OpSec Confusion on the Oath Keeper Conspiracy

I write a lot about the comms the Oath Keepers used to plan insurrection. There was the post about how they figured out, too late, not to plan an insurrection on Facebook; of the five counts of obstruction on the Oath Keeper indictment released Sunday, two pertain to Facebook. Then there was the post where I cataloged how many social media platforms were described in the last iteration of the indictment against them.

  • Leadership list on Signal they appear to have obtained from either Watkins and/or Kelly Meggs
  • Open channels on Zello, possibly separate ones for each large event
  • Telephony chats and texts, including during January 6
  • MeWe accounts
  • Way too much blabbing on Facebook, followed by a foolish belief they could delete such content
  • Parler for further blabbing
  • Stripe for payment processing (possibly for dues)
  • GoToMeeting for operational planning

The remaining three obstruction charges pertain to this social media activity, one — for Joshua James — specifically describing his attempt to delete and burn the “[S]ignal comms about the op.”

Add hand-written ProtonMail attachments to the toolchest

It turns out I should have included ProtonMail in that list, because both of the addresses to which Laura Steele sent her vetting application to join the Oath Keepers on January 3 were ProtonMail addresses. But the government only laid that out in its unsuccessful bid to keep her detained, in an attempt to use ProtonMail’s encryption to ascribe that operational security to her.

On the evening of January 3, 2021, Defendant Steele emailed a membership application and vetting form to the Oath Keepers of Florida.[4] She copied Defendant Young on the email, and wrote: “My brother, Graydon Young told me to submit my application this route to expedite the process.” Under the section for “CPT Skill Sets (Community Preparedness Team) Experience or Interests,” she checked “Security.” Under “Skillsets,” she wrote: “I have 13 years of experience in Law Enforcement in North Carolina. I served as a K-9 Officer and a SWAT team member. I currently work Private Armed Security for [company name redacted]. I am licensed PPS through the North Carolina Private Protective Services.”

Within 10 minutes, Defendant Steele sent another email, this one directly to Defendant Kelly Meggs’s email account at Proton Mail, again copying Defendant Young. She again attached her application and vetting form, and wrote: “My brother, Graydon Young told me to send the application to you so I can be verified for the Events this coming Tuesday and Wednesday.”

The following day (January 4), Defendant Steele sent the same materials to yet another Oath Keepers email address at Proton Mail. On her email, she copied co-defendants Kelly Meggs and Graydon Young.

[4] The email recipient was actually a Florida Oath Keepers account at “protonmail.com.” Proton Mail is housed overseas (in Switzerland) and offers end-to-end encryption. “Even the company hosting your emails has no way of reading them, so you can rest assured that they can’t be read by third parties either.” Mindaugas Jancis, ProtonMail review: have we found the most secure email provider in 2021?, CyberNews, Mar. 4, 2021, at https://cybernews.com/secure-email-providers/protonmail-review.

But Proton is not going to help if one side of a communication is on Gmail or some other email service on which FBI can serve a subpoena. Which may explain how the government obtained this email from the newly indicted Joseph Hackett in the latest superseding.

41. On December 19, 2020, HACKETT sent an email to YOUNG with a subject line “test.” The body of the email stated: “I believe we only need to do this when important info is at hand like locations, identities, Ops planning.” The email had a photo attached; the photo showed cursive handwriting on a lined notepad that stated: “Secure Comms Test. Good talk tonight guys! Rally Point in Northern Port Charlotte at Grays if transportation is possible. All proton mails.[7] May consider [a rally point] that won’t burn anyone. Comms – work in progress. Messages in cursive to eliminate digital reads. Plans for recruitment and meetings.”

[7] Based on the investigation, “proton mails” appears to refer to the company “ProtonMail,” which offers encrypted email services.

I’ve not seen anything that suggests the government has obtained Proton Mails from the Oath Keepers conducted entirely on the platform; that may have to wait until someone involved decides to cooperate. But I’m not sure how writing the most sensitive messages on what sounds like dead tree paper before sending them adds to the security.

DOJ’s selective understanding of encryption

One of the more aggravating pieces of confusion in the new indictment, however, comes not from the alleged conspirators but from the government.

The last item in a list of Manner and Means employed in the conspiracy is the use of “secure and encrypted communications.”

Using secure and encrypted communications applications like Signal[3] and Zello[4] to develop plans and later communicate during the January 6 operation.

The first overt act describes Stewart Rhodes laying out what I am calling the “Antifa foil” on a GoToMeeting meeting.

At a GoToMeeting[5] held on November 9, 2020, PERSON ONE told those attending the meeting, “We’re going to defend the president, the duly elected president, and we call on him to do what needs to be done to save our country. Because if you don’t guys, you’re going to be in a bloody, bloody civil war, and a bloody – you can call it an insurrection or you can call it a war or fight.”

As a result, the following footnotes appear on the bottom of the same page.

[3] Signal is an encrypted messaging service.

[4] Zello is an application that emulates push-to-talk walkie-talkies over cellular telephone networks. Zello can be used on electronic communication devices, like cellular telephones and two-way radios.

[5] GoToMeeting is an online meeting site that allows users to host conference calls and video conferences via the Internet in real time.

Start with Zello: It can be secure. But it wasn’t, as used by the Oath Keepers, the day of the insurrection, because it was an open channel. Indeed, the reason we know about it is because journalist Micah Loewinger was following along in real time. Plus, anything saved onto a phone will be accessible once the phone is compromised, just like Signal will. (From the discovery letters shared with the Oath Keepers — the most recent of which is over a month old — the government appears to have initially relied on WNYC’s published versions of the Zello chats. But this superseding indictment includes time stamps from Watkins’ Zello exchanges, which suggests they’ve obtained a more reliable copy since then.)

