Guccifer 2.0: Game Over

Metadata suggests it took only 30 minutes to go from a DNC tech/data strategy consultant creating documents to Guccifer2.0 tainting them - all occurring on a date that Guccifer2.0 claimed to be after he was locked out of the DNC Network - occurring on the same day that Guccifer2.0 emerged.

Data found deeper in files now also demonstrates there was a misdirection effort, that, in its larger scope - seems to have been intended to discredit leaks by having leaks blamed on Russian hackers.

Update - April 23rd, 2017

by ADAM CARTER (email)  

Follow @with_integrity

Evidence of Intent : Preemptive Misdirection

The following articles provide you with the links and reference materials needed to to independently check and verify the evidence showing that Guccifer 2.0 was an operation that (as its very first objective) created files with fake 'Russian Fingerprints' through a clearly intentional and methodical procedure:

Isolated RTF/RSID Evidence
Correlating With Metadata & Conclusion

The above guides are simply my efforts to explain to others how to check and verify evidence that was actually found by u/tvor_22. The original article he wrote covering it (among other related topics) is linked to here for reference (see image and link to the right of this text).

 
Russia and Wikileaks: The Case of the Gilded Guccifer

Additional Featured Articles

Guccifer 2.0 - The Hack/Leak Contradiction

Guccifer 2.0 - DCLeaks - APT 28 (NEW)

UPDATES (April 24th)

New Article Published yesterday at BullTruth Magazine raises doubts about Robbin's DMs:


As a result of this, the affected evidence on g-2.space now has clear warning notifications.
(the warnings also link to a page explaining the reason behind it).

INTRODUCTION

There are individuals, who, in reality, have a higher likelihood of being linked to Guccifer2.0 than anyone in Russia. - The intention of this article is to inform readers, extensively about everything there is to know about Guccifer2.0 and from that, be armed with enough information to give motive and means the regard they deserve.

To understand who Guccifer2.0 is likely to be - it is imperative to understand WHAT Guccifer2.0 is. - What did he do? - What did he say? - Are his claims now confirmed, debunked or yet to be verified? - What were the results of his actions? - What do any lies told and the likelihood of them being debunked or remaining secret really imply about his intent? - Was there anything misreported or omitted that may have been relevant?

The answers to the above questions will probably be surprising to many considering what the USIC, CyberSecurity researchers and the MSM have repeatedly insisted over and over again.

The first step is to catalog events - and then, retrospectively review the data.


CONTENTS

1. Timeline - What Happened & When Did It Happen
2. Guccifer2.0's Claims Debunked & Discredited
3. 3rd Party Assessments - Assumptions & Conjecture vs Evidence & Facts
4. Actions, Consequences & Convenience For Anti-Leak Narratives
5. Rushing To Be Russian - The Donkey In A Bear Costume Made A Mistake
6. Language & Text Analysis
7. Recognizing Intent From Deceptions
8. With Motive & Means - Those More Likely Linked to G2 than Russians
9. Updates & Inquiries With Third Parties
10. 3rd Party Research & Further Reading
11. Frequently Asked Questions


(1) Guccifer2.0 Timeline - What Happened & When Did It Happen?


(2) Guccifer2.0's Claims Debunked & Discredited

Before looking at intent, motive, conflicting evidence and more, it's important to become aware of a few key facts about Guccifer2.0 and some of the claims he made.

CLAIM: Hacked the DNC's servers - STATUS: Discredited

Guccifer2.0 stated in an interview with Lorenzo Franceschi-Bicchierai (for Motherboard / Vice News) on the 21st of June, that he breached the server using a "0-day exploit of NGP-Van".

ThreatConnect, although still apparently unswayed from their assessment that Guccifer2.0 is a collective of Russians (we'll get on to that topic later in the article) - did report some very useful facts that serve to debunk Guccifer2.0's claims.

a) NGP-Van is a cloud-hosted web-service, the claimed method of breach was concluded "impossible" by ThreatConnect. - It was noted that phishing for credentials would be far more practical for exploiting such a service.

b) He makes claims of lateral movement within the DNC network - but doesn't realize that his effort to match the reporting of Crowdstrike falls down due to his own misinterpretation of that. - CrowdStrike's report mentions lateral movement in terms of the "BEAR" infrastructure across the whole of the Internet rather than movement within the DNC network - it looks like Guccifer2.0 s trying to make claims that correlate with what he has inferred from CrowdStrike's reportage.

c) To quote ThreatConnect at the time (and nothing has been reported to contradict it since): "As it stands now, none of the Guccifer 2.0 breach details can be independently verified".

CLAIM: Wikileaks Source for DNC Mails - STATUS: Not Verified

Guccifer2.0 put considerable effort into trying to convince people he was the source for the DNC email leaks that ended up in the public domain on July 22nd.

