The Rabbit Files 2.0: Russian Hackers, DCLeaks, and Guccifer 2

In late February 2016, Counterpunch received their first submission from “Alice Donovan,” an online persona pretending to be a freelance journalist that the U.S. intelligence community later concluded was used by Russian hackers. Other outlets like The Duran, MintPress News, WeAreChange, Activist Post, and Popular Resistance were also duped by Donovan and collectively they published at least a dozen of “her” articles, the majority of which were plagiarized to some extent.

One article published by WeAreChange.org and attributed to “Alice,” focused on the #BlacksAgainstHillary hashtag launched by a movement called “Baltimore is Everywhere,” a likely take off of the slogan used by protestors after the death of Freddy Grey. The article reported that the campaign’s activists were affiliated with BLM, they were pro-Bernie Sanders, and their goal was to “express disapproval” for Hillary Clinton as a candidate.

However, an investigation into Donovan by the Digital Forensic Research Lab (please note that the DFRLab is led by the Atlantic Council) reported that an archive of over 200,000 tweets from the main Russian troll farm and preserved by NBC News showed that they never used the #BlacksAgainstHillary hashtag. According to The Duran:

“For an intelligence agency to create and sustain the “Alice Donovan” persona for the two years of its existence in order to duplicate badly the work of other writers looks to me like an exercise in utter pointlessness…Even if one allows for gross inefficiency and wastefulness on the part of Russian intelligence this seems just too crazily disproportionate to be believable.”

Counterpunch also published some of Donovan’s stories and after their own investigation
into the mysterious persona they found that “Donovan was only a minor character in this meddling melodrama.” DFRLab also concluded that the “Baltimore is Everywhere” group led by Donovan’s voice, “appeared to belong to a separate operation.” A separate operation.

DCLeaks Facebook, Twitter, and Alice

On March 19, 2016, just a few weeks after “Alice” started submitting articles to unsuspecting media platforms, John Podesta became the target of an alleged Russian spear-phishing operation, as did others in the following weeks. According to the U.S. government, over a month later, between April 14–18th, the Russians also hacked the DNC and DCCC, after which they immediately registered DCLeaks.com, a website used to leak documents and that Guccifer 2 would later claim was a “sub-project” of WikiLeaks.

On June 8th, the same day that DCLeaks.com went live, two social media accounts were created: A DCLeaks Facebook page using a pre-existing Facebook account under the same name mentioned earlier, “Alice Donovan”; and a Twitter account using the handle @dcleaks_. For what it’s worth (probably not much), the Netyksho indictment states that the same computer used to operate the @dcleaks_ account was also used to operate the @BaltimoreIsWhr account (one of the accounts that used the hashtag #BlacksAgainstHillary).

Additionally, according to the 2019 Report on the Investigation Into Russian Interference in the 2016 Presidential Election, Volume I (“Mueller Report”), “GRU officers operated a Facebook page under the DCLeaks moniker which they primarily used to promote releases of materials. The Facebook page was administered through a small number of preesixsting GRU-controlled Facebook accounts.” The footnote that accompanies this passage reads “See, e.g. Facebook Account 100008825623541 (Alice Donovan).”

DCLeaks.com Documents

On the same day that DCLeaks.com went live, the website published several archives including the “Hillary Clinton Election Staff clips.” Stephen McIntyre (@ClimateAudit) determined that the HRC staff clips archive consisted of 72 documents, all of which were later found as attachments in WikiLeaks’ Podesta emails. Accordingly, the “distribution lists on the emails were all senior insiders of the Hillary campaign,” not DNC finance officials found in the DNC emails. McIntyre also noted that the spear-phishing of Podesta was identical to the phishing that occurred to former DNC field director, Billy Rinehart Jr., whose emails also showed up in DCLeaks.