Signal, DOJ says, is encrypted. I have no problem with that. But they started compromising the Signal chats as soon as they exploited Jessica Watkins’ phone. And the latest indictment seems to rely on the exploitation from another of the more involved participants — it’s where the new details on the Quick Reaction Force come from (here’s my rough capture of the communications we’ve seen referenced to date).

What I find annoying is that, after treating Signal and Zello as super spooky applications, DOJ then treats GoToMeeting like a normal tool, just “an online meeting site that allows users to host conference calls and video conferences via the Internet in real time.”

But it is also end-to-end encrypted and has a number of other security features that are necessary for its use by mainstream businesses and health care providers. That said, it is centralized and probably responds eagerly to legal process, which is the distinction DOJ really intends by this. That is, it’s not encryption that makes the use of these apps a useful marker of a conspiracy, it’s decentralized security, security that the Oath Keepers didn’t use with Zello the day of the insurrection. Plus, for a conspiracy indictment, as opposed to other criminal charges, the use of G2M suggests a bureaucratization that should be more useful to prove the case.

In any case, with this fourth indictment, DOJ added content from G2M that was probably meant to be secure: Stewart Rhodes’ “Antifa foil” comments. An initial production of G2M had been provided to defendants by April 9, with a second attempt on April 23. So it may be that it has taken some time to reconstruct whatever full production they might receive from the various Oath Keeper accounts.

The money is the metadata

That said, it is amusing seeing the conspirators try to add a layer of security to the already secure ProtonMail while they’re laying a trail of travel plans that knots them all up into a network. Here are just some of the fleshed out details from the indictment:

79. On January 4, 2021, HARRELSON and DOLAN departed Florida together in a vehicle rented by DOLAN and traveled to the Washington, D.C., metropolitan area.

[snip]

82. On January 4, 2021, PERSON TEN checked into the Hilton Garden Inn in Vienna, Virginia. The room was reserved and paid for using a credit card in PERSON ONE’s name.

[snip]

85. On January 5, 2021, PERSON ONE and MINUTA separately traveled to the Washington, D.C., metropolitan area and checked into the Hilton Garden Inn in Vienna, Virginia.

[snip]

90. KELLY MEGGS paid for two rooms, each for two people, at the Comfort Inn Ballston from January 5-6, 2021. The rooms were reserved under the name of PERSON THREE.

91. KELLY MEGGS also booked two rooms at the Hilton Garden Inn in Washington, D.C., from January 5-7, 2021. KELLY MEGGS paid for both of the rooms, using two different credit cards.

[snip]

93. HACKETT paid for a room at the Hilton Garden Inn in Washington, D.C., from January 5-7, 2021. The room was booked in the name of PERSON SIXTEEN.

[snip]

95. MINUTA, using his personal email address and his personal home address, reserved three rooms at the Mayflower Hotel in Washington, D.C., under the names of MINUTA, JAMES, and PERSON TWENTY. A debit card associated with PERSON FIFTEEN was used to pay for the room reserved under MINUTA’s name. A credit card associated with JAMES was used to pay for the room reserved under JAMES’s name.

Kelly Meggs, by paying for what appears to be the QRF room and another for Person 3 to tend the weapons, would tie the Floridians staying in the DC Hilton Garden with a group coming from at least three states at the Ballston Comfort Inn (and that’s before you consider the surveillance footage that shows others dropping off weapons). Minuta, by reserving three rooms at the Mayflower, would tie Joshua James, Person Twenty, and Person Fifteen to the group, including Minuta, staying at the Vienna Hilton Garden, which includes Rhodes and Person Ten. And there’s at least one known payment — from some unidentified person to James’ wife — that doesn’t show up here.

Post 9/11, it’s hard to hide hotel travel, especially retroactively, after engaging in a terrorist attack, but it doesn’t help that the Oath Keepers didn’t compartment their network at all. So all the encrypted messaging and meeting apps in the world could not hide that this was a network that spanned (thus far, but I’m holding out hope they’ll roll out the first Mississippi defendants any day!) at least seven states.

Update: I’ve taken out a reference to the Ohioans walking Isaacs back to a hotel in DC. They did separate early but it was not to take him back. Thanks to Benny Bryant for the correction.

The State of the Five Now-Intersecting January 6 Militia Conspiracies

Paragraph 64 of a new conspiracy indictment including Proud Boys Ethan Nordean, Joe Biggs, and the newly arrested Proud Boys Zachary Rehl and Charles Donohoe includes a seemingly gratuitous reference to the Oath Keepers. The paragraph describes how Biggs, after having entered the Capitol once already from the northwest side, then moved to the opposite side of the building and forced his way in on the east side. He did so right in front of a group of Oath Keepers.

Thirty minutes after first entering the Capitol on the west side, BIGGS and two other members of the Proud boys, among others, forcibly re-entered the Capitol through the Columbus Doors on the east side of the Capitol, pushing past at least one law enforcement officer and entering the Capitol directly in front of a group of individuals affiliated with the Oath Keepers.

This would have been around 2:44 PM. The Oath Keeper “stack” went in the east side of the Capitol at around 2:40.

That reference, along with the common use of the Zello application, brings two parallel conspiracies laid out over a month ago closer together, arguably intersecting. As of right now, DOJ has charged 25 people in five different conspiracy indictments, four of which share precisely the same goal: to stop, delay, and hinder Congress’s certification of the Electoral College vote, with many similar means and methods. Three conspiracy indictments also share roughly the same goal of obstructing law enforcement. Those indictments are:

Here’s what a simplified version of the five different conspiracies looks like:

This is not the end of it: there are three Oath Keepers not included in that conspiracy, and a random bunch of Proud Boys who might eventually be included, as well as anyone else who coordinated this effort [wink]. But these conspiracy indictments will remain separate only for prosecutorial ease. They are, for all intents and purposes, now-intersecting conspiracies.

