May 27, 2022 / by 


Technical Exhibits, Michael Sussmann Trial

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months’ work.

Most of my coverage during the Michael Sussmann trial will be trial related, describing what witnesses and exhibits say about the case.

But there are good reasons to question the conduct of the investigation — and that’s a topic a lot of people have independent interest in. So I wanted to start a running post on technical issues.

If there’s a link that doesn’t work, it probably means I’ve forgotten to set permissions to public (some of this needs redaction before posting). Leave a comment or tweet me at @emptywheel.

FBI investigation

160922: Scott Hellman/Nate Batty assessment

160923: Electronic Communication opening investigation

160923: EC plus all three shared documents

160926: Ryan Gaynor notes (includes details on election protection efforts)

161004: Kyle Steere documents the contents of the thumb drives

161005: Investigative update from Allison Sands

Includes:

  • FBI conclusion on changing DNS records
  • FBI’s response to David Dagon’s defense
  • Logs from Cendyn, with Listrak still to come
  • Barracuda reference
  • Discussion of Tor node

161007: Sands Draft FD-1023 CHS Report

170118: Sands Closing Memo

Materials shared with FBI

White paper

DNS logs

62 pages of DNS logs

Trump Who Is

9 IP Addresses

15 Trump mail domains

160919 Expert White Paper

Joffe data requests (postdates original data in white paper)

160820: Antonokakis to DeJong requesting data (including dcleaks)

List of IP addresses

Alfa Bank script

160915: DeJong shares results with Joffe

170718: DeJong to Joffe: I have four jobs that look for Trump

Posts related to technical issues

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules


The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules


When Michael Sussmann attorney Sean Berkowitz was walking FBI Agent Scott Hellman through the six meetings he had with Durham’s team on Tuesday — meetings he first had as a witness about the investigation into the Alfa Bank allegations and later in preparation for his trial testimony — Berkowitz asked Hellman about how, sometime earlier this year, Andrew DeFilippis and Jonathan Algor asked him whether he could serve as their DNS expert for the trial.

Q And then, more recently, you met with Mr. DeFilippis and I think Johnny Algor, who is also at the table here, who’s an Assistant U.S. Attorney. Correct?

A. Yes.

Q. They wanted to talk to you about whether you might be able to act as an expert in this case about DNS data?

A. Correct.

To Hellman’s credit, he told Durham’s prosecutors — who have been investigating matters pertaining to DNS data for two years — that he only had superficial knowledge of DNS and so wasn’t qualified to be their expert.

Q. You said, while you had some superficial knowledge, you didn’t necessarily feel qualified to be an expert in this case, correct, on DNS data?

A. On DNS data, that’s correct.

It wasn’t until the third day of trial that Durham’s team presented any evidence about the alleged crime. Instead, Durham’s first two witnesses were their nominal expert, David Martin, and Hellman, who told Durham he wasn’t an expert but who offered opinions he neither had the expertise to offer nor had done the work to substantiate.

That’s important, because DeFilippis used him to provide an opinion only an expert should give. And virtually everything about his testimony — his claim to have relied on the data in the materials without looking at the thumb drives, an apparently made up claim about the timing of the analysis, and behaviors that the FBI normally finds suspicious — suggests he’s not only not a DNS expert qualified to assess this report, but that his assessment of the white paper Sussmann shared also suffers from serious credibility issues.

The battle over an expert

The testimony of the nominal expert, David Martin, was remarkably nondescript, particularly given the fight that led up to his testimony. Durham’s team sprang even the fact that they would have an expert on Sussmann at a really late date: on March 30, after months of blowing off Sussmann’s inquiries about whether they would. Not only did they want Martin to explain to the jury what DNS and Tor are, Durham’s team explained, but they also wanted him to weigh in on the validity of conclusions drawn by the researchers who had found the anomaly.

  • the authenticity vel non of the purported data supporting the allegations provided to the FBI and Agency-2;
  • the possibility that such purported data was fabricated, altered, manipulated, spoofed, or intentionally generated for the purpose of creating the false appearance of communications;
  • whether the DNS data that the defendant provided to the FBI and Agency-2 supports the conclusion that a secret communications channel existed between and/or among the Trump Organization, Alfa Bank, and/or Spectrum Health;

[snip]

  • the validity and plausibility of the other assertions and conclusions set forth in the various white papers that the defendant provided to the FBI and Agency-2;

As Sussmann noted in his motion to limit Martin’s testimony, he didn’t mind the testimony about DNS and Tor. He just didn’t want this trial to be about the accuracy of the data, especially without the lead time to prepare his own expert.

As the Government has already disclosed to the defense, should the defense attempt to elicit testimony surrounding the accuracy and/or reliability of the data that the defendant provided to the FBI and Agency-2, Special Agent Martin would explain the following:

  • That while he cannot determine with certainty whether the data at issue was cherry-picked, manipulated, spoofed or authentic, the data was necessarily incomplete because it was a subset of all global DNS data;
  • That the purported data provided by the defendant nevertheless did not support the conclusions set forth in the primary white paper which the defendant provided to the FBI;
  • That numerous statements in the white paper were inaccurate and/or overstated; and
  • That individuals familiar with these relevant subject areas, such as DNS data and TOR, would know that such statements lacked support and were inaccurate and/or overstated.

Based on repeated assurances from Durham that they weren’t going to make accuracy an issue in their case in chief, Judge Cooper ruled that the government could only get into accuracy questions if Sussmann tried to raise the accuracy of the data himself. But if he said he relied on the assurances of Rodney Joffe, it wouldn’t come in.

The government suggests that Special Agent Martin’s testimony may go further, depending on what theories Sussmann pursues in cross-examination or his defense case. Consistent with its findings above, the Court will allow the government’s expert to testify about the accuracy (or lack thereof) of the specific data provided to the FBI here only in certain limited circumstances. In particular, if Sussmann seeks to establish at trial that the data were accurate, and that there was in fact a communications channel between Alfa Bank and the Trump Campaign, expert testimony explaining why this could not be the case will become relevant. But, as the Court noted above, additional testimony about the accuracy of the data—expert or otherwise—will not be admissible just because Mr. Sussmann presents evidence that he “relied on Tech Executive-1’s conclusions” about the data, or “lacked a motive to conceal information about his clients.” Gov’s Expert Opp’n at 11. As the Court has already explained, complex, technical explanations about the data are only marginally probative of those defense theories. The Court will not risk confusing the jury and wasting time on a largely irrelevant or tangential issue. See United States v. Libby, 467 F. Supp. 2d 1, 15 (D.D.C. 2006) (excluding evidence under Rule 403 where “any possible minimal probative value that would be derived . . . is far outweighed by the waste of time and diversion of the jury’s attention away from the actual issues”).

Then, days before the trial, the issue came up again. Durham sent a letter on May 6 (ten days before jury selection), raising a bunch of new issues they wanted Martin to raise. Sussmann argued that Durham was trying to expand the scope of what his expert could present. Among his complaints, Sussmann argued that Durham was trying to make a materiality argument via his expert witness.

Third, the Special Counsel apparently intends to offer expert testimony about the materiality of the false statement alleged in this case. Indeed, the Special Counsel’s supplemental topic 9 regarding the importance of considering the collection source of DNS data is plainly being offered to prove materiality. But the Special Counsel did not disclose this topic in either his initial expert disclosure or Opposition, and the Court’s ruling did not permit such testimony. The Special Counsel should not now be allowed to offer an entirely new expert opinion under the guise of eliciting testimony regarding the types of conclusions that can be drawn from a review of DNS data.

Judge Cooper considered the issue Tuesday morning, before opening arguments. When asked why Martin had to present the concept of visibility, DeFilippis explained that Hellman, the Agent who’s not an expert on DNS but whom DeFilippis nevertheless had asked to serve as an expert on DNS, would talk about the importance of knowing visibility to assess data.

THE COURT: Well, but isn’t the question here whether a case agent — is your case agent later going to testify that that was something that the FBI looked at or wanted to look at in this case and was unable to do so, and that that negatively affected the FBI’s investigation in some way?

MR. DeFILIPPIS: Yes, and I expect Special Agent Hellman, who will testify likely today, Your Honor, I expect that that is a concept that he will say was relevant to the determination that — determinations he was making as he drafted analysis of the data that came in. And, again, I don’t think we — for example, another way in which this comes up is that the FBI routinely receives DNS data from various private companies who collect that data, and it is always relevant sort of the breadth of visibility that those companies have. So it’s relevant generally, but also in this particular case the fact that the FBI did not have insight into the visibility or lack of visibility of that data certainly affected steps that the FBI took.

THE COURT: Okay. But Mr. Sussman has not been accused of misrepresenting who the source is. He’s simply — but rather who the client is. So how do you link that to the materiality of the alleged false statement?

MR. DeFILIPPIS: Because, Your Honor, I think we view them as intertwined. It was because — it was in part because Mr. Sussman said he didn’t have a client that made it more difficult for the FBI to get to the bottom of the source of this data or made it less likely they would, and so — and, again, I don’t think we expect to dwell for a long time on this, but I think the agents and the technical folks will say that that is part of why the origins of the data are extremely relevant when they took investigative steps here.

When Cooper noted Sussmann’s objection to Martin discussing possible spoofing of data, DeFilippis again answered not about what Martin would testify, but what Hellman would.

As DeFilippis explained, he claimed to believe that under Cooper’s ruling, the government could put in any little thing they wanted that they claimed had been part of the investigation.

And Special Agent Hellman, when he testifies today — now, Your Honor’s ruling we understand to permit us to put into evidence anything about what the FBI analyzed and concluded as its investigation unfolded because that goes to the materiality of the defendant’s statement. So Special Agent Hellman — through Agent Hellman we will offer into evidence a paper he prepared when the data first came in, and among its conclusions is that the data might — he doesn’t use the word “spoof” — but might have been intentionally generated and might have been fabricated. That was the FBI’s initial conclusion in what it wrote up.

So in order for the jury to understand the course of the FBI’s investigation and the conclusions that it drew at each stage, those concepts are at the center of it.

[snip]

MR. DeFILIPPIS: Okay. Your Honor, I’m sorry. We understood your ruling to be that the FBI’s conclusions as it went along were okay as long as we weren’t asserting the conclusion that it was, in fact, fabricated. You know, I mean, it’s difficult to chart the course of the FBI’s investigation unless we can elicit at each stage what it is that the FBI concluded.

Judge Cooper ordered that references to spoofing be removed — leading to a last minute redaction of an exhibit — but permitted a discussion of visibility to come in.

After all that fight, Martin’s testimony was not only bland, but it was recycled PowerPoint. He not only admitted lifting the EFF description of Tor for his PowerPoint, but he included their logo.

Hellman delivers the non-expert expert opinion Durham was prohibited from giving

As I said, Martin was witness number one; Hellman — the self-described non-expert in DNS — was witness number two.

Even though Hellman admitted, again, that he’s not a DNS expert, DeFilippis still had him go over what DNS is.

Q. How familiar or unfamiliar are you with what is known as DNS or Domain Name System data?

A. I know the basics about DNS.

Q. And in your understanding, on a very basic level, what is DNS?

A. DNS is basically how one computer would try and communicate with another computer.

After getting Hellman to explain how he purportedly got chain of custody signatures on September 20, 2016 for the materials Michael Sussmann dropped off with James Baker on September 19, DeFilippis walked Hellman through how, he claimed, he had concluded that the allegations Sussmann dropped off were unsupported. Hellman reviewed the data accompanying the white paper, Durham’s star cybersecurity witness claimed on the stand, and after reviewing that data, determined there was no allegation of a hack in the materials and therefore nothing for the Cyber Division to look at. And, as a report he wrote “within a day” summarized, he concluded the methodology was horrible.

As you read the following exchange, know that (as I understand it) some, if not most, of what Hellman describes as the methodology is wrong. Obviously, if Hellman’s understanding of the methodology is wrong, then the opinion that DeFilippis elicits from a guy who admitted he was not an expert on DNS but whom DeFilippis nevertheless asked to serve as his expert witness on DNS before inviting David Martin in to present slides lifted from the Electronic Frontier Foundation instead [Takes a breath] … If Hellman’s understanding of the methodology and the data he’s looking at is wrong, then his opinion about the methodology is going to be of little merit.

With that understanding, note the objection of Sean Berkowitz, who fought DeFilippis’ late hour addition of an expert that DeFilippis wanted to use to opine on the validity of the research, bolded below.

So we looked at the top part, which set out your top-line conclusion. You then have a portion of the paper that says, “The investigators who conducted the research appear to have done the following.” Now, Special Agent Hellman, it appears to be a pretty technical discussion, but can you just tell us, in that first part of the paper, what did you set out and what did you conclude?

A. It looks to be that they were looking for domains associated with Trump, and the way that they did that was they looked at a list of sort of all domains and looked for domains that had the word “Trump” in them as a way to narrow down the number of domains they were looking at.

And then they wanted to find, well, which of that initial set of Trump domains, which of them are email servers associated with those domains. And the way they did that was to search for terms associated with email, like “mail” or other email-related terms to then narrow down their list of domains even further to be Trump-associated domains that were email servers.

Q. And did you opine on the soundness of that methodology? In other words, did you express a view as to whether this was a good way to go about this project?

A. We did not — I did not feel that that was the most expeditious way to go about identifying email servers associated with the domain.

Q. And why was that?

A. You can name an email server anything you want. It doesn’t have to have the words “mail” or “SMTP” in it. And so by — if you’re just searching for those terms, I would wager to guess you would miss an actual email server because there are other — there are other more technical ways that you can use — basically look-up tools, Internet look-up tools where you can say, for any domain, tell me the associated email server. That’s essentially like a registered email server. But the way that they were doing it was they were just looking for key terms, and I think that it just didn’t make sense to me why they would go about identifying email servers that way as opposed to just being able to look them up.

Q. Was there anything else about the methodology used here by the writer or writers of this paper that you found questionable or that you didn’t agree with?

A. I think just the overall assumptions that were being made about that the server itself was actually communicating at all. That was probably one of the biggest ones.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Basis?

MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

That’s how, as his second witness, Andrew DeFilippis introduced the opinion of a guy who admitted he wasn’t an expert on DNS that DeFilippis had asked to serve as an expert even though DeFilippis should have known that he didn’t have the expertise to offer expert opinions like this.

If Sussmann is found guilty, I would bet a great deal of money this stunt will be one part of a several pronged appeal, because Judge Cooper permitted DeFilippis to do precisely what Cooper had prohibited him from doing before trial, and he let him do it with a guy who by his own admission is not a DNS expert.
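Hellman’s one concrete technical criticism above is that searching hostnames for words like “mail” or “SMTP” is a poor way to find a domain’s mail servers, because an “Internet look-up tool” can simply ask which server is registered to receive mail (in DNS terms, the domain’s MX records). The script below is an added illustration of that contrast, not code from the white paper, the FBI report or anyone involved in the case. All hostnames, domains and MX data in it are constructed (example.test names), and the `offline_mx` resolver stands in for a real lookup such as `dig +short MX <domain>` or dnspython’s `dns.resolver.resolve(domain, "MX")`; the three-label `registrable_domain` helper is a simplification for the constructed data rather than a public-suffix-aware implementation.

```python
"""Keyword search vs. MX lookup for identifying a domain's mail servers.

Added example with constructed data; not the researchers' or the FBI's code.
"""
import re

# Constructed inventory of hostnames (the kind of list one might extract from
# a passive-DNS feed).  Comments mark which ones actually receive mail.
HOSTNAMES = [
    "mail1.corp.example.test",                 # real MX
    "smtp.corp.example.test",                  # real MX
    "mx-relay.corp.example.test",              # real MX, no "mail"/"smtp" in name
    "webmail.corp.example.test",               # web front end, not an MX
    "www.corp.example.test",                   # web server
    "mailing-list-archive.corp.example.test",  # keyword hit, not an MX
    "edge.partner.example.test",               # real MX of a second domain
]

# Constructed MX data: registrable domain -> [(preference, exchange), ...].
# In real use this table is replaced by a resolver query (assumption noted
# in the lead-in); the data here exists only so the script runs offline.
MX_TABLE = {
    "corp.example.test": [
        (10, "mail1.corp.example.test"),
        (20, "smtp.corp.example.test"),
        (30, "mx-relay.corp.example.test"),
    ],
    "partner.example.test": [(10, "edge.partner.example.test")],
}


def registrable_domain(hostname, labels=3):
    """Naive 'last N labels' reduction; adequate for the constructed names.
    Production code would consult the public suffix list instead."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-labels:])


def mail_servers_by_keyword(hostnames, keywords=("mail", "smtp")):
    """The approach criticised in the testimony: keep any hostname that
    contains an email-ish word.  Substring match, so 'webmail' and
    'mailing' both qualify while 'mx-relay' does not."""
    return sorted(h for h in hostnames if any(k in h.lower() for k in keywords))


def mail_servers_by_mx(hostnames, mx_records):
    """The alternative Hellman alludes to: derive the candidate domains,
    ask the resolver for each domain's MX records, and keep the exchanges
    it names (lowest preference first)."""
    exchanges = []
    for domain in sorted({registrable_domain(h) for h in hostnames}):
        for _pref, exchange in sorted(mx_records(domain)):
            exchanges.append(exchange.lower().rstrip("."))
    return exchanges


def offline_mx(domain):
    """Stand-in resolver backed by the constructed table."""
    return MX_TABLE.get(domain, [])


def compare(hostnames, mx_records=offline_mx):
    """Show where the two methods disagree: false positives of the keyword
    search (keyword_only) and real exchanges it misses (mx_only)."""
    keyword = set(mail_servers_by_keyword(hostnames))
    mx = set(mail_servers_by_mx(hostnames, mx_records))
    return {
        "keyword_only": sorted(keyword - mx),
        "mx_only": sorted(mx - keyword),
        "both": sorted(keyword & mx),
    }


if __name__ == "__main__":
    for category, hosts in compare(HOSTNAMES).items():
        print(f"{category:13s} {hosts}")
```

On the constructed data the keyword search picks up two hosts that serve no mail and misses two that do, which is exactly the failure Hellman describes; the MX-based method has neither problem, and it also scales to any domain without guessing naming conventions.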

Cyber Division reaches a conclusion without looking at the thumb drives

Now let’s look at what Hellman describes his own methodology to be.

First, it was quick. DeFilippis seems to think that serves his narrative, as if this stuff was so crappy that it took a mere glimpse to discredit it.

Q. Special Agent Hellman, how long would you say it took you and Special Agent Batty to write this up?

A. Inside of a day.

Q. Inside of a day, you said?

Berkowitz walked Hellman through the timeline of it, and boy was it quick. There’s some uncertainty about this timeline, because John Durham’s office doesn’t feel the need to make clear whether exhibits they’re turning over in discovery reflect UTC or ET. But I think I’ve laid it out below (Berkowitz got it wrong in cross-examination, which DeFilippis used to attack his analysis).

As you can see, not only were FBI’s crack cybersecurity agents making a final conclusion about the data within a day but — by all appearances — they did so before they had ever looked at the thumb drives included with the white papers. From the record, it’s actually not clear when — if!!! — they looked at the thumb drives. But it’s certain they had their analysis finalized no more than one working day after they admitted they hadn’t looked at the thumb drive, which was itself after they had already decided the white paper was shit.

Timeline

September 20, 10:20AM: Nate Batty tells Jordan Kelly they’ll come from Chantilly to DC to get the thumb drives

September 20, 10:31AM: Jordan Kelly tells Batty the chain of custody is “Sussman to Strzock to Sporre”

September 20, 12:29PM: Hellman and Nate Batty accept custody of the thumb drives

September 20, 1:30PM: Hour drive back to Chantilly, VA

September 20, 4:44PM: Hellman appears to explain the process of picking up the thumb drives to jrsmith, claiming to have spoken to Baker on the phone. jrsmith jokes about “doctor[ing] a chain of evidence form.”

September 20, 4:58PM: Hellman says the more he reads the report “it feels a little 5150ish,” suggesting (as he explained to Berkowitz on cross) the authors suffered from a mental disability, and Hellman complains that “it contains an absurd quantity of data,” to which Batty responded that the data seemed “inserted to overwhelm and confuse the reader.”

September 21, 8:47AM: Batty tells Hellman their supervisor wants them to “write a brief summary of what we think about the DNC report.” Batty continues by suggesting that “we should at least plug the thumb drives into Frank’s computer and look at the files…”

September 22, 9:44AM: Curtis Heide, in Chicago, asks Batty to send the contents of the thumb drive so counterintelligence agents can begin to look at the evidence. The boys in Cyber struggle to do so for a bit.

September 22, 2:49PM: Batty asks Hellman what he did with the blue thumb drive.

September 22, 4:46PM: Batty sends “analysis of Trump white paper” to others.

In other words, the cyber division spent less than 28 hours doing this analysis.

Yes. The analysis was quick.

Hellman says his analysis is valid because he looked at the data

The hastiness of the analysis and the fact that Hellman didn’t look at the thumb drive before making initial conclusions about the research is fairly problematic, because when he discussed his own methodology, he described the data driving everything.

Q. Now, what principally, from the materials, did you rely on to do your analysis?

A. So it was really two things. It was looking at the data, the technical data itself. There was a summary that it came with. And then also we were comparing what we saw in the data, sort of the story that the data told us, and then looking at the narrative that it came with and comparing our assessment of the data to the narrative.

[snip]

Q. And in connection with that analysis, did you also take a look at the data itself that was underlying this paper?

A. Yes

[snip]

Q. And if we look at that first page there, Agent Hellman, what kind of data is this?

A. It appears to be — as far as I can tell, it looks to be — it’s log data. So it’s a log that shows a date and a time, a domain, and an IP address. And, I mean, that’s — just looking at this log, there’s not too much more from that.

Q. And do you understand this to be at least a part of the DNS data that was contained on the thumb drives that I think you testified about earlier?

A. Yes.

[snip]

A. It would have mattered — well, I think on one hand it would not have mattered from the technical standpoint. If I’m looking at technical data, the data’s going to tell me whatever story the data’s going to tell me independent of where it comes from. So I still would have done the same technical analysis.

But knowing where the data comes from helps to tell me — it gives me context regarding how much I believe in the data, how authentic it is, do I believe it’s real, and do I trust it. [my emphasis]

He repeated this claim on cross with Berkowitz.

I just disagreed with the conclusions they came to and the analysis that they did based upon the data that came along with the white paper.

When Berkowitz asked him why counterintelligence opened an investigation when Cyber didn’t, Hellman suggested that the people in CD wouldn’t understand how to read the technical logs.

A. Um, I think they’d probably be looking at it from the same vantage point, but if you’re not — you don’t have experience looking at technical logs, you may not have the capability of doing a review of those logs. You might rely on somebody else to do it. And perhaps counterintelligence agents are going to be thinking about other investigative questions. So I guess it would probably be a combination of both.

“If I’m looking at technical data,” DeFilippis’ star cybersecurity agent explained, “the data’s going to tell me whatever story the data’s going to tell me.”

Except he didn’t look at the technical data, at least not the data on the thumb drives, before he reached his initial conclusion.

Hellman makes a claim unsupported by the data in his own analysis

I’ll leave it to people more expert than me to rip apart Hellman’s own analysis of the white paper Sussmann shared with the FBI. In early consultations, I’ve been told he misunderstood the methodology, misunderstood how researchers used Trump’s other domains to prove that just one had this anomaly (that is, as a way to test their hypothesis), and misstated the necessity of some long-term feedback loop for this anomaly to be sustained. Again, the experts will eventually explain the problems.

One part of his report that I know damns his methodology, however, is where he says the researchers,

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “mail1.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

This is the point where every single person I know who assessed these allegations who is at least marginally expert on DNS issues stopped and said, “global nonpublic DNS activity? There are only a handful of people that could be!” See, for example, this Robert Graham post written in response to the original Slate story, perhaps the most influential critique of the allegations, probably even on Durham. Every marginally expert person I know has, upon reading something like that, tried to figure out who would have that kind of visibility on the data, because that kind of visibility, by itself, would speak to their expertise. Those marginally expert people did not have the means to identify the possible sources of the data. But a lot of them — including the NYTimes!! — were able to find people who had that kind of visibility to better understand the anomaly. When Hellman read that, he simply said, “unclear how this was done” and moved on.

Still, Hellman did not contest (or possibly even test) the analysis that said there were really just four IP addresses conducting look-ups with the Trump marketing server. Dozens of people have continued to test that result in the years since, and while there have been adjustments to the general result, no one has disproven that the anomaly was strongest between Alfa Bank and Trump’s marketing domain.
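Hellman describes the underlying data as a log with “a date and a time, a domain, and an IP address,” and the result he did not contest is a count of how many distinct IP addresses were resolving one name. The script below is an added example of that kind of summary over such a log, written for this post and not taken from the researchers, the FBI or the white paper. The log lines are constructed (example.test names, RFC 5737 documentation addresses), and the four-column whitespace layout is an assumption about the format, since the post does not reproduce a raw line. The summary it returns is a lower bound in every field, which is the visibility caveat DeFilippis raised: a passive-DNS feed only sees the resolvers it happens to collect from, so a name resolved elsewhere leaves no trace here.

```python
"""Count which client IPs resolved each name in a passive-DNS style log.

Added example over constructed data; not code from anyone in the case.
Assumed line format: YYYY-MM-DD HH:MM:SS <domain> <client ip>.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log.  The malformed final line stands in for the
# kind of junk real feeds contain and is skipped by the parser.
SAMPLE_LOG = """\
2016-05-04 09:12:51 mail1.example.test 192.0.2.10
2016-05-04 09:13:02 mail1.example.test 192.0.2.10
2016-05-05 11:40:17 mail1.example.test 198.51.100.7
2016-05-06 08:01:33 mail1.example.test 192.0.2.10
2016-05-06 08:05:12 www.example.test 203.0.113.4
2016-05-07 14:22:09 mail1.example.test 203.0.113.4
2016-05-07 14:22:10 mail1.example.test. 192.0.2.11
2016-05-08 16:00:00 www.example.test 198.51.100.7
this line is garbage and is skipped
"""


def parse_log(text):
    """Return (timestamp, domain, client_ip) tuples, dropping lines that do
    not have four fields or a parseable timestamp.  Trailing dots and case
    differences in the name are normalised so the same name groups together."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        records.append((ts, parts[2].lower().rstrip("."), parts[3]))
    return records


def resolvers_per_domain(records):
    """domain -> Counter of queries per client IP."""
    per_domain = defaultdict(Counter)
    for _ts, domain, ip in records:
        per_domain[domain][ip] += 1
    return per_domain


def summarise(records, domain):
    """Describe one name: how many distinct clients resolved it, how
    concentrated the traffic is, and the observed date range.  Because the
    feed is a subset of global DNS, every figure is a lower bound."""
    counts = resolvers_per_domain(records).get(domain)
    if not counts:
        return None
    stamps = [ts for ts, d, _ in records if d == domain]
    top_ip, top_n = counts.most_common(1)[0]
    total = sum(counts.values())
    return {
        "distinct_resolvers": len(counts),
        "queries": total,
        "top_ip": top_ip,
        "top_share": round(top_n / total, 2),
        "first_seen": min(stamps).date().isoformat(),
        "last_seen": max(stamps).date().isoformat(),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name in sorted({d for _, d, _ in recs}):
        print(name, summarise(recs, name))
```

Run as-is, the constructed log shows four distinct clients resolving `mail1.example.test`, one of them accounting for half the queries; change the feed and the counts change, which is why knowing whose vantage point the log represents matters before drawing conclusions from it.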

Where Hellman’s insta-analysis really goes off the rails, however, is in his assertion that, “it appears that the presumed suspicious activity began approximately three weeks prior to the stated start date of the investigation conducted by the researcher.”

I’m not a DNS expert, but I’m pretty good at timelines, and by my read here are the key dates in the white paper.

May 4, 2016: Beginning date for look-up analysis

July 28, 2016: Lookup for hostnames yielding Trump

September 4, 2016: End date for look-up analysis

September 14, 2016: Updated search for look-ups covering June 17 through September 14

The start date reflected in this white paper is July 28, 2016. Three weeks before that would be July 7, 2016, a date that doesn’t appear in the white paper. The anomaly started 85 days before the start date reflected in this white paper (and the start date for the research began months earlier, but still over three weeks after the May 4 start date).

I don’t understand where he got that claim. But DeFilippis repeated it on the stand, as if it were reflected in the data, I guess believing it makes his star cybersecurity agent look good.

DeFilippis’ star cybersecurity agent has some credibility problems

There are a few more problems with the credibility of Hellman, DeFilippis’ star cybersecurity agent who is not a DNS expert. One of those is that he compared notes with his boss before first testifying.

Q: And you also spoke with Nate Batty around that time, Right?

A: Yes.

Q: Did you talk to him before the first interview to kind of get ready for it?

A: I think so, but I don’t remember.

Q: Is that something that you encourage witnesses to do, to talk to other witnesses to see if your recollections are consistent?

A: No.

In addition, notwithstanding that Batty was told that Sussmann was in the chain of custody, Batty claimed to believe the source was “anonymous” and Hellman claimed to believe it was sensitive, a human source. Even after comparing notes, their stories didn’t match.

There are other problems with Hellman’s memory of the events, notably that in his first interview — the one he did shortly after comparing notes with Batty — he claimed that Baker had told him he was unable to identify the source of the data.

Q. And when you went to Mr. Baker’s office, do you remember what, if anything, was said during that discussion or during that interaction?

A. I remember being in the office, but I don’t distinctly recall what the conversation was. I do remember after the fact, though, that I was frustrated that I was not able to identify who had provided these thumb drives, this information to Mr. Baker. He was not willing to tell me.

At the very least, this presents a conflict with Baker’s testimony, but it’s also another testament to how variable memories can be four years, much less six years, after the fact.

Hellman also claimed, when asked on cross, that the first time he had ever seen the reference to a “DNC report” in the September 21 Lync notes he received was two years ago, when he was first interviewed.

A: The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from DNC. I don’t remember DNC being a part of anything we read or discussed.

Q: Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A: It’s in there. I don’t have any memory of seeing it.

And when Sean Berkowitz asked Hellman about the significance of seeing the reference to a “DNC report” first thing on September 21, he described how DeFilippis had suggested to him that it was likely just a typo for DNS.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — I have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

When Hellman claimed not to remember a topic for which there was documentary evidence that he had seen it in real time, Andrew DeFilippis offered up an explanation that Hellman then repeated on the stand.

On the stand, DeFilippis also tried to get Hellman to call a marketing server a spam server, though Hellman resisted.

Once you look closely, I don’t think Hellman’s testimony helps Durham all that much. What it proves, however, is that DeFilippis attempted to coach testimony.

One final thing. DeFilippis got his star cybersecurity agent to observe that the researchers didn’t include their name or other markers on their report, as if that’s a measure of unreliability.

Q. Now, let me ask you, were you able to determine from any of these materials who had actually drafted the paper alleging the secret channel?

A. No.

Q. In other words, was it contained anywhere in the documents?

Here’s what Hellman’s own report looks like:

There’s a unit — ECOU1 — but the names of the individual agents appear nowhere in the report. The report is not dated. It does not specifically identify the white papers and thumb drives by control numbers, something key to evidentiary analysis.

It has none of the markers of regularity you’d expect from the FBI. Hellman’s own analysis doesn’t meet the standards that DeFilippis uses to measure reliability.

This long-time Grand Rapids resident is furious that Hellman judged there was no hack

Everything above I write as a journalist who has tried to understand this story for almost six years. Between that and 18 years of covering national security cases, I hope I now have sufficient familiarity with it to know there are real problems with Hellman’s analysis.

But let me speak as someone who lived in Grand Rapids for most of this period, and had friends who had to deal with the aftermath of Spectrum Health appearing at the center of a politically contentious story.

Hellman had, as he testified, two jobs. First, he was supposed to determine whether there were any cyber equities, then he was supposed to do some insta-analysis of the data without first looking at the thumb drives.

According to Hellman, there was no hack.

I was asked to perform two tasks in tandem with Special Agent Batty, and our tasks were, number one, to look at this data, look at the data and look at the narrative that it came with and identify were there any what’s known as cyber equities. And by that it was, was there any allegation of a hacking. That’s what cyber division does. We investigate hacking. So was there an allegation that somebody or some company or some computer had been hacked. That was first.

[snip]

As I mentioned, the first piece was we had to identify was there any real allegation of hacking; and there was not. That was our first task by our supervisor. There was not.

[snip]

The allegation was that someone purported to find a secret communication channel between the Trump organization and Russia. And so we identified first that, no, we didn’t think that there was any cyber equity, meaning that there was probably nothing more for cyber to investigate further, if there was no hacking crime.

Except here’s what the white paper says about Spectrum, that Grand Rapids business that was swept up in this story.

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank. i.e., Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health. There is absolutely no reason why Spectrum would want a Tor exit node on its system. (Indeed, Spectrum Health would not want a TOR node on its system because, by its nature, you never know what will come out of a TOR node, including child pornography and other legal content.)

We discovered that Spectrum Health is the victim of a network intrusion. Therefore, Spectrum Health may not know it has a TOR exit node on its network. Alternatively, the DeVos family may have people at Spectrum who know there is a TOR node. i.e., could have been placed there with inside help.

When faced with some anomalous activity that seemed to tie into the weird DNS traffic, the experts suggested that maybe the Spectrum hack related to the DNS anomaly.

To be clear, this Tor allegation is the weakest part of this white paper. You will hear about this to no end over the next week. It was technically wrong.

But the allegation in the white paper is that maybe a recent hack of Spectrum Health is why it had this anomalous traffic with Trump’s marketing server. There’s your hack!!

Had the people at FBI’s cybersecurity side actually treated this as a possible compromise, it might have addressed the part of this story that never made any sense. And we might not, now, six years later, be arguing about what might explain it.

Let me be clear: I do think the white paper overstated its conclusions. I don’t think secret communication is the most obvious explanation here.

But there are hacks and then there are hacks in the testimony of DeFilippis’ star cybersecurity agent.

Update: Corrected an attribution to Batty instead of Hellman.

Update: Fixed my own timeline.

Update: Added link to Robert Graham’s analysis.

Update: This may be where Hellman gets his erroneous three week claim. There were two histograms included with the report. One, the close-up, does start around July 7.

But the broader scope shows look-ups earlier, very actively in June, but with a few stray ones in May.

The government didn’t include the pages and pages of logs that Batty complained about in this exhibit. Had they, it would be clear to jurors that this claim is false.

Update: Correction on two points. First, I think I’ve finally got the Lync exchange above correct between Batty and Hellman. As noted, Hellman complains that “it contains an absurd quantity of data” to which Batty responded, the data seemed “inserted to overwhelm and confuse the reader.”

Second, I was wading through exhibits this morning and found the exhibit of 19 pages of logs. Here’s just a subset of them, including logs that go back to May 2016. Hellman didn’t even look at the printed pages of log files closely enough to realize his claim about three weeks was wrong. These data weren’t intended to overwhelm the reader. They were there to show how the anomaly accelerated during the election.


Confirmed: John Durham Has Withheld Discovery That DOJ Already Disproved His Claims of Political Malice

In his reply filing in the fight over what evidence will be submitted at his trial, Michael Sussmann confirmed something I’ve long suspected: John Durham has not provided Sussmann with the discovery Durham would need to have provided to present his own conspiracy theories at trial without risking a major discovery violation.

Were the Special Counsel to try to suggest that Mr. Sussmann and Mr. Steele engaged in a common course of conduct, that would open the door to an irrelevant mini-trial about the accuracy of Mr. Steele’s allegations about Mr. Trump’s ties to Russia—something that, like the Alfa Bank allegations, many experts continue to believe in, and about which the Special Counsel has tellingly failed to produce any significant discovery.

Sussmann dropped this in the filing without fanfare. But it is clear notice that if Durham continues down the path he is headed, he may face discovery sanctions down the road.

I explained why that’s true in these two posts. A core tenet of Durham’s conspiracy theories is that the only reason one would use proven cybersecurity methods to test certain hypotheses about Donald Trump would be for malicious political reasons. Here’s how Durham argued that in his own reply.

As the Government will demonstrate at trial, it was also the politically-laden and ethically-fraught nature of this project that gave Tech Executive-1 and the defendant a strong motive to conceal the origins of the Russian Bank-1 allegations and falsely portray them as the organic discoveries of concerned computer scientists.

There’s no external measure for what makes one thing political and makes another thing national security. But if this issue were contested, I assume that Sussmann would point, first, to truth as a standard. And as he could point out, many of the hypotheses April Lorenzen tested, which Durham points to as proof the project was malicious and political, turned out to be true. They were proven to be true by DOJ. Some of those true allegations involved guilty pleas to crimes, including FARA, explicitly designed to protect national security; another involved Roger Stone’s guilty verdict on charges related to his cover-up of his potential involvement in a CFAA hacking case.

DOJ (under the direction of Trump appointee Rod Rosenstein, who in those very same years was Durham’s direct supervisor) has already decided that John Durham is wrong about these allegations being political. Sussmann has both truth and DOJ’s backing on his side that these suspicions, if proven true (as they were), would be a threat to national security. Yet Durham persists in claiming to the contrary.

Here’s the evidence proving these hypotheses true that Durham has withheld in discovery:

The researchers were testing whether Richard Burt was a back channel to the Trump campaign. And while Burt’s more substantive role as such a (Putin-ordered) attempt to establish a back channel came during the transition, it is a fact that Burt was involved in several events earlier in the campaign at which pro-Russian entities tried to cultivate the campaign, including Trump’s first foreign policy speech. Neither Burt nor anyone else was charged with any crime, but Mueller’s 302s involving the Center for National Interest — most notably two very long interviews with Dmitri Simes (one, updated, two, updated), which were still under investigation in March 2020 — reflect a great deal of counterintelligence interest in the organization.

The researchers were also testing whether people close to Trump were laundering money from Putin-linked Oligarchs through Cyprus. That guy’s name is Paul Manafort, with the assistance of Rick Gates. Indeed, Manafort was ousted from the campaign during the period researchers were working on the data in part to distance the campaign from that stench (though it didn’t stop Trump from pardoning Manafort).

A more conspiratorial Lorenzen hypothesis (at least on its face) was that one of the family members of an Alfa Bank oligarch might be involved — maybe a son- or daughter-in-law. And in fact, German Khan’s son-in-law Alex van der Zwaan was working with Gates and Konstantin Kilimnik in precisely that time period to cover up Manafort’s ties to those Russian-backed oligarchs.

Then there was the suspicion — no doubt driven, on the Democrats’ part, by the correlation between Trump’s request to Russia for more hacking and the renewed wave of attacks that started hours later — that Trump had some back channel to Russia.

It turns out there were several. There was the aforementioned Manafort, who in the precise period when Rodney Joffe started more formally looking to see if there was a back channel, was secretly meeting at a cigar bar with alleged Russian spy Konstantin Kilimnik discussing millions of dollars in payments involving Russian-backed oligarchs, Manafort’s plan to win the swing states, and an effort to carve up Ukraine that leads directly to Russia’s current invasion.

That’s the kind of back channel researchers were using proven cybersecurity techniques to look for. They didn’t confirm that one — but their suspicion that such a back channel existed proved absolutely correct.

Then there’s the Roger Stone back channel with Guccifer 2.0. Again, in this precise period, Stone was DMing with the persona. But the FBI obtained at least probable cause that Stone’s knowledge of the persona went back much further, back to even before the persona went public in June 2016. That’s a back channel that remained under investigation, predicated off of national security crimes CFAA, FARA, and 18 USC 951, at least until April 2020 and one that, because of the way Stone was scripting pro-Russian statements for Trump, might explain Trump’s “Russia are you listening” comment. DOJ was still investigating Stone’s possible back channel as a national security concern well after Durham was appointed to undermine that national security investigation by deeming it political.

Finally, perhaps the most important back channel — for Durham’s purposes — was Michael Cohen. That’s true, in part, because the comms that Cohen kept lying to hide were directly with the Kremlin, with Dmitri Peskov. That’s also true because on his call to a Peskov assistant, Cohen laid out his — and candidate Donald Trump’s — interest in a Trump Tower Moscow deal that was impossibly lucrative, but which also assumed the involvement of one or another sanctioned bank as well as a former GRU officer. That is, not only did Cohen have a back channel directly with the Kremlin he was trying to hide, but it involved Russian banks that were far more controversial than the Alfa Bank ties that the researchers were pursuing, because the banks had been deemed to have taken actions that threatened America’s security.

This back channel is particularly important, though, because in the same presser where Trump invited Russia to hack his opponent more, he falsely claimed he had decided against pursuing any Trump Organization developments in Russia.

Russia that wanted to put a lot of money into developments in Russia. And they wanted us to do it. But it never worked out.

Frankly I didn’t want to do it for a couple of different reasons. But we had a major developer, particular, but numerous developers that wanted to develop property in Moscow and other places. But we decided not to do it.

The researchers were explicitly trying to disprove Trump’s false claim that there were no ongoing business interests he was still pursuing with Russia. And this is a claim that Michael Cohen not only admitted was false and described recognizing was false when Trump made this public claim, but described persistent efforts on Trump’s part to cover up his lie, continuing well into his presidency.

For almost two years of Trump’s Administration, Trump was lying to cover up his efforts to pursue an impossibly lucrative real estate deal that would have required violating or eliminating US sanctions on Russia. That entire time, Russia knew Trump was lying to cover up those back channel communications with the Kremlin. That’s the kind of leverage over a President that all Americans should hope to avoid, if they care about national security. That’s precisely the kind of leverage that Sally Yates raised when she raised concerns about Mike Flynn’s public lies about his own back channel with Russia. Russia had that leverage over Trump long past the time Trump limped out of a meeting with Vladimir Putin in Helsinki, to which Trump had brought none of the aides who would normally sit in on a presidential meeting, looking like a beaten puppy.

Durham’s failures to provide discovery on this issue are all the more inexcusable given the fights over privilege that will be litigated this week.

As part of the Democrats’ nesting privilege claims objecting to Durham’s motion to compel privileged documents, Marc Elias submitted a declaration describing how, given his past knowledge and involvement defending against conspiracy theory attacks on past Democratic presidential candidates launched by Jerome Corsi and Donald Trump, and given Trump’s famously litigious nature, he believed he needed expertise on Trump’s international business ties to be able to advise Democrats on how to avoid eliciting such a lawsuit from Trump. (Note, tellingly, Durham’s motion to compel doesn’t mention a great deal of accurate Russian-language research by Fusion — to which Nellie Ohr was just one of a number of contributors — that was never publicly shared nor debunked as to quality.)

There are four redacted passages that describe the advice he provided; he is providing these descriptions ex parte for Judge Cooper to use to assess the Democrats’ privilege claims. Two short ones probably pertain to the scope of Perkins Coie’s relationship with the Democratic committees. Another short one likely describes Elias’ relationship, and through him, Fusion’s, with the oppo research staff on the campaign. But the longest redaction describing Elias’ legal advice, one that extends more than five paragraphs and over a page and a half, starts this way:

That is, the introduction to Elias’ description of the privilege claims tied to the Sussmann trial starts from Trump’s request of Russia to hack Hillary. Part of that sentence and the balance of the paragraph is redacted — it might describe that immediately after Trump made that request, the Russians fulfilled his request — but the redacted paragraph and the balance of the declaration presumably describes what legal advice he gave Hillary as she faced a new onslaught of Russian hacking attempts that seemingly responded to her opponent’s request for such hacking.

Given what Elias described about his decision to hire Fusion, part of that discussion surely explains his effort to assess an anomaly identified independently by researchers that reflected unexplained traffic between a Trump marketing server and a Russian bank. Elias probably described why it was important for the Hillary campaign to assess whether this forensic data explained why Russian hackers immediately responded to Trump’s request to hack her.

As I have noted, in past filings Durham didn’t even consider the possibility that Elias might discuss the renewed wave of hacking that Hillary’s security personnel IDed in real time with Sussmann, Perkins Coie’s cybersecurity expert.

It’s a testament to how deep John Durham is in his conspiracy-driven rabbit hole that he assumes a 24-minute meeting between Marc Elias and Michael Sussmann on July 31, 2016 to discuss the “server issue” pertained to the Alfa Bank allegations. Just days earlier, after all, Donald Trump had asked Russia to hack Hillary Clinton, and within hours, Russian hackers obliged by targeting, for the first time, Hillary’s home office. Someone who worked in security for Hillary’s campaign told me that from his perspective, the Russian attacks on Hillary seemed like a series of increasing waves of attacks, and the response to Trump’s comments was one of those waves (this former staffer documented such waves of attack in real time). The Hillary campaign didn’t need Robert Mueller to tell them that Russia seemed to respond to Trump’s request by ratcheting up their attacks, and Russia’s response to Trump would have been an urgent issue for the lawyer in charge of their cybersecurity response.

It’s certainly possible this reference to the “server” issue pertained to the Alfa Bank allegations. But Durham probably doesn’t know; nor do I. None of the other billing references Durham suggests pertain to the Alfa Bank issue reference a server.

Durham took a reference that might pertain to a discussion of a correlation between Trump’s ask and a renewed wave of Russian attacks on Hillary (or might pertain to the Alfa Bank anomaly), and assumed instead it was proof that Hillary was manufacturing unsubstantiated dirt on her opponent. He never even considered the legal challenges someone victimized by a nation-state attack, goaded by her opponent, might face.

And yet, given the structure of that redaction from Elias, that event is the cornerstone of the privilege claims surrounding the Alfa Bank allegations.

Because of all the things I laid out in this post, Judge Cooper may never have to evaluate these privilege claims at all. To introduce privileged evidence, Durham has to first withstand:

  • Denial because his 404(b) notice asking to present it was late, and therefore forfeited
  • Denial because Durham’s motion to compel violated local rules and grand jury process, in some ways egregiously
  • Rejection because most of the communications over which the Democrats have invoked privilege are inadmissible hearsay
  • The inclusion or exclusion of the testimony of Rodney Joffe, whose privilege claims are the most suspect of the lot, but whose testimony would make the communications Durham deems to be most important admissible

Cooper could defer any assessment of these privilege claims until he decides these other issues and, for one or several procedural reasons, simply punt the decision entirely based on Durham’s serial failures to follow the rules.

Only after that, then, would Cooper assess a Durham conspiracy theory for which Durham himself admits he doesn’t have proof beyond a reasonable doubt. As part of his bid to submit redacted and/or hearsay documents as exhibits under a claim that this all amounted to a conspiracy (albeit one he doesn’t claim was illegal), Durham argues that unless he can submit hearsay and privileged documents, he wouldn’t otherwise have enough evidence to prove his conspiracy theory.

Nor is evidence of this joint venture gratuitous or cumulative of other evidence. Indeed, the Government possesses only a handful of redacted emails between the defendant and Tech Executive-1 on these issues. And the defendant’s billing records pertaining to the Clinton Campaign, while incriminating, do not always specify the precise nature of the defendant’s work.

Accordingly, presenting communications between the defendant’s alleged clients and third parties regarding the aforementioned political research would hardly amount to a “mini-trial.” (Def. Mot. at 20). Rather, these communications are among the most probative and revealing evidence that the Government will present to the jury. Other than the contents of privileged communications themselves (which are of course not accessible to the Government or the jury), such communications will offer some of the most direct evidence on the ultimate question of whether the defendant lied in stating that he was not acting for any other clients.

In short, because the Government here must prove the existence of client relationships that are themselves privileged, it is the surrounding events and communications involving these clients that offer the best proof of those relationships.

Moreover, even if the Court were to find that no joint venture existed, all of the proffered communications are still admissible because, as set forth in the Government’s motions, they are not being offered to prove the truth of specific assertions. Rather, they are being offered to prove the existence of activities and relationships that led to, and culminated in, the defendant’s meeting with the FBI. Even more critically, the very existence of these written records – which laid bare the political nature of the exercise and the numerous doubts that the researchers had about the soundness of their conclusions – gave the defendant and his clients a compelling motive, separate and apart from the truth or falsity of the emails themselves, to conceal the identities of such clients and origins of the joint venture. Accordingly, they are not being offered for their truth and are not hearsay.

This passage (which leads up to a citation from one of the Georgia Tech researchers to which Sussmann was not privy that the frothers have spent the weekend drooling over) is both a confession and a cry for help.

In it, Durham admits he doesn’t actually have proof that the conspiracy he is alleging is the motive behind Michael Sussmann’s alleged lie.

He’s making this admission, of course, while hiding the abundant evidence — evidence he didn’t bother obtaining before charging Sussmann — that Sussmann and Joffe acceded to the FBI request to help kill the NYT story, which substantiates Sussmann’s stated motive.

And then, in the same passage, Durham is pointing to that absence of evidence to justify using that same claimed conspiracy for which he doesn’t have evidence to pierce privilege claims to obtain the evidence he doesn’t have. It’s a circular argument and an admission that all the claims he has been making since September are based off his beliefs about what must be there, not what he has evidence for.

Thus far the researchers’ beliefs about what kind of back channels they might find between Trump and Russia have far more proof than Durham’s absence of evidence.

Again, Durham doesn’t even claim that such a conspiracy would be illegal (much less chargeable under the statute of limitations), which is why he didn’t do what he could have had he been able to show probable cause that a crime had been committed: obtaining the communications with a warrant and using a filter team. Bill Barr’s memoir made it quite clear that he appointed Durham not because a crime had been committed, but because he wanted to know how a “bogus scandal” in which DOJ found multiple national security crimes started. “Even after dealing with the Mueller report, I still had to launch US Attorney John Durham’s investigation into the genesis of this bogus scandal.” In his filing, Durham confesses to doing the same, three years later: using his feelings about a “bogus scandal” to claim a non-criminal conspiracy that he hopes might provide some motive other than the one — national security — that DOJ has already confirmed.

An absolutely central part of Durham’s strategy to win this trial is to present his conspiracy theories, whether by belatedly piercing privilege claims he should have addressed before charging Sussmann (even assuming he’ll find what he admits he doesn’t have proof is there), or by presenting his absence of evidence and claiming it is evidence. He will only be permitted to do so if Judge Cooper ignores all his rule violations and grants him a hearsay exception.

But if he manages to present his conspiracy theories, Sussmann can immediately pivot and point out all the evidence in DOJ’s possession that proves not just that the suspicions Durham insists must be malicious and political in fact proved to be true, but also that DOJ — his former boss! — already deemed these suspicions national security concerns that in some cases amounted to crimes.

John Durham’s entire trial strategy consists of claiming that it was obviously political to investigate a real forensic anomaly to see whether it explained why Russia responded to Trump’s call for more hacks by renewing their attack on Hillary. He’s doing so while withholding abundant material evidence that DOJ already decided he’s wrong.

So even if he succeeds, even if Cooper grants him permission to float his conspiracy theories and even if they were to succeed at trial, Sussmann would have immediate recourse to ask for sanctions, pointing to all the evidence in DOJ’s possession that Durham’s claims of malice were wrong.

Update: The bad news is that I’m still working through my typos, with your help, including getting the name of Dmitri Simes’ organization wrong. The good news is the typos are probably due to being rushed out to cycle in the sun, so I have a good excuse.

Update: Judge Cooper has issued an initial ruling on Durham’s expert witness. It limits what Durham presents to the FBI investigation (excluding much of the CIA investigation he has recently been floating), and does not permit the expert to address whether the data actually did represent communications between Trump and Alfa Bank unless Sussmann either affirmatively claims it did or unless Durham introduced proof that Sussmann knew the data was dodgy.

Finally, the Court takes a moment to explain what could open the door to further evidence about the accuracy of the data Mr. Sussmann provided to the FBI. As the defense concedes, such evidence might be relevant if the government could separately establish “what Mr. Sussmann knew” about the data’s accuracy. Data Mot. at 3. If Sussmann knew the data was suspect, evidence about faults in the data could possibly speak to “his state of mind” at the time of his meeting with Mr. Baker, id., including his motive to conceal the origins of the data. By contrast, Sussmann would not open the door to further evidence about the accuracy of the data simply by seeking to establish that he reasonably believed the data were accurate and relied on his associates’ representations that they were. Such a defense theory could allow the government to introduce evidence tending to show that his belief was not reasonable—for instance, facially obvious shortcomings in the data, or information received by Sussmann indicating relevant deficiencies.

Ultimately, Cooper is treating this (as appropriate given the precedents in DC) as a question of Sussmann’s state of mind.

Importantly, this is what Cooper says about Durham blowing his deadline (which in this case was a deadline of comity, not trial schedule): he’s going to let it slide, in part because Sussmann does not object to the narrowed scope of what the expert will present.

Mr. Sussmann also urges the Court to exclude the expert testimony on the ground that the government’s notice was untimely and insufficiently specific. See Expert Mot. at 6–10; Fed. R. Crim. P. 16(a)(1)(G). Because the Court will limit Special Agent Martin’s testimony largely to general explanations of the type of technical data that has always been part of the core of this case—much of which Mr. Sussmann does not object to—any allegedly insufficient or belated notice did not prejudice him. See United States v. Mohammed, No. 06-cr-357, 2008 WL 5552330, at *3 (D.D.C. May 6, 2008) (finding that disclosure nine days before trial did not prejudice defendant in part because its subject was “hardly a surprise”) (citing United States v. Martinez, 476 F.3d 961, 967 (D.C. Cir. 2007)).

This suggests Cooper may be less willing to let other deadlines slide, such as the all-important 404(b) one.


Five Years after WikiLeaks Exposed CIA Identities in Vault 7, UK Moves Closer to Assange Extradition

Last November, in response to an order from Judge Jesse Furman, DOJ said that they were fine with accused Vault 7 leaker Joshua Schulte’s request for a delay before his retrial. In fact, they didn’t think a Schulte retrial could start before March 21.

Although the Government is available for trial at any time in the first or second quarters of 2022, the Government does not believe it would be practical to schedule the trial prior to March 2022. In particular, although the Government believes that the Court’s prior rulings pursuant to Section 6 of CIPA address the vast majority of questions concerning the use of classified information at trial in this matter, it appears likely that the defendant will seek to use additional classified information beyond that previously authorized by the Court. The process for pretrial consideration of that application pursuant to Section 6 is necessarily complex, entailing both briefing and hearings in a classified setting. To the extent the Court authorizes the defendant to use additional classified information, implementation of the Court’s rulings can also take time, such as through either declassification of information or supplemental briefing regarding the application of Section 8 of CIPA (authorizing the admission of classified evidence without change in classification status). The proposed trial date also takes into consideration matters discussed in the Government’s ex parte letter submitted on August 4, 2021. Accordingly, in order to afford sufficient time both for the likely upcoming CIPA litigation and for the parties to prepare for trial with the benefit of any supplemental CIPA rulings, the Government believes that the earliest practical trial date for this matter would be March 21, 2022.

Part of this delay was to revisit the Classified Information Procedures Act decisions from the first trial because, now that he’s defending himself, Schulte likely wanted to use more classified information than Sabrina Shroff had used in the first trial. It turns out March 21 was overly optimistic for CIPA to be done. Because of an extended debate over how to alter the protective order, the government will only file its CIPA motion tomorrow (it just asked to submit a much longer filing than originally permitted, and got permission to file a somewhat longer one).

It’s the other part of the government’s interest in delay — its references to “matters discussed” in a sealed letter from August 4 — that I’ve been tracking with interest, particularly as the Assange extradition proceeded. As I noted earlier, that August 4 letter would have been sent five years to the day after Schulte started searching on WikiLeaks, Edward Snowden, and Shadow Brokers (according to the government theory of the case, Schulte stole and leaked the CIA’s hacking tools earlier, in late April and early May 2016).

Since those mentions of a sealed letter last year, the government has asked for and gotten two meetings to discuss classified information with Judge Furman under Section 2 of CIPA, first for February 8 (after which a sealed document was lodged in Chambers), and the second one for March 9.

Section 2 provides that “[a]t any time after the filing of the indictment or information, any party may move for a pretrial conference to consider matters relating to classified information that may arise in connection with the prosecution.” Following such a motion, the district court “shall promptly hold a pretrial conference to establish the timing of requests for discovery, the provision of notice required by Section 5 of this Act, and the initiation of the procedure established by Section 6 (to determine the use, relevance, or admissibility of classified information) of this Act.”

That second CIPA Section 2 meeting, on March 9, would have taken place days after the five-year anniversary of the first Vault 7 publication, and with it the publication of the names or pseudonyms and a picture of several colleagues Schulte had vendettas against.

Schulte acknowledged that publication in a recently released self-justification he wrote to an associate after the Vault 7 release (it’s unclear when in 2017 or 2018 he wrote it), one he’s making a renewed attempt to suppress.

The names that were allegedly un-redacted were pseudonyms — fake names used internally in case a leak happened. Those of us who were overt never used last names anyway; this was an unwritten rule at the agency — NEVER use/write true last names for anyone. So I was convinced that there was little personal information revealed besides a picture of an old boss of mine that was mistakenly released with the memes.

Not long after he acknowledged the rule against using people’s names in that self-justification, Schulte used the names of the three colleagues he was most angry at: His boss Karen, his colleague “Jeremy Weber,” and another colleague, Amol, names that were also central to his efforts to leak from jail. If the FBI could ever develop evidence that Weber’s name was deliberately left in WikiLeaks’ Vault 7 publication, both Schulte and anyone else involved would be exposed to legal liability for violating the Intelligence Identities Protection Act, among other crimes.

On Monday, one week short of the day DOJ thought might be a realistic start day for the retrial, the British Supreme Court refused Assange’s bid to appeal a High Court decision accepting (flimsy) US assurances that Assange would not be held under Special Administrative Measures, finding that the appeal “does not raise an arguable point of law.”

Given the timing of the sealed filings in the Schulte case and the way the 2020 superseding indictment accuses Assange of “exhort[ing a Chaos Computer Club] audience to join the CIA in order to steal and provide information to WikiLeaks,” effectively teeing up Schulte’s alleged theft, I would be unsurprised if one of the things DOJ was delaying for were this moment, some resolution to the Assange extradition.

To be sure: the Assange extradition is not over, not by a long shot. As a letter from his attorneys explains, this decision will go back to Vanessa Baraitser, who will then refer the extradition to Home Secretary Priti Patel. Assange will have four weeks to try to persuade Patel not to extradite him.

And, as the same letter notes in classically British use of the passive voice, Assange could still appeal Baraitser’s original ruling.

It will be recollected that Mr Assange succeeded in Westminster Magistrates’ Court on the issue subsequently appealed by the US to the High Court. No appeal to the High Court has yet been filed by him in respect of the other important issues he raised previously in Westminster Magistrates’ Court. That separate process of appeal has, of course, yet to be initiated.

But an appeal on these issues would be decidedly more difficult now than it would have been two years ago.

That’s true, in part, because the Biden Administration’s continuation of Assange’s prosecution has debunked all the bullshit claims Assange made about being politically targeted by Donald Trump.

I also expect at least one of the purportedly exculpatory stories WikiLeaks has been spamming in recent months to be exposed as a complete set-up by WikiLeaks — basically an enormous hoax on WikiLeaks’ boosters and far too many journalist organizations. WikiLeaks has become little more than a propaganda shop, and I expect that to become clearer in the months ahead.

Finally, if the US supersedes[d] the existing indictment against Assange or obtains[ed] a second one in the last seven months, it will badly undermine any remaining claim Assange has to doing journalism. That’s true for a slew of reasons.

As I laid out here, the part of the Baraitser ruling that distinguished Assange’s actions from journalism based on his solicitation of hacks relied heavily on the language that directly teed up the hack-and-leak Schulte is accused of.

Mr. Assange, it is alleged, had been engaged in recruiting others to obtain information for him for some time. For example, in August 2009 he spoke to an audience of hackers at a “Hacking at Random” conference and told them that unless they were a serving member of the US military they would have no legal liability for stealing classified information and giving it to Wikileaks. At the same conference he told the audience that there was a small vulnerability within the US Congress document distribution system stating, “this is what any one of you would find if you were actually looking”. In October 2009 also to an audience of hackers at the “Hack in the Box Security Conference” he told the audience, “I was a famous teenage hacker in Australia, and I’ve been reading generals’ emails since I was 17” and referred to the Wikileaks list of “flags” that it wanted captured. After Ms. Manning made her disclosures to him he continued to encourage people to take information. For example, in December 2013 he attended a Chaos computer club conference and told the audience to join the CIA in order to steal information stating “I’m not saying don’t join the CIA; no, go and join the CIA. Go in there, go into the ballpark and get the ball and bring it out”. [emphasis Baraitser’s]

If the government proves what is publicly alleged, Schulte’s actions have nothing to do with whistleblowing and everything to do with vindictive hacking to damage the CIA, precisely what Assange was eliciting. Plus, even if such a hypothetical superseding indictment added just Vault 7/Vault 8 charges against Assange, it could put extortion and IIPA on the table (the latter of which would be a direct analogue to the UK’s Official Secrets Act), to say nothing of the still unexplained fate of the CIA source code which — as Schulte himself acknowledged — would have provided an unbelievable benefit had Russia received it.

And that assumes that Vault 7/Vault 8 would be the only thing the US wanted to supersede with. When Jeremy Hammond asked prosecutors why they hadn’t charged Assange for helping Russia tamper in US elections, they appeared to respond by describing the long time it would take to extradite Assange, implying that they still had time to charge Assange. To be sure, Mueller concluded that he “did not have admissible evidence that was probably sufficient to obtain and sustain a Section 1030 conspiracy conviction of WikiLeaks [or] Assange.” But the implication was that Mueller had evidence, just not stuff that could be submitted at trial. The extradition of Vladislav Klyushin — whose lawyer believed the US was particularly interested in his knowledge of the 2016 operation — might change that. (Like Assange, Klyushin’s extradition was also pending when DOJ submitted that first sealed filing; Klyushin’s case has been continued to share more discovery.)

There are several other operations WikiLeaks was involved in in 2015 and afterwards that would undermine any claim of being a journalistic outlet — and would add to the evidence that Assange had, at least by those years, been working closely to advance the interests of the Russian government.

It would be very hard to argue that Assange was being prosecuted for doing journalism if the US unveiled more credible allegations about the multiple ways Assange did Russia’s bidding in 2016 and 2017, even in normal times. All the more so as Russia is continuing its attack on democracy with its invasion of Ukraine.

And that’s what Assange faces as he attempts to stay out of the US.


John Durham Says Election-Hack Victims Should Wait Until After the Election to Report Tips

Even as Russia assaults a peaceful democracy (which invasion, in a separate filing, Durham calls, “recent world events in Ukraine”), John Durham suggests that a political campaign victimized by Russia should expect to wait until after the election before the FBI opens an investigation into a cybersecurity anomaly potentially implicating her opponent.

Durham even asserts that such a cybersecurity anomaly is not a cybersecurity matter, but instead a political one.

Almost six years after Trump’s request, “Russia are you listening,” was met with a renewed Russian attack on Hillary Clinton, John Durham continues to treat Hillary’s attempts to run a campaign while being attacked as a greater threat than that nation-state attack by Russia.

Durham’s latest contortions come in a response to Michael Sussmann’s motion to dismiss the indictment.

Sussmann argued that the alleged lie he told (motions to dismiss must accept the alleged facts as true) could not have affected the single decision facing the FBI when he shared information about a DNS anomaly: whether to open an investigation or not.

Following the Supreme Court’s clear instruction in Gaudin, in order to assess the materiality of the false statement that Mr. Sussmann is alleged to have made, this Court must ask what statement he is alleged to have made to the FBI; what decision the FBI was trying to make; and whether the false statement could have influenced that decision. Here, even accepting all the allegations in the Indictment as true—and the evidence would prove otherwise—the only decision the FBI was trying to make was the decision whether or not to commence an investigation into the allegations of suspicious internet data involving the Trump Organization and Russian Bank-1. Ample precedent—and the Special Counsel’s own allegations in this case—make clear that Mr. Sussmann’s purported false statement did not influence, and was not capable of influencing, that decision.

Predictably and reasonably, Durham’s response cited the precedent that leaves it up to juries to determine whether something is material or not.

In any event, the defendant’s arguments on the materiality of his statement are also premature. The Supreme Court in Gaudin held that materiality is an essential element of Section 1001 that must be resolved by a jury.

As I noted back in October, “Prosecutors will argue that materiality is a matter for the jury to decide.”

Prosecutors also noted what I did: a long list of precedents about materiality that Sussmann cited in his motion are all post-trial challenges to materiality, not pretrial motions to dismiss.

The defendant cites to multiple cases where the Supreme Court and Circuit Courts have held that the false statements and misrepresentations at issue were immaterial as a matter of law. See Def. Mot. at 7-10. But critically, all of those cases involved post-conviction appeals or motions to vacate the conviction after the Government presented its case at trial. Accordingly, none of these cases support the defendant’s requested relief here – that is, that the court dismiss the Indictment before trial because it fails to sufficiently allege that the defendant’s false statement is material. What the cases do show is that courts have routinely declined to usurp the jury’s role in making the determination on whether a false statement is material.

For those two reasons, Sussmann’s motion to dismiss is unlikely to succeed, and should instead be viewed as an opening bid to frame his defense and establish issues for appeal.

Those two arguments are all Durham really needed to respond to Sussmann’s motion to dismiss. Instead of leaving it with responsible lawyering, however, Durham launches into an illogical attempt to criminalize tip reporting.

Take his attempt to dismiss Rodney Joffe’s real cybersecurity expertise. In the three months since he charged Sussmann, Durham belatedly (at Sussmann’s request) discovered how closely Joffe had worked with the FBI on other investigations. As Sussmann scoffed in an earlier filing, “The notion that the FBI would have been more skeptical of the information had it known of Tech Executive-1’s involvement is, in a word, preposterous.” Now that Durham has discovered the close ties between Joffe and the FBI, he claimed that that history of reliability was itself something the FBI needed to know.

Namely, as the defendant’s motion reveals (Def. Mot. at 18-19, fn. 8), Tech Executive-1 had a history of providing assistance to the FBI on cyber security matters, but decided in this instance to provide politically-charged allegations anonymously through the defendant and a law firm that was then-counsel to the Clinton Campaign. Given Tech Executive-1’s history of assistance to law enforcement, it would be material for the FBI to learn of the defendant’s lawyer-client relationship with Tech Executive-1 so that they could evaluate Tech Executive-1’s motivations. As an initial step, the FBI might have sought to interview Tech Executive-1. And that, in turn, might have revealed further information about Tech Executive-1’s coordination with individuals tied to the Clinton Campaign, his access to vast amounts of sensitive and/or proprietary internet data, and his tasking of cyber researchers working on a pending federal cybersecurity contract.

Durham’s claim that “learning” how much data Joffe had access to (which is something the FBI undoubtedly knew — it is surely the reason why FBI partnered with him, because the volume of data Neustar had made their observations more useful) would make them more skeptical of the DNS tip is nonsensical. In fact, elsewhere (in tracking all the YotaPhone requests in the US over a three-year period), Durham treated it as presumptively reliable.

Plus, Durham made no mention here of one of the other things he belatedly learned: that the September 2016 tip Sussmann shared with FBI General Counsel James Baker was not the only one Joffe had shared via Sussmann anonymously. He shared a tip anonymously during this same time period with DOJ IG. Durham has no way of knowing, either, whether those two were the only ones, but his revised theory of materiality depends on an anonymous tip like this one being unique.

Similarly, Durham struggled to explain (including by citing an inapt precedent) why the FBI would need to be told that Sussmann represented Hillary when, in notes of Baker’s retelling of the meeting, Bill Priestap wrote that Sussmann represented the DNC and Clinton Foundation.

As he did with Joffe, Durham tried to flip Sussmann’s expertise, arguing that the former prosecutor’s recognized qualification as a cybersecurity expert, something that would help him assess whether DNS data were anomalous or not, is precisely why the Perkins Coie lawyer needed to disclose he was working for Hillary.

In an effort to downplay the materiality of this false statement, the defendant asserts that the FBI General Counsel was aware that the defendant represented the DNC. See Def. Mot at 18. But the Government expects that evidence at trial will establish that the FBI General Counsel was aware that the defendant represented the DNC on cybersecurity matters arising from the Russian government’s hack of its emails, not that he provided political advice or was participating in the Clinton Campaign’s opposition research efforts. Indeed, the defendant held himself out to the public as an experienced national security and cybersecurity lawyer, not an election lawyer or political consultant. Accordingly, when the defendant disclaimed any client relationships at his meeting with the FBI General Counsel, this served to lull the General Counsel into the mistaken, yet highly material belief that the defendant lacked political motivations for his work.

There are many crazy assumptions built into this statement: that, had Sussmann identified Hillary as his client, it would have required him to reveal her motives as political rather than security-related to the FBI, breaching privilege; that reporting an anomaly potentially involving Trump after Trump had begged Russia to further hack Hillary would not be a sound decision from a cybersecurity standpoint; that researching the context of an anomaly, such as Alfa Bank’s ties to Putin, is not part of cybersecurity. Effectively, Durham has unilaterally decided that pursuing this anomaly was a political act, with no basis in law or fact.

Which is how Durham espoused the claim that the FBI, facing an unprecedented attack by Russia on American elections in 2016, might have delayed investigation of a part of it that might have implicated one of the contestants.

The defendant’s false statement to the FBI General Counsel was plainly material because it misled the General Counsel about, among other things, the critical fact that the defendant was disseminating highly explosive allegations about a then-Presidential candidate on behalf of two specific clients, one of which was the opposing Presidential campaign. The defendant’s efforts to mislead the FBI in this manner during the height of a Presidential election season plainly could have influenced the FBI’s decision-making in any number of ways. The defendant’s core argument to the contrary rests on the flawed premise that the FBI’s only relevant decision was binary in nature, i.e., whether or not to initiate an investigation. But defendant’s assertion in this regard conveniently ignores the factual and practical realities of how the FBI initiates and conducts investigations. For example, the Government expects that evidence at trial will prove that the FBI could have taken any number of steps prior to opening what it terms a “full investigation,” including, but not limited to, conducting an “assessment,” opening a “preliminary investigation,” delaying a decision until after the election, or declining to investigate the matter altogether.

[snip]

Moreover, the Department of Justice and the FBI maintain stringent guidelines on dealing with matters that bear on U.S. elections. Given the temporal proximity to the 2016 U.S. presidential election, the FBI also might have taken any number of different steps in initiating, delaying, or declining the initiation of this matter had it known at the time that the defendant was providing information on behalf of the Clinton Campaign and a technology executive at a private company.

[snip]

And the evidence will show that it would have been all the more material here because the defendant was providing this information on behalf of the Clinton Campaign less than two months prior to a hotly contested U.S. presidential election. [my emphasis]

The first paragraph here is really telling, given Durham’s public complaint that the Crossfire Hurricane team should have opened the investigation as a preliminary investigation, not a full investigation (the investigation into Mike Flynn, specifically, wasn’t opened as a full investigation, but none of the techniques used would have otherwise been unavailable, not least because there was already a full investigation opened on Carter Page). This is an argument Durham may reprise in his report: That it was unreasonable for Hillary Clinton to ask the FBI to inquire into Trump’s campaign after he publicly asked a foreign country for help (even ignoring the tip from Australia).

Durham seems to think Hillary should have had no assistance from law enforcement if people close to her found more reason to be concerned after her opponent publicly asked Russia to hack her some more. He even mocked Sussmann as too powerful to choose to use anonymity.

[W]hile the defendant’s motion seeks to equate the defendant with a “jilted ex-wife [who] would think twice about reporting her ex-husband’s extensive gun-smuggling operation,” this comparison is absurd. Def. Mot. at 24

Far from finding himself in the vulnerable position of an ordinary person whose speech is likely to be chilled, the defendant – a sophisticated and well-connected lawyer – chose to bring politically-charged allegations to the FBI’s chief legal officer at the height of an election season.

This also betrays pure insanity. The anomaly involving Trump could always have reflected disloyal insiders compromising the candidate, as could the YotaPhones potentially in use in Trump headquarters. In fact, Page did compromise Trump when he went to Russia in December 2016 and told Russians there that he was representing Trump on matters pertaining to Ukraine, just as Mike Flynn did by selling his access to Trump to Turkey, just as Tom Barrack is accused of doing with the Emirates. The reason why Sussmann was providing this information less than two months before an election is because cybersecurity researchers had gone looking because there was an ongoing multi-faceted cybersecurity attack, one that continued right through the election, one that could have victimized Trump as well as Hillary.

Which brings me to the one point Sussmann made that Durham completely ignored. Durham’s response uses the word “purported” to describe the DNS allegations from Sussmann five times:

  1. The defendant provided the FBI General Counsel with purported data and “white papers” that allegedly demonstrated a covert communications channel between the Trump Organization and a Russia-based bank
  2. the purported data and white papers
  3. the purported DNS traffic that Tech Executive-1 and others had assembled
  4. the defendant provided data which he claimed reflected purportedly suspicious DNS lookups by these entities of internet protocol (“IP”) addresses affiliated with a Russian mobile phone provider (“Russian Phone Provider-1”)
  5. examine the origins of the purported data

What Durham did not do is ever address this point from Sussmann:

Indeed, the defense is aware of no case in which an individual has provided a tip to the government and has been charged with making any false statement other than providing a false tip. But that is exactly what has happened here.

In the fall of 2016, Michael Sussmann, a prominent national security lawyer, voluntarily met with the Federal Bureau of Investigation (“FBI”) to pass along information that raised national security concerns. He met with the FBI, in other words, to provide a tip. There is no allegation in the Indictment that the tip he provided was false. And there is no allegation that he believed that the tip he provided was false. Rather, Mr. Sussmann has been charged with making a false statement about an entirely ancillary matter—about who his client may have been when he met with the FBI—which is a fact that even the Special Counsel’s own Indictment fails to allege had any effect on the FBI’s decision to open an investigation.

[snip]

Again, nowhere in the Indictment is there an allegation that the information Mr. Sussmann provided was false. Nowhere is there an allegation that Mr. Sussmann knew—or should have known—that the information was false. And nowhere is there an allegation that the FBI would not have opened an investigation absent Mr. Sussmann’s purported false statement.

I could fund an entire Special Counsel investigation if I had $5 for every time in this prosecution Durham has used the word “purported.” For almost six months, his entire prosecution has been premised on this anomaly not being “real,” meaning unexplained traffic that might represent something serious.

And yet he has not charged that (though he seems to have bullied April Lorenzen, perhaps because he needs her to be something other than she was). Instead, he just keeps doing the work for which actual evidence is normally required by repeating the word “purported” over and over.

This motion to dismiss will likely fail, because juries get to decide what is material. But contrary to Durham’s claims, unless and until he can prove that Sussmann, Joffe, and Lorenzen didn’t believe this was a real anomaly worth investigating given all the other attacks that, Sussmann especially, knew were ongoing, then he really will be prosecuting someone for reporting a valid national security concern.


Behind the Arrest of Putin’s Pen-Tester, Vladislav Klyushin

There’s a gratuitous passage in the March 20, 2021 complaint charging Vladislav Klyushin, Ivan Yermakov, Igor Sladkov, Mikhail Irzak, and Nikolay Rumyantev with conspiracy to violate the Computer Fraud and Abuse Act. It describes Klyushin — the guy just extradited to the US on the charges — as possessing a picture of Alexander Borodaev and Sergey Uryadov posing in front of Scotland Yard in London.

Thus far, it’s unclear who the guys in the picture are, other than customers of M-13’s “investment services,” for which they paid extortionate 60% commissions to benefit from the insider trading scheme allegedly run by Klyushin and Yermakov. But, in addition to alerting Klyushin to how many of his personal files the FBI has obtained, folks back in Russia will have a taste of the kind of information at risk now that Klyushin is in US custody.

That is, this passage, and a host of others in the charging documents, appear designed to maximize the discomfort of a number of people involved, as much as justifying the arrest and extradition of the guy who led a company that provided services that amount to information operations to Vladimir Putin. As the DOJ presser explained,

M-13’s website indicated that the company’s “IT solutions” were used by “the Administration of the President of the Russian Federation, the Government of the Russian Federation, federal ministries and departments, regional state executive bodies, commercial companies and public organizations.” In addition to these services, Klyushin, Ermakov and Rumiantcev also allegedly offered investment management services through M-13 to investors in exchange for up to 60 percent of the profit

The insider trading scheme works like this: Klyushin (the guy in US custody) and Yermakov (a key person involved in the 2016 DNC hack, described in DOJ’s press release as a “former” GRU officer), along with one other guy from M-13, are accused of hacking at least two US filing agents to obtain earnings reports before they were officially released. They conducted trades for a handful of clients — along with Borodaev and Uryadov, Boris Varshavskiy is mentioned. Klyushin also conducted trades for himself. The three M-13 figures were indicted on conspiracy, hacking, wire fraud, and securities fraud charges on April 6, 2021, an indictment that formalized the extradition request for Klyushin, who had already been arrested in Switzerland.

Then there are two apparent private citizens who live in St. Petersburg, Michail Irzak and Igor Sladkov. They were indicted on May 6, 2021 on conspiracy to hack and hacking charges, along with securities fraud. That indictment (like the complaint) focuses on some different trades than the Klyushin one (and because neither is likely to be extradited anytime soon, the second indictment may shield some portion of evidence from discovery).

Actions attributed elsewhere to Yermakov are attributed to Co-Conspirator 1 in that indictment, and it is on that basis that Irzak and Sladkov are exposed to the hacking charges. Irzak and Sladkov don’t appear to have been paying the extortionate 60% fees that the other M-13 clients were, which makes me wonder whether Yermakov was helping buddies get rich on the side. Worse still, Sladkov had some epically bad operational security; the indictment describes he had in his possession pictures showing:

  • A picture of a black Acer computer, with a blue Russian Olympic Committee sticker over the camera, showing a press release with Snap’s 2017 earnings that was not released publicly until 8 hours later.
  • A picture showing the same Acer computer with the same blue sticker showing his own trading activity on BrokerCreditService on May 2, 2018
  • A picture taken on July 24, 2018 at 2:05PM (ET) showing himself and Irzak sitting at a brown table; Irzak had Facebook running at the time, which showed him to be in the vicinity of Sladkov’s house
  • A picture dated July 25, 2018 showing him trading in a bunch of shares the earnings reports of which had been illegally accessed the day before
  • A picture dated October 14, 2018 showing a hand-written note instructing to “short” three shares, which Irzak did short two days later

In other words, Sladkov documented much of his insider trading in photographs (perhaps to share the instructions with Irzak), and left all those photographs somewhere accessible to the US government.

If Yermakov was sharing this information with these guys without permission, then, given Sladkov’s role in providing the US government really damning information that would form the basis for an arrest warrant for Klyushin, things might get really hot.

But it’s not like Klyushin or Yermakov did much better. In addition to the pictures of the clients, above, and some screencaps that got sent showing trading activity (though with less obvious evidence of insider trading), there’s a bunch of messaging from both, including an oblique reference to messages Yermakov and Borodaev sent on November 19, 2020 that have nothing to do with the context of the indictment but happen to be after the US election. There are even pictures Klyushin shared with Yermakov, “showing a safe that contained growing stacks of U.S. one hundred dollar bills.”

Yermakov appears to have used one of his messaging accounts via multiple devices, because on December 3, 2018, when he “forgot telephone at work,” he was still able to message Klyushin about closing out a trade. Using the same messaging app across platforms would offer one means of compromise, especially if the FBI had gotten into Yermakov’s device updates. The indictment doesn’t mention a warrant for such messaging that you would expect if it took place on Facebook.

Again, this indictment seems to aim to cause discomfort and recriminations based on information in US possession.

But then there’s the question of how it came about, how it landed in Massachusetts rather than DC (where the lead FBI agent is from) or NY (where the trades get done) or Pittsburgh, where one of the prior indictments against Yermakov was done.

The indictments and complaint base the MA jurisdiction on the fact that the culprits used a VPN that used a server in MA on several occasions. At a presser the other day, Acting US Attorney Nathaniel Mendell suggested the case had been assigned to MA because of its good securities prosecution teams.

As to how it came about, purportedly, the story starts in January 2020, when two filing agents allegedly hacked by the men, FA1 and FA2, reported being hacked at virtually the same time. Someone had used an FA1 employee’s credentials on January 21, 2020 to access the earnings data for IBM, Steel Dynamics, and Avnet before those results were publicly announced the following day, but no similar transaction is noted with respect to FA2 (indeed, the list of accesses involving FA2 has a gap from November 2019 through May 2020). The investigation determined that FA1 had first been hacked by November 2018 and that FA2 had first been hacked by October 2017.

FA1 and FA2 discovered this compromise just months after the third M-13 employee, Rumyantev, was blocked by his Russian-based brokerage account for suspicious transactions. Months after FA1 and FA2 reported their compromise, Rumyantev and Klyushin lied to a Denmark bank that they were working entirely off of public information. By that point, in other words, banks in at least two countries were onto them.

Then, the story goes, the FBI investigated those hacks — through domains hosted by Vultr Holdings to a hosting company in Sweden to a user account under the name Andrea Neumann. From there, the FBI tracked back through some Bitcoin transactions made in October and November 2018 to the IP address for M-13 where they just happened to discover one of the very same hackers that was behind the 2016 hack of the DNC was also behind this hack. Mendell sounded pretty sheepish when he offered that explanation at the press conference.

Perhaps it’s true, but another key piece of evidence dates to actions Yermakov took on May 9, 2018, when he was under very close scrutiny as part of the twin investigations into his role in the hacks of the DNC and doping agencies, but before the first indictment against him was obtained.

Based on a review of records obtained from a U.S.-based technology company (the “Tech Company”), I have learned that on or about May 9, 2018, at 3:44 a.m. (ET), an account linked to ERMAKOV received an update for three native applications associated to the Tech Company. Records show that the May 9, 2018 application updates were associated to IP address 119.204.194.11 (the “119 IP Address”).

Based on my review of a log file from FA 2, I learned that on or about that same day, May 9, 2018, starting at 3:46 a.m. (ET)–approximately two minutes after ERMAKOV received application updates from the Tech Company–the FA 2 employee’s compromised login credentials were used to gain unauthorized access to FA 2’s system from the same 119 IP Address, and to view and/or download earnings-related files of four companies: Cytomx Therapeutics, Horizon Therapeutics, Puma Biotechnology, and Synaptics.7 All four companies reported their quarterly earnings later that day.
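The two-minute overlap the affidavit relies on is a standard timeline-correlation step: two independent log sources joined on a shared source IP inside a short window. What follows is an added example of that step, written for this post; it is not the FBI’s tooling and not evidence from the case. Both logs are constructed, and only the IP address, the date and the 3:44/3:46 a.m. times are taken from the quoted affidavit; the log formats, field names, account names and file names are assumptions.

```python
"""
Correlate an application-update log with a filing-agent access log on shared
source IP within a short time window.

Added example, not the FBI's tooling or evidence from the case. Both logs are
constructed; only 119.204.194.11, the May 9, 2018 date and the 3:44/3:46 a.m.
(ET, assumed EDT = -04:00) times come from the quoted affidavit. Field names,
account names and file names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed "Tech Company" records: the account received three app updates
# from the 119 IP address at 3:44 a.m.; a second account is unrelated noise.
TECH_COMPANY_LOG = """\
2018-05-09T03:44:00-04:00 account=acct-A ip=119.204.194.11 event=app_update app=native-app-1
2018-05-09T03:44:01-04:00 account=acct-A ip=119.204.194.11 event=app_update app=native-app-2
2018-05-09T03:44:02-04:00 account=acct-A ip=119.204.194.11 event=app_update app=native-app-3
2018-05-09T09:12:40-04:00 account=acct-B ip=203.0.113.7 event=app_update app=native-app-1
"""

# Constructed FA 2 access log: two hits from the 119 IP address shortly after
# the updates, one from a different IP, and one from the same IP a day later
# (outside any reasonable window, so it must not match).
FA2_ACCESS_LOG = """\
2018-05-09T03:46:10-04:00 user=fa2-employee ip=119.204.194.11 action=view file=report-1.pdf
2018-05-09T03:47:05-04:00 user=fa2-employee ip=119.204.194.11 action=download file=report-2.pdf
2018-05-09T08:30:00-04:00 user=fa2-employee ip=198.51.100.20 action=view file=report-3.pdf
2018-05-10T03:46:10-04:00 user=fa2-employee ip=119.204.194.11 action=view file=report-4.pdf
"""


@dataclass
class Event:
    ts: datetime
    fields: Dict[str, str]


@dataclass
class Match:
    ip: str
    anchor_ts: datetime   # the last update event from that IP before the access
    access_ts: datetime
    gap: timedelta
    access: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse '<iso-timestamp> key=value key=value ...' lines into Events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *kvs = line.split()
        ts = datetime.fromisoformat(ts_str)          # offset-aware timestamp
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(ts, fields))
    return events


def correlate(anchors: List[Event], accesses: List[Event],
              window: timedelta = timedelta(minutes=5)) -> List[Match]:
    """
    For each access event, find the nearest anchor event from the same IP that
    occurred at most `window` before it. Anchors are indexed by IP so the join
    does not degrade to a full cross-product on large logs.
    """
    by_ip: Dict[str, List[Event]] = {}
    for a in anchors:
        by_ip.setdefault(a.fields["ip"], []).append(a)

    matches = []
    for acc in accesses:
        candidates = [a for a in by_ip.get(acc.fields["ip"], [])
                      if timedelta(0) <= acc.ts - a.ts <= window]
        if candidates:
            nearest = max(candidates, key=lambda a: a.ts)
            matches.append(Match(acc.fields["ip"], nearest.ts, acc.ts,
                                 acc.ts - nearest.ts, acc.fields))
    return matches


def correlate_sample() -> List[Match]:
    """Run the join over the constructed logs; returns two matches."""
    return correlate(parse_log(TECH_COMPANY_LOG), parse_log(FA2_ACCESS_LOG))


if __name__ == "__main__":
    for m in correlate_sample():
        print(f"{m.ip}: update {m.anchor_ts.time()} -> access {m.access_ts.time()} "
              f"(+{int(m.gap.total_seconds())}s) {m.access['action']} {m.access['file']}")
```

The window is the only tuning knob, and it should be narrow: the affidavit’s value was that the gap was two minutes, not merely the same day. A shared IP on its own is corroboration rather than proof, since NAT, shared hosting and VPN exit nodes (the MA server this post discusses is exactly that kind of intermediary) put unrelated users behind one address; an investigator would want a device or session identifier from at least one side before treating the overlap as attribution.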

It would be rather surprising if the FBI agents investigating the DNC hack had not at least attempted to ID the IP associated with Yermakov’s phone (or other device) back in 2018. Whether or not they watched him engage in insider trading for years after that — all the while collecting evidence from co-conspirators flaunting the proof of their insider trading — we may never learn. The discovery on this case, featuring evidence explaining how the FBI tracked the insider trading of Putin’s pen-tester, will certainly feature a number of law enforcement sensitive techniques that Klyushin would love to bring back to Putin.

But it’s possible these techniques were what the FBI used to target these guys four years ago now, and the insider trading that Yermakov was doing in addition to whatever he spent the rest of his time doing has now provided a convenient way to bring Putin’s pen-tester to the United States for a spell.

Update: Added the pictures of the safe included with his detention memo, as well as earnings reports from Sladkov’s computer. Note the detention memo says the latter came from an ISP.


DOJ’s Ex Parte Classified Plans for Joshua Schulte — and Maybe, Julian Assange

Update: The High Court has overturned Baraitser’s ruling, finding that the US should have had an opportunity to give the assurances it has since given that Assange will not be subjected to solitary confinement. I expect Assange will appeal immediately.

Per a tweet from Stella Morris, the decision in the appeal of Vanessa Baraitser’s decision denying the US extradition request for Julian Assange on humanitarian grounds will be announced Friday at 10:15 GMT. Because of something that happened in the High Court extradition hearing, I want to point to some things that happened in the Joshua Schulte docket in recent months.

On August 5, DOJ filed notice of an ex parte classified status letter in the Schulte case.

The Government respectfully submits this letter to provide notice of an ex parte, classified status letter submitted yesterday.

By filing an ex parte classified status letter, the government would have informed the judge (then Paul Crotty but the case has since been reassigned to Judge Jesse Furman) something about the case, without sharing it with Schulte or the public. The letter would have been filed five years to the day after the start date, August 4, 2016, for searches DOJ has described that Schulte did on WikiLeaks, Edward Snowden, and (as described elsewhere) Shadow Brokers.

In addition to the numerous searches for “wikileaks” which commenced on August 4, 2016, SCHULTE also conducted multiple related searches, including: prior to the March 7, 2017 release of the Classified Information, “assange” (Julian Assange is the founder and “editor-in-chief” of WikiLeaks.org), “snowden its time,” “wikileaks code,” and “wikileaks 2017” — and after the March 7, 2017 release of the Classified Information, “wikileaks public opinion,” and “officials were aware before the WikiLeaks release of a loss of sensitive information.”

On September 23, the government wrote a letter to Judge Crotty, voicing its support for adjourning Schulte’s trial date — which at that point was scheduled for October 25, two days before Assange’s extradition hearing — and revisiting the schedule after November 1, several days after the extradition hearing.

The Government respectfully submits this letter in response to the defendant’s request to adjourn the trial date, currently scheduled for October 25, 2021. (D.E. 495). As discussed at the pretrial conference held on September 15, 2021, the Government consents to the defendant’s request for an adjournment. We respectfully suggest that the Court enter an order adjourning the trial sine die, and the Government will provide an update with respect to our views on an appropriate trial date by November 1, 2021.

On September 26, Yahoo published a story that made claims about assassination discussions that, the story itself revealed, were overblown. The story debunked WikiLeaks’ claims that the charges against Assange were political retaliation from Trump pertaining to the Russian investigation. It corroborated the obvious temporal link between the initial charge against Assange and a Russian exfiltration attempt. And it provided details of CIA’s clandestine plans to limit the damage of the still (then, and now) unreleased Vault 8 source code of CIA’s hacking tools. There’s reason to believe WikiLeaks has known aspects of those damage mitigation plans for at least two years, via means they do not want to disclose.

Since its publication, WikiLeaks has used the story to try to suggest that the DOJ extradition should not go forward, but the British judges who heard the appeal seemed unimpressed by tales of CIA outrage about WikiLeaks’ hoarding CIA’s hacking tools.

As part of the extradition hearing on October 28, according to the WikiLeaks Twitter account, the lawyer representing the US in Assange’s extradition hearing, James Lewis, asserted that if this effort to extradite Assange fails, they can just start again with another extradition request.

Note: I looked for a more credible source for this quotation than WikiLeaks, which has been sowing more propaganda than usual in recent months, but did not find it quoted by other credible journalists. For the purposes of this post, though, I will accept this as accurate. Lewis, speaking as the representative for US DOJ, seemed to suggest that if this extradition attempt fails, DOJ can ask the UK to extradite on a different indictment.

Shortly after the extradition hearing, on November 5, in response to an order from Judge Furman, DOJ proposed March 21, 2022 as the earliest feasible trial date, largely because of expected CIPA proceedings, but in part because of whatever DOJ discussed in that August 4 ex parte classified status letter.

Although the Government is available for trial at any time in the first or second quarters of 2022, the Government does not believe it would be practical to schedule the trial prior to March 2022.

[snip]

The proposed trial date also takes into consideration matters discussed in the Government’s ex parte letter submitted on August 4, 2021. Accordingly, in order to afford sufficient time both for the likely upcoming CIPA litigation and for the parties to prepare for trial with the benefit of any supplemental CIPA rulings, the Government believes that the earliest practical trial date for this matter would be March 21, 2022.

March 21 would be two weeks after the five year anniversary of the first publication of Vault 7, the less harmful development notes stolen from the CIA, but with them, the names or pseudos of several colleagues that Schulte allegedly scapegoated. That would be the likely date for any statutes of limitation on another CFAA conspiracy to toll.

That is, this timing would provide DOJ an opportunity to learn the fate of Assange’s first, declassified charges through 2015, in case DOJ wanted to ask for extradition on a second case charging actions since 2015.

Admittedly, one explanation for that August 4 filing could be that DOJ obtained new evidence (though if it is evidence Schulte will ultimately get, it should not be ex parte). But given Lewis’ comment and the timing of DOJ’s various updates about trial schedule, one explanation is that DOJ would ask to extradite Assange for the Vault 7 publications (and related actions that have nothing to do with journalism) if the current extradition effort fails.

Ultimately, Schulte’s decisions have created a longer delay than the one the government proposed. Because Schulte’s expert, Steve Bellovin, has limited availability due to his teaching schedule, the trial is scheduled to start on June 13, 2022, more than six years after Schulte allegedly stole the files in question.

Depending on what happens tomorrow, though, we may learn sooner what that ex parte filing was.


DOJ Was Still Working to Access Joshua Schulte’s Phone in September 2019

Glenn Greenwald is making factually unsupported defenses of Russia on Twitter again.

Yesterday, he made an argument about what he sees as one of the most overlooked claims in the Yahoo piece suggesting there was an assassination plot against Julian Assange and then, 100-something paragraphs into the thing, admitting that discussions of killing Assange were really regarded in the CIA as, “a crazy thing that wastes our time.”

Glenn doesn’t, apparently, think the overlooked detail is that the timeline in the story describing the changing US government understanding towards Assange, including Edward Snowden’s central role in that, shows that Assange’s defense lied shamelessly about the timeline in his extradition hearing.

Nor does Glenn seem interested that DOJ didn’t charge Assange during the summer of 2017 after Mike Pompeo started plotting against the Australian, but only did so on December 21, 2017, as the US and UK prepared for what they believed to be an imminent exfiltration attempt by Russia.

Intelligence reports warned that Russia had its own plans to sneak the WikiLeaks leader out of the embassy and fly him to Moscow, according to Evanina, the top U.S. counterintelligence official from 2014 through early 2021.

The United States “had exquisite collection of his plans and intentions,” said Evanina. “We were very confident that we were able to mitigate any of those [escape] attempts.”

[snip]

Narvaez told Yahoo News that he was directed by his superiors to try and get Assange accredited as a diplomat to the London embassy. “However, Ecuador did have a plan B,” said Narvaez, “and I understood it was to be Russia.”

Aitor Martínez, a Spanish lawyer for Assange who worked closely with Ecuador on getting Assange his diplomat status, also said the Ecuadorian foreign minister presented the Russia assignment to Assange as a fait accompli — and that Assange, when he heard about it, immediately rejected the idea.

On Dec. 21, the Justice Department secretly charged Assange, increasing the chances of legal extradition to the United States. That same day, UC Global recorded a meeting held between Assange and the head of Ecuador’s intelligence service to discuss Assange’s escape plan, according to El País. “Hours after the meeting” the U.S. ambassador relayed his knowledge of the plan to his Ecuadorian counterparts, reported El País.

What Glenn thinks is important is that, on April 13, 2017, when Mike Pompeo labeled WikiLeaks a non-state hostile intelligence service, the CIA did not yet have proof that “WikiLeaks was operating at the direct behest of the Kremlin,” though of course Glenn overstates this and claims that they had “no evidence.”

Glenn then claimed that CIA’s lack of proof on April 13, 2017 is proof that all claims about Assange’s ties with Russia made in the last five years — that is, from roughly October 7, 2016 through October 12, 2021 — lacked (any!) evidence. In other words, Glenn claims that CIA’s lack of proof, before UC Global ratcheted up surveillance against Assange in June 2017 and then ratcheted it up much more intensively in December 2017, and before US intelligence discovered the Russian exfiltration attempt, and before they had enough evidence to charge Joshua Schulte in 2018, and before they seized Assange’s computer in 2019, and before Snowden wrote a book confirming WikiLeaks’ intent in helping him flee, is proof that they never acquired such proof in the 1600 days since then.

At the time Pompeo made his comments, FBI was just five weeks into the Vault 7 investigation. They were chasing ghosts in the Shadow Brokers case, which also implicated Assange. Robert Mueller had not yet been appointed and, perhaps a month after he was, Andrew Weissmann discovered that, “the National Security Division was not examining what the Russians had done with the emails and other documents they’d stolen from those servers.” Pompeo’s comments came four months before Mueller obtained the first warrant targeting Roger Stone. They came seven months before Mueller obtained a warrant targeting Assange’s Twitter account. They came sixteen months before Mueller obtained a warrant describing a hacking and foreign agent investigation into WikiLeaks and others. They came 25 months before Mueller released his report while redacting the revelation that multiple strands of the investigation into Stone were ongoing (though also stating they did not have enough admissible evidence to prove Assange knew that Russia continued to hack the DNC). They came three years before DOJ kept the warrants reflecting the foreign agent investigation into WikiLeaks and others largely redacted, presumably because that investigation remained ongoing. They came three and a half years before the government withheld almost all of WikiLeaks lawyer Margaret Kunstler’s two interviews with Mueller’s team because of an ongoing investigation.

And all that’s separate from the long-standing WikiLeaks investigation at EDVA that led to Assange’s charges, which Rod Rosenstein has said never fully moved under Mueller.

On April 13, 2017, the investigation into Assange’s activities in 2016 had barely begun. Yet the fact that CIA couldn’t prove Assange was a Russian agent before most investigation into these things had started, Glenn claims, is proof that Assange is not a Russian agent.

It’s a logically nonsensical argument, but because certain gullible WikiLeaks boosters don’t see the flaws in the argument, I’d like to point to something fascinating disclosed just recently in the Joshua Schulte case: as late as September 2019, DOJ was still trying to get a full forensic image of the phone Schulte was using when he was first interviewed on March 15, 2017.

That was revealed in the government’s response to a Schulte motion to suppress evidence from the Huawei he used at the time, in the early stages of the FBI’s investigation. We saw many of these warrants from Schulte’s first attempt to get these early warrants suppressed (in which his attorney noted that the government got a second device-specific warrant). But Schulte is challenging the search on a basis that even Sabrina Shroff didn’t raise two years ago.

As the government tells it, FBI agents used a subpoena to get Schulte to hand over his phone during the interview on March 15 before they all returned to his apartment where they had a warrant for all his devices, then got a separate warrant at 1:26AM that night to search the phone specifically. They were unable to do so because it was locked, so in an interview on March 21 — at which time the search warrant was still valid — they got Schulte to open his phone (something his attorney at the time boasted he did voluntarily during a 2017 bail hearing).

Someone must have lost their job at FBI, though, because after Schulte opened the phone, it rebooted, preventing them from obtaining a full forensic copy of the device.

On March 20 and 21, 2021, the defendant, accompanied by his attorneys, was interviewed by the Government and law enforcement agents at the U.S. Attorney’s Office. At the interview on March 21, 2021, the defendant, in the presence of counsel, consented to a search of the Cellphone and entered his password to unlock it. (Id. ¶ 13(b)). When the Cellphone was unlocked, however, it rebooted, and FBI was able to obtain only a logical copy of the Cellphone rather than a complete forensic image. (Id. ¶ 13(c)).

However, in its response to Schulte, the government is relying on two documents that it released for the first time. First, a location warrant/pen register targeting three different phones, which the government submitted to show that Schulte’s Google history obtained on March 14 showed that he searched for ways to delete files in the time period he is accused of stealing the CIA files and deleting evidence of doing so. The affidavit is useful for explaining how Schulte was using phones in that period of 2017. In addition to the Huawei, for example, Schulte had a phone with a Virginia number he used to call at least one of his CIA colleagues between March 7 and when he canceled the phone on March 12. Then, after he gave the FBI his Huawei phone, he bought one that night he used to call Bloomberg (his employer), and another on March 17.

More importantly, the government released the affidavit and warrant from September 9, 2019, providing more explanation why they weren’t able to fully exploit the phone in 2017.

After Schulte unlocked the phone, FBI personnel attempted to forensically image the Subject Device so that the FBI could review its contents. However, because the Subject Device rebooted during that process, the FBI was able to obtain only a logical forensic image of the Subject Device (the “Logical Forensic Image”). Although the Logical Forensic Image contains some content from the Subject Device, the Logical Forensic Image does not contain all data that may be on the Subject Device, including deleted information and data from applications. The data and information from the Subject Device that is missing from the Logical Forensic Image would likely be captured on a complete forensic image of the phone (“Complete Forensic Image”). However, in March 2017, the FBI was unable to obtain a Complete Forensic Image of the Subject Device because the Subject Device locked after it rebooted and the FBI did not know the password to unlock the phone again to attempt to obtain a Complete Forensic Image.

On or about August 12, 2019, FBI personnel involved in this investigation successfully unlocked the Subject Device using a portion of a password identified during the course of the investigation (“Password-1”). Forensic examiners with the FBI believe that they will be able to obtain a Complete Forensic Image of the Subject Device using Password-1.

After unlocking the Subject Device using Password-1, an FBI agent promptly contacted the Assistant United States Attorneys involved in this investigation to inform them of this development, and the decision was made to seek a warrant to search the Subject Device for evidence, fruits, and instrumentalities of the Subject Offense.

The affidavit explains, among other things, that Schulte first obtained the phone on September 21, 2016 and logged into Google right away (somewhere in the vast paperwork released in the case, Schulte admitted that Google was his big weakness — and how!).

In the government response, they describe that the government did search the phone. They say the phone contains images of a woman Schulte lived with that he was charged, in Virginia, with assaulting in 2015.

The FBI searched the Cellphone pursuant to that warrant. The Cellphone contains, among other things, images of an individual identified as Victim-1 in the Government’s prior filings.

It’s an interesting defense of the import of the warrant. As the government explained in 2017 when it first informed Judge Paul Crotty of the Virginia assault charge, the incriminating photos had already been found on one of Schulte’s phones (it’s unclear whether these were found on the Huawei or the phone shut down on March 12), so the State of Virginia presumably doesn’t need any images discovered after 2019 to prosecute him on the assault charge.

As relevant here, the Government discussed several photographs recovered from the defendant’s cellphone that depicted an unknown individual using his hands to sexually assault an unconscious female woman (the “Victim”). (See Exhibit A, Aug. 24, 2017 Tr. at 12-13). At the time, the Government was aware that the Victim knew the defendant and had lived in his apartment as a roommate in the past. (Id.) Magistrate Judge Henry B. Pitman, who presided over the presentment, did not consider the information proffered by the Government regarding the Victim, explaining that “facts have [not] been proffered that . . . tie Mr. Schulte to the conduct in that incident.” (Id. at 48-89). Nevertheless, Judge Pitman detained the defendant concluding that the defendant had not rebutted the presumption that he was a danger to the community. (Id. at 47-49).

[snip]

On or about November 15, 2017, the defendant was charged in Loudoun County Virginia with two crimes: (i) object sexual penetration, a felony, in violation of Virginia Code Section 18.2-67.2; and (ii) the unlawful creation of an image of another, a misdemeanor, in violation of Virginia Code Section 18.2-386.1. The Government understands that these charges are premised on the photographs of the Victim. Specifically, the Loudoun County Commonwealth’s Attorneys Office has developed evidence that the defendant was the individual whose hands are visible in the photographs sexually penetrating the Victim.

But whatever they found on the phone, the government made an effort to make clear that even this 2019 search — which might have obtained deleted WhatsApp or Signal texts, both of which Schulte has used — was covered by a search warrant, something Schulte is currently trying to suppress only on a poison fruit claim.

This wasn’t the only evidence the government obtained years after Schulte became the primary suspect, though. They didn’t obtain full cooperation from Schulte’s closest buddy from when he was at the CIA, Michael, until January 2020, just before his first trial (which is one of the reasons the government provided fatally late notice to Schulte that the friend had been placed on leave at CIA). Michael helped Schulte buy the disk drives the government seems to suspect Schulte used in the theft; he also knew of Schulte’s gaming habits; and the CIA believed he might know more about Schulte’s theft from CIA.

So it’s clear that for most of the time that Glenn says the investigation as it stood in April 2017 must reflect all the evidence about Schulte, Assange, and Russia, the government continued to investigate.

None of that says DOJ obtained information from Schulte in that time implicating Assange in ties with Russia (though, as I’ve noted, someone close to WikiLeaks told me Schulte reached out to Russia well before ambiguous references to Russia showed up at Schulte’s trial). But to suggest all the evidence the government might now have was already in their possession on April 13, 2017, requires ignoring everything that has happened since that time.

Timeline

October 7, 2016: In statement attributing DNC hack to Russia, DHS and ODNI include documents released by WikiLeaks; an hour later WikiLeaks starts Podesta release

January 6, 2017: Intelligence Community Assessment assesses, with high confidence, that GRU released stolen documents via exclusives with WikiLeaks

March 7, 2017: First Vault 7 release, including unredacted names of key CIA developers

March 13, 2017: Affidavit supporting covert warrant approving search of Schulte’s apartment, including the devices found there

March 14, 2017: Affidavit supporting overt warrant approving search of Schulte’s apartment, including devices

March 14, 2017: Search warrants for Schulte’s Google account and other electronic accounts

March 15, 2017: 302 from interview with Schulte and testimonial subpoena and cell phone subpoena handed to him at interview

March 16, 2017: Affidavit supporting search warrant authorizing search of Schulte’s Huawei smart phone

March 31, 2017: Warrant and pen register for three different Schulte phones — one serviced by Sprint that he had used through all of 2016 but canceled on March 12, 2017, one he obtained after his phone was seized on March 15, 2017 serviced by Virgin, another he bought on March 17, 2017 serviced by AT&T

April 13, 2017: Mike Pompeo declares WikiLeaks a non-state hostile intelligence service

May 17, 2017: Robert Mueller appointed

August 7, 2017: Mueller obtains first warrant targeting Stone, covering hacking

August 23, 2017: Schulte charged with possession of child pornography

September 6, 2017: Schulte indicted on child pornography charges

September 26, 2017: Roger Stone testifies before HPSCI, lies about source for advance knowledge

October 19, 2017: Stone falsely claims Credico is his intermediary with WikiLeaks

November 6, 2017: Mueller obtains warrant targeting Assange’s Twitter account, citing hacking, conspiracy, and illegal foreign political contribution

November 8, 2017: Schulte claims to have been approached by foreign spies on Subway between his house and court appearance

November 9, 2017: WikiLeaks releases source code, billing it Vault 8

November 14, 2017: Assange invokes CIA’s source code (Vault 8) in suggesting Don Jr should get him named Ambassador to the US

November 16, 2017: Schulte tells FBI story about approach on Subway, accesses Tor

November 17, 2017: Schulte accesses Tor

November 26, 2017: Schulte accesses Tor

November 30, 2017: Schulte accesses Tor

December 5, 2017: Schulte accesses Tor

December 7, 2017: Schulte detained pursuant to charges of sexual assault in VA and violating release conditions

December 12, 2017: Randy Credico invokes the Fifth

December 21, 2017: Assange first charged with CFAA charge

March 6, 2018: Assange indicted on single CFAA charge

June 18, 2018: Superseding Schulte indictment adds Vault 7 leak charges

June 19, 2018: WikiLeaks links to Schulte diaries

August 20, 2018: Mueller obtains warrant describing investigation of WikiLeaks and others into conspiracy, hacking, illegal foreign contribution, and foreign agent charges

September 25, 2018: Schulte posts diaries from jail

October 31, 2018: Second Schulte superseding indictment adds charges for leaking from MCC

April 11, 2019: Assange seized from Embassy

May 23, 2019: Superseding Assange indictment adds Espionage Act charges

August 16, 2019: After FBI interview, CIA places Schulte buddy, “Michael” on leave

September 9, 2019: Affidavit in support of warrant authorizing search of Huawei phone

February 4, 2020: Schulte trial opens

February 12, 2020: Schulte attorneys reveal “Michael” was put on paid leave in August 2019

March 6, 2020: In an effort to coerce Jeremy Hammond to testify, AUSA twice tells Hammond that Julian Assange is a Russian spy

March 9, 2020: Judge Paul Crotty declares mistrial on most counts in Schulte case

April 28, 2020: DOJ continues to redact Foreign Agent warrants targeting WikiLeaks and others because of ongoing investigation

June 8, 2020: Third superseding Schulte indictment adds clarification to the charges

June 24, 2020: Second superseding Assange indictment extends CFAA conspiracy through 2015, citing efforts to use Snowden to recruit more leakers

November 2, 2020: BuzzFeed FOIA reveals that Mueller referred “factual uncertainties” regarding possible Stone hacking charge to DC US Attorney for further investigation, but also finding that it did not have admissible evidence that Assange knew Russia continued to hack the DNC

September 3, 2021: Schulte submits motion to suppress cell phone content

September 31, 2021: Schulte’s motion to suppress docketed

October 1, 2021: Government response to Schulte motion to suppress


At Lunchtime on March 15, 2017, Joshua Schulte Went Home and Got His Passport[s]

“Whoever committed the leak” of CIA hacking tools Joshua Schulte stands accused of, Schulte said in his first FBI interview on March 15, 2017, “was guilty of espionage and deserved to be executed.”

Schulte submitted the 302 from that interview to accompany a motion to suppress the initial search of his cell phone (remember, he went pro se last month, so he’s formulating this defense himself, and this challenge is not one the supremely competent Sabrina Shroff mounted when she was in charge of his defense). Schulte based his motion to suppress on a claim that the FBI used a subpoena, not a warrant, to authorize the seizure of his phone.

Schulte’s challenge is, from a legal standpoint, transparent garbage. He claims that the FBI seized his phone with a subpoena. That’s not what the record he submits shows. It shows, instead, that the FBI handed him a subpoena for both grand jury testimony and his phone, then walked back to his apartment with him, then executed a search warrant that included his electronic devices among the items to be searched.

[Schulte, referred to as KP, for either Kinetic Panda or Kinetic Piranha] was presented with a subpoena to appear at a grand jury hearing, scheduled to occur on March 17, 2017. KP was also served with a subpoena, authorizing the FBI to seize KP’s phone. From PERSHING SQUARE, the interviewing Agents and KP walked to KP’s residence, 200 East 39th Street, Apartment 8C, New York, New York, where FBI personnel executed a search warrant.

[snip]

SSA HUI thereafter served KP with a subpoena to appear at a grand jury hearing on March 17, 2017 and a subpoena that authorized the FBI to seize KP’s phone. SSA HUI also stated the FBI would soon execute a search warrant at KP’s residence. KP read the documents and stated he did not know what it all meant. KP was told by the interview Agents that he had every right to seek legal counsel. KP was also told by the interview Agents that he could return to the residence and be present during the search. KP voluntarily agreed to return to the residence and provide access to the search team.

The FBI obtained two warrants to search items including Schulte’s electronic devices: first one permitting a covert search, and then a second one that permitted the overt search. He knew of the warrant before the search of the phone occurred.

Which means the other details of the 302, which don’t help Schulte but which provide new insight on him and the investigation, are the most interesting details of this new release.

Consider his comment that the leaker should be executed. In the interview, he places blame on “Karen,” for lax security. “KP stated he didn’t want to place blame on anyone in terms of being negligent, but her approach to security was lax.” Trial testimony makes it clear this is a reference to the second-level supervisor he blamed for being disciplined at CIA. So from the very first moment, he seemed to frame Karen as a target of a ruthless Espionage investigation. He would continue from jail, suggesting the “Information War” he launched from a jail cell was actually continuous with an earlier effort to blame Karen, contrary to what Schulte argued at his first trial.

Just as interesting, the comment claiming such a leaker would be guilty of espionage matches something he said to his co-worker, “Jeremy Weber” (whom he also tried to blame for the leak) in conversations about Edward Snowden.

Q. You don’t remember him ever discussing leakers with you?

A. I, I do remember talking about leakers.

Q. Okay. What do you recall?

A. There was discussion around Snowden.

Q. Okay. And?

A. Schulte felt that Snowden was a — had betrayed his country.

Q. That doesn’t, you know, he seems to have strong opinions on everything. You sure he didn’t say more?

A. He probably would have called him a traitor. Said he should be executed for sure. I don’t remember specific verbiage, but he did express his typical strong opinions.

Schulte made those comments to Weber, even though the government claims to have chat logs in which Schulte said that Snowden, unlike Chelsea Manning, didn’t endanger anyone with his leaks.

More recently, Schulte has been fighting to have a home server, including a selection of Snowden files on it, returned to him.

But I’m particularly interested in the comments Schulte made about his planned trip to Cancun.

KP advised that he planned to travel to Cancun, Mexico on Thursday, March 16, 2017 with his brother who lived in Dallas, Texas. KP stated he has three younger brothers who all lived in Texas. KP had discussed moving back to Texas at some point and running a business with his brother in Dallas. KP stated the trip cost him approximately $1,200.00 and they planned to stay at a resort. KP stated he had no plans to meet up with anyone other than his brother during the trip, and he planned to return to the U.S. on March 20, 2017. KP stated he and his brother wanted to take a trip to either Cancun or Denver, Colorado, but they ultimately chose Cancun.

KP stated he returned to his residence during lunchtime earlier in the day to retrieve his passport so he could check-in online. KP said his passport was currently located inside his backpack, which was on the floor next to KP at PERSHING SQUARE. KP said he printed out his travel documents earlier. (Agent Note. KP reached inside his backpack and showed SA DONALDSON the documents he printed for the Cancun trip.)

KP said he understood how his potential travel abroad could cause angst at high levels of government; however, KP said if he was guilty, then he would have already left the country. KP stated he booked the Cancun trip prior to the WIKILEAKS publication. [my emphasis]

According to the trial testimony of Robert Evanchec, one of the agents who conducted this investigation, they already knew of this trip when they went to interview him (indeed, they included it in the warrant affidavits). “[W]e learned that within a week’s time he was planning to travel, for the second time in his life, outside the United States.” As described in that testimony, it was why they chose to interview Schulte so early in the investigation.

Q. I think you said earlier that early in the investigation, you learned that the defendant was traveling or planning to travel?

A. That’s correct.

Q. Where was he planning to travel to?

A. To Cancun, Mexico.

Q. When was the defendant scheduled to travel?

A. He was scheduled to depart on March 16, 2017.

Q. How, if at all, did that impact your investigation?

A. It accelerated our need to quickly understand what this defendant had done, and what his intentions were in traveling to Cancun. As I said earlier, it was only the second time in his life that he left the United States. And certainly his departure this close to the WikiLeaks release was of concern to us, and necessitated that we escalate our investigation and look into other ways to find out why he was traveling.

Q. What did you do as a result of that?

A. As a result of that, we had planned and actually ended up interviewing the subject Mr. Schulte.

While the 302 doesn’t record it, according to Evanchec’s testimony, after telling the FBI he had gone home at lunch to retrieve “his passport,” Schulte then told FBI Agents his diplomatic passport was back at his apartment.

Q. Did the defendant say anything about a diplomatic passport at the residence?

A. He did.

Q. What did he say about that?

A. He indicated that he had retained a diplomatic passport from his time at the CIA that he had not returned that was inside of his residence.

Schulte accompanied the FBI back to the apartment, let them in, hung around for a bit, then returned to Bloomberg, staying longer than he told them he would.

While he was at Bloomberg, FBI got far enough in their search of Schulte’s apartment to determine that the diplomatic passport was not there.

Q. You testified that the defendant told you that that diplomatic passport was in his apartment; is that correct?

A. That’s correct, sir.

Q. Was the diplomatic passport found in his apartment?

A. It was not.

When Schulte didn’t return when he said he would, Evanchec intercepted Schulte again as he was about to leave Bloomberg. The 302 redacts the reference to the FBI telling him they did not find his diplomatic passport at the apartment.

As Evanchec testified, when they intercepted Schulte on his way out, he admitted that he had stashed his diplo passport at his work station at Bloomberg, and they all went to his workstation and got both passports.

A. I believe it was just after midnight, around 12:15 p.m. We observed him again in the lobby of the Bloomberg building at 120 Park Avenue.

Q. Did you approach him?

A. We did.

Q. Who was with you at that time?

A. At the time it was myself, Special Agent Gary Ido, and Special Agent John Summers.

Q. What, if anything, did you say to the defendant at that time?

A. We indicated to him that we had obtained classified information or found classified information in his residence. And we also indicated that we had not recovered his diplomatic passport.

Q. What, if anything, did the defendant say in response?

A. He indicated the diplomatic passport was actually in his office at Bloomberg.

Q. Did he go anywhere after that?

A. Yes, he escorted us along with a security official from Bloomberg to his desk where we took possession of the diplomatic passport.

Q. Did you take possession of any other passport at that time?

A. Yes.

Q. What passport?

A. His personal passport.

Now, virtually all of this has previously been made public (presumably, Evanchec reviewed the 302s before testifying at the trial).

What’s new is that, at least per Schulte, he went home in the middle of the day to get his passport(s). His excuse for doing so might make sense — he was trying to check in online, which you can only do a day in advance. He might have been able to check in from his house, at lunch, unless he tried and discovered he could only check in 24 hours before his flight (he was scheduled to leave work before the end of the day on March 16).

Except none of that would require Schulte to bring two passports back to work, his regular passport and his diplomatic passport (the latter of which he should have but did not turn in when he left the CIA the previous November). Indeed, given the scrutiny Schulte had to have known he would be under, flying under the diplo passport would provoke alarm all by itself, so presumably he was checking in with his regular passport.

What I find particularly interesting, however, is the timing.

That’s because sometime between 10:50 AM and 3:30 PM that same day, Trump said the following in a recorded interview with Tucker Carlson, leaking classified information that would have alerted Schulte, if he had a way to hear it, that the government had determined that “a lot of things were taken” from the CIA under Obama, not under Trump.

Trump: Because I don’t want to do anything that’s going to violate any strength of an agency. You know we have enough problems. And by the way, with the CIA, I just want people to know, the CIA was hacked and a lot of things taken. That was during the Obama years. That was not during, us, that was during the Obama situation. Mike Pompeo is there now, doing a fantastic job. But we will be submitting certain things, and I will be perhaps speaking about this next week. But it’s right now before the Committee, and I think I want to leave it at that. I have a lot of confidence in the committee.

If Schulte had some way of seeing this, then, he would have been alerted that FBI had learned enough to know that he was a likely culprit for the leak.

Around the time Trump said this, Schulte (by his own telling) left work and got the passport he needed to check in for his second-ever flight out of the country — he reserved the flight on February 27. He never showed which passport he had in his bag to the FBI Agents, so it’s possible he also got the diplo passport he shouldn’t have even had, much less needed to check in for a flight.

For what it’s worth, it doesn’t seem possible that Schulte would have gotten advance notice he was the suspect for the leak from Trump’s blabbing to Tucker Carlson. I’ve not found any evidence that that interview played live; rather, it appears to have first aired at 9PM, by which point Schulte would have already been intercepted by FBI Agents in the Bloomberg lobby as he left from work.

But the 302 shows that, at around the same time that Trump was blabbing non-public details of the investigation into Schulte to a cable TV personality, Schulte left work and got his passport, possibly even the diplomatic passport he shouldn’t have had.


More on Joshua Schulte’s Attempted Hack of the Justice System

A few weeks ago, I described what I believed was an attempt by Joshua Schulte to hack the judicial system — not by using computer code, but by exploiting legal code. In a status hearing, he claimed that he had informed prosecutors that he wanted to proceed pro se (representing himself). The sole remaining member of the prosecution team, David Denton, said he hadn’t heard of it.

A letter submitted today by Denton and AUSA Michael Lockard, who has joined the team, explains why: after they reviewed one of many appeals Schulte had filed (this one a demand for the judge in this case to recuse), he had actually informed Judge Paul Crotty of his purported decision ex parte, before he sent a contrary filing, also ex parte. Crotty, having gotten no unequivocal indication that Schulte intended to proceed pro se, did nothing, which is part of the basis for Schulte’s mandamus filing.

On June 9, 2021, the defendant filed a pro se petition for a writ of mandamus in the Second Circuit seeking to recuse the District Court, claiming, among other things, that the defendant “petitioned [the Court] to represent himself in multiple letters throughout November 2020,” and that the Court “did not hold a Faretta hearing as required by law.” In Re: Joshua Schulte, 21-1445, Dkt. 1 at 10 (2d Cir. 2021). At the status conference in this matter on June 15, 2021, the Government noted that no such request appeared on the docket for this case, and that the Government was not aware of the defendant expressing “an unequivocal intent to forego the assistance of counsel.” Williams, 44 F.3d at 100. At the conference, defense counsel, at the defendant’s apparent request, stated that this was incorrect, and the defendant did wish to proceed pro se. Following the conference, defense counsel forwarded the Government a copy of a letter dated November 6, 2020, in which the defendant indicated his desire to proceed pro se, and informed the Government that the request had been submitted by the defendant to the Court ex parte. Defense counsel further explained that, in subsequent ex parte communication with the Court following the defendant’s November 2020 letter, defense counsel had advised the Court that the defendant intended to continue with counsel.

Much of the letter submitted today is routine process for when a defendant claims to want to represent himself. Among the precedents the government cites are two (one in this circuit) holding that a defendant cannot be co-counsel with his defense attorney, which is effectively what Schulte has done.

(4) a defendant who elects to proceed pro se “has no constitutional or statutory right to represent himself as co-counsel with his own attorney,” United States v. Tutino, 883 F.2d 1125, 1141 (2d Cir. 1989); see also Schmidt, 105 F.3d at 90 (“[T]here is no constitutional right to hybrid representation.”).

And while at the hearing Sabrina Shroff had suggested she and Deborah Colson serve as stand-by counsel, the government rightly notes that in his mandamus petition, Schulte raised conflicts reviewed before his first trial, which is something amounting to advice from Shroff that Schulte write down everything he wanted to leak in his prison notebook. They’re using that to ask that Crotty appoint someone besides Shroff (though they don’t name her) as standby counsel.

With regard to the appointment of standby counsel, the Government notes that the defendant’s recently filed pro se mandamus petition reiterates his prior claims that he wishes to call as witnesses certain of his prior and current counsel from the Federal Defenders of New York, although that claim is framed in the context of arguing that the Court’s prior rulings on this issue demonstrate bias that requires the Court’s recusal, rather than seeking relief from the Court’s orders themselves. See In Re: Joshua Schulte, 21-1445, Dkt. 1 at 4-9 (2d Cir. 2021). Accordingly, in order to avoid later claims alleging any purported conflict-of-interest, the Government respectfully suggests that it would be prudent for the Court to appoint as standby counsel one of the defendant’s current or former attorneys not implicated in the defendant’s claims asserting conflict or implicating the attorney-witness rule.

So the letter explains what, in a normal courtroom, is going on. But I maintain that Schulte is (and has been, for some time) attempting to do what he did with CIA’s computer systems: send a bunch of conflicting messages to get the machine to operate in a way entirely unexpected. Indeed, one tactic he’s using is one he used several times at CIA, the same tactic small children use when one parent gives them a response they don’t like: Schulte is bypassing his criminal docket (both through the use of the ex parte letters and the non-associated dockets, to ensure the government didn’t learn of this ploy until all the Speedy Trial time would, if the ploy is successful, have elapsed).

If I were the government I’d have some good hacking investigators review the docket to try to understand it all from a hacker’s brain. Because, at the very least, I suspect Schulte plans to claim that the government simply forgot to hold his second trial.

Copyright © 2022 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/cybersecurity/