On June 12th, four days after DCLeaks.com started dumping documents, Julian Assange announced on iTV’s Preston on Sunday that WikiLeaks would be publishing more material related to Hillary Clinton (more about the confusion that followed his announcement via MintPress News). McIntyre pointed this out over two years ago:

“[O]n June 12, 2016, @JulianAssange announced ‘upcoming leaks in relation to Hillary Clinton … We have emails pending publication’. This announcement is believed by many to have precipitated DNC’s announcement of hack (via WaPo and Crowdstrike) however, there was relevant incident on June 8, thus far unnoticed in this respect. On June 8, DCLeaks published https://web.archive.org/web/20160613143949/http://dcleaks.com/… several archives, one of which was entitled ‘HILLARY CLINTON ELECTION STAFF CLIPS’.

Is it possible that when Assange announced they had more material related to Hillary Clinton that he was referring to the Podesta emails and could it be that his announcement was actually in response to DCLeaks’ leaks? I don’t think it’s known when WikiLeaks obtained Podesta’s emails (yes, I’m aware of Craig Murray’s claims and the date of the raw files — September 19th) but if they did have them by June 8th then surely Assange must have been aware that DCLeaks was leaking emails already in his possession? And it wouldn’t have been the only time he publicly countered someone else’s leaks (e.g. The Shadowbrokers).

Guccifer 2.0

Two days after Assange’s announcement, the Washington Post reported that the DNC was hacked and within 24 hours Guccifer 2 showed up on WordPress taking credit for it. On the day of G2’s arrival, a (manipulated) Trump Opposition Research file later found in the Podesta emails was released on G2’s site. This isn’t terribly surprising since the Washington Post gave the (Russian) hackers a head’s up by specifically reporting that they had “gained access to the entire database of opposition research on GOP presidential candidate Donald Trump.” Even their headline read, “Russian government hackers penetrated DNC, stole opposition research on Trump.” Metadata shows that the first five documents Guccifer 2 released, including the Trump Opposition Research document, were all manipulated within “a single half-hour in the early afternoon of June 15,” the day after the WP article was published.

What is surprising is that you would think someone would have noticed that DCLeaks.com leaked at least 72 documents on June 8th that didn’t come from the DNC and sure, maybe they weren’t aware of the spear-phishing attacks at that point but here’s the thing: The very data that the Washington Post reported on that was allegedly “hacked” and stolen from the DNC — the Trump opposition research files — didn’t even come from the DNC! So who fed them this information? Not to get wildly speculative but was this the intelligence community’s way of telling the hackers, “We know what else you have”?

Going back to McIntyre’s early observations, I think it’s safe to say that if you want to keep rolling with the theory that the CIA, DNC, and Crowdstrike were the creators of a Romanian hacker named Guccifer 2, you have to consider the fact that they could have been putting the G2 operation together as early as late April-early May (when Crowdstrike was first called in by the DNC), or June 8th (when DCLeaks.com started leaking documents) — both of which happened before Assange made his announcement.

McIntyre has done a lot of research into DCLeaks and Guccifer 2’s documents and I respect his work although admittedly I don’t understand half of it due to its technical nature. In October 2017, he theorized that G2 may have started hacking the DNC as early as January 2016, and that they might indeed have been a lone wolf hacker. Perhaps like “Alice Donovan,” Guccifer 2 was a separate operation? But please note that I spoke with McIntyre and he doesn’t subscribe to the lone wolf theory as THE theory for Guccifer 2. Based on his research, it’s just one theory proposed. And any theories that I put forth are just that, my own theories, and they should not be attributed to anyone else.

You can read his entire Twitter thread HERE where he discusses the 72 emails that can be attributed to the Podesta emails, a connection, he stated, that “has not been reported.” It should also be noted that he revealed some of the documents Guccifer 2 dropped on his WordPress (on June 30th and July 6th) “also occur as attachments in DNC hack emails.” This means that Guccifer 2 published emails that were found in both the DNC and Podesta emails later published by WikiLeaks.

The Fake Guccifer 2.0

In case it’s of any importance, which I’m not sure if it is, the day after DCLeaks.com started posting online, former #OpIsis activist (read more about #OpIsis and GhostSec here) and alleged member of an Anonymous group called “BunnySec,” Cassandra Ford, created a Guccifer 2 Twitter account prior to the online appearance of the “real” Guccifer 2. Ford claims that she created the account on June 9th under a different handle and didn’t change it until after G2 showed up, essentially beating G2 to the punch and grabbing the handle name first.

