“For every Oath Keeper you see, there are at least two you don’t see.” – email from Oath Keeper head Stewart Rhodes forwarded from Oath Keeper Graydon Young to his sister, Laura Steele, on January 4, 2021
I want to look at filings from the Oath Keepers investigation to show how FBI is juggling to move quickly enough to prevent obvious subjects from obstructing the investigation without tipping off others to the substance of the investigation. The filings confirm that the FBI will get sealed arrest warrants against subjects who are obviously obstructing the investigation, but may not use them right away, so as to obtain more evidence against them and their immediate co-conspirators. The filings also show how hard it is to delete evidence in an age of social media while conspiring with dozens of other co-conspirators.
The investigation from Watkins to Caldwell to the Parkers, Youngs, and Biggs
There’s a story about the Oath Keepers investigation that arises from the nature of the first publicly charged defendants. According to that story, the founder of an Ohio militia affiliated with the Oath Keepers, Jessica Watkins, boasted on Parler about “forcing entry into the Capitol” on the day of the attack. Videos of the Oath Keeper Stack showed up in videos posted within a day of the attack. Then, on January 13, the Ohio Capital Journal posted an interview with Watkins where she described it “the most beautiful thing” until she started hearing glass smashing — which she blamed on an Antifa false flag attack (a subsequent filing suggests Watkins wanted the Oath Keepers to get good press from the attack, threatening to sue some male journalist if he portrayed the Oath Keepers negatively).
That’s the evidence the FBI showed to obtain an arrest warrant on Watkins on January 16.
Meanwhile, as the investigation was closing in on Watkins, her recruit Donovan Crowl did an interview with the New Yorker for a story loaded with more images of coordinated movement from the Oath Keepers. Crowl offered similarly contradictory excuses for his action as Watkins.
On January 17, the FBI tried to conduct an interview with Watkins, only to be told by her partner, Montana Siniff, that she left Ohio on January 14 to stay with her friend and fellow Oath Keeper, “Commander Tom.”
At some point, the FBI obtained information from Facebook — they don’t explain when or on whom it was served, which I’ll return to. The return showed that Caldwell coordinated hotel reservations at the Comfort Inn/Ballston, not just with Watkins, but also others from North Carolina, as well as speaking with Crowl. This content may not have been obtained via Caldwell yet, because Caldwell’s private messages don’t show up in filings until January 19 (alternately they may have delayed that reveal until Caldwell was arrested).
But the FBI used that public Facebook information to obtain a warrant for Crowl on January 17. Watkins and Crowl turned themselves into Urbana, OH police that day, where the FBI took them into custody.
On January 13, the Guardian did a story on Watkins’ use of Zello.
“We are in the main dome right now,” said a female militia member, speaking on Zello, her voice competing with the cacophony of a clash with Capitol police. “We are rocking it. They’re throwing grenades, they’re frickin’ shooting people with paintballs, but we’re in here.”
“God bless and godspeed. Keep going,” said a male voice from a quiet environment.
“Jess, do your shit,” said another. “This is what we fucking lived up for. Everything we fucking trained for.”
The frenzied exchange took place at 2.44pm in a public Zello channel called “STOP THE STEAL J6”, where Trump supporters at home and in Washington DC discussed the riot as it unfolded. Dynamic group conversations like this exemplify why Zello, a smartphone and PC app, has become popular among militias, which have long fetishized military-like communication on analog radio.
On January 19, the government obtained an amended conspiracy complaint against Watkins, Crowl, and Caldwell. It included the following new information:
- Quotations from the Zello messaging
- Facebook messaging from Caldwell pictured standing outside the riot calling everyone in Congress a traitor
- Facebook messages showing planning between Watkins, Crowl, and Caldwell between December 24 and January 8
- Instructions for making plastic explosives found at Watkins’ house
Of particular interest, the complaint included the first hint that the Oath Keepers had intelligence — shared using Facebook — about the movements of Members of Congress.
On January 6, 2021, while at the Capitol, CALDWELL received the following Facebook message: “All members are in the tunnels under capital seal them in . Turn on gas”. When CALDWELL posted a Facebook message that read, “Inside,” he received the following messages, among others: “Tom take that bitch over”; “Tom all legislators are down in the Tunnels 3floors down”; “Do like we had to do when I was in the core start tearing oit florrs go from top to bottom”; and “Go through back house chamber doors facing N left down hallway down steps.”