He outright claimed it, multiple times.

He made a point of mentioning Wikileaks in his purposeful destruction of his own reputation on October the 4th (a reference to his Clinton Foundation claims and the files he posted supposedly demonstrating the hack) and on October 18th showed he was trying to push a perception of being associated with Wikileaks and responded to a Wikileaks tweet as though it was intended for him personally (when it wasn't).

Going back to the 4th, the supposed "Clinton Foundation Hack" - is also where his claim starts to show cracks.

He stated "I can’t post all databases here for they’re too large. I’m looking for a better way to release them now.".

Why, if he was really the source for the DNC emails, would he be at all struggling to find a solution to get the data published? - Why express this 73 days after the last large batch of data he claims to have acquired was successfully published through Wikileaks?

Even putting seemingly contradictory statements aside - Assange has stated numerous times that the emails were leaked, rather than hacked, in persistent contradiction with Guccifer2.0's claims and there is still nothing independently verifying Guccifer2.0's claims.

CLAIM: Hacked Clinton Foundation - STATUS: Discredited

On October 4th, 2016 - Guccifer2.0 claimed to have hacked the Clinton Foundation. He followed this up by posting an archive containing files that were all from previous leaks and from documents in the public domain.

Ultimately, he has never produced anything that actually shows such a hack had taken place.

These are not all of his lies or unverified claims, far from it, but they are the ones that are critical to know so that the rest of this article makes sense to you. Above all, the first is most important - his claims to breach the DNC turned out to be fantasy.


(3) 3rd Party Assessments - Assumptions & Conjecture vs Evidence & Facts

There is a difference between independently verifiable evidence and the activity somebody claims to have engaged in or that can be fabricated in an effort to misdirect and masquerade as someone they're not. - None of Guccifer2.0's claims of hacking were independently verifiable and several were debunked by ThreatConnect. - There is nothing demonstrating Guccifer2.0 was really a hacker.

The "evidence" that he's Russian, should be understood in the following context:

He CHOSE to name his computer account after the founder of the Soviet Secret Police.
He CHOSE to create/open and then save documents so the Russian name was written to metadata.
He CHOSE to use a Russian VPN service to cloak his IP address.
He CHOSE to use public web-based email services that would forward his cloaked IP.
He CHOSE to use the above to contact various media outlets on the same day.

Note: Thanks to a 3rd party's further investigation, it now appears he may have used a single document as a Russian template (with Russian stylesheet data in), saved it as a set of blank 'pre-tainted' files and then opened them later under a different username - copying/pasting in content from original documents into each blank 'pre-tainted' document before saving again - as the specific process for creating documents (Stylesheet change RSIDs correlating across files certainly suggest it and the metadata fully corroborates it too).

Guccifer2.0 covered himself and the files in the digital equivalent of "Made In Russia" labels while claiming to be a Romanian. (Giving cyber-security firms, journalists and others a flimsy veil they could easily pull off and find Russian "fingerprints" behind - not realizing that what they were revealing was a layer of misdirection that would actually prevent them from considering a 3rd possibility!)

So what independent, verifiable evidence is there?

Basically - Nothing showing he was Wikileaks source. Nothing showing he actually hacked into the DNC beyond the fact he had acquired some DNC/DCCC documents. (In fact, there was a fair bit to contradict his claims there thanks to ThreatConnect discrediting his breach claims, showing he was unduly trying to be attributed to the malware discoveries!)

Guccifer2.0 was someone who chose to use a Russian VPN (after choosing to taint documents with Russian language) and was noted to have been in possession of a password for a password-protected area of the DCLeaks site (which, plausibly, he could have been given after promising to upload some of his leaks - DCLeaks were willing to give the same password out to the press in exchange for the promise of writing a story about them!)

Pretty much everything stated about him has been based on assumptions, acceptance of questionable admissions and the public have been given little more than conjecture based on factors he seems to have been controlling and choosing.

Sam Biddle of The Intercept (one of the first people to write about Guccifer2.0 when he emerged) details the problem, in a broader sense, of blaming Russia generally for the hacks in an article released on December 14th 2016, titled: "Here’s the Public Evidence Russia Hacked the DNC — It’s Not Enough". - It covers the fact that the evidence on Guccifer2.0 looks dodgy but doesn't try to determine the intent behind his efforts to deceive and claim credit for hacking the DNC (such as this article is attempting to make clear) and instead focuses on the broader scope of allegations about the DNC being hacked.

UPDATE (12 March)

I decided to contact Elite-VPN in relation to the claims made by ThreatConnect and received a response on March 7th. The responses and the annotated image they sent are as follows:

I wrote back asking if it was okay to publish what they had told me. My email to them and their response to it are below:

So... it turns out that if ThreatConnect had tried using the default options - they would have been allocated the "exclusive" IP address that was NEVER really exclusive.