Update: Last night, NYT’s visual team released new videos showing that the Oath Keepers Stack was involved in forcing entry into the East entrance of the Capitol. These videos depict what happened moments after Biggs reentered the Capitol, as described above.

Update: To see how the other pieces of any coordinated action fit, I will list the other Oath Keepers and Proud Boys that have played a part in this operation.

Oath Keepers

Stewart Rhodes: The Oath Keeper President. He is not charged, but implicated in the existing Oath Keepers indictment and the Minuta complaint.

Roberto Minuta: Minuta was arrested on March 8. An SDNY Magistrate judge released him on bail (he almost put up silver bars for his security, but ended up coming up with the money itself), ignoring the government request he stay the order. Minuta’s arrest affidavit–which was written 12 days before James’ but executed roughly the same day–focuses primarily on Minuta’s harassment of cops. It doesn’t mention, as James’ affidavit does, Minuta’s role in providing security, including for Roger Stone. Minuta also deleted his Facebook account on January 13, for which he was charged with obstruction.

Joshua James: James was arrested on March 9 and held without bail (in part because of a past arrest associated with claiming to be a military police officer in 2011). His arrest affidavit makes it clear he was a close contact with Minuta as well as Kelly Meggs. The affidavit repeatedly describes James offering security to VIPs we know to include Roger Stone. According to public reporting, James received payment for his “security” services on January 6, which Stone was publicly fundraising for in advance (then denied spending).

Jon Ryan Schaffer: The front man for the heavy metal band Iced Earth and an Oath Keeper lifetime member, Schaffer was arrested for spraying some police with bear spray. But two months after his arrest and detention, he has not been (publicly) indicted and only arrived in DC on March 17. The government has not publicly responded to his motion to dismiss his case on Speedy Trial grounds. All of which suggests there’s something more there that we can’t see.

Person Four: The James affidavit refers to Minuta as “Person Five.” It uses that number, it says, because “Persons Two [Caldwell’s spouse], Three [the NC-based Oath Keeper who might serve as a Quick Reaction Force], and Four are not included in this affidavit, but are already-numbered individuals associated with United States v. Thomas Caldwell, et al, Case No. 21-cr-28 (APM). To maintain consistent nomenclature, the referenced individual here will be defined as ‘Person Five.'” I haven’t been able to find the reference to Person Four (though it might be Watkins’ partner, references to whom are inconsistent).

Three more Stack participants and four others who operated with Minuta and James on January 6: This image, from James’ complaint, identifies three other Stack members (the second, third, and last yellow arrow) and four others who interacted with James and Minuta during the day on January 6.

Proud Boys

Enrique Tarrio: Tarrio is the head of the Proud Boys, but got arrested as he entered DC on January 4 on charges relating to vandalizing a Black church in December, onto which possession charges were added. He is referred to in all the Proud Boy conspiracies, repeatedly in the Leader one (because they scrambled to figure out what to do after his arrest). While it’s unlikely he was on the Telegram channels used to organize the insurrection, he was in touch with members via other, thus far unidentified channels.

Joshua Pruitt: Pruitt was arrested for a curfew violation on the night of the insurrection. He told the FBI he hadn’t engaged in any unlawful activity and was just trying to deescalate the situation. But he was indicted on his own weeks later for obstructing the vote count and interfering with cops, and abetting the destruction of property, along with trespassing. The Nordean conspiracy indictment notes that he went in the West entrance shortly after Dominic Pezzola breached it (suggesting the government may now know he was part of a cell with Pezzola). Pruitt is being prosecuted by the same prosecutor as on most Proud Boy cases, Christopher Berridge, and before the same judge, Timothy Kelly.

Gabriel Garcia: Garcia, a former Army Captain, appears to have originally been identified by the Facebook order showing who livestreamed from the Capitol. It’s possible his livestreams were intended to serve as live reporting for those coordinating outside (he catches the names of cops, the size of the crowd, and instructs, “keep ’em coming”). He incites a big push through a line of cops. Later, he calls for “Nancy” to “come out and play” and calls to “Free Enrique” [Tarrio]. He was charged by complaint on January 16 and by indictment on February 16 with obstruction and resisting cops during civil disorder. The Nordean conspiracy indictment notes he went in the West entrance shortly after Pezzola breached it.

Christopher Worrell: The government originally charged Worrell, a committed Proud Boy who traveled to DC in vans of Proud Boys paid for by someone else and wore comms equipment, with trespass crimes on March 10. Among his criminal background, he pretended to be a cop to intimidate a woman. He lied in his first interview with the FBI, hiding that he sprayed pepper spray on some police who were the last line of defense on the West side of the Capitol. According to a witness who knows him, he also directed other likely Proud Boys. After first being released, he was subsequently detained and is awaiting indictment on what the government suggests are likely to be assault charges.

Robert Gieswein: Ethan Nordean spoke to Gieswein shortly before he and Pezzola launched the attack on the Capitol, suggesting that Gieswein, who had known ties to the 3% movement, was coordinating with the Proud Boys that day. Over the course of breaking into the Capitol, he allegedly assaulted 3 cops with a bat or pepper spray, and broke a window to break in. He was first charged on January 16, indicted on January 27. His docket shows none of the normal proceedings, such as a protective order, but his magistrate’s docket shows two sealed documents placed there in recent weeks.

Ryan Samsel: There’s no indication I know of that ties Samsel to the Proud Boys. But he marched with them and initiated the assault on the West side of the Capitol with Dominic Pezzola and William Pepe. He was charged with assault and obstruction on January 29 and arrested on February 3. In his case, he allegedly did so by assaulting a cop at the first line of barriers, knocking her out. He and the government are in talks for a guilty plea.

Ryan Bennett: Bennett was IDed off his own Facebook livestreaming, while wearing a Proud Boys hat, of the event, including his direct witness to the shooting of Ashli Bennett, with his voice yelling “Break it down!” in the background. He was arrested on January 26 and charged in a still-sealed March 17 indictment over which James Boasberg will preside.

Bryan Betancur: Betancur was busted by his Maryland Probation Officer, to whom he had lied about distributing Bibles to get permission to go to DC. He wore a Proud Boys shirt to the insurrection and is a known white supremacist who espouses violence. He was charged with misdemeanor trespass charges. His defense attorney is already discussing a guilty plea.

Daniel Goodwyn: Goodwyn’s online identity is closely associated with the Proud Boys. He was identified via an interview he did with Baked Alaska during the insurrection and texts sent to an associate; he was arrested on January 29. He was originally charged with trespass, with obstruction added in his indictment on February 24. Charles Berridge was originally the prosecutor on this case but has been replaced on it.

Christopher Kelly: Kelly revealed on Facebook before he headed to DC that he would be going with, “ex NYPD and some proud boys.” While inside, he bragged that they had “stopped the hearing, they are all headed to the basement.” He was originally charged with trespass and obstruction on January 20; he has yet to be (publicly) indicted. He has the same defense attorney, Edward McMahon, as Nicholas Ochs.

Around 40 other people who used the Proud Boys “Boots on the Ground” Telegram channel: As I noted here, the government must have at least monikers — and likely email and/or device identifiers — for around 40 people who used the organizing channel set up less than a day before the operation. It will be interesting to see if they attempt to track all of them down.

Rolling Updates:

Marc Bru, a Proud Boy with ties to Nordean, was charged on March 9.

Paul Rae, a Proud Boy from Florida who trailed Biggs both times he entered the Capitol.

Arthur Jackman: a Proud Boy from Florida who trailed Biggs both times he entered the Capitol, including into the Senate.

 

An Inventory of the January 6 Investigation on Merrick Garland’s First Day

Overnight on the day that Merrick Garland got his first briefing on the January 6 investigation, DOJ asked for a 60-day extension of time in the Oath Keepers’ conspiracy case. As part of the motion, they cite what has been done on the investigation so far. That inventory includes:

  • Over 900 search warrants, executed in almost all fifty states and the District of Columbia
  • More than 15,000 hours of surveillance and body-worn camera footage from multiple law enforcement agencies
  • Approximately 1,600 electronic devices
  • The results of hundreds of searches of electronic communication providers
  • Over 210,000 tips, of which a substantial portion include video, photo and social media
  • Over 80,000 reports and 93,000 attachments related to law enforcement interviews of suspects and witnesses and other investigative steps
  • Involvement of 14 law enforcement agencies, including:
    • U.S. Capitol Police
    • DC Metropolitan Police Department
    • FBI
    • DHS
    • Bureau of Alcohol, Tobacco, Firearms and Explosives
    • US Secret Service
    • US Park Police
    • Virginia State Police
    • Arlington County Police Department
    • Prince William County Police Department
    • Maryland State Police
    • Montgomery County Police Department
    • Prince George’s County Police Department

As the filing lays out, the government and the DC Public Defender’s office are trying to set up a system making available the general set of evidence to all defendants, while providing more specific evidence directly to the defendant. Some of that has started in this case.

The government has already provided defense counsel with preliminary discovery, including: arrest paperwork; recordings of custodial interviews, where available; paperwork and photographs relating to premises search warrants; data extracted from several of the defendants’ cellular telephones and social media accounts; some defendants’ hotel records; and some photographs and video recordings, from publicly available sources, of the defendants participating in the alleged offenses.

But most of the defendants in this case have already opposed a continuance, including Donovan Crowl, Kelly and Connie Meggs, Graydon Young, and Thomas Caldwell.

Not only must they be aware that others will get added to the conspiracy, broadening the scope of their potential criminal exposure under the conspiracy, but the government also clearly envisions the potential of more charges (possibly including seditious conspiracy).

Some of the conspiratorial activity being investigated, such as the activity under investigation in this matter, involves a large number of participants. The spectrum of crimes charged and under investigation in connection with the Capitol Attack includes (but is not limited to) trespass, engaging in disruptive or violent conduct in the Capitol or on Capitol grounds, destruction of government property, theft of government property, assaults on federal and local police officers, firearms offenses, civil disorder, obstruction of an official proceeding, possession and use of destructive devices, and conspiracy. [my emphasis]

Given Amit Mehta’s inclinations in any case, he might grant the continuance but put several of the defendants on home detention. We’ll know more about his inclinations at a hearing at 3.

Oath Keepers Learn the Hard Way: Don’t Plan an Insurrection on Facebook

“For every Oath Keeper you see, there are at least two you don’t see.” – email from Oath Keeper head Stewart Rhodes forwarded from Oath Keeper Graydon Young to his sister, Laura Steele, on January 4, 2021

I want to look at filings from the Oath Keepers investigation to show how FBI is juggling to move quickly enough to prevent obvious subjects from obstructing the investigation without tipping off others to the substance of the investigation. The filings confirm that the FBI will get sealed arrest warrants against subjects who are obviously obstructing the investigation, but may not use them right away, so as to obtain more evidence against them and their immediate co-conspirators. The filings also show how hard it is to delete evidence in an age of social media while conspiring with dozens of other co-conspirators.

The investigation from Watkins to Caldwell to the Parkers, Youngs, and Biggs

There’s a story about the Oath Keepers investigation that arises from the nature of the first publicly charged defendants. According to that story, the founder of an Ohio militia affiliated with the Oath Keepers, Jessica Watkins, boasted on Parler about “forcing entry into the Capitol” on the day of the attack. The Oath Keeper Stack showed up in videos posted within a day of the attack. Then, on January 13, the Ohio Capital Journal posted an interview with Watkins where she described it as “the most beautiful thing” until she started hearing glass smashing — which she blamed on an Antifa false flag attack (a subsequent filing suggests Watkins wanted the Oath Keepers to get good press from the attack, threatening to sue some male journalist if he portrayed the Oath Keepers negatively).

That’s the evidence the FBI showed to obtain an arrest warrant on Watkins on January 16.

Meanwhile, as the investigation was closing in on Watkins, her recruit Donovan Crowl did an interview with the New Yorker for a story loaded with more images of coordinated movement from the Oath Keepers. Crowl offered similarly contradictory excuses for his action as Watkins.

On January 17, the FBI tried to conduct an interview with Watkins, only to be told by her partner, Montana Siniff, that she left Ohio on January 14 to stay with her friend and fellow Oath Keeper, “Commander Tom.”

At some point, the FBI obtained information from Facebook — they don’t explain when or on whom it was served, which I’ll return to. The return showed that Caldwell coordinated hotel reservations at the Comfort Inn/Ballston, not just with Watkins, but also others from North Carolina, as well as speaking with Crowl. This content may not have been obtained via Caldwell yet, because Caldwell’s private messages don’t show up in filings until January 19 (alternately they may have delayed that reveal until Caldwell was arrested).

But the FBI used that public Facebook information to obtain a warrant for Crowl on January 17. Watkins and Crowl turned themselves in to Urbana, OH police that day, where the FBI took them into custody.

On January 13, the Guardian did a story on Watkins’ use of Zello.

“We are in the main dome right now,” said a female militia member, speaking on Zello, her voice competing with the cacophony of a clash with Capitol police. “We are rocking it. They’re throwing grenades, they’re frickin’ shooting people with paintballs, but we’re in here.”

“God bless and godspeed. Keep going,” said a male voice from a quiet environment.

“Jess, do your shit,” said another. “This is what we fucking lived up for. Everything we fucking trained for.”

The frenzied exchange took place at 2.44pm in a public Zello channel called “STOP THE STEAL J6”, where Trump supporters at home and in Washington DC discussed the riot as it unfolded. Dynamic group conversations like this exemplify why Zello, a smartphone and PC app, has become popular among militias, which have long fetishized military-like communication on analog radio.

On January 19, the government obtained an amended conspiracy complaint against Watkins, Crowl, and Caldwell. It included the following new information:

  • Quotations from the Zello messaging
  • Facebook messaging from Caldwell pictured standing outside the riot calling everyone in Congress a traitor
  • Facebook messages showing planning between Watkins, Crowl, and Caldwell between December 24 and January 8
  • Instructions for making plastic explosives found at Watkins’ house

Of particular interest, the complaint included the first hint that the Oath Keepers had intelligence — shared using Facebook — about the movements of Members of Congress.

On January 6, 2021, while at the Capitol, CALDWELL received the following Facebook message: “All members are in the tunnels under capital seal them in . Turn on gas”. When CALDWELL posted a Facebook message that read, “Inside,” he received the following messages, among others: “Tom take that bitch over”; “Tom all legislators are down in the Tunnels 3floors down”; “Do like we had to do when I was in the core start tearing oit florrs go from top to bottom”; and “Go through back house chamber doors facing N left down hallway down steps.”

Having arrested the two Oath Keepers blabbing to the press and the guy they hid out with, there’s not much more overt sign of the investigation until February 11, when the government submitted filings supporting pre-trial detention for both Watkins and Caldwell.

Arrest affidavits submitted on February 11 and February 12 (but sealed until after February 16) also refer to Watkins’ cell phone returns, including address book information describing Bennie Parker as a recruit, texts between Watkins and Parker coordinating plans for the insurrection and reassuring him the FBI would not prosecute them after the insurrection, and a picture of his wife Sandi Parker. Watkins’ cell phone returns also show a contact for Kelly Meggs in Florida, which she associated in her address book with the Oath Keepers.

Those initially sealed arrest affidavits also rely on surveillance footage and financial records from the Comfort Inn where all the Ohioans stayed. It shows the Ohioans together in the lobby. It reveals that Kelly Meggs paid for a room that night registered under another suspected Oath Keeper’s name (according to credit card records showing a $302 charge, Meggs apparently stayed at the Hilton Garden Inn the night of January 7). [Update: The indictment clarifies that Meggs paid for two rooms at the Comfort Inn and booked two at the Hilton, of which he paid for one. h/t bb]

The initial affidavit against Kelly and Connie Meggs and Graydon Young and Laura Steele also includes a picture taken — by some unidentified person — from the van from North Carolina.

The same affidavit includes testimony from a witness who interacted with the Oath Keepers on January 6 and was on a text message chain including Young and Steele, who was introduced to them as Gray and Laura and learned they had taken the Metro into DC. It relies on surveillance video from the Metro. It includes returns from Steele and Young’s Google accounts, including Steele’s application to join the Oath Keepers.

It includes location data showing Graydon Young’s phone traveling from Englewood, FL to Thomasville, NC to Springfield, VA, to DC, then back to Thomasville and ultimately, on January 8, back to Englewood. It includes his round trip flight records from Tampa to Greensboro, consistent with the movement of his phone. The affidavit also uses location data to place Steele and the Meggses in a “geographic area that includes the interior of the United States Capitol building.”

It includes subscriber records for Steele, Young, and Kelly Meggs’ MeWe accounts, as well as subscriber records for Facebook accounts for everyone. Of particular note, the affidavit used to arrest Young and the others shows advanced legal process for Young, but mostly subscriber information for the others. They also use Young’s Google data to establish probable cause against the Meggs but do not, yet, use it against Young.

It’s likely in the five days between the affidavit and the arrest, more warrants were served for materials on the others.

There wasn’t much added in a February 25 memo supporting Watkins’ pretrial detention — except that aforementioned Watkins text with Stewart Rhodes complaining about media reports making the Oath Keepers look bad (which, because of the timing of the coverage, likely happened almost a week after the insurrection, or later).

If he has anything negative to say about us OATHKEEPERS, I’ll let you know so we can sue harder. Class action style. Oathkeepers are the shit. They rescued cops, WE saved lives and did all the right things. At the end of the day, this guy better not try us. A lawsuit could even put cash in OK coffers. He doesn’t know who he is playing with. I won’t tolerate a defamation of character, mine or the Patriots we served with in DC. Hooah?!

But in a hearing held February 26, prosecutors told Judge Amit Mehta something in an ex parte hearing to support their argument that there really was a Quick Reaction Force outside of DC on the day of the insurrection, ready to bring weapons in to the Oath Keepers already in DC, which is one of the reasons he denied Watkins’ motion for release.

The earlier investigation into Graydon Young

It took a while for DOJ to unseal all the filings from the other co-conspirators, particularly the long affidavit for the four southerners. But a docket unsealed last week tells another side of that story. On January 15, a tipster identified Graydon Young, one of the Floridians added to the Caldwell and Watkins conspiracy. Based off that tip, the FBI prepared and got authorization for an arrest warrant by January 18. But they didn’t use it, perhaps because FBI was chasing down two false positives based off pictures of Young, as described in the later affidavit (the first of which may have been based off facial recognition).

First, on or around January 14, 2021, after receiving an internet tip and viewing similar photographs and video of Young from the civil unrest on January 6, 2021, an FBI agent drafted an arrest warrant for an individual (Subject-1) other than Young, based on a review of Subject-1’s driver’s license photo and the fact that Subject-1 was affiliated with the Oath Keepers. An FBI agent in Kansas City, Missouri, who was familiar with Subject-1, then determined that Subject-1 was not the individual depicted in the photos at the U.S. Capitol on January 6, 2021. The government did not pursue charges against Subject-1. Second, on or around January 15, 2021, a concerned citizen provided the FBI with a tip that the photograph of Young in the Rotunda was a photograph of Subject-2, who was a co-worker of the concerned citizen in Illinois. On January 18, 2021, SA Wren spoke with the concerned citizen, who stated that Subject-2 had quit the job and moved to Colorado, and “seemed like the type” who would have gone to the Capitol. SA Wren reviewed Subject-2’s driver’s license photo and determined that Subject-2 is not the person depicted in the photographs of Young at the U.S. Capitol.

In other words, FBI was prepared to arrest Young by January 18, within a day of the initial Watkins arrest. But they did not. They kept that arrest warrant sealed while they obtained his location records, travel records (including evidence he drove home from North Carolina rather than flying, and had his sister’s car towed back to North Carolina afterwards), and subscriber information for other social media.

At some point (as noted), FBI obtained Young’s Google account. But on February 11, they used that “solely as evidence against Kelly Meggs. At this time, the government is not seeking to use this email against Young,” suggesting they still needed legal process to use it against him.

Don’t launch an insurrection with a still-active Facebook account

Given that the FBI was ready to arrest Graydon Young on January 18, it’s worth looking more closely at the Facebook evidence in this conspiracy.

The FBI learned on January 15 that Young was probably at the insurrection, had been tagged in planning for the event on January 4, and had attempted to delete his Facebook account on January 7 (it went into effect the next day). Young didn’t delete his related Instagram account until January 13.

At some point, the FBI also learned that Caldwell attempted to unsend messages on January 8, the same day Young shut down his Facebook account.

Nevertheless, Facebook still had Young’s data, including a post from January 6 boasting, “We stormed and got inside.”

The government also obtained highly damning Facebook content from much earlier, including a message he posted to a group, the “War of Northern Aggression,” on November 7. In it, he clearly acknowledges Joe Biden’s victory.

Will this group consider migration to MeWe and Parler? I think censorship is going to get worse with Biden win.

On November 9, he asked again to move from Facebook to MeWe and Parler.

On November 30, he pushed MeWe and Parler again.

I already have MeWe and Parler … waiting for this drama to end before I delete my FB account.

Hey Graydon?!?! The drama for you is just beginning.

Meanwhile, Caldwell didn’t succeed in deleting all his evidence either. As early as January 17, in Crowl’s affidavit, they had a message (it’s unclear whether it’s public or private):

Here is the direct number for Comfort Inn Ballston/Arlington 1-571-397-3955 I strongly recommend you guys get one or two rooms for a night or two. Arrive 5th, depart 7th will work. She says there are five of you including a husband and wife new recruits. This time of year especially you will need to be indoors to set up, etc. Really, press this home, just get somebody to put it on a credit card. Even if you tell the hotel its double occupancy, you can STILL get a couple of people on the floor with bedrolls and the hotel won’t know shit. Paul said he might be able to take one or two in his room as well. I spoke to the hotel last night (actually 2 a.m. this morning) and they still had rooms. This is a good location and would allow us to hunt at night if we wanted to. I don’t know if Stewie has even gotten out his call to arms but it’s a little friggin late. This is one we are doing on our own. We will link up with the north carolina [sic] crew.