Ford was interviewed by the Mueller investigation and there doesn’t appear to be any wrong doing on her part but there’s still an interesting tell here. Whoever was behind Guccifer 2 either had no initial plans to use Twitter as a platform or incompetency led to their failure to think ahead. Either way, it doesn’t exactly scream that the Russians (or whoever was behind DCLeaks and Guccifer 2) were planning on storming social media, does it?

The Alice Donovan Links

By mid-June 2016, there were at least ten social media accounts and websites in play that were allegedly — or one would surmise based on the U.S. government’s conclusions — controlled by the Russians, some of which both Mueller and the Netyksho indictment addressed, while others were completely ignored:

• (April 19, 2016) DCLeaks.com
• (May 2016) Alice Donovan Twitter account @_alicedonovan_
• (unknown) Alice Donovan Facebook account
• (unknown, earliest tweet to them is June 2, 2016) @baltimoreiswhr
• (unknown) @dcleaks
• (June 8, 2016) DCLeaks Facebook page
• (June 8, 2016) @dcleaks_
• (June 15, 2016) Guccifer 2’s WordPress
• (June 9/16th) @guccifer2
• (June 16, 2016) @GUCCIFER_2

Again, the first @guccifer2 Twitter account was created by Cassandra Ford and there doesn’t appear to be anything terribly sketch about her, she just had the unfortunate idea to use a Twitter handle that landed her a visit from the FBI. There were also two DCLeaks Twitter accounts but only the one with the underscore (@dcleaks_) was mentioned in the Mueller report and indictment. Like the 2015 Cozy Bear intrusion into the DNC, there wasn’t a peep made about @dcleaks. Same goes for the Alice Donovan Twitter account despite the fact that Counterpunch reported that the @_AliceDonovan_ Twitter account contacted them directly “asking if we’d received her submission on Venezuela.”

I also don’t know if the @dcleaks account pre-dated the @dcleaks_ which could indicate another Cassandra Ford situation. Lastly, why don’t we know anything about Guccifer 2’s WordPress? Did the feds subpoena WordPress for the information G2 used to create the account? I find this all very bizarre. If we exclude all of the accounts that weren’t mentioned in the Mueller report/indictment or were cleared, we’re left with:

• (May 2016) Alice Donovan Twitter account @_alicedonovan_
• (unknown) @dcleaks
• (June 14, 2016) Guccifer 2’s WordPress
• (June 9/15th) @guccifer2
• (unknown) Alice Donovan Facebook account
• (unknown, earliest tweet to them is June 2, 2016) @baltimoreiswhr
• (June 8, 2016) DCLeaks Facebook page
• (June 8, 2016) @dcleaks_
• April 19, 2016)) DCLeaks.com
• (June 15, 2016) @GUCCIFER_2

So how do these six accounts link not only to each other and Russian operatives, but to the DCCC and DNC attacks using targeted spear-phishing and malware like X-Agent and X-Tunnel? Let’s start with Alice Donovan.

The Netyksho indictment said that the same computer used to log into the @baltimoreiswhr account, which was allegedly tied to the freelance journalist “Alice Donovan” based on messaging and content, was also used to log into the @dcleaks_ Twitter account. There was also an Alice Donovan Facebook account that was used to manage (and/or create) the DCLeaks Facebook page.

So we have the two Twitter accounts @baltimoreiswhr and @dcleaks_ linked by a computer and these two accounts were allegedly linked to the two Facebook accounts (Alice Donovan and DCLeaks) only by a name. Additionally, nothing in the indictment or Mueller’s report ties these four accounts to spear-phishing or malware implanted on the DCCC and DNC networks.

DCLeaks.com and @GUCCIFER_2

This leaves us with DCLeaks.com and the GUCCIFER_2 Twitter account. Going through the indictment, here’s what we find:

• Page 13: An bitcoin account registered to the email account @dirbinsaabol@mail.com was used to register (pay for) the domain DCLeaks.com
• Page 13: A URL-shortening link account used to spearphish John Podesta (and others) was registered to @dirbinsaabol@mail.com.
• Page 17: The same “pool of bitcoin funds” was used to purchase a VPN account and lease a server in Malaysia.
• Page 16: The Malaysian server was used to host DCLeaks.com
• Page 17: On July 6, 2016, the same VPN mentioned above was used to log into the @Guccifer_2 Twitter account
• Page 17: The VPN account was opened from the same server that was used to register malicious domains. Which server was that??
• Page 24: A bitcoin address was used to purchase a VPN account, to lease a Malaysian server that hosted DCLeaks.com, and then the VPN was used to log into Guccifer_2’s Twitter account.

First, we have DCLeaks.com, a VPN account, a server in Malaysia, a URL-shortening account used for spear-phishing, malicious domains used for spear-phishing, and the Guccifer 2 Twitter account all linked through the same pool of money, server, VPN, and/or email address. Again, not a word about Guccifer 2’s WordPress where G2 was releasing documents.

Second, the indictment says that the Russians purchased the Malaysian server sometime between March 14-April 28, 2016, but, oddly, the server wasn’t the first one to host DCLeaks.com. After the domain was (re)registered with a Romanian hosting company called THCServers.com on April 19th, it was moved ten days later to a hosting company called FlokiNET, an Icelandic hosting company that also hosts WikiLeaks. The service is friendly towards journalists and whistle-blowers and the founder, Kolja Weber, used to be chairman of the Bergedorf Pirates, a former district association within the German Pirate Party. It wasn’t until May 5th that the domain moved to Shinjiru Technology in Kuala Lumpur, Malaysia.

The question is not only why they didn’t use the Malaysian server from the start, the question is also why Mueller didn’t mention FlokiNet or how those pesky Russians paid for that hosting? AP journalists visited the Romanian office of THCServers.com and Shinjiru Technology in Malaysia, and they were told by both companies that neither the FBI nor any other U.S. officials ever approached them about DCLeaks.com.

X-Agent and X-Tunnel

So let’s look at X-Agent and X-Tunnel, the malware that was implanted on the DNC and DCCC systems. Here’s what we have from the indictment: Two alleged Russian bitcoin accounts using the names “Ward DeClaur” and “Mike Long” (or maybe one account using two fictitious names) leased a server in Illinois to administer X-Tunnel, a type of malware that was used to extract emails and documents from the networks. These same two fictitious names were also used to lease two servers that were allegedly used to hack the DNC’s cloud network (this alleged hack didn’t happen until September 2016).

At no point in the indictment does it say that these two accounts came from the Russian bitcoin mining operation that was mentioned or the “same pool of funds” used for other things like purchasing the VPN, registering DCLeaks.com, or the Malaysian server. DeClaur and Long fall under a subsection of the indictment that reads, “The Conspirators used the same funding structure — and in some cases, the very same pool of funds — to purchase key accounts, servers, and domains used in their election-related hacking activity.” Right. The Russians used the same funding structure and in some cases the same pool of funds — so was DeClaur and Long representative of the Russians’ funding structure or did the accounts use bitcoin from same pool of funds?

As a fun side note, there’s a Ward DeClaur Facebook page that’s still online and the words in the picture, “Jenter kan ogsa drepe,” aren’t Russian. It’s Norwegian and it means “Girls can also kill.” Based on the date of the upload, this was likely another social media account posing as something it wasn’t.

As for DeClaur and Long’s ties to the Russian hacking operation outside of the fictitious names that leased some servers, we’re given no answers so that leaves us with “Daniel Farell.” According to the indictment:

“The bitcoin mining operation that funded the registration payment for dcleaks.com also sent newly-minted bitcoin to a bitcoin address controlled by “Daniel Farell,” the persona that was used to renew the domain linuxkrnl.net. The bitcoin mining operation also funded, through the same bitcoin address, the purchase of servers and domains used in the GRU’s spearphishing operations, including accountsqooqle.com and account-gooogle.com.”

And there’s your tie between the malware implanted on the networks and the website, DCLeaks.com. To be clear, the indictment doesn’t say that the “Daniel Farell” account was used to pay for the DCLeaks.com registration, it simply received newly minted bitcoin from the same mining operation. We don’t know the name used to register DCLeaks.com, we only know that the email address attached to the bitcoin account that paid for it was dirbinsaabol@mail.com.” That address was tied to spear-phishing, not malware. “Daniel Farell” was also tied to spear-phishing but malware? Let’s take a look.

“Starting in June 2016, the GRU posted stolen documents onto the website dcleaks.com, including documents stolen from a number of individuals associated with the Clinton Campaign.
These documents appeared to have originated from personal email accounts (in particular, Google and Microsoft accounts), rather than the DNC and DCCC computer networks.”

- Mueller Report

The issue with linuxkrnl.net is that even though the Russians allegedly used this domain to stay in contact with/control X-Agent (it’s a type of malware used screenshooting victims’ computer screens, keylogging e.g. to gain passwords), McIntyre did some digging into linuxkrnl.net and found that the domain appeared to be defunct approximately three weeks after the Daniel Farell account renewed it in mid-2015. Here’s McIntyre’s deep dive Twitter thread on linuxkrnl.net.

So how in the world did the Russians use the domain to control X-Agent implanted on DNC and DCCC networks in 2016, if it was defunct by the end of July 2015? Right, they couldn’t unless there’s some technical nugget we haven’t figured out yet. If what McIntyre discovered is accurate, that means that the links between malware and DCLeaks.com (and everything else allegedly tied to the website) doesn’t appear to exist. Sure, maybe the same mining operation gave bitcoin to “Daniel Farell” and the account that registered DCLeaks.com, but there’s no ties to X-Agent without linuxkrnl.net. At least not according to the indictment and the Mueller report.

Russian Bitcoin Accounts

Maybe I missed it but where was the evidence that pointed to any of the bitcoin accounts mentioned in Mueller’s report or the indictment, you know, the ones used to purchase servers, VPNs, and hosting services, being tied to the GRU? The evidence is that they say so? The first Russian “dedicated account” they used to track bitcoin transactions and facilitate payments (and appears to be Mueller’s ground zero) is “gfadel47,” and we don’t even know what that account did aside from receiving “hundreds of bitcoin payment requests from approximately 100 different emails accounts,” and Mueller doesn’t tell us which email accounts.

On February 1, 2016, the account also received instructions to “please send exactly 0.026043 bitcoin,” to another account and, sure, that transaction was found in the chain but what was it used for? What ties “gfadel47,” a bitcoin account only mentioned in one short paragraph in the entire indictment, to Russian hacking?

And for those of you that are familiar with the crypto exchanges BTC-e and CEX.io that were also mentioned in the Mueller report, regardless of which country or nationalities those companies are linked to (Ukraine seems to come up a lot), they’ve never been tied to the Russians’ alleged hacking operations aside from being exchanges that they allegedly used like thousands of other people. For instance, the U.S. indictment against the Russian computer expert and former CEO of BTC-e, Alexander Vinnik, doesn’t even mention the DNC or DCCC operations. He was charged with 21 counts of money laundering, none of which relates to 2016 election hacking.

So Where Does That Leave Us?

Alice

The Alice Donovan persona and the Baltimore is Everywhere campaign were small potatoes, baby spuds, if you will, in the big scheme of happened during the 2016 U.S. election. DFRLabs thought that “Alice Donovan” might have been a separate operation, Counterpunch thought Donovan was a “minor character in this meddling melodrama,” and the Washington Post reported that the Russians struggled to publicize “hacked” documents.

It seems almost trite that the government mentioned Donovan while simultaneously burying the @_alicedonovan_ Twitter account. On June 14th, the DCLeaks’ Facebook page posted, “Check restricted documents from Hillary Clinton’s presidential campaign staff,” with a link to the DCLeaks.com website but it only received 11 likes and 17 shares. One has to wonder why Russia didn’t use their own troll farms to direct more traffic and attention to their own leaks. Senator Richard Burr said the Senate Intelligence report helped them “better understand how the GRU conducts its information warfare operations,” but if Alice Donovan is any indication as to how Russia conducts cyber warfare on social media, I’d say we have nothing to worry about.