They've caused concern and distress unduly for a VPN Service provider by misrepresenting the service and produced false-positive indicators by suggesting the IP address was used by a shady group of Russians/Guccifer2.0 with exclusivity.

Why didn't someone ask them sooner?

NOTE: While I have uncovered an apparent mistake made by ThreatConnect, I still do respect the research they did and their reporting of facts even when they didn't necessarily support their conclusions was helpful for my investigation - without their transparency and willingness to share their research openly with the public, my research would have been much tougher, so, despite my criticisms I have to say: Thank you to all at TC for the valuable information you shared with us all. :)


(4) Actions, Consequences & Convenience For Anti-Leak Narratives

In total, the amount of new controversies specifically exposed by Guccifer2.0's actions - was very little.

The documents he posted online were a mixture of some from the public domain (eg. already been published by OpenSecrets.org in 2009), were manipulated copies of research documents originally created by Lauren Dillon (see attachments) and others or were legitimate, unique documents that were of little significant damage to the DNC. (Such as the DCCC documents)

The DCCC documents didn't reveal anything particularly damaging. It did include a list of fundraisers/bundlers but that wasn't likely to cause controversy (the fundraising totals, etc. are likely to end up on sites like OpenSecrets, etc within a year anyway). - It did however trigger 4chan to investigate and a correlation was found between the DNC's best performing bundlers and ambassadorships. - This revelation though, is to be credited to 4chan. - The leaked financial data wasn't, in itself, damaging - and some of the key data will be disclosed publicly in future anyway.

All of his 'leaks' have been over-hyped non-controversies or were already in the public domain - the only exception being the apparent leaking of personal contact numbers and email addresses of 200 Democrats - and really that was more damaging to the reputation of Wikileaks than causing any real problems for Democrats. - Ultimately, it only really served to give the mainstream press the opportunity to announce that "leaked emails include personal details of 200 Democrats", again, seemingly an effort to undermine other leaks being released at the same time by legitimate leak publishers.


(5) Rushing To Be Russian - The Donkey In A Bear Costume Made A Mistake

5a. "Russia-Tainted Metadata" Reportage Mostly Ignored A Key Piece of Metadata

There is a key fact about some non-Russian metadata that nobody seems to have reported and it certainly seems to be of critical importance - and that is the document creation timestamps...

There were multiple documents shared with TheSmokingGun, Gawker, ArsTechnica and others.

The first document, "1.doc" (mirror), was given considerable coverage, while the name "Warren Flood" was reported, the date in the report (rather than in the metadata) was reported and so it was attributed to Warren Flood on 12/19/15.

Gawker incorrectly claimed the metadata showed the document was created in 2015 when it actually indicated the document was created by Warren Flood at a much later date.

The truth is that the metadata shows the document being created 30 minutes before Guccifer2.0 appears to have gotten his hands on it:

Created by Warren Flood on 15th of June at 13:38
Modified by Феликс Эдмундович on 15th of June at 14:08

The other document, "2.doc" (mirror) was not mentioned so much, but it too had interesting metadata:

Created by Warren Flood on 15th of June at 13:38
Modified by Феликс Эдмундович on 15th of June at 14:11

How did this get missed? - My guess is that people who investigated were using MS-Word. Recent versions of MS-Word tend to show limited metadata from RTF1 format files, for example, MS-Word 2010 shows:

If you open "2.doc" in OpenOffice though, you will spot what first alerted me to the timestamp correlations in the first place:

If you look at the raw data of "1.doc" you can see an ever closer correlation:

UPDATE (18 Feb)

It was pointed out to me that I'd only focused on 2 documents and that there were more released by Guccifer2.0. - He had actually released a set of 5 RTF1-format documents, all had creation/modification dates as 15th of June and another one of them had Flood listed as it's creator:

File Created By Time Modified By Time
1.doc Warren Flood 1:38pm Феликс Эдмундович 2:08pm
2.doc Warren Flood 1:38pm Феликс Эдмундович 2:11pm
3.doc Warren Flood 1:38pm Феликс Эдмундович 2:12pm
4.doc Blake 1:48pm user 1:48pm
5.doc jbs836 2:13pm Феликс Эдмундович 2:13pm

MD5 sums and mirror links are provided below in case the originals are altered or removed in future:

File Size MD5 Mirror
1.doc 6.8mb a0977ccf006a9e9b5d2c396986cc8da7 link
2.doc 194.6kb 4409de44ef522b583e38a5ed79bf09f0 link
3.doc 211.0kb e44f494ed23907c5298b645063a5dbc3 link
4.doc 1.3mb f79972d72f5304bf1dc4cd2ae6c3a2d4 link
5.doc 67.9kb e2c432bb1e0ef06226594699876292dc link

A more detailed look at the actual contents of documents (eg. RSIDs of different changes and correlations across files) gives further clues about the procedures used to intentionally stick "Russian fingerprints" on some of the files.

