Guccifer 2.0’s Hidden Agenda
May 21, 2020
Why would an alleged GRU officer supposedly part of an operation to deflect
Russian culpability suggest that Assange “may be connected with Russians?”,
asks Tim Leonard.
By Tim Leonard
Special to Consortium News
In December, I reported on digital forensics evidence relating to Guccifer 2.0
and highlighted several key points about the mysterious persona that Special
Counsel Robert Mueller claims was a front for Russian intelligence to leak
Democratic Party emails to WikiLeaks:
Guccifer 2.0 fabricated evidence to claim credit for hacking the DNC (using
files that were really Podesta attachments).
Guccifer 2.0’s Russian breadcrumbs mostly came from deliberate processes &
needless editing of documents.
Guccifer 2.0’s Russian communications signals came from the persona choosing to
use a proxy server in Moscow and choosing to use a Russian VPN service as
end-points (and they used an email service that forwards the sender’s IP
address, which made identifying that signal a relatively trivial task.)
A considerable volume of evidence pointed at Guccifer 2.0’s activities being in
American timezones (twice as many types of indicators were found pointing at
Guccifer 2.0’s activities being in American timezones than anywhere else).
The American timezones were incidental to other activities (e.g. blogging,
social media, emailing a journalist, archiving files, etc.) and some of these
were recorded independently by service providers.
A couple of pieces of evidence with Russian indicators present had accompanying
locale indicators that contradicted this which suggested the devices used
hadn’t been properly set up for use in Russia (or Romania) but may have been
suitable for other countries (including America).
On the same day that Guccifer 2.0 was plastering Russian breadcrumbs on
documents through a deliberate process, choosing to use Russian-themed
end-points and fabricating evidence to claim credit for hacking the DNC, the
operation attributed itself to WikiLeaks.
This article questions what Guccifer 2.0’s intentions were in relation to
WikiLeaks in the context of what has been discovered by independent researchers
during the past three years.
Timing
On June 12, 2016, in an interview with ITV’s Robert Peston, Julian Assange
confirmed that WikiLeaks had emails relating to Hillary Clinton that the
organization intended to publish. This announcement was prior to any reported
contact with Guccifer 2.0 (or with DCLeaks).
On June 14, 2016, an article was published in The Washington Post citing
statements from two CrowdStrike executives alleging that Russian intelligence
hacked the DNC and stole opposition research on Trump. It was apparent that the
statements had been made in the 48 hours prior to publication as they
referenced claims of kicking hackers off the DNC network on the weekend just
passed (June 11-12, 2016).
On that same date, June 14, DCLeaks contacted WikiLeaks via Twitter DM and for
some reason suggested that both parties coordinate their releases of leaks. (It
doesn’t appear that WikiLeaks responded until September 2016).
On June 15, 2016, Guccifer 2.0 appeared for the first time. He fabricated
evidence to claim credit for hacking the DNC (using material that wasn’t from
the DNC), used a proxy in Moscow to carry out searches (for mostly English
language terms including a grammatically incorrect and uncommon phrase that the
persona would use in its first blog post) and used a Russian VPN service to
share the fabricated evidence with reporters. All of this combined conveniently
to provide false corroboration for several claims made by CrowdStrike
executives that were published just one day earlier in The Washington Post.
[CrowdStrike President Shawn Henry testified under oath behind closed doors on
Dec. 5, 2017 to the U.S. House intelligence committee that his company had no
evidence that Russian actors removed anything from the DNC servers. This
testimony was only released earlier this month.]
First Claim Versus First Contact
On the day it emerged, the Guccifer 2.0 operation stated that it had given
material to WikiLeaks and asserted that the organization would publish that
material soon:
By stating that WikiLeaks would “publish them soon” the Guccifer 2.0 operation
implied that it had received confirmation of intent to publish.
However, the earliest recorded communication between Guccifer 2.0 and WikiLeaks
didn’t occur until a week later (June 22, 2016) when WikiLeaks reached out to
Guccifer 2.0 and suggested that the persona send any new material to them
rather than doing what it was doing:
[Excerpt from Special Counsel Mueller’s report. Note: “stolen from the DNC” is
an editorial insert by the special counsel.]
