By Tim Leonard
Special to Consortium News
In December, I reported on digital forensics evidence relating to Guccifer 2.0 and highlighted several key points about the mysterious persona that Special Counsel Robert Mueller claims was a front for Russian intelligence to leak Democratic Party emails to WikiLeaks:
- Guccifer 2.0 fabricated evidence to claim credit for hacking the DNC (using files that were really Podesta attachments).
- Guccifer 2.0’s Russian breadcrumbs mostly came from deliberate processes and needless editing of documents.
- Guccifer 2.0’s Russian communications signals came from the persona choosing to use a proxy server in Moscow and choosing to use a Russian VPN service as end-points (and they used an email service that forwards the sender’s IP address, which made identifying that signal a relatively trivial task.)
- A considerable volume of evidence pointed at Guccifer 2.0’s activities being in American timezones (twice as many types of indicators were found pointing at American timezones as at anywhere else).
- The American timezones were incidental to other activities (e.g. blogging, social media, emailing a journalist, archiving files, etc.), and some of these were recorded independently by service providers.
- A couple of pieces of evidence with Russian indicators present had accompanying locale indicators that contradicted this, which suggested the devices used hadn’t been properly set up for use in Russia (or Romania) but may have been suitable for other countries (including America).
On the same day that Guccifer 2.0 was plastering Russian breadcrumbs on documents through a deliberate process, choosing to use Russian-themed end-points and fabricating evidence to claim credit for hacking the DNC, the operation attributed itself to WikiLeaks.
This article questions what Guccifer 2.0’s intentions were in relation to WikiLeaks in the context of what has been discovered by independent researchers during the past three years.
On June 12, 2016, in an interview with ITV’s Robert Peston, Julian Assange confirmed that WikiLeaks had emails relating to Hillary Clinton that the organization intended to publish. This announcement was prior to any reported contact with Guccifer 2.0 (or with DCLeaks).
On June 14, 2016, an article was published in The Washington Post citing statements from two CrowdStrike executives alleging that Russian intelligence hacked the DNC and stole opposition research on Trump. It was apparent that the statements had been made in the 48 hours prior to publication as they referenced claims of kicking hackers off the DNC network on the weekend just passed (June 11-12, 2016).
On that same date, June 14, DCLeaks contacted WikiLeaks via Twitter DM and for some reason suggested that both parties coordinate their releases of leaks. (It doesn’t appear that WikiLeaks responded until September 2016).
On June 15, 2016, Guccifer 2.0 appeared for the first time. He fabricated evidence to claim credit for hacking the DNC (using material that wasn’t from the DNC), used a proxy in Moscow to carry out searches (for mostly English language terms including a grammatically incorrect and uncommon phrase that the persona would use in its first blog post) and used a Russian VPN service to share the fabricated evidence with reporters. All of this combined conveniently to provide false corroboration for several claims made by CrowdStrike executives that were published just one day earlier in The Washington Post.
[CrowdStrike President Shawn Henry testified under oath behind closed doors on Dec. 5, 2017 to the U.S. House intelligence committee that his company had no evidence that Russian actors removed anything from the DNC servers. This testimony was only released earlier this month.]
First Claim Versus First Contact
On the day it emerged, the Guccifer 2.0 operation stated that it had given material to WikiLeaks and asserted that the organization would publish that material soon:
By stating that WikiLeaks would “publish them soon” the Guccifer 2.0 operation implied that it had received confirmation of intent to publish.
However, the earliest recorded communication between Guccifer 2.0 and WikiLeaks didn’t occur until a week later (June 22, 2016) when WikiLeaks reached out to Guccifer 2.0 and suggested that the persona send any new material to them rather than doing what it was doing:
[Excerpt from Special Counsel Mueller’s report. Note: “stolen from the DNC” is an editorial insert by the special counsel.]
If WikiLeaks had already received material and confirmed intent to publish prior to this direct message, why would they then suggest what they did when they did? WikiLeaks says it had no prior contact with Guccifer 2.0 despite what Guccifer 2.0 had claimed.
