“Something Like This Has 0 Repercussions if You Mess Up:” John Durham Debunked the Alfa Bank Debunkery

As you know, John Durham failed spectacularly in trying to use a false statement charge against Michael Sussmann to cement a wild conspiracy theory against the Democrats.

But Durham did succeed in one thing (though you wouldn’t know it from some of the reporting from the trial): He utterly discredited the FBI investigation into the Alfa Bank allegations. Lead prosecutor Andrew DeFilippis even conceded as much in his closing argument.

Now, ladies and gentlemen, you have heard testimony about how the FBI handled this investigation. And, ladies and gentlemen, you’ve seen that the FBI didn’t necessarily do everything right here. They missed opportunities. They made mistakes. They even kept information from themselves.

That’s a fairly stunning concession from DeFilippis. After all, DeFilippis asked the guy who was responsible for some of the worst failures in the investigation, Scott Hellman, to be his expert witness, even though Hellman, by his own admission, only “kn[e]w the basics” of the DNS look-ups at the heart of the investigation. Along with Nate Batty, Hellman wrote an analysis of the Alfa Bank white paper in less than a day that:

  • Misstated the methodology behind the white paper
  • Blew off a reference to “global nonpublic DNS activity” that should have been a tip-off about the kinds of people behind the white paper
  • Falsely claimed that the anomaly had only started three weeks before the white paper when in fact it went back months
  • Asserted that there was no evidence of a hack even though a hack is one of the hypotheses presented in the white paper for the anomaly at Spectrum Health (Spectrum itself said the look-ups were the result of a misconfigured application)

Later testimony showed that, after speaking to Hellman and before even checking whois records, the Chicago-based agent who had a lead role in the investigation told a supervisor that “we’re leaning towards this being a false server.”

Within hours, Miami-based agents had confirmed with Cendyn that was false.

In spite of being so egregiously misled from the start by the guys in Cyber, agent Curtis Heide testified in cross-examination by Sussman’s attorney, Sean Berkowitz, that Hellman’s analysis was one of the four things that he believed supported a finding that the anomaly was not substantiated.

Q. Okay. I think near the end of your examination by Mr. Algor he questioned you about your basis for concluding that there was — that the allegations were unsubstantiated. And I think you gave four reasons. I’m going to run through them. If there’s more, that’s okay. Number one, you said the assessment done by Agents Hellman and Batty. Correct?

A. Yes.

Q. Two, the review of the logs. Correct?

A. Yes.

Q. Three, the Mandiant conclusion. Correct?

A. Yes.

Q. And four, the discussions with Spectrum Health about the TOR node. Correct?

A. Yes.

Q. Anything else that you can recall, sir, as to why it was that your investigation, or rather the investigation that you oversaw, suggested that the allegations were unsubstantiated?

A. The only other thing I can think of would be my training and experience with — relating to Russia and cyber investigations.

Q. And is there anything in particular about that that you recall today?

A. With respect to the white paper, it didn’t — when I read through it initially, I had several questions, and it didn’t appear to be consistent with Russian TTPs.

Another thing Heide relied on was the analysis from Mandiant, which Alfa Bank hired to investigate after NYT reached out. According to Franklin Foer’s story, Lichtblau reached out to Alfa on September 21, after Sussmann had given the FBI a heads up but before the FBI asked Lichtblau to hold the story on September 26, so in the window when the FBI had a chance — but failed — to protect the investigation.

One of the truly insane parts of this investigation, by the way — which was conducted entirely during the pre-election window when overt actions were prohibited — was that FBI big-footed to Cendyn and Listrak before sending NSLs to them. And by that point, Alfa Bank was calling the FBI.

A report that was not explained amid the primary resources from the investigation, but which was concluded by October 3, reveals that Chicago’s conclusion was almost entirely based on what Alfa told the FBI and Mandiant.

There was nothing in the case documentation until a 302 for a March 27, 2017 interview done in association with Alfa’s 2017 claims of spoofed DNS traffic (the interview may have been done with Kirkland and Ellis) that documented that, when Mandiant arrived the previous year to investigate, there were no logs to investigate.

Indeed, Heide testified on cross-examination that he had never learned of that fact. At all.

Q. And were you aware, while you were doing the investigation, that Mandiant, when it went to talk to AlfaBank to look into these allegations, did not have any historical data, that Alfa-Bank did not provide any historical data to Mandiant? Did you know that?

A. No

We now know that at a time when “Executives at the highest level of ALFA BANK leadership” had been hoping to “exonerate them[selves]” in 2017, Petr Aven had already started acting on specific directives from Vladimir Putin, including trying to open a back channel to Trump.

Plus, at least as far as Listrak could determine, while the marketing server had sent materials to Spectrum, it had never sent anything to Alfa Bank. The stated explanation that this was spam, then, conflicts with what FBI was seeing in the logs.

As for Spectrum — another of the reasons Heide pointed to — there’s no evidence of anyone reaching out to them (as compared to interactions with agents in Philadelphia and Miami who reached out to Listrak and Cendyn, respectively).

It’s true that the anomaly at Spectrum was not a Tor node (something that researchers came to understand themselves around the time Sussmann shared the allegations with the FBI). But it’s also true that, per Cendyn (which only looked back a month), the identified IP address at Spectrum was reaching out to the Trump server.

The IP address in question showed up in traffic that may be associated with Chinese hacking.

This then might have corroborated the hypothesis, from the white paper, of a hack of Spectrum, but by this point, Hellman had long before decided there was no evidence of a hack and this was, “just garbage.”

That leaves the logs, Heide’s fourth reason for believing FBI had debunked the Alfa Bank allegations. As far as the logs in question, former agent Allison Sands (who was assigned the investigation as a brand new case agent) told one of the tech people on September 26 that, “the end user [possibly Cendyn] is willing to provide logs but they dont have what we need.” Cendyn did share details of their own spam filter, which wouldn’t address the DNS look-ups themselves.

Then, on October 12, Sands told Heide that,

the ‘logs’ we got from Listrak were not network logs

they basically just confirm that trump org is one of their email clients, but they dont show destination email addresses or IPs or anything that we can use to[ ]determine any communications


it was two excel spreadsheets

that was all we got

The FBI did get something. Sands testified that the FBI obtained upwards of 600,000 records (she described obtaining records from Cendyn, Listrak, and GoDaddy, but not Spectrum or Alfa Bank). But it’s not clear how useful those records really were. There’s a reference to the “take” elsewhere (see below), and redacted entries that look like intelligence targeting, plus a reference to an OGA partner reporting “no attempts.” (Here’s a reference to the OGA analysis that is redacted in other versions of the same email chain.) So it seems any useful logs came from another agency. But if that’s right, it would be targeted overseas.

In trial testimony, Sands described that her task was to prove that the allegation wasn’t true, not to explain what the anomaly was.

I knew still I had to rebuild from scratch and prove that this allegation wasn’t true.

In real time, too, she saw her task as disproving that emails had been shared, not even disproving that covert communication had occurred.

I have a few more logs to definitely prove there are no emails, and then Im putting it to bed

That’s a particularly problematic description given that the FBI had been told via other channels that there was some activity reflecting more than DNS look-ups.

That leaves, according to Heide’s judgement, just the observation that the DNS traffic was not consistent with known Russian techniques. Newbie agent Sands said something similar to Chris Trifiletti, Joffe’s handler and apparently sensitive for some other reasons. In response, he mused about whether Russia was “trying other things now that look more non traditional.”

We don’t know the answer to that, because the FBI didn’t try to figure it out.

Scott Hellman, the cyber agent who insisted at every opportunity he got that this was garbage was wrong about how long the anomaly had lasted, but he was right about one thing. On October 4, he advised newbie agent Sands that,

any chance you get to work something like this that truly has 0 repercussions if you mess it up ….take those opportunities

He did mess it up. It wasn’t just his own analysis; his repeated insistence that this was “garbage” appears to have made all the other investigators less careful, too. Six years later, we’re still no closer to understanding what happened.

Hellman was right about facing “zero repercussions if you mess it up.” By all appearances, he’s one of the few people who escaped any consequences for trying to investigate Russia in 2016. We know that several people — including Jim Comey, Andrew McCabe, Peter Strzok, and Bruce Ohr — were fired for their efforts to investigate Russia. We learned at the trial that Ryan Gaynor was threatened with criminal investigation for not answering questions the way Andrew DeFilippis wanted. Curtis Heide remains under FBI Inspection Division investigation for things he did in 2016. Rodney Joffe was discontinued as an FBI informant, according to him, at least, because he refused to cooperate with Durham’s investigation. Everyone who actually tried to investigate Russia in 2016 has faced adverse consequences.

But Hellman appears to have suffered none of those adverse consequences for fucking up an investigation into a still unexplained anomaly. On the contrary, he’s been promoted; he’s now a Supervisory Special Agent, leading a team of people who will, presumably, similarly blow off anomalies that might be politically inconvenient to investigate.

That’s the lesson of the Sussmann trial then: The only people who face zero consequences are the ones who fuck up.

Update: Corrected spelling of Hellman’s last name. Added Comey and McCabe to the list of those fired for investigating Russia. Removed Lisa Page–she quit before she was fired. In this podcast, Peter Strzok said that all FBI agents named in the DOJ IG Report are still under investigation.

Update: All the links to exhibits should be live now.

Update: Added detail that Listrak says Trump never sent marketing mail to Alfa Bank.


I’ve put (what I believe are) all the exhibits about the FBI investigation below.

These times are surely not all correct. Durham consistently shared evidence without marking what time zone the evidence reflected. Importantly, some, but probably not all of the FBI Lync messages reflect UTC time; where I was fairly certain, I tried to reflect the time in ET, but in others, the timeline below doesn’t make sense (I’ll keep tweaking it). Some of the emails reflect the Chicago time zone.

September 19, 2:00PM: Sussmann Meeting

September 19: Priestap notes

September 19: Anderson notes

September 19, 3:00PM: Strzok accepts materials

September 19, 4:31PM: Gessford to Pientka: Moffa with info dropped off to Baker

September 19, 5:00PM: Sporre accepts materials

September 20, 9:30AM: Nate Batty to Jordan Smith: A/AD has two thumb drives.

September 20, 12:29PM: Batty accepts materials

September 20, 4:54PM: Batty and Hellman re analysis

September 21, 8:48AM: Batty to Hellman: at least look at the thumb drives [Batty Lync]

September 21, 4:25PM: Pientka Lync to Heide: People on 7th floor fired up about this server

September 21, 4:46PM: Batty to Heide and others: initial assessment

September 21, 1:10PM [time uncertain] Sands to Pape: Director level interest

September 21, 4:57PM: Norwat to Todd: Not a cyber matter

September 21, 5:06PM: Todd to Heide, cc Pientka

September 21, 5:52PM: Pientka to Heide: Nat [sic] Batty ha the thumb drives

September 22, 4:58AM: Hubiak to Heide: Let me know if you need anything from PH

September 22, 8:09AM: Todd to Marasco [noting thumb drives came from DNC, suggesting tie to debate]

September 22, 8:33AM: Pientka to Heide: Less than 24 hours to investigate, determine nexus, before losing traffic, watched by Comey

September 22, 9:30AM: Pientka to Moffa: Cyber, ugh. Read first email.

September 22, 9:59PM: Hellman to Heide: can you talk on link

September 22, 10:23AM: Marasco to Pientka: FYI

September 22, 11:13AM: Sands to Hubiak: Suspect email domain hosted on Listrak server — if you can help out with a knock and talk it would be great.

September 22, 11:14AM: Baker to Comey and others: Reporter is Lichtblau

September22, 11:34AM: Hubiak to Sands: Will start working on this now

September 22, 12:02PM: Batty to Wierzbicki: We think it’s a setup

September 22, 12:10PM: Heide to Pientka: We’re leaning to this being a false server.

September 22, 2:00PM: Pientka to Hubiak: Thanks for all your efforts. The CROSSFIRE HURRICANE Team greatly appreciates you running this to ground.

September 22, 4:22PM: Sands to all: open full investigation, summary of Hellman’s conclusions [OGA partner targeting Alfa?]

September 22, 5:33PM: Heide to Pientka: it’s a legit domain

September 22, 4:53PM: Sands to all: Cendyn agrees to cooperate, legit mail server

September 23, 8:26AM: Sands to Hubiak: Cendyn willing to cooperate and provide logs

September 23, 1:09PM: Heide to Sands: once we get that case opened, let’s cut a lead to the MM division requesting assisting with the interview, etc.

September 23, 1:53PM: Sands to others: Cendyn, as of this morning no longer resolves, picture of Barracuda spam filter

September 23, 4:04PM: Heide to Gaynor: Cyber’s review

September 23: EC Opening Memo [without backup]

September 26: Gaynor notes

September 26: Intelligence Memo

September 26, 8:02AM: Lichtblau to Kortan: You know what time we’re meeting?

September 26, 9:29AM: Kortan to Lichtblau: Baker’s tied up until later this afternoon.

September 26, 10:02AM: Lichtblau to Kortan: planning to bring Steve Myers

September 26, 10:15: Heide to Pientka: We want to interview the source of the whitepaper?

September 26, 12:09: Kortan to Baker and Priestap: some kind of recap later today?

September 26, 12:29: Sands to Hubiak: I’m writing a justification for an NSL to GoDaddy

September 26, 4:19PM: Heide to Shaw: apparently it’s going to hit the times?

September 26, 4:55PM: Heide to Hellman: We think it’s a bunk report still…

September 26, 5:02PM: Soo to Sands: searching current and historical lists of Tor exit nodes

September 26, 6:20PM: Sands to all, cc Heide: Spectrum hit at Cendyn, NSLs for Listrak, GoDaddy, redacted, Tor results

October 2, 12:02PM: Grasso to Wierzbicki: Two IP addresses

October 2, 7:02PM: Heide to Hellman: Check this out….

October 3: Tactical Product

October 3: Communications Exploitation

October 3, 1:48PM: Gaynor to Heide: Did white paper start with person of interest?