If WikiLeaks had already received material and confirmed intent to publish
prior to this direct message, why would they then suggest what they did when
they did? WikiLeaks says it had no prior contact with Guccifer 2.0 despite what
Guccifer 2.0 had claimed.
Needing To Know What WikiLeaks Had
Fortunately, information that gives more insight into communications on June
22, 2016 was made available on April 29, 2020 via a release of the Roger Stone
arrest warrant application.
Here is the full conversation on that date (according to the application):
@WikiLeaks: Do you have secure communications?
@WikiLeaks: Send any new material here for us to review and it will have a much
higher impact than what you are doing. No other media will release the full
material.
@GUCCIFER_2: what can u suggest for a secure connection? Soft, keys, etc? I’m
ready to cooperate with you, but I need to know what’s in your archive 80gb?
Are there only HRC emails? Or some other docs? Are there any DNC docs? If it’s
not secret when you are going to release it?
@WikiLeaks: You can send us a message in a .txt file here [link redacted]
@GUCCIFER_2: do you have GPG?
Why would Guccifer 2.0 need to know what material WikiLeaks already had?
Certainly, if it were anything Guccifer 2.0 had sent (or the GRU had sent) he
wouldn’t have had reason to inquire.
The more complete DM details provided here also suggest that both parties had
not yet established secure communications.
Further communications were reported to have taken place on June 24, 2016:
@GUCCIFER_2: How can we chat? Do u have jabber or something like that?
@WikiLeaks: Yes, we have everything. We’ve been busy celebrating Brexit. You
can also email an encrypted message to office@xxxxxxxxxxxxx. The key is here.
and June 27, 2016:
@GUCCIFER_2: Hi, i’ve just sent you an email with a text message encrypted and
an open key.
@WikiLeaks: Thanks.
@GUCCIFER_2: waiting for ur response. I send u some interesting piece.
Guccifer 2.0 said he needed to know what was in the 88GB ‘insurance’ archive
that WikiLeaks had posted on June 16, 2016 and it’s clear that, at this stage,
secure communications had not been established between both parties (which
would seem to rule out the possibility of encrypted communications prior to
June 15, 2016, making Guccifer 2.0’s initial claims about WikiLeaks even more
doubtful).
Claims DCLeaks Is A Sub-Project Of WikiLeaks
On June 27, 2016, in an email chain to the Smoking Gun (exposing Guccifer 2.0
apparently being in the Central US timezone), Guccifer 2.0 claimed that DCLeaks
was a “sub-project” of WikiLeaks.
There’s no evidence to support this. “Envoy le” is also a mistake as standard
French emails read: “Envoye le.” Claims allegedly made by Guccifer 2.0 in a
Twitter DM to DCLeaks on September 15, 2016 suggest that he knew this was
nonsense:
There was no evidence of WikiLeaks mentioning this to Guccifer 2.0 nor any
reason for why WikiLeaks couldn’t just send a DM to DCLeaks themselves if they
had wanted to.
(It should also be noted that this Twitter DM activity between DCLeaks and
Guccifer 2.0 is alleged by Mueller to be communications between officers within
the same unit of the GRU, who, for some unknown reason, decided to use Twitter
DMs to relay such information rather than just communicate face to face or
securely via their own local network.)
Guccifer 2.0 lied about DCLeaks being a sub-project of WikiLeaks and then, over
two months later, was seen trying to encourage DCLeaks to communicate with
WikiLeaks by relaying an alleged request from WikiLeaks that there is no record
of WikiLeaks ever making (and which WikiLeaks could have done themselves,
directly, if they had wanted to).
The ‘About 1GB’ / ‘1Gb or So’ Archive
On July 4, 2016, Guccifer 2.0 contacted WikiLeaks:
@GUCCIFER_2: hi there, check up r email, waiting for reply.
This was followed up on July 6, 2016 with the following conversation:
@GUCCIFER_2: have you received my parcel?
@WikiLeaks: Not unless it was very recent. [we haven’t checked in 24h].
@GUCCIFER_2: I sent it yesterday, an archive of about 1 gb. via [website link].
and check your email.
@WikiLeaks: Wil[l] check, thanks.