Needing To Know What WikiLeaks Had
Fortunately, information that gives more insight into communications on June 22, 2016 was made available on April 29, 2020 via a release of the Roger Stone arrest warrant application.
Here is the full conversation on that date (according to the application):
@WikiLeaks: Do you have secure communications?
@WikiLeaks: Send any new material here for us to review and it will have a much higher impact than what you are doing. No other media will release the full material.
@GUCCIFER_2: what can u suggest for a secure connection? Soft, keys, etc? I’m ready to cooperate with you, but I need to know what’s in your archive 80gb? Are there only HRC emails? Or some other docs? Are there any DNC docs? If it’s not secret when you are going to release it?
@WikiLeaks: You can send us a message in a .txt file here [link redacted]
@GUCCIFER_2: do you have GPG?
Why would Guccifer 2.0 need to know what material WikiLeaks already had? Certainly, if it were anything Guccifer 2.0 had sent (or the GRU had sent) he wouldn’t have had reason to inquire.
The more complete DM details provided here also suggest that both parties had not yet established secure communications.
Further communications were reported to have taken place on June 24, 2016:
@GUCCIFER_2: How can we chat? Do u have jabber or something like that?
@WikiLeaks: Yes, we have everything. We’ve been busy celebrating Brexit. You can also email an encrypted message to firstname.lastname@example.org. They key is here.
and June 27, 2016:
@GUCCIFER_2: Hi, i’ve just sent you an email with a text message encrypted and an open key.
@GUCCIFER_2: waiting for ur response. I send u some interesting piece.
Guccifer 2.0 said he needed to know what was in the 88GB ‘insurance’ archive that WikiLeaks had posted on June 16, 2016 and it’s clear that, at this stage, secure communications had not been established between both parties (which would seem to rule out the possibility of encrypted communications prior to June 15, 2016, making Guccifer 2.0’s initial claims about WikiLeaks even more doubtful).
Claims DCLeaks Is A Sub-Project Of WikiLeaks
On June 27, 2016, in an email chain to the Smoking Gun (exposing Guccifer 2.0 apparently being in the Central US timezone), Guccifer 2.0 claimed that DCLeaks was a “sub-project” of WikiLeaks.
There’s no evidence to support this. “Envoy le” is also a mistake as standard French emails read: “Envoye le.” Claims allegedly made by Guccifer 2.0 in a Twitter DM to DCLeaks on September 15, 2016 suggest that he knew this was nonsense:
There was no evidence of WikiLeaks mentioning this to Guccifer 2.0 nor any reason for why WikiLeaks couldn’t just send a DM to DCLeaks themselves if they had wanted to.
(It should also be noted that this Twitter DM activity between DCLeaks and Guccifer 2.0 is alleged by Mueller to be communications between officers within the same unit of the GRU, who, for some unknown reason, decided to use Twitter DMs to relay such information rather than just communicate face to face or securely via their own local network.)
Guccifer 2.0 lied about DCLeaks being a sub-project of WikiLeaks and then, over two months later, was seen trying to encourage DCLeaks to communicate with WikiLeaks by relaying an alleged request from WikiLeaks that there is no record of WikiLeaks ever making (and which WikiLeaks could have done themselves, directly, if they had wanted to).
The ‘About 1GB’ / ‘1Gb or So’ Archive
On July 4, 2016, Guccifer 2.0 contacted WikiLeaks:
@GUCCIFER_2: hi there, check up r email, waiting for reply.
This was followed up on July 6, 2016 with the following conversation:
@GUCCIFER_2: have you received my parcel?
@WikiLeaks: Not unless it was very recent. [we haven’ t checked in 24h].
@GUCCIFER_2: I sent it yesterday, an archive of about 1 gb. via [website link]. and check your email.
@WikiLeaks: Wil[l] check, thanks.
@GUCCIFER_2: let me know the results.
@WikiLeaks: Please don’t make anything you send to us public. It’s a lot of work to go through it and the impact is severely reduced if we are not the first to publish.