Having arrested the two Oath Keepers blabbing to the press and the guy they hid out with, there’s not much more overt sign of the investigation until February 11, when the government submitted filings supporting pre-trial detention for both Watkins and Caldwell.
Arrest affidavits submitted on February 11 and February 12 (but sealed until after February 16) also refer to Watkins’ cell phone returns, including address book information describing Bennie Parker as a recruit, texts between Watkins and Parker coordinating plans for the insurrection and reassuring him the FBI would not prosecute them after the insurrection, and a picture of his wife Sandi Parker. Watkins’ cell phone returns also show a contact for Kelly Meggs in Florida, which she associated in her address book with the Oath Keepers.
Those initially sealed arrest affidavits also rely on surveillance footage and financial records from the Comfort Inn where all the Ohioans stayed. It shows the Ohioans together in the lobby. It reveals that Kelly Meggs paid for a room that night registered under another suspected Oath Keeper’s name (according to credit card records showing a $302 charge, Meggs apparently stayed at the Hilton Garden Inn the night of January 7). [Update: The indictment clarifies that Meggs paid for two rooms at the Comfort Inn and booked two at the Hilton, of which he paid for one. h/t bb]
The initial affidavit against Kelly and Connie Meggs and Graydon Young and Laura Steele also includes a picture taken — by some unidentified person — from the van from North Carolina.
The same affidavit includes testimony from a witness who interacted with the Oath Keepers on January 6 and was on a text message chain including Young and Steele, who was introduced to them as Gray and Laura and learned they had taken the Metro into DC. It relies on surveillance video from the Metro. It includes returns from Steele and Young’s Google accounts, including Steele’s application to join the Oath Keepers.
It includes location data showing Graydon Young’s phone traveling from Englewood, FL to Thomasville, NC to Springfield, VA, to DC, then back to Thomasville and ultimately, on January 8, back to Englewood. It includes his round trip flight records from Tampa to Greensboro, consistent with the movement of his phone. The affidavit also uses location data to place Steele and the Meggses in a “geographic area that includes the interior of the United States Capitol building.”
It includes subscriber records for Steele, Young, and Kelly Megg’s MeWe accounts, as well as subscriber records for Facebook accounts for everyone. Of particular note, the affidavit used to arrest Young and the others shows advanced legal process for Young, but mostly subscriber information for the others. They also use Young’s Google data to establish probable cause against the Meggs but do not, yet, use it against Young.
It’s likely in the five days between the affidavit and the arrest, more warrants were served for materials on the others.
There wasn’t much added in a February 25 memo supporting Watkins’ pretrial detention — except that aforementioned Watkins text with Stewart Rhodes complaining about media reports making the Oath Keepers look bad (which, because of the timing of the coverage, likely happened almost a week after the insurrection, or later).
If he has anything negative to say about us OATHKEEPERS, I’ll let you know so we can sue harder. Class action style. Oathkeepers are the shit. They rescued cops, WE saved lives and did all the right things. At the end of the day, this guy better not try us. A lawsuit could even put cash in OK coffers. He doesn’t know who he is playing with. I won’t tolerate a defamation of character, mine or the Patriots we served with in DC. Hooah?!
But in a hearing held February 26, prosecutors told Judge Amit Mehta something in an ex parte hearing to support their argument that there really was a Quick Reaction Force outside of DC on the day of the insurrection ready to bring weapons into the Oath Keepers already in DC, which is one of the reasons he denied Watkins’ motion for release.
The earlier investigation into Graydon Young
It took a while for DOJ to unseal all the filings from the other co-conspirators, particularly the long affidavit for the four southerners. But a docket unsealed last week tells another side of that story. On January 15, a tipster identified Graydon Young, one of the Floridians added to the Caldwell and Watkins conspiracy. Based off that tip, the FBI prepared and got authorization for an arrest warrant by January 18. But they didn’t use it, perhaps because FBI was chasing down two false positives based off pictures of Young, as described in the later affidavit (the first of which may have been based off facial recognition).
