I’ve started and stopped writing the following for the better part of a year. There is a balance to be found between speculation and the failure to ask certain questions.
Today we are going to pose a question that has become irresponsible not to ask. That comes with some caveats.
I wanted to try to be objective and the first iterations of this post gave more time entertaining the notion that the Russians had hacked the DNC. I don’t think that is worthy of our time any longer. Sources have indicated that the hack of the DNC was a false flag operation and that specifically, President Obama, who you may recall was briefed in the summer of 2016 on a Clinton plan to tie Trump to Russia, knew when he approved the October 7, 2016 joint attribution statement that the Russians had not hacked the DNC and knew it was a Clinton operation. Post-election, sources tell me the creation of the Intelligence Community Assessment was contrived to fit a preconceived outcome and that Obama explicitly ordered the ICA to support an interference/collusion narrative and to exclude any materials that indicated otherwise.
Based on those sources, the following represents my opinions and analysis, which is inherently flawed due to the lack of available information and open questions. There is a confirmation bias and a perception bias that is very difficult to account for, especially in attempting to separate my own thoughts from reporting from my sources.
I am not accusing any specific individuals of being involved in criminal activity. Even if certain individuals were involved in the DNC hack investigation, we don’t know where their data came from or whether they were witting of any malfeasance in the data they were provided or used.
As a starting point, in my opinion, there is a striking similarity between Guccifer 2.0 and the Clinton-connected cyber researchers (which is a poorly defined group that includes Fusion GPS and whose number may exceed 15 individuals). This also comes with a caveat that Clinton was in contact with many cyber experts historically, most of whom we don’t know much about and who likely had similar capabilities.
The modus operandi of each group involved adopting pseudonyms (“Tea Leaves”), creating wordpress sites, pushing their claims to specific members of the media and they operated in roughly the same time periods. That’s not to say they selected the same journalists, I just find it notable as a method of procedure that both groups proactively sought out media contacts. What are the odds that real Russians were doing the same things at the same time as Clinton people? Guccifer 2.0’s persona was active between June 15, 2016 through January 12, 2017 and “Tea Leaves” operated a blog at least between September 9, 2016 through October 2016, yet we know the researchers were active between June 15, 2016 through February 2017 based on court filings and public reporting. They both operated within the election cycle and largely stopped at or around the Presidential transition period.
Guccifer 2.0 is either a group of Russians that are truly stupid, who made numerous mistakes leaving evidence screaming “RUSSIA!”, or it is a group of Americans tied to the Clinton campaign with exceptional technical capabilities and who may have studied Russian hackers.
There is an additional theory subscribed to by some of the sleuths that there is a nexus between “Guccifer 2.0” and “The Shadow Brokers” (TSB) who leaked stolen NSA cyber tools during the 2016 election. That will be the subject of a future thread, suffice to say it is notable that many of these Clinton cyber researchers have extensive ties to the NSA - including several who are not commonly discussed as central figures of the Alfa Bank story. To some extent, it appears they even investigated TSB on behalf of the DOJ.
There are a few things about “Guccifer 2.0” that suggest ties to academia, at least in my opinion. For starters, I find the creation of a FAQ page for his blog to be unusual. That is something more commonly found in academia or at least in vain elitist bloggers who want to seem interesting.
I also find the September 2016 conference that Guccifer 2.0 “spoke” at by submitting a paper to be unusual and suggestive of ties to academia or the professional cyber industry. This might be an example of something Guccifer 2.0 didn’t think all the way through. Guccifer “spoke” at a London conference - The Future of Cyber Security Europe 2016 by submitting a speech. Within the speech, Guccifer offers vague points on software vulnerabilities, government contracts, and data. In the most specific paragraph, Guccifer raises a point on Democrat politics that was outdated even by that time:
This strikes me as oddly specific and something real Russians wouldn’t care about. Guccifer 2.0 then launches into general criticisms of NGP-VAN (which is also how he suggested he gained access to the DNC).
This episode doesn’t support Russian attribution. I can’t imagine a group of Russian intelligence officers sitting around a card table until one guy says “you know what this conspiracy really needs? A speech to academics and cybersecurity industry folks in London!”
Why not a conference in the United States? It would be interesting to see the attendance list for the London conference, both for 2016 and other years. Our “Guccifer 2.0” suspect(s) may or may not have attended, but at the least I would suspect they travel to conferences in Europe with some regularity. This was a comfort zone for him.
If it were the Russians, we’d expect a speech to an American conference.
But if it’s a group of American conspirators, who likely have ties to the cybersecurity industry, there would be a challenge of choosing a conference in the US of enough significance for a “Guccifer” appearance that they would also not be expected to attend as part of their day jobs. They probably wouldn’t want to show up to a conference in the United States that Guccifer 2.0 just happened to be speaking at.
On October 4, 2016 Guccifer tweeted a link to an alleged new cache of documents:
On the same day, an unnamed person associated with the Alfa Bank scandal also uploaded a file using Mediafire (which was *immediately* discovered by Fusion GPS):
Within hours of one another, Guccifer 2.0 and Alfa Bank researchers used the same file upload site to share documents. That’s notable. Mediafire is a modestly popular site for file sharing but I have never heard of anyone using it outside of these 2 instances.
I have a theory that the unnamed CHS from the 1023 we covered last week, who is tied to the Alfa Bank allegations, may be involved with the Guccifer 2.0 persona - if it’s confirmed that the interview took place in Springfield, Illinois. That theory builds on early analysis that suggested Guccifer 2.0, or at least some portion of the people comprising the persona, may have ties to the central time zone. In theory, changing the system time on his computer to the central time zone could have produced some of the early forensic data, but if the hacker isn’t scrubbing files for metadata before releasing them, I don’t imagine they would care to change the time zone on their computer knowing technically savvy folks wouldn’t necessarily put a lot of weight in the timestamps associated with files or emails.
This is where I wish we had gotten a lot more information from any number of investigations, because I have developed a theory of who the unnamed CHS is and building from that theory I began the process of conducting a challenging linguistic analysis (challenging because Guccifer 2.0 might comprise multiple people and they clearly made efforts to scramble things up so as not to leave clues). Still, I believe I have isolated a few idiosyncratic pieces that are replicated in my target’s posts. As one example:
guccifer2.wordpress.com/2016/06/30/faq
Amidst the bluster of *no i’m not a Russian, wink wink*, Guccifer uses “blah-blah-blah” which is a bit uncommon with the hyphens.
The same usage shows up in posts made by my target:
Weird huh?
There is a certain irony in the selection of “Guccifer 2.0” as a moniker that Clinton operatives probably enjoyed. The original Guccifer had caused a fair number of headaches for Clinton operatives, including exposing the existence of a home email server for Hillary Clinton after hacking Sidney Blumenthal.
While the original Guccifer was in the news around the time of the DNC hack spoof, I suspect real hackers might’ve adopted an original name. I also suspect real hackers would have re-used the Guccifer 2.0 persona at some point.
It’s a slow grind, but I think we’ll get there. I’ll leave it here for now (always keep stuff in reserve).
We will hear from the Department of Justice on Friday.
Exciting stuff. Can't wait for more. Protect yourself
I'll ask more bluntly: do you think the man who seduced and left the mature woman is the same man who released those DMs to the media.
He was cruel, but just how sadistic is the question. A very important question.