@GUCCIFER_2: agreed. How much time will it take?
@WikiLeaks: likely sometime today.
@GUCCIFER_2: will u announce a publication? and what about 3 docs sent u earlier?
@WikiLeaks: I don’t believe we received them. Nothing on ‘Brexit’ for example.
@GUCCIFER_2: wow. have you checked ur mail?
@WikiLeaks: At least not as of 4 days ago . . . . For security reasons mail cannot be checked for some hours.
@GUCCIFER_2: fuck, sent 4 docs on brexit on jun 29, an archive in gpg ur submission form is too fucking slow, spent the whole day uploading 1 gb.
@WikiLeaks: We can arrange servers 100x as fast. The speed restrictions are to anonymise the path. Just ask for custom fast upload point in an email.
@GUCCIFER_2: will u be able to check ur email?
@WikiLeaks: We’re best with very large data sets. e.g. 200gb. these prove themselves since they’re too big to fake.
@GUCCIFER_2: or shall I send brexit docs via submission once again?
@WikiLeaks: to be safe, send via [web link]
@GUCCIFER_2: can u confirm u received dnc emails?
@WikiLeaks: for security reasons we can’ t confirm what we’ve received here. e.g., in case your account has been taken over by us intelligence and is probing to see what we have.
@GUCCIFER_2: then send me an encrypted email.
@WikiLeaks: we can do that. but the security people are in another time zone so it will need to wait some hours.
@WikiLeaks: what do you think about the FBl’ s failure to charge? To our mind the clinton foundation investigation has always been the more serious. we would be very interested in all the emails/docs from there. She set up quite a lot of front companies. e.g in sweden.
@GUCCIFER_2: ok, i’ll be waiting for confirmation. as for investigation, they have everything settled, or else I don’t know how to explain that they found a hundred classified docs but fail to charge her.
@WikiLeaks: She’s too powerful to charge at least without something stronger. s far as we know, the investigation into the clinton foundation remains open e hear the FBI are unhappy with Loretta Lynch over meeting Bill, because he’s a target in that investigation.
@GUCCIFER_2: do you have any info about marcel lazar? There’ve been a lot of rumors of late.
@WikiLeaks: the death? [A] fake story.
@WikiLeaks: His 2013 screen shots of Max Blumenthal’s inbox prove that Hillary secretly deleted at least one email about Libya that was meant to be handed over to Congress. So we were very interested in his co-operation with the FBI.
@GUCCIFER_2: some dirty games behind the scenes believe Can you send me an email now?
@WikiLeaks: No; we have not been able to activate the people who handle it. Still trying.
@GUCCIFER_2: what about tor submission? [W]ill u receive a doc now?
@WikiLeaks: We will get everything sent on [weblink].” [A]s long as you see “upload succseful” at the end. [I]f you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC is approaching and she will solidify bernie supporters behind her after.
@GUCCIFER_2: ok. I see.
@WikiLeaks: [W]e think the public interest is greatest now and in early october.
@GUCCIFER_2: do u think a lot of people will attend bernie fans rally in philly? Will it affect the dnc anyhow?
@WikiLeaks: bernie is trying to make his own faction leading up to the DNC. [S]o he can push for concessions (positions/policies) or, at the outside, if hillary has a stroke, is arrested etc, he can take over the nomination. [T]he question is this: can bemies supporters+staff keep their coherency until then (and after). [O]r will they dis[s]olve into hillary’ s camp? [P]resently many of them are looking to damage hilary [sic] inorder [sic] to increase their unity and bargaining power at the DNC. Doubt one rally is going to be that significant in the bigger scheme. [I]t seems many of them will vote for hillary just to prevent trump from winning.
@GUCCIFER_2: sent brexit docs successfully.
@WikiLeaks: we think trump has only about a 25% chance of winning against hillary so conflict between bernie and hillary is interesting.
@GUCCIFER_2: so it is.