@GUCCIFER_2: let me know the results.
@WikiLeaks: Please don’t make anything you send to us public. It’s a lot of
work to go through it and the impact is severely reduced if we are not the
first to publish.
@GUCCIFER_2: agreed. How much time will it take?
@WikiLeaks: likely sometime today.
@GUCCIFER_2: will u announce a publication? and what about 3 docs sent u
earlier?
@WikiLeaks: I don’t believe we received them. Nothing on ‘Brexit’ for example.
@GUCCIFER_2: wow. have you checked ur mail?
@WikiLeaks: At least not as of 4 days ago . . . . For security reasons mail
cannot be checked for some hours.
@GUCCIFER_2: fuck, sent 4 docs on brexit on jun 29, an archive in gpg ur
submission form is too fucking slow, spent the whole day uploading 1 gb.
@WikiLeaks: We can arrange servers 100x as fast. The speed restrictions are to
anonymise the path. Just ask for custom fast upload point in an email.
@GUCCIFER_2: will u be able to check ur email?
@WikiLeaks: We’re best with very large data sets. e.g. 200gb. these prove
themselves since they’re too big to fake.
@GUCCIFER_2: or shall I send brexit docs via submission once again?
@WikiLeaks: to be safe, send via [web link]
@GUCCIFER_2: can u confirm u received dnc emails?
@WikiLeaks: for security reasons we can’t confirm what we’ve received here.
e.g., in case your account has been taken over by us intelligence and is
probing to see what we have.
@GUCCIFER_2: then send me an encrypted email.
@WikiLeaks: we can do that. but the security people are in another time zone so
it will need to wait some hours.
@WikiLeaks: what do you think about the FBI’s failure to charge? To our mind
the clinton foundation investigation has always been the more serious. we would
be very interested in all the emails/docs from there. She set up quite a lot of
front companies. e.g in sweden.
@GUCCIFER_2: ok, i’ll be waiting for confirmation. as for investigation, they
have everything settled, or else I don’t know how to explain that they found a
hundred classified docs but fail to charge her.
@WikiLeaks: She’s too powerful to charge at least without something stronger.
[A]s far as we know, the investigation into the clinton foundation remains open.
[W]e hear the FBI are unhappy with Loretta Lynch over meeting Bill, because he’s
a target in that investigation.
@GUCCIFER_2: do you have any info about marcel lazar? There’ve been a lot of
rumors of late.
@WikiLeaks: the death? [A] fake story.
@WikiLeaks: His 2013 screen shots of Max Blumenthal’s inbox prove that Hillary
secretly deleted at least one email about Libya that was meant to be handed
over to Congress. So we were very interested in his co-operation with the FBI.
@GUCCIFER_2: some dirty games behind the scenes believe Can you send me an
email now?
@WikiLeaks: No; we have not been able to activate the people who handle it.
Still trying.
@GUCCIFER_2: what about tor submission? [W]ill u receive a doc now?
@WikiLeaks: We will get everything sent on [weblink]. [A]s long as you see
“upload succseful” at the end. [I]f you have anything hillary related we want
it in the next tweo [sic] days prefable [sic] because the DNC is approaching
and she will solidify bernie supporters behind her after.
@GUCCIFER_2: ok. I see.
@WikiLeaks: [W]e think the public interest is greatest now and in early october.
@GUCCIFER_2: do u think a lot of people will attend bernie fans rally in
philly? Will it affect the dnc anyhow?
@WikiLeaks: bernie is trying to make his own faction leading up to the DNC.
[S]o he can push for concessions (positions/policies) or, at the outside, if
hillary has a stroke, is arrested etc, he can take over the nomination. [T]he
question is this: can bernies supporters+staff keep their coherency until then
(and after). [O]r will they dis[s]olve into hillary’s camp? [P]resently many
of them are looking to damage hilary [sic] inorder [sic] to increase their
unity and bargaining power at the DNC. Doubt one rally is going to be that
significant in the bigger scheme. [I]t seems many of them will vote for hillary
just to prevent trump from winning.
@GUCCIFER_2: sent brexit docs successfully.
@WikiLeaks: :))).
@WikiLeaks: we think trump has only about a 25% chance of winning against
hillary so conflict between bernie and hillary is interesting.
