The Cultivation of Don Jr: A Framework to Think of the Russian Attack

Months ago, I started laying out a framework to provide background to explain how Trump has trained the GOP to hate rule of law, a key part of how he has brought us close to fascism. My weekend post on Bill Barr’s obfuscation about his role in Ukrainian matters (to which there will be a follow-up) started to fill in another of the remaining bullets.

Today, and in parallel, LOLGOP and I will begin to release some podcasts as we explain the important part: how all this brings us to where we are, with both Aileen Cannon and SCOTUS taking active measures [heh] to help Donald Trump avoid accountability.

So I need to explain how I think of the Russian attack.

Generally, people think of the Russian attack in the same way Robert Mueller set up Volume I of his Report:

  • Volume I Section II: [Dead] Yevgeniy Prigozhin’s social media campaign
  • Volume I Section III: GRU’s hack and leak campaign
  • Volume I Section IV: Russian Government contacts to the Trump campaign

Remember, his report was an explanation of prosecutorial decisions. It was only intended to determine whether things were crimes. It only included the prosecutorial decisions that had been concluded by Mueller. So, for example, the report itself didn’t describe the referrals sent to other districts, such as SDNY’s prosecution of Michael Cohen for financial crimes and hush money payments or EDNY’s prosecution of Tom Barrack on foreign agent crimes, which ended in acquittal; it remains unclear how much of these referrals show up in the referral section. Mentions of ongoing investigations, such as into the suspected $10 million payment to Trump from an Egyptian bank or evidence that Roger Stone conspired with Russian in the hack-and-leak, were relegated to the appendix or a footnote.

The SSCI Report instead considered whether these things posed a counterintelligence risk, rather than a crime. As such, they considered a long list of possible compromises, categorized both by people (like Paul Manafort or Maria Butina — the latter of whom was not included in scope of Mueller Report) and events (like the June 9 meeting). Viewed from that framework, having a guy who spent years implementing influence operations for Russian allies Manafort, work for “free” on the campaign looks quite different, like a grave counterintelligence risk to Donald Trump. Great swaths of that report — such as a section on Andrii Telizhenko’s influence operations, which may even have incorporated Bill Barr — remain redacted.

But as this effort to interfere in the US election proceeded, Russia conducted at least two (and, I argue, at least a third) devastating attacks on US intelligence, which had ties to the election year attack itself.

  • The Shadow Brokers release of NSA’s hacking tools, which (I was told but have not reconfirmed) shared one forensic link and has several human infrastructure links to the election attack
  • The Vault 7/Vault 8 release of CIA’s hacking tools, which in implementation continued a pressure campaign by Julian Assange rooted in the election year attack
  • A concerted campaign against the FBI, largely focused but not exclusively reliant on the Steele dossier

The Solar Winds attack, discovered in the last year of Trump’s presidency, could be another such attack, one used by Sidney Powell’s team (including Mike Flynn and Patrick Byrne) in their attack on democratic elections, one that stole Chad Wolf’s emails as he helped Trump discredit election integrity efforts, one Trump is using in his attack on rule of law. The attack was first initiated years earlier, possibly as early as 2016. But so little is known about the attack — aside from that it targeted a number of government agencies and court filing systems — that I will bracket that for now.

This sets up a structure something like this:

What Mueller includes in his contacts with Russia section is possible (and in some cases, definite) attempted recruitment. That kind of thing is a constant.

In advance of the Russian attack, however, Russian entities may have been behind a number of efforts focused on Trump and his associates. Deripaska worked a brutal double game that made it more likely to get Manafort’s cooperation, witting or not. Joseph Mifsud brokered ties to Russian officials for George Papadopoulos — leading to an (aborted) plan to set up a meeting with Putin’s team in London. A former GRU officer and two sanctioned banks got involved in Felix Sater’s pitch of a Trump Tower to Cohen, resulting in Dmitry Peskov collecting proof of Trump’s willingness to work with GRU before the Hillary hack was ever revealed. Someone dangled stolen emails before Roger Stone, ultimately giving him an advance peek — in exchange for what, we don’t know — but Stone started pursuing a pardon for Julian Assange no later than November 15 (and probably as early as October 3).

With the exception of the Manafort pitch (which leveraged his financial desperation), none of those pitches from Russia — whether they were backed by Russian spooks or not — would have required anything more than recklessness and venality from the Trump side. For example, in January, when Cohen called Dmitry Peskov to ask for Putin’s help finalizing the Trump Tower deal, Trump probably doubted he was going to win and there was no reason to be particularly alarmed by the GRU tie; but after the revelation that GRU hacked the DNC, after Trump got the nomination, the existence of the January call became potentially devastating. The Coffee Boy bragged to diplomats from three different countries that Russia was going to attack Hillary, which looked dramatically different when WikiLeaks released the stolen DNC emails (which is when the Australians shared their knowledge of it).

If I’m right that Russia deliberately used some of the same infrastructure in the hack-and-leak and the Shadow Broker operation, it would serve as a stick unveiled at precisely the moment Roger Stone bit on the carrot of advanced access to John Podesta emails, basically tying Stone’s outreach to an attack on the NSA.

Similarly, the unveiling of the Vault 7 release, which WikiLeaks (or an intermediary between Josh Schulte and WikiLeaks) sat on from May 2016 until March 2017, made Stone’s sustained commitment to winning a pardon for Assange all the more damaging. It is unknown whether Russia got an advanced look at those files (which would have provided a way to identify CIA’s assets in Russia), but Assange used a Deripaska-linked attorney to try to negotiate immunity in advance of releasing the files, tying its release to Russia.

Along with Stone, this entire operation came to a focus on Don Jr.

Obviously, there’s the June 9 meeting pitch, which again requires nothing more than recklessness from Don Jr, but which resulted in him receiving a pitch for sanctions relief in exchange for dirt on Hillary. “If it’s what you say I love it especially later in the summer.” Maria Butina similarly tried to pitch Trump’s son.

Don Jr, who joined some of the most rabid Trumpsters in validating the Prigozhin’s trolls, likewise would have represented an overlap between those trolling operations and the ones run by right wing extremists.

At least as interesting is the way Assange repeatedly incorporated Don Jr into his pitch. On September 20, WikiLeaks alerted Don Jr to an anti-Trump campaign and provided a password.

59. On or about September 20, 2016, at approximately 11 :59PM, Target Account 1 sent a private message to a high level individual associated with the Campaign (the “high-level · Campaign individual”). 4 The message stated: “A PAC run anti-Trump site ‘ ‘ is about to launch. The PAC is a recycled pro-Iraq war·PAC. We have guessed the password. It is ‘. See ‘About’ for who is behind it. Any comments?”

Jr passed it onto the campaign, making it clear he had accessed the site. This was the basis of the (totally appropriate) prosecution declination for Jr. only disclosed after years of FOIA challenge by Jason Leopold.

In October, at a time when WikiLeaks was rebuffing Stone’s outreach, WikiLeaks repeatedly suggested Don Jr push out links (and recommend his father do so too). A figure in the Douglass Mackey DM threads by the name of P0TUSTrump kept pushing those links as if in response.

The day of the election, WikiLeaks pushed Don Jr to convince his dad not to concede.

Hi Don; if your father ‘loses’ we think it is much more interesting if he DOES NOT conceed [sic] and spends time CHALLENGING the media and other types of rigging that occurred–as he has implied that he might do. He is also much more likely to keep his base alive and energised this way and if he is going to start a new network, showing how corrupt the old ones are is helpful. The discussion about the rigging can be transformative as it exposes media corruption, primary corruption, PAC corruption etc. We don’t like corruption ither [sic] and our publications are effective at proving that this and other forms of corruption exists.

On December 16, 2016, WikiLeaks pushed Jr to convince his dad to give Assange an Ambassadorship (which would amount to immunity).

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. Background:

As news of the June 9 meeting broke, WikiLeaks advised Jr to release his emails via WikiLeaks and also advised he reach out to Margaret Kunstler.

When these DMs were released on November 14, 2017, Assange tweeted out a follow-up to the December 2016 one, adding a threat by hashtagging, Vault8, the source code to the CIA files, a single example of which WikiLeaks had just released on November 9, 2017.

I read this as a concerted effort to shift from Stone to Don Jr. Whether Don Jr was actively soliciting this help or not, WikiLeaks made sure to tie Trump’s son to their plight, both publicly and privately.

Whatever else may have gone on between WikiLeaks and the failson, around the time that Mueller’s questions would have alerted Trump that he knew of the pardon pitches, at a time when WikiLeaks’ ties with Russia were under far greater scrutiny, Jr’s buddy Arthur Schwartz went after Cassandra Fairbanks, disabusing her of any hopes Trump would pardon Assange. She ultimately flew off to London to tell him.