October 3, 2:49PM: Heide to Gaynor and Sands: Interview source

October 3, 3:00PM: Wierzbicki to Gaynor, cc Moffa: I agree with Heide, interview source

October 4: Kyle Steere to Wierzbicki and Sands: Documenting contents of thumb drive

October 4, 8:26AM: Sands to Hellman: 2 random IP addresses we got from tom grasso

October 4, 8:28AM: Sands to Hellman: we got a report on the Alfa Bank side that they also think this is nothing

October 4, 8:43AM: Hellman to Sands: any chance you get to work something like this that truly has 0 repercussions if you mess it up ….take those opportunities [alt version]

October 4, 10:00AM: Gaynor to Wierzbicki et al, cc Moffa: We need to know what we can learn from the logs [CT version]

October 4, 9:50PM: Grasso to Sands: SME who can help give context to the data we discussed

October 4, 11:08PM: Sands to Grasso: Sounds great.

October 5, 1:20PM: Trifiletti to Sands: i reminded him once more that he has never proceeded with anything when he wasnt absolutely sure

October 5, 1:33PM: Hosenball request for comment

October 5, 3:02PM: Strzok to Gaynor, forwarding Hosenball with Mediafire package

October 5, 4:08PM: Sands to Trifiletti: We need to speak to Dave dagon now too

October 5, 5:07PM: Sands to all: Update on CHS conversation — redacted explanation for why Alfa changed

October 5, 6:58PM: Grasso to Sands: I told Dagon that you would be able to protect his identity so that his name is not made public

October 6: Gaynor notes and drawing [alt version, more redacted]

October 6, 4:20PM: Materials to storage

October 6, 4:28PM: Christopher Trifiletti: CHS report (Spectrum: misconfigured server)

October 6, 4:54PM: Trifiletti to Sands: Actual text of 1023 submitted

October 6, 6:21PM: Wierzbicki to Gaynor: CHS debrief

October 7, 8:59AM: Sands to Trifiletti

October 12, 8:01AM: Sands to Heide: the “logs” we got from listrak were not network logs

October 13, 5:45PM: Gaynor to Wierzbicki: Mediafire (includes link)

October 19, 8:05AM: Sands to Heide: we spoke to mandiant and that we are talkingt o [sic] the tech people at the ISP today

October 19, 10:15AM: Gaynor to Wierzbicki: 2 IP addresses, Mediafire, Dagon author?

November 1, 3:09PM: Sands to Trifiletti: I have a few more logs to definitely prove there are no emails, and then Im putting it to bed

November 14, 2:52PM: Steere to Sands: [report on September 30 receipt of logs from Cendyn]

January 18, 2017: Closing Memo

March 27, 2017: Sands 302 with Alfa reports that Mandiant reported no historic data

July 24, 2017: Moffa to Priestap: Includes several other reports

July 24, 2017, 3:10PM: Sands accepts custody

There Was No Crime Predicating the Durham Investigation

Deep in a NYT piece that suggests but does not conclude that John Durham’s purpose is to feed conspiracy theories, Charlie Savage writes,

Mr. Barr’s mandate to Mr. Durham appears to have been to investigate a series of conspiracy theories.

That’s as close as any traditional media outlet has come to looking at the flimsy predication for Durham’s initial appointment.

Billy Barr, however, has never hidden his goal. In his memoir, he describes returning to government — with an understanding about the Russian investigation gleaned from the propaganda bubble of Fox News, not any firsthand access to the evidence — with a primary purpose of undermining the Russian investigation. He describes having to appoint Durham to investigate what he believed, again based off Fox propaganda, to be a bogus scandal.

I would soon make the difficult decision to go back into government in large part because I saw the way the President’s adversaries had enmeshed the Department of Justice in this phony scandal and were using it to hobble his administration. Once in office, it occupied much of my time for the first six months of my tenure. It was at the heart of my most controversial decisions. Even after dealing with the Mueller report, I still had to launch US Attorney John Durham’s investigation into the genesis of this bogus scandal.

In his shameless excuses for bypassing MLAT to grill foreigners about their role in the investigation, Barr describes “ha[ving] to run down” whether there was anything nefarious about the intelligence allies shared with the US — a rather glorified description for “chasing George Papadopoulos’ conspiracy theories around the globe.”

Durham’s investigation was up and running by the late spring. Pending IG Horowitz’s completion of his review of Crossfire Hurricane, I asked Durham to focus initially on any relevant activities by the CIA, NSA, or friendly foreign intelligence services. One of the more asinine aspects of media coverage about Durham’s investigation was all the heavy breathing during the summer as news seeped out that I had contacts with foreign governments on Durham’s behalf. Various journalists and commentators claimed this indicated that I was personally conducting the investigation and suggested there was something nefarious about my communicating with allied governments about Russiagate. [sic] This coverage was a good example of the kind of partisan nonsense that passes as journalism these days.

One of the questions that had to be run down was whether allied intelligence services had any role in Russiagate [sic] or had any relevant information. One question was whether US officials had asked foreign intelligence services to spy on Americans. Various theories of potential involvement by British, Australian, or Italian intelligence agencies had been raised over the preceding two years. Talking to our allies about these matters was an essential part of the investigation. It should not surprise anyone that a prosecutor cannot just show up on the door- step of a foreign intelligence agency and start asking questions. An introduction and explanation at more senior levels is required. So— gasp!—I contacted the relevant foreign ambassadors, who in turn put me in touch with an appropriate senior official in their country with authority to deal with such matters. These officials quite naturally wanted to hear from me directly about the contours of the investigation and how their information would be protected.

Much later, when Barr claimed that Durham would not lower DOJ standards just to obtain results, Barr again described an investigation launched to “try to get to the bottom of what happened” rather than investigate a potential crime.

I acknowledged that what had happened to President Trump in 2016 was abhorrent and should not happen again. I said that the Durham investigation was trying to get to the bottom of what happened but “cannot be, and it will not be, a tit-for-tat exercise.” I pledged that Durham would adhere to the department’s standards and would not lower them just to get results. I then added a point, meant to temper any expectation that the investigation would necessarily produce any further indictments:

[W]e have to bear in mind [what] the Supreme Court recently re- minded [us] in the “Bridgegate” case—there is a difference between an abuse of power and a federal crime. Not every abuse of power, no matter how outrageous, is necessarily a federal crime.

And then Durham lowered DOJ standards and charged two false statement cases for which he had (and has, in the case of Igor Danchenko) flimsy proof and for which, in the case of Michael Sussmann, he had not tested the defendant’s sworn explanation before charging. Durham further lowered DOJ standards by turning false statement cases into uncharged conspiracies he used to make wild unsubstantiated allegations about a broad network of others.

This entire three year process was launched with no evidence that a crime was committed, and it seems likely that only the Kevin Clinesmith prosecution, which DOJ Inspector General Michael Horowitz handed Durham months after he was appointed as a fait accompli and which could easily have been prosecuted by the DC US Attorney’s Office, provided an excuse to convene a grand jury to start digging in the coffers of Fusion GPS and Perkins Coie.

There was no crime. Durham was never investigating a suspected crime and then, as statutes of limitation started expiring, he hung a conspiracy theory on a claimed false statement for which he had no solid proof. Eight months into Durham repeating those conspiracy theories at every turn — conspiracy theories that Durham admitted would not amount to a crime in any case! — a jury told Durham he had inadequate proof a crime was committed and that the entire thing had been a waste of time and resources.

“The government had the job of proving beyond a reasonable doubt,” she said, declining to give her name. “We broke it down…as a jury. It didn’t pan out in the government’s favor.”

Asked if she thought the prosecution was worthwhile, the foreperson said: “Personally, I don’t think it should have been prosecuted because I think we have better time or resources to use or spend to other things that affect the nation as a whole than a possible lie to the FBI. We could spend that time more wisely.”

Compare that to the Russian investigation, which was started to figure out which Trump associate had advance knowledge of Russia’s criminal hack-and-leak operation and whether they had any criminal exposure in it. Here’s how Peter Strzok described it in his book:

[A]gents often don’t even know the subject of a counterintelligence investigation. They have a term for that: an unknown subject, or UNSUB, which they use when an activity is known but the specific person conducting that activity is not — for instance, when they are aware that Russia is working to undermine our electoral system in concert with a presidential campaign but don’t know exactly who at that campaign Russia might be coordinating with or how many people might be involved.

To understand the challenges of an UNSUB case, consider the following three hypothetical scenarios. In one, a Russian source tells his American handler that, while out drinking at an SVR reunion, he learned that a colleague had just been promoted after a breakthrough recruitment of an American intelligence officer in Bangkok. We don’t know the identity of the recruited American — he or she is an UNSUB. A second scenario: a man and a woman out for a morning run in Washington see a figure toss a package over the fence of the Russian embassy and speed off in a four-door maroon sedan. An UNSUB.

Or consider this third scenario: a young foreign policy adviser to an American presidential campaign boasts to one of our allies that the Russians have offered to help his candidate by releasing damaging information about that candidate’s chief political rival. Who actually received the offer of assistance from the Russians? An UNSUB.


The FFG information about Papadopoulos presented us with a textbook UNSUB case. Who received the alleged offer of assistance from the Russians? Was it Papadopoulos? Perhaps, but not necessarily. We didn’t know about his contacts with Mifsud at the time — all we knew was that he had told the allied government that the Russians had dirt on Clinton and Obama and that they wanted to release it in a way that would help Trump.

The answer, by the way, was that at least two Trump associates had advance knowledge, George Papadopoulos and Roger Stone, and Stone shared his advance knowledge with Rick Gates, Paul Manafort, Steve Bannon, and Donald Trump, among others. By all appearances, DOJ was still investigating whether Stone had criminal exposure tied to his advance knowledge when Barr interfered in that investigation in February 2020, a fact that Barr hid until the day before the 2020 election.

With the Russian investigation, there was a crime: a hack by a hostile nation-state of a Presidential candidate, along with evidence that her opponent at least knew about the related leak campaign in advance. With the Durham investigation, there were only Fox News conspiracy theories and the certainty that Donald Trump shouldn’t be held accountable for encouraging Russia to hack his opponent.

The fact that this entire three year wild goose hunt was started without any predicating crime is all the more ridiculous given Durham’s repeated focus both on the predication of Crossfire Hurricane (in criticizing Horowitz’s report on Carter Page) and the Alfa Bank inquiry (during the Sussmann trial). John Durham, appointed to investigate conspiracy theories, deigns to lecture others about appropriate predication.

And that’s undoubtedly why, in the face of this humiliating result for Durham, Billy Barr is outright lying about what Durham’s uncharged conspiracy theories revealed about the predication of the Russian investigation.

He and his team did an exceptionally able job, both digging out very important facts and presenting a compelling case to the jury. And the fact that he … well, he did not succeed in getting a conviction from the DC jury, I think he accomplished something far more important, which is he brought out the truth in two important areas. First, I think he crystalized the central role played by the Hillary campaign in launching — as a dirty trick — the whole RussiaGate [sic] collusion [sic] narrative and fanning the flames of it, and second, I think, he exposed really dreadful behavior by the supervisors in the FBI, the senior ranks of the FBI, who knowingly used this information to start an investigation of Trump and then duped their own agents by lying to them and refusing to tell them what the real source of that information was.

That’s not what the trial showed, of course. Every witness who was asked about the centrality of the Alfa Bank allegations responded that there were so many other ties between Trump and Russia that the Alfa Bank allegations didn’t much stick out. Here’s how Robby Mook described it in questioning by Michael Bosworth.

[I]t was one of many pieces of information we had. And, in fact, every day, you know, Donald Trump was saying things about Putin and saying things about Russia. So this was a constituent piece of information among many pieces of information, and I don’t think we saw it as this silver bullet that was going to conclude the campaign and, you know, determine the outcome, no.

Q. There were a lot of Trump/Russia issues you were focused on?

A. Correct.

Q. And this was one of many?

A. Correct.

In response to questioning by Sean Berkowitz, Marc Elias traced the increased focus on Russia to Trump’s own request for Russia to hack Hillary.

Q. Let’s take a look — let me ask a different question. At some point in the summer of 2016, did Candidate Trump make any statements publicly about the hack?

A. Yes.

Q. What do you recall him saying and when?

A. There was a publication of emails, of DNC emails, in the days leading up to the Democratic National Convention. And it was in my opinion at the time clearly an effort by Russia to ruin what is the one clean shot that candidates get to talk to the American public. Right? The networks give you free coverage for your convention. And in the days before the convention, there was a major leak. And rather than doing what any decent human being might do and condemn it, Donald Trump said: I hope Russia is listening and, if so, will find the 30,000 Hillary Clinton emails that he believed existed and release them. That’s what I remember.

Q. Did you feel the campaign was under attack, sir?

A. We absolutely were under attack.

Q. And in connection with that, were there suggestions or possibilities at least in your mind and in the campaign’s mind that there could be a connection between Russia and Trump?

A. Again, this is, you know — this was public — Donald Trump — you know, the Republican Party historically has been very anti-Russia. Ronald Reagan was like the most anti-communist, the most anti-Soviet Union president.

And all of a sudden you had this guy who becomes the nominee; and they change the Russian National Committee platform to become pro-Russian and he has all these kind things to say about Putin. And then he makes this statement.

And in the meantime, he has hired, you know, Paul Manafort, who is, you know, I think had some ties to — I don’t recall anymore, but it was some pro-Russia thing in Ukraine.

So yeah. I thought that there were — I thought it was plausible. I didn’t know, but I thought it was an unusual set of circumstances and I thought it was plausible that Donald Trump had relations with — through his company with Russia.

Democrats didn’t gin up the focus on Trump’s ties to Russia, Trump’s own begging for more hacking did.

The trial also showed that this wasn’t an investigation into Trump. Rather, it was opened as an investigation into Kirkland & Ellis client Alfa Bank, which FBI believed had ties to Russian intelligence.

The investigation even considered whether Alfa Bank was victimizing Trump Organization.

Barr is similarly lying about whether supervisors revealed the source(s) of this information and what it was.