@GUCCIFER_2: so it is.
@WikiLeaks: also, it’s important to consider what type of president hillary
might be. If bernie and trump retain their groups past 2016 in significant
number, then they are a restraining force on hillary.
[Note: This was over a week after the Brexit referendum had taken place, so
this will not have had any impact on the results of that. It also doesn’t
appear that WikiLeaks released any Brexit content around this time.]
On July 14, 2016, Guccifer 2.0 sent an email to WikiLeaks, this was covered in
the Mueller report:
It should be noted that while the attachment sent was encrypted, the email
wasn’t and both the email contents and name of the file were readable.
The persona then opted, once again, for insecure communications via Twitter DMs:
@GUCCIFER_2: ping. Check ur email. sent u a link to a big archive and a pass.
@WikiLeaks: great, thanks; can’t check until tomorrow though.
On July 17, 2016, the persona contacted WikiLeaks again:
@GUCCIFER_2: what bout now?
On July 18, 2016, WikiLeaks responded and more was discussed:
@WikiLeaks: have the 1 Gb or so archive.
@GUCCIFER_2: have u managed to extract the files?
@WikiLeaks: yes. turkey coup has delayed us a couple of days. [O]therwise all
ready[.]
@GUCCIFER_2: so when r u about to make a release?
@WikiLeaks: this week. [D]o you have any bigger datasets? [D]id you get our
fast transfer details?
@GUCCIFER_2: i’ll check it. did u send it via email?
@WikiLeaks: yes.
@GUCCIFER_2: to [web link]. [I] got nothing.
@WikiLeaks: check your other mail? this was over a week ago.
@GUCCIFER_2: oh, that one, yeah, [I] got it.
@WikiLeaks: great. [D]id it work?
@GUCCIFER_2: [I] haven’t tried yet.
@WikiLeaks: Oh. We arranged that server just for that purpose. Nothing bigger?
@GUCCIFER_2: let’s move step by step, u have released nothing of what [I] sent
u yet.
@WikiLeaks: How about you transfer it all to us encrypted. [T]hen when you are
happy, you give us the decrypt key. [T]his way we can move much faster. [A]lso
it is protective for you if we already have everything because then there is no
point in trying to shut you up.
@GUCCIFER_2: ok, i’ll ponder it
Again, we see a reference to the file being approximately one gigabyte in size.
Guccifer 2.0’s “so when r u about to make a release?” seems to be a question
about his files. However, it could have been inferred as generally relating to
what WikiLeaks had or even material relating to the “Turkey Coup” that
WikiLeaks had mentioned in the previous sentence and that were published by the
following day (July 19, 2016).
The way this is reported in the Mueller report, though, prevented this
potential ambiguity being known (by not citing the exact question that Guccifer
2.0 had asked and the context immediately preceding it).
Four days later, WikiLeaks published the DNC emails.
Later that same day, Guccifer 2.0 tweeted: “@wikileaks published #DNCHack docs
I’d given them!!!”.
Guccifer 2.0 chose to use insecure communications to ask WikiLeaks to confirm
receipt of “DNC emails” on July 6, 2016. Confirmation of this was not provided
at that time but WikiLeaks did confirm receipt of a “1gb or so” archive on July
18, 2016.
Guccifer 2.0’s emails to WikiLeaks were also sent insecurely.
We cannot be certain that WikiLeaks’ statement about making a release was in
relation to Guccifer 2.0’s material, and there is even a possibility that it
could have been a reference to the Erdogan leaks published by WikiLeaks on
July 19, 2016.
Ulterior Motives?
While the above seems troubling there are a few points worth considering:
There is a considerable volume of evidence that contradicts the premise of
Guccifer 2.0 being a GRU operation.
The persona lied about WikiLeaks and even stated that Assange “may be connected
with Russians”.
Guccifer 2.0’s initial claim about sending WikiLeaks material (and that they
would publish it soon) appears to have been made without justification and
seems to be contradicted by subsequent communications from WikiLeaks.
If the archive was “about 1GB” (as Guccifer 2.0 describes it) then it would be
too small to have been all of the DNC’s emails (as these, compressed, came to
1.8GB-2GB depending on compression method used, which, regardless, would be
“about 2GB” not “about 1GB”). If we assume that these were DNC emails, where
did the rest of them come from?