@WikiLeaks: also, it’ s important to consider what type of president hillary might be. If bernie and trump retain their groups past 2016 in significant number, then they are a restraining force on hillary.
[Note: This was over a week after the Brexit referendum had taken place, so this will not have had any impact on the results of that. It also doesn’t appear that WikiLeaks released any Brexit content around this time.]
On July 14, 2016, Guccifer 2.0 sent an email to WikiLeaks; this was covered in the Mueller report:
It should be noted that while the attachment sent was encrypted, the email wasn’t and both the email contents and name of the file were readable.
The persona then opted, once again, for insecure communications via Twitter DMs:
@GUCCIFER_2: ping. Check ur email. sent u a link to a big archive and a pass.
@WikiLeaks: great, thanks; can’t check until tomorrow though.
On July 17, 2016, the persona contacted WikiLeaks again:
@GUCCIFER_2: what bout now?
On July 18, 2016, WikiLeaks responded and more was discussed:
@WikiLeaks: have the 1 Gb or so archive.
@GUCCIFER_2: have u managed to extract the files?
@WikiLeaks: yes. turkey coup has delayed us a couple of days. [O]therwise all ready[.]
@GUCCIFER_2: so when r u about to make a release?
@WikiLeaks: this week. [D]o you have any bigger datasets? [D]id you get our fast transfer details?
@GUCCIFER_2: i’ll check it. did u send it via email?
@GUCCIFER_2: to [web link]. [I] got nothing.
@WikiLeaks: check your other mail? this was over a week ago.
@GUCCIFER_2: oh, that one, yeah, [I] got it.
@WikiLeaks: great. [D]id it work?
@GUCCIFER_2: [I] haven’ t tried yet.
@WikiLeaks: Oh. We arranged that server just for that purpose. Nothing bigger?
@GUCCIFER_2: let’s move step by step, u have released nothing of what [I] sent u yet.
@WikiLeaks: How about you transfer it all to us encrypted. [T]hen when you are happy, you give us the decrypt key. [T]his way we can move much faster. [A]lso it is protective for you if we already have everything because then there is no point in trying to shut you up.
@GUCCIFER_2: ok, i’ll ponder it
Again, we see a reference to the file being approximately one gigabyte in size.
Guccifer 2.0’s “so when r u about to make a release?” seems to be a question about his files. However, it could also have been read as relating generally to what WikiLeaks had, or even to the “Turkey Coup” material that WikiLeaks had mentioned in the previous sentence and that was published by the following day (July 19, 2016).
The way this is reported in the Mueller report, though, prevented this potential ambiguity from being known (by not citing the exact question that Guccifer 2.0 had asked and the context immediately preceding it).
Four days later, WikiLeaks published the DNC emails.
Later that same day, Guccifer 2.0 tweeted: “@wikileaks published #DNCHack docs I’d given them!!!”.
Guccifer 2.0 chose to use insecure communications to ask WikiLeaks to confirm receipt of “DNC emails” on July 6, 2016. Confirmation of this was not provided at that time but WikiLeaks did confirm receipt of a “1gb or so” archive on July 18, 2016.
Guccifer 2.0’s emails to WikiLeaks were also sent insecurely.
We cannot be certain that WikiLeaks’ statement about making a release was in relation to Guccifer 2.0’s material, and there is even a possibility that it was in reference to the Erdogan leaks published by WikiLeaks on July 19, 2016.
While the above seems troubling there are a few points worth considering:
- There is a considerable volume of evidence that contradicts the premise of Guccifer 2.0 being a GRU operation.
- The persona lied about WikiLeaks and even stated that Assange “may be connected with Russians”.
- Guccifer 2.0’s initial claim about sending WikiLeaks material (and that they would publish it soon) appears to have been made without justification and seems to be contradicted by subsequent communications from WikiLeaks.
- If the archive was “about 1GB” (as Guccifer 2.0 describes it) then it would be too small to have been all of the DNC’s emails (as these, compressed, came to 1.8GB-2GB depending on the compression method used, which, regardless, would be “about 2GB”, not “about 1GB”). If we assume that these were DNC emails, where did the rest of them come from?