The source for the allegations was not Hillary, but researchers. And the trial presented repeated testimony that David Dagon’s role as one source of the allegations being shared with investigative agents. That detail was not hidden, but agents nevertheless never interviewed Dagon.

And even the purported tie to the Democrats was not well hidden. Indeed, the trial evidence shows that the FBI believed the DNC to be the source of the allegations, and that detail leaked down to various agents — including the two cyber agents, Nate Batty and Scott Hellman, whose shoddy analysis encouraged all other agents to dismiss the allegations — via various means.

Andrew DeFilippis made great efforts (efforts that lowered DOJ standards) to claim differently, but the evidence that key investigators assumed this was a DNC tip was fairly strong.

Three years after launching an investigation into conspiracy theories, Barr is left lying, claiming he found the result he set out to find three years ago. But the evidence — and the jury’s verdict — proves him wrong.

For years, Durham has been seeking proof that the predication of the Russian investigation was faulty. The only crime he has proven in the interim is that his own investigation was predicated on Fox News conspiracy theories.

FBI’s Russian Hack-and-Leak Investigation as Disclosed by the Sussmann Trial

Now that he has been acquitted, it’s easy to conclude the Michael Sussmann prosecution was a pointless right wing conspiracy theory. It was!

But the exhibits that came out at trial are a worthwhile glimpse of both the FBI’s investigation into the 2016 Russian hack of Democrats and the Bureau’s shoddy investigation of the Alfa Bank anomalies.

I’ve started unpacking what a shitshow the FBI investigation into the latter was here and collecting technical exhibits pertaining the investigation here (though that post is currently out of date).

As to the Russian hack-and-leak, Sussmann’s team facilitated the process with a summary exhibit they included showing a selection of FBI communications pertaining to the investigation that either involve or mention Sussmann. Sussmann introduced these documents to show how obvious his ties to the Democrats would have been to the FBI, including to some people involved in the Alfa Bank investigation. A few of these communications refute specific claims Durham made, showing that meetings or communications Durham argued must relate to the Alfa Bank effort could be explained, in one case far more easily, as part of the hack-and-leak response. That is, some of these documents show that Durham was taking evidence of victimization by Russia and using it instead to argue that Sussmann was unfairly victimizing Trump.



Below, I’ve grouped the communications by topic (though a number of these communications span several topics). Note that Latham & Watkins’ paralegal only used the last date on these communications, which I will adopt. But a number reflect a communication chain that extends months and includes dates that are far more important to the Durham prosecution.

Some of these files include topics that have attracted a great deal of often misleading coverage, such as the efforts to get server images from the Democrats. Importantly, by the time the FBI asked for server images, according to these communications, the only place to get them was at CrowdStrike.

I don’t believe DNC/DCCC have the images that CS took. Only CS have those. It’s like paying ATM fees to your bank to get your cash. DNC/DCCC will be charged to get the images back.

After some discussion about who would pay CrowdStrike to create a second image, the firm offered to do it for free.

These communications also give a sense of the extent to which Democrats faced new and perceived threats all through the election. Given the communications below and some details I know of the Democrats’ response to the attacks, I suspect these communications do not include real attempted attacks, either because they were not reported or because the report went to FBI via another channel. While CrowdStrike attempted to ensure Sussmann was always in the loop, for example, that discipline was not maintained. And we know CrowdStrike found the compromise of the Democrats analytics hosted on AWS in September, a compromise that may only show up in these communications mentioned in passing. Some in the FBI seemed entirely unsympathetic to the paranoia that suffering a nation-state attack during an election caused, which couldn’t have helped already sour relations between the FBI and Hillary’s people.

Perhaps the most interesting communications — to me at least — pertain to efforts to authenticate the documents that got publicly posted and to identify any alterations to them. At least as laid out in these communications, the Democrats were way behind the public in identifying key alterations to documents posted by Guccifer 2.0, and it’s unclear whether the FBI was any further ahead. But these discussions show what kind of alterations the Democrats were able to identify (such as font changes) as well as which publicly posted documents the FBI was sharing internally.

FBI public statements

160614 DX102 A discussion of Jim Trainor’s preparation for a meeting with Ellen Nakashima in advance of her June 14, 2016 reporting the hack and CrowdStrike’s attribution. Among other things, they note Nakashima’s confidence that GOP PACs were also targeted.

160725 DX112 This email chain between Sussmann and Trainor captured Sussmann’s frustration that FBI made an announcement of an investigation into the DNC hack without first running the statement by Sussmann.

160729 DX117 Before FBI sent out a statement about the DCCC hack, Jim Trainor sent Sussmann their draft statement. In response, Sussmann complained that FBI said they were aware of media reports but not of the hack itself. The timing of this exchange is important because Durham’s team repeatedly described a meeting between Marc Elias and Sussmann that day pertaining to a server as relating to the Alfa Bank anomaly.

Points of contact

160616 DX105 An email thread sent within FBI OGC (including to Trisha Anderson) discussing an initial meeting between Jim Trainor, Amy Dacey, Sussmann, and Shawn Henry.

160621 DX107 Starting on June 16, Amy Dacey thanked Assistant Director Jim Trainor for meeting with the Democrats about the hack. The thread turned into a confused request from the campaign for a briefing about whether they, too, had been compromised.

160725 DX114 This chain reflects Hawkins’ confused response after Sussmann provided the contact information for a Hillary staffer with a role in technical security. Hawkins stated, “Nothing concerning HFA has come up.”

160809 DX127 After Donna Brazile replaced Debbie Wasserman Schultz, Sussmann set up a meeting between her and Jim Trainor.

160811 DX128 An email chain among cyber FBI personnel discusses three Secret threat briefings for the DNC, DCCC, and Hillary campaign. Sussmann was scheduled to attend all three briefings, and Marc Elias was scheduled to attend the DCCC and Hillary briefings (though he testified that he did not attend).

160811 DX130 Sussmann sent the FBI notice of a public report of the DNC’s establishment of a cybersecurity advisory board. The report was passed on to Jim Trainor.

DHS outreach

160802 DX106 A Lync chain starting in the initial aftermath of the Nakashima story, referencing an Intelligence Committee briefing, and discussing how to facilitate DHS assistance to the Democrats through Sussmann.

160802 DX120 With the goal of reaching out to the Democratic victims to offer assistance, DHS asked who the point of contact for both would be.

160816 DX125 This email chain documents DHS’ “SitRep” of their understanding of the DNC/DCCC hacks and their efforts to reach out to help. This includes sharing of DNC/DCCC “artifacts” with NCCIC.

Authentication and venue

160708 DX109 An email chain seeking DNC help authenticating a document released by Guccifer 2.0.

160723 DX110 A discussion starting on July 21 about authenticating and extending after the initial WikiLeaks dump. Hawkins observed, “Looks like there will be multiple releases on that [the WikiLeaks] front.”

160802 DX118 After Adrian Hawkins asked CrowdStrike’s Christopher Scott a question about a public report that the Democrats’ analytics had been hacked, Scott explained that Sussmann had to be involved in any discussions between the FBI and their cybersecurity contractor. Hawkins also asked for specifics about the compromised servers that the FBI could use to establish venue.

160816 DX134 An email chain mentioning but not including Sussmann describes the efforts to establish venue (especially for Field staff who rely on laptops and travel a lot) as well as the efforts to authenticate documents.

160822 DX136 Two Lync messages describing a script that can be used to match WordPress documents with files stolen from the DNC.

160922 DX145 NSD’s Deputy Chief of  Cyber, Sean Newell, asks Sussmann to meet to discuss some information requests from NDCA. They set up a meeting for September 26.

160930 DX147 Hawkins follows up on Newell’s request for information with a much more detailed request from the San Francisco Division. This request includes details of the forensics NDCA was asking for, generally to include the CrowdStrike reports, network diagrams, logs, and images for the compromised hosts.

161004 DX148 In response to WikiLeaks promises about an upcoming file release, Newell follows up on a September 27 request he made of Sussmann for any files that were altered as well as a list of files that had been released but not circulated outside of the victim organizations first, including some indication whether those had been altered. Sussmann says they would have information available later that week.

161012 DX150 In another chain of responses to Newell’s information request, someone at Perkins Coie passes on a description from the DCCC about how an image posted by Guccifer 2.0 differed from the file structure as it appeared on their server, including as it pertained to a file named, “Pelosi Vote Email.”

161026 DX154 This chain is a follow-up to the Newell request, though it actually includes Guccifer 2.0 documents about Trump’s taxes discussed. It includes description of an altered document published by Guccifer 2.0, in which the font was changed. It also includes a DOJ NSD person asking FBI to print out the document because they don’t have any unattributable computers.

161024 DX165 This is yet another continuation of the Newell request, this one included the Trump Report altered by Guccifer 2.0. It includes some discussion of alterations to that document (as compared to unaltered ones released by WikiLeaks). It also describes documents that a DNC research staffer believes were taken from his local desktop.

CrowdStrike Reports

160815 DX132 Burnham to Farrar explaining there are two CloudStrike reports, one for the DNC and the other for the DCCC. The former is done, while the latter will be done soon.

160825 DX137 Hawkins asks Sussmann about the DNC CrowdStrike report, Sussmann explains it’s still a few days away, but then the next day says he’s reading “it” (which may be the DCCC report). Sussmann’s response gets forwarded to a few more people.

160830 DX 138 A Lync chain conveying that Sussmann had alerted the FBI that the CrowdStrike report was done and asking if WFO should pick it up.

Server images

161013 DX151 In another chain of responses to Sean Newell’s information request, the discussion turns from Sussmann’s effort to make sure the Democrats respond to all the FBI’s data request to how to obtain images (whether to have CrowdStrike spend 10 hours to do it or let FBI onsite to do it themselves). As part of this chain, Sussmann says that “in theory” the Democrats would be amenable to letting the FBI onsite to image the serves themselves, but then checks to see whether the data is at CrowdStrike or the DNC.

161013 DX152 This chain is follow-up to the request for server images. Sussmann connects the FBI and CrowdStrike, CS offers to image the servers for free, and the FBI provides the address where to send them.

161028 DX153 A Lync that starts with Newell requesting someone attend the October 11 meeting with Sussmann, continues through a discussion about how to get images of the compromised servers (including whether Sussmann may have misinterpreted the ask), and includes a discussion about a re-compromise.

Lizard Squad ransomware threat

160803 DX121 Late night on August 2, Sussmann reported a ransomware threat from the Lizard Squad. This email discusses the various equities behind such a threat and involves a guy named Rodney Hays, whom the Durham team would at one point insist must be Rodney Joffe.

160806 DX124 This chain reflects more of the response to Sussmann reporting a ransomware threat from Lizard Squad. As noted, it involves a guy named Rodney Hays that Durham’s team insisted must be Joffe.

160922 DX144 Over a month after the Democrats reported the Lizard Squad threat, Eric Lu wrote up the intake report, including the bitcoin address involved and Sussmann’s email to Rodney on August 9 thanking him for his assistance.

Other threats

160726 DX115 Sussmann set up a meeting with Hawkins and others so someone could report “some offline activity related to the intrusion.” This was around the time when Ali Chalupa believed she was being followed, though nothing in this chain describes the threat.

160908 DX140 On August 26, EA Hawkins wrote Sussmann directly alerting him to a new phishing campaign targeting Democrats. On September 7, he wrote back with three accounts that may have been targeted.

160916 DX141 Moore emailing Josh Hubiak — a cyber agent in Pittsburgh — asking for contact information for Michael Sussmann so she can obtain the contact information for a DNC bigwig whose Microsoft Outlook account was compromised, apparently by APT 28. Hubiak is one of the agents also involved in the Alfa Bank investigation.

160917 DX142 The day after the request for contact information for the DNC bigwig, there’s further discussion about how to contact him. The FBI also shares new files reflecting the network share for a different DNC person, a former IT staffer, that was uploaded to Virus Total.

160927 DX146 In response to public reports that some Democratic phones may have been targeted and a potential compromise of Powell’s phone (probably Colin, whose communications were posted to dcleaks), there’s some chatter about what information is available from Apple and Google. One of the key agents involved complains that, “it would be awesome if Google helped out, as I know they are at least 2 steps ahead of me and I’m in a sad, losing game of catchup.”

161011 DX149 This seems to be a collection of Lync notes from October 11, showing three different issues pertaining to Sussmann happening at once: the transfer of custody of the thumb drives to the Chicago office, a reference to a meeting with Sussmann, and a report of a new Democratic concern about exposed Social Security numbers.

161230 DX155 A Lync chain that goes from October 28 through December 30 covering the concern about a bug at DNC HQ, the response to the NYT article naming Hawkins, and another compromise alert.

161017 DX164 This may be a summary prepared for Mother Jones. Whatever the purpose (there is no date), it describes the timeline of FBI’s response to a request for a sweep of DNC headquarters in response to some anomaly. Sussmann permitted the sweep but asked that it be done covertly, so as not to alert DNC staffers.

Crossfire Hurricane

160804 DX123 On August 4, Joe Pientka forwarded the original June 14 Nakashima story to the agents who had just been assigned to the Crossfire Hurricane team with the explanation, “Just going through old — possibly pertinent emails.”

“The Bell Can Never Be Unrung” … The Many Times Durham’s Prosecutors Flouted Judge Cooper’s Orders

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

The jury in the Michael Sussmann case will return to work this morning. They deliberated for some period on Friday (I’m not sure whether how long they deliberated has been reported). But the jury was unable to get questions answered or a verdict accepted after Judge Christopher Cooper left for the long holiday at 2:30PM. Even if the jury ends up finding Jim Baker’s testimony unreliable — which would likely be the quickest way to come to a verdict one way or another — I would expect it to take the jury a bit of time to sort through the centrality of his testimony to the charges.

So while we wait, I want to catalog how Durham’s team blew off just about every adverse decision Cooper made against them.

1. Delayed Request for Privileged Material

As I laid out in this post, Cooper ruled that a bunch of the emails over which the Democrats had originally claimed privilege were not. But because Durham waited so long to request a review of the privileged documents, Cooper ruled Durham could not use the emails at trial.

