Posts

Jeffrey Rosen Separated the Investigation that Could Turn Rudy Into a Russian Agent from the Rudy Investigation

When Scott Stedman first reported that the FBI investigation into matters relating to Rudy Giuliani had expanded to include sanctioned Russian agent Andreii Derkach, he suggested it was tied to the SDNY seizure, just days earlier, of Rudy’s phones.

The Federal Bureau of Investigation (FBI) probe of Donald Trump’s personal lawyer Rudolph Giuliani has expanded to include Russia’s spy activities in the 2020 U.S. election, multiple sources tell Forensic News.

The criminal investigation, which led to a dramatic raid of Giuliani’s home and office this week, has for months included the activities of those who worked for or with Russian intelligence agent Andriy Derkach.

Derkach is a Ukrainian Member of Parliament who has been an “active Russian agent for over a decade,” according to the U.S. government.

Kenneth McCallion, an attorney who has represented multiple Ukrainian clients, said that prosecutors have been looking into the actions of Derkach in the 2020 election cycle as part of the Giuliani probe.

“I have been briefed that prosecutors are scrutinizing Derkach as part of the Giuliani probe,” McCallion told Forensic News. The inclusion of Derkach in the FBI’s probe suggests that the potential charges facing Giuliani might extend beyond just Foreign Agent Registration Act violations.

But the NYT last night reported (without crediting Stedman for the earlier report) that, instead, the Derkach part of the investigation is in EDNY, not SDNY, and in that investigation, Rudy is not a subject.

Federal prosecutors in Brooklyn have been investigating whether several Ukrainian officials helped orchestrate a wide-ranging plan to meddle in the 2020 presidential campaign, including using Rudolph W. Giuliani to spread their misleading claims about President Biden and tilt the election in Donald J. Trump’s favor, according to people with knowledge of the matter.

[snip]

The investigation is unfolding separately from a long-running federal inquiry in Manhattan that is aimed at Mr. Giuliani. While the two investigations have a similar cast of characters and overlap in some ways, Mr. Giuliani is not a subject of the Brooklyn investigation, the people said.

Instead, the Brooklyn prosecutors, along with the F.B.I., are focused on current and former Ukrainian officials suspected of trying to influence the election by spreading unsubstantiated claims of corruption about Mr. Biden through a number of channels, including Mr. Giuliani, Mr. Trump’s personal lawyer at the time. It is unclear whether the Brooklyn prosecutors will ultimately charge any of the Ukrainians.

At one point in the investigation, the authorities examined a trip Mr. Giuliani took to Europe in December 2019, when he met with several Ukrainians, according to the people, who spoke on the condition of anonymity to discuss an ongoing inquiry.

At least one of the current and former officials Mr. Giuliani met, a Ukrainian member of parliament named Andriy Derkach, is now a focus of the Brooklyn investigation, the people said. [my emphasis]

In a remarkably stupid comment, the NYT suggests that two investigations started under Trump pose a political problem for Merrick Garland (misstating, at the same time, what Garland promised).

Together, the Manhattan and Brooklyn investigations present a challenge for the Biden Justice Department, which has pledged to remain above the political fray even as it inherited a number of sensitive investigations linked to Ukraine and Russia.

The comment is especially stupid given the public record that suggests the most likely explanation for the two separate investigations is that Jeffrey Rosen took steps after Rudy became the focus of investigative attention in SDNY, to ensure that EDNY could stave off the most dangerous parts of the investigation.

I have pointed out repeatedly that had the Zelenskyy call whistleblower tip been treated like all other national security related tips in the post-9/11 world, investigators would have discovered that it pertained to an already open investigation in SDNY into Lev Parnas and Igor Fruman, an investigation that both Billy Barr and Jeffrey Rosen knew about. It appears that didn’t happen at first because the complaint was viewed exclusively as the transcript of President Trump’s call, and not the backup that tied the call to the influence peddling involving Rudy, Parnas, and Fruman that had been going on for some time.