None of this says that Don Jr conspired with Russia on the 2016 attack. What is says is that Russian assets systematically viewed him as an idiot that could be and was often useful. And Jr ended up connecting all the through-strands: he bridged the hack-and-leak and social media campaigns with the right wing lists, he reliably got his dad to act on his instructions, and then — as the cost of all this went up — Assange repeatedly targeted Jr as he increased the cost of the hack of the CIA, effectively extorting Jr as he started releasing CIA source code.

Even before I turn to the dossier, viewed this way, the Russian operation in 2016 isn’t so much about getting Trump elected. Rather, it’s about sowing irreparable polarization in the US that deliberately tied Trump’s people to the twin attacks on the Deep State — Shadow Brokers and Vault 7/8.

With little involvement beyond predictable recklessness and venality (and Don Jr’s stupidity), then, Russian assets implicated Trump’s people in attacks on the Deep State that raised the cost of their openness to Russian help in 2016, but which would have made any admissions by Trump all the more costly.

Russia didn’t need cooperation from Trump’s people (though they got it from at least Manafort and Stone and a certain idiot who proved useful). They just needed to make any already improbable conciliation impossible, impossible politically and impossible for a Narcissist like Trump to do. That would practically guarantee that Trump would attack the country to defend himself, his son, his ego.

That, in turn, would make the aftermath of the 2016 attack far more fertile for recruitment, because it would prioritize allegiance to Trump over allegiance to country.

emptywheel Makes CIPA History

Yesterday, Judge Aileen Cannon issued a surly order, acceding to Jack Smith’s request to protect witnesses. In reversing herself, Cannon scolded Smith for not making a more fulsome case to seal information.

Only now, after failing to meaningfully “raise argument[s] or present evidence that could have been raised” in these responses, Wilchombe, 555 F.3d at 957, the Special Counsel moves for reconsideration and argues, in no uncertain terms, that the Court committed “clear error” by applying an unobjected-to legal standard [ECF Nos. 267, 282]

Ultimately, Cannon argued the 11th Circuit precedent on this — but not on other — types of pretrial motions is undecided.

Having done so, the bottom line is this. The Eleventh Circuit has not specifically addressed the instant question: whether, in a criminal proceeding, the First Amendment qualified right of access attaches to discovery materials referenced or attached in support of a publicly filed Rule 12(b) motion to compel discovery under Rule 16. Nevertheless, the most faithful application of Supreme Court and available Eleventh Circuit authority is that Defendants’ MTC in this case is not subject to a public right of access, whether constitutional or common law in nature, because it is a still, ultimately, a discovery motion as distinct from a substantive pre-trial motion requiring judicial resolution on the merits.

Remember: One reason Trump has these materials to attempt to publicly release is because Smith was more generous in discovery than the rules require. Cannon did not permit Smith to seal information that would otherwise be Jencks, aside from information identifying witnesses.

The Court reaches a different conclusion as to the Special Counsel’s broad-based request to seal the substance of all substantive Jencks statements referenced in and/or attached to the MTC [ECF No. 278 p. 2 (arguing for wholesale sealing of potential witnesses’ statements to avoid “influenc[ing] the testimony of other witnesses or the jury pool”)]. By granting this sweeping and undifferentiated request—which the Special Counsel also raises in seal requests associated with Defendants’ substantive pretrial motions [See ECF No. 348 pp. 6–7]—the Court would be authorizing the categorical sealing of large portions of the record attached in support of critical
pretrial defense motions.

Meanwhile, in SDNY, I won (or rather, Judge Jesse Furman used my intervention (and that of Inner City Press) as an excuse to grant disclosure of something even more rare: Redacted transcripts from the CIPA 6 conference in the Josh Schulte case.

[T]he Court concludes that CIPA overrides any common law right of public access to the transcripts of a closed CIPA Section 6 hearing, at least where, as here, the court determines that the classified information may not be disclosed or used at trial. But the Court concludes that the public has a qualified right of public access to such transcripts under the First Amendment. It follows that the transcripts at issue here, redacted to protect national security or to preserve other higher values, must be unsealed.

As Furman noted, he had already disclosed some of this in a conference on jury instructions; he had distinguished those who disseminated already-released classified information if they knew it was classified (and therefore, by re-disseminating it, would confirm that it was classified) from those who did not have means to know.

I gave you two hypotheticals. I think one is where a member of the public goes on WikiLeaks today and downloads Vault 7 and Vault 8 and then provides the hard dive with the download to someone who is not authorized to receive NDI, and I posed the question of whether that person would be guilty of violating the Espionage Act and I think your answer was yes. That strikes me as a very bold, kind of striking proposition because in that instance, if the person is not in a position to know whether it is actual classified information, actual government information, accurate information, etc., simply providing something that’s already public to another person doesn’t strike me as — I mean, strikes me as, number one, would be sort of surprising if that qualified as a criminal act. But, to the extent that the statute could be construed to [] extend to that act one would think that there might be serious constitutional problems with it.

I also posed the hypothetical of the New York Times is publishing something that appears in the leak and somebody sharing that article in the New York Times with someone else. That would be a crime and there, too, I think you said it might well be violation of the law. I think to the extent that that would extend to the New York Times reporter for reporting on what is in the leak, or to the extent that it would extend to someone who is not in position to know or position to confirm, that raises serious constitutional doubts in my mind. That, to me, is distinguishable from somebody who is in a position to know. I think there is a distinction if that person transmits a New York Times article containing classified information and in that transmission does something that confirms that that information is accurate — right — or reliable or government information, then that’s confirmation, it strikes me, as NDI. But it just strikes me as a very bold and kind of striking proposition to say that somebody, who is not in position to know or does not act in a way that would confirm the authenticity or reliability of that information by sharing a New York Times article, could be violating the Espionage Act. That strikes me as a kind of striking proposition.

So all of which is to say I think I have come around to the view that merely sharing something that is already in the public domain probably can’t support a conviction under this provision except that if the sharing of it provides something new, namely, confirmation that it is reliable, confirmation that it is CIA information, confirmation that it is legitimate bona fide national defense information, then that confirmation is, itself, or can, itself, be NDI. I otherwise
think that we are just in a terrain where, literally, there are hundreds of thousands of people unwittingly violating the Espionage Act by sharing the New York Times report about the WikiLeaks leak.

Furman has given the government an opportunity to further redact the transcripts, but ordered them otherwise released on May 3 — meaning they’d be available before the follow-up hearing in the Assange extradition case, on which — because they pertain to the First Amendment — they may have bearing.

I’m not entirely sure this move is as unprecedented as Furman makes out. Some of the CIPA materials in the Scooter Libby case were released.

But particularly because this may affect the Assange extradition and particularly because the CIPA hearings in the Trump case are sure to be contentious, I would not be surprised if the government appeals this decision.

Thanks, again, to National Security Counselors’ Kel McClanahan to agreeing to argue this for me. You can support them here or here.

Update: Here’s my post explaining the High Court order inviting assurances about Assange’s First Amendment protections. DOJ has 6 more days to issue those assurances.

High Court Decision May Pose New Challenges to Julian Assange Prosecution

The British High Court today issued a ruling provisionally giving Julian Assange permission to appeal his extradition on three grounds. But before he can do that, the US has an opportunity to give assurances on those grounds to address specific concerns.

The court put everything on hold, then, for 55 days to allow that reassurance process to happen.

We adjourn the renewed application for leave to appeal on grounds iv), v) and ix). The adjournment is for a period of 55 days until 20 May 2024, subject to the following directions:

i) The respondents have permission to file any assurances with the court by 16 April 2024.

ii) In the event that no assurances are filed by then, leave to appeal will be granted on grounds iv), v) and ix).

iii) In the event that assurances are filed by 16 April 2024, the parties have permission to file further written submissions on the issue of leave to appeal, in the light of the assurances, such submissions to be filed by the applicant by 30 April 2024, and by the respondent and the Secretary of State by 14 May 2024.

iv) In the event that assurances are filed by 16 April 2024, we will consider the question of leave to appeal at a hearing on 20 May 2024.

One of those three grounds — that he might become eligible for the death penalty — will be easily dispensed with, as the US easily dispenses with similar concerns in terrorism cases.

When I first read the judgment, I assumed the other two issues would be similarly dispensed with easily (and the judges certainly seem inclined to grant extradition if they get appropriate assurances).

The third ground for appeal, after all, pertains to whether Assange will be treated as a defendant like an American would be. And since the Espionage Act doesn’t allow for content-based defenses, Assange would be no worse situated than any other Espionage Act defendant — arguably including Donald Trump (whose 2010 attacks on Assange were one basis for raising concerns about the death penalty).

But the second basis for appeal may be more tricky for the US to issue assurances.

