In March 2018, Special Counsel Robert Mueller took over the investigation of Guccifer 2.0 from the FBI, while it was reported that forensic determination had found the Guccifer 2.0 persona to be a "particular military intelligence directorate (GRU) officer working out of the agency's headquarters on Grizodubovoy Street in Moscow".[29]
On June 21, 2016, in an interview with Vice, "Guccifer 2.0" said he is Romanian,[27][30] which is the nationality of Marcel Lazar Lehel, the Romanian hacker who originally used the "Guccifer" pseudonym. On June 30, 2016, and January 12, 2017, "Guccifer 2.0" stated that he is not Russian.[31][32][33] However, despite stating that he was unable to read or understand Russian, metadata of emails sent from Guccifer 2.0 to The Hill showed that a predominantly-Russian-language VPN was used.[34] When pressed to use the Romanian language in an interview with Motherboard via online chat, "he used such clunky grammar and terminology that experts believed he was using an online translator."[34] Linguistic analysis by Shlomo Engelson Argamon showed that Guccifer 2.0 is most likely "a Russian pretending to be a Romanian".[35][36] When asked about Guccifer 2.0's leaks, WikiLeaks founder Julian Assange said "These look very much like they're from the Russians. But in some ways, they look very amateur, and almost look too much like the Russians."[37][38]
Some cybersecurity experts have concluded that "Guccifer 2.0" is likely a creation of the Russian state-sponsored hacking groups thought to have executed the attack,[18][19][20][21][22][23][25] invented to cover up Russian responsibility.[17][18] The cybersecurity firm CrowdStrike, which was hired by the DNC to analyze the data breach,[39] "posits that Guccifer 2.0 could be 'part of a Russian Intelligence disinformation campaign'", i.e. a creation to deflect blame for the theft.[17] Russia has made use of the invention of "a lone hacker or an hacktivist to deflect blame" in the past, deploying this strategy in previous cyberattacks on the German government and the French network TV5Monde.[18] Thomas Rid of King's College London, a cybersecurity expert, says it is "'more likely than not' that the whole operation, including the Guccifer 2.0 part, was orchestrated by Russian spies."[18] The hackers responsible for the DNC email leak (a group called Fancy Bear by CrowdStrike) seem not to have been working on the DNC's servers on April 15, which in Russia is a holiday in honor of the Russian military's electronic warfare services.[40]
The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the U.S. election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.[42]
In March 2018, The Daily Beast, citing U.S. government sources, reported that Guccifer 2.0 is in fact a Russian GRU officer, explaining that Guccifer once forgot to use a VPN, leaving IP logs on "an American social media company" server. The IP address was used by U.S. investigators to identify Guccifer 2.0 as "a particular GRU officer working out of the agency's headquarters on Grizodubovoy Street in Moscow."[29]
In April 2018, BuzzFeed reported that messages showed WikiLeaks' interest in Guccifer 2.0's emails and files.[43]
On July 13, 2018, the United States Department of Justice (DOJ) indicted twelve Russian Intelligence Officers and revealed that Guccifer 2.0 was a persona used by GRU.[44]
Twitter suspended the persona's account on July 14, 2018, for "being connected to a network of accounts previously suspended for operating in violation of our rules." The account had been dormant for at least a year and a half.[45]
On July 18, 2016, Guccifer 2.0 provided exclusively to The Hill numerous documents and files covering political strategies,[2] including correlating the banks that received bailout funds with Republican Party and Democratic Party donations.[2]
On July 22, 2016, Guccifer 2.0 stated he hacked, then leaked, the DNC emails to WikiLeaks.[4][5][6][7][31][47] "Wikileaks published #DNCHack docs I'd given them!!!", tweeted Guccifer 2.0.[7]
On September 13, 2016, during a conference, an unknown and remote representative of Guccifer 2.0 released almost 700 megabytes' (MB) worth of documents from the DNC.[48] Forbes also obtained a copy of those.[8] On September 12, 2016, ahead of that conference, Guccifer posted a public Twitter message in which he confirmed that his representative was legitimate.[8] The Russian government denied any involvement.[48] The DNC, the DCCC, U.S. intelligence officials, and other experts speculated about Russian involvement.[48] NGP VAN, who state they are the "leading technology provider" for the Democratic campaigns, declined to comment on Guccifer 2.0's recent statements.[8]
On October 4, 2016, Guccifer 2.0 released documents and claimed that they were taken from the Clinton Foundation and showed "corruption and malfeasance" there.[49] Security experts quickly determined that the release was a hoax; the release did not contain Clinton Foundation documents, but rather consisted of documents previously released from the DNC and DCCC thefts, data aggregated from public records, and documents that were fabricated altogether as propaganda.[11][49] Singled out as particularly unrealistic was the idea that Clinton's team would have actually named a file "Pay for Play" on their own server, as Guccifer 2.0's screenshots of the alleged "hack" show.[10][49][50]
Former Trump confidant Roger Stone was in contact with Guccifer 2.0 during the campaign.[51]
A week after Guccifer 2.0 appeared online, WikiLeaks sent the persona a message saying to "send any new material here for us to review and it will have a much higher impact than what you are doing."[52] After not receiving a reply, on July 6, 2016 WikiLeaks sent another message that said "if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC is approaching and she will solidify bernie supporters behind her after." Guccifer 2.0 responded "ok ... i see," and WikiLeaks added "we think trump has only a 25% chance of winning against hillary ... so conflict between bernie and hillary is interesting."[53][54] On July 14, 2016 Guccifer 2.0 sent WikiLeaks an email with an encrypted attachment labeled "wk dnc link1.txt.gpg."[55] According to the indictment, the email explained that "the encrypted file contained instructions on how to access an online archive of stolen DNC documents."[52]
Four days later, WikiLeaks responded that it had received "the 1Gb or so archive" and would release the files that week.[52] The DNC emails were released several days later.