- Assange has maintained that WikiLeaks didn’t publish the material that Guccifer 2.0 had sent to them. Of course, Assange could just be lying about that, but there are some other possibilities to consider. If true, there is always a possibility that Guccifer 2.0 sent them material they had already received from another source, or other emails from the DNC that they didn’t release. (Guccifer 2.0 had access to a lot of content relating to the DNC and the Democratic Party; the persona also offered emails of Democratic staffers to Emma Best, a self-described journalist, activist and ex-hacker, the month after WikiLeaks published the DNC emails, which, logically, must have been different emails to still have any value at that point in time.)
- On July 6, 2016, the same day that Guccifer 2.0 was trying to get WikiLeaks to confirm receipt of DNC emails (and on which Guccifer 2.0 agreed not to publish material he had sent them), the persona posted a series of files to his blog that were exclusively DNC email attachments.
- It doesn’t appear any further communications were reported between the parties following the July 18, 2016 communications despite Guccifer 2.0 tweeting on August 12, 2016: “I’ll send the major trove of the #DCCC materials and emails to #wikileaks keep following…” and, apparently, stating this to The Hill too.
- As there are no further communications reported beyond this point it’s fair to question whether getting confirmation of receipt of the archive was the primary objective for Guccifer 2.0 here.
- Even though WikiLeaks offered Guccifer 2.0 a fast server for large uploads, the persona later suggested he needed to find a resource for publishing a large amount of data.
- Despite later claiming he would send (or had sent) DCCC content to WikiLeaks, WikiLeaks never published such content and there doesn’t appear to be any record of any attempt to send this material to WikiLeaks.
- Digital forensics evidence places Guccifer 2.0 in the Eastern (US) timezone on July 6, 2016, the day on which he was trying to get WikiLeaks to confirm receipt of DNC emails.
Considering all of this and the fact that Guccifer 2.0 effectively covered itself in “Made In Russia” labels (by plastering files with Russian metadata and choosing to use a Russian VPN service and a proxy in Moscow for its activities) on the same day it first attributed itself to WikiLeaks, it’s fair to suspect that Guccifer 2.0 had malicious intent towards WikiLeaks from the outset.
If this was the case, Guccifer 2.0 may have known about the DNC emails by June 30, 2016 as this is when the persona first started publishing attachments from those emails.
Seth Rich Mentioned By Both Parties
WikiLeaks Offers Reward
On August 9, 2016, WikiLeaks tweeted:
ANNOUNCE: WikiLeaks has decided to issue a US$20k reward for information leading to conviction for the murder of DNC staffer Seth Rich.
— WikiLeaks (@wikileaks) August 9, 2016
In an interview with Nieuwsuur that was posted the same day, Julian Assange explained that the reward was for a DNC staffer who he said had been “shot in the back, murdered”. When the interviewer suggested it was a robbery Assange disputed it and stated that there were no findings.
When the interviewer asked if Seth Rich was a source, Assange stated, “We don’t comment on who our sources are”.
When pressed to explain WikiLeaks’ actions, Assange stated that the reward was being offered because WikiLeaks’ sources were concerned by the incident. He also stated that WikiLeaks were investigating.
Speculation and theories about Seth Rich being a source for WikiLeaks soon propagated to several sites and across social media.
Guccifer 2.0 Claims Seth Rich As His Source
On August 25, 2016, approximately three weeks after the reward was offered, Julian Assange was due to be interviewed on Fox News on the topic of Seth Rich.
On that same day, in a DM conversation with the actress Robbin Young, Guccifer 2.0 claimed that Seth was his source (despite previously claiming he obtained his material by hacking the DNC).
[Note: I am not advocating for any theory and am simply reporting on Guccifer 2.0’s effort to attribute itself to Seth Rich following the propagation of Rich-WikiLeaks association theories online.]
Special Counsel Claims
In spring 2019, Special Counsel Robert Mueller, who was named to investigate Russian interference in the 2016 U.S. general election, delivered his final report.
Guccifer 2.0 contradicted his own hacking claims to allege that Seth Rich was his source and did so on the same day that Julian Assange was due to be interviewed by Fox News (in relation to Seth Rich).
No communications between Guccifer 2.0 and Seth Rich have ever been reported.
Suggesting Assange Connected To Russians
In the same conversation Guccifer 2.0 had with Robbin Young where Rich’s name is mentioned (on August 25, 2016), the persona also provided a very interesting response to Young mentioning “Julian” (in reference to Julian Assange):
Guccifer 2.0’s Mentions of WikiLeaks and Assange
Guccifer 2.0 mentioned WikiLeaks or associated himself with their output on several occasions:
- June 15, 2016: claiming to have sent WikiLeaks material on his blog.
- June 27, 2016: when he claimed DCLeaks was a sub-project of WikiLeaks.
- July 13, 2016: Joe Uchill of The Hill reported that Guccifer 2.0 had contacted the publication and stated: “The press gradually forget about me, [W]ikileaks is playing for time and have some more docs.”
- July 22nd, 2016: claimed credit when WikiLeaks published the DNC leaks.
- August 12, 2016: It was reported in The Hill that Guccifer 2.0 had released material to the publication. They reported: “The documents released to The Hill are only the first section of a much larger cache. The bulk, the hacker said, will be released on WikiLeaks.”
- August 12, 2016: Tweeted that he would “send the major trove of the #DCCC materials and emails to #wikileaks”.
- September 15, 2016: telling DCLeaks that WikiLeaks wanted to get in contact with them.
- October 4, 2016: Congratulating WikiLeaks on their 10th anniversary via his blog. The post also states: “Julian, you are really cool! Stay safe and sound!”. (This was the same day on which Guccifer 2.0 published his “Clinton Foundation” files, which were clearly not from the Clinton Foundation.)
- October 17, 2016: via Twitter, stating “i’m here and ready for new releases. already changed my location thanks @wikileaks for a good job!”
Guccifer 2.0 also made some statements in response to WikiLeaks or Assange being mentioned:
- June 17, 2016: in response to The Smoking Gun asking if Assange would publish the same material it was publishing, Guccifer 2.0 stated: “I gave WikiLeaks the greater part of the files, but saved some for myself,”
- August 22, 2016: in response to Raphael Satter suggesting that Guccifer 2.0 send leaks to WikiLeaks, the persona stated: “I gave wikileaks a greater part of docs”.
- August 25, 2016: in response to Julian Assange’s name being mentioned in a conversation with Robbin Young, Guccifer 2.0 stated: “he may be connected with Russians”.
- October 18, 2016: a BBC reporter asked Guccifer 2.0 if he was upset that WikiLeaks had “stole his thunder” and “do you still support Assange?”. Guccifer 2.0 responded: “i’m glad, together we’ll make America great again.”
Guccifer 2.0 fabricated evidence to claim credit for hacking the DNC, covered itself (and its files) in what were essentially a collection of “Made In Russia” labels through deliberate processes and decisions made by the persona, and, then, it attributed itself to WikiLeaks with a claim that was contradicted by subsequent communications between both parties.
Guccifer 2.0 then went on to lie about WikiLeaks, contradicted its own hacking claims to attribute itself to Seth Rich and even alleged that Julian Assange “may be connected with Russians”.
While we are expected to accept that Guccifer 2.0’s efforts between July 6 and July 18 were a sincere effort to get leaks to WikiLeaks, considering everything we now know about the persona, it seems fair to question whether Guccifer 2.0’s intentions towards WikiLeaks may have instead been malicious.
Tim Leonard is a software developer who started a project to catalog and archive evidence in relation to Guccifer 2.0 in 2017 and has frequently reported on digital forensics discoveries made by various independent researchers over the past three years.
The views expressed are solely those of the author and may or may not reflect those of Consortium News.
Please Contribute to Consortium News’ 25th Anniversary Spring Fund Drive