It has to do with whether the First Amendment gives Assange equal protection to what he’d get under Article 10 of the European Convention on Human Rights.

The judges seem inclined to adopt Baraitser’s analysis that, so long as Assange can rely on the First Amendment, it would (and therefore that if the US says he can do so, the extradition can be approved).

However, we agree with the judge that extradition of the applicant would not involve a flagrant denial of his article 10 rights. In summary, that is because:

i) The First Amendment gives strong protection to freedom of expression, which broadly reflects the protection afforded by article 10 of the Convention. On the assumption that the applicant is permitted to rely on the First Amendment, it is not arguable that extradition will give rise to a real risk of a flagrant denial of his article 10 rights.

ii) Counts 1 to 14 and 18 concern conduct which is contrary to the criminal law and which does not directly concern free expression rights. The prosecution of such conduct does not involve a flagrant denial of article 10 of the Convention.

iii) Counts 15, 16 and 17 concern the publication of the names of human intelligence sources. There is a strong public interest in protecting the identities of human intelligence sources, and no countervailing public interest justification for publication has been identified.

iv) There were strong reasons, as the judge found, to conclude that the applicant’s activities did not accord with the “tenets of responsible journalism”.

But as I noted here, that analysis is fine for the extradition question. It’s fine to rule that Assange would get at least the same protections as he would in Europe.

It’s another thing altogether for use in a US courtroom.

That’s because the First Amendment doesn’t include a balancing test of privacy versus public interest present in the ECHR.

Rather, in language that would apply equally to Assange’s indiscriminate publication of the DNC and Podesta emails (as well as the publication of the Turkish and Saudi emails), Baraitser argued that Assange’s publication in bulk was not protected because it did not and could not properly weigh the risk to others.

This part of the ruling, in particular, would not translate into US law. There is no such privacy balance in the US outside of much weaker defamation laws. And so this part of the ruling does not offer much comfort with regards the existing charges as precedent in the US context.

Whereas in Europe, you have to act like a journalist to get protections as one (which Baraitser said Assange did not, especially not with respect to the three counts of publishing the identities of US and Coalition sources, which had little public interest value to counterweigh the harm he did to those whose names he published), in the US one does not have to adhere to journalistic principles to be protected by the First Amendment.

The US may have real concerns about giving assurances sufficient to meet this particular concern. If they do, Assange would be able to argue that the US was unfairly applying prior restraint to him in a way it doesn’t others — including Cryptome’s John Young, who has repeatedly tried to intervene in Assange’s case in various ways, each time on the basis that he published the State cables without punishment.

All that may be for the best. Faced with such a choice, the US might choose to drop the case entirely (or drop the three most damaging charges, if they are able to do that). I doubt they would drop it entirely, but they could.

They could also pursue the misdemeanor plea the WSJ recently reported, though as reported that seemed like mostly Assange-derived fluff.

Or they could limit the kinds of evidence they use on these charges. One thing that distinguishes Assange from journalists — and from Young — for example, is that prior to publishing all the cables without adequate redaction, he first shared a subset of them with Israel Shamir, who then gave them to (at least) Belarus. At least for the state cables, prosecutors could prove the dissemination charge without relying on publication altogether. Doing so would not only mitigate the damage this precedent would cause, but would get to the real damage that releasing those identities did, willfully giving dictators advance notice to retaliate against US sources before the US could take mitigating measures.

Finally, the might just note that Bartnicki does not apply because Assange allegedly was involved in the theft of the documents in question. Who knows. Depending on what happens with the Project Veritas investigation associated with Ashley Biden’s diary, DOJ might soon have a US citizen being prosecuted in a similar situation.

I imagine the US would have no problem assuring the Brits that Assange would have the same stinky content-based First Amendment rights as other Espionage Act defendants. The question is whether they’d be willing to allow Assange to argue that his prosecution amounted to prior restraint.

Josh Schulte Sentenced to 40 Years

Aldrich Ames was arrested at the age of 53 in 1994 after 9 years of spying for Russia. He remains imprisoned in Terre Haute to this day — 30 years and counting — at the age of 82. (My math here is all rough.)

Robert Hanssen was arrested in 2001 at the age of 57 after 22 years of spying for Russia. He died last year, at the age of 79, in Florence SuperMax.

After six years in jail — most under Special Administrative Measures sharply limiting his communication — Josh Schulte, aged 35, was sentenced Thursday to 40 years in prison. He will presumably go to either Florence (most likely, because Judge Jesse Furman recommended he should go to someplace close to Lubbock) or Terre Haute.

Since his guidelines sentencing range was life in prison, I’m not sure how much, if any, of his sentence could, hypothetically, be dropped for good behavior.

Furman sentenced him concurrently on his Child Sexual Abuse Material conviction and the Espionage Act charges. Barring any successful appeal, he would be in prison for at least 20 years on top of time served, if he were to get credit for good behavior. That would put him back on the street at age 55, still the prime of his life (says someone in precisely that prime of her life, someone still learning some of the forensic techniques Schulte mastered as a teenager).

But the possibility that Schulte would be released before 2058, when Schulte will be 69, is based on two very big assumptions (on top of my uncertainty about whether he could get time off). First, that Schulte could sustain “good behavior” in prison, when he has failed to do so even while being held under SAMs in New York. Most recently, the government alleges he somehow obtained more CSAM in 2022 while in prison, where he would consume it in his cell after days representing himself in his second trial, the one in which he was convicted of the Espionage Act charges.

Even while Schulte’s family was traveling to attend his trial in 2022, he chose to retreat to his cell to view the child pornography that he had secreted on his prison laptop. (See D.E. 1093-1 at 3-4 (describing examples of times when videos were played).)

And there’s good reason to believe he attempted to — may well have succeeded at — conducting further hacks from prison.

That’s some of what I’ve been pondering since the government first requested that Schulte be treated like four men, including Ames and Hanssen, who gave America’s secrets to Russia rather than giving them to WikiLeaks, as a jury convicted Schulte of doing, by sentencing him to life in prison.

It took years of tradecraft to recruit and cultivate sources like Ames and Hanssen.

Many of the details about what led up to Schulte’s leaks of the CIA’s hacking tools remain unknown — including via what server he shared the files, because WikiLeaks’ submission system could not have accepted them at the time, meaning Schulte necessarily had some kind of contact with WikiLeaks in advance.

But the current story is that Schulte reacted to being disciplined at work fairly directly by stealing and then sharing the CIA hacking tools in one fell swoop. In a matter of days in April and May 2016 (perhaps not coincidentally, the same period when Russian hackers were stealing files from Hillary Clinton’s team), Schulte took steps that burned a significant part of CIA’s capabilities to the ground.

As a result of that reactive decision, Schulte delivered a set of files that would allow their recipients to hunt down CIA’s human sources based off the digital tracks they left in highly inaccessible computers. As I’ve noted, Schulte was well aware of the damage that could do, because he wrote it up in a self-serving narrative after the fact.

I told them the confluence server was the one that seemed to be compromised, and while horrible and damaging at least it wasn’t Stash; At least not at this point–Hopefully they could stop any additional leaks from the network at this point. From the news articles I’ve read, wikileaks claims to have source code, but we don’t know what code or from where. However, at this point, I knew the SOP was a complete stand down on all [redacted] operations. We had no idea what had been leaked, when, for how long, or even who else had seen the materials leaked. Have they been steadily accessing our network every day? Have all our ops been blown since we wrote the first line of code? Perhaps only confluence had been leaked, but the individual(s) responsible are/were planning to exfil the other parts of DEVLAN too? So much still unknown, and with potential (yet unconfirmed) link between wikileaks and Russia–Did the Russians have all the tools? How long? It seems very unlikely that an intelligence service would ever leak a nation’s “cyber weapons” as the media calls them. These tools are MUCH more valuable undiscovered by the media or the nation that lost them. Now, you can secretly trace and discover every operation that nation is conducting. I told them all this was certainly very disturbing and I felt bad for my friends and colleagues at the agency who likely weren’t doing anything and most likely had to completely re-write everything. [my emphasis]

What gets virtually no coverage is that this is precisely what happened: the bulk of the most sensitive files Schulte stole, the source code, has never been publicly accounted for. That’s why I find credible the unsealed and sealed filings submitted with sentencing claiming that Schulte caused what Judge Furman claimed (as reported by Inner City Press) was $300 million in damage and a cascading series of compromises.

Because DOJ couldn’t trade a death sentence in exchange for cooperation about how Schulte did it, as they did with Ames and Hanssen, because digital encryption is much more secure than a dead drop in a Virginia park, it’s not clear whether the government even knows all of it.

I don’t even know what Schulte was trying when he attempted to social engineer me from jail in 2018 — but I have my suspicions.