Assange has maintained that WikiLeaks didn’t publish the material that Guccifer
2.0 had sent to them. Of course, Assange could just be lying about that but
there are some other possibilities to consider. If true, there is always a
possibility that Guccifer 2.0 could have sent them material they had already
received from another source or other emails from the DNC that they didn’t
release (Guccifer 2.0 had access to a lot of content relating to the DNC and
Democratic party and the persona also offered emails of Democratic staffers to
Emma Best, a self-described journalist, activist and ex-hacker, the month after
WikiLeaks published the DNC emails, which, logically, must have been different
emails to still have any value at that point in time).
On July 6, 2016, the same day that Guccifer 2.0 was trying to get WikiLeaks to
confirm receipt of DNC emails (and on which Guccifer 2.0 agreed not to publish
material he had sent them), the persona posted a series of files to his blog
that were exclusively DNC email attachments.
It doesn’t appear any further communications were reported between the parties
following the July 18, 2016 communications despite Guccifer 2.0 tweeting on
August 12, 2016: “I’ll send the major trove of the #DCCC materials and emails
to #wikileaks keep following…” and, apparently, stating this to The Hill too.
As there are no further communications reported beyond this point it’s fair to
question whether getting confirmation of receipt of the archive was the primary
objective for Guccifer 2.0 here.
Even though WikiLeaks offered Guccifer 2.0 a fast server for large uploads, the
persona later suggested he needed to find a resource for publishing a large
amount of data.
Despite later claiming he would send (or had sent) DCCC content to WikiLeaks,
WikiLeaks never published such content and there doesn’t appear to be any
record of any attempt to send this material to WikiLeaks.
Digital forensics evidence places Guccifer 2.0 in the Eastern (US) timezone on
July 6, 2016, the day on which he was trying to get WikiLeaks to confirm
receipt of DNC emails.
Considering all of this and the fact that Guccifer 2.0 effectively covered itself
in “Made In Russia” labels (by plastering files with Russian metadata and choosing
to use a Russian VPN service and a proxy in Moscow for its activities) on the
same day it first attributed itself to WikiLeaks, it’s fair to suspect that
Guccifer 2.0 had malicious intent towards WikiLeaks from the outset.
If this was the case, Guccifer 2.0 may have known about the DNC emails by June
30, 2016 as this is when the persona first started publishing attachments from
those emails.
source: https://theforensicator.wordpress.com/guccifer-2s-russian-breadcrumbs/
Seth Rich Mentioned By Both Parties
WikiLeaks Offers Reward
On August 9, 2016, WikiLeaks tweeted:
@wikileaks: “ANNOUNCE: WikiLeaks has decided to issue a US$20k reward for
information leading to conviction for the murder of DNC staffer Seth Rich.”
(11:58 AM, Aug 9, 2016)
In an interview with Nieuwsuur that was posted the same day, Julian Assange
explained that the reward was for a DNC staffer who he said had been “shot in
the back, murdered”. When the interviewer suggested it was a robbery Assange
disputed it and stated that there were no findings.
When the interviewer asked if Seth Rich was a source, Assange stated, “We don’t
comment on who our sources are”.
When pressed to explain WikiLeaks’ actions, Assange stated that the reward was
being offered because WikiLeaks’ sources were concerned by the incident. He
also stated that WikiLeaks were investigating.
Speculation and theories about Seth Rich being a source for WikiLeaks soon
propagated to several sites and across social media.
Guccifer 2.0 Claims Seth Rich As His Source
On August 25, 2016, approximately three weeks after the reward was offered,
Julian Assange was due to be interviewed on Fox News on the topic of Seth Rich.
On that same day, in a DM conversation with the actress Robbin Young, Guccifer
2.0 claimed that Seth was his source (despite previously claiming he obtained
his material by hacking the DNC).
Why did Guccifer 2.0 feel the need to attribute itself to Seth at this time?
[Note: I am not advocating for any theory and am simply reporting on Guccifer
2.0’s effort to attribute itself to Seth Rich following the propagation of
Rich-WikiLeaks association theories online.]