First, on or around January 14, 2021, after receiving an internet tip and viewing similar photographs and video of Young from the civil unrest on January 6, 2021, an FBI agent drafted an arrest warrant for an individual (Subject-1) other than Young, based on a review of Subject-1’s driver’s license photo and the fact that Subject-1 was affiliated with the Oath Keepers. An FBI agent in Kansas City, Missouri, who was familiar with Subject-1, then determined that Subject-1 was not the individual depicted in the photos at the U.S. Capitol on January 6, 2021. The government did not pursue charges against Subject-1. Second, on or around January 15, 2021, a concerned citizen provided the FBI with a tip that the photograph of Young in the Rotunda was a photograph of Subject-2, who was a co-worker of the concerned citizen in Illinois. On January 18, 2021, SA Wren spoke with the concerned citizen, who stated that Subject-2 had quit the job and moved to Colorado, and “seemed like the type” who would have gone to the Capitol. SA Wren reviewed Subject-2’s driver’s license photo and determined that Subject-2 is not the person depicted in the photographs of Young at the U.S. Capitol.
In other words, FBI was prepared to arrest Young by January 18, within a day of the initial Watkins arrest. But they did not. They kept that arrest warrant sealed while they obtained his location records, travel records (including evidence he drove home from North Carolina rather than flying, and had his sister’s car towed back to North Carolina afterwards), and subscriber information for other social media.
At some point (as noted), FBI obtained Young’s Google account. But on February 11, they used that “solely as evidence against Kelly Meggs. At this time, the government is not seeking to use this email against Young,” suggesting they still needed legal process to use it against him.
Don’t launch an insurrection with a still-active Facebook account
Given that the FBI was ready to arrest Graydon Young on January 18, it’s worth looking more closely at the Facebook evidence in this conspiracy.
The FBI learned on January 15 that Young was probably at the insurrection, had been tagged in planning for the event on January 4, and had attempted to delete his Facebook account on January 7 (it went into effect the next day). Young didn’t delete his related Instagram account until January 13.
At some point, the FBI also learned that Caldwell attempted to unsend messages on January 8, the same day Young shut down his Facebook account.
Nevertheless, Facebook still had Young’s data, including a post from January 6 boasting, “We stormed and got inside.”
The government also obtained highly damning Facebook content from much earlier, including a message he posted to a group, the “War of Northern Aggression,” on November 7. In it, he clearly acknowledges Joe Biden’s victory.
Will this group consider migration to MeWe and Parler? I think censorship is going to get worse with Biden win.
On November 9, he asked again to move from Facebook to MeWe and Parler.
On November 30, he pushed MeWe and Parler again.
I already have MeWe and Parler … waiting for this drama to end before I delete my FB account.
Hey Graydon?!?! The drama for you is just beginning.
Meanwhile, Caldwell didn’t succeed in deleting all his evidence either. As early as January 17, in Crowl’s affidavit, they had a message (it’s unclear whether it’s public or private)
Here is the direct number for Comfort Inn Ballston/Arlington 1-571-397-3955 I strongly recommend you guys get one or two rooms for a night or two. Arrive 5th, depart 7th will work. She says there are five of you including a husband and wife new recruits. This time of year especially you will need to be indoors to set up, etc. Really, press this home, just get somebody to put it on a credit card. Even if you tell the hotel its double occupancy, you can STILL get a couple of people on the floor with bedrolls and the hotel won’t know shit. Paul said he might be able to take one or two in his room as well. I spoke to the hotel last night (actually 2 a.m. this morning) and they still had rooms. This is a good location and would allow us to hunt at night if we wanted to. I don’t know if Stewie has even gotten out his call to arms but it’s a little friggin late. This is one we are doing on our own. We will link up with the north carolina [sic] crew.
The later affidavits include Caldwell Facebook messages sent in November predicting violence.
I am very worried about the future of our country. Once lawyers get involved all of us normal people get screwed. I believe we will have to get violent to stop this, especially the antifa maggots who are sure to come out en masse even if we get the Prez for 4 more years.
On January 6, Caldwell continued to use Facebook, receiving a message informing him,
All members are in the tunnels under capital seal them in. Turn on gas.
And,
Tom all legislators are down in the Tunnels 3floors down
Between Young and Caldwell, Facebook evidence shows that this operation clearly targeted legislators even after they knew Joe Biden had been elected. It turns out that neither of them successfully deleted this Facebook content before the drama really got started.