But, probably with the public release of the whistleblower complaint, SDNY began to investigate how Rudy picked up the effort that Parnas and Fruman had already started in 2018, to get Marie Yovanovitch fired.

On November 4, 2019, SDNY executed searches — searches that Main Justice would have had to be informed about — on Rudy and Victoria Toensing’s cloud accounts. In subsequent months, SDNY would execute searches on Yuri Lutsenko and several other Ukrainians, but not Andrii Derkach, not even after Rudy flew to Ukraine to meet with Derkach personally on December 5, 2019.

In the wake of those searches, on January 17, 2020, Jeffrey Rosen issued a memo putting his trusted deputy, Richard Donoghue, in charge of all Ukraine-related investigations.

As has been publicly reported, there currently are several distinct open investigations being handled by different U.S. Attorney’s Offices and/or Department components that in some way potentially relate to Ukraine. In addition, new information potentially relating to Ukraine may be brought to the attention of the Department going forward. The Department has assigned Richard Donoghue, the U.S. Attorney in the Eastern District of New York (EDNY), who currently is handling certain Ukraine-related matters, to coordinate existing matters and to assess, investigate, and address any other matters relating to Ukraine, including the opening of any new investigations or the expansion of existing ones.

[snip]

Any and all new matters relating to Ukraine shall be directed exclusively to EDNY for investigation and appropriate handling.

[snip]

Any widening or expansion of existing matters shall require prior consultation with and approval by my office and EDNY.

Now that we know about the Rudy search in November 2019, the effect of this memo is clear: it limited the SDNY investigation to the scope of the investigation as it existed at that time, into the Lutsenko attempt to fire Yovanovitch (which was included in the original Parnas indictment), but not Rudy’s meeting with a Russian agent to help Trump win re-election.

Instead, EDNY presided over all the Ukraine goings-on during the election, during which time they could have done something about ongoing tampering. Indeed, after Geoffrey Berman succeeded in ensuring that Audrey Strauss would replace him after Barr fired him to try to shut down ongoing investigations (including, undoubtedly, the one into Rudy and Barr’s friend Victoria Toensing), Barr and Rosen replaced Donoghue with another trusted flunky, Seth DuCharme. Under DuCharme, then, EDNY sat and watched while Derkach interfered in the election and did nothing until — per yesterday’s NYT story — “the final months of the Trump administration.” According to the public timeline, it appears that they just let a known Russian agent play around in our democracy.

There is plenty of risk for Rudy in the existing SDNY investigation. But what Rudy did in response to Lutsenko’s entreaties amounts to lobbying, and so is probably most likely be charged as a FARA case (though Foreign Agent charges are on the table).

With Derkach, however, Rudy was affirmatively attempting to launder Russian-backed disinformation to affect the election. There’s no way that can be charged as lobbying. Plus, the government understood Derkach to be a Russian agent when Rudy attended that meeting (though Rudy claims he was not warned in advance). If Derkach were part of the SDNY investigation, in which Rudy is a subject, then treating Rudy as the Russian agent he has served as in recent years would be on the table.

But in EDNY, per the NYT report, Rudy’s conduct is not at issue.

No Honor Among Troll Faces: The Latest Lawfare against Prigozhin’s Trolls

Yesterday, Treasury sanctioned four people for election interference. Rudy Giuliani associate Andreii Derkach has gotten most of the attention. But Treasury also sanctioned three people associated with Yevgeniy Prigozhin’s troll operation.

Today, Treasury also designated three IRA actors pursuant to E.O. 13694, as amended by E.O. 13757, and E.O. 13848 for having acted or purported to act for or on behalf of, directly or indirectly, the IRA, an entity designated pursuant to E.O. 13694, as amended, and E.O. 13848. Russian nationals Artem Lifshits, Anton Andreyev, and Darya Aslanova, as employees of the IRA, supported the IRA’s cryptocurrency accounts. The IRA uses cryptocurrency to fund activities in furtherance of their ongoing malign influence operations around the world.

The identifying information announcement provides not just passport and date of birth information (which is normal), but for two of the sanctioned individuals, it includes 17 and 6 crypto-currency addresses, respectively.

ANDREYEV, Anton Nikolaeyvich (Cyrillic: АНДРЕЕВ, Антон Николаевич), 9 3 Bloshevikov Prospect Apt 35, Saint Petersburg, Russia; DOB 03 Mar 1985; POB Saint Petersburg, Russia; nationality Russia; Email Address [email protected]; Gender Male;

Digital Currency Address – XBT 1Fz29BQp82pE3vXXcsZoMNQ3KSHfMzfMe3;

alt. Digital Currency Address – XBT 1AeSq93WDNdLoEJ92sex7T8xQZoYYm8BtS;

alt. Digital Currency Address – XBT 1AoxtfiBQ22DvbhqAN9Ctb8sULMRhrdwTr;

alt. Digital Currency Address – XBT 18Qj1THHuETfYhuRDZycXJbWwDMGw73Poa;

alt. Digital Currency Address – XBT 1MnbhWe5wr7Ut45ReyQsm96PwnM9jD7KaH;

alt. Digital Currency Address – XBT 1DYFJ6CuBvrxyoQSuBzVsNcetY9tvdsrag;

alt. Digital Currency Address – XBT 15Pt4NwZaUmMUwS2bQbyyncc7mzgWShtv8;

alt. Digital Currency Address – XBT 1PhqQpaGCrqSxQ6QDXcv14QCd1U98Zp34E;

alt. Digital Currency Address – XBT 13YBQr2Cp1YY3xqq2qngaPb7ca1o4ugeq6;

alt. Digital Currency Address – XBT 1KgudqxMfYaGzqAA7MS4DcsqejtMteqhix;

alt. Digital Currency Address – XBT 1FRyL9gmFGbzfYDAB4iY9836DJe3KSnjP9;

alt. Digital Currency Address – XBT 1DbShx4r8i2XesthoDBf5EkYWz5dsKEusV;

Digital Currency Address – ETH 0x8576acc5c05d6ce88f4e49bf65bdf0c62f91353c;

Phone Number 79315403678;

Digital Currency Address – LTC LWnbjLYUfqeokfbWM4FcU7uk2FP2DSxuWS;

alt. Digital Currency Address – LTC LaYUy1DGfVSuSF5KbPhbLrm8kRotqiwUJn;

Digital Currency Address – ZEC t1WSKwCDL1QYRRUrCCknEs5tDLhtGVYu9KM;

Digital Currency Address – BSV 12sjrrhoFEsedNRhtgwvvRqjFTh8fZTDX9; Passport 4005504207 (Russia) (individual) [CYBER2] [ELECTION-EO13848].

[snip]

LIFSHITS, Artem Mikhaylovich (Cyrillic: ЛИФШИЦ, Артем Михайлович), Primorsky Prospect 159, Saint Petersburg 197374, Russia; DOB 26 Dec 1992; nationality Russia; Email Address [email protected]; alt. Email Address [email protected]; Gender Male;

Digital Currency Address – XBT 12udabs2TkX7NXCSj6KpqXfakjE52ZPLhz;

alt. Digital Currency Address – XBT 1DT3tenf14cxz9WFNxmYrXFbB6TFiVWA9U;

Digital Currency Address – ETH 0x901bb9583b24d97e995513c6778dc6888ab6870e;

alt. Digital Currency Address – ETH 0xa7e5d5a720f06526557c513402f2e6b5fa20b00;

Phone Number 79110354982;

Digital Currency Address – LTC Leo3j36nn1JcsUQruytQhFUdCdCH5YHMR3;

Digital Currency Address – DASH Xs3vzQmNvAxRa3Xo8XzQqUb3BMgb9EogF4; Passport 719032284 (individual) [CYBER2] [ELECTION-EO13848].

Yesterday, EDVA also announced a single criminal charge of conspiracy to commit wire fraud against one of the sanctioned people, Artem Lifshits, who in 2017 was head of the “Translator Department [or Project],” which is what the troll project focusing on the US is called. As the excerpt above notes, Lifshits actually got fewer of his cryptocurrency accounts sanctioned than another of the targets, Anton Andreyev.

I’d like to look at how the criminal complaint complements the two other sets of charges against Prigozhin’s troll operation, the indictment against 13 of the actual trolls as well as some of the companies involved (here’s a very long post on that prosecution), and Prigozhin himself and a complaint against one of the accountants involved, Elena Alekseevna Khusyaynova (here’s my post on that). Along with renewing and fleshing out the case against Prigozhin, the complaint may be an effort to sow discord within Prigozhin’s operation, by alerting him that some of his employees may be helping themselves to company troll funds.

The affidavit by a Secret Service Agent supporting the complaint incorporates the other two legal actions and includes them as exhibits to this charge. It even includes a footnote explaining why DOJ dismissed the charges against Prigozhin’s shell companies.

On March 16, 2020, the United States dismissed Concord Management and Consulting LLC from the Indictment. Concord “availed itself of the Court’s jurisdiction to obtain discovery from the United States . . . while positioning itself to evade any real obligations or responsibility,” even refusing to produce a corporate representative despite “appearing” through counsel. Mot. to Dismiss Concord Defs., 2, 6, United States v. Internet Research Agency, et. al, 1:18-cr-32 (DLF) (D.D.C. Mar. 16, 2020). In light of the defendant’s conduct, the United States dismissed these parties from the Indictment, stating substantial federal interests were no longer served by continuing the proceedings against them. See id. at 9. The Indictment remains pending and active as to thirteen named individual defendants and the IRA.

After some introductory matter, the affidavit:

  • Describes the Lakhta disinformation project generally, including a brief overview of its attempts to sow discord between December 2016 through May 2018, incorporating some but not all of the examples from the Khusyaynova complaint, and adding a few new ones, including three paragraphs on use, starting in July 2019 of a cover company located in Accra, Ghana.
  • Describes how in October 2018 the Secret Service started investigating the role of cryptocurrency in the operation.
  • Explains that Lifshits served as head of the Translator Department.
  • Describes how Lifshits transferred money from a BTC account opened using the stolen identity of “T.W.” to his own personal account, the central allegation of wire fraud laid out in the indictment.

The basic proof accusing Lifshits of using T.B.’s stolen identity to open a Bitcoin account that he then used to transfer money into his own account relies on very basic metadata analysis obtained using legal process:

  • Evidence backing the selectors of Lifshits tie to his biological person and one of the cryptocurrency accounts he transferred money into (including two other Internet troll employees’ address book entries with his phone number, one of which referred to him as “Troll Face”).
  • Evidence showing Lifshits applying to Project Lakhta in July 2015 and appearing on rosters of Project Lakhta employees dated January 28, 2017 to October 26, 2017.
  • A description of finding order confirmations in the known IRA email, allforusa, from a criminal marketplace that sold fraudulent identities (this might be Richard Pinedo’s site).
  • Two paragraphs describing interviews with T.W. and another identity theft victim, T.B.,  in which they said he had never owned any cryptocurrency themselves and had not authorized anyone to do so on their behalf.
  • IP analysis showing Lifshits accessing cryptocurrency addresses (including his own) from an IRA IP address, as well as from a US-based account set up using a stolen identity but controlled by IRA.
  • IP address analysis showing him accessing the T.W. cryptocurrency account at the same time he accessed one of his own accounts, into which he transferred funds.
  • User Agent String analysis showing those accounts being accessed by the same browser.
  • IP analysis establishing venue in EDVA via some AWS servers.

In other words, the complaint, after invoking the two other legal actions against IRA and Prigozhin, finds one manager amid Prigozhin’s employees and shows some very basic metadata evidence — relying on neither intelligence nor some of the more sophisticated blockchain analysis the US government would like to hide — to accuse the manager, Lifshits, of wire fraud because of a financial transfer involving the stolen identity of an American.

There are two interesting aspects of the complaint, besides the way it slowly builds the case against Prigozhin via interlocking accusations.

First, a key passage of all this describes that Lifshits made this transfer “for personal gain.”

60. On or about December 29, 2017, LIFSHITS accessed and used the T.W. Exchange 1 Account to conduct an electronic transfer of funds from the T.W. Exchange 1 Account to his personal Exchange 3 account. This transaction is publicly viewable on the Bitcoin blockchain and USSS confirmed its existence through other investigative means.

61. On or about December 29, 2017, LIFSHITS used United States IP Address 1 at 15:35 UTC to access his Exchange 3 account. Then, three minutes later, he used the same IP address to access the T.W. Exchange 1 Account. This is on the same day that the T.W. Exchange 1 Account sent an electronic funds transfer to LIFSHITS’ Exchange 3 account.

62. With this transaction, LIFSHITS (1) intentionally and voluntarily devised or participated in a scheme to defraud — as evidenced by controlling and using a fraudulent cryptocurrency account, and (2) used interstate wire communications to further the fraud — as evidenced by the online cryptocurrency transactions.

It doesn’t say, one way or another, whether this was a sanctioned transfer of funds out of an IRA-controlled account or not. The government may have used this 34-page affidavit not only to flesh out the case against Prigozhin, but also to reveal that one of his employees is bilking him, effectively stealing trolling funds.

But the complaint also mentions a Co-Conspirator 1, who along with Lifshits bought identities using cryptocurrency.

Law enforcement obtained a search warrant for the contents of the email account [email protected], which as stated above is associated with a cryptocurrency account linked to both LIFSHITS and Co-Conspirator 1. During a review of the emails, law enforcement located “Order Confirmation” emails received from an online criminal marketplace that sells fraudulent passports and similar identification documents (the “Criminal Marketplace”). These emails corresponded to purchases of United States driver licenses that reflected the real names, addresses, and dates of birth of United States identity theft victims. This type of personally identifiable information is a “means of identification” as defined in Title 18, United States Code, Section 1028(d)(7).

It describes Co-Conspirator 1 as the sole other beneficiary of transfers out of a different IRA trolling account (though also suggests that one of the guys charged in the larger indictment might also be conducting such transfers as well).

The T.W. Exchange 1 Account reflected debits to several beneficiaries, including accounts registered to LIFSHITS and another known Project Lakhta member (“Co-Conspirator 1”). The IP activity associated with the T.W. Exchange 1 Account also matched the IP address activity of cryptocurrency accounts registered to LIFSHITS and Vladimir Venkov, who is charged in the USAO-DC Indictment.

It then introduces an account based off a different stolen identity, that of T.B., from which funds were transferred into an account controlled by the Co-Conspirator.

USSS identified a second account, which was hosted at another United States cryptocurrency exchange (“Exchange 2”). The Exchange 2 account was registered to a known Project Lakhta email account, [email protected] (hereinafter the “AllforUSA Exchange 2 Account”).7 Project Lakhta members opened the AllforUSA Exchange 2 Account using the identifiers of T.B. According to Exchange 2’s records, Project Lakhta members solely funded the AllforUSA Exchange 2 Account with an incoming credit from an account also in the name of T.B. at a United States-based financial institution. This credit was used exclusively to fund outgoing payments to a Blockchain wallet that USSS investigators determined was controlled by Co-Conspirator 1.

Now, it may be that the government only introduced Co-Conspirator 1 to establish venue in EDVA (which went through the T.B. account).

But it sure sounds like it is describing Co-Conspirator 1 as engaging in the same kind of transfers from IRA accounts into his own personal accounts that it describes Lifshits as doing.

Perhaps stealing from the troll till is considered part of their official compensation (elsewhere, the complaint cites the salary of Lifshits, so the US government may know the answer). Or perhaps these guys whose cryptocurrency addresses just got published in a US sanction announcement have been stealing from Prigozhin, in which case the US Treasury just provided Prigozhin a lot of hints about how to prove it.