Special Counsel Claims
In Spring, 2019, Special Counsel Robert Mueller, who was named to investigate
Russian interference in the 2016 U.S. general election, delivered his final
report.
It claimed:
Guccifer 2.0 contradicted his own hacking claims to allege that Seth Rich was
his source and did so on the same day that Julian Assange was due to be
interviewed by Fox News (in relation to Seth Rich).
No communications between Guccifer 2.0 and Seth Rich have ever been reported.
Suggesting Assange Connected To Russians
In the same conversation Guccifer 2.0 had with Robbin Young where Rich’s name
is mentioned (on August 25, 2016), the persona also provided a very interesting
response to Young mentioning “Julian” (in reference to Julian Assange):
The alleged GRU officer we are told was part of an operation to deflect from
Russian culpability suggested that Assange “may be connected with Russians”.
Guccifer 2.0’s Mentions of WikiLeaks and Assange
Guccifer 2.0 mentioned WikiLeaks or associated himself with their output on
several occasions:
June 15, 2016: claiming to have sent WikiLeaks material on his blog.
June 27, 2016: when he claimed DCLeaks was a sub-project of WikiLeaks.
July 13, 2016: Joe Uchill of The Hill reported that Guccifer 2.0 had contacted
the publication and stated: “The press gradually forget about me, [W]ikileaks
is playing for time and have some more docs.”
July 22nd, 2016: claimed credit when WikiLeaks published the DNC leaks.
August 12, 2016: It was reported in The Hill that Guccifer 2.0 had released
material to the publication. They reported: “The documents released to The Hill
are only the first section of a much larger cache. The bulk, the hacker said,
will be released on WikiLeaks.”
August 12, 2016: Tweeted that he would “send the major trove of the #DCCC
materials and emails to #wikileaks”.
September 15, 2016: telling DCLeaks that WikiLeaks wanted to get in contact
with them.
October 4, 2016: Congratulating WikiLeaks on their 10th anniversary via its
blog. Also states: “Julian, you are really cool! Stay safe and sound!”. (This
was the same day on which Guccifer 2.0 published his “Clinton Foundation” files
that were clearly not from the Clinton Foundation.)
October 17, 2016: via Twitter, stating “i’m here and ready for new releases.
already changed my location thanks @wikileaks for a good job!”
Guccifer 2.0 also made some statements in response to WikiLeaks or Assange
being mentioned:
June 17, 2016: in response to The Smoking Gun asking if Assange would publish
the same material it was publishing, Guccifer 2.0 stated: “I gave WikiLeaks the
greater part of the files, but saved some for myself,”
August 22, 2016: in response to Raphael Satter suggesting that Guccifer 2.0
send leaks to WikiLeaks, the persona stated: “I gave wikileaks a greater part
of docs”.
August 25, 2016: in response to Julian Assange’s name being mentioned in a
conversation with Robbin Young, Guccifer 2.0 stated: “he may be connected with
Russians”.
October 18, 2016: a BBC reporter asked Guccifer 2.0 if he was upset that
WikiLeaks had “stole his thunder” and “do you still support Assange?”. Guccifer
2.0 responded: “i’m glad, together we’ll make America great again.”
Guccifer 2.0 fabricated evidence to claim credit for hacking the DNC, covered
itself (and its files) in what were essentially a collection of “Made In
Russia” labels through deliberate processes and decisions made by the persona,
and, then, it attributed itself to WikiLeaks with a claim that was contradicted
by subsequent communications between both parties.
Guccifer 2.0 then went on to lie about WikiLeaks, contradicted its own hacking
claims to attribute itself to Seth Rich and even alleged that Julian Assange
“may be connected with Russians”.
While we are expected to accept that Guccifer 2.0’s efforts between July 6 and
July 18 were a sincere effort to get leaks to WikiLeaks, considering everything
we now know about the persona, it seems fair to question whether Guccifer 2.0’s
intentions towards WikiLeaks may have instead been malicious.
Tim Leonard is a software developer that started a project to catalog and
archive evidence in relation to Guccifer 2.0 in 2017 and has frequently
reported on digital forensics discoveries made by various independent
researchers over the past three years.