing instructions on how to access online archive of stolen DNC documents

July 18, 2016: WikiLeaks confirms it has “the 1Gb or so archive” and would make a release of stolen documents “this week”

July 22, 2016: WikiLeaks releases first dump of 20,000 emails

July 27, 2016: Trump asks Russia for Hillary emails

July 27, 2016: After hours, conspirators attempt to spearphish email accounts at a domain hosted by third party provider and used by Hillary’s personal office, as well as 76 email addresses at Clinton Campaign

August 2016: Kovalev hacks into VR systems

August 2-9, 2016: Conspirators use multiple IP addresses to connect to or scan WADA’s network

August 2-4, 2016: Yermakov researches WADA and its ADAM database (which includes the drug test results of the world’s athletes) and USADA

August 3, 2016: Conspirators register wada.awa.org

August 5, 9, 2016: Yermakov researches Cisco firewalls, he and Malyshev send specific WADA employees spearfish

August 8, 2016: Conspirators register wada-arna.org and tas-cass.org

August 8, 2016: .012684 bitcoin transaction directed by dedicated email account

August 13-19, 2016: Morenets and Serebriakov travel to Rio, while Yermakov supports with research in Moscow

August 14-18, 2016: SQL attacks against USADA

August 15, 2016: Conspirators receive request for stolen documents from candidate for US congress

August 15, 2016: First Guccifer 2.0 exchange with Roger Stone noted

August 19, 2016: Serebriakov compromises a specific anti-doping official and obtains credentials to access ADAM database

August 22, 2016: Conspirators transfer 2.5 GB of stolen DCCC data to registered FL state lobbyist Aaron Nevins

August 22, 2016: Conspirators send Lee Stranahan Black Lives Matter document

September 1, 2016: Domains fancybear.org and fancybear.net registered

September 6, 2016: Conspirators compromise credentials of USADA Board member while in Rio

September 7-14, 2016: Conspirators try, but fail, to use credentials stolen from USADA board member to access USADA systems

September 12, 2016: Data stolen from WADA and ADAMS first posted, initially focusing on US athletes

September 12, 2016 to January 17, 2018: Conspirators attempt to draw media attention to leaks via social media

September 18, 2016: Morenets and Serebriakov travel to Lausanne, staying in anti-doping hotels, to compromise hotel WiFi

September 19, 2016 to July 20, 2018: Conspirators attempt to draw media attention to leaks via email

September 2016: Conspirators access DNC computers hosted on cloud service, creating backups of analytics applications

October 2016: Linux version of X-Agent remains on DNC network

October 6, 2016: Emails stolen from USADA first released

October 7, 2016: WikiLeaks releases first set of Podesta emails

October 28, 2016: Kovalev visits counties in GA, IA, and FL to identify vulnerabilities

November 2016: Kovalev uses VR Systems email address to phish FL officials

December 6, 2016 – January 2, 2017: Using IP frequently used by Malyshev, conspirators compromise FIFA’s anti-doping files

December 13, 2016: Data stolen from CCES released

January 19-24, 2017: Conspirators compromise computers of four IAAF officials

June 22, 2017: Data stolen from IAAF’s network released

July 5, 2017: Data stolen from IAAF’s network released

August 28, 2017: Data stolen from FIFA released

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Assange Exfiltration Would Have Taken Place in the Wake of Joshua Schulte Tor Activity

The Guardian has a wild story about a joint Ecuadorian-Russian attempt to spring Julian Assange from the embassy. The idea was that he’d be snuck out of the Embassy in a diplomatic vehicle and sent to live in either Russia or Ecuador.

Sources said the escape plot involved giving Assange diplomatic documents so that Ecuador would be able to claim he enjoyed diplomatic immunity. As part of the operation, Assange was to be collected from the embassy in a diplomatic vehicle.

Four separate sources said the Kremlin was willing to offer support for the plan – including the possibility of allowing Assange to travel to Russia and live there. One of them said that an unidentified Russian businessman served as an intermediary in these discussions.

A single source claims that the plan was supposed to take place on Christmas Eve of last year.

The operation to extract Assange was provisionally scheduled for Christmas Eve in 2017, one source claimed, and was linked to an unsuccessful attempt by Ecuador to give Assange formal diplomatic status.