Later this month, Julian Assange will get a last chance to stave off extradition. I have long suspected if the UK approves the extradition, Russia will attempt to swap Evan Gershkovich for Assange. One way or another, we may learn more about what the US government has learned about the WikiLeaks operation in the 7 years since Schulte was part of one of the most successful, sustained attacks by Russia on the US.

But until then, Schulte will be moving to new long-term accommodations in a highly secure prison.

Claiming Josh Schulte’s Leaks Cost CIA 100s of Millions, DOJ Asks for Life Sentence

In support of sentencing for Josh Schulte, DOJ submitted an unclassified letter from CIA’s Deputy Director claiming his breach cost the agency hundreds of millions of dollars, a sealed classified filing that must speak to grave harm, and a sealed letter from a CSAM victim.

The how they get to the sentencing recommendation is quite technical (though it involves a terrorism enhancement for using computers to engage in espionage).

The what — a request for a life sentence — is not surprising. The comparison of his crimes to Robert Hanssen and Aldrich Ames is similary not surprising.

Indeed, it is the proof that Schulte carried out his conduct with the specific intent that his theft would harm the United States that sets his case apart. In virtually all cases identified in the Government’s research in which violations of § 793(b) have been prosecuted, that charge has been paired with violations of 18 U.S.C. § 794, which penalizes the delivery of national defense information to a foreign government with the same intent requirement. That offense does not apply to Schulte’s conduct, because he chose to transmit the Stolen CIA Files to WikiLeaks, rather than directly to a foreign state. But Schulte’s intent to harm the United States, the scope of his theft and disclosure, and the consequences of his conduct, more closely parallels cases prosecuted under § 794 than so-called “leak” cases in which comparatively small amounts of information are shared with media organizations with a misguided sense of the public interest. In such cases, Courts have routinely, albeit gravely, concluded that terms of life imprisonment are the only appropriate sanction for such devastating crimes, notwithstanding the fact that many similarly situated individuals accepted responsibility for their crimes. See, e.g., United States v. Robert Hanssen, 01 Cr. 1088 (E.D. Va. 2002) (life imprisonment for FBI supervisor who pled guilty to selling classified information to Russia); United States v. Aldrich Ames, 94 Cr. 166 (E.D. Va. 1994) (life imprisonment for CIA officer who pled guilty to selling classified information to Russia); United States v. Arthur James Walker, 85 Cr. 92 (E.D. Va. 1985) (life imprisonment for former Navy officer convicted of selling documents for transmission to Russia); United States v. Andrew Daulton Lee, 589 F.2d 980 (9th Cir. 1979) (life imprisonment for contractor convicted of selling classified information regarding CIA project to Russia).

It is, however, fairly sobering.

Don Jr Confesses He and Douglass Mackey Were “Put on Lists” Together

In an interview of far right troll and now convicted felon Douglass Mackey yesterday, Don Jr confessed that he and Mackey had frequented the same lists back in the day.

DONALD TRUMP JR. (HOST): And with that, guys, joining us now is Doug Mackey. Again, if you guys were in the meme wars, like, early adapters like me back in 2015 and ’16, you’ll know him as Ricky Vaughn. But Doug, for the people watching — and it’s great to have you. You know, I know — we’ve probably gone back and forth on Twitter back in the old days and DMs, and I’m sure we were put on lists way back then. But for the people watching, can you explain what happened here? I mean, you literally ran a Twitter account named Ricky Vaughn. And you got charged for posting a meme. What’s going on?

Later in the interview, Trump Jr. told Mackey that his Ricky Vaughn account was “awesome” and “may be my favorite Twitter account of all time” and “maybe the best of all time.” [my emphasis]

I find that particularly interesting, because there’s a troll in the troll rooms released as part of Mackey’s trial named P0TUS Trump. I’ve always wondered whether it could be Don Jr.

I had that suspicion not just because of the name, but also because P0TUS Trump always seemed even more focused on the WikiLeaks releases than the others. The others were busy conducting far more sophisticated campaigns.

On October 12, 2016, as everyone else was excited that Mackey had been added back to their group after being banned, P0TUS Trump was instead pushing #PodestaEmails3.

An hour later, in a conversation with Mackey co-conspirator MicroChip, he pushed #PodestaEmails4.

The next day, as MicroChip and unindicted co-conspirator HalleyBorderCol were casting doubt on claims that Trump was a rapist, P0TUS Trump again was focused on WikiLeaks.

That monomaniacal focus on WikiLeaks while everyone else was focused on other things came in the days after — according to the SSCI Report — WikiLeaks had DMed Don Jr at his normal Twitter account (for which Mueller obtained.a warrant in October 2017) directly to get him to push hashtags, including pertaining to PodestaEmails4.

(U) WikiLeaks also sought to coordinate its distribution of stolen documents with the Campaign. After Trump proclaimed at an October 10 rally, “I love WikiLeaks” and then posted about it on Twitter,1730 WikiLeaks resumed messaging with Trump Jr. On October 12, it said: “Strongly suggest your dad tweets this link if he mentions us … there’s many great stories the press are missing and we’re sure some of your follows [sic] will find it. btw we just released Podesta Emails Part 4.”1731 Shortly afterward, Trump tweeted: “Very little pick-up by the dishonest media of incredible information provided by WikiLeaks. So dishonest! Rigged System!”1732 Two days later, Donald Trump Jr. tweeted the link himself: “For those who have the time to read about all the corruption and hypocrisy all the @wikileaks emails are right here:”1733 Trump Jr. admitted that this may have been in response to the request from WikiLeaks, but also suggested that it could have been part of a general practice of retweeting the WikiLeaks releases when they came out. 1734 [my emphasis]

WikiLeaks remained focused on cultivating Don Jr for at least another year, trying to get him rather than Roger Stone to take the lead on a pardon for Julian Assange, and when that didn’t happen, posting ominous warnings about dropping the source code Josh Schulte had stolen under the Vault 8 label.

And that’s just what’s public.

Imagine if the former President’s failson had a private identity, one playing right along with two men who have been convicted of conspiring to harm the civil rights of Hillary Clinton supporters, the same crime, 18 USC 241, for which Trump now stands accused.

Former WikiLeaks Task Force Member Charles McGonigal Didn’t Take Credit for the Josh Schulte Investigation

There’s something about the second Josh Schulte trial I’ve always meant to go back and lay out. It pertains to what I think of as Schulte’s “Guccifer Gotcha.”

Throughout the trial, Schulte, who was representing himself, often got caught up in proving — right there in the courtroom — that he was the smartest guy in the room. That often (particularly with prosecutors’ technical expert and a former supervisor) led Schulte to get entirely distracted from proving his innocence. He focused on proving he was smart, rather than not guilty.

A particularly revealing instance came with Richard Evanchec who, as a member of New York Field Office’s Counterintelligence Squad 6 that focused on insider threats, was one of the lead FBI agents on the Schulte investigation.

On direct, Evanchec had described how before, August 2016, Schulte had only done three searches — ever — on WikiLeaks, but he did 39 searches between August 2016 and January 2017, when WikiLeaks announced Vault 7. (This exhibit is from Schulte’s first, 2020 trial; because the exchange below describes the August 16 search as the first one, I believe the one from his 2020 trial may not have included the Snowden search.)

Schulte started his cross on this topic by asserting that Evanchec had “made [a] grave mistake” in calculating Schulte’s Google searches.

[Reminder: these transcripts were paid for by Wau Holland foundation, which has close ties to WikiLeaks.]

Q. Additionally, sir, did you realize that you made the grave mistake in calculating the Google searches during this time period?

A. I don’t.

Q. You don’t recall that.

A. No.


Q. Did you not realize, sir, that 80 percent of the searches you claim that I conducted for WikiLeaks were not actually searches at all?

A. I don’t know that, sir, again.

Q. Sir, are you familiar with the service Google offers called Google News?

A. I am not. I don’t use Google regularly or gmail regularly so I don’t know what that is.

Schulte then walked Evanchec through how a Google News search and a related page visit search show up differently in the logs, demonstrating the concept with some activity from early morning UTC time on August 17, 2016 on Schulte’s Google account.

Q. Did you know that Google makes a special log in its search history when you are using Google News?

A. I don’t. I am not aware of that.


Q. OK. Entry no. 12954.

A. Your question, sir?

Q. Can you read just the date that this search is conducted?

A. Appears to be August 17 of 2016 at 2:45:07 UTC.

Q. Can you read what the search is?

A. Searched for pgoapi.exceptions.notloggedinexception. Then there is: (

Q. OK. And then the search after it, Google has it, produces it in the opposite direction so the one after that. Can you read that?