In cross-examination of Fusion’s tech person, Laura Seago, DeFilippis used the content of one of those emails that apparently discussed hiding her Fusion affiliation from Tea Leaves. (I laid out this exchange in this post.)

MR. DeFILIPPIS: So we have an issue with regard to Ms. Seago’s testimony. The government followed carefully Your Honor’s order with regard to the Fusion emails that were determined not to be privileged but that the government had moved on.

As Your Honor may recall, there was an email in there in which Ms. Seago talks very explicitly about seeking to approach someone associated with the Alfa-Bank matter and concealing her affiliation with Fusion in the email. When we asked her broadly whether she ever did that, she definitively said no when I, you know, revisited it with her. So it raises the prospect that she may be giving false testimony.

And so we were — you know, I considered trying to refresh her with that, but I didn’t understand that to be in line with Your Honor’s ruling. So the government is — we’d like to consider whether we should be — we’d like Your Honor to consider whether we should be able to at least recall her and refresh her with that document?

THE COURT: I don’t remember that question, but the subject matter was concealing Fusion or her identities in conversations with the press. If I recall correctly, that email related to “tea leaves,” correct?

After repeatedly asking Seago whether she had hidden her affiliation from the media, he asked about this email, catching Seago in a gotcha (though both Judge Cooper and Sussmann lawyer Sean Berkowitz took the question, as Seago seemed to, to relate to outreach to the press).

After setting his perjury trap, DeFilippis immediately tried to recall Seago onto the stand to delve into the content of this email. In this case, Judge Cooper ruled that DeFilippis had waived his opportunity to do so.

THE COURT: Well, I think the time to have asked the Court whether using the document to refresh was consistent with the order was before she was tendered and dismissed. So I think you waived your opportunity. All right? So we’re going to move on.

2. Non-Expert Expert Testimony

One of the most contentious arguments leading up to trial was Durham’s belated attempt to use an expert witness, ostensibly to discuss the technical complexities of DNS and Tor at the heart of the case (topics which prosecutors had witnesses explain over and over in as much detail as their nominal expert witness David Martin did), to address the accuracy of the research on the DNS anomaly.

This was an attempt to lead the jury to believe the anomaly was fabricated by Rodney Joffe and the researchers, in spite of the fact that Durham obtained plenty of evidence it was not.

On April 25, Judge Cooper ruled that Durham could have an expert discuss the technicalities of the data, but could only raise the accuracy if Sussmann did so himself.

Then on May 6, Durham attempted to expand that ruling by asking the expert to address materiality. In discussions the morning of opening arguments that focused entirely on the testimony of non-DNS expert Scott Hellman, not the nominal expert on DNS David Martin, Cooper prohibited Martin’s discussion of spoofing. (I describe these discussions here.)

Ironically, this was all supposed to be about visibility, the import of understanding how much DNS traffic a researcher could access to the quality of that researcher’s work. In Hellman’s own analysis — for which he fairly demonstrably did not review the data that Sussmann shared with the FBI very closely —  he showed no curiosity about the issue.

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

Nevertheless, DeFilippis used this nested set of witnesses as an opportunity to get Hellman — who admitted he had only a basic understanding of DNS, who didn’t review the data very closely, and who formed his initial conclusion in about a day — to comment on the methodology of the researchers.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.


MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

This is precisely the kind of opinion that Cooper had prohibited from an actual expert, admitted from someone whose own shoddy analysis became a recurrent theme for the defense.

3. Hearsay Clinton Tweet

DeFilippis’ efforts to get excluded information introduced was still more brazen with hearsay materials.

On May 7, Judge Cooper issued his initial ruling on which parts of Durham’s conspiracy theory could be admitted at trial. In general, Cooper permitted the introduction of Fusion GPS emails with the press about the Alfa Bank allegations, all of which post-date Sussmann’s alleged lie. He excluded all but one of the emails between Rodney Joffe and the researchers (more on the exception below).

Cooper equivocated wildly about a tweet sent out under Hillary Clinton’s name in response to the Franklin Foer story on the anomaly. In a hearing on April 27, he excluded it as hearsay.

THE COURT: All right. The Clinton Campaign Tweet, the Court will exclude that as hearsay. To the extent that the government believes that it offers some connection to the campaign and an attorney-client relationship, it’s likely duplicative of other evidence, so the Tweet will not come in.

In a pre-trial hearing on May 9 (after he had issued his order on motions in limine), Cooper explained he was revisiting the decision.

But I guess my question, as I have thought more about this, given the sort of two competing theories of the case and two narratives laid out in the Court’s ruling on the motion in limine, is whether it is relevant not for the truth, but to show the campaign’s connection to the alleged public relations effort to play stories regarding the Alfa-Bank data with the press and that therefore it is sort of context for the Government’s motive theory, that Mr. Sussmann sought to conceal that effort, as well as the campaign’s general connection to that effort.

After Sussmann lawyer Sean Berkowitz explained that the defense would not contest that the campaign wanted a story out there, Cooper opined that would make the tweet cumulative.

Well, if that’s going to be the case, and he’s not contesting that he was representing the campaign in connection with that effort, isn’t the tweet cumulative? It’s icing on the cake. Right?

DeFilippis claimed that without the tweet they would have no evidence about how the campaign worked the press on this issue (even though both Marc Elias, called as a government witness, and Robby Mook, who was originally listed as a government witness, eventually testified to the issue on the stand). After Judge Cooper said he would reserve his decision, Berkowitz noted that in fact, DeFilippis planned to use the tweet to claim the campaign wanted to go to the FBI when the testimony at trial (from both Elias and Mook) would establish that going to the FBI conflicted with the campaign’s goals.

[T]hey are offering the tweet for the truth of the matter, that that’s what the campaign desired and wanted and that it was a accumulation of the efforts.

Number one, it’s not the truth; and in fact, it’s the opposite of the truth. We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

And so we think that a tweet in October after there’s an article about it is being offered to prove something inconsistent with what actually happened.

Then, after both Elias and Mook had testified that they had not sanctioned Sussmann going to the FBI, DeFilippis renewed his assault on Cooper’s initial exclusion, asking to introduce it through Mook’s knowledge that the campaign had tried to capitalize on the Foer story.

Having ruled in the past that the tweet was cumulative and highly prejudicial, Cooper nevertheless permitted DeFilippis to introduce the tweet if he could establish that Mook knew that the campaign tried to capitalize on the Foer story.

But Cooper set two rules: The government could not read from the tweet and could not introduce the part of the tweet that referenced the FBI investigation. (I explained what DeFilippis did at more length in this post.)

THE COURT: All right. Mr. DeFilippis, if you can lay a foundation that he had knowledge that a story had come out and that the campaign decided to issue the release in response to the story, I’ll let you admit the Tweet. However, the last paragraph, I agree with the defense, is substantially more prejudicial than it is probative because he has testified that had neither — he nor anyone at the campaign knew that Mr. Sussmann went to the FBI, no one authorized him to go to the FBI, and there’s been no other evidence admitted in the case that would suggest that that took place. And so this last paragraph, I think, would unfairly suggest to the jury, without any evidentiary foundation, that that was the case. All right?

MR. DeFILIPPIS: Your Honor, just two brief questions on that.


MR. DeFILIPPIS: Can we — so can we use — depending on what he says about whether he was aware of the Tweet or the public statement, may we use it to refresh him?

THE COURT: Sure. Sure.

MR. DeFILIPPIS: Okay. And then, as to the last paragraph, could it be used for impeachment or refreshing purposes as well in terms of any dealings with the FBI?

THE COURT: You can use anything to refresh.


THE COURT: But we’re not going to publish it to the jury. We’re not going to read from it. And let’s see what he says. [my emphasis]

Having just been told not to read the tweet, especially not the part about the FBI investigation, DeFilippis proceeded to have Mook do just that.

The exhibit of the tweet that got sent to the jury had that paragraph redacted and that part of the transcript was also redacted. But, predictably, the press focused on little but the tweet, including the part that Cooper had explicitly forbidden from coming into evidence.

4. Hearsay about Joffe’s Request for Feedback

As noted above, Judge Cooper permitted just one email between Joffe and the researchers to come into evidence: a request for feedback Rodney Joffe made of the researches. But he did so based on Durham’s representation that either David Dagon or Manos Antonakakis — both of whom received the email — would testify.

Neither did.

During Sean Berkowitz’ cross-examination of Curtis Heide, one of the agents assigned to investigate the anomaly, Sussmann’s attorney had Heide explain how they knew David Dagon had a role in the research, but nevertheless never bothered to speak to him directly.

AUSA Jonathan Algor used that as an opportunity to ask to introduce not just the email that had been permitted, but also the response, claiming that by highlighting how shoddy the FBI investigation was, Berkowitz was opening the door to accuracy questions.

MR. ALGOR: So, Your Honor, there was a good amount of cross-examination regarding David Dagon.


MR. ALGOR: And specifically asking about reaching out to him and also going into that he was the source of the white paper and what types of questions you would ask him and all. I think that this goes right to the red herring email.

THE COURT: I’m sorry, the what email?

MR. ALGOR: The red herring email, which you’ve previously excluded. It was Government Exhibit 124, when you would go through what type of questions. Now that Mr. Berkowitz has asked these, I would ask: What would you have asked having to provide data related to it? You know, Were there drafts of the white paper? Would Agent Heide ask who else he communicated with and what he believed regarding all of that data? And so I think he’s opened the door regarding that email.

Berkowitz noted that neither Sussmann nor Heide knew of the email.

MR. BERKOWITZ: Judge, this is not an email that was authored by Mr. Dagon. My cross-examination went directly to their investigation, who they spoke to, who they didn’t speak to. I asked him, he doesn’t know what Mr. Dagon said to Mr. Sussmann, if anything, and he said he didn’t. And I don’t think that opening the door to these communications where there’s no indication that it went to Mr. Sussmann is appropriate.

Cooper ruled that Algor could not introduce the email response.

That did not open the door to the excluded email about which — about what his and the other researchers’ views on the data or motivations may have been. In any case, the emails reflect — or the email reflects the views of Mr. Joffe, not Mr. Dagon, and those views came a full month and a half before the FBI was in a position to interview Mr. Dagon. They are, therefore, not relevant to Mr. Dagon’s views or motivations in any event.

So you can — you can certainly ask him, as you have in direct, what he would have done differently, what he would have questioned Mr. Dagon about, you know, to establish a materiality argument, but we’re not going to get into what the researchers’ motivations were. Okay?

Minutes later, Algor walked how Heide didn’t know any of the people on the email, and elicited from Heide the opinion that even asking the opinion might suggest people were trying to fabricate the data.

Q. Okay. And it — the “from” is Rodney Joffe. Do you see that?

A. Yes.

Q. And then the “to” is to Manos Antonakakis. Do you see that?

A. Yes.

Q. Do you know who that is?

A. I do not.

Q. And David Dagon, do you see that second name?

A. Yes.

Q. Do you know who David Dagon is?

A. No.

Q. You testified —

A. I’m sorry.

Q. — earlier —

A. I never met David Dagon, but I do know that he was the information that the source came forward and said he was potentially the author of the white paper.

Q. Okay. And that’s from a CHS that your team was contacted by?

A. Yes. Yes.

Q. And then, finally, April Lorenzen. Do you know who April Lorenzen is?

A. I do not.


Q. Would you also want to know whether the authors of the white paper were trying to make it out so that it wasn’t — so that it couldn’t be understood if you weren’t a DNS expert?

A. That would be important.

Q. And if you could read that last line, please.

A. It says, “Do NOT spend more than a short while on this (if you spend more than an hour you have failed the assignment). Hopefully less.”

Q. And just going back to the line above, it says, without — it says, “NOT to be able to say this is, with out doubt, fact, but to merely be plausible,” would you want to understand that coming from the source of the white paper?

A. Yes.

The discussion of the bench conference immediately after Heide left the stand (Berkowitz generally refrained from objecting to these shenanigans in front of the jury) is entirely redacted. But as noted below, Judge Cooper ultimately excluded the entire email as hearsay introduced without proper foundation.

6. Hearsay Commentary on an Attorney

In the very same sidebar where Judge Cooper excluded the Heide testimony, he also explicitly prohibited prosecutors from tying a research request that Rodney Joffe had given a colleague, Jared Novick, to an attorney. The research request pertained to Richard Burt and Carter Page (among others) at a time both had established ties to Russia. Novick testified to Joffe’s displeasure with his work abilities and it’s quite clear the two don’t like each other.

MR. BERKOWITZ: So with respect, Judge, to that, it sounds as if outside the norm of what he normally does, that he thought it was likely for a political campaign. I’m not sure that his determination that he thought it was for an attorney is relevant. If they want to put in an attorney-client-privileged document that he saw, I think he can do that. But if he says I understood this was going to an attorney connected to the campaign, that’s hearsay. And it really doesn’t have anything to do with Mr. Sussmann, unless they can tie it up in any way.

THE COURT: Is there — is there any link to the defendant?

MR. ALGOR: Your Honor, just that he understood the tasking was related to opposition research regarding Trump; that he was told by Mr. Joffe — and his understanding was — that it was — it was someone tied to the Clinton campaign. But his understanding overall, full context and understanding, regardless of what Mr. Joffe said, was that this was going to someone tied to the campaign; and that also in receiving the document that had attorney-client privilege, that he understood it to be for an attorney.

THE COURT: How is that not hearsay if Mr. Joffe offered for the purpose of showing that, in fact, it was from —

MR. ALGOR: Because it’s a full understanding. It’s not getting into the actual specific statements that Mr. Joffe told him, but just the full context of what he was tasked to do and who the ultimate receiver was.


MR. KEILTY: One second, Your Honor.

THE COURT: You can elicit his understanding that it was for a campaign, that it was unusual, that it may have had some political purpose. But I want you to stay away from any suggestion, which I don’t think has been established, that it was from Mr. Sussmann, including by suggesting it was from an attorney. Okay? [my enphasis]

Once again, minutes after Judge Cooper issued an order — this one ruling that Durham’s team could not elicit any reference to an attorney — Algor nevertheless got a former Joffe associate to do so.