[snip]

Assange’s Christmas Eve escape was aborted with just days to go, one source claimed. Rommy Vallejo, the head of Ecuador’s intelligence agency, allegedly travelled to the UK on or around 15 December 2017 to oversee the operation and left London when it was called off.

In February Vallejo quit his job and is believed to be in Nicaragua. He is under investigation for the alleged kidnapping in 2012 of a political rival to Correa.

I’m not 100% convinced about that timing for two reasons. First, because related events — Assange receiving Ecuadorian citizenship and Ecuador requesting he be given diplomatic status — only got reported in January.

The Foreign Office has turned down a request from the Ecuadorian government to grant the WikiLeaks founder, Julian Assange, diplomatic status as a means of breaking the stalemate over his continued presence in the UK.

The development comes amid reports that Assange – an Australian who has been holed up in the Ecuadorian embassy for more than five years – has recently become a citizen of the South American state.

If awarded the status of a diplomat, it is thought, Assange could obtain certain rights to legal immunity and might be able to leave the embassy in Knightsbridge, and eventually the UK, without being arrested for breaching his former bail conditions.

Also, when Fidel Narváez denied involvement to the Guardian, he denied meetings with Russia this year, not last (though that’s just as likely non-denial denial).

Two sources familiar with the inner workings of the Ecuadorian embassy said that Fidel Narváez, a close confidant of Assange who until recently served as Ecuador’s London consul, served as a point of contact with Moscow.

In an interview with the Guardian, Narváez denied having been involved in discussions with Russia about extracting Assange from the embassy.

Narváez said he visited Russia’s embassy in Kensington twice this year as part of a group of “20-30 more diplomats from different countries”. These were “open-public meetings”, he said, that took place during the “UK-Russian crisis” – a reference to the aftermath of the novichok poisoning of Sergei and Yulia Skripal in March.

That said, assuming the diplomatic request went in sometime in advance of the reporting on it, then the timing does make sense.

And that’s interesting because it would mean the Ecuadorian-Russian attempt to exfiltrate Assange would have happened in the wake of accused Vault 7 leaker Joshua Schulte endangering his bail by hopping on Tor to do … we don’t know what. Whatever he did, however, it led to Schulte’s detention in MCC and ultimately his delayed indictment for leaking the Vault 7 documents.

November 9, 2017: Wikileaks publishes Vault 8 exploit

November 14, 2017: Assange posts Vault 8 Ambassador follow-up

November 14, 2017: Arrest warrant in VA

November 15, 2017: Charged in Loudon County for sexual assault

November 16, 2017: Use of Tor

November 17, 2017: Use of Tor

November 26, 2017: Use of Tor

November 29, 2017: Abundance of caution, attorney should obtain clearance

November 30, 2017: Use of Tor

December 5, 2017: Use of Tor, Smith withdraws

December 7, 2017: NYPD arrests on VA warrant for sexual assault

December 12, 2017: Move for detention, including description of email and Tor access

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network. TOR networks enable anonymous communications over the Internet and could be used to download or view child pornography without detection. Indeed, the defendant has a history of using TOR networks. The defendant’s Google searches obtained in this investigation show that on May 8, 2016, the defendant conducted multiple searches related to the use of TOR to anonymously transfer encrypted data on the Internet. In particular, the defendant had searched for “setup for relay,” “test bridge relay,” and “tor relay vs bridge.” Each of these searches returned information regarding the use of interconnected computers on TOR to convey information, or the use of a computer to serve as the gateway (or bridge) into the TOR network.

Which is to say, things were falling apart in this period. And the response, tellingly, was for the Russians to try to find a way to exfiltrate Assange.

Update: Reuters describes the timing as still more problematic.

Ecuador last Dec. 19 approved a “special designation in favor of Mr. Julian Assange so that he can carry out functions at the Ecuadorean Embassy in Russia,” according to the letter written to opposition legislator Paola Vintimilla.

“Special designation” refers to the Ecuadorean president’s right to name political allies to a fixed number of diplomatic posts even if they are not career diplomats.

But Britain’s Foreign Office in a Dec. 21 note said it did not accept Assange as a diplomat and that it did not “consider that Mr. Assange enjoys any type of privileges and immunities under the Vienna Convention,” reads the letter, citing a British diplomatic note.

More and more this looks like an attempt to legally exfiltrate him.

image_print