A. You are referring to line 12953?

Q. Yes. I’m sorry. Thank you.

A. Tease [sic] OK. Again August 17, 2016, 2:35:27

Schulte then got Evanchec to admit that the FBI agent didn’t consult with any FBI experts on Google before he did his chart of Google searches.

Q. So you basically, just as a novice, opened up this document and just based on no experience, you just picked out lines; correct?

A. No.

Q. No. You did more?

A. Yes. I queried for every time this history set searched for and then included the search terms. That’s what I culminated in my summary.

Q. OK, but you didn’t run that by any of the technical experts at the FBI, did you?

A. Not that I recall.

Q. And you said you didn’t reach out to Google or anyone with expertise, correct?

In his close, Schulte claimed that the exchange showed that all the Google searches he did between August 2016 and January 2017 were based off a Google news alert, and what drove the number of searches was the degree to which WikiLeaks was in the news because of the DNC hack-and-leak.

Mr. Lockard then brings up the Google searches for WikiLeaks, but of course, as Agent Evanchec testified, there were multiple news events that occurred in the summer of 2016. WikiLeaks dumped the Clinton emails. Really? Come on. Everyone was reading that news — Guccifer 2.0. The Shadow brokers released data, and even WikiLeaks claimed to have that code.

No doubt Schulte did demonstrate clearly to Evanchec that he didn’t did look closely at the logs of these searches and that he — Schulte — knew more about Google searches than one of the agents who had led the investigation into him did.

He was the smartest guy in the room.

But in the particular search in question — one that would have been before midnight on August 16, 2016 on the East Coast — what Schulte appears to have shown is that among all the Google news alerts reporting on a flood of news about WikiLeaks, one of the only alerts that he clicked through was one reporting WikiLeaks’ claim to have a tie to ShadowBrokers.

WikiLeaks on Monday announced plans to release a collection of “cyber weapons” purportedly used by the National Security Agency following claims that hackers have breached a division of the NSA said to deal in electronic espionage.

“We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course,” WikiLeaks said through its official Twitter account Monday.

Individuals calling themselves the “Shadow Broker” claimed earlier in the week to have successfully compromised Equation Group — allegedly a hacking arm of the NSA — and offered to publicly release the pilfered contents in exchange for millions of dollars in bitcoins.

At a threshold level, Schulte’s gotcha doesn’t show what he claimed it did. It showed that among the flood of news about WikiLeaks — almost all focused on the DNC hack-and-leak — he clicked through on stories about an upcoming code release. “Everyone was reading that news — Guccifer 2.0,” Schulte said. But he wasn’t. He clicked on one Guccifer story. He was sifting past the Guccifer news and reading other stuff. Schulte caught Evanchec misreading the Google logs, but then went on to misrepresent the significance of what they showed, which is that amid a flood of news about the DNC hack-and-leak, he was mostly interested in other stuff.

More importantly, once you realize that Evanchec hadn’t looked closely at the logs of these Google searches, something about his first demonstrative — showing just these three searches before August 2016 — becomes evident.

July 29, 2010: Searched for “WikiLeaks”

  • Visited webiste [sic]

July 30, 2010: Searched for “WikiLeaks ‘Bastards’”

  • Visited website titled “WikiLeaks Plans to Post CIA Chiefs Hacked Emails” on The Hill

July 6, 2016: Searched for “WikiLeaks Clinton Emails”

  • Visited website titled “WikiLeaks Dismantling of DNC Is Clear Attack By Putin on Clinton” on The Observer

For at least two of these searches, the date in Evanchec’s demonstrative cannot reflect the actual date of the search.

The story, “WikiLeaks Dismantling of DNC Is Clear Attack By Putin on Clinton” — one of the first ones concluding from the DNC hack that Putin was involved — was not posted until July 25, 2016, yet Evanchec’s demonstrative says the search happened weeks earlier.

The story, “WikiLeaks Plans to Post CIA Chiefs Hacked Emails,” describing the Crackas With Attitude hacks of top intelligence community figures in advance of the 2016 operation, dates to October 21, 2015. Evanchec described Google records that say the search happened five years before the article was posted.

Neither of those searches could possibly have been done on the date in Evanchec’s demonstrative, which Schulte — in spite of his obsession with being the smartest guy in the room — undoubtedly knew but didn’t point out at trial.

Schulte got his gotcha. It didn’t help him secure acquittal (or even another hung jury). And it got me, at least, to look more closely at what it proves, which is that at least two of the manual searches Schulte did, searches that sought out very select stories, seemed to obscure the date of the search.

As I said, I’ve been meaning to post this ever since it happened at trial.

I’m revisiting it, though, because of something remarkable about Charles McGonigal’s sentencing memo. Unsurprisingly,  his attorney, former Bill Barr flunkie Seth DuCharme, lays out a bunch of the important FBI investigations that McGonigal was a part of over his 22-year FBI career to describe what service he has done for US security: TWA Flight 800, the 1997 investigation into attempted subway bombers Gazi Ibrahim Abu Mezer and Lafi Khalil, the investigation into the 1998 bombings of US embassies in Africa, the 9/11 attack, the 2002 abduction of a Wooster County, OH girl, the Sandy Berger investigation, the RICO investigation of Huawei Technologies Co.

The government, in their own sentencing memo, includes a footnote suggesting that McGonigal is fluffing his role in at least one of these investigations.

The law enforcement and counterintelligence agents who reviewed McGonigal’s cited exploits noted that he often claims credit for operations in which his personal involvement was less significant than the operation itself. For example, in both his classified and unclassified submissions, McGonigal may describe a significant investigation where he—along with many other officials—was simply somewhere in a lengthy chain of command. (See PSR ¶ 82). Thus, to the extent this Court is inclined to parse McGonigal’s career achievements, the Government respectfully submits that it should limit its analysis to the specific actions that McGonigal personally took. See United States v. Canova, 412 F.3d 331, 358-59 (2d Cir. 2005) (Guidelines departure for exceptional public service warranted where defendant served as volunteer firefighter “sustaining injuries in the line of duty three times,” “entering a burning building to rescue a threeyear old,” “participated in the successful delivery of three babies,” and administered CPR to persons in distress both while volunteering as a firefighter and as a civilian).

One example where McGonigal claimed credit for being in a lengthy chain of commend must be the Huawei investigation, one that Seth DuCharme would also have worked on in the period when he and McGonigal overlapped in NY, from 2016 until 2018. The 2020 press release that DuCharme links to about that investigation, from over a year after McGonigal retired, includes two paragraphs of recognition, including units far afield from counterintelligence.

But one investigation included in McGonigal’s sentencing memo where he did have more involvement is the original WikiLeaks Task Force.

Mr. McGonigal later led the FBI’s WikiLeaks Task Force investigating the release of over 200,000 classified documents to the WikiLeaks website—the largest in U.S. history—ultimately resulting in the 20-count conviction of Chelsea Manning for espionage and related charges.

Charles McGonigal did have a significant role in the first criminal investigation of WikiLeaks, one conducted five years before his retirement.

And that’s why it’s weird that McGonigal doesn’t describe that, in the 18 months before he retired, including in the period between May 2017, when he received a report describing Oleg Deripaska’s ties to GRU, and the period, starting in March 2018, when McGonigal first started interacting with Deripaska’s deputy, Yevgeny Fokin, whom McGonigal allegedly identified as a Russian intelligence officer and claimed to want to recruit, a unit McGonigal supervised solved a WikiLeaks compromise even more damaging and complex than Chelsea Manning’s had been four years before.

Charles McGonigal doesn’t claim credit for the arrest of Josh Schulte and charges filed, over two years after the compromise, for the Vault 7 attack, something in which his team had a more central role than in the Huawei case, something that was every bit as important to national security.

By that point, WikiLeaks had ties to Russia not just through Israel Shamir but also — at least through a shared lawyer — with Oleg Deripaska. That shared lawyer almost negotiated immunity for Assange in exchange for holding off on the Vault 7 leaks.

Now, I’m not at all suggesting that McGonigal was responsible for that fucked up Google analysis, which Schulte would mock five years later. There would have been several levels of management between McGonigal and that analysis. Evanchec simply didn’t look closely enough at the Google metadata, and so didn’t see that those searches were even more interesting than he understood.

But what McGonigal would have known, when he was meeting Deripaska personally in 2019, was that the FBI hadn’t discovered that Schulte had somehow obscured when he did his search on WikiLeaks’ role in embarrassing CIA Director John Brennan and National Security Director James Clapper in 2015, in advance of the 2016 election attack, that he had likewise obscured the date when he searched on Putin’s role in the DNC hack-and-leak. The FBI didn’t even know that in 2022, by the second trial.

McGonigal may also have known what someone associated with WikiLeaks told me, in 2019, that the FBI had learned about Schulte: that he had somehow attempted to reach out to Russia.

To be clear: None of this is charged. There’s no evidence that McGonigal shared details he learned as NYFO’s counterintelligence head, about the WikiLeaks investigation, to say nothing about NYFO’s investigation of oligarchs like Deripaska. McGonigal’s case has been treated as a public corruption case, not an espionage case. So it may be that SDNY has confidence that McGonigal didn’t do anything like that.

But this risk — the possibility that McGonigal could have shared investigative information with Deripaska — doesn’t show up in SDNY’s sentencing memo. SDNY makes no mention of how obscene it is that DuCharme wants his client to get probation when any witnesses implicated in the investigations McGonigal oversaw would never know whether he had shared that information with Deripaska.

That includes me: As I have written, in August 2018, the month before McGonigal retired, someone using one of the ProtonMail accounts Schulte and his cellmate used reached out to me. I have no idea why they did that. But I’d love to know. I’d also love to know whether McGonigal learned of it and shared it.

It makes sense that McGonigal doesn’t emphasize what SDNY did on their own sentencing memo: That McGonigal went from supervising investigations into Deripaska to working for him, allegedly knowing full well he had ties to Russian intelligence. But the tie between WikiLeaks and Deripaska is more obscure, and so he could have bragged that twice in his career he led substantial investigations into WikiLeaks. Schulte’s third trial, for Child Sexual Abuse Material, even happened after Judge Jennifer Rearden became a judge in October 2022.

McGonigal could have bragged that twice in his career, in 2014 and in 2018, teams he oversaw solved critical WikiLeaks compromises. He only claimed credit for the first of those.

Update: Corrected Fokin’s first name.

Serving as Julian Assange’s Unwitting Data Mule to Israel Shamir Is Not Journalism

It’s a testament to how effective WikiLeaks’ propaganda is that almost none of the people implicated by things Julian Assange did years ago and almost none of the people who brainlessly repeat Julian Assange’s propaganda now know about this May 16, 2022 filing, submitted last year in the Josh Schulte case, which I wrote about here.

The redacted bits of the filing almost certainly describe things obtained in an ongoing investigation of WikiLeaks that pertain to how the data stolen by Schulte was used. The unredacted parts, however, describe that what must be the WikiLeaks investigation is both ongoing and has a scope that, “is neither known to the public nor to all of the targets of the investigation.”

“All of the targets.” That phrase is telling. At least one target — Assange — knows he is a target. The other targets (and DOJ uses the jargon to describe people who almost certainly will be charged, not just people who might be) don’t know.

The WikiLeaks investigation — which is ongoing and not just, as many boosters claim, an attempt to shore up the case against Assange — is not an investigation into Assange, exclusively. There are other targets.

Key WikiLeaks people almost certainly know about this filing, because they treated Schulte’s second trial — where he defended himself and repeatedly tried to publicly share classified information, almost certainly including details of the discovery about the ongoing WikiLeaks investigation he had received — differently than the first.

They’re just not telling you that there are other targets of the WikiLeaks investigation.

They’re not telling you, in part, because it ensures that when the Met or FBI or other investigators approach people to obtain information about those other targets, they’ll refuse, because they don’t want to be part of a prosecution of Julian Assange for what they’re telling themselves is journalism.

James Ball is the latest person describing how that happened.

In a Rolling Stone post describing the two year effort to obtain his cooperation, he claims journalists are being asked to cooperate against Assange.

And he claims he’s being approached — for information that clearly pertains to Israel Shamir — as a journalist.

He asserts that he’s being approached as a journalist by claiming that DOJ wants to talk to him about this 2013 article, rather than about his own conduct described in the article.

As the article described, in 2010, he unwittingly served as Assange’s data mule, handing off 90,000 State Cables to Israel Shamir, who then exploited them — by sharing them with Belarusian dictator Alexandr Lukashenko and/or selling them — before the entire Cable set was released.

Shamir is an anti-Semitic writer, a supporter of the dictator of Belarus, and a man with ties and friends in Russian security services. He and Julian—unknown to us—had been in friendly contact for years. It was a friendship that would have serious consequences.

Introduced to WikiLeaks staff and supporters under a false name, Shamir was given direct access to more than 90,000 of the U.S. Embassy cables, covering Russia, all of Eastern Europe, parts of the Middle East, and Israel. This was, for quite some time, denied by WikiLeaks. But that’s never a denial I’ve found convincing: the reason I know he has them is that I gave them to him, at Assange’s orders, not knowing who he was.

Why did this prove to be a grave mistake? Not just for Shamir’s views, which are easy to Google, but for what he did next. The first hints of trouble came through contacts from various Putin-influenced Russian media outlets. A pro-Putin outlet got in touch to say Shamir had been asking for $10,000 for access to the cables. He was selling the material we were working to give away free, to responsible outlets.

Worse was to come. The NGO Index on Censorship sent a string of questions and some photographic evidence, suggesting Shamir had given the cables to Alexander Lukashenko of Belarus, Europe’s last dictator. Shamir had written a pro-Belarus article, shortly before photos emerged of him leaving the interior ministry. The day after, Belarus’s dictator gave a speech saying he was establishing a WikiLeaks for Belarus, citing some stories and information appearing in the genuine (and then unpublished) cables. [my emphasis]

As he admits, at least by 2013, Ball was aware that Shamir had ties to Russian spooks.

What Ball describes in the piece is that he entered into an agreement with Assange to provide data to someone, Shamir, that Shamir did not publish, but instead shared with a repressive dictator and, probably, with Russian intelligence services.

That’s not journalism. That’s spying.

To be sure: as Ball describes, he realized his error and promptly left WikiLeaks (and, as he described in the 2013 article, refused to sign some of the NDAs Assange was pushing). That’s why he was approached as a witness and not a subject, because he made affirmative efforts to leave the conspiracy that has already been charged against Assange and almost certainly will be charged against Shamir, if it hasn’t already been, under seal.

After having served as an unwitting data mule for Assange in a handoff that would result in Lukashenko (and possibly Russian spies) getting advance access to the content of the Cables, Ball subsequently became a journalist. But that does not retroactively change what happened in 2010. Nor does that mean FBI approached him as a journalist. They approached him as a guy who once unwittingly served as a data mule for the part of the Cable releases that undermines all the claims that Assange is nothing but a publisher.

Here’s what people miss about the publication charges against Julian Assange, including the Cable count. They charge him for, “distributing them and then by publishing them.” Proving that Assange distributed the State Cables via unwitting data mule James Ball to Shamir is all DOJ would have to do to prove that charge against Assange, to prove that Assange shared them with someone not authorized to receive them. At a hypothetical trial of Assange (and whoever else gets charged), they’ll undoubtedly explain that after first giving privileged access to the Cables to Shamir, who handed them onto people who would use them to suppress dissent, Assange published all of them. That’s part of the cover. That’s part of what leads people like Ball to imagine he was involved in journalism when he shared the Cable files with Shamir.

For a number of WikiLeaks releases, there’s some story like this, about how before publication, files were either removed from the publication set or provided exclusively to someone in advance. The publication is, in part, cover for that earlier sharing. Schulte even described how if Russia got the source code he shared with WikiLeaks but which WikiLeaks, with limited exceptions, did not publish, they would never publish it, because it would be more useful to reverse engineer what the CIA had been doing.

These tools are MUCH more valuable undiscovered by the media or the nation that lost them. Now, you can secretly trace and discover every operation that nation is conducting.

Schulte is one of the people that anyone charged in a larger WikiLeaks conspiracy would be charged with conspiring with.

That’s the tough thing about US conspiracy law: Once you enter into a conspiracy, you’re on the hook for the actions of anyone who later enters into that conspiracy — like Shamir or Schulte — whether or not you know about it personally. You’re on the hook unless and until you take affirmative actions to leave the conspiracy. Lots of people with ties to WikiLeaks want no tie to Assange’s relationship with Shamir, but if DOJ adds him as a co-conspirator, then they’re not going to have much choice in the matter.

In any case, because so few of WikiLeaks’ boosters know that there are other targets in this investigation, they seem to be getting unfortunate legal advice, such as regarding the import of the detail that FBI obtained a statement from Shamir — whose statements, if and when he is charged as a co-conspirator, can be entered at trial — stating that Ball provided Cables, which he claimed to be about “the Jews,” to him.

The U.S. government cannot make much use of what I revealed in the article in a court of law unless I testify to it — and it is not hard to see how I could be useful if they were trying to strengthen the political case against Assange. In the article, I admit that I was the one who gave Shamir the material, albeit on Assange’s orders, without knowing who he was. If I testified to all this, it could, at least in theory, open me to criminal charges of my own.


When, after months of delaying tactics had run out of road, we said a final “no”, there was a small sting in the tale from a DOJ prosecutor to my lawyers. Sending a statement in which Shamir had falsely claimed I had provided him with cables on “the Jews,” the prosecutor noted:

“Upon seeing those words from Shamir, I cannot help but ask whether Mr. Ball would reconsider his decision about speaking to the investigators, even if only just to respond to Shamir’s allegations.”

Yeah, it was a sleazy tactic, but also one designed to alert his lawyer that Ball does not currently have exposure but at a trial in which Shamir is a co-conspirator, Ball’s own conduct will be introduced at trial as part of proving that Cable charge and can be introduced without the article Ball wrote in 2013. Ball was advised they can’t use his article without his testimony — and because he had already left any agreement with Assange that’s probably right — but FBI can certainly introduce Shamir’s claims that he got the Cables from Ball, along with whatever other evidence they have about what Shamir did with them afterwards.

One more reason the fact that this is an ongoing investigation into targets not publicly identified matters: DOJ may or may not  or may already have gotten the UK to approve superseding the existing indictment against Assange, the one that has led people to believe he is the only target of it. But they certainly have the ability to charge a conspiracy in which Assange is an uncharged co-conspirator, showing a seven year conspiracy involving Russian spooks — starting no later than that handoff of cables to Shamir — charging everyone else that entered into a conspiracy via Assange with Russian spooks. Back in 2020, prosecutors implied to Jeremy Hammond that the long extradition process of Assange would provide the opportunity to charge Assange’s involvement in the 2016 Russian hack-and-leak. And because at least one of the people who would be charged in such a conspiracy, Josh Schulte, appears to have continued his efforts to leak through last year, any statute of limitations might go through 2027. That’s why they’re in no rush to charge Shamir publicly: because the way conspiracy law works in the US, they can charge everyone who didn’t affirmatively leave the WikiLeaks conspiracy so long as the conspiracy remains ongoing.

Ball may well be right that the other people the FBI has approached are being approached for coverage of WikiLeaks they did, as journalists (though there are some edge cases). But of the descriptions I’ve seen, there’s always another as yet uncharged target about whom the FBI is asking. That may not change their calculus about whether they want to cooperate, but it means, whether they know it or not, that their refusals are not limited to a bid to protect Assange’s conduct.

I think the people approached for their coverage of WikiLeaks should definitely tell the FBI to fuck off.

But there’s more going on here, particularly with the request to Ball.

On Joshua Schulte’s Alleged Substantial Amount of CSAM … and Other Contraband

Yesterday, Judge Jesse Furman docketed a letter, impossibly dated March 23, updating him on the investigation into the Child Sexual Abuse Material allegedly found on WikiLeaks Vault 7 source, Josh Schulte’s discovery computer, six months ago (see this post for an explanation).

It described more about the CSAM material found on Schulte’s computer: The FBI had found “at least approximately 2,400 files on the laptop … likely containing CSAM.”

With respect to assertions that Joshua Schulte, the defendant, has made about the discovery laptop—that the laptop does not contain CSAM, that any CSAM appears only in thumbnails, or that the CSAM was maliciously or inadvertently loaded onto the laptop by the Government. See, e.g., D.E. 998 at 3 (pro se letter to the Court dated Dec. 21, 2022), 5 (pro se letter to the Court dated Jan. 5, 2023)—the Government is able to confirm the following: at least approximately 2,400 files on the laptop have been identified to date as likely containing CSAM. Those files include full images, and are not limited to thumbnail images. Moreover, the Government did not copy discovery materials onto the defendant’s laptop. In 2021, former defense counsel copied discovery and trial materials onto the laptop, which was then reviewed by personnel from the U.S. Attorney’s Office for security compliance before making a file index and providing the laptop to the Metropolitan Correctional Center (“MCC”), where the defendant was then in custody. The CSAM on the laptop was not provided by the Government or the result of Government action.

That, by itself, doesn’t tell us a lot more than we learned in an October filing, which explained that the FBI had found, “a substantial amount” of suspected CSAM.

Indeed, the letter focuses on debunking two counterarguments Schulte has made since, which is one of the reasons Furman docketed it after DOJ submitted it ex parte: “[T]his letter responds directly to assertions by Mr. Schulte,” Furman observed.

The government was debunking a claim made by Schulte that the government had caused the CSAM — but only thumbnails — to be loaded onto his discovery computer by “connect[ing] a child pornography drive to the laptop during setup.”

Schulte repeated and expanded — at great, great length — that theory in a set of filings dated March 1 but just loaded to the docket today.

The government response, effectively, was that they made an index of the files as the computer existed when it was turned over to MCC in 2021, calling Schulte on his claim that he was framed with CSAM.

Ultimately both sides will be able to present their claims to a jury.

But there are several other reasons I’m interested in the letter and related issues.

The government’s working theory when they first revealed this last fall, was that Schulte got a thumb drive into the SCIF and from that accessed the CSAM allegedly found on his home computer six years ago, presumably just to have it in his cell for his own further exploitation of children.

there is reason to believe that the defendant may have misused his access to the SCIF, including by connecting one or more unauthorized devices to the laptop used by the defendant to access the CSAM previously produced.

That’s because in August, they found a thumb drive attached to the SCIF laptop.

On or about August 26, 2022, Schulte was produced to the Courthouse SCIF and, during that visit, asked to view the hard drive containing the Home CSAM Files from the Home Desktop. The hard drive was provided to Schulte and afterwards re-secured in the dedicated safe in the SCIF. The FBI advised the undersigned that, while securing the hard drive containing the Home CSAM Files, they observed that an unauthorized thumb drive (the “Thumb Drive”) was connected to the SCIF laptop used by Schulte and his counsel to review that hard drive containing the Home CSAM Files. On or about September 8, 2022, at the Government’s request, the CISO retrieved the hard drive containing materials from the Home Desktop from the SCIF and returned it to the FBI so that it could be handled pursuant to the normal procedures applicable to child sexual abuse materials. The CISO inquired about what should be done with the Thumb Drive, which remained in the dedicated SCIF safe.

But in a little noticed development, during the period when FBI has been investigating how a defendant held under SAMs managed to get (we’re now told) 2,400 CSAM files onto his discovery computer, CNN reported that the network of FBI’s NY Field Office focused on CSAM had been targeted in a hacking attempt.

The FBI has been investigating and working to contain a malicious cyber incident on part of its computer network in recent days, according to people briefed on the matter.

FBI officials believe the incident involved an FBI computer system used in investigations of images of child sexual exploitation, two sources briefed on the matter told CNN.

“The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.”

FBI officials have worked to isolate the malicious cyber activity, which two of the sources said involved the FBI New York Field Office — one of the bureau’s biggest and highest profile offices. The origin of the hacking incident is still being investigated, according to one source.

DOJ still insists that former CIA hacker Josh Schulte found a way to access a whole bunch of CSAM. And in the same period, reportedly, the servers involved with CSAM investigation in the NYFO were hacked.

And while the letter released yesterday doesn’t tell us — much — that’s new about what Schulte allegedly had on his laptop, it does tell us, by elimination, which of the sealed filings in his docket are not related to the CSAM investigation.

Since the October update on the investigation into Schulte, sealed documents have been filed in Schulte’s docket on the following days:

  • December 15: Sealed document
  • January 19: Ex parte update on CSAM investigation
  • January 26: Sealed document
  • March 9: Sealed document
  • March 13: Sealed document

Only the January 19 letter — along with yesterday’s letter — have been unsealed. That, plus the flurry of filings in September and October, are it for the CSAM investigation. There’s something else going on in this docket, four sealed documents worth.

Indeed, in those very long set of filings mentioned above, both dated February and finalized March 1, both docketed today, Schulte alluded to something beyond CSAM.

Judge Furman has begun claiming that there are other vague misuses or misbehavior on the laptop.

He must not have read the September and October letters very closely, because they describe there was a warrant that preceded the discovery of the CSAM.

The warrants that we know of include the following:

Since late September, this investigation was about the “substantive” amounts of CSAM found on a computer possessed by Schulte.

But before that it was based on suspicions of contraband.

That stems, in significant part, from a search of the computer DOJ did in June, when Schulte turned it over claiming it had been dropped.

It hadn’t been dropped. It needed to be charged. Indeed, in the interminable motions filed today, Schulte treated plugging in a laptop as some kind of due process violation.

Plugging in a laptop should in no way compromise the privacy of a laptop. But it did raise real questions about the excuse Schulte offered in an attempt to get a second laptop (one he effectively got once trial started anyway).

Needless to say, his description of what happened with the BIOS password differs from the government’s, as provided last June.

First, with respect to the defendant’s discovery laptop, which he reported to be inoperable as of June 1, 2022 (D.E. 838), the laptop was operational and returned to Mr. Schulte by the end of the day on June 3, 2022. Mr. Schulte brought the laptop to the courthouse on the morning of June 3 and it was provided to the U.S. Attorney’s Office information technology staff in the early afternoon. It appears that the laptop’s charger was not working and, after being charged with one of the Office’s power cords, the laptop could be turned on and booted. IT staff discovered, however, that the user login for the laptop BIOS1 had been changed. IT staff was able to log in to the laptop using an administrator BIOS account and a Windows login password provided by the defendant. IT staff also discovery an encrypted 15-gigabyte partition on the defendant’s hard drive. The laptop was returned to Mr. Schulte, who confirmed that he was able to log in to the laptop and access his files, along with a replacement power cord. Mr. Schulte was admonished about electronic security requirements, that he is not permitted to enable or use any wireless capabilities on the laptop, and that attempting to do so may result in the laptop being confiscated and other consequences. Mr. Schulte returned to the MDC with the laptop. [my emphasis]

Here’s more background on all the funky things that happened with this laptop that led me to suspect something was going on last summer.

Anyway, the government claims it found a whole bunch of CSAM on Schulte’s computer. But there’s also something else going on.

We may find out reasonably soon. The impossibly dated filing from this week promised an update in a week, which (if the impossibly dated filing was actually dated March 21) might be Tuesday.

The Government expects to provide the Court with a supplemental status letter in approximately one week.

At the same time that CIA hacker Josh Schulte was allegedly finding a way to load CSAM onto his discovery laptop, the local FBI office’s CSAM servers were hacked.

That might be a crazy coincidence.

Update: DOJ filed an ex parte update today, which may or may not have to do with the CSAM investigation.

SDNY Calls DOJ’s Definition of the Espionage Act an “Academic Interest”

DOJ has now responded to my intervention in the Joshua Schulte case. Presumably because my motion, written by Kel McClanahan, focused on how flimsy the government’s claim to keep transcripts of a CIPA conference hidden, the government’s response pitches this as exclusively a CIPA battle. It’s totally a reasonable legal stance.

But along the way, in apparent effort to distract from the topic at issue — in part, the application of the Espionage Act to journalism — SDNY suggests it is just an academic interest whether DOJ would charge someone for sharing classified information already published by the NYT.

The mere fact that someone would like to know information is not a part of the right-of-access analysis, however, and the Government’s motion should be granted.


Intervenor’s desire to speculate as to the potential application of the Government’s articulation of the elements of an offense to other circumstances has no bearing on the ability of the public to monitor or assess the actual rulings of the Court in the CIPA § 6 hearings to which Intervenor demands access.


[T]he question is not whether redacted transcripts are coherent as a matter of language or whether they might be relevant to Intervenor’s academic interest.

I’m the intervenor here, not McClanahan (who is a professor on national security law at GW Law). I need to know this stuff not just to cover WikiLeaks (I’m more of an expert than the expert SDNY relied on in the first trial, Paul Rosenzweig), but also to understand my own exposure as a journalist.

Not once in the filing does the government use the words “Espionage Act.” Not once does DOJ mention “journalist.” Not once does it mention the NY Times, the hypothetical that DOJ is attempting to hide, which (as Judge Jesse Furman described in a court hearing) is this:

I gave you two hypotheticals. I think one is where a member of the public goes on WikiLeaks today and downloads Vault 7 and Vault 8 and then provides the hard dive with the download to someone who is not authorized to receive NDI, and I posed the question of whether that person would be guilty of violating the Espionage Act and I think your answer was yes. That strikes me as a very bold, kind of striking proposition because in that instance, if the person is not in a position to know whether it is actual classified information, actual government information, accurate information, etc., simply providing something that’s already public to another person doesn’t strike me as — I mean, strikes me as, number one, would be sort of surprising if that qualified as a criminal act. But, to the extent that the statute could be construed to the extend to that act one would think that there might be serious constitutional problems with it.

I also posed the hypothetical of the New York Times is publishing something that appears in the leak and somebody sharing that article in the New York Times with someone else. That would be a crime and there, too, I think you said it might well be violation of the law. I think to the extent that that would extend to the New York Times reporter for reporting on what is in the leak, or to the extent that it would extend to someone who is not in position to know or position to confirm, that raises serious constitutional doubts in my mind. That, to me, is distinguishable from somebody who is in a position to know. I think there is a distinction if that person transmits a New York Times article containing classified information and in that transmission does something that confirms that that information is accurate — right — or reliable or government information, then that’s confirmation, it strikes me, as NDI. But it just strikes me as a very bold and kind of striking proposition to say that somebody, who is not in position to know or does not act in a way that would confirm the authenticity or reliability of that information by sharing a New York Times article, could be violating the Espionage Act. That strikes me as a kind of striking proposition.

The government is no doubt exploiting the emphasis in my filing, but the notion that whether I can be charged for doing journalism is not an academic interest! It’s not just that there is an acute interest, amid the Julian Assange extradition proceedings, to know the government’s thinking about the Espionage Act, it goes to the chilling effect of not knowing what I can safely publish in the course of doing my job. I don’t have the luxury of “speculating” about the application of the Espionage Act, because if I guess wrong, I could be imprisoned for a decade.

The government wants this to be about CIPA. But the problem is that the government is attempting to hide something that is not classified — the elements of offense for a serious crime that can chill the ability to do journalism — via claims about CIPA.

Third, Intervenor asserts a First Amendment right of access premised on the assertion that “the Government present[ed] legal arguments about elements of the crime itself,” which Intervenor claims both have traditionally been open to the public and are of value to the monitoring of the judicial process. (D.E. 988 at 2). Intervenor’s contention that legal arguments the Government may have advanced at the Section 6 hearings are “something that interested persons in the field should know” (id. at 3) simply “cuts too wide a swath—taken to its extreme, considerations of logic would always validate public access to any judicial document or proceeding.” United States v. Cohen, 366 F. Supp. 3d 612, 631 (S.D.N.Y. 2019). Contrary to Intervenor’s suggestion that discussion of the elements of an offense “stray[s] far from a simple discussion of evidentiary issues” (D.E. 988 at 3), such discussion is integral to virtually any assessment of the relevance and admissibility of evidence, including that occurring in CIPA § 6 hearings, in which courts “look to what elements must be proven under the statute,” United States v. McCorkle, 688 F.3d 518, 521 (8th Cir. 2012); see also United States v. Bailey, 444 U.S. 394, 416 (1980) (describing need to “limit[] evidence in a trial to that directed at the elements of the crime”).

Tellingly, SDNY’s citation of a 2019 District opinion relating to the unsealing of Michael Cohen’s search warrants — which were released with redactions, the desired goal here! — is inapt to the question of whether the government should be able to hide its discussions of how it understands the Espionage Act by claiming that that needs to be protected as classified information.

Considerations of logic also counsel against recognizing a First Amendment right to access search warrant materials. Of course, public access to search warrant materials may promote the integrity of the criminal justice system or judicial proceedings in a generalized sense. United States v. Huntley943 F.Supp.2d 383, 385 (E.D.N.Y. 2013) (remarking that “the light of the press shining into the innards of government is necessary to inhibit violation of the public trust”). But such an argument cuts too wide a swath—taken to its extreme, considerations of logic would always validate public access to any judicial document or proceeding. Cf. Times Mirror Co.873 F.2d at 1213 (rejecting as overbroad the argument that the First Amendment mandates access to any proceeding or document that implicates “self-governance or the integrity of the criminal fact-finding process”); In re Bos. Herald, Inc.321 F.3d at 187 (“In isolation, the [rationale that the public must have a full understanding to serve as an effective check] proves too much—under it, even grand jury proceedings would be public.”). As the Ninth Circuit aptly observed, “[e]very judicial proceeding, indeed every governmental process, arguably benefits from public scrutiny to some degree, in that openness leads to a better-informed citizenry and tends to deter government officials from abusing the powers of government.” Times Mirror Co.873 F.2d at 1213.

Understanding the law is a matter that precedes the media’s scrutiny of whether the government abused the Espionage Act in this case (or in Julian Assange’s). And while the elements of the offense of the Espionage Act does dictate whether evidence would be helpful or not to the defense — the consideration of a CIPA hearing — ultimately this debate was about (and significantly appeared in) jury instructions, the law as applied.

Again, SDNY’s stance seems tactical, a response to our filing’s greater focus on matters of classification than the status of the press. But the outcome — SDNY’s claim that I have the luxury of merely “speculating” about the application of the Espionage Act — is alarmingly arrogant.

I was only able to make this challenge because McClanahan was able and willing to help — and he can only do so through the support of his non-profit. If you believe fights like this are important and have the ability to include it in your year-end donations, please consider supporting  the effort with a donation via this link or PayPal. Thanks!