Q. And, again, you — during cross-examination, Mr. Berkowitz asked you a series of questions regarding — regarding your work for Mr. Joffe on this project?

A. Uh-huh.

Q. And without getting into any specific conversations, based on the totality of your work, who was the intended audience for the project?

A. It was to go to an attorney with ties.

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Sustained.

That was the first time Berkowitz started getting really insistent about the pattern of Durham’s prosecutors completely ignoring explicit prohibitions from Cooper.

MR. BERKOWITZ: And — and just briefly, Your Honor, I don’t know when is an appropriate time to — to raise this. I want to express what — and I am not a — a hotheaded person —

THE COURT: You’re not a what?

MR. BERKOWITZ: I’m not a hotheaded person, but I have deep concern over the last line of questioning with the witness eliciting something that I think was clearly prohibited. And it’s consistent, in our view, with the line of questioning relative to Mr. Elias, [sic] relative to them reading the tweet that had been excluded. And, again, I know you don’t apportion bad faith, and I’m not asking you to do that at this point, but I just — I’m — I’m really concerned about the number of those issues that have come in and the prejudice to Mr. Sussmann. And I don’t know how best to deal with it, but I want to raise that to your attention.

Judge Cooper finally warns Durham to follow his orders

The Novick questioning finally stirred Cooper to try to do something about prosecutors flouting his orders. The first thing the next morning, he issued a both-sides warning about adhering to his rulings.

THE COURT: Okay. Good morning, everybody. All right. I just want to return briefly to the discussion we had at the end of the day yesterday.

You know, we’ve been here for two weeks. I have tried my best to let you folks try your cases as you see fit without undue intervention from the Court, as is my usual practice. But I obviously have set some evidentiary guardrails in the case that I expect both sides to follow, and I think you’ve done that for the most part.

Yesterday, however, I thought it was pretty clear — that I was pretty clear that in Mr. Novick’s testimony the government was not to suggest a link between the defendant and — on the one hand, and Mr. Joffe and the researchers’ data collection efforts on the other hand, or their views about the data. I didn’t think there was an evidentiary foundation for that.

I thought that the jury would only be able to speculate about any such connection, and I thought that any knowledge Mr. Novick had about that was necessarily hearsay from Mr. Joffe, who obviously is not here to testify. And I thought, at least, the final question in the redirect that was asked yesterday, nevertheless, attempted to establish such a link.

You know, I know that questions get asked rhetorically or argumentatively that are likely to draw an objection, and I will give lawyers some slack on that, but I expect both sides to comply with my evidentiary rulings.

There’s a lot of evidence in this case. There’s a lot for the jury to digest. They will have plenty of validly admitted evidence to pore over, and from here on out, including in arguments, I expect both sides to comply with both the letter and the spirit of the Court’s evidentiary rulings. So let’s keep it clean from here, okay?

MR. KEILTY: Yes, Your Honor.

Berkowitz used that exchange to request that Cooper exclude the entirety of the email that Algor used to invite Heide to suggest the data had been fabricated as the only way to limit the damage from prosecutors breaking Cooper’s rules.

MR. BERKOWITZ: Thank you very much for that, Your Honor. I have one other request related to it. And I don’t mean to go to the well, but there was an additional line of questioning yesterday related to Government Exhibit 132 with Agent Heide. I’m happy to provide a copy of it, if you would like.

THE COURT: Just remind me what it is.

MR. BERKOWITZ: It’s the document they sought to admit between Rodney Joffe, David Dagon, and Manos Antonakakis, “Is this a plausible explanation?”

THE COURT: Yes, I know that one. Actually, pass it up.

MR. BERKOWITZ: Your Honor, I went back and read the basis for your admitting the document, which was that it was not hearsay because there was a statement, “can you review,” and a question, “is this a plausible explanation?” I think we all contemplated at the time that both Mr. Dagon and Mr. Antonakakis were on the witness list and might testify.

You did allow it in. We didn’t object on the basis that you had previously ruled on it.

The manner in which it was used with the witness, I think, didn’t comply with the spirit of the Court’s ruling. There were questions asked related to “if you had spoken with Mr. Dagon, and you were aware of this communication” words to the effect of “would that have been concerning?”

And the witness — and I’m not suggesting that it was elicited intentionally, but the witness said “it would concern me because it appears as if it’s fabricated.”

Berkowitz noted that (like the Clinton tweet before it, though Berkowitz didn’t make the connection) that exchange got reported in the press.

That’s been reported in the press, even though you struck it from the record at our request.

Our remedy request, Your Honor, in light of that, and in light of the lack of probative value of that document with no connection to Mr. Sussmann, would be to strike the question and answering related to that document, to strike that document from the record, and not allow the prosecution team to use it with any defense witnesses, as well as not to use it in argument because it would have been stricken from the record.

We think the probative value of that document at this stage is minimal, and I expect that if it is published to the jury and used in any way, the jurors will associate it with the fabrication comment. And you worked real hard — and we have all worked really hard — to keep out the accuracy of the data. And the prejudicial nature of the document and the testimony associated with it is something that we think, while it can’t be remedied, and the bell can never be unrung, they should not be reminded and put before them. [my emphasis]

After having just been scolded, DeFilippis nevertheless made a bid to keep the document that might trigger the improperly elicited comment in as evidence.

Michael Keilty — the closest thing to a grown-up on this team — then tried to explain away Algor’s flouting of the rules with Novick.

MR. KEILTY: One last thing, Your Honor, just with respect to the final question to Mr. Novick yesterday. I think Your Honor’s aware that the government obviously did not intend for that — to elicit that answer. Instead, it intended to elicit an answer regarding Mr. Novick’s thoughts about whether this was involved with a political entity or political campaign. We didn’t have the opportunity or the benefit of conferring with Mr. Novick prior to Your Honor’s ruling. So we apologize for that, but we just wanted to put on the record some of the reasons why.

THE COURT: Well, you could have asked, “Without telling me who it came from, what was your understanding of the general nature of the source?” Right?

7. Hearsay on Top of Hearsay about Joffe’s Joke about a Job

But the Durham team’s defiance of Cooper didn’t stop there. While Cooper had permitted (with the proper foundation) a Joffe email that elicited feedback, Cooper had excluded an email — sent to someone never identified as a witness in this case — in which Joffe had joked about working in cybersecurity under a Clinton Administration. Nevertheless, as part of a long exchange with retired FBI Agent Tom Grasso in which DeFilippis asked Grasso materiality questions about stuff he heard about but had no firsthand knowledge of — each time presented as fact rather than as a conspiracy that Durham had explicitly been prohibited from presenting because they hadn’t charged it — Durham’s lead prosecutor raised the allegation he had been prohibited from raising.

Q. So when he came to you or at any time after that, did Mr. Joffe disclose to you whether he was working on this with representatives of the — of a political campaign?

A. He did not, no.

Q. And do you think you’d remember if he had told you at the time, you know, “I’m doing this, working with some folks who are working with the political campaign”?

A. I would think I would remember that, yes.

Q. So Mr. Joffe didn’t tell you — have you heard of a firm called Fusion GPS?

A. I have heard of Fusion GPS, yes, sir.

Q. Okay. And are you generally aware that they had — without getting into any specific work you did, are you generally aware that they had done some work for the Clinton Campaign at the time?

A. Yes, I —

Q. Okay.

A. Yes, I am aware of that, yes.

Q. So Mr. Joffe didn’t say he was working with Fusion GPS on this project?

A. Not that I recall, no.

Q. And Mr. Joffe never told you that, you know, this project had arisen in the context of opposition research that the Clinton Campaign was working on?

A. I do not recall that coming up, no.

Q. If Mr. Joffe had come to you and said, “I’m working with some investigators and some lawyers who are working for the Clinton Campaign, and, you know, that’s part of what I’m doing here with this information, can you please keep my name out of this,” would you have viewed that differently than you viewed the information as you got it?


Q. Okay. And in the 2016 election period, you and Mr. Joffe, I imagine, never discussed politics or anything like that?

A. I don’t recall political discussions with him, no.

Q. Okay. And did you — so you certainly didn’t know that he was working with folks affiliated with a particular political party or campaign on what he brought to you, right?

A. I have no recollection of that.

Q. And any recollection of hearing or learning that he was expecting any kind of position in a future political administration?

A. I do not have a recollection of that other than — let me rephrase that. I have a recollection of that being reported in the media, but I don’t have a —

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Sustained. [my emphasis]

When Berkowitz raised this exchange at the end of the day, Judge Cooper noted that the several meetings they had with Grasso were ample basis for DeFilippis to understand that Grasso had no knowledge of those matters (or, for that matter, the topics covered by that entire line of questioning).

MR. BERKOWITZ: Judge, I regret that I’m going back to this same issue that we started the day with where  you admonished counsel to be careful of the guardrails related to evidentiary rulings. We had another situation n today that I think ran afoul of your comments. There was an email that was the subject of a motion related to Mr. Joffe communicating about a potential job. And in the cross-examination of Agent Grasso there was a question about, “He certainly didn’t know he was working with folks affiliated with a particular political party or campaign when he brought that to you. Right?”

Answer: “I have no recollection of that.” I didn’t object.

And then he followed up with: “And any recollection of hearing or learning that he was expecting any kind of position in a future political administration, knowing that there was nothing in the 3500 materials related to that and knowing an objection that was sustained could elicit a belief that he would do that?”

The witness answered, “I do not have a recollection of that other than — let me rephrase that. I have a recollection of that being reported in the media.”

I objected. Your Honor, they had met with this witness four times. They had pretried him twice. There was nothing in the 3500 material to suggest that he had any belief of that or any recollection or any connection.

And it’s another instance in a litany of instances that’s suggesting to the jury topics and issues that were the subject of your ruling. And I, you know, particularly  with the potential testimony of Mr. Sussmann coming up, I don’t know what else to say or to do, and we’ll consider filing a motion. But I wanted to raise the issue, and I take no joy in continuing to do this. But I cannot stand by while it continues to go on.

DeFilippis at first tried to excuse blowing off Cooper’s ruling by saying that the rules for cross-examination are different. But not if the witness was originally a witness for the prosecution.

THE COURT: Counsel?

MR. DeFILIPPIS: Yes, Your Honor. I guess we’re glad that Mr. Berkowitz raised it in the sense that, you know, typically the rules for cross-examination are different from evidence presented in a case in chief. And if there is a good-faith basis to ask — inquire as to knowledge of a matter, Your Honor, the government didn’t phrase the question tethered to any email or refer to any hearsay.

It was just inquiring as to knowledge and then inquiring as to whether that fact would be relevant to what  it is that Mr. Grasso’s interactions with Mr. Joffe were.

So if, again if the Court wants —-

THE COURT: Counsel, I don’t disagree with that, but you got to have a good faith basis for asking the question. Right? And if you prepped this guy and he’s never said anything about it, then there’s no good-faith basis. Okay? Him reading it in The New York Times or whatever is not a good-faith basis.

Then DeFilippis claimed that the question — which came after two earlier ones in which he asked Grasso questions about things he had “heard of” — was not deliberately intended to elicit such a response.

MR. DeFILIPPIS: Yeah, and to be clear, Your Honor, the portion where he said he read in the — we didn’t know that, and we wouldn’t have intentionally elicited something from a press account. So we will certainly be careful.

THE COURT: He was the defense’s witness here, but he was on your witness list. You should have known. If there was a basis to ask that question, you should have known what it was.

MR. DeFILIPPIS: Yeah. Understood, Your Honor.

Only after this exchange on prosecutors using someone who had originally been a government witness to invite speculation did Cooper exclude the entire email discussion involving Heide.

THE COURT: In that vein, let’s go back to GX-132 the admission of the email did not sit well with me yesterday, and it still does not sit well with me.

The Court ruled that the document was [sic] hearsay originally because it contained a question and a request, as opposed to an assertion. But the Court made clear in its order that, in order to be admitted, it would still need a proper foundation. The witness through which the document ultimately was admitted, albeit not without an objection from the defense, was Mr. Heide, who, as far as I could tell, had no personal knowledge whatsoever of the email. He didn’t know Mr. Joffe. He didn’t know the researchers who received it. He obviously was not a party to the email. So frankly, I don’t see how he could testify to that email in his personal knowledge as required by Rule 602.

So for that reason, I don’t think it was properly admitted through that witness. As I said yesterday, we had expected at least two of the researchers to testify based on who was on the government’s list. And I think it would have been properly admissible through those people to explain how the data came into being  as the Court ruled prior to trial. So I am going to exclude that email as well as any testimony by Mr. Heide describing his interpretation or views or thoughts on the email. Okay?

Conspiracy theory

This repeated defiance of Judge Cooper was treated as one after another evidentiary issue, usually prosecutors sneaking in hearsay with no basis. Ultimately, however, it was about a more basic ruling Judge Cooper had made, that this trial would not be about a conspiracy theory that Durham wanted to criminalize without charging.

As Berkowitz observed in his close,

This case is not about a giant political conspiracy theory. It’s about a short meeting.


So the people who were part of this large political conspiracy theory are the people at HFA, Rodney Joffe, and Fusion GPS. They’re the people that are supposedly involved in this conspiracy.

There will be a lot said about this trial, no matter the verdict. But the serial defiance of the Durham prosecutors was a successful attempt to do something else that Judge Cooper had prohibited: to criminalize, under a conspiracy theory, perfectly legal behavior.


Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

The Visibility of FBI’s Close Hold: John Durham Will Blame Michael Sussmann that FBI Told Alfa Bank They Were Investigating

The Staples Receipt and FBI’s Description of Michael Sussmann Sharing a Tip from Hillary

“and” / “or” : How Judge Cooper Rewrote the Michael Sussmann Indictment


“and” / “or” : How Judge Cooper Rewrote the Michael Sussmann Indictment

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

I’ve been tracking a dispute about the jury instructions in the Michael Sussmann trial, but only got time to check the outcome last night. At issue was whether some of the extraneous language from the indictment would be included in the description of the charge.

Here’s the language the grand jury approved in the indictment.