With that said, @dcleaks_ and @baltimoreiswhr were linked in the indictment via the same computer. These two accounts were then linked in name alone to the DCLeaks Facebook page which was linked to another Facebook page using the name “Alice Donovan.” I’m comfortable saying that these four social media accounts may indeed have been linked, or at least this:

@dcleaks_ = @baltimoreiswhr

DCLeaks Facebook = Alice Donovan Facebook

…but I do not believe that these four social media accounts had any ties to spear-phishing or planting malware in the DNC and DCCC networks. And yes, the DCLeaks Facebook page and the @dcleaks_ Twitter account contacted reporters and were able to give them the password to password-protected content on the DCLeaks.com website on at least two different occasions but the only conclusion we can come to with such limited information is that for reasons unknown they were given or had the password. Don’t forget that Donovan’s “Baltimore is Everywhere” campaign was not pro-Trump. It was pro-Bernie Sanders.

DCLeaks.com and @GUCCIFER_2

I also believe that the @Guccifer_2 Twitter account, DCLeaks.com (website, not Twitter), the VPN account, the Malaysia server, and spear-phishing operations were all linked. I don’t believe that any of these accounts/website are linked to planting malware. That doesn’t mean I think the Russians were behind these accounts. I simply don’t know. A super interesting tidbit that the mainstream media won’t report on is that DCLeaks.com not only shared documents found in Podesta’s emails, they released at least three documents that the Ukrainian hacking group, CyberBerkut, had released previously. One online user asked, “Same hack or did they share?”

Researchers have actually found a myriad of similarities between CyberBerkut and DCLeaks.com including the fascination with George Soros. In June 2015, CyberBerkut released letters allegedly written by Soros about his heavy involvement in the Ukraine, and on November 13, 2015, the hacking group discussed Soros, his NGOs in Russia, and how Russian law on foreign agents had become a concern for the Open Society Foundation. Two weeks later, Soros was essentially kicked out of Russia and as I noted on Twitter a few days back, it always surprised me that during the 2016 election season, no one took notice of his expulsion from Russia and his considerable interest in the Ukraine.

As for DCLeaks.com, some of their first leaks on June 8, 2016, were about Soros’ Open Society Foundation. Then, on August 13, 2016, they published “Soros Internal Files — Big Data,” , which even WikiLeaks retweeted.

Malware

As for any links to the leased servers used to implant malware, we’re stuck with Ward DeClaur, Mike Long, and Daniel Farell and per the indictment, the first two names/bitcoin accounts aren’t even linked to anything except the leasing of servers. Additionally, “Daniel Farell” is only tied to malware via linuxkrnl.net, a domain which so far has been debunked.

Last Word

Besides publishing documents on WordPress, Guccifer 2’s site (and whoever signed up for it and used it) hasn’t been tied to a single thing in the Mueller report or the indictment which is pretty extraordinary. Yes, two years after G2 showed up, the Daily Beast reported that “Guccifer 2” forgot to “activate the VPN client before logging on,” which allegedly led authorities straight to the GRU but we still don’t even know which social media account this supposedly happened with!

The point in all of this is that the Russian hacking story with its myriad of social media accounts has been debunked in some areas and doesn’t even make sense in others. With regards to this series, I believe that there were separate social media operations being conducted by different actors although it’s impossible to say if they had the same goals.

Note: I would like to thank Stephen McIntyre for his patience and insight, kindly listening to all of my conclusions, and for the amazing research that he and others have done in the past that made mine that much easier.

*The creation date of the Guccifer 2 WordPress was corrected to reflect June 15, 2016 (updated on March 10, 2021)

Post Disclaimer

This is an Op-ed article. The information contained in this post is for general information purposes only. While we endeavor to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information contained on the post for any purpose. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site.

The views or opinions represented in this blog do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.

The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.