The later affidavits include Caldwell Facebook messages sent in November predicting violence.

I am very worried about the future of our country. Once lawyers get involved all of us normal people get screwed. I believe we will have to get violent to stop this, especially the antifa maggots who are sure to come out en masse even if we get the Prez for 4 more years.

On January 6, Caldwell continued to use Facebook, receiving a message informing him,

All members are in the tunnels under capital seal them in. Turn on gas.

And,

Tom all legislators are down in the Tunnels 3floors down

Between Young and Caldwell, Facebook evidence shows that this operation clearly targeted legislators even after they knew Joe Biden had been elected. It turns out that neither of them successfully deleted this Facebook content before the drama really got started.

The delayed reveal

As noted, it took some time for the affidavit for the southern Oath Keepers to be unsealed. In the interim period, the FBI would have been able to investigate the Oath Keeper whose name was on the hotel room Young paid for, and all the other people on the bus on which Young and his sister were pictured. The FBI surely has reviewed any role the War of Northern Aggression Facebook group had in the insurrection. The accounts for which the FBI just had subscriber information on February 11 are probably now being fully exploited (including the MeWe accounts on which they may have been more open about their plotting).

There are still members of The Stack at large, the others on the bus, the group from Mississippi, those who provided “security” for Trump’s closest associates. We don’t know where the next Oath Keepers to be arrested are. We do know where the FBI was, 17 days ago.

Timeline of Oath Keeper conspiracy

January 4: Young travels from Englewood, FL to Thomasville, NC. Young tagged in planning messaging for the attack.

January 5: Young travels from Thomasville to Springfield, VA, then heads to DC for the evening.

January 6: Young travels into DC, then back to Thomasville that night. Watkins posts to Parler and Caldwell posts to Facebook. Young posts, “we stormed and got inside” on Facebook.

January 7: Young deleted Facebook content going back to March 2019 (per Facebook record it goes into effect on January 8).

January 8: Caldwell unsends Facebook messages containing evidence. Young returns to Englewood. Young writes an email saying that his “team leader” during the insurrection was “OK Gator 1” with Kelly Meggs’ phone number.

January 9: Watkins texts Bennie Parker telling him not to worry about the FBI investigating them.

January 11: Young has a vehicle registered to Steele’s address towed from a location near his home to Steele’s home in NC. Young deletes his Instagram account.

January 13: Watkins interview in Ohio Capital Journal. Guardian story on Watkins’ use of Zello. Young closes Instagram account.

January 14: Donovan Crowl story in New Yorker. Watkins and Crowl travel to Caldwell’s property in VA; he gives them OpSec tips for the drive. Bennie Parker texts Watkins asking if she put Sandi “out there” in the Capitol. FBI chases a false positive for Young on an Oath Keeper who lives in Kansas City, MO.

January 15: A tipster who has known Young for 35 years identifies Young in an image published by NBC and informs the FBI that on January 4, other people had tagged Young in a discussion about traveling to DC. The tipster further reveals that on January 7, Young deleted his Facebook content going back to March 2019, then deleted the whole thing. FBI chases a false positive for Young to someone in CO.

January 16: Arrest warrant for Watkins.

January 17: Search of Watkins’ house discovers gear and other military items. Interview of her partner reveals she has left to stay with a friend, Commander Tom, and provides a phone registered to him at his VA property as the way to reach Watkins. Arrest warrant for Crowl. Search of a location where Crowl stays finds his tactical vest. Arrest warrant for Caldwell. Both Watkins and Crowl turn themselves in to the Urbana Police, where the FBI takes them into custody.

January 18: First arrest warrant for Graydon Young.

January 19: Caldwell, Crowl arrested by FBI, and Watkins arrested. Amended criminal complaint makes conspiracy charges against Watkins, Crowl, and Caldwell more formal. Search of Caldwell’s property finds Death List targeting election official from a different, a Gadsden flag signed by Crowl and Watkins, and a sales invoice for a weapon designed to look like a phone.

January 21: Stewart Rhodes declares Biden’s “not a constitutional government.” Kelly Meggs closes his Facebook account.

January 27: Indictment for Watkins, Crowl, and Caldwell.

January 29: NYT does video analysis showing the movements of the Oath Keepers from the Ellipse to the Capitol.

February 11: Counterterrorism prosecutors Justin Sher and Alexandra Hughes join team. Motions for pre-trial detention for both Watkins and Caldwell. Sealed complaint filed against Kelly and Connie Meggs, Graydon Young, and Laura Steele.

February 12: Government moves for protective order against the original conspirators; Caldwell objects. Sealed complaint filed against Bennie and Sandi Parker.

February 16: Graydon Young arrested.

February 17: The Meggs and Laura Steele arrested.

February 18: The Parkers arrested.

February 23: Thomas Caldwell appeals detention.

February 26: Amit Mehta grants government motion to detain Jessica Watkins.

Update: I clarified that the email quoted at the top is from Stewart Rhodes, not Graydon Young.

The New Recruits on the Front Line on January 6

In addition to adding six more people to the Oath Keeper conspiracy indictment originally charged against Jessica Watkins, DOJ added some new overt acts. Among others, it added training.

Training and recruitment were always part of Watkins’ alleged actions:

On November 9, 2020, WATKINS, the self-described “C.O. [Commanding Officer] of the Ohio State Regular Militia,” sent text messages to a number of individuals who had expressed interest in joining the Ohio State Regular Militia. In these messages, WATKINS mentioned, among other things, that the militia had a week-long “Basic Training class coming up in the beginning of January,” and WATKINS told one recruit, “I need you fighting fit by innaugeration.” WATKINS told another individual, “It’s a military style basic, here in Ohio, with a Marine Drill Sergeant running it. An hour north of Columbus Ohio[.]”