O]n or about September 19, 2016, the defendant stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning a Presidential candidate, when in truth, and in fact, and as the defendant knew well, he was acting on behalf of specific clients, namely, Tech Executive-1 and the Clinton Campaign. [my emphasis]

Sussmann had wanted the instructions to include that language claiming Sussmann was lying to hide two clients.

Mr. Sussmann proposes modifying the last sentence as follows, as indicated by underlining: Specifically, the Indictment alleges that, on or about September 19, 2016, Mr. Sussmann, did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI, in violation of 18 U.S.C. § 1001(a)(2), namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Donald Trump, when, in fact, he was acting on behalf of specific clients, namely, Rodney Joffe and the Clinton Campaign.5 The government objects to the defense’s proposed modification since it will lead to confusion regarding charging in the conjunctive but only needing to prove in the disjunctive.

When Judge Cooper instructed the jury, however, he rewrote the indictment approved by the grand jury to reflect that maybe Sussmann was just hiding one client.

Specifically, the Indictment alleges that in a meeting on September 19, 2016, Mr. Sussmann did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI in violation of 18 USC 1001(a)(2); namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Alfa-Bank and Donald Trump, when, in fact, he was acting on behalf of specific clients, namely Rodney Joffe or the Clinton Campaign. [my emphasis]

Now, perhaps there was some discussion I missed finding that the government only had to prove Sussmann was hiding one client — the disjunctive proof business, above. And perhaps it will not matter — I think Sussmann’s team raised plenty of issues with Jim Baker’s credibility such that the jury will find the whole prosecution preposterous, but I also think Durham’s team may have thrown enough cow manure at the jury to stifle rational thought.

But this slight change — unilaterally replacing “and” with “or” — seems to intervene to help Durham recover from one of the most abusive aspects of the prosecution, his failure to take basic investigative steps before charging Sussmann.

As I’ve repeatedly shown, Durham did nothing to test Michael Sussmann’s sworn explanation for his meeting with Jim Baker — that he wanted to give the FBI an opportunity to intervene before a shitshow story happened during election season — before charging. He spent months and months after the indictment scrambling to find the documentation for the efforts the FBI made to kill the NYT story (and ultimately only found part of that documentation), evidence he should have consulted in advance.

Durham also never subpoenaed Jim Baker for related materials before charging this.

Those two facts are how it was possible that Baker only discovered the September 18, 2016 text in which Sussmann explained he was trying to help the FBI on March 4, 2022, almost six months after the indictment (though Andrew DeFilippis misrepresented this at trial).

We also know from Sussmann’s discovery requests that Durham did little to explore Rodney Joffe’s relationship with the FBI before charging. While Durham knew that Joffe had been an informant — and had forced FBI to remove him as such, allegedly as retaliation because Joffe wouldn’t cooperate with Durham’s investigation — it’s not clear whether Durham had found two instances where Joffe had offered up more information about the Alfa Bank allegations to an FBI agent (not his handler) who knew his identity and could easily have shared it with investigators.

In other words, even if you think Sussmann was attempting to hide the Hillary campaign’s role in the underlying allegations (which is different from hiding the campaign’s role in the meeting with the FBI, though Durham’s team surely hopes the jury misses the distinction), the trial actually presented a fair amount of evidence that Sussmann wasn’t hiding Joffe’s role. The FBI knew of Joffe’s role within days of Sussmann’s meeting.

For months, Durham has been spinning a wild conspiracy theory claiming Joffe had direct ties to the Hillary campaign that he simply didn’t have. That is the conspiracy theory he laid out in the indictment. That is the conspiracy theory he should be held to.

But Cooper rewrote that part of the indictment such that Durham is not being held to his own conspiracy theories when it matters.


Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

The Visibility of FBI’s Close Hold: John Durham Will Blame Michael Sussmann that FBI Told Alfa Bank They Were Investigating

The Staples Receipt and FBI’s Description of Michael Sussmann Sharing a Tip from Hillary


The Staples Receipt and FBI’s Description of Michael Sussmann Sharing a Tip from Hillary

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

Both sides in the Michael Sussmann case will give their closing arguments today. I’ll try to watch the live tweets, but will be driving around Achill Island so likely will have little Internet access.

I have yet to see the jury instructions, which will dictate a few details of the closing arguments. Most important — as I have noted before — is whether Durham will have to prove the actual allegations in his indictment.

Mr. Sussmann proposes modifying the last sentence as follows, as indicated by underlining: Specifically, the Indictment alleges that, on or about September 19, 2016, Mr. Sussmann, did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI, in violation of 18 U.S.C. § 1001(a)(2), namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Donald Trump, when, in fact, he was acting on behalf of specific clients, namely, Rodney Joffe and the Clinton Campaign.5 The government objects to the defense’s proposed modification since it will lead to confusion regarding charging in the conjunctive but only needing to prove in the disjunctive.

4 Authority: Indictment.

5 Authority: Indictment.

Durham’s single witness is the only one who claims to have remembered this meeting, but he has had about six different memories of the meeting, and Sussmann made a really good case that Baker’s evolving testimony (as well as that of several other witnesses) is an attempt to avoid legal jeopardy himself. Sussmann has shown a receipt that did not bill his $28.00  taxi to Hillary, and I believe he affirmatively took the meeting time off his bill to Hillary before the election (though I need to check the records).

That leaves Durham with a September 13, 2016 $12.99 receipt for two thumb drives and a Google map from his office to Staples to buy it.

BY MR. KEILTY: Q. Ms. Arsenault, what, generally, is this document?

A. This is an expense report we received from Perkins Coie.

Q. And can you walk the jury through the information in this document.

A. Sure. In the top left corner, the report name is “Purchase of flash drives” on September 13, 2016. The expense owner is Michael Sussmann. The submission date is September 22nd in 2016. If you go all the way down to the allocation summary, the allocations charged is 116514.0001, confidential, for $58.56.

Q. Ms. Arsenault, in your review of records, have you seen that number under the allocations charged, the 116514.0001 number before?

A. I have. Q. Is that related to a certain client?

A. Yes.

Q. What client is that?

A. It’s Hillary For America.

MR. KEILTY: Okay. Mr. Algor, can we next look at Government Exhibit 553.19 — I’m sorry, can you leave it there. (Pause) Can you go down to the next document in 380.

(Pause) Okay. And could you go down to the next document, please, in the same exhibit. Could you blow this up, please.

Q. Ms. Arsenault, what is this particular document?

A. This is the receipt for the expenses reflected in the previous two pages of the expense report.

Q. And was this receipt contained in the records the government obtained from Perkins Coie?

A. It was.

MR. KEILTY: And if you go about halfway down the document, Mr. — sorry, the receipt. Could you blow up the section where it says “PNY 2 Pack,” Mr. Algor. Thank you.

Q. Ms. Arsenault, I think you might have said this, but where is this receipt from? A. Staples.

Q. And what does the blown-out part say?

A. “PNY 2 pack 16GB,” as in gigabyte. And then there’s a UPC code. And the cost was $12.99.

MR. KEILTY: Okay. And moving out of that, can you just blow up the address of the Staples.

Q. Okay. And what’s the address?

A. 1250 H Street N.W., Suite 100, Washington, D.C., 20005.

MR. KEILTY: Okay. And can we please pull up Government Exhibit 553.19 in evidence.

Q. Ms. Arsenault, what are we looking at in Government Exhibit 553.19?

A. This is a disbursement report from the billing records from Perkins Coie.

Q. Okay. And can you walk the jury through this — the blown-out part of this report.

A. The client assigned for this disbursement is Hillary For America. The matter is General Political Advice under 116514.0001. And the description is “Sussmann, Michael A. – M. Sussmann, purchase of new, single use flash drives for secure sharing of files, 9/13/2016.”

Q. Okay. And finally, Ms. Arsenault, I’m going to show you what’s been marked for identification as Government Exhibit 63, which will show up on your screen. Ms. Arsenault, what is Government’s Exhibit 63?

A. It’s a Google map displaying the directions between the office for Perkins Coie to the address listed on the Staples receipt.

Q. And did you create Government Exhibit 63?

A. I did.

Q. And how did you create Government Exhibit 63?

A. I went on Google and I typed in both addresses, and I printed the result.

MR. KEILTY: Your Honor, the government would move Exhibit 63 into evidence.

MR. BOSWORTH: No objection.

THE COURT: So moved.

MR. KEILTY: Mr. Algor, can you blow that up.

Q. Okay. And, Ms. Arsenault, on this map Perkins Coie is listed, is that correct, with the red dot?

A. Yes.

Q. And then there’s a series of blue dots, which apparently lead to a blue bubble; is that correct?

A. Yes.

Q. And what is that blue bubble? What address is that?

A. The blue bubble represents the address listed on the Staples receipt, which is 1250 H Street N.W., Washington, D.C., 20005. [my emphasis]

I expect Durham introduced the map to show that Sussmann went to buy these thumb drives immediately after some phone call or meeting.

As described, there are so many ways to explain these thumb drives. Remember: Sussmann admits he shared the story with the press and wanted it to come out. What he denies is that his intent in going to the FBI was in getting them to investigate to serve the story.

Durham will also claim, probably falsely, that Fusion or Sussmann had to have told Mark Hosenball about the investigation; I know of no evidence that’s the case, Durham’s repeated efforts to misrepresent the timeline on Fusion emails suggests he doesn’t have that evidence, and plenty of reason to believe there are other ways he could have learned about this.

Perhaps Durham has more somewhere.

But, particularly depending on the outcome of that jury instruction, even that receipt may not be enough. That’s because Sussmann has presented this piece of proof about how the FBI understood his tip.

One of the first people to respond to this tip (this text is likely in UTC, not ET, so this is likely at 4:31 on September 19, four hours after the meeting) understood it to be:

  • A tip about a Trump company, not Trump himself
  • From the DNC and Clinton
  • Bringing information a private cyber group had identified

That is, whatever Sussmann said in the meeting with Jim Baker, the best representation of what the FBI understood showed him identifying both his possible clients. And identifying a tip not about Trump himself, but his corporate person and a Russian bank that the FBI understood to have ties to Russian intelligence.

It’s hard to claim this alleged lie was material if the FBI responded to it as if he had fully disclosed both Hillary and private researchers like Rodney Joffe’s role in it.

Update: Corrected two errors (the UTC conversation and a spelling error). To make up for not covering the trial live, here’s my excuse

Update: Here’s Sussmann’s Rule 29 motion for a judgment of acquittal. This is a routine motion defendants always file. Because of the political nature of the case, Judge Cooper would never grant it. And there’s nothing terribly exciting in it.


Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

The Visibility of FBI’s Close Hold: John Durham Will Blame Michael Sussmann that FBI Told Alfa Bank They Were Investigating

The Visibility of FBI’s Close Hold: John Durham Will Blame Michael Sussmann that FBI Told Alfa Bank They Were Investigating

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months work. 

According to an exchange at the end of they day yesterday, John Durham’s team plans to introduce “a hundred” exhibits through their paralegal acting as a summary witness today.

My understanding is that the defense objects to the PowerPoint presentation style of the process. But, again, we think it just streamlines it in terms of — the alternative is to have to put literally a hundred exhibits in through Ms. Arsenault one at a time.

Given the exhibits from Monday, I assume Durham will throw a bunch of Fusion documents at the jury in an attempt to insinuate, once again, that Michael Sussmann shared with the press that the FBI was investigating the Alfa Bank anomaly.

The coming onslaught of Fusion documents

I say that because Mark Hosenball wrote the FBI for comment at 1:33PM on October 5, 2016, attaching the Mediafire package, asking for comment and noting that, “it has been suggested to me that this information and scenario is under careful investigation by the FBI.”

Hosenball’s email to the FBI puts it right at the beginning (in red, below) of the known universe of Fusion emails we’ve seen from that day, the timestamps of which Durham has repeatedly tried to obscure. (Maybe while paralegal Kori Arsenault is on the stand, Sussmann’s team can ask her why Durham’s exhibits misleadingly don’t correct for UTC.)

That said, there’s still a Hosenball email unaccounted for in which he shared one of the publicly available links to Tea Leaves packaged data. It’s quite possible that email precedes Seago’s question to Fritsch, which is currently the earliest email in the list, asking whether one of the i2p sites hosting the data was safe. See this post for background.

5:23PM (likely 1:23?): Seago to Fritsch, Is this safe?

1:31PM: [not included] Fritsch to Hosenball email with Alfa Group overview

1:32PM: Fritsch sends Isikoff the September 1, 2016 Alfa Group overview (full report included in unsealed exhibit)

1:33PM: Hosenball to FBI, “careful investigation by the FBI”

1:33PM [not included] Fritsch to Hosenball, “that memo is OTR — tho all open source”

1:35/1:36PM: Hosenball replies, “yep got it, but is that from you all or from the outside computer experts?”

1:37PM: Fritsch responds,

the DNS stuff? not us at all

outside computer experts

we did put up an alfa memo unrelated to all this

1:38PM: [not included] Hosenball to Fritsch:

is the alfa attachment you just sent me experts or yours ? also is there additional data posted by the experts ? all I have found is the summary I sent you and a chart… [my emphasis]

1:41PM: [not included] Fritsch to Hosenball:

alfa was something we did unrelated to this. i sent you what we have BUT it gives you a tutanota address to leave questions.  1. Leave questions at: [email protected]

1:41PM: [not included] Hosenball to Fritsch:

yes I have emailed tuta and they have responded but haven’t sent me any new links yet. but I am pressing. but have you downloaded more data from them ?

1:43PM: [not included] Fritsch to Hosenball, “no”

1:44PM: Fritsch to Lichtblau:

fyi found this published on web … and downloaded it. super interesting in context of our discussions

[mediafire link] [my emphasis]

2:23PM: [not included] Lichtblau to Fritsch, “thanks. where did this come from?”