The delayed reveal
As noted, it took some time for the affidavit for the southern Oath Keepers to be unsealed. In the interim period, the FBI would have been able to investigate the Oath Keeper whose name was on the hotel room Young paid for, and all the other people on the bus on which Young and his sister were pictured. The FBI surely has reviewed any role the War of Norther Aggression Facebook group had in the insurrection. The accounts for which the FBI just had subscriber information on February 11 are probably now being fully exploited (including the WeMe accounts on which they may have been more open about their plotting).
There are still members of The Stack at large, the others on the bus, the group from Mississippi those who provided “security” for Trump’s closest associates. We don’t know where the next Oath Keepers to be arrested are. We do know where the FBI was, 17 days ago.
Timeline of Oath Keeper conspiracy
January 4: Young travels from Englewood, FL to Thomasville, NC. Young tagged in planning messaging for the attack.
January 5: Young travels from Thomasville to Springfield, VA, then heads to DC for the evening.
January 6: Young travels into DC, then back to Thomasville that night. Watkins posts to Parler and Caldwell posts to Facebook. Young posts, “we stormed and got inside” on Facebook.
January 7: Young deleted Facebook content going back to March 2019 (per Facebook record it goes into effect on January 8).
January 8: Caldwell unsends Facebook messages continuing evidence. Young returns to Englewood. Young writes an email saying that his “team leader” during the insurrection was “OK Gator 1” with Kelly Meggs’ phone number.
January 9: Watkins texts Bennie Parker telling him not to worry about the FBI investigating them.
January 11: Young has a vehicle registered to Steele’s address towed from a location near his home to Steele’s home in NC. Young deletes his Instagram account.
January 13: Watkins interview in Ohio Capital Journal. Guardian story on Watkins’ use of Zello. Young closes Instagram account.
January 14: Donovan Crowl story in New Yorker. Watkins and Crowl travel to Caldwell’s property in VA; he gives them OpSec tips for the drive. Bennie Parker texts Watkins asking if she put Sandi “out there” in the Capitol. FBI chases a false positive for Young on an Oath Keeper who lives in Kansas City, MO.
January 15: A tipster who has known Young for 35 years identified Young in an image published by NBC, informs the FBI that on January 4, other people had tagged Young in a discussion about traveling to DC. The tipster further revealed that on January 7, Young deleted his Facebook content going back to March 2019, then deleted the whole thing. FBI chases a false positive for Young to someone in CO.
January 16: Arrest warrant for Watkins.
January 17: Search of Watkins’ house discovers gear and other military items. Interview of her partner reveals she has left to stay with a friend, Commander Tom, and provides a phone registered to him at his VA property as the way to reach Watkins. Arrest warrant for Crowl. Search of a location where Crowl stays finds his tactical vest. Arrest warrant for Caldwell. Both Watkins and Crowl turn themselves in to the Urbana Police, where the FBI takes them into custody.
January 18: First arrest warrant for Graydon Young.
January 19: Caldwell, Crowl arrested by FBI, and Watkins arrested. Amended criminal complaint makes conspiracy charges against Watkins, Crowl, and Caldwell more formal. Search of Caldwell’s property finds Death List targeting election official from a different, a Gadsden flag signed by Crowl and Watkins, and a sales invoice for a weapon designed to look like a phone.
Janaury 21: Stewart Rhodes declares Biden’s “not a constitutional government.” Kelly Meggs closes his Facebook account.
January 27: Indictment for Watkins, Crowl, and Caldwell.
January 29: NYT does video analysis showing the movements of the Oath Keepers from the Ellipse to the Capitol.
February 11: Counterterrorism prosecutors Justin Sher and Alexandra Hughes join team. Motions for pre-trial detention for both Watkins and Caldwell. Sealed complaint filed against Kelly and Connie Meggs, Graydon Young, and Laura Steele.
February 12: Government moves for protective order against the original conspirators; Caldwell objects. Sealed complaint filed against Bennie and Sandi Parker.
February 16: Graydon Young arrested.
February 17: The Meggs and Laura Steele arrested.
February 18: The Parkers arrested.
February 23: Thomas Caldwell appeals detention.
February 26: Amit Mehta grants government motion to detain Jessica Watkins.
Update: I clarified that the email quoted at the top is from Stewart Rhodes, not Graydon Young.
![#246 – AFO [Assault on Federal Officer]](https://www.fbi.gov/wanted/capitol-violence-images/246a.png/view){kind=link}