On November 9, 2020, WATKINS asked a recruit if he could “download an App called Zello” and stated, “We all use Zello though for operations.”

On November 17, 2020, when a recruit asked WATKINS for her predictions for 2021, WATKINS replied, among other statements:

I can’t predict. I don’t underestimate the resolve of the Deep State. Biden may still yet be our President. If he is, our way of life as we know it is over. Our Republic would be over. Then it is our duty as Americans to fight, kill and die for our rights.

and:

[I]f Biden get the steal, none of us have a chance in my mind. We already have our neck in the noose. They just haven’t kicked the chair yet.

The original indictment also described Donovan Crowl attending a training session in December.

On December 12-13, 2020, CROWL attended a training camp in North Carolina.

The superseding indictment adds to these details. It includes descriptions of how 54-year old Graydon Young and his 52-year old sister Laura Steele joined the Oath Keepers.

31. On December 3, 2020, YOUNG emailed the Florida chapter of the Oath Keepers with a membership application and wrote, “looking to get involved in helping. . ..”

33. On December 19, 2020, YOUNG wrote to a Facebook group: “Please check out Oath Keepers as a means to get more involved. Recruiting is under way. DM me if you want more info.”

38. On December 26, 2020, YOUNG wrote an email to a Florida company that conducts training on firearms and combat. YOUNG wrote, in part, “I trained with you not long ago. Since then I have joined Oath Keepers. I recommended your training to the team. To that effect, four of us would like to train with you, specifically in your UTM rifle class.”

52. On January 3, 2021, STEELE emailed the Florida chapter of the Oath Keepers with a membership application and wrote, “My brother, Graydon Young told me to submit my application this route to expedite the process.” Later in the day, STEELE emailed KELLY MEGGS and wrote, “My brother, Graydon Young told me to send the application to you so I can be verified for the Events this coming Tuesday and Wednesday.” The following day, STEELE sent an email to an Oath Keepers address, copying both YOUNG and KELLY MEGGS, attaching her Florida Oath Keepers membership application and vetting form, and writing, “I was just requested to send my documents to this email.”

And the arrest affidavit for the Parkers describes them discussing joining Watkins’ militia because their own had largely dissolved.

On December 27, 2020, Bennie Parker texted Watkins, “I may have to see what it takes to join your militia, ours is about gone.” Also on December 27, 2020, Bennie Parker texted Watkins, “Yes and you and Sandi and I are like minded you guy [sic] aren’t that far away . . . .”

Effectively, that means that the organized stack (also included as an overt act in the superseding indictment) included at least three people — Crowl, Steele, Young, and Sandi Parker — who had just joined either Watkins’ militia or the Oath Keepers generally (Bennie, who’s 70, is not known to have entered the Capitol).

For all that it attracted media attention for that organized stack, the Oath Keepers weren’t as instrumental to the launch of the coup attempt as the Proud Boys.

But there, too, the militia was relying on new recruits. Dominic Pezzola claims (not entirely convincingly) that the insurrection was just his second action with the Proud Boys (though his first was the December MAGA March, where he was in close proximity to Roger Stone’s Oath Keeper body guard Robert Minuta).

Of more interest are the details Felicia Konold shared about her experience leading the mob.

She did a Snapchat video gleefully describing how much power she had exercised.

I’m watching the new guys

Fuuuck

Dude, I can’t even put into words. I. I. Never.

I never could [unintelligible] have imagined having that much of an influence on the events that unfolded today.

[Laughs]

Dude, people were willing to follow. You fucking lead, and everyone had my back, due, everyone, fucking wall, legit, in the air, up against the fence, [unintelligible], three lines of police, fence, me, not even on the ground, my feet weren’t even on the ground, all my boys, behind me, holding me up in the air, pushing back.

[Laughs]

We fucking did it.

Her arrest affidavit also quotes her as saying she was, “recruited into a fucking chapter from Kansas City,” complete with a challenge coin. The government’s detention memo for William Chrestman describes that he, “readily recruited two individuals from Arizona [Felicia and her brother Cory] to join the group of Kansas City Proud Boys, who then participated in the crime spree on U.S. Capitol grounds.” (It’s likely the case against Chrestman relies on an FBI interview of Konold, which has not been publicly cited.)

And it didn’t stop there. Experts have talked, abstractly, about how January 6 served as a recruiting boon for right wing terrorists. That’s shown tangibly in a detail from Royce Lamberth’s opinion on Zip Tie Guy Eric Munchel, granting the government’s motion for his detention. Even as images from Munchel’s antics in the Senate had attracted close focus and on the same day the government obtained a warrant for his arrest, Zip Tie Guy reached out — via Signal — to the Proud Boys in an effort to join up.

There is also no evidence that Munchel is a member of any violent groups, though the government has presented evidence that Munchel was in contact with a member of the Proud Boys after January 6 and was interested in joining the group. See Signal Chat Tr. (Jan. 9-10, 2021).

On top of being an explicit attempt to prevent Joe Biden from assuming the presidency, January 6 was also a recruitment bonanza, providing both a goal in advance to work towards, but also a networking opportunity permitting in-person recruitment.

The insurrectionists breached the Capitol with flagpoles and bullhorns. And some of the key players leading that breach were recent recruits to the organized militia leading the way. Meanwhile, Stewart Rhodes, Joe Biggs, and Ethan Nordean were watching from relative safety.

Update: I’ve fixed the Stack numbers; I think Crowl may have been training rather than being trained at the camp in North Carolina in December.