2:27PM: [not included] Hosenball to Fritsch:

tuta sent me this guidance


Since I am technically hopeless I have asked our techie person to try to get into this. But here is the raw info in case you get there first. Chrs mh

2:32PM: Fritsch to Lichtblau:

no idea. our tech maven says it was first posted via reddit. i see it has a tutanota contact — so someone anonymous and encrypted. so it’s either someone real who has real info or one of donald’s 400 pounders. the de vos stuff looks rank to me … weird

6:33PM (likely 2:33PM): Fwd Alfa Fritsch to Seago

6:57PM (like 2:57PM): Re alfa Seago to Fritsch

7:02PM (likely 3:02): Re alfa Seago to Fritsch

3:27PM: [not included] Fritsch to Hosenball cc Simpson: “All same stuff”

3:58PM: [not included] Hosenball to Fritsch, asking, “so the trumpies just sent me the explanation below; how do I get behind it?”

4:28PM: [not included] Fritsch to Hosenball, “not easily, alas”

4:32PM: Fritsch to Hosenball, cc Simpson:

Though first step is to send that explanation to the source who posted this stuff. I understand the trump explanations can be refuted.

So I assume that Durham will argue that Fusion must have passed on the information that the FBI was investigating — and they may have! (though none of the currently public emails reflect that — and suggest that was all part of Michael Sussmann’s devious plan on September 19.

When, under threat of prosecution, an attempt to prevent politicization turns into an attempt to hide political bias

That’s where things will get interesting. One key dispute in this case is why one keeps secrets. Durham wants to argue that keeping secrets can only serve a political purpose.

Sussmann will argue that keeping secrets facilitates national security interests.

Sussmann will show that everyone at the FBI recognized the value, to the FBI, of stalling a newspaper article about a potentially important threat so the FBI could covertly investigate it. All the more so during election season when — investigation after investigation into the Russian investigation has shown — the FBI was, if anything, being too careful in an attempt to avoid impacting Trump’s political fortunes, even while Jim Comey was tanking Hillary’s campaign. According to Sussmann’s own sworn testimony — testimony that Durham didn’t bother testing before charging Sussmann — allowing the FBI the opportunity to do that was the reason Sussmann shared the Alfa Bank anomaly with the FBI. Durham wants to imprison Sussmann for giving the FBI that heads up, arguing that because he hid his purported clients, it led the FBI to open a Full Investigation more quickly than they otherwise would have (even though, as Sussmann’s team has demonstrated, the FBI did nothing that would have required a Full Investigation in the short period during which they investigated).

A key part of that story Durham wants to tell — needs to tell, given all the evidence that the FBI perceived this to be a DNC-related tip — is that some of his key villains were attempting to hide the perceived political nature of the tip, rather than ensuring the integrity of the investigation itself (or possibly, but I’m still working on this, protecting the identity of a CHS).

Central to that narrative is the changing testimony of FBI Agent Ryan Gaynor — his stated reasons for refusing to let the case agents in Chicago interview either Sussmann or Georgia Tech professor David Dagon. In an interview on October 30, 2020 (a week after Durham had been granted Special Counsel status), Gaynor explained that he had intervened to make sure agents couldn’t conduct interviews that would have led to a more robust investigation to ensure the integrity of the investigation.

Q. Okay. So you remember telling the government that you believed that the agents in Chicago would have been biased by Mr. Sussmann’s perception of the issue — the source’s perception of the issue if they had interviewed him before they got all of the data and analyzed it?

A. Yes.

Q. Okay. And that’s because, at the time, you believed the DNC was the source of the information itself. Right?

A. That’s because, at the time, I believed that he was a DNC attorney associated with the Democratic party and it would be potentially highly-biasing information.

Q. And you told the government, if you had provided the identity of the DNC as the source of the information, they would have known there was possible political motivation. rignt?

A. I recall that exact statement.

Shortly after he gave this testimony, prosecutors took a break, and told his lawyer they were moving towards treating Gaynor as a subject of, rather than just a witness in, the investigation.

Q. Okay. Well, at or around the time you were talking about passing along the source’s name or not, you took a break in the meeting. Do you remember taking breaks during the meeting?

A. I do.

Q. And do you remember when you broke at that point that the government told your attorney that your own status in the investigation had changed. Do you remember hearing that?

A. So I didn’t hear that, but when my attorney came back in, he advised me that my status was in jeopardy.

After that, Gaynor went back, looked at two sets of scribbled notes (Gaynor, because he remains at FBI, was able to review his notes, unlike a number of other Durham witnesses), and decided that now that he thought about it, Jonathan Moffa had actually instructed him to keep a close hold on Sussmann’s identity. It wasn’t his decision anymore, it was Moffa’s, and the dastardly Peter Strzok was in on it. Once Gaynor testified that way, he became a — to Andew DeFilippis, anyway — credible witness again.

Q. Okay. And when you told the government there was a close hold, were you told that your status changed back to being a witness?

A. At the conclusion of the interview, once I had gone over all of the material that I brought and walked through what I had reconstructed and what I could recollect after doing so, I was informed that my status had changed, yes.

Q. Changed back to being a witness?

A. To a witness, yes.

Q. So you go into meeting one being told you are a witness, telling them you decided not to share the agents’ names among other things. Then you are told you are a subject facing criminal charges, potentially. You come back. You tell them about a close hold, and you go back to being a witness; is that right?

Politico may have been the only outlet that described this fairly shocking testimony.

These conflicting claims about the purported reasons to keep Sussmann’s identity (as opposed to the investigation itself) a secret are important background to that Hosenball email on October 5, which I suspect Durham will use to claim that the Democrats were leaking about the investigation.

Starting almost immediately after getting the investigation, Chicago case agents started asking to interview the source, variously defined to be either Sussmann or the person who wrote the white paper. Gaynor kept pushing the agents to go review the logs again — though the file memorializing the contents of what it describes as a single thumb drive (Sussmann shared two) was not written up until October 4. But then, by October 5 (the same day that Hosenball asked the FBI for comment, albeit this report comes in four hours later), FBI had learned from one of their confidential human sources that David Dagon had a role in the white paper and he — and the FBI’s own source! — would be going public pushing the credibility of the allegations.

In that email, newbie agent Allison Sands explained that they were going to contact Dagon.

So, among other things, on the same day Hosenball writes in reflecting an awareness that there was an ongoing investigation, the FBI hears from a CHS who says he or she has already been talking with David Dagon and was going public backing the claims (though this source was speaking to the WaPo, not Reuters).

Note that, as of that date, the FBI still hadn’t received logs from Listrak.

By the time Allison Sands wrote that email, it appears from Lync messages that like others probably haven’t been noticed to reflect UTC time zone, had already contacted Rodney Joffe’s handler to contact Dagon.

Fun with missing Bates stamps

Side note. There are actually two versions of the notes that purportedly caused Gaynor to change his mind about there being a close hold and on what source that close hold was on. There’s Defense Exhibit 524, which has a slew of Bates stamps, and 7 redactions.

And then there’s a page from Government Exhibit 279, which appears between a page with Bates stamp SC-6454 and one with Bates stamp SC-6456, which has no Bates stamp at all (and lacks the protective order stamp that appears on the other pages of the exhibit).

That version of the exhibit has just four redactions, one of which is smaller. The unredacted bits on the exhibit reveal discussions of the informant and recognition that the statements of the informant “likely triggered” the press attention.

Incidentally, Durham’s team took an entire day to upload this set of exhibits. I’m wondering if the exhibit that was viewed by Gaynor and entered into evidence actually looked like this one does.

Calling the agent of a foreign agent to ask for comment

There’s one other thing going on. On the stand, Gaynor spent a great deal of time explaining about how important it was to hide an investigation — particularly from anyone who might have a partisan interest — during an election.

Except for all the talk of a close hold, the FBI wasn’t holding this very close. They were stomping around to a bunch of sources asking for data logs, even before they had checked what was on (one of) the thumb drives that Sussmann had dropped off. They fairly demonstrably were stomping around before they understood what they should be looking for.

They also were calling Mandiant, which was working for Alfa Bank, which by October 19 when they were formally interviewed discovered Alfa Bank had no logs, but which knew of the investigation by October 5.

Q. Uh-huh. You testified about the reasons why you’d want to keep it covert, you wouldn’t want to do anything that could affect the election so close to the election. Right?

A. Yes.

Q. The FBI, as part of the Alfa-Bank investigation, talked to a number of different individuals outside of the FBI to acquire information, to get you information so that you could investigate the allegations. Right?

A. Yes.

Q. Okay. You spoke to people at Central Dynamics?

A. Yes, and I believe the investigative team documented in the email that I saw that they had done it in a manner to attempt to avoid it outing the allegation.


A. I’m sorry?

Q. And how is that that they could conduct an interview with a third party in a way that the third party wouldn’t tell other people about it?

A. They described it in a manner that they had obfuscated what their direct interest was.

Q. So from the Central Dynamics’ perspective, they didn’t know what you were looking at?

A. That is what I had in the email chain, yes. n

Q. But you testified that the FBI interviewed Mandiant as part of the investigation. Correct?

A. Yes. My understanding there is that was a private liaison relationship that occurred.

Q. Mandiant — just to be clear — Alfa-Bank itself hired Mandiant to analyze whether there was a secret communications channel. Correct?

A. Yes.

Q. So Alfa-Bank paid Mandiant to look into whether there was a secret communications channel. Right?

A. Yes.

Q. And Alfa-Bank obviously had a relationship with Mandiant that was put at issue by hiring Mandiant. Right?

A. Yes.

Q. Okay. So the FBI went to Alfa-Bank’s paid consultant and asked them for their view on the allegation. Correct?

A. I believe the FBI had a prior relationship with one of the employees, and they utilized that in the field. Plus, I don’t think the Bureau would violate policy on a sensitive investigative matter when the Chief Division Counsel of the office is involved. So I would assume that they did that in a manner that they did not feel would be alerting or go to the media.

Q. Mr. Gaynor, the FBI in this investigation went to Alfa-Bank’s paid consultant and asked them for their views of the allegations. correct?

A. Yes.

Q. And Alfa-Bank’s paid consultant could have told Alfa-Bank. Correct?

A. Yes.

Q. And could have told the press for all you know. Correct?

A. Yes. And I don’t know how Chicago mitigated that.

Q. And is it your testimony that going to Alfa-Bank, the Russian bank that is the focus of this investigation, and asking their paid consultant for their views on the matter wasn’t going to overt?

A. Again, I don’t know how Chicago mitigated that issue.


Q. Did you ever have a conversation with anybody at headquarters about whether to provide the names of the source to the Chicago agents?

A. Yes. There was a conversation about the close hold, as I mentioned, although it wasn’t correctly, I guess, documented between Pete Strzok, myself and Mr. Moffa at some point during that time period.


Q. And the reason that you say no one talked to him is because, as of that point, October 6th, you had already concluded that there was nothing to these allegations. Right?

A. As of October 5th, evening of October 5th, we had come to a pretty solid conclusion that these allegations did not have merit and there wasn’t a national security threat.

Q. Are you aware that the agents first interviewed Alfa-Bank’s paid consultant, Mandiant, merely two weeks later on October 19th?

A. So I’m aware that we had information from Mandiant as of October 5th that they had looked at this allegation and found that it didn’t have merit. And then I’m also aware that there was an interview that was conducted later, October 19th or so, when I was made aware of it, yes.

A text between Allison Sands and Scott Hellman reflects the FBI had contact with Alfa Bank by October 4.

It appears that contact occurred in London — a place where Mark Hosenball has strong source ties since the time in 1976 when he got expelled for reporting on Northern Ireland.

In other words, Gaynor’s currently operative stance is that case agents couldn’t contact David Dagon — much less Rodney Joffe, who had business ties with the FBI — to find out what was going on, because that would present a conflict.

But it was okay for the FBI to contact the agent of the subject of the investigation overtly.

Agent Gaynor belatedly rediscovers the Mediafire package

Incidentally, when that original request for comment from Hosenball came in, it got transferred to people in the cyber division, then shared with the investigative team. In response, the senior-most person on that team sent it to Peter Strzok. Strzok forwarded it, at 3:02 on October 5, to Ryan Gaynor.

On October 13, just over a week after he had originally received it, Gaynor sent the Mediafire package to the case team, noting that the observations in it reflected actions taken in response to their investigation, but asking for their technical opinion.

He included Moffa and Joe Pientka on that email.

But not Strzok, who knew he had received it 8 days earlier.


Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months work. 

There’s accumulating evidence that at least some people — including some key decision-makers — believed the FBI believed that the Alfa Bank tip came from the DNC — and that Andrew DeFilippis has engaged in a lot of coaching to try to make that evidence go away.

The first time FBI Agent Ryan Gaynor testified to John Durham about the investigation into the Alfa Bank anomaly in October 2020, he told prosecutors that the DNC was the source of the allegation.

Q. Okay. So in your first meeting with the government, you — this is October of 2020, correct?

A. Yes.

Q. You told them multiple times that you believed that the Democratic National Committee was the source of the allegations of connections between Alfa-Bank and Russia, correct?

A. Correct, which was wrong.

Q. Okay. But you said that you thought the Democratic party itself was who provided the information, correct?

A. I did say that in the meeting.

That’s even what he has written down in a briefing document he kept in Fall 2016.

At the end of that October 2020 interview, prosecutors threatened Gaynor with prosecution.

His more recent testimony, starting for the first time on May 13, was that Sussmann was representing himself. The reason he now remembers that to be true goes to the heart of Durham’s materiality: it would have mattered if Sussmann was representing the DNC, so he must have been representing himself.

Q. Okay. I want to ask you, first, about testimony that you gave today where you said that when Mr. Moffa told you that Mr. Sussmann was a DNC attorney, you said, “I understood that to mean that he had been affiliated with the Democratic party but that he had come representing himself on the Alfa-Bank allegations.” Do you remember giving that testimony?

A. That was my take-away.

Q. And you gave that testimony that I just read?

A. Yes; that he was a DNC attorney, but that my take-away from that discussion was that he wasn’t there representing the DNC.

Q. When you were asked, “When Mr. Moffa said Mr. Sussmann was an attorney for the DNC, what impression did you come away with?” what did you understand that to mean? And your answer was: “I understood that to mean that he had been affiliated with the Democratic party, but that he had come representing himself,” right?