Who is Warren Flood?

IMPORTANT: Before getting into the details of Warren Flood - please be clear on one critical fact: There is still a possibility that someone else could have accessed a computer he owned to create these initial documents on or it could turn out there's some other innocent explanation for his name being attached to the documents. - Even if he is involved, it's an issue for government officials, FBI, etc. to resolve, please do NOT harass Warren Flood because of this report stating that Warren Flood appears to have done something... all we know for certain is that someone used an account with that name.

The corpus/language analyses carried out also show Guccifer 2.0's communications lack a subtle punctuation flaw that appears to be present in Flood's writing elsewhere. - So, even if Flood does have any involvement, it's likely to have been a minor role in the overall Guccifer 2.0 operation (eg. sourcing files) - it does seem that somebody else was taking care of communicating and likely managing the overall operation.

The above statement supercedes and overrides any assertions expressed on this page or anywhere else on this site on the subject of any attribution to Warren Flood.

So... who is Warren Flood? - How did the documents get from Flood apparently creating them to the "hacker" within 30 minutes AND how did that happen when Guccifer2.0 claimed that he had been kicked out of the DNC's systems as of June 12th according to the conversation he had on the 21st of June with Lorenzo Franceschi-Bicchierai for Motherboard/Vice? (An article in which Guccifer2.0 shows he can easily change the identity of the person who last modified the file)

We can answer the first question by looking at Warren's linkedin and facebook profiles (these profiles have almost no private or personal character information - we're only revealing things about his work, experience, professional skill set and his history with DNC, etc.).

How Guccifer2.0 apparently acquired and edited the documents in 30 minutes of them apparently being created by Flood AND at a time that he would later claim was AFTER he had been kicked out of the DNC's network... is a question that Warren Flood might be able answer - we can only speculate.


From left-to-right: Joe Biden, Alice McAlexander, Warren Flood, Jill Biden.

While Warren's name may have been relatively unknown to many reading this article, he has worked for Obama for America, the DNC, served as Joe Biden's technical director and is no stranger to the White House, as his photograph with Joe and Jill Biden (embedded) suggests.

As for the main file (Trump Opposition Research) - it's basically copied from this file (which is also attached to this leaked email).

It was actually a document originally authored by Lauren Dillon (DNC research director) and modified (and sent to John Podesta) by Tony Carrk (Research Director at Hillary for America).

As it's clear the original source document was not authored by Flood it seems odd that Flood's name would be there! - Was he or his company hired to provide technical assistance (possibly to help manage the op)? - While re-opening and saving the documents did record the desired Russian metadata, it only did so in relation to the last modification - maybe in the rush to get the documents out to media he forgot his name was on these as the original creator?

Note: While the paragraph above mentions opening and saving documents, it has now come to light that it was likely to have been a Russian template document used - and that content from original documents was copied and pasted into the template and the results were saved as a new file (a process that appears to be repeated for the first 3 documents due to correlating RSIDs on stylesheets).


(6) Corpus & Language Analysis

Several experts and their assessments have been cited, Motherboard (Vice) reference 3 such experts but only one appeared willing to be identified. - Carrying out our own analysis (and highlighting the process), we can see why the others may have chosen anonymity - their assessments seem to be limited and pick up on things that in aggregate, Guccifer rarely actually does.

Guccifer2.0 used a "Russian smiley" (")))") ONCE! - This was in one of his first posts. The other thing that made him appear Russian was that he referred to hacks as "deals" a couple of times. - HOWEVER, he ONLY does this in the interview with Motherboard/Vice on the 21st of June - he never repeats this behavior in any other communications - so, it seems it was just put on for the purpose of the interview. - These are the main 2 things pointed out by the anonymous experts and are bizarrely both things he does only in 2 isolated incidents.

Professor M.J. Connolly of the Slavic & Eastern European languages department at Boston University had the most valuable assessment - and could explain the syntactical traits that were missing from Guccifer2.0's writing.

For our own non-expert analysis, details about differences between Russian/Slavonic Languages & English language can be found here, here and here.

As a brief example, TSG article's quoted statements from Guccifer are below. Definite and indefinite article use and prepositions are highlighted:

“I stand against Guccifer's conviction and extradition. I will continue Guccifer's business and will fight all those illuminati the way I can. They should set him free!!!!”

“Hi. This is Guccifer 2.0 and this is me who hacked Democratic National Committee.”

“Guccifer may have been the first one who penetrated Hillary Clinton's and other Democrats' mail servers. But he certainly wasn't the last. No wonder any other hacker could easily get access to the DNC's servers.”

“First I breached into mail boxes of a number of Democrats. And then using the info collected I got into Committee servers.”

Compare this to the use of English language expected from someone who is really a Russian, as demonstrated in this screenshot of a video featured in an article by ThreatConnect on 2nd of September 2016. - The difference is stark to say the least!

It's clear from the above (as well as an analysis of a much larger corpus of Guccifer's words that I have compiled - see below) that he habitually uses definite articles, even when communicating in a live chat with Lorenzo Franceschi-Bicchierai of Vice's Motherboard, he rarely fails to include them. - The amount of instances where his definite and indefinite articles are correctly used (when they are used) is around 96%. - In other words, while he mangles English language selectively, he doesn't do it in a way that is consistent or in the way that is expected from those whose native language is one lacking definite and indefinite articles (such as is true with Russian language).

We never see Guccifer struggle with prepositions either:

He never claimed to hack through a server, or get under security or wait around being detected. His command of prepositions is very strong and he seldom drops the use of them.

AUTHOR'S NOTE: As author of this article, I am not pretending to be an expert. I'm just applying some knowledge from the public domain to a large collection of sample data in a manner that demonstrates various factors that relate to the aspects of English language that Russian's would typically struggle with.

Backups of DMs: Robbin Young | Cassandra Fairbanks | Roger Stone


(7) Recognizing Intent From Deceptions

When you consider all of these various facts in aggregate and understand that Guccifer2.0 never demonstrated any genuine hacking skills, realize his actions only ever served to undermine leaks, ultimately caused no harm to the reputation of anyone except himself and needlessly and inexplicably gave the mainstream press fodder on which they could write headlines branding leaks as "fake", "discredited", "tainted by Russia", etc., had some non-hacking means of acquiring the DCCC documents and has had his claims of breaching the DNC network debunked by ThreatConnect. - It becomes clear that Guccifer2.0 did more to serve the interests of the DNC than really act maliciously against it.

Anyone critically analysing the nature of Guccifer2.0 can see enough to identify whom he was most likely was or was serving through his activities online. - His lack of credibility and the inevitability of his Clinton Foundation server hack 'take' being exposed as nonsense makes it clear that Guccifer2.0 was a fraudulent construct intended to counter the leaks and try to take-down the credibility of Wikileaks as collaterol in the self-destruction of it's own reputation.


(8) With Motive & Means - Those More Likely Linked to G2 than Russians

It seems like there's a good chance Warren Flood has involvement to some degree but even if that's true - he personally had nothing to lose due to the emails, so, who would really be behind such a scheme?

The more thought I've given it, it seems most probable that one particular group would have been particularly desperate precisely at that time, for the emergence of a narrative about Russian hackers to discredit proper leaks / justify claims that all leaks are 'probably doctored' and they will have very likely known Flood too.

That group is the Clinton Campaign.

As of June 12th, they were in a position where Julian Assange had just announced WikiLeaks' upcoming release of Hillary's emails, she was still under FBI investigation, Trump was attacking Hillary for her use of a private server with his supporters frequently chanting "lock her up!" at rallies).

The campaign was in a desperate position and really needed something similar to a Russian hacker narrative and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of 'fingerprints' tainting files and bringing the reputation of leaks iinto question... Sure enough, 2-3 days later, Guccifer2.0 - the world's weirdest hacker - was spawned and started telling lies in an effort to attribute himself to the malware discoveries, etc.

While this may seem like the final conclusion, there are still more leads to investigate and unanswered questions that need answering. - This article will expand frequently to include new information and the conclusion here will update as and when that information is added.

If you have any tips, know of anything significant that's missing from the timeline at all or want to chat about anything related to Guccifer2.0 feel free to contact by email (link at top of article).


(9) Updates & Inquiries With Third Parties

On or before February 1st, 2017 - the following people were emailed with requests for any information they could provide on Guccifer2.0 that had not already been included in their previous reports and explained that I was trying to be exhaustive in case there is anything that may conflict with a conclusion I had reached:

The following individuals/organizations were contacted with queries on various topics covered in the article beteen January 23rd and February 8th:

The following individuals/organizations were contacted with queries between February 25th and March 1st:

Emails were sent to the following on March 14th to:

An Open Letter was published on March 14th to:

On March 18th an email was sent to:

Planned contact with universities has been delayed due to numerous additions needed on the corpus files (due to recent additions from Twitter activity to the timeline & recently released DMs from Robbin Young)


(10) 3rd Party Research & Further Reading

This Fancy Bear's House Is Made of Cards: Russian Fools or Russian Frame-Up
by nyetneynyet aka u/tvor_22

Russia and Wikileaks - The Case of The Gilded Guccifer
by nyetneynyet aka u/tvor_22

Did Russia Really Hack The DNC?
by Gregory Elich

Is Guccifer 2 One Person or Multitude of People
by Steve Cunningham

Cyber-analyst: No evidence to connect Guccifer 2.0 to Russian DNC hack
by Steve Cunningham

The Guccifer 2.0 Chat Hoax
by Hannibal Moot


(11) Frequently Asked Questions

There are questions often asked and various alternate hypotheses offered regarding Guccifer2.0. - I'll try to cover most of those here.

Can't metadata be manipulated just by downloading and couldn't it have been manipulated by saving the file at times you haven't considered?

While downloading the files to your PC will cause the file headers to have the current time/date recorded - these are completely separate from the RTF metadata (which remains untouched and will still have the creation/modification dates in June of 2016). - So the downloading, etc. process and copying/moving the file around in your OS won't cause the RTF metadata to be altered.

That said, there still ARE circumstances in which the data can be reset, etc. (when opening and saving the file in apps, etc).

We have given a lot of consideration to this too...

To figure out the sort of application behaviors we were likely dealing with - it helped to know what application was likely used to save them. - fortunately, this can be evaluated to some degree because we can see that all 5 RTF files have the following string in them:

{\xmlns1 http://schemas.microsoft.com/office/word/2003/

You can test using OpenOffice, LibreOffice, WordPad and other apps that can save to the RTF format and check which ones produce the above string and which ones don't . We can't entirely rule out the possibility of other apps producing this but of those tested - only MS-Word seemed to leave this in the files. (There are other things we can test if it ever does turn out there are other applications that have this behavior).

So we tested further with a few recent copies of MS-Word to see the various circumstances when the actual RTF metadata changes.

What we found was:

Author name - Set on creation, retained when saving and saving-as (people who edit the document subsequently are recorded as 'operator' rather than 'author'.)
Creation date - Set on creation, CAN BE REFRESHED by someone saving the document as ("Save As..") a new copy.
Operator name (last person who edited) - Set on creation, set when saving.
Modified date - Set on creation, set when saving.

We have tried to consider various possibilities and even if the creation timestamps are modified on the documents in a way we had not accounted for (eg. due to a Save-As event we perhaps had not considered) - the only difference it really makes is that it changes the time/date on which someone using an account named "Warren Flood" created the initial Russian-tainted template that the first 3 files are all based on.

(This is because the RTF-RSID correlations on the Russian language stylesheets in the first 3 documents allow us to evaluate the chronological order in which they and the actual content became present in each of the files - regardless of the metadata.).

Could Justin Cooper (Clinton aide / CGI spyware installer) be Guccifer 2?

Justin Cooper was known to have installed spyware on machines at the Clinton Global Initiative, an email from Chelsea Clinton in 2011 explains as much.

Justin was also involved in setting up the private mail server that Hillary Clinton had used while she was Sec. of State.

To assume Justin is Guccifer 2 - you'll have to assume that installing spyware at CGI would have given Justin remote access to everything on the DNC's mailserver and assume nobody managed to resolve the issue in the 5 years that followed the threat being identified.

Either assumption is a leap of faith with Justin being a Clinton aide that worked on the CGI side of things rather than the DNC/DCCC/etc.

To further diminish the likelihood of this - you can also add the fact Bryan Pagliano took over managing the server shortly after Hillary became Sec. of State (2008) and then another company called "Perfect Privacy" took ownership of the domain in 2014.

It's very unlikely to be Justin!

 

Isn't Guccifer 2 really a group of 7 or 8 Ukrainians/Serbians/Romanians?

Maybe Commander X can give more details or a demonstration or explanation of this?! (I'm expecting this questions from those who have listened to a recent interview Commander X did with Susan Lindauer)

The corpus suggests G2 is someone who speaks English as their first language and merely feigns sloppiness, while this doesn't really fit the theory here - it is at least more conceivable that G2 would be Romanian/Serbian due to closer similarities between English language and their languages than it is likely to be a Russian (solely from linguistics analysis).

The intent demonstrated in the framing effort shows it was an operation motivated to discredit Wikileaks and damage the reputation of leaks (which as far as I can tell, only the Clinton campaign had any desperate need to do at the time!).

I'm unaware of anything that would have suddenly given Ukrainians, Serbians or Romanians motive to discredit leaks at that time - I'm not ruling out the possibility but I struggle to find any correlations to support the premise..

I think maybe I'm lacking some of the information that Commander X is using so have had difficulty ascertaining exactly what Russian arrests, etc. the hypothesis is based on..

If Commander X has something to demonstrate or reference to explain intent/motivations/etc or evidence of some kind to support this theory (or any other information), please let me know and I'll update this article to cover it.

 

Have you considered Guccifer 2 may be a female?

Yes, I've considered most possibilities but there's nothing I've seen to actually suggest that G2 was female. Roger Stone referring to G2 as "her" once accidentally, in a sentence in a recent interview - is really nothing.

Even putting aside what we already know, start off with the simple statistical likelihood. - Black-hat male to female ratio is somewhere between 20:1 and 100:1. -What substantive indicators are there that Guccifer 2 was a female?

If we don't cherry-pick and instead treat everything Roger Stone says in interview as being significant, we can see he has said "he", "him" or "his" in reference to Guccifer 2 at least 20 times in the last month.

Using either, if we don't cherry pick it still looks like there's at least a 20:1 ratio. - To automatically assume Guccifer 2 must be of the gender that has a 5% (or less) likelihood due to Roger Stone ushering a single word once in one interview - is bizarre - yet it seems there's been a push on social media to claim that it's proof of Guccifer 2 being female.

Then there's the other factor - Guccifer 2 stated, in conversation with Robbin Young - that an erotic poem was making him 'hard'. - This in itself is a strong indicator that the Guccifer 2.0 persona is a male - at least in the minds of those who invented Guccifer 2.0.

 

Couldn't Guccifer 2 just have been a disgruntled Sanders supporter?

Guccifer 2's first action, contrary to his stated intent - was a clear effort to undermine the reputation of leaks by having them blatantly 'tainted' with a Russian name and stylesheet (overlooking the fact that the RTF data stream records clues about each document's construction besides timestamps, etc).

Considering WHAT Guccifer 2 actually was and was clearly trying to achieve, it means neither Sanders nor Trump supporters would have had a motive to actually act in the way Guccifer 2 did.

At the time (15 June), many Sanders supporters were happy to wait for Assange to deliver on the promise of Clinton related leaks that he'd given on the 12th.

Nobody opposing Hillary, immediately following news of upcoming leaks - would try to release dodgy leaks AND try attributing them to Wikileaks... those were tactics only one campaign had any need for.


(For those that don't know why this was even suggested - it's because Guccifer 2.0, as part of his misdirection - was willing to hint at allegiance with Hillary's current opponent at the time! - Initially, after his emergence and during the primary, he was seeking to attribute his activities to Sanders and would inquire with reporters about the DNC lawsuit, express sympathy for Bernie and berate the rigged process, etc.) - Then once Bernie was out of the way, Guccifer 2.0 switched - and - as many already know, he was willing to openly express admiration for Trump supporters and in one interview with the BBC he oddly blurted out something about making "America Great again".

This chicanery had many reporters convinced that Guccifer 2.0 sided with Hillary's opponents (and his actions show he actually did little to harm Hillary, if he was really a source for Wikileaks, as he claimed, he would have had more damaging material to publish at that time and would have been able to at least give some foresight as to what revelations would be coming from Wikileaks - but he didn't) - many listened to his words but didn't scrutinize his actions closely and the classic addage: "Actions Speak Louder Than Words" could never be more applicable to a hacker investigation than they have been in the case of Guccifer 2.

If G2 Was Working For Clinton Campaign Why Did He Hurt the DNC/Clinton?

He did very little to hurt the DNC and practically nothing to hurt Hillary's campaign (despite his vociferous opposition to her in word, he did little to oppose her in deed).

He did release some exclusive content but it was mostly inconsequential and largely to establish media and public trust. - There were fundraising totals that will likely end up on OpenSecrets and other sites due to records requests, outdated low-security shared-access passwords, outdated contact information of donors and lots of dull content that sapped public interest in the leaks. - The TARP-related documents were old and the only controversy they covered was one already exposed by OpenSecrets 8 years ago. - Even the ambassadorships wasn't intentional. - It's only because sleuths on 4chan cross referenced a list of ambassadorships with the list of big fund-raisers that it even became a controversy.

And so... before Wikileaks had even released the first email, G2 had gained notoriety, the Clinton objection handling talking points were being framed as a 'dossier' and in some cases 'opposition research' (when it was in fact the exact opposite - talking points to counter Clinton criticisms), the narrative of Russian hackers had been created (as we now know - very intentionally and very falsely!) and justification for claiming the leaks were "probably doctored" had been seeded. Headline's already included:

"DNC Hacker Dumps Trove of Clinton Documents"
"'Guccifer 2.0' Claims Responsibility for DNC Hack"
"Hillary Clinton 'dossier' released by hacker Guccifer 2.0"
"Contrary to DNC Claim, Hacked Data Contains a Ton of Personal Donor Information"
"Will Hillary Survive Barrage of Email Leaks From Russia and WikiLeaks?"

and when Wikileaks finally did release the emails, we had outright false attribution from authors like Bluestone @ Gawker, with gems such as:

"Russia (via Wikileaks) Releases 20,000 Hacked DNC Emails Just in Time For the Convention"

This was accompanied by a choir of MSM entities admonishing Wikileaks in unison over the apparent release of donor SSNs/credit card numbers. - For every headline covering the media-collusion and primary rigging, there were 10 angrily berating Wikileaks.

Before Wikileaks even had chance to respond to the criticism... the next act of G2 was to throw fuel on the fire of criticism already scorching Wikileaks by releasing personal information for the sake of generating even more negative headlines and admonishment of leaks...

"Personal Information of Nearly 200 Democrats Leaked in Latest Hack"
"New leak releases personal data of 200 Democrats"
"DNC Hacker Leaks Personal Info Of Nearly 200 Congressional Democrats"
"Democrats hacked again! New leak releases personal data of 200 party leaders"

Guccifer 2.0 successfully maligned the reputation of leaks in various ways before Wikileaks even started releasing emails and persisted even at the time of release. - The consistent negative outcomes from his actions was one of the earliest clues suggesting his stated intent and actual intent were likely to differ, the near-zero impact on Clinton from his leaks was another hint.


Who is Guccifer 2 then? - Warren Flood or someone else?

This depends on who you ask. - If you ask those who listen to Louise Mensch, it's someone working for Putin. - If you look at the evidence, it's someone trying to frame Russia or have leaks attributed to Russia and the person who initiatially handled the pre-tainted template file that Guccifer 2's first documents were based on - appears to have used a user account in the name of "Warren Flood".

So... It's Warren Flood?

Not necessarily but there's a possibility of him being involved and knowledgeable of the scheme. - The overall misdirection effort, to me, seems very professional (let's face it, it fooled most of America for at least 9 months) and I don't think Warren will have had the full skill set for all of it. (If anything, I suspect his job was to acquire and taint files initially but suspect that others were involved, especially with regards to communications).

Looking at the statements of CrowdStrike from the 14th of June and how it correlates in one regard to Guccifer 2's activities the next day but also (a) contradicts it due to Guccifer 2 having more files than they stated had been taken and (b) it seems odd they'd detect an intrusion because of an access attempt to a Trump opposition research file and not at a litany of other, far more typical detection points (identifying hostiles as soon as they hit the TCP/IP stack, identifying malicious packets, identifying brute/wordlist password cracking attempts, identifying CPU spikes and activity of specific processes, etc.).. that I have recently been wondering exactly what CS were doing back at the DNC suddenly after Assange's announcement, wondering whether they submitted evidence to any intelligence agencies to support their detection claims - and wondering if they may be outright complicit in the Guccifer 2 operation. - Certainly, Alperovitch and Henry would have had the skills and experience needed to spearhead such an operation and the opacity with which they've operated in comparison to firms like ThreatConnect (who have been very transparent and accountable in their work) doesn't make them seem as credible to me as when I first started investigating this back in January.

Either way, regardless of attrbution of the actors/operators - what is fairly clearly is that the intent demonstrated by the consistent outcomes of Guccifer 2's actions falls perfectly in line with the motives of the Clinton campaign at that precise moment in time. - So, ultimately, it was an entity, probably consisting of a few individuals, that, judging on the merit of it's actions (contrary to it's stated intent/desires/goals/etc) - was really working to serve the Clinton campaign's agenda.

Why should I believe you over MSM/DNC/ODNI/DHS/CIA/FBI/etc?

Ideally, I don't want you to have to believe anyone - you don't really need to believe anything to know that the FSB/GRU/Russian-State/etc attribution is highly likely to be phony.

This is why the "Evidence of Intent" series of documents exists in isolation to the main article. - It's so that you can check and verify the evidence that u/tvor_22 discovered for yourself by using the primary source (Guccifer 2's blog) and Microsoft's RTF document specification as a reference... so you can check and verify the evidence using primary source and reputable sources for reference materials... rather than have to rely on my words.

I've tried to provide the tools for people to be able to do more than believe in something.

You're working for Putin! - You're a #TrumpZombie!

No. - I'm just an independent, investigative 'citizen journalist' from the UK that has no loyalty to any political parties in the US.

If you have loyalty to the Democratic party leadership and my research offends you, I'm sorry about that - I just hope you will at least try to check and verify what I've reported on and can recognize that I'm not trying to engage in partisan smears or spin.

The evidence is what it is, it's not fabricated, there's no tin foil hats here, no agenda to insult and undermine your party (or any other party)... I'm just reporting honestly on what has been found and is now being reported by multiple researchers.

Over the last 3 months, the research has: