The list of "Additional Articles" are articles unique to this site. These provide further information showing how, why, where and when questionable APT28/29 attributions to Guccifer 2.0 occurred (all were ultimately tenuous) as well as various other relevant topics.
2. Timeline - What Happened & When Did It Happen
3. Guccifer2.0's Claims Debunked & Discredited
4. 3rd Party Assessments - Assumptions & Conjecture vs Evidence & Facts
5. Actions, Consequences & Convenience For Anti-Leak Narratives
6. Rushing To Be Russian - The Donkey In A Bear Costume Made A Mistake
7. Language & Text Analysis
8. Recognizing Intent From Deceptions
9. With Motive & Means - Those More Likely Linked to G2 than Russians
3rd Party Articles
Frequently Asked Questions
There are individuals, who, in reality, now have a much higher likelihood of being linked to Guccifer2.0 than anyone in Russia. - The intention of this article is to inform readers extensively about everything there is to know about Guccifer2.0 and from that, be armed with enough information to give motive and means the regard they deserve.
To understand who Guccifer2.0 could possibly be - it is imperative to understand WHAT Guccifer2.0 was.
What did he do? What did he say? Are his claims now confirmed, debunked or yet to be verified? What were the results of his actions? What do any lies told and the likelihood of them being debunked or remaining secret really imply about his intent? Was there anything misreported or omitted that may have been relevant?
The best way to get a clear picture of how incidents relate to each other and recognize suspect timing is to use a timeline - The timeline below was built using references to every unique piece of information directly relevant to Guccifer 2.0 that I could find on public record (no matter whose narrative it supported - as should be fairly clear).
Guccifer2.0 stated in an interview with Lorenzo Franceschi-Bicchierai (for Motherboard / Vice News) on the 21st of June, that he breached the server using a "0-day exploit of NGP-Van".
ThreatConnect, although still apparently unswayed from their assessment that Guccifer2.0 is a collective of Russians (we'll get on to that topic later in the article) - did report some very useful facts that serve to debunk Guccifer2.0's claims.
a) NGP-Van is a cloud-hosted web-service separate from the DNC network, the claimed method of breach was discredted by ThreatConnect. - It was noted that phishing for credentials would be far more practical for exploiting such a service.
b) He makes claims of lateral movement within the DNC network - but doesn't realize that his effort to match the reporting of Crowdstrike falls down due to his own misinterpretation of that. - CrowdStrike's report mentions lateral movement in terms of the "BEAR" infrastructure across the whole of the Internet rather than movement within the DNC network - it looks like Guccifer2.0 s trying to make claims that correlate with what he has inferred from CrowdStrike's reportage.
c) To quote ThreatConnect at the time (and nothing has been reported to contradict it since): "As it stands now, none of the Guccifer 2.0 breach details can be independently verified".
Guccifer2.0 put considerable effort into trying to convince people he was the source for the DNC email leaks that ended up in the public domain on July 22nd.
He outright claimed it, multiple times.
He made a point of mentioning Wikileaks in his purposeful destruction of his own reputation on October the 4th (a reference to his Clinton Foundation claims and the files he posted supposedly demonstrating the hack) and on October 18th showed he was trying to push a perception of being associated with Wikileaks and responded to a Wikileaks tweet as though it was intended for him personally (when it wasn't).
Going back to the 4th, the supposed "Clinton Foundation Hack" - is also where his claim starts to show cracks.
He stated "I can’t post all databases here for they’re too large. I’m looking for a better way to release them now.".
Why, if he was really the source for the DNC emails, would he be at all struggling to find a solution to get the data published? - Why express this 73 days after the last large batch of data he claims to have acquired was successfully published through Wikileaks?
Even putting seemingly contradictory statements aside - Assange has implied that the emails were leaked, rather than hacked, in contradiction with Guccifer2.0's claims and there is still nothing independently verifying Guccifer2.0's claims.
On October 4th, 2016 - Guccifer2.0 claimed to have hacked the Clinton Foundation. He followed this up by posting an archive containing files that were all from previous leaks and from documents in the public domain.
Ultimately, he has never produced anything that actually shows such a hack had taken place.
These are not all of his lies or unverified claims, far from it, but they are the ones that are critical to know so that the rest of this article makes sense to you. Above all, the first is most important - his claims to breach the DNC turned out to be fantasy.
There is a difference between independently verifiable evidence and the activity somebody claims to have engaged in or that can be fabricated in an effort to misdirect and masquerade as someone they're not. - None of Guccifer2.0's claims of hacking were independently verifiable and several were debunked by ThreatConnect. - There is nothing demonstrating Guccifer2.0 was really a hacker.
The "evidence" that he's Russian, should be understood in the following context:
He CHOSE to name his computer account after the founder of the Soviet Secret Police.
He CHOSE to create/open and then save documents so the Russian name was written to metadata.
He CHOSE to use a Russian VPN service to cloak his IP address.
He CHOSE to use public web-based email services that would forward his cloaked IP.
He CHOSE to use the above to contact various media outlets on the same day.
Note: Thanks to a 3rd party's further investigation, it now appears he may have used a single document as a Russian template (with Russian stylesheet data in), saved it as a set of blank 'pre-tainted' files and then opened them later under a different username - copying/pasting in content from original documents into each blank 'pre-tainted' document before saving again - as the specific process for creating documents (Stylesheet change RSIDs correlating across files certainly suggest it and the metadata fully corroborates it too).
Guccifer2.0 covered himself and the files in the digital equivalent of "Made In Russia" labels while claiming to be a Romanian. (Giving cyber-security firms, journalists and others a flimsy veil they could easily pull off and find Russian "fingerprints" behind - not realizing that what they were revealing was a layer of misdirection that would actually prevent them from considering a 3rd possibility!)
Basically - Nothing showing he was Wikileaks source. Nothing showing he actually hacked into the DNC beyond the fact he had acquired some DNC/DCCC documents. (In fact, there was a fair bit to contradict his claims there thanks to ThreatConnect discrediting his breach claims, showing he was unduly trying to be attributed to the malware discoveries!)
Guccifer2.0 was someone who chose to use a Russian VPN (after choosing to taint documents with Russian language) and was noted to have been in possession of a password for a password-protected area of the DCLeaks site (which, plausibly, he could have been given after promising to upload some of his leaks - DCLeaks were willing to give the same password out to the press in exchange for the promise of writing a story about them!)
Pretty much everything stated about him has been based on assumptions, acceptance of questionable admissions and the public have been given little more than conjecture based on factors he seems to have been controlling and choosing.
Sam Biddle of The Intercept (one of the first people to write about Guccifer2.0 when he emerged) details the problem, in a broader sense, of blaming Russia generally for the hacks in an article released on December 14th 2016, titled: "Here’s the Public Evidence Russia Hacked the DNC — It’s Not Enough". - It covers the fact that the evidence on Guccifer2.0 looks dodgy but doesn't try to determine the intent behind his efforts to deceive and claim credit for hacking the DNC (such as this article is attempting to make clear) and instead focuses on the broader scope of allegations about the DNC being hacked.
In total, the amount of new controversies specifically exposed by Guccifer2.0's actions - was very little.
The documents he posted online were a mixture of some from the public domain (eg. already been published by OpenSecrets.org in 2009), were manipulated copies of research documents originally created by Lauren Dillon (see attachments) and others or were legitimate, unique documents that were of little significant damage to the DNC. (Such as the DCCC documents)
The DCCC documents didn't reveal anything particularly damaging. It did include a list of fundraisers/bundlers but that wasn't likely to cause controversy (the fundraising totals, etc. are likely to end up on sites like OpenSecrets, etc within a year anyway). - It did however trigger 4chan to investigate and a correlation was found between the DNC's best performing bundlers and ambassadorships. - This revelation though, is to be credited to 4chan. - The leaked financial data wasn't, in itself, damaging - and some of the key data will be disclosed publicly in future anyway.
All of his 'leaks' have been over-hyped non-controversies or were already in the public domain - the only exception being the apparent leaking of personal contact numbers and email addresses of 200 Democrats - and really that was more damaging to the reputation of Wikileaks than causing any real problems for Democrats. - Ultimately, it only really served to give the mainstream press the opportunity to announce that "leaked emails include personal details of 200 Democrats", again, seemingly an effort to undermine other leaks being released at the same time by legitimate leak publishers.
There is a key fact about some non-Russian metadata that nobody seems to have reported and it certainly seems to be of critical importance - and that is the document creation timestamps...
There were multiple documents shared with TheSmokingGun, Gawker, ArsTechnica and others.
The first document, "1.doc" (mirror), was given considerable coverage, while the name "Warren Flood" was reported, the date in the report (rather than in the metadata) was reported and so it was attributed to Warren Flood on 12/19/15.
Gawker incorrectly claimed the metadata showed the document was created in 2015 when it actually indicated the document was created by Warren Flood at a much later date.
The truth is that the metadata shows the document being created 30 minutes before Guccifer2.0 appears to have gotten his hands on it:
The other document, "2.doc" (mirror) was not mentioned so much, but it too had interesting metadata:
How did this get missed? - My guess is that people who investigated were using MS-Word. Recent versions of MS-Word tend to show limited metadata from RTF1 format files, for example, MS-Word 2010 shows:
If you open "2.doc" in OpenOffice though, you will spot what first alerted me to the timestamp correlations in the first place:
If you look at the raw data of "1.doc" you can see an ever closer correlation:
IMPORTANT: Before getting into the details of Warren Flood - please be clear on one critical fact: There is a good chance that he's completely innocent. - Even if he was involved, it's an issue for government officials, FBI, etc. to resolve, please do NOT harass Warren Flood because of this report stating that Warren Flood "appears" to have done something... all we know for certain is that someone used an account with that name.
The corpus/language analyses carried out also show Guccifer 2.0's communications lacks a subtle trait that appears to be present in Flood's writing elsewhere. It seems that it was likely somebody else taking care of communicating and likely managing the overall operation.
The above statement supercedes and overrides any assertions expressed on this page or anywhere else on this site on the subject of any attribution to Warren Flood.
So... who is Warren Flood? - How did the documents get from Flood apparently creating them to the "hacker" within 30 minutes AND how did that happen when Guccifer2.0 claimed that he had been kicked out of the DNC's systems as of June 12th according to the conversation he had on the 21st of June with Lorenzo Franceschi-Bicchierai for Motherboard/Vice? (An article in which Guccifer2.0 shows he can easily change the identity of the person who last modified the file)
We can answer the first question by looking at Warren's linkedin and facebook profiles (these profiles have almost no private or personal character information - we're only revealing things about his work, experience, professional skill set and his history with DNC, etc.).
How did Guccifer2.0 apparently acquire and edit the documents in 30 minutes of them apparently being created by Flood AND at a time that Guccifer 2.0 would later claim was AFTER he had been kicked out of the DNC's network?
While Warren's name may have been relatively unknown to many reading this article, he has worked for Obama for America, the DNC, served as Joe Biden's technical director and is no stranger to the White House, as his photograph with Joe and Jill Biden (embedded) suggests.
As for the main file (Trump Opposition Research) - it's basically copied from this file (which is also attached to this leaked email).
It was actually a document originally authored by Lauren Dillon (DNC research director) and modified (and sent to John Podesta) by Tony Carrk (Research Director at Hillary for America).
As it's clear the original source document was not authored by Flood it seems odd that Flood's name would be there. There was however, another clue in the meta data, the company name was recorded as "GSA" (General Services Administration), this suggests that the license was installed when Flood was working for the government and the only place I recalled seeing that in his work history was at the White House.
This leaves us with a few logical explanations:
Considering Flood's absence from the White House since 2011, no indication he had the skill set needed to fool so many cyber-security experts and a poor match up on syntax analysis, it seems the latter of these possibilities is far more probable.
Several experts and their assessments have been cited, Motherboard (Vice) reference 3 such experts but only one appeared willing to be identified. - Carrying out our own analysis (and highlighting the process), we can see why the others may have chosen anonymity - their assessments seem to be limited and pick up on things that in aggregate, Guccifer rarely actually does.
Guccifer2.0 used a "Russian smiley" (")))") ONCE! - This was in one of his first posts. The other thing that made him appear Russian was that he referred to hacks as "deals" a couple of times. - HOWEVER, he ONLY does this in the interview with Motherboard/Vice on the 21st of June - he never repeats this behavior in any other communications - so, it seems it was just put on for the purpose of the interview. - These are the main 2 things pointed out by the anonymous experts and are bizarrely both things he does only in 2 isolated incidents.
Professor M.J. Connolly of the Slavic & Eastern European languages department at Boston University had the most valuable assessment - and could explain the syntactical traits that were missing from Guccifer2.0's writing.
For our own non-expert analysis, details about differences between Russian/Slavonic Languages & English language can be found here, here and here.
As a brief example, TSG article's quoted statements from Guccifer are below. Definite and indefinite article use and prepositions are highlighted:
“I stand against Guccifer's conviction and extradition. I will continue Guccifer's business and will fight all those illuminati the way I can. They should set him free!!!!”
“Hi. This is Guccifer 2.0 and this is me who hacked Democratic National Committee.”
“Guccifer may have been the first one who penetrated Hillary Clinton's and other Democrats' mail servers. But he certainly wasn't the last. No wonder any other hacker could easily get access to the DNC's servers.”
“First I breached into mail boxes of a number of Democrats. And then using the info collected I got into Committee servers.”
Compare this to the use of English language expected from someone who is really a Russian, as demonstrated in this screenshot of a video featured in an article by ThreatConnect on 2nd of September 2016. - The difference is stark to say the least!
It's clear from the above (as well as an analysis of a much larger corpus of Guccifer's words that I have compiled - see below) that he habitually uses definite articles, even when communicating in a live chat with Lorenzo Franceschi-Bicchierai of Vice's Motherboard, he rarely fails to include them. - The amount of instances where his definite and indefinite articles are correctly used (when they are used) is around 96%. - In other words, while he mangles English language selectively, he doesn't do it in a way that is consistent or in the way that is expected from those whose native language is one lacking definite and indefinite articles (such as is true with Russian language).
We never see Guccifer struggle with prepositions either:
He never claimed to hack through a server, or get under security or wait around being detected. His command of prepositions is very strong and he seldom drops the use of them.
AUTHOR'S NOTE: As author of this article, I am not pretending to be an expert. I'm just applying some knowledge from the public domain to a large collection of sample data in a manner that demonstrates various factors that relate to the aspects of English language that Russian's would typically struggle with.
When you consider all of these various facts in aggregate and understand that Guccifer2.0 never demonstrated any genuine hacking skills, realize his actions only ever served to undermine leaks, ultimately caused no harm to the reputation of anyone except himself and needlessly and inexplicably gave the mainstream press fodder on which they could write headlines branding leaks as "fake", "discredited", "tainted by Russia", etc., had some non-hacking means of acquiring the DCCC documents and has had his claims of breaching the DNC network debunked by ThreatConnect. - It becomes clear that Guccifer2.0 did more to serve the interests of the DNC than really act maliciously against it.
Anyone critically analysing the nature of Guccifer2.0 can see enough to identify whom he was most likely was or was serving through his activities online. - His lack of credibility and the inevitability of his Clinton Foundation server hack 'take' being exposed as nonsense makes it clear that Guccifer2.0 was a fraudulent construct intended to counter the leaks and try to take-down the credibility of Wikileaks as collaterol in the self-destruction of it's own reputation.
It seemed like there was a good chance Warren Flood had involvement at first, however, he doesn't appear to have been actively working for anyone's campaign in 2016 and it had been 6 years since he had worked at the White House. His name and the fact it's on the GSA license could suggest that the dodgy Russian template document was generated on a computer at (or previously from) the White House (from when Flood was Senator Biden's technology director).
However, Flood himself didn't appear to be someone (or likely to be working for someone) with a motive to discredit Wikileaks and have Russian hackers blamed (nor the experience to pull off the mimicry and deceptions observed).
Those with a motive mostly strongly correlating with this at the time would have been the Clinton Campaign (to mitigate damage to HRC's electoral campaign) and the DNC leadership (who also had reputations at stake from the real leaks being published)
As of June 12th, they were in a position where Julian Assange had just announced WikiLeaks' upcoming release of Clinton's emails, Clinton was still under FBI investigation, Trump was attacking Clinton for her use of a private server with his supporters frequently chanting "lock her up!" at rallies).
The campaign and the DNC were in a desperate position and really needed something similar to a Russian hacker narrative (something that leaks have since shown the DNC had started building a month or two prior to the hacking claims) and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of 'fingerprints' tainting files and bringing the reputation of leaks into question. - Sure enough, 2-3 days later, Guccifer2.0, the world's weirdest hacker was spawned and started telling lies in an effort to attribute himself to the malware discoveries & to Wikileaks.
Of course, attribution to the HRC camp or DNC leadership is difficult because what we've seen from Guccifer 2.0 suggests an operation carried out by someone with considerable cyber-security and counter-intelligence skills (the misdirection and deception fooled a lot of the cyber-security industry and had multiple intelligence agencies convinced - they knew exactly what they were doing) and while their breach claims were discredited, they still had or had been given access to files.
Who we're really dealing with requires understanding the full picture (everything outlined above for starters), knowing about CrowdStrike's activities in April of 2016 (which you'll find in additional articles provided further down this page), considering the claims they made in an article released on 14 June 2016 and then considering that there is only really one party that could feasibly have pulled of the whole fake Russian hacker persona.
Surely, it had to be those who had access to everything and that, thanks to the DNC's handling of DHS/FBI, were the only party ever allowed to directly assess the alleged crime scene of the DNC's server, didn't it?
They also issued specious claims about the "Trump Opposition Research" being targeted (never demonstrated or explained) which, in turn, actually gave the Guccifer 2.0 persona the means of "authenticating" himself to the press the very next day (on which he, of course, appeared and used a deliberately "Russia-tainted" version of the Trump opposition research document to lure the press with).
So, at present, in my personal opinion, it looks a lot like Shawn Henry & Dmitri Alperovitch (CrowdStrike executives), working for either the HRC campaign or DNC leadership were more likely to have been behind the Guccifer 2.0 operation.
If you have any tips, know of anything significant that's missing from the timeline at all or want to chat about anything related to Guccifer2.0 feel free to contact me by email (link at top of article) - Challenges to conclusions are welcomed and won't be greeted with hostility.
The following articles provide you with the links and reference materials needed to independently check and verify the first critical piece of evidence showing that Guccifer 2.0 was an operation that (as its very first objective) created files with fake 'Russian Fingerprints' through what was apparently an intentional and methodical procedure:
The above guides are simply my efforts to explain to others how to check and verify evidence that was actually found by u/tvor_22. The original article he wrote covering it (among other related topics) is linked to here for reference (see image and link to the right of this text).
Russia and Wikileaks: The Case of the Gilded Guccifer
Guccifer 2.0 - The Hack/Leak Contradiction (8 April 2017)
Guccifer 2.0 - DCLeaks - APT 28 (17 April 2017)
CrowdStrike & The DNC's Phantom Intruder (OPINION) (25 April 2017)
WH Meetings on Ukraine Coincide With Fingerprint Fabrications (29 April 2017)
The Guccifer 2.0 Advisory Sent To Every US Senator (17 May 2017)
Further RTF Analysis Supports Russian Fingerprint Fabrication (26 May 2017)
The Constant Storm of Controversy & Chaos (31 May 2017)
Guccifer 2.0's First Five Documents: The Process (31 May 2017)
The Webb of Deceit (7 June 2017)
The Washington Post Article on the DNC Hack - Fact or Fiction? (14 June 2017)
RussiaGate Complexities (8 July 2017)
CrowdStrike, Comey & Conflicting Claims? (17 July 2017)
Guccifer 2.0: Game Over - Six Months In (4 August 2017)
The DNC Responds To The Nation Article (12 August 2017)
The First Attack Dog Steps Forward - New York Magazine (12 August 2017)
Distortions & Missing The Point (16 August 2017)
Dirty Techniques (20 August 2017)
Focus On The Decision-Makers - They Have Been Informed (11 September 2017)
Is Salon's Sheffield Skipping & Spinning? (18th September 2017)
Phase #5 Completed (19th September 2017)
United Nations Notified (22nd September 2017)
This Fancy Bear's House Is Made of Cards: Russian Fools or Russian Frame-Up
by nyetneynyet aka u/tvor_22
Russia and Wikileaks - The Case of The Gilded Guccifer
by nyetneynyet aka u/tvor_22
Did Russia Really Hack The DNC?
by Gregory Elich
Is Guccifer 2 One Person or Multitude of People
by Steve Cunningham
Cyber-analyst: No evidence to connect Guccifer 2.0 to Russian DNC hack
by Steve Cunningham
Guccifer 2 and the Podesta Emails
US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware
by Mark Maunder / WordFence
Guccifer 2.0 NGP/VAN Metadata Analysis
by The Forensicator
The Russiagate Hoax — Cutting to the Chase
by Mark McCarty
Non-Existent Foundation for Russia Hacking Charge
by Skip Folden
Time Zone of Guccifer 2 cf.7z
by Stephen McIntyre
Guccifer 2.0 CF Files Metadata Analysis
Guccifer 2 Email Time Zone
by Stephen McIntyre
Guccifer 2 and “Russian” Metadata
by Stephen McIntyre