A. So he’s affiliated with the Democratic party because he was a DNC attorney.

Q. And your impression was he had come representing himself?

A. My take-away from that meeting, what I recall, is that I did not believe that he was there representing the DNC specifically because, had he been, that would have been information that would have impacted it.

This is a tautology: If Sussmann had been representing the DNC it would have mattered so it must be the case that Gaynor believed he was not representing the DNC. It also happens to be the central argument of DeFilippis’ materiality claim.

Meanwhile, Scott Hellman — Durham’s star cyber witness — received a text from his boss, Nate Batty (with whom he compared notes before his first interview with Durham), referring to the white paper as a “DNC report” on September 21, 2016, two days after Jim Baker received the materials.

Michael Sussmann lawyer Sean Berkowitz asked Hellman about that the other day. At first, Hellman expressed surprise about that text.

Q. All right. And then, with respect to Stranahan, he asks you and Nate to write a report about the — write a summary of the DNC report. Correct? That’s what it says?

A. That’s what it says in this chat, yes.

Q. And did you understand, sir, that the information had come from a DNC, meaning Democratic National Committee, source?

A. I did not understand that, no.

Q. Did you know what Nate Batty knew about it?

A. I don’t think he knew anything about it.

Q. Did you call up Tim and say, what a second. This is a DNC report? That’s political motivation.

A. No.

Q. Didn’t do anything or it didn’t occur to you?

A. The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from the DNC. I don’t remember DNC being a part of anything that we read or discussed.

Q. Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A. It’s in there. I don’t have any memory of seeing it.

Later in Berkowitz’ cross-examination he returned to the text. He asked how it could be that a white paper from a DNC lawyer could be referred to as a DNC report.

Q. And although you were surprised to see it today, it appears that at least somebody, such as Mr. Batty was aware and you were aware that somebody was calling this white paper a DNC report. Correct?

A. I was not aware that anybody was calling it a DNC report, and I don’t believe Mr. Batty knew that either.

Q. But you saw the link message. Right?

A. I did see the link message, yes.

Berkowitz asked Hellman how it could be that he would see a reference to a DNC report and not take from that it was a DNC report. Hellman describes “the only explanation that … was discussed” — which is that it was a typo.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

Q. Okay. You didn’t think that at the time. Right?

A. I did not. I had never seen it or had any memory of seeing it ever before it was put in front of me.

With some prodding, Hellman admitted that when he referred to “discussing explanations,” he meant doing so with Andrew DeFilippis. This exchange was, quite literally, Berkowitz eliciting Hellman to provide an answer that DeFilippis thought up — one necessary to sustain DeFilippis’ narrative — without, at first, admitting it was DeFilippis’ opinion of what the truth must be.

So after DeFilippis threatened Gaynor with prosecution, he came to remember something other than what the note, tying the white paper to DNC lawyer Michael Sussmann, that he used to “refresh his memory” said.

And when faced with the possibility, two years or maybe six after the fact, that Scott Hellman’s epically shitty analysis of the white paper could have been influenced by being told that it was a DNC white paper, Hellman offered up the explanation that DeFilippis offered him.

At least twice, then, under coaching from Durham’s lead prosecutor, key witnesses have come to believe something other than what the documentary evidence suggests.

The fact that DeFilippis has twice coached witnesses to deny any understanding at FBI that this was a DNC tip — whether it was a DNC tip or not — is really telling. That’s because DeFilippis has to try to pitch a nearly unsustainable position: how his single witness to Sussmann’s alleged crime, Jim Baker, can in 2016 have told Bill Priestap the following:

Q. I think you testified yesterday that by this time you were at least generally aware that Mr. Sussmann represented the DNC in connection with hacks; is that right?

A. That’s correct.

Q. And what, if anything, did you say to Mr. Priestap about that?

A. I think I told him like, okay, this is who Michael is. He’s represented the Democratic party in the Russian hack that we were also investigating and/or the Hillary Clinton Campaign. So just, again, to orient Bill to who Michael was. I mean, that’s a serious credential in terms of being a cyber security expert. And then to explain: But in this case he said he’s not appearing on behalf of them. In this case he’s coming in as a good citizen.

And then, in 2018, have told Jim Jordan the following:

Q. Mr. Jordan then says: “And he was representing a client when he brought this information to you or just out of the goodness of his heart? Someone gave it to him and he brought it to you?”

A. In that first interaction, I don’t remember him specifically saying that he was acting on behalf of a particular client.

Q. Did you know at the time that he was representing the DNC in the Clinton campaign?

A. I can’t remember. I had learned that at some point. I don’t, as I said — as I think I n said last time, I don’t specifically remember when I learned that — excuse me — so I don’t know that I had that in my head when he showed up in my office. I just can’t remember.

Q. Did you learn that shortly thereafter if you didn’t know it at the time?

And then testify last week this way.

Q. Okay. Number two, did you know on the September 19th, 2016 meeting that Mr. Sussmann had been representing Hillary For America’s campaign and the DNC in connection with the hack investigation. Did you know that on September 19th when he met with you?

A. Sitting here today, I think the answer is, yes, I did know that by that point in time.

Q. I’ve written down, “yes, DNC and HFA and hack”. I want to be really clear. You’re not saying that he said that in the meeting. correct?

A. Correct.

Q. And you’re not saying he said he was there on behalf of them? You’re just saying that in your mind you knew that he had been acting as a lawyer for those two entities in connection with the hack. Correct?

It’s not just a question of whether Baker will be a credible witness, though his wildly changing claims about the DNC are among the reasons why his testimony is not credible.

It’s also that Durham wants to point to Sussmann’s failure, a year earlier in a Congressional hearing, to offer up his ties with the Democrats as proof he was lying. But Durham is treating Baker’s failure to do so in the same situation as an innocent mistake. For his single witness to be credible, DeFilippis has to find a way to excuse Baker’s failure to offer that up in a far more direct question while pointing to Sussmann’s failure to offer it up as proof of guilt.

He has to do so to defend his prosecutorial decisions, too. Given how much stake DeFilippis has placed on Baker sharing with Priestap that he knew Sussmann represented the Democrats, it makes it far less credible that Baker didn’t knowingly lie to Jordan. Especially given the way Baker responded to a Berkowitz question, suggesting that perhaps he hadn’t been truthful with Jordan, but instead was “careful.”

Q. And when you gave voluntary information to Congress, you understood that you were under oath?

A. I don’t think I was under oath, but I understood that it’s a crime to make false statements to Congress.

Q. So you tried to be as careful as you could. Correct?

A. I tried to be as careful as I could in that environment, yes, sir.

Q. You tried to be as truthful as you could?

A. (No response)

Q. Tried to be as truthful as you could?

A. Yes, sir.

Sussmann’s team is going to argue that there are a long list of people against whom there is far better evidence for false statements or perjury charges than him, with the single difference being that the other people were willing to tell the storytale DeFilippis is using prosecutorial resources to tell. And the first person on that list — it makes me sick to my stomach to say — is Jim Baker.

Finally, it’s a matter of materiality. DeFilippis has to find a way for it to be the case that his single witness knew when he met with Sussmann that Sussmann was a DNC lawyer (because Bill Priestap’s notes reflect that), but didn’t view that to be material to everything that happened next.

And the only way to sustain that rickety narrative is to ensure that no one else — not even the people using documentary proof reflecting a belief that this was a DNC report to refresh faded memories — understood that the white paper came from the DNC.

Thus far, Sussmann’s cross-examination has elicited evidence that at least three witnesses changed their testimony after interviews with DeFilippis, adopting a “memory” that conflicts with the documentary record with regards to whether the FBI believed the white paper to be associated with the DNC.


Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months work. 

One of key piece of evidence to John Durham’s prosecution against Michael Sussmann are the notes that Bill Priestap took reflecting Baker saying that Sussmann, “said not doing this for any client.”

On the stand, Priestap remembered nothing about this meeting.

Baker, though, claims he remembers a bunch of things.

In response to Sean Berkowitz’s attempt to pin down his testimony the other day, Baker said that his meeting with Sussmann was thirty minutes long. That’s not actually a direct memory, it seems. It is one reconstructed, Baker says, from calendars and the chain of custody document.

Q. How long was the meeting?

A. Which meeting?

Q. September 19th, 2016

A. About 30 minutes.

Q. How sure are you of that?

A. I’m going from the calendar entries and the entries on that chain of custody document.

Q. Okay. Not from your memory? You’re looking at documents?

A. I remember it was a short meeting. I would view a 30-minute meeting as a short meeting.

The chain of custody document shows that Baker took possession of the thumb drives at 2:30PM on September 19, 2016.

There are problems with relying on the chain of custody document to reconstruct your memory though, because it was, itself, reconstructed after the fact, the next day. One FBI agent discussing this process even joked that this amounted to “doctoring” the chain of custody — and with it, six years later, doctoring Baker’s current memory.

Baker professes to be slightly more certain about his meeting with Priestap, at which he relayed what had happened in the meeting with Sussmann. Baker “immediately or very close afterwards” called Priestap and told him what happened in the meeting.

Q. Okay. Now, taking us back to our time period, 15 we’ve left you getting the information from Mr. Sussmann on the 19th, and you immediately or very close afterwards called Mr. Priestap?

A. Yes, sir.

And the meeting was ten or fifteen minutes long.

Q. How long was the conversation with Mr. Priestap?

A. I don’t think it was a very long conversation. Ten minutes, maybe, fifteen minutes, something like that.

That’s a problem for Durham’s narrative. That’s because according to Baker’s own calendar, he had a meeting immediately after the one with Sussmann. The meeting with Sussmann ended at 2:30, his calendar showed, which is what the “doctored” chain of custody document says. Immediately after that he had a meeting with someone named Rich.

In fact, per his calendar, Baker was busy straight through until 4PM (though it’s unclear from Baker’s calendar precisely when the meeting with Rich happened). And the first Deputies Committee meeting after his meeting with Sussmann — which is the best explanation for Trisha Anderson’s notes — happened the next day, on September 20.

I haven’t yet seen how Sussmann’s lawyers got this into evidence yesterday (I’m still working through the morning transcript). But it’s possible that Baker never refreshed his memory with this calendar.

That’s because this calendar was extracted from Baker’s Samsung phone by DOJ Inspector General’s Office back in 2018. This is the phone that Durham had been told about in real time in 2018 (when Durham was investigating Baker for something else), but nevertheless didn’t think to look for the phone before charging Sussmann, and so only found it four months after the indictment.

When confessing all this confusion to Judge Cooper (as I explained in this post), Durham explained he hadn’t taken the basic investigative step of reviewing the contents of Baker’s phone before charging Sussmann because his memory didn’t go back four whole years — or even two, which is when Durham started interviewing Baker in this investigation.

Paragraph 10(a)(ii) states: “[I]n early January 2022, the Special Counsel’s Office learned for the first time that the OIG currently possesses two FBI cellphones of the former FBI General Counsel to whom the defendant made his alleged false statement, along with forensic reports analyzing those cellphones.” Id. The Government wishes to provide some additional context for this statement.

After reviewing the Special Counsel’s Office’s public filing, the DOJ Office of Inspector General (“OIG”) brought to our attention based on a review of its own records that, approximately four years ago, on February 9, 2018, in connection with another criminal investigation being led by then-Acting U.S. Attorney Durham, an OIG Special Agent who was providing some support to that investigation informed an Assistant United Attorney working with Mr. Durham that the OIG had requested custody of a number of FBI cellphones. OIG records reflect that among the phones requested was one of the two aforementioned cellphones of the thenFBI General Counsel. OIG records further reflect that on February 12, 2018, the OIG Special Agent had a conference call with members of the investigative team, including Mr. Durham, during which the cellphones likely were discussed. OIG records also reflect that the OIG subsequently obtained the then-FBI General Counsel’s cellphone on or about February 15, 2018. Special Counsel Durham has no current recollection of that conference call, nor does Special Counsel Durham currently recall knowing about the OIG’s possession of the former FBI General Counsel’s cellphones before January 2022. [my emphasis]

Durham forgot that he knew about the phone.

And because he forgot that he knew about the phone until it was too late, it’s not actually clear whether Baker’s reconstructed memory has faced the fact that he could not have had a 30 minute meeting with Sussman followed by a 10 minute call with Priestap and still made his 2:30PM meeting with Rich.

And given that both Baker and Priestap have testified, it’s probably too late to doctor a new memory to explain this all.


Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Technical Exhibits, Michael Sussmann Trial

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months work. 

Most of my coverage during the Michael Sussmann trial will be trial related, describing what witnesses and exhibits say about the case.

But there are good reasons to question the conduct of the investigation — and that’s a topic a lot of people have independent interest in. So I wanted to start a running post on technical issues.

If there’s a link that doesn’t work, it probably means I’ve forgot to set permissions to public (some of this needs redaction before posting). Leave a comment or tweet me at @emptywheel.

FBI investigation

160921 Allison Sands’ Lync Notes (thru 161012)

160922: Scott Hellman/Nate Batty assessment

160923: Electronic Communication opening investigation

160923: EC plus all three shared documents

160926: Curtis Heide Lyncs

160926: Heide to Hellman, Hope our assessment is good

160926: Ryan Gaynor notes (includes details on election protection efforts)

161004: Kyle Steere document contents thumb drives

161005: Investigative update from Allison Sands


  • FBI conclusion on changing DNS records
  • FBI’s response to David Dagon’s defense
  • Logs from Cendyn, with Listrak still to come
  • Barracuda reference
  • Discussion of Tor node

161007: Sands Draft FD-1023 CHS Report

170118: Sands Closing Memo

170327: 302 interview Alfa Bank

Materials shared with FBI

White paper

DNS logs

62 pages of DNS logs

Trump Who Is

9 IP Addresses

15 Trump mail domains

160919 Expert White Paper

Joffe data requests (postdates original data in white paper)

160820: Antonokakis to DeJong requesting data (including dcleaks)

List of IP addresses

Alfa Bank script

160915: DeJong shares results with Joffe

170718: DeJong to Joffe: I have four jobs that look for Trump

Posts related to technical issues

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules