Confirmed: John Durham Has Withheld Discovery That DOJ Already Disproved His Claims of Political Malice

In his reply filing in the fight over what evidence will be submitted at his trial, Michael Sussmann confirmed something I’ve long suspected: John Durham has not provided Sussmann with the discovery Durham would need to have provided to present his own conspiracy theories at trial without risking a major discovery violation.

Were the Special Counsel to try to suggest that Mr. Sussmann and Mr. Steele engaged in a common course of conduct, that would open the door to an irrelevant mini-trial about the accuracy of Mr. Steele’s allegations about Mr. Trump’s ties to Russia—something that, like the Alfa Bank allegations, many experts continue to believe in, and about which the Special Counsel has tellingly failed to produce any significant discovery.

Sussmann dropped this in the filing without fanfare. But it is clear notice that if Durham continues down the path he is headed, he may face discovery sanctions down the road.

I explained why that’s true in these two posts. A core tenet of Durham’s conspiracy theories is that the only reason one would use proven cybersecurity methods to test certain hypotheses about Donald Trump would be for malicious political reasons. Here’s how Durham argued that in his own reply.

As the Government will demonstrate at trial, it was also the politically-laden and ethically-fraught nature of this project that gave Tech Executive-1 and the defendant a strong motive to conceal the origins of the Russian Bank-1 allegations and falsely portray them as the organic discoveries of concerned computer scientists.

There’s no external measure for what makes one thing political and makes another thing national security. But if this issue were contested, I assume that Sussmann would point, first, to truth as a standard. And as he could point out, many of the hypotheses April Lorenzen tested, which Durham points to as proof the project was malicious and political, turned out to be true. They were proven to be true by DOJ. Some of those true allegations involved guilty pleas to crimes, including FARA, explicitly designed to protect national security; another involved Roger Stone’s guilty verdict on charges related to his cover-up of his potential involvement in a CFAA hacking case.

DOJ (under the direction of Trump appointee Rod Rosenstein, who in those very same years was Durham’s direct supervisor) has already decided that John Durham is wrong about these allegations being political. Sussmann has both truth and DOJ’s backing on his side that these suspicions, if proven true (as they were), would be a threat to national security. Yet Durham persists in claiming to the contrary.

Here’s the evidence proving these hypotheses true that Durham has withheld in discovery:

The researchers were testing whether Richard Burt was a back channel to the Trump campaign. And while Burt’s more substantive role as such a (Putin-ordered) attempt to establish a back channel came during the transition, it is a fact that Burt was involved in several events earlier in the campaign at which pro-Russian entities tried to cultivate the campaign, including Trump’s first foreign policy speech. Neither Burt nor anyone else was charged with any crime, but Mueller’s 302s involving the Center for National Interest — most notably two very long interviews with Dmitri Simes (one, updated, two, updated), which were still under investigation in March 2020 — reflect a great deal of counterintelligence interest in the organization.

The researchers were also testing whether people close to Trump were laundering money from Putin-linked Oligarchs through Cyprus. That guy’s name is Paul Manafort, with the assistance of Rick Gates. Indeed, Manafort was ousted from the campaign during the period researchers were working on the data in part to distance the campaign from that stench (though it didn’t stop Trump from pardoning Manafort).

A more conspiratorial Lorenzen hypothesis (at least on its face) was that one of the family members of an Alfa Bank oligarch might be involved — maybe a son- or daughter-in-law. And in fact, German Khan’s son-in-law Alex van der Zwaan was working with Gates and Konstantin Kilimnik in precisely that time period to cover up Manafort’s ties to those Russian-backed oligarchs.

Then there was the suspicion — no doubt driven, on the Democrats’ part, by the correlation between Trump’s request to Russia for more hacking and the renewed wave of attacks that started hours later — that Trump had some back channel to Russia.

It turns out there were several. There was the aforementioned Manafort, who in the precise period when Rodney Joffe started more formally looking to see if there was a back channel, was secretly meeting at a cigar bar with alleged Russian spy Konstantin Kilimnik discussing millions of dollars in payments involving Russian-backed oligarchs, Manafort’s plan to win the swing states, and an effort to carve up Ukraine that leads directly to Russia’s current invasion.

That’s the kind of back channel researchers were using proven cybersecurity techniques to look for. They didn’t confirm that one — but their suspicion that such a back channel existed proved absolutely correct.

Then there’s the Roger Stone back channel with Guccifer 2.0. Again, in this precise period, Stone was DMing with the persona. But the FBI obtained at least probable cause that Stone’s knowledge of the persona went back much further, back to even before the persona went public in June 2016. That’s a back channel that remained under investigation, predicated off of national security crimes CFAA, FARA, and 18 USC 951, at least until April 2020 and one that, because of the way Stone was scripting pro-Russian statements for Trump, might explain Trump’s “Russia are you listening” comment. DOJ was still investigating Stone’s possible back channel as a national security concern well after Durham was appointed to undermine that national security investigation by deeming it political.

Finally, perhaps the most important back channel — for Durham’s purposes — was Michael Cohen. That’s true, in part, because the comms that Cohen kept lying to hide were directly with the Kremlin, with Dmitri Peskov. That’s also true because on his call to a Peskov assistant, Cohen laid out his — and candidate Donald Trump’s — interest in a Trump Tower Moscow deal that was impossibly lucrative, but which also assumed the involvement of one or another sanctioned bank as well as a former GRU officer. That is, not only did Cohen have a back channel directly with the Kremlin he was trying to hide, but it involved Russian banks that were far more controversial than the Alfa Bank ties that the researchers were pursuing, because the banks had been deemed to have taken actions that threatened America’s security.

This back channel is particularly important, though, because in the same presser where Trump invited Russia to hack his opponent more, he falsely claimed he had decided against pursuing any Trump Organization developments in Russia.

Russia that wanted to put a lot of money into developments in Russia. And they wanted us to do it. But it never worked out.

Frankly I didn’t want to do it for a couple of different reasons. But we had a major developer, particular, but numerous developers that wanted to develop property in Moscow and other places. But we decided not to do it.

The researchers were explicitly trying to disprove Trump’s false claim that there were no ongoing business interests he was still pursuing with Russia. And this is a claim that Michael Cohen not only admitted was false and described recognizing was false when Trump made this public claim, but described persistent efforts on Trump’s part to cover up his lie, continuing well into his presidency.

For almost two years of Trump’s Administration, Trump was lying to cover up his efforts to pursue an impossibly lucrative real estate deal that would have required violating or eliminating US sanctions on Russia. That entire time, Russia knew Trump was lying to cover up those back channel communications with the Kremlin. That’s the kind of leverage over a President that all Americans should hope to avoid, if they care about national security. That’s precisely the kind of leverage that Sally Yates raised when she raised concerns about Mike Flynn’s public lies about his own back channel with Russia. Russia had that leverage over Trump long past the time Trump limped out of a meeting with Vladimir Putin in Helsinki, to which Trump had brought none of the aides who would normally sit in on a presidential meeting, looking like a beaten puppy.

Durham’s failures to provide discovery on this issue are all the more inexcusable given the fights over privilege that will be litigated this week.

As part of the Democrats’ nesting privilege claims objecting to Durham’s motion to compel privileged documents, Marc Elias submitted a declaration describing how, given his past knowledge and involvement defending against conspiracy theory attacks on past Democratic presidential candidates launched by Jerome Corsi and Donald Trump, and given Trump’s famously litigious nature, he believed he needed expertise on Trump’s international business ties to be able to advise Democrats on how to avoid eliciting such a lawsuit from Trump. (Note, tellingly, Durham’s motion to compel doesn’t mention a great deal of accurate Russian-language research by Fusion — to which Nellie Ohr was just one of a number of contributors — that was never publicly shared nor debunked as to quality.)

There are four redacted passages that describe the advice he provided; he is providing these descriptions ex parte for Judge Cooper to use to assess the Democrats’ privilege claims. Two short ones probably pertain to the scope of Perkins Coie’s relationship with the Democratic committees. Another short one likely describes Elias’ relationship, and through him, Fusion’s, with the oppo research staff on the campaign. But the longest redaction describing Elias’ legal advice, one that extends more than five paragraphs and over a page and a half, starts this way:

That is, the introduction to Elias’ description of the privilege claims tied to the Sussmann trial starts from Trump’s request of Russia to hack Hillary. Part of that sentence and the balance of the paragraph is redacted — it might describe that immediately after Trump made that request, the Russians fulfilled his request — but the redacted paragraph and the balance of the declaration presumably describes what legal advice he gave Hillary as she faced a new onslaught of Russian hacking attempts that seemingly responded to her opponent’s request for such hacking.

Given what Elias described about his decision to hire Fusion, part of that discussion surely explains his effort to assess an anomaly identified independently by researchers that reflected unexplained traffic between a Trump marketing server and a Russian bank. Elias probably described why it was important for the Hillary campaign to assess whether this forensic data explained why Russian hackers immediately responded to Trump’s request to hack her.

As I have noted, in past filings Durham didn’t even consider the possibility that Elias might discuss the renewed wave of hacking that Hillary’s security personnel IDed in real time with Sussmann, Perkins Coie’s cybersecurity expert.

It’s a testament to how deep John Durham is in his conspiracy-driven rabbit hole that he assumes a 24-minute meeting between Marc Elias and Michael Sussmann on July 31, 2016 to discuss the “server issue” pertained to the Alfa Bank allegations. Just days earlier, after all, Donald Trump had asked Russia to hack Hillary Clinton, and within hours, Russian hackers obliged by targeting, for the first time, Hillary’s home office. Someone who worked in security for Hillary’s campaign told me that from his perspective, the Russian attacks on Hillary seemed like a series of increasing waves of attacks, and the response to Trump’s comments was one of those waves (this former staffer documented such waves of attack in real time). The Hillary campaign didn’t need Robert Mueller to tell them that Russia seemed to respond to Trump’s request by ratcheting up their attacks, and Russia’s response to Trump would have been an urgent issue for the lawyer in charge of their cybersecurity response.

It’s certainly possible this reference to the “server” issue pertained to the Alfa Bank allegations. But Durham probably doesn’t know; nor do I. None of the other billing references Durham suggests pertain to the Alfa Bank issue reference a server.

Durham took a reference that might pertain to a discussion of a correlation between Trump’s ask and a renewed wave of Russian attacks on Hillary (or might pertain to the Alfa Bank anomaly), and assumed instead it was proof that Hillary was manufacturing unsubstantiated dirt on her opponent. He never even considered the legal challenges someone victimized by a nation-state attack, goaded by her opponent, might face.

And yet, given the structure of that redaction from Elias, that event is the cornerstone of the privilege claims surrounding the Alfa Bank allegations.

Because of all the things I laid out in this post, Judge Cooper may never have to evaluate these privilege claims at all. To introduce privileged evidence, Durham has to first withstand:

  • Denial because his 404(b) notice asking to present it was late, and therefore forfeited
  • Denial because Durham’s motion to compel violated local rules and grand jury process, in some ways egregiously
  • Rejection because most of the communications over which the Democrats have invoked privilege are inadmissible hearsay
  • The inclusion or exclusion of the testimony of Rodney Joffe, whose privilege claims are the most suspect of the lot, but whose testimony would make the communications Durham deems to be most important admissible

Cooper could defer any assessment of these privilege claims until he decides these other issues and, for one or several procedural reasons, simply punt the decision entirely based on Durham’s serial failures to follow the rules.

Only after that, then, would Cooper assess a Durham conspiracy theory for which Durham himself admits he doesn’t have proof beyond a reasonable doubt. As part of his bid to submit redacted and/or hearsay documents as exhibits under a claim that this all amounted to a conspiracy (albeit one he doesn’t claim was illegal), Durham argues that unless he can submit hearsay and privileged documents, he wouldn’t otherwise have enough evidence to prove his conspiracy theory.

Nor is evidence of this joint venture gratuitous or cumulative of other evidence. Indeed, the Government possesses only a handful of redacted emails between the defendant and Tech Executive-1 on these issues. And the defendant’s billing records pertaining to the Clinton Campaign, while incriminating, do not always specify the precise nature of the defendant’s work.

Accordingly, presenting communications between the defendant’s alleged clients and third parties regarding the aforementioned political research would hardly amount to a “mini-trial.” (Def. Mot. at 20). Rather, these communications are among the most probative and revealing evidence that the Government will present to the jury. Other than the contents of privileged communications themselves (which are of course not accessible to the Government or the jury), such communications will offer some of the most direct evidence on the ultimate question of whether the defendant lied in stating that he was not acting for any other clients.

In short, because the Government here must prove the existence of client relationships that are themselves privileged, it is the surrounding events and communications involving these clients that offer the best proof of those relationships.

Moreover, even if the Court were to find that no joint venture existed, all of the proffered communications are still admissible because, as set forth in the Government’s motions, they are not being offered to prove the truth of specific assertions. Rather, they are being offered to prove the existence of activities and relationships that led to, and culminated in, the defendant’s meeting with the FBI. Even more critically, the very existence of these written records – which laid bare the political nature of the exercise and the numerous doubts that the researchers had about the soundness of their conclusions – gave the defendant and his clients a compelling motive, separate and apart from the truth or falsity of the emails themselves, to conceal the identities of such clients and origins of the joint venture. Accordingly, they are not being offered for their truth and are not hearsay.

This passage (which leads up to a citation from one of the Georgia Tech researchers to which Sussmann was not privy that the frothers have spent the weekend drooling over) is both a confession and a cry for help.

In it, Durham admits he doesn’t actually have proof that the conspiracy he is alleging is the motive behind Michael Sussmann’s alleged lie.

He’s making this admission, of course, while hiding the abundant evidence — evidence he didn’t bother obtaining before charging Sussmann — that Sussmann and Joffe acceded to the FBI request to help kill the NYT story, which substantiates Sussmann’s stated motive.

And then, in the same passage, Durham is pointing to that absence of evidence to justify using that same claimed conspiracy for which he doesn’t have evidence to pierce privilege claims to obtain the evidence he doesn’t have. It’s a circular argument and an admission that all the claims he has been making since September are based off his beliefs about what must be there, not what he has evidence for.

Thus far the researchers’ beliefs about what kind of back channels they might find between Trump and Russia have far more proof than Durham’s absence of evidence.

Again, Durham doesn’t even claim that such a conspiracy would be illegal (much less chargeable under the statute of limitations), which is why he didn’t do what he could have had he been able to show probable cause that a crime had been committed: obtaining the communications with a warrant and using a filter team. Bill Barr’s memoir made it quite clear that he appointed Durham not because a crime had been committed, but because he wanted to know how a “bogus scandal” in which DOJ found multiple national security crimes started. “Even after dealing with the Mueller report, I still had to launch US Attorney John Durham’s investigation into the genesis of this bogus scandal.” In his filing, Durham confesses to doing the same, three years later: using his feelings about a “bogus scandal” to claim a non-criminal conspiracy that he hopes might provide some motive other than the one — national security — that DOJ has already confirmed.

An absolutely central part of Durham’s strategy to win this trial is to present his conspiracy theories, whether by belatedly piercing privilege claims he should have addressed before charging Sussmann (even assuming he’ll find what he admits he doesn’t have proof is there), or by presenting his absence of evidence and claiming it is evidence. He will only be permitted to do so if Judge Cooper ignores all his rule violations and grants him a hearsay exception.

But if he manages to present his conspiracy theories, Sussmann can immediately pivot and point out all the evidence in DOJ’s possession that proves not just that the suspicions Durham insists must be malicious and political in fact proved to be true, but also that DOJ — his former boss! — already deemed these suspicions national security concerns that in some cases amounted to crimes.

John Durham’s entire trial strategy consists of claiming that it was obviously political to investigate a real forensic anomaly to see whether it explained why Russia responded to Trump’s call for more hacks by renewing their attack on Hillary. He’s doing so while withholding abundant material evidence that DOJ already decided he’s wrong.

So even if he succeeds, even if Cooper grants him permission to float his conspiracy theories and even if they were to succeed at trial, Sussmann would have immediate recourse to ask for sanctions, pointing to all the evidence in DOJ’s possession that Durham’s claims of malice were wrong.

Update: The bad news is I’m still working through my typos, with your help, including getting the name of Dmitri Simes’ organization wrong. The good news is the typos are probably due to being rushed out to cycle in the sun, so I have a good excuse.

Update: Judge Cooper has issued an initial ruling on Durham’s expert witness. It limits what Durham presents to the FBI investigation (excluding much of the CIA investigation he has recently been floating), and does not permit the expert to address whether the data actually did represent communications between Trump and Alfa Bank unless Sussmann either affirmatively claims it did or unless Durham introduced proof that Sussmann knew the data was dodgy.

Finally, the Court takes a moment to explain what could open the door to further evidence about the accuracy of the data Mr. Sussmann provided to the FBI. As the defense concedes, such evidence might be relevant if the government could separately establish “what Mr. Sussmann knew” about the data’s accuracy. Data Mot. at 3. If Sussmann knew the data was suspect, evidence about faults in the data could possibly speak to “his state of mind” at the time of his meeting with Mr. Baker, id., including his motive to conceal the origins of the data. By contrast, Sussmann would not open the door to further evidence about the accuracy of the data simply by seeking to establish that he reasonably believed the data were accurate and relied on his associates’ representations that they were. Such a defense theory could allow the government to introduce evidence tending to show that his belief was not reasonable—for instance, facially obvious shortcomings in the data, or information received by Sussmann indicating relevant deficiencies.

Ultimately, Cooper is treating this (as appropriate given the precedents in DC) as a question of Sussmann’s state of mind.

Importantly, this is what Cooper says about Durham blowing his deadline (which in this case was a deadline of comity, not trial schedule): he’s going to let it slide, in part because Sussmann does not object to the narrowed scope of what the expert will present.

Mr. Sussmann also urges the Court to exclude the expert testimony on the ground that the government’s notice was untimely and insufficiently specific. See Expert Mot. at 6–10; Fed. R. Crim. P. 16(a)(1)(G). Because the Court will limit Special Agent Martin’s testimony largely to general explanations of the type of technical data that has always been part of the core of this case—much of which Mr. Sussmann does not object to—any allegedly insufficient or belated notice did not prejudice him. See United States v. Mohammed, No. 06-cr-357, 2008 WL 5552330, at *3 (D.D.C. May 6, 2008) (finding that disclosure nine days before trial did not prejudice defendant in part because its subject was “hardly a surprise”) (citing United States v. Martinez, 476 F.3d 961, 967 (D.C. Cir. 2007)).

This suggests Cooper may be less willing to let other deadlines slide, such as the all-important 404(b) one.

The Five Versions of the Mueller Report

As preparation for wading into the argument about why DOJ hasn’t indicted Trump on the obstruction charges laid out in the Mueller Report, I wanted to post links to the four different versions of the Report and comment on what they might tell us of the fate of Mueller’s work under Billy Barr. The five versions (which are all available at this link) are:

March 22, 2019

This is the version of the report released in April 2019. It had four kinds of redactions:

  • Harm to Ongoing Matter (basically, on-going investigations)
  • Personal Privacy
  • Investigative Technique
  • Grand Jury

June 3, 2019

Almost immediately after the release, a bunch of outlets FOIAed the report, including Jason Leopold. This is the version released in response to those FOIAs.

Volume I

Volume II

The release is identical to the one released months earlier (in that no new information was unsealed). But it used FOIA exemptions to explain redactions instead of the four terms used on original release.

This is the description of those exemptions:

Because the release effectively created a category to deal with everything related to the Roger Stone trial (about which the Concord Trolls made a big stink), it provided a way to identify which of the referrals at the end pertained to Stone.

Referrals 4 and 14 both pertained to the Stone trial. Because the referrals are alphabetical, those referrals might pertain to Jerome Corsi (who obviously lied to Mueller) and Stone himself.

June 19, 2020

After the Stone trial, Leopold got another copy of the report with matters revealed during the Stone trial unsealed.

Volume I

Volume II

Appendices

While there was a bunch of newly unsealed stuff in the body of the report, the two Stone-related referrals remained redacted, albeit with one fewer exemption (b7B, a disclosure that might prevent someone from getting a fair trial, was gone).

September 18, 2020

While not a full new report, in September 2020, DOJ released a spreadsheet listing all the redactions. They ended up withdrawing the redactions for a number of things, especially pertaining to the troll farm prosecution. Among other things, the newly unsealed information revealed that what was described as an investigation into a “Foreign campaign contribution” (the Egyptian bank bribe to Trump) and investigations into Paul Manafort’s firms had both been closed. The release is useful because it seems to date the closure of those investigations to sometime between June and September of the election year.

November 2, 2020

Literally on the eve of the election, DOJ released eight new pages, as well as a full report incorporating those eight pages and the withdrawn exemptions described in September. The newly unsealed information addressed the charging decisions surrounding the hacking charges.

The single most important newly disclosed detail is a footnote that reveals that the “factual uncertainties” around Stone’s knowledge that the GRU continued to hack Hillary when he purportedly coordinated the release of the Podesta emails had been referred to the DC US Attorney’s Office for further investigation. That is, the investigation into Stone’s potential coordination with Russia was not done at the time Mueller shut down the investigation, a disclosure that has yet to be reported by any major outlets.

The referrals section in the full report is somewhat mystifying. As noted, the Egyptian bribe investigation and the Paul Manafort referrals are unredacted, reflecting that those investigations had been closed. The unsealed information on the Manafort firms explains an earlier redaction convention; earlier, these entries lacked some of the exemptions all other referrals had. That’s probably for two reasons: first, those Manafort companies aren’t mentioned elsewhere in the report (and so didn’t have a b(7)(C)-4 exemption) and were not biological persons (and so didn’t have the privacy exemption).

Here are the last two pages of the referrals for all four versions, side by side (the rest are at this link).

The two Stone-related entries, like all the other redacted ones, remained exempted for an ongoing investigation (b7(A)).

But what doesn’t appear in that list, even though you’d think (and I long thought) it would, is something describing the George Nader child exploitation and foreign influence peddling referrals, both of which had been revealed in 2019 and the former of which is undoubtedly a Mueller referral. The fact that DOJ was unsealing closed investigations but has not unsealed an entry for the Nader referral that undoubtedly was opened after a Mueller-related FBI Agent found the CSAM on Nader’s phone suggests that these referrals aren’t necessarily everything that arose out of the Mueller investigation.

The distinction may be explained by a footnote that got unsealed with the last release, explaining why Greg Craig was treated differently than Tony Podesta and Mercury, all foreign influence peddling investigations that arose out of the Manafort team. “Greg Craig and FTI Consulting were treated as outright referrals (and therefore listed in Part B, infra) because evidence about their conduct was uncovered in the course of our authorized investigations.”

There is, however, a single entry that could be a Tom Barrack referral, item 1, which is another investigation that arose out of the Mueller investigation, one that was charged once Barr got out of the way of it.

We might learn more the next time Leopold liberates an entirely new copy.

Let me be clear: I don’t think we’ll see much of these. The most recent release was 15 months ago, and the statutes of limitation on any referrals will be tolling in the same time frame as obstruction charges would be. More recent 302 releases suggest there are few areas where investigation remains ongoing.

Given the way, though, that Trump’s first impeachment was largely a continuation of Paul Manafort’s Ukraine dalliances, that parts of January 6 are just a continuation of things (like Stone’s Stop the Steal and some of the people Mike Flynn worked with) that go back to 2016, and Trump’s tools of obstruction (most notably pardon dangles) remain the same, any current investigation may pull threads from past ones.

There’s a good deal more complexity remaining in the detritus of the Mueller investigation than people are allowing for.

February 11, 2022

Yesterday, DOJ released four pages showing the declination on misdemeanor CFAA charges for Don Jr, even though they could have proven it.

They also show that Mueller declined prosecution for JD Gordon for being an Agent of Russia.

Note: this post has been updated with the most recent release.

 

DOJ Treated Jerome Corsi as News Media but Not Roger Stone or Randy Credico (or Julian Assange)

Yesterday, DOJ released both an updated list of times when its media guidelines came into play (here are the 2016, 2017, and 2018 reports), as well as a summary of DOJ’s attempts to get records related to CNN, NYT, and WaPo reporting.

The former has raised some questions about how Mueller’s investigation applied these rules (as a reminder, my interview with the FBI was not with Mueller, though based on a month-long approval process I know to have occurred, I believe there is an entry in the 2017 report that pertains to me).

They’re easier to understand if you work through the second one, for legal process in 2019, first.

In the prosecution of an individual charged with obstructing the investigation into Russian interference in the 2016 presidential election, a United States Attorney authorized the issuance of a subpoena to a member of the news media for testimony. The member of the news media expressly agreed to testify pursuant to the subpoena. Because the member of the news media expressly agreed to testify, Attorney General authorization was not required. See 28 C.F.R. § 50.10(c)(3)(i)(A). The prosecution team did not call the member of the news media at trial.

There was just one trial of anyone for obstructing the investigation into Russian interference in 2016. George Papadopoulos, Mike Flynn, Michael Cohen, and Richard Pinedo never went to trial (nor did Alex Van der Zwaan, though his obstruction covered earlier events). Paul Manafort did go to trial for his tax cheating, but not for interfering with the Russian investigation (his plea breach hearing, which did pertain to lies he told to cover up his role in the Russian interference, was not a trial).

That means this has to be a reference to Roger Stone’s trial.

Two witnesses are known to have been subpoenaed, but not called to testify: Andrew Miller and Jerome Corsi. Randy Credico, a radio personality, testified at great length, including about how he booked Julian Assange and Roger Stone to appear on his radio show.

That’s not enough to prove that the reference is to Corsi (in part because there could have been other witnesses who were subpoenaed but not called to testify that we don’t know about). But now consider the second reference to the Mueller investigation, for something that happened in 2018.

In connection with an investigation into an alleged conspiracy involving persons or entities associated with a foreign government hacking the computers of a United States political party’s central organization, the Deputy Attorney General, acting as Attorney General, authorized the issuance of a grand jury subpoena duces tecum for the production of toll records from a cellular service provider for a telephone used by a member of the news media suspected of participating the conspiracy, as well as an application for a search warrant to search the member of the news media’s internet cloud and email accounts. Following the initial authorization, the Deputy Attorney General, acting as Attorney General, later authorized a voluntary interview of, and the issuance of a testimonial grand jury subpoena to, the member of the news media. All of this information was necessary to further the investigation of whether the member of the news media was involved in the conspiracy to unlawfully obtain and utilize the information from the hacked political party or other victims.

This is a description of someone investigated as a suspect.

While Mueller reviewed whether Don Jr violated the CFAA for accessing a non-public website he got sent a password to, the investigation into whether someone was part of the hack-and-leak conspiracy focused on Roger Stone (and Julian Assange, who does not obviously show up anywhere in this report, even though Mueller obtained a warrant targeting him as well). Two people were known to have been investigated as fellow suspects of Stone: Corsi and Ted Malloch. Mueller’s team obtained warrants and subpoenas targeting both. In Malloch’s case, however, the government is only known to have obtained his phone and his Gmail.

In Corsi’s case, however, Mueller targeted his Apple accounts, as well as email accounts held at CSC Holdings and Windstream.

Mueller is not, however, known to have obtained a warrant targeting Credico.

If the government treated Corsi as a member of the news media in 2018, when they obtained warrants targeting him as a suspected co-conspirator of Roger Stone, then they likely treated him as a member of the news media in 2019, when they subpoenaed him — but did not call him — as a witness in Stone’s trial. That is, the available evidence strongly suggests that Corsi is the person described in both Mueller entries.

Which, in turn, suggests that DOJ treated Corsi — but not Stone or Credico — as a member of the news media.

For what it’s worth, I’m virtually certain that there’s still a Mueller entry missing, pertaining to a member of the news media who asked for a subpoena before he would share materials relating to his work. That person has never been publicly referenced in Mueller-related investigative materials since released, but I believe 302s from the investigation reflect FBI having obtained the materials they were asking for from that member of the news media. But that incident would have fit under 28 CFR 50.10(c)(3)(i)(A), when a member of the news media agrees to provide information so long as he gets a subpoena, which under the media guidelines does not require Attorney General approval.

Update: There’s an important point that has been forgotten by these debates but which is implied in Merrick Garland’s statements about the media policy. There are other means to obtain records on people playing a journalistic function: under FISA, by providing probable cause that they are an agent of a foreign power.

Seth Rich Conspiracists Liberate Records Showing DOJ Believes They’re Conspiracists

Some Seth Rich truthers — including Matthew Couch and Ed Butowsky — recently got some files liberated in a FOIA for Seth Rich documents. They succeeded in liberating files that show that a conspiracy theory they’ve been chasing is, in fact, easily explained based on how FOIA and time work.

On September 1, 2017, Ty Clevenger FOIAed for Seth Rich documents, including but not limited to everything about his murder. After Clevenger sued, FBI FOIA lead David Hardy issued a declaration dated October 3, 2018 saying that he had found no primary files pertaining to Rich (meaning the FBI didn’t investigate his death, DC did), and that on appeal of this September 1, 2017 FOIA, he had even searched for references to Rich, but found nothing.

Clevenger argued that that claim is inconsistent with the deposition of former AUSA Deborah Sines in one of the related Seth Rich lawsuits where she was asked about claims she made to Michael Isikoff and Andy Kroll. Specifically, Sines revealed that she was interviewed by a Mueller AUSA.

According to Ms. Sines’s testimony, the FBI conducted an investigation into possible hacking attempts on Seth Rich’s electronic accounts following his murder. Ms. Sines also testified that the FBI examined Seth Rich’s laptop computer as part of its investigation, and that there should be emails between her and FBI personnel. Finally, she testified that she met with a prosecutor and an FBI agent assigned to Special Counsel Robert Mueller.

Ms. Sines’s testimony conflicts with the affidavit testimony of David M. Hardy, who claimed that the FBI conducted a reasonable search and could not find any records pertaining to Seth Rich. See October 3, 2018 Affidavit of David M. Hardy (http://lawflog.com/wpcontent/uploads/2020/01/Hardy-Declaration.pdf) and July 29, 2019 Affidavit of David M. Hardy (http://lawflog.com/wp-content/uploads/2020/01/Second-Hardy-Declaration.pdf). Mr. Hardy’s affidavits were also contradicted by email records that Judicial Watch obtained in Judicial Watch, Inc. v. U.S. Department of Justice, Case No. 1:18-cv-00154-RBW (D.D.C.). See August 10, 2016 email string (https://tinyurl.com/wylcu9l or http://lawflog.com/wpcontent/uploads/2020/04/FBI-emails-re-Seth-Rich.pdf). Clearly, the FBI is in possession of email records pertaining to Seth Rich.

Clevenger insists that records of this interview should have shown up in response to his September 1, 2017 FOIA.

Based on what the government released, it is true that Hardy’s declaration was wrong. There was an August 10, 2016 email chain via which a Washington Field Office press person alerted people to press questions after Julian Assange alleged Rich had a role in the email leak; the email chain ultimately included Peter Strzok. There was a September 1, 2016 notation by the San Francisco team that first investigated Guccifer 2.0 about something (probably information shared by either Twitter or WordPress). There were two copies of a 302 reporting on the September 14, 2016 interview of a DNC staffer (possibly Ali Chalupa) whose interview mentioned both Paul Manafort and Rich.

Those are the only things turned over, however, that pre-date Clevenger’s September 1, 2017 FOIA. So they’re the only things that Hardy should have found in his reference check.

That said, the claim that Hardy covered up details about Sines probably doesn’t hold up.

The document opening a case on a Dark Web threat, which may reflect the FBI investigation into allegations that someone tried to hack Rich’s email, is dated November 7, 2017.

And what is almost certainly Sines’ interview with Mueller detailee Heather Alpino took place on March 15, 2018. In addition to the AUSA’s explanation that she (again, almost certainly Sines) had collected all the conspiracy theories floating about Rich’s death, the 302 also reveals that the AUSA reviewed Rich’s financial records and job prospects as part of the investigation.

The 302 is also consistent — as are multiple other documents from this release — with the FBI obtaining Rich’s laptop after Clevenger’s original FOIA, as part of the Mueller investigation. The 302 shows the AUSA “request[ing] a forensic image of the laptop for the homicide investigation” from Alpino. If that’s right, the FBI didn’t even get Rich’s laptop until months after Clevenger first FOIAed for such information. The FBI received voluntary production of something on October 24, 2017, some of which was too large to be uploaded digitally, which could be the laptop. The FBI also received information on May 30, 2018 from the DNC which must include material pertaining to Rich.

Again, all that post-dates the original FOIA, and so would not have been included in Hardy’s search.

Indeed, these records indicate that the Mueller and hacking investigation did a lot of the things that the conspiracists claim they didn’t do, including chasing down the Seth Rich allegations, largely because the allegations floated by Roger Stone and Jerome Corsi became a focus of the investigation. The release includes two consent to search forms signed by Jerome Corsi on October 4, 2018, which suggest his electronic files were of interest in part because of claims he made about Seth Rich.

There are, however, a few interesting tidbits in here.

On April 9, 2019, the “SCO team” referred “information on a potential fraud scheme collected in the course of a Special Counsel’s Office.” That suggests one of the referrals Mueller made had to do with a fraud scheme involving Seth Rich.

A far more interesting document involves two pages of a 15-page 302 reflecting a 4-hour recorded interview that took place on October 2, 2019 between two FBI Agents and Dana Rohrabacher. Rohrabacher doesn’t appear to have had an attorney present. The interview covered “a wide variety of topics,” including people Rohrabacher had known going back to the Reagan administration. But the fragment pertaining to Rich appears among discussions about business relationships Rohrabacher had, including someone being asked to write articles of some sort (it’s not impossible that this is a reference to Corsi). The passage that probably relates to Rich is redacted for ongoing investigation. The circumstances under which alleged Russian asset Dana Rohrabacher would have a 4-hour recorded interview with the FBI are very curious indeed.

A word about what was included in this batch: The FBI put together a collection of 576 responsive pages, limited to pages that provided context for the reference to Rich along with the page containing the reference itself (so an entire 302 was only included if the entire interview pertained to Rich; otherwise they included the introductory page and the page with the Rich reference). Then, they withheld a bunch of pages in their entirety, leaving fewer than 80 pages in the released files. So we don’t get to see every page (and a number of these files are Mueller files that were already released).

But what we do get to see reflects nothing of real interest that was in the FBI files when Clevenger first submitted his FOIA.

Update: This release includes some files (including the Sines one and a Jason Fishbein one) that should have been turned over to BuzzFeed as part of that FOIA but I believe were not.

They also reprocessed this Jerome Corsi interview report, which doesn’t disclose anything that wasn’t already known, and this Paul Manafort interview report. The latter newly reveals that every day the week before the Podesta files dropped, Roger Stone told him they were coming, which makes it clear Stone didn’t have a lot of clarity on the timing of the release. It also shows Manafort recalling that, “Stone said things would come out related to Podesta. He did not recall that Stone specifically mentioned Podesta’s emails, just that Stone said it related to Podesta.” Similar Manafort testimony had shown up elsewhere, but this confirms that Manafort repeatedly testified that Stone knew the second WikiLeaks dump would pertain to Podesta.

Update: Corrected the timing of when FBI may have obtained Rich’s laptop.

Organized Crime

Know what you call a crowd that requires 25 pardons to cover their illegal activities of the last 5 years?

As it happens, Trump is mulling the pardons at a juncture when loyalty appears his principal concern, complaining repeatedly over the past weeks that Republicans are deserting him when he needed them to help overturn the election results.

He has largely frozen out those advisers and associates who do not seem on the same page. One person who used to speak to Trump regularly, but who delicately encouraged him to soften his post-election stance, no longer has his calls returned and hasn’t heard from Trump in weeks.

In all, the President is considering pardons for more than two dozen people in his orbit whom he believes were targeted — or could be targeted in the future — for political ends. That’s in addition to hundreds of requests from others who have approached the White House directly, and tens of thousands more whose petitions are pending at the Justice Department.

Organized crime.

Roger Stone Takes Georgia, and the Senate, Hostage

As far as I know, virtually no one else has accurately reported on the significance of this footnote in the Mueller Report, liberated by BuzzFeed hours before election day.

1279 Some of the factual uncertainties are the subject of ongoing investigations that have been referred by this Office to the D.C. U.S. Attorney’s Office.

The footnote explains why, on March 22, 2019, the Mueller team had not yet charged Roger Stone for conspiring with Russian intelligence officers to steal files from Democrats that could be leaked to help Donald Trump get elected President: because DOJ was still investigating it. The footnote — and the entire public record since then — make it clear that that investigation into Stone on CFAA conspiracy charges was ongoing. Indeed, I have shown that the Stone trial for lying to Congress to cover up the identity of his claimed go-between with WikiLeaks strongly suggests that his go-between was neither Jerome Corsi nor Randy Credico, but Guccifer 2.0, quite possibly an American cut-out working with the Russians.

While there are signs that Bill Barr effectively shut down that ongoing investigation by forcing the four Stone prosecutors to withdraw from the case, an investigation into whether Stone conspired with Russia would neither be tolled nor precluded on double jeopardy grounds. Nor would such crimes be covered by Trump’s commutation of Stone’s sentence for covering up who his go-between with WikiLeaks was, which appears to have been an effort to distract from his ties directly to the Russian operation. They are entirely different crimes. To pardon Stone for conspiring with Russia, Trump might well have to specify that Stone did conspire with Russia, something that would not only create legal jeopardy for himself, but would require admitting what he has tried to deny for four straight years, that his campaign “colluded” — conspired even! — with Russia to win.

It would be uncontroversial for Joe Biden’s Attorney General to reopen a case against Roger Stone for conspiring with Russia.

That may be useful background to the news that, after remaining relatively quiet for much of the 2020 election (or at least fronted by Steve Bannon), Stone is now threatening to hold Georgia’s Senate seats — and with it, GOP control of the Senate — hostage.

Conservative operatives and a super PAC with ties to infamous GOP dirty trickster Roger Stone are calling for Trump supporters to punish Republicans by sitting out Georgia’s crucial Senate runoffs or writing in Trump’s name instead. And though their efforts remains on the party’s fringes, the trajectory of the movement has Republicans fearful that it could cost the GOP control of the Senate.

The most aggressive call to boycott or cast protest ballots in the two runoff races has, so far, come from a dormant pro-Trump super PAC with ties to Stone, which unveiled a new initiative to retaliate against the Republican Party’s supposed turncoats by handing Democrats control of the U.S. Senate.

The group, dubbed the Committee for American Sovereignty, unveiled a new website encouraging Georgia Republicans to write in Trump’s name in both of the upcoming Senate runoff elections, which could determine the party that controls the upper chamber during President-elect Joe Biden’s first two years in office. The PAC argued that doing so will show support for the president in addition to forcing Republicans to address the wild election-fraud conspiracy theories floated by Trump supporters and members of his own legal team.

The effort uses some of the same infrastructure that the Mueller team scrutinized as part of its investigation of Stone.

The Committee for American Sovereignty and a sister nonprofit group were set up in 2016 as vehicles for prominent pro-Trump operatives—most notably Stone and former Blackwater chief Erik Prince—to attempt to suppress the Black vote by amplifying claims that Bill Clinton had an illegitimate biracial son. It’s been mostly quiet since then. The PAC’s recent filings with the Federal Election Commission disclose nothing but outstanding federal and state tax liabilities, and its new effort in Georgia doesn’t appear to have received much pickup yet.

A request for comment sent to the Committee for American Sovereignty email address on file with the FEC was not returned. Efforts to reach Pamela Jensen, a California political activist who leads the group, were not successful. Her husband, an attorney named Paul Jensen who describes Stone as a “long time client,” told The Daily Beast in an email his wife “has no comment, and nor do I.” Stone did not respond to inquiries about his present involvement with the group.

Stone made fairly naked threats in the days leading up to Trump’s commutation of his sentence, in that case to share information with prosecutors about Trump’s knowledge of his 2016 activities. The threats worked. This time around, Trump may not have the power to respond to Stone’s threats.

But Stone has proven in the past he’s willing to take reckless actions when he is cornered.

Some Details of Mueller’s GRU Indictment You Probably Missed

When the Mueller team wrote the GRU indictment, they were hiding that Roger Stone might one day be included in it.

Last week, DOJ unsealed language making it clear that, when Mueller closed up shop in March 2019, they were still investigating whether Roger Stone was part of a conspiracy with Russia’s GRU to hack-and-leak documents stolen from the Democrats in 2016.

The Office determined that it could not pursue a Section 1030 conspiracy charge against Stone for some of the same legal reasons. The most fundamental hurdles, though, are factual ones.1279 As explained in Volume I, Section III.D.1, supra, Corsi’s accounts of his interactions with Stone on October 7, 2016 are not fully consistent or corroborated. Even if they were, neither Corsi’s testimony nor other evidence currently available to the Office is sufficient to prove beyond a reasonable doubt that Stone knew or believed that the computer intrusions were ongoing at the time he ostensibly encouraged or coordinated the publication of the Podesta emails. Stone’s actions would thus be consistent with (among other things) a belief that he was aiding in the dissemination of the fruits of an already completed hacking operation perpetrated by a third party, which would be a level of knowledge insufficient to establish conspiracy liability. See State v. Phillips, 82 S.E.2d 762, 766 (N.C. 1954) (“In the very nature of things, persons cannot retroactively conspire to commit a previously consummated crime.”) (quoted in Model Penal Code and Commentaries § 5.03, at 442 (1985)).

1279 Some of the factual uncertainties are the subject of ongoing investigations that have been referred by this Office to the D.C. U.S. Attorney’s Office.

That means, eight months after they charged a bunch of GRU officers for the hack-and-leak, DOJ still hadn’t decided whether Stone had criminally participated in that very same conspiracy.

That raises questions about why they obtained the indictment before deciding whether to include Stone in it.

In his book, Andrew Weissmann provides an explanation for the timing of it.

A problem arose, however, when it came to the timing of this indictment. Having secured the Intelligence Community’s and Justice Department’s go-ahead, Jeannie aimed to have the indictment completed by July 2018. However, Team M’s first case against Manafort was scheduled to go to trial in Virginia in mid-July and, with Manafort showing little sign of wanting to plead, much less cooperate, with our office, we had few doubts that the trial would go forward. If we brought Team R’s indictment just before the trial, the judge in the Manafort case would go bonkers, justifiably concerned that such an indictment from the Special Counsel’s Office could generate adverse pretrial publicity, even if it didn’t relate directly to the Manafort charges.

But we couldn’t afford to wait to bring the hacking indictment until after both of Manafort’s trials concluded—the trial in Virginia was slated to start in July and the trial in Washington in early September. By then, we would be running up on the midterms, and we would not announce any new charges that close to the election (consistent with Department policy). But waiting until mid-November would be intolerable to Mueller. I told Jeannie I thought we could safely defend ourselves from any objections from the Virginia judge if she brought her case at least two weeks before the start of our July trial—that, I hoped, would give us a reasonable buffer.

Jeannie said she could manage that, then quickly noted that the new timetable created yet another problem: Two weeks before our trial, the president was scheduled to be in Helsinki, where he would be meeting privately with Vladimir Putin. Our indictment would require alerting the State Department, given their diplomatic concerns in preparing for and running a summit, as the indictment would accuse the Russians explicitly of election interference. That was standard operating procedure, but there was also the real perception issue that the indictment could look like a commentary on Trump’s decision to meet alone with Putin, which we did not intend.

We brought the dilemma to Mueller. He suggested we determine whether the White House would take issue with our proceeding just before the president’s trip—would it pose any diplomatic issues? The answer we got back was no: The administration would not object to the timing. I suspect the White House Counsel’s Office did not want to be perceived as dictating to us how or when to bring our indictment, or as hiding evidence of Russian election interference. In retrospect, a less generous interpretation of their blessing to move forward was that they knew dropping the indictment just before the trip would provide Trump and Putin an opportunity to jointly deny the attack on a global stage—that they were playing us, as Barr would later on. [my emphasis]

The indictment was ready in July. If it wasn’t announced then and if both Manafort trials went forward, then prohibitions on pre-election indictments would kick in, meaning the indictment wouldn’t be released until mid-November. That would have been “intolerable” for Mueller’s purposes. Weissmann doesn’t note that mid-November would also be after the election, meaning that the indictment might not get released before a hypothetical post-election Mueller firing and so might not get released at all. That may be what intolerable means.

Other possible factors on the GRU indictment timing

One thing that almost certainly played a factor in DOJ obtaining the indictment before they decided whether to include Stone in it, however, was Andrew Miller’s appeal.

Stone’s former aide Andrew Miller was interviewed for two hours at his home on May 9, 2018; this is almost certainly the 302 from the interview. Assuming that is his 302, Miller was asked about his relationship with Stone, Stone’s relationship with Trump, a bunch of Stone’s right wing nut-job friends, and someone whom Miller knew under a different name. Nothing in the unredacted passages of the interview reflects Miller’s role coordinating Stone’s schedule at the RNC, even though that was the focus of a follow-up subpoena after Miller testified to the grand jury. At the end of the interview, Miller agreed to appear voluntarily for a follow-up and grand jury testimony.

But then Stone learned about the interview.

We know that from the description of a pen register Mueller obtained on Stone a week later, described in affidavits. The PRTT showed that Miller had called Stone twice in the days after his interview with the FBI. On May 11, 2018, Miller lawyered up and his new lawyer, Alicia Dearn, told Mueller that Miller would no longer appear voluntarily (remember that Stone had offered to get a lawyer who would help Randy Credico refuse to testify).

This timeline lays out the early part of Miller’s subpoena challenge.

Miller emailed Stone over a hundred times over the month after his FBI interview. Miller did schedule a grand jury appearance, but then blew it off. Mueller started moving to hold Miller in contempt on June 11. In the days between then and a hearing on the subpoena, Miller and Stone exchanged five more emails. Then, in late June, Miller added another lawyer, Paul Kamenar (whom Stone would add to his team after his sentencing, presumably to allow Kamenar to access the evidence against him under the protective order). Kamenar made it clear he would appeal Miller’s subpoena.

In other words, in late June, the Mueller team learned that they would have to wait a while to get Miller before the grand jury (it ultimately took until the moment Mueller closed up shop on May 29, 2019). All the back and forth also would have made it clear how damaging Stone believed Miller’s testimony against him to be. When Mueller obtained a second warrant for Stone’s emails in early August 2018, the team would have gotten the content of those emails to learn precisely what Stone had to say to Miller about his testimony.

So Miller’s challenge to his subpoena meant that Mueller’s team would not obtain testimony that — it seems clear — they knew went to the heart of whether Stone was conspiring with Russia until well after the midterm election.

If my concerns that “Phil” had a role in the Guccifer 2.0 operation were correct, there’s a chance my big mouth had a role in the timing, too. Starting on June 28, I started considering revealing that I had gone to the FBI in what would eventually become this post. Contrary to the invented rants of people like Glenn Greenwald and Eli Lake, even a year into an investigation into what I had shared with the FBI, long after the time they would have been able to dismiss my concerns if they had no merit, prosecutors did not blow me off.

My interaction with Mueller’s press person in advance of going forward extended over five days. I emailed the press person on June 28 and said I wanted to run something by him. He blew it off for a day (there was a Manafort hearing), then on Friday I wrote again saying I had run my decision by my lawyer, and was still planning on going forward. He still blew it off. The next day, I suggested he go check with a particular prosecutor; while the prosecutor hadn’t been in my interview, he was involved in setting it up. The press guy called back within an hour, far more interested in the discussion, and chatty about the fact that I live(d) in Michigan. He asked me to explain the threats I believed I had gotten after I went to the FBI. He asked me generally what I wanted to say. I noted that I believed if people guessed why I had gone to the FBI, they would guess the Shadow Brokers side of it, since TSB had dedicated its last words to a tribute to me, but probably not the Guccifer 2.0 side.

He told me “some people” needed to discuss it. Early on Monday July 1, we spoke again first thing in the morning. He asked me to describe more specifically what I would say. I described the select parts of my post that I suspected would be most sensitive, and read the text that I planned to publish. He said some people needed to discuss it and I would hear by the end of the day. At the end of the workday, he apologized for a further delay. After some more back-and-forth, he told me, around 10PM, that my post would not damage the investigation. The Special Counsel’s Office took no view on whether it was a stupid idea or not (it probably was, not least because one can never understand the moving parts in an investigation like this).

I posted the next day, part of a mostly-failed attempt to get Republicans to care about the non-partisan sides of this investigation. That was 11 days before the actual indictment.

I didn’t know then and frankly I still can’t rule out whether, over those two days, when “some people” discussed my plans, they reached a final conclusion that my concerns about an American who might have a role in the Guccifer 2.0 operation were either baseless or could not be proven.

But the aftermath shows they were still investigating Stone’s ties to Guccifer 2.0, whether or not I was right about an American involved in it. Later in July, after the GRU indictment was released, prosecutors would obtain a warrant on several of Stone’s Google accounts in an attempt to determine whether he was the person looking up dcleaks and Guccifer 2.0 before the sites went live. A month and a half later, they would get two warrants, two minutes apart, one for Stone’s cell site location, and another for a Guccifer 2.0 email account, possibly an attempt to co-locate Stone and someone using the Guccifer account. That was the beginning of the period when Mueller’s team would start gagging warrant applications to hide the scope of the investigation from Stone.

For several months after releasing an indictment that made it appear as if all the answers about the hack-and-leak were answered, then, Mueller’s team took a number of steps that aimed to understand any tie between Stone and Guccifer 2.0. Even sixteen months after the GRU indictment, the Guccifer 2.0 persona ended up being an unstated focus of Stone’s trial — a trial about his lies to hide his true go-between with WikiLeaks — too.

Whatever the reason for the timing of the GRU indictment, given the confirmation that Mueller’s team was still investigating whether Stone had foreknowledge of ongoing GRU hacks that would merit including him in the hack-and-leak conspiracy when they closed up shop in March 2019, it’s worth revisiting the GRU indictment. At the time Mueller’s team wrote it, they knew at a minimum they were killing time to get Miller’s testimony, and subsequent steps they took show that they continued to pursue a prong of the investigation pertaining to Guccifer 2.0 that they planned to hide from Stone. So it’s worth seeing how they wrote the indictment to allow for the possibility of later including Stone in it, without telegraphing that that was a still open part of the investigation.

The Stone investigation parallels several of the counts charged in Mueller’s GRU indictment

The indictment charges 12 GRU officers for several intersecting conspiracies: Conspiracy against the US by hacking to interfere in the 2016 election (incorporating various CFAA charges and 18 USC §371), conspiracy to commit wire fraud for using false domain names (18 USC §3559(g)(1)), aggravated identity theft for stealing the credentials of victims (18 USC §1028A(a)(1)), conspiracy to launder money for using bitcoin to hide who was funding the hacking infrastructure (18 USC §1956(h)), and conspiracy against the US for tampering with election infrastructure (18 USC §371). In addition there’s an abetting charge (18 USC §2). Those charges are similar to, but do not exactly line up with, the other GRU indictment obtained in 2018, for hacking international doping agencies, which I’ll call the WADA indictment. The WADA indictment includes hacking, wire fraud, money laundering conspiracies, along with identity theft, as well. But it doesn’t include the abetting charge. And as described below, it deals with the leaking part of the operation differently.

DOJ used the abetting charge in Julian Assange’s indictments, a way to try to hold him accountable for the theft of documents by Chelsea Manning. Given the mention of Company 1, WikiLeaks, in the indictment, that may be why the abetting charge is there.

But the charges in the Mueller GRU indictment also parallel those for which the office was investigating Stone: he was investigated for CFAA charges from the start (that first affidavit focused exclusively on Guccifer 2.0), 371 was added in the next affidavit, aiding and abetting a conspiracy was added in the third affidavit, and wire fraud was added in March 2018 (the campaign finance charges that would be declined in the Mueller Report were added in November 2017). While the wire fraud investigation might be tied to Stone’s own disinformation on social media, the rest all stems from the charges eventually filed against the GRU in July 2018. Those same charges remained in Stone’s affidavits through 2018 (though did not appear in the early 2019 warrants used to search his houses and devices).

Mueller charged Unit 74455 officers for “assisting” in the DNC leak, without describing whom they assisted

Given the overlap on charges between those for which Mueller investigated Stone and those that appeared in the indictment, the treatment of the information operation in the GRU indictment — particularly when compared with the WADA indictment — is of particular interest. In both cases, the indictment described the InfoOps side to be conducted by Russian military intelligence GRU Unit 74455, as distinct from Unit 26165, which did most (but not all, in the case of the election operation) of the hacking.

In the WADA indictment, none of the personnel involved in the hack-and-leak at Unit 74455 are named or charged. Instead the indictment explains that, “these [Fancy Bears Hack Team social media accounts] were acquired and maintained by GRU Unit 74455.” Later, the indictment describes these accounts as being “managed, at least in part, by conspirators in GRU 74455,” notably allowing for the possibility that someone else may have been involved as well. The actions associated with that infrastructure are generally described in the passive voice: “were registered,” “were released” (several times). For other actions, the personas were the subject of the action: “@fancybears and @fancybearHT Twitter accounts sent direct messages…”

The Mueller indictment, however, names three Unit 74455 officers: It charges Aleksandr Osadchuk and Anatoliy Kovalev in the hack of the election infrastructure (Kovalev got charged in the recent GRU indictment covering the Seoul Olympics and NotPetya, as well).

And it charges Osadchuk and the improbably named Aleksey Potemkin in the hack-and-leak conspiracy. The Mueller indictment describes that those two Unit 74455 officers set up the infrastructure for the leaking part of the operation. Significantly, it describes that these officers “assisted” in the release of the stolen documents.

Unit 74455 assisted in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU.

[snip]

Infrastructure and social media accounts administered by POTEMKIN’s department were used, among other things, to assist in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas.

The indictment doesn’t describe whom these officers assisted in releasing the documents.

Unlike the WADA indictment, the Mueller indictment also includes specific details proving that GRU did control the social media infrastructure. It describes how the conspirators used the same cryptocurrency account to register “dcleaks.com” as they used in the spear-phishing operation, and the same email used to register the server was also used in the spear-phishing effort.

The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected]. The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.

[snip]

For example, between on or about March 14, 2016 and April 28, 2016, the Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.

(Note, this is some of the evidence collected via subpoenas to tech companies that the denialists ignore when they claim that CrowdStrike was the only entity to attribute the effort to Russia.)
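The links in the indictment passages quoted above can be written down as a small graph and queried to see which persona-to-hacking ties rest on which kind of record. This is an added example, not part of the original post or the indictment; the asset labels and the payment/registration/hosting/access/use record categories are assumptions made for illustration, and the email address elided on the page is left out.

```python
from collections import deque

# Each link: (asset_a, asset_b, record_kind, what the quoted indictment text says).
# Asset labels and record_kind values are this example's own categorisation.
# The operational email address is elided on the page, so only the
# "dirbinsaabol" account name that the page does show is used.
LINKS = [
    ("dcleaks.com domain", "cryptocurrency service account", "payment",
     "funds used to pay for the domain originated from this account"),
    ("cryptocurrency service account", "leased VPS", "payment",
     "same account funded the lease of a virtual private server"),
    ("leased VPS", "dirbinsaabol email", "registration",
     "VPS registered with the operational email account"),
    ("dirbinsaabol email", "john356gh shortener", "registration",
     "email also used to register the URL-shortening account"),
    ("john356gh shortener", "campaign spearphishing", "use",
     "shortener used to spearphish the campaign chairman and others"),
    ("bitcoin pool", "VPN account", "payment",
     "same pool of bitcoin funds purchased the VPN account"),
    ("bitcoin pool", "Malaysia server", "payment",
     "same pool of bitcoin funds leased the server"),
    ("Malaysia server", "dcleaks.com domain", "hosting",
     "server hosted the dcleaks.com website"),
    ("VPN account", "@Guccifer_2 Twitter", "access",
     "VPN used to log into the account on or about July 6, 2016"),
    ("VPN account", "domain-registration server", "access",
     "VPN account opened from the same server"),
    ("domain-registration server", "DCCC/DNC malicious domains", "registration",
     "server used to register malicious domains"),
]

PERSONAS = ["dcleaks.com domain", "@Guccifer_2 Twitter"]
HACKING = ["campaign spearphishing", "DCCC/DNC malicious domains"]


def build_graph(links, drop_kind=None):
    """Undirected adjacency map; links of kind drop_kind are left out."""
    graph = {}
    for a, b, kind, note in links:
        graph.setdefault(a, [])
        graph.setdefault(b, [])
        if kind == drop_kind:
            continue
        graph[a].append((b, kind, note))
        graph[b].append((a, kind, note))
    return graph


def evidence_chain(graph, start, goal):
    """Breadth-first search: shortest list of (from, kind, to) hops, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            chain = []
            while parents[node] is not None:
                prev, kind = parents[node]
                chain.append((prev, kind, node))
                node = prev
            return chain[::-1]
        for nxt, kind, _note in graph[node]:
            if nxt not in parents:
                parents[nxt] = (node, kind)
                queue.append(nxt)
    return None


def surviving_ties(links, drop_kind=None):
    """Chain from every persona asset to every hacking activity, or None."""
    graph = build_graph(links, drop_kind)
    return {(p, h): evidence_chain(graph, p, h)
            for p in PERSONAS for h in HACKING}


if __name__ == "__main__":
    for kind in (None, "payment", "access"):
        print(f"--- without {kind!r} records ---")
        for (persona, activity), chain in surviving_ties(LINKS, kind).items():
            status = f"{len(chain)} hops" if chain else "no tie"
            print(f"{persona} -> {activity}: {status}")
```

Run as a script, it prints the hop count for each tie with all records present, then again with payment records and with access records removed, showing which attribution chains depend on a single class of evidence.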

The Mueller indictment describes how Potemkin controlled the computers used to launch the dcleaks Facebook account.

On or about June 8, 2016, and at approximately the same time that the dcleaks.com website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.” In addition to the DCLeaks Facebook page, the Conspirators used other social media accounts in the names of fictitious U.S. persons such as “Jason Scott” and “Richard Gingrey” to promote the DCLeaks website. The Conspirators accessed these accounts from computers managed by POTEMKIN and his co-conspirators.

Finally, there’s the most compelling evidence, that some conspirators logged into a Unit 74455-controlled server in Moscow hours before the initial Guccifer 2.0 post went up and searched for the phrases that would be used in the first post.

On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases, including:

Search Term(s)

“some hundred sheets”

“some hundreds of sheets”

dcleaks

illuminati

широко известный перевод [widely known translation]

“worldwide known”

“think twice about”

“company’s competence”

Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0 published its first post on a blog site created through WordPress. Titled “DNC’s servers hacked by a lone hacker,” the post used numerous English words and phrases that the Conspirators had searched for earlier that day (bolded below):

Worldwide known cyber security company [Company 1] announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups.

I’m very pleased the company appreciated my skills so highly))) [. . .]

Here are just a few docs from many thousands I extracted when hacking into DNC’s network. [. . .]

Some hundred sheets! This’s a serious case, isn’t it? [. . .] I guess [Company 1] customers should think twice about company’s competence.

F[***] the Illuminati and their conspiracies!!!!!!!!! F[***] [Company 1]!!!!!!!!! [emphasis original]

Remember: in the weeks after DOJ released this indictment, Mueller’s team took steps to try to obtain proof of whether Roger Stone was the person in Florida searching on Guccifer’s moniker on June 15, 2016, before the initial post was published. If Stone did learn about this effort in advance, it would suggest he learned about the Guccifer 2.0 operation around the same time as someone was searching on these phrases in a GRU server located in Moscow. It would mean Stone learned about the upcoming Guccifer post in the same timeframe as these GRU officers were reviewing it.

It’s not really clear what was going on here. The assumption has always been that GRU officers were looking for translations into English from a post they drafted in Russian, even though the quotation marks suggest the Russian officers were searching on English phrases.

The one exception to that seems to confirm that. Those conducting these searches appear to have searched on a Russian phrase, a phrase they would have easily understood.

широко известный перевод

Moreover, it would take a shitty-ass translation application to come up with the stilted English used in the post. Plus, “illuminati,” at least, is an easily recognized cognate, even for someone (me!) whose Russian is surely worse than the English of any one of these Russian intelligence officers.

Still, proof of this activity — obtained via undescribed means — clearly ties the Guccifer operation to the GRU. It’s just not clear what to make of it. And the possibility that there’s an American component to the Guccifer 2.0 operation — whether “Phil” or someone else — one that may have alerted Stone to what was going on, provides explanations other than straight up translation. Indeed, it may be that GRU officers were approving the content that someone else wrote, originally in English. Which might also explain why Stone may have known about it in advance.

Whatever else, the GRU indictment only claims that these GRU officers “assisted” this effort. It doesn’t claim they wrote this post.

The Stone-adjacent Guccifer 2.0 activity

One other detail of Mueller’s GRU indictment of interest pertains to which Stone-adjacent activity it chose to highlight.

Stone had first made his DMs with Guccifer 2.0 public himself, in March 2017. They were covered in his House Intelligence Committee testimony. But when Mueller included them in the GRU indictment, Stone first denied, and then sort of conceded the reference to them might be him. His initial denial was an attempt to deny he had spoken with people in the campaign other than Trump himself, even though he had released the communications himself over a year earlier.

Remember — Mueller was still weighing whether Stone was criminally involved in this conspiracy when Stone issued the initial denial!

But that’s not the most interesting detail of the part of the indictment that lays out with whom Guccifer 2.0 shared stolen documents (even ignoring one or two tidbits I’m still working on).

Mueller’s GRU indictment included — along with the reference to the Roger Stone DMs (they still hadn’t determined whether those reflected part of a criminal conspiracy or not) — the Lee Stranahan exchange with Guccifer 2.0 that ended in Stranahan, a Breitbart employee who would later move to Sputnik, obtaining early copies of a document purportedly about Black Lives Matter.

On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, sent a reporter stolen documents pertaining to the Black Lives Matter movement. The reporter responded by discussing when to release the documents and offering to write an article about their release.

These Stranahan exchanges are really worth attention, not just for the way they prove that Stone-adjacent people got early releases on request (which, lots of evidence suggests, also happened with Stone with respect to the Podesta files pertaining to Joule Holdings), but also for the way Guccifer 2.0 ignored Stranahan’s claim in early August 2016 to have convinced Stone that Guccifer 2.0 was not Russian.

Note what this indictment didn’t mention, though: Guccifer 2.0’s outreach to Alex Jones (about whom, unlike Stranahan, the FBI questioned Andrew Miller).

As I’ve pointed out, in the SSCI Report, there’s a long section on Jones that remains almost entirely redacted. Citing to five pages of a report the title of which is also redacted, the four paragraphs appear between the discussions of Guccifer 2.0’s outreach to then-InfoWars affiliate Roger Stone and Guccifer 2.0 and dcleaks’ communication with each other.

According to Thomas Rid’s book, Active Measures, both dcleaks and Guccifer 2.0 tried to reach out to Jones on October 18, 2016.

On October 18, for example, as the election campaign was white hot and during the daily onslaught of Podesta leaks, both GRU fronts attempted to reach out to Alex Jones, a then-prominent conspiracy theorist who ran a far-right media organization called Infowars. The fronts contacted two reporters at Infowars, offered exclusive material, and asked to be put in touch with the boss directly. One of the reporters was Mikael Thalen, who then covered computer security. First it was DCleaks that contacted Thalen. Then, the following day, Guccifer 2.0 contacted him in a similar fashion. Thalen, however, saw through the ruse and was determined not to “become a pawn” of the Russian disinformation operation; after all, he worked at Infowars. So Thalen waited until his boss was live on a show and distracted, then proceeded to impersonate Jones vis-à-vis the Russian intelligence fronts.23

“Hey, Alex here. What can I do for you?” the faux Alex Jones privately messaged to the faux Guccifer 2.0 on Twitter, later on October 18.

“hi,” the Guccifer 2.0 account responded, “how r u?”

“Good. Just in between breaks on the show,” said the Jones account. “did u see my last twit about taxes?”

Thalen, pretending to be Jones, said he didn’t, and kept responses short. The officers manning the Guccifer 2.0 account, meanwhile, displayed how bad they were at media outreach work, and consequently how much value Julian Assange added to their campaign. “do u remember story about manafort?” they asked Jones in butchered English, referring to Paul Manafort, Donald Trump’s former campaign manager. But Thalen no longer responded. “dems prepared to attack him earlier. I found out it from the docs. is it interesting for u?”24

Rid describes just one of two outreaches to Jones (through his IC sources, he may know of the report the SSCI relies on). But a key detail is that this outreach used as entrée some stolen documents from May 2016 showing that the Democrats were doing basic campaign research on Trump’s financials. It then purports to offer “Alex Jones” information on early Democratic attacks on Paul Manafort’s substantial Ukrainian graft, possibly part of the larger GRU effort to claim that Ukraine had planned an election year attack on Trump.

That is, unlike Stranahan’s request for advance documents, this discussion intended for “Alex Jones,” ties directly to Stone’s efforts to optimize the Podesta release. And it’s something that some entity prevented SSCI from publishing.

It’s also something Mueller’s team left out of an indictment aiming to lay out the hack-and-leak case before they might get fired, but in such a way as to hide the then-current state of the investigation from Roger Stone.

There were actually a number of Stone-adjacent associates in contact with GRU’s personas. And as recently as just a few months ago, the government wanted to hide the nature of those ties.

Unsealed Mueller Report Passages Confirm the Then-Ongoing Investigation into Roger Stone

BuzzFeed released the last bits of the Mueller Report that Judge Reggie Walton ordered released late last night. I will have far more to say about them between meetings later today.

But for now, I want to point to the key paragraph on why Mueller didn’t charge Roger Stone in the hack-and-leak case. Basically, it says that neither Corsi’s testimony nor “other evidence currently available to the Office” is sufficient to prove that when Stone was coordinating the Podesta file dump, he knew that Russians continued to hack Democratic targets.

But then it includes a footnote that says there are “ongoing investigations” (plural) that the DC US Attorney’s Office will continue to pursue to try to address these factual uncertainties.

The Office determined that it could not pursue a Section 1030 conspiracy charge against Stone for some of the same legal reasons. The most fundamental hurdles, though, are factual ones.1279 As explained in Volume I, Section III.D.1, supra, Corsi’s accounts of his interactions with Stone on October 7, 2016 are not fully consistent or corroborated. Even if they were, neither Corsi’s testimony nor other evidence currently available to the Office is sufficient to prove beyond a reasonable doubt that Stone knew or believed that the computer intrusions were ongoing at the time he ostensibly encouraged or coordinated the publication of the Podesta emails. Stone’s actions would thus be consistent with (among other things) a belief that he was aiding in the dissemination of the fruits of an already completed hacking operation perpetrated by a third party, which would be a level of knowledge insufficient to establish conspiracy liability. See State v. Phillips, 82 S.E.2d 762, 766 (N.C. 1954) (“In the very nature of things, persons cannot retroactively conspire to commit a previously consummated crime.”) (quoted in Model Penal Code and Commentaries § 5.03, at 442 (1985)).

1279 Some of the factual uncertainties are the subject of ongoing investigations that have been referred by this Office to the D.C. U.S. Attorney’s Office.

As I described in May, in fall 2018, Mueller’s team took a bunch of investigative steps that they kept under seal. Then, they used the witness tampering case to obtain more information.

It’s unclear how much closer prosecutors got to proving the hack-and-leak case (though they obviously obtained Andrew Miller’s testimony, which was evidence not “currently available” when the Mueller Report was written). But there also appears to be evidence that, by intervening in the Stone sentencing, leading all the prosecutors to drop off the case, Bill Barr killed that part of the investigation.

Prosecutors were still working on proving Stone’s role in the hack-and-leak in March 2019. What’s unclear is how much closer they had since gotten to charging it before Barr intervened.

“Show Me the Metadata:” A Forensic Tie Between Shadow Brokers and Guccifer 2.0

On October 16, 2017, some of the last words the persona Shadow Brokers (TSB) ever wrote hailed my journalism.

TSB special shouts outs to Marcy “EmptyWheel” Wheeler, is being what true journalist and journalism is looking like thepeoples!

TheShadowBrokers, brokers of shadows.

As I noted at the time, I really didn’t need or appreciate the shout-out. I wrote a serious post analyzing that TSB post, but mostly I was trying to tell TSB to fuck off and leave me alone.

That was months after I told the FBI that I thought that someone I knew, whom I will refer to by the pseudonym “Phil,” might be the voice of TSB, and less than a week after I got a Psycho-themed threat I deemed worthy of calling the cops.

As I laid out here, I told the FBI that months before Phil had left a comment on my site on July 28, 2016, signed [email protected], he had done some paranoid things starting on June 14, 2016, including making multiple references to ties he claimed to have with Russia. He then attended a Trump rally on August 13, 2016, taking pictures he would later suggest were really sensitive.

In addition to my suspicions about Guccifer 2.0, I also told the FBI that I suspected Phil was part of the operation that had been dumping NSA exploits and other records on the Internet starting in August 2016.

Unlike with Guccifer 2.0, Phil never signed a comment at the site under the name TSB — though on September 21, 2017, someone left a comment asking for my opinion about the ways the government was pursuing TSB.

‘Merican

September 21, 2017 at 1:58 am

Is what you say easier get FISA than Criminal warrant or FISA keep secret from rest of government, but Criminal warrant maybe not? FBI is not intelligence agency is law enforcement agency why have access FISA? You write many articles about the shadow brokers, what you think FISA or Criminal for the shadow brokers? You thinking anyone in US government is looking for the shadow brokers? US government not even say name “name that shall never be spoken”. What is best way discover national security letter sent to your service provider? …asking for a friend!

I thought Phil might be TSB, in part, because Phil had said almost identical things to me in private that TSB said publicly months later. There were other things in TSB’s writing that resonated with stuff I knew about Phil. And while Phil and I never (as far as I recall) talked about TSB, at least once he did say some other things that went a long way to convincing me he could be TSB; I thought he was seeking my approval for what TSB was doing, approval I was unwilling to give.

There are, however, public exchanges between the persona TSB and me, in addition to that shout out in what turned out to be TSB’s swan song.

For example, after I wrote a post on January 5, 2017 wondering why the government hadn’t included TSB in any of its discussions of election year hacking, TSB tweeted to me, complaining that I had described TSB as “bitching” about the coverage, rather than calling it “trolling.” (Note, the language in these screen caps reflects the language used by the people who first archived these tweets, so don’t go nuts about the Russian.)

TSB then RTed my article, suggesting other outlets were complicit for not asking the same questions.

The first tweet, at least, didn’t adopt the fake Borat voice that TSB used to mask a very fluent English, though I think there were some other tweets TSB sent that day where that may be true as well. In neither of these tweets did TSB mock me for misspelling “Whither” (the post’s title originally spelled it “Wither”); that’s a bit odd, because TSB rarely passed up any opportunity to be an asshole on Twitter.

Then, on July 18, 2018, after I had revealed I had shared information with the FBI, someone started a Twitter account under the name LexingtonAl that ultimately claimed to be — and was largely viewed as, by those who followed it — TSB (the persona deleted most tweets in February 2019, but many are saved here). Starting in December 2018, Lex and I had several exchanges about what TSB had actually done. 

Here’s my side of one from that month where I pointed out a problem with Lex’s claim that TSB consisted of just three contractors who leaked the files to reveal US complicity with tech companies to other Americans. The claim didn’t accord with having sent the files to WikiLeaks (as both WikiLeaks and TSB claimed in real time).

At the time, Lex went on an anti-Semitic rant about things he hated. Assuming that Lex is TSB (as he claimed), I got demoted from being TSB’s favorite journalist to third on the list of things Lex hated.

Note: when I interacted with Phil, he was never anti-Semitic (though he was a raging asshole when angry), but Lex was clearly even more disturbed than Phil was in the period when I interacted with him.

Then, in January, Lex bitched (again, in anti-Semitic terms) about a post I had done noting that, given Twitter’s poor security at the time, the Twitter DMs that Hal Martin allegedly sent Kaspersky might have served to frame him.

The post had noted that the early TSB posts — including a number sent after Martin was arrested — had relied on similar cultural allusions as the DMs sent from Martin’s Twitter account. Shortly thereafter the FBI arrested Martin in a guns-wagging raid on his home in Maryland. Per this Kim Zetter story, the Tweets had mentioned the 2016 version of Jason Bourne and Inception. I reiterated that on Twitter.

It was a factual observation supported by the content of the earlier TSB posts, not a comment about any spookiness behind the release of the files.

I asked why TSB was so defensive about having those cultural allusions called out.

Lex responded with another anti-Semitic rant.

I responded,

Finally, in February 2019, Lex invoked me — including that I had “had a breakdown and outed her source” — sort of out of the blue in the middle of what might be called his claimed doctrine behind the leaks.

I noted that if his claimed doctrinal explanation were true, then TSB would have done a victory lap (and stopped dropping files) when Microsoft President Brad Smith started advocating for a Digital Geneva Convention in February 2017, which would have brought about an end to the practice that, Lex claimed, was his reason for dumping the files.

Not only didn’t TSB mention that in real time (instead choosing to exacerbate the tensions between the US and Microsoft), but TSB kept dropping files for six months after that.

Lex responded with another attack.

I have far less evidence that I could share to prove that TSB or Lex are Phil. But little noticed in the midst of TSB’s widely-discussed obsession with Jake Williams, a former NSA hacker whom TSB probably tried to frame as the source of the files, TSB also had an obsession with me — and certainly took notice when I revealed that I had gone to the FBI.

All that said, virtually all of these communications post-dated the time when I went to the FBI.

I went to the FBI in the wake of the WannaCry attack. The attack, reportedly a North Korean effort to make use of the tools dropped by TSB that went haywire, ended up causing a global worm attack that shut down hospitals and caused hundreds of billions of dollars in damage. When I have alluded to the ongoing damage I was trying to prevent, that’s what I mean: the indiscriminate release of NSA exploits to the public which, in that case, literally shut down hospitals on the other side of the world. 

There’s no defense for that.

While I had been trying to find some way to share my concerns long before that, I may never have met directly with the FBI about any of my suspicions except for another detail: I learned that there was a forensic tie between the Guccifer 2.0 and TSB personas. While, at the time, I had moderate confidence both that Phil had a role in the Guccifer operation and that he was TSB, when I learned there was a forensic tie between the two of them, it increased my confidence in both.

A strong caveat is in order: the forensic tie isn’t decisive; it could be insignificant, or untrue.

The forensic tie is that someone logged into one of the Guccifer 2.0 accounts — I think the WordPress account — using the same IP address as someone who logged into the early staging sites — either Pastebin or GitHub — for the TSB operation.

If someone using the same IP address accessed both sites — probably using a VPN — it could mean either that the same person was involved, or whoever staged these things was doing little to cover their tracks and outsiders were accessing their infrastructure. One of the people who told me about this forensic tie interpreted it as a deliberate attempt to tie the two operations together, sort of yanking the government’s chain.

I learned of this forensic tie from multiple people, all of whom are credible. That said, I can’t rule out that they learned it from the same person. No one has reported on this in the years since these operations, even though I’ve tried to get better sourced journalists to go chase it down. Indeed, I recently learned that a top outside expert on issues related to TSB did not know this forensic detail.

The FBI had to chase down a lot of weird forensic shit pertaining to these influence operations, because that’s how this kind of operation works. I have noted in the past, for example, that some script kiddies tried to hijack an early Guccifer 2.0 email account; that was investigated by a Philadelphia grand jury in spring of 2017. So this forensic tidbit could be similarly unrelated to the people behind the operation.

So I don’t want to oversell this forensic tie. I do want to encourage others to try to chase it down. 

But it was something that significantly influenced my understanding of all this in 2017, when files released by TSB had just caused the worst damage of any cyber attack in history, to date.

When I mentioned the forensic tie during my FBI interview, the lead agent responded that they couldn’t confirm or deny anything during the interview. I wasn’t there to get confirmation.

Still, if it’s true — given what we’ve learned since about the Guccifer 2.0 operation — it is hugely significant.

TSB started staging its release — per this really helpful SwitHak timeline — on July 25, the same day Trump directed people to get Roger Stone to chase down the next WikiLeaks releases. The first files were encrypted on August 1, after Stone had already pitched Paul Manafort on a way to “save Trump’s ass.” TSB loaded the NSA files on GitHub just after Stone published a piece suggesting that Guccifer 2.0, and not Russia, had hacked the DNC. TSB went live overnight on August 12-13, not long after Guccifer 2.0 publicly tweeted to Stone, “Thanks that u believe in the real #Guccifer2.” WikiLeaks publicized the effort on August 15, after some private back and forth between Guccifer 2.0 and Stone, including Guccifer 2.0’s question, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” And, per the SSCI analysis and my own, WikiLeaks helped to boost TSB the same day Jerome Corsi may have started giving Roger Stone advance information about the content of the John Podesta emails that wouldn’t be dropped for another two months (SSCI appears not to have considered, much less concluded, that Guccifer 2.0 might be Stone’s source).

If the forensic tie between Guccifer 2.0 and TSB is real, it means that during precisely the same period when Roger Stone was desperately trying to optimize the release of the John Podesta files to save his buddies Paul Manafort and Donald Trump, related actor TSB was beginning a year-long effort to burn the NSA to the ground.

(Part of) What I Shared with the FBI

On July 28, 2016, something happened that would eventually lead me to the FBI.

I’m going to explain part of that story now. I’m explaining it for several reasons. I had promised myself I wouldn’t let another election pass without sharing what happened. Even now, I can’t entirely make sense of it — that was part of the point, confusion. But the release of documents in the wake of the Mueller investigation has provided a great number of public details (some of which I laid out in my Rat-Fucker Rashomon series) with which this story might be consistent. I can’t prove that this story explains the unanswered questions about the Roger Stone story (and Bill Barr’s intervention in the Stone sentencing seems to have shut down some parts of any ongoing investigation to do so). But at least I can share details that may provide an explanation.

It started with a several-day dispute about attribution, starting on July 26, 2016, which included discussions about Guccifer and Crowdstrike. A guy I will refer to by the pseudonym Phil and I were texting on Signal debating that attribution. On the 27th, Phil disputed the Crowdstrike report that APT 28, which had done the hack, was GRU, “Russia didn’t write this APT damnit.”

I told him, vaguely, that I knew that entities external to both the DNC and Crowdstrike had evidence confirming the GRU attribution. I had a well-placed source who knew Phil was wrong. He seemed not only sure he could convince me otherwise, but intent on learning what I knew, which I didn’t share.

The next day, July 28, 2016, Phil made up an excuse for wanting me to tell him what his IP address was–it was a bullshit excuse and doesn’t matter for the purpose of this story. “Can you see an ip on your website,” he asked. “Yeah I can get logs.” I said, “Easiest obviously is fr a comment.” (I was wrong about my ability to see the IP address, and he may have known that, because he had been testing how requests to my site worked for months.) “Now,” he said, as he left a comment. 

I forgot about the request until the next day, July 29, when another of the people who can approve first-time comments at the site emailed me with the comment, which had been posted moments after he had told me, “Now.” “I debated about approving that comment by icelanderia in DNC Hack sourcing post,” the person said. “But didn’t because of the email addy attached to it.” To readers of the public site, the comment read, “Just one phrase. Show me the metadata.” It was signed “Icelanderia.” Visible only to those of us with backstage access, however, it was signed [email protected]

Much later, Phil told me he liked leaving comments at my site as a, “Great outlet to talk to my usg pals.” Until late 2017, we kept getting comments at the site which were consistent with disinformation deliberately left in the first Guccifer 2.0 releases, but which might or might not have been him.

But I knew that first one, [email protected], was Phil, purportedly left to find out what IP address his comments would show up as. He never did follow up to ask me whether I could see his IP address. And so I was left trying to figure out why the hell he signed a comment with the name of the persona who was trying to obfuscate what really happened with the DNC hack.

Normally, I don’t think twice about comments left at my site under obviously fake names. Lots of people choose not to use their real email addresses when leaving comments at this site. Unsurprisingly, we’ve had a ton of comments claiming to use NSA email addresses. And from time to time — though, given how chummy and long-established emptywheel’s comments section is and how closely we moderate obvious trolls, not all that often — people try to get funny with their log-in names. 

In this case I did take notice. I did so, partly, because of how he had left it, giving me a heads up that it was him, but doing so in such a way that only I would know it was him (as noted, he never did ask me what IP he had come in under and, as I said, I was never able to determine that). But it also made me rethink stuff that had happened between us going back to fall 2015 and earlier, especially because of what had happened starting on June 14, 2016, the day that the Democrats publicly announced they had been hacked by the Russians, when he tried to get me to change my operational security even as he seemed to be debating about going forward with something, which he referred to in terms of “tapping out.”

On June 14, 2016, the same day the Washington Post reported that the DNC had been hacked by Russia, Phil called me up and asked me to delete notes of conversations we had had going back to December 2015, notes telling a story about his life and motivations for being angry with the government that he had wanted me to tell after he died, which he claimed — starting in December 2015 — was going to be imminent. The next day, he claimed he believed he was being investigated by the FBI for the way he had narced out some people in April, which was his explanation for escalating levels of paranoia. That same day, he asked me to shift our comms to the Silent Circle text service, which would have put the texts beyond the reach of US law enforcement. This was at least the fourth effort he had made to shift to more secure comms than Signal and PGP email with me, including a highly inappropriate suggestion earlier that spring; each time, including this one, I blew off the request, because I didn’t believe these conversations were that sensitive or interesting. 

Starting at 3:12PM on June 21, the weirdness resumed. He asked me to change my PGP key, inventing a bullshit excuse, while explaining he was flipping his own keys. He showed me a traceroute on my site he had done, reflecting my recent addition of Cloudflare to protect the site (he had concocted an earlier traceroute in May 2016 that–I’m certain–was designed to make me paranoid). He advised me that when using a VPN, one should always choose a Swiss or even a Russian server. He told me he worked for a company owned by FSB’s founding fathers. 

Around 8:12PM on June 21, he claimed, “I am getting DDOSed like a motherfucker–is it you or ‘Gucifer’?” 

As far as I knew, he had no website to be DDOSed. As he surely knew, I didn’t have the capability to DDOS anything. It was just word salad invoking the newly unveiled GRU persona, but amid the other weirdness I didn’t make too much of it.

He then called me and repeated much of the story he had told me over the past six months, the story the notes of which he had, just a week earlier, asked me to destroy. In that retelling of the story, he would include several details about Russia (on top of the FSB founding fathers comment). He described a meeting he attended months before, overseas, one that (he claimed) members of Russian intelligence had also attended, where he had been physically beaten up. Before that June 21 conversation, he had told me a version of that overseas meeting story at least 6 times, including telling me about the meeting in real time (in just two of those tellings do I remember him mentioning Russian intelligence, and precisely who in Russian intelligence he said attended was inconsistent). I’m not attesting that his claims about the meeting were true, I’m describing that he kept telling me about the meeting over the course of more than six months.

Another detail in that June 21 conversation was the way he insisted to me, as he had at least once before June 14, almost plaintively, that he hates Russia. Phil told me that two of his most cherished possessions were trophies from interactions with Russia. At the time, I didn’t understand why he felt it was so urgent to convince me he really did hate Russia, but after the fact it seemed to be an effort to excuse himself, like emphasizing that he had been physically beaten.

There was a third story, too, another story about an interaction with Russia more alarming than the others, another one he had told me once prior to June 14. The story involved a moment when Russians held “a gun to [his] head.” I believe the story, as he told it to me, was a well-rehearsed lie, one he had told others. But if the lie served to explain away something else, it would be the kind of thing that might mean his comment might not be a joke, that he might have a role in the Guccifer 2.0 operation. 

In June, this felt somewhat stalkerish. I still had no idea why he was telling me this, aside from the fact he wanted me to tell the story of his grievances with the government, but he was also in a bad place and I was trying to make sense of it. The next day, June 22, between 12 and 5PM ET, we spoke again on and off. When I suggested I might be under surveillance to see how he’d react, he said there were no rules, saying that no one could back out of a deal (I had no idea what deal he was talking about). “360 degress of no rules, tap out is not an option unless (Apparently) you are a politician. But even then…”

The next day, June 23, just after 5PM, he told me he had been contemplating a line from a Cormac McCarthy screenplay: “The world in which you seek to undo the mistakes that you make, is different from the world where the mistakes were made.” He added, within that same hour, “I’m done. I don’t re-decide.” Phil was, obviously, a mess, but he was also done talking about ways out of whatever mess he was in. 

I broke off communication at that point for a period, but a week later, at 6:51PM on June 30, he was back. He told me he had “unfucked his problems.”

As weird as all this was, in those days in June, I was just observing, trying to figure out what had caused the sudden bout of paranoia, and honestly trying to figure out what he wanted out of me. I sure as hell didn’t think, at the time, there was a tie between all that and the DNC hack (remember, he was claiming — probably another lie — that the FBI was investigating him, which I assumed was what all the weirdness was about). 

But when I remembered all this on July 29, it made me reconsider whether there was a tie. As I’ve alluded to publicly in the past, it is why I spent six months on my part to test the Russian attribution for myself, to decide for myself whether the IC and Crowdstrike — along with people in tech companies and individuals who fought this hack personally with whom I’d spoken — were correct, that it had been the Russians, or whether what I took to be Phil’s suggestion that he or people he knew, without the Russians, may have been involved. Absent such an effort, I assume that certain other people who’ve interacted with Phil have, instead, taken the existence of an American body claiming to have been involved as enough to deny Russian involvement. That may be what happened with Roger Stone.

Once I was convinced about the Russian attribution in December 2016 and given a growing certainty I couldn’t test key parts of this story myself, I began to consider sharing it with the government in a way that protected both my identity and Phil’s. 

As I noted in the title, these events were just one part of the reason I went to the FBI in 2017, and not actually the most urgent reason at the time, nor the one I had most confidence in. There’s another part of the election year attack — one few people know is related — that I believed (and still believe) he may have had a role in, too. Those other parts of this story were, in 2017, an escalating, ongoing threat, which is part of why I ultimately chose to meet with two FBI cyber agents and a prosecutor from DOJ’s National Security Division, to stop ongoing damage if I was right. 

Now, four years later, it’s clear the details Phil shared with me in 2016 might be consistent with several details discovered in the Roger Stone investigation. Indeed, starting in August 2018, Mueller’s team appears to have investigated whether Stone had been co-present, in the US, with someone involved in this operation, and they also appear to have confirmed, after the Mueller team shut down, that Stone met with someone face-to-face at the RNC who gave Stone advance warning of the DNC drop. On July 15, 2016, Phil described to me flying east from the West Coast. 

More interesting still is the way that Phil’s activities over a key weekend in August 2016 overlap with Roger Stone’s. I won’t yet lay out how this timeline looks (I’ll return to it). For now, compare the one I did in this post to the timeline I lay out here. 

On August 12, 2016, the night that Guccifer 2.0 released DCCC documents the timing of which Jerome Corsi had predicted, Phil texted me at 11:32PM and told me he was thinking of going to the Trump rally that was scheduled — inexplicably, from a campaign strategy standpoint — in Roger Stone and Paul Manafort’s home state of Connecticut the next day. “Should I stay or should I go…” he said, but he already had a ticket. At 9:46 AM the next morning, he said it again. “Trump rally [in CT] tonight, thinking of swinging by.”

He did go, and made sure I had abundant contemporaneous record of it. At 4:21PM he told me he was close to the protest venue. At 4:33PM he told me he had put together an IMSI catcher for the event to track where the Secret Service had Stingrays.

Amid those texts, I told him that I had freed up the Guccifer comment at my site; I wanted to see how he’d react. “Haha-the mouthpiece,” he responded. “‘they’ are clueless as I’m fond of saying…” he added, which I took not only as confirmation that he did leave the comment, but also to mean that he believed the authorities misunderstood the Guccifer persona. 

It was an hour, though, before the calls started. From 5:57PM to 6:58PM, he kept calling me and sharing video of what he was doing at a protest close to the rally (as well as a screenshot of the IMSI catcher).

At the time, I thought he was hoping to film himself picking a confrontation with the cops that would go viral. I thought it was really stupid and started ignoring his calls. It was actually years before I reviewed all these videos. When I did, I realized that he was not interacting with any of the protestors. He was, instead, just badgering the cops, in really controlled fashion. He was filming the confrontations so as to catch their name badges. And then, each of several times he did this, he would back off and thank the cops for what they were doing. Those interactions would have left a handful of cops, whose names I’d have, who would have remembered him as the obnoxious guy at an event protesting Donald Trump. 

At 9:59PM, he told me the rally itself was done, he was not in jail, and his phone was intact. He showed me a document that he had picked up at the rally.

The next morning, August 14, at 7:22AM, he texted me a picture to let me know he was in NYC. That was the day Jerome Corsi claims he started a file named “Podesta,” that would eventually become posts that integrated documents publicly released in October. 

Again, I didn’t make much of this, as I didn’t make much of earlier events. 

Except that just over a week later, as part of a conversation from 7:56 to 8:28PM on August 21 (and so hours after Stone’s famous “time in the barrel” comment), he emphasized to me that I was the only one whom he had sent videos from the August 13 protest. Then he said there were more. “I have like 20 more vids before and after no one gets,” he told me. Something was interesting enough, both from before and after he attended the protest of the Trump rally, that was not only worth filming, but that was more sensitive than these protest videos.

Even as Stone and the persona Guccifer 2.0 were chatting away on Twitter over the weekend of August 12, a guy who’d just covertly signed his name “Guccifer2” on my site was at the Trump rally, taking videos of … something.

Not immediately, but over time, I’ve wondered what might be on those videos.

On January 1, 2017, in the wake of Trump boasting that, “I also know things that other people don’t know,” about the Russian hack, I did a post wondering if what Trump thought he knew was the same thing that Craig Murray believed — that there was an American involved in this operation. I wrote, “I have a suspicion that Trump’s campaign did meet with such a person (I even have a guess about when it would have happened).” I had the rally in mind. Within 30 minutes after I published the post, after having not spoken to me in weeks (he later told me he had been overseas), Phil called me, but hung up before we spoke. 

Indeed, events that the investigation has since made public — including the confirmation that Roger Stone set about getting Julian Assange a pardon no later than 7 days after Trump won the election — made me revisit additional texts from July 29, ones I hadn’t even paid attention to in real time.

On July 29, 2016 — the same day I was trying to figure out why this guy had just made a big deal of signing a comment guccifer2 — we had another conversation, one I believed at the time was unrelated, a discussion about what motivated Julian Assange. Revenge, I argued: the guy hates Hillary, going back to 2010. “Yes” Phil conceded, “but he has a puppeteer too — IDK who and maybe it’s just $ but.” Again, I was sure this was “sheer retaliation for him.” “You might be right,” Phil responded, “but there’s a political or $ way to get him out — please don’t lose sight of that…” I still didn’t buy it, and asked again why. “B/C if ‘I’ wanted badly enough for him to release that data in a manner that benefitted me, I could get him out and he’s damn sure in prison — where people do desperate things.”

On that day in July 2016, no one in public knew there’d be a second dump. Certainly, no one knew that, on that day and the next, Roger Stone was in conversations with Trump’s campaign manager planning how to optimize the next dump. “Good shit happening,” Stone told Manafort just over an hour before this exchange, before the old friends spent 67 minutes on the phone together on July 30, their longest conversation of the year. No one knew that Stone would turn immediately to getting Assange out of the Embassy at least as early as November 15, probably even before. 

But Phil, who had just made sure I knew he signed a comment Guccifer2, seemed to be sure of it before it all started.