The Guccifer 2.0 persona went dark just before the U.S. presidential election, and resurfaced on January 12, 2017, following the public release of the Steele dossier that asserted the Trump campaign was cooperating with the Russians in their interference in the 2016 presidential election. The dossier also asserted that "Romanian hackers" had performed the hacks.
The Guccifer 2.0 persona made a blog post denying that they had any relation to the Russian government, and calling the technical evidence suggesting links to the Russian government "a crude fake."[28] In the blog post, Guccifer 2.0 indicated they had gained access to the DNC servers through a vulnerability in their NGP VAN software.[33]
June 15: "Guccifer 2.0" (GRU) claims credit for the DNC hacking and posts some of the stolen material to a website. CrowdStrike stands by its "findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016."[57] Gawker publishes an opposition research document on Trump that was stolen from the DNC. "Guccifer 2.0" sent the file to Gawker.[54][58]
June 22: WikiLeaks reaches out to "Guccifer 2.0" via Twitter. They ask "Guccifer 2.0" to send them material because it will have a bigger impact if they publish it. They also specifically ask for material on Clinton they can publish before the convention.[54]
July 6: "Guccifer 2.0" releases another cache of DNC documents and sends copies to The Hill.[59][60]
July 13: "Guccifer 2.0" releases over 10,000 names from the DNC in two spreadsheets and a list of objectionable quotes from Sarah Palin.[60]
July 14: Four days after the murder of Seth Rich, "Guccifer 2.0" sends Assange an encrypted one-gigabyte file containing stolen DNC emails, and Assange confirms that he received it. WikiLeaks publishes the file's contents on July 22. The Mueller report asserts that Assange was "working to shift blame onto [Seth Rich] to obscure the source of the materials he was releasing".[55] The Senate Intelligence Committee reported that "WikiLeaks actively sought, and played, a key role in the Russian intelligence campaign and very likely knew it was assisting a Russian intelligence influence effort."[61]
July 18: "Guccifer 2.0" dumps a new batch of documents from the DNC servers, including personal information of 20,000 Democratic donors and opposition research on Trump.[62]
August 5: Stone writes an article for Breitbart News in which he insists "Guccifer 2.0" hacked the DNC, using statements by "Guccifer 2.0" on Twitter and to The Hill as evidence for his claim. He tries to spin the DNC's Russia claim as a coverup for their supposed embarrassment over being penetrated by a single hacker.[63] The article leads to "Guccifer 2.0" reaching out to and conversing with Stone via Twitter.[64]
Journalist Emma Best has two simultaneous conversations by Twitter direct message with "Guccifer 2.0" and WikiLeaks. Best tries to negotiate the hosting of stolen DNC emails and documents on archive.org. WikiLeaks wants Best to act as an intermediary to funnel the material from "Guccifer 2.0" to them. The conversation ends with "Guccifer 2.0" saying he will send the material directly to WikiLeaks.[66]
August 13:
Twitter and WordPress temporarily suspend Guccifer 2.0's accounts.[65] Stone calls "Guccifer 2.0" a hero.[67]
August 15:
A candidate for Congress allegedly contacts Guccifer 2.0 to request information on the candidate's opponent. Guccifer 2.0 responds with the requested stolen information.[54]
Guccifer 2.0 begins posting information about Florida and Pennsylvania races stolen from the DCCC.[54]
August 16: Stone sends "Guccifer 2.0" an article[70] he wrote for The Hill on manipulating the vote count in voting machines.[71] "Guccifer 2.0" responds the next day, "@RogerJStoneJr paying u back".[67]
August 22:
"Guccifer 2.0" allegedly sends DCCC material on Black Lives Matter to a reporter, and they discuss how to use it in a story. "Guccifer 2.0" also gives the reporter the password for accessing emails stolen from Clinton's staff that were posted to "Guccifer 2.0's" website but had not yet been made public. On August 31, The Washington Examiner publishes a story based on the material the same day the material is released publicly on Guccifer 2.0's website.[54][72]
Florida GOP campaign advisor Aaron Nevins contacts Guccifer 2.0 and asks for material. Nevins sets up a Dropbox account and "Guccifer 2.0" transfers 2.5 gigabytes of data into it. Nevins analyzes the data, posts the results on his blog, HelloFLA.com, and sends "Guccifer 2.0" a link. "Guccifer 2.0" forwards the link to Stone.[54][73]
August 23: The Smoking Gun reaches out to "Guccifer 2.0" for comment on its contacts with Stone. "Guccifer 2.0" accuses The Smoking Gun of working with the FBI.[67]
September 3–5: Wealthy Republican donor Peter W. Smith gathers a team to try to acquire the 30,000 deleted Clinton emails from hackers. He believes Clinton's private email server was hacked and copies of the emails were stolen.[76] Among the people recruited are former GCHQ information-security specialist Matt Tait,[77] alt-right activist Charles C. Johnson, former Business Insider CTO and alt-right activist Pax Dickinson, "dark web expert" Royal O'Brien, and Jonathan Safron.[78] Tait quickly abandons the team after learning the true purpose of the endeavor.[78] Hackers contacted in the search include "Guccifer 2.0" and Andrew Auernheimer (a.k.a. "weev").[78] The team finds five groups of hackers claiming to have the emails. Two of the groups are Russian. Flynn is in email contact with the team. Smith commits suicide on May 14, 2017, about ten days after telling the story to The Wall Street Journal but before the story is published in June.[76]
September 15: "Guccifer 2.0" sends a Twitter direct message to DCLeaks informing them that WikiLeaks is trying to contact them to set up communications using encrypted emails.
October 5: Trump Jr. retweets a WikiLeaks tweet announcing an "860Mb [sic]" archive of various Clinton campaign documents from "Guccifer 2.0".[79]
October 7: At 12:40 p.m. EDT,[80] the DHS and the ODNI issue a joint statement[81] accusing the Russian government of breaking into the computer systems of several political organizations and releasing the obtained material via DCLeaks, WikiLeaks, and "Guccifer 2.0", with the intent "to interfere with the U.S. election process."[82]
2017
January 12: "Guccifer 2.0" denies having any relation to the Russian government.[33][54]
March 10: Roger Stone admits to communicating with Guccifer 2.0.[64]
March 22: The Daily Beast reports that Guccifer 2.0, the "lone hacker" who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia's military intelligence directorate (GRU) and that Mueller has taken over the investigation into his criminal activities and his direct contact with Stone.[29]
June 18: Lawyers for Andrew Miller, a former associate of Roger Stone, challenge in court a subpoena he received for information about Stone, WikiLeaks, "Guccifer 2.0", "DCLeaks", and Julian Assange. Miller's lawyer Alicia Dearn asserts at the hearing that Miller had asked for immunity regarding political action committee transactions involving himself and Stone.[84]
Poulsen, Kevin; Ackerman, Spencer (March 22, 2018). "EXCLUSIVE: 'Lone DNC Hacker' Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer". The Daily Beast. Archived from the original on March 23, 2018. Retrieved March 23, 2018. But on one occasion (...) Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company. (...) Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency's headquarters on Grizodubovoy Street in Moscow.
Guccifer 2.0 (June 30, 2016). "FAQ from Guccifer 2.0". guccifer2.wordpress.com. Archived from the original on July 25, 2016. Retrieved July 24, 2016.
Guccifer 2.0 (January 12, 2017). "Here I am Again, My Friends!". guccifer2.wordpress.com. Archived from the original on March 12, 2017. Retrieved February 25, 2017.
Poulsen, Kevin (April 18, 2019). "Mueller Report: Assange Smeared Seth Rich to Cover for Russians". The Daily Beast. Archived from the original on April 19, 2019. Retrieved April 22, 2019. Julian Assange not only knew that a murdered Democratic National Committee staffer wasn't his source for thousands of hacked party emails, he was in active contact with his real sources in Russia's GRU months after Seth Rich's death. At the same time he was publicly working to shift blame onto the slain staffer "to obscure the source of the materials he was releasing," Special Counsel Robert Mueller asserts in his final report on Russia's role in the 2016 presidential election.
"Counterintelligence Threats and Vulnerabilities" (PDF). senate.gov. Senate Intelligence Committee. Archived (PDF) from the original on January 22, 2021. Retrieved December 12, 2021. WikiLeaks actively sought, and played, a key role in the Russian intelligence campaign and very likely knew it was assisting a Russian intelligence influence effort.