The Man Who Cried Volf

Adam Carter - July 9, 2018

Did He Meet Seth Rich, Set Up DCLeaks & Give DNC Leaks To WikiLeaks?

This is the story of how Mark Dougan (aka BadVolf):

During the past few weeks, a story about a former Palm Beach County Sheriff's Office deputy by the name of Mark Dougan has been circulating around social media. In it, Dougan claims to have met with and received leaked documents from Seth Rich (a DNC staffer murdered in July 2016 whom many have suspected of being a source for some of the leaks published by WikiLeaks during the 2016 US general election).

Going further, Dougan also claims to have been the person responsible for the appearance of DCLeaks, a site that appeared in the Summer of 2016 that published a variety of leaked emails and documents. Dougan even claims that he had passed emails on to WikiLeaks.

For those that don't know, Dougan hosted a forum called PBSOTalk, a forum that encouraged PBSO officers and others to blow the whistle on corruption within the sheriff's office. In March 2016, following the publication of personal details of police, FBI officers and others to his site, Dougan was raided.

Dougan has stated that, following the raid, when released, he travelled to Canada and then on to Russia where he sought asylum (citing fears that he would be punished extremely harshly for what had been published despite not being charged with a crime and having his passport handed back to him by the FBI) and, we can only assume, has lived there ever since.

In the past, Dougan has only ever mentioned the publishing of documents on his PBSOTalk site as the reason for the raid, however, more recently, he has claimed he was contacted by Seth Rich (in February 2016), that he was sent some content by Rich and that this was one of the reasons for the raid.

Along with introducing these new elements to his story, he has also conceded that he had invented a hacker persona called "BadVolf" (which he openly concedes now but had insisted was a Russian hacker in the past in order to give himself cover for posting the documents to his site, even giving interviews to sites other than DataBreaches via his alter-ego at that time).

If you check his claims out by looking at the forum on pbsotalk.org and searching for "DCLeaks", you will discover that there are a few posts, apparently made from April 19th 2016 onwards, where he cites "DCLeaks".

If you check on the original site's history (before it was taken down following the raid) you will find that PBSOtalk.com was a site Dougan had set up years prior to 2016. We can also see that back on March 14, 2016, he was apparently raided by the FBI due to content he posted on the site (around the time the BadVolf persona first emerged). You may even find a story about BadVolf revealing an apparent connection to DCLeaks as early as September 2016.

To many, this may seem compelling but for this article's author, who has had BadVolf on their radar for over a year, not only has Dougan's recent return to the spotlight served to be somewhat unconvincing (although, admittedly entertaining), it's actually helped provide useful evidence to demonstrate a deception consistent over a period of 2 years, in turn, making sense of the incident referenced at the end of the previous paragraph.

So, what are we dealing with here?

 

A Badger In Volf's Clothing

Dougan is a real person, him running the PBSOTalk site really happened, him having worked for PBSO appears to be accurate and being in Russia also seems to be true.

However, the claims relating to Seth Rich are questionable and the claims relating to DCLeaks appear not only to be lies but lies backed up by fabricated evidence.

It's also not the first time Dougan, or at least, an entity using the name "BadVolf", has attempted to use dodgy evidence to claim they have (or had) control of DCLeaks, the first instance of this was back in 2016.

[NOTE: If you don't want the backstory and details and simply want to know why Dougan's claims regarding DCLeaks are false - you only need read the following section and the final section at the bottom of this article.]

The DataBreaches Incident

In September 2016, a reporter for the site DataBreaches.net was contacted by an entity going by the name of "BadVolf".

BadVolf shared with the reporter a video of a mundane shell prompt apparently showing a MySQL session connected to a PBSO database. However, the video also seemed to reveal something interesting - it revealed "DCLeaks".


Source: DataBreaches.net

What BadVolf wasn't expecting, though, was for the reporter to immediately pick up on the apparent connection and even question him on it, but they did. They asked BadVolf about the presence of "DCLeaks" at the top of the shell window and requested that BadVolf demonstrate control through something verifiable (eg. placing content in the site's root directory).

BadVolf was unable to do this and excused his inability by saying he was solely a database manager for the site. We now see from Dougan's claims that, if what he now says were genuine, BadVolf would have been able to verify control because it was, according to what we are now told, his site.

So what we really observed was BadVolf (we assume this was Dougan) producing a multimedia prop to trick a reporter into thinking he was a Russian hacker who had just accidentally exposed himself as having control over DCLeaks. When called out on it, he couldn't actually prove he had control of anything, and he has now contradicted the excuse he used at the time for being unable to verify it.

What we saw in September 2016 was a failed attempt at using a classical deception technique called "The Unintentional Mistake":

Not much was heard from Dougan following this, the mainstream press didn't pick up on this either (probably because it was a failed attempt and those behind it would have no desire to point the article out to their media contacts) - things then went quiet.

 

Is it a Bear? Is it a Volf? No! It's Crypto Badger!

On March 28th 2017, shortly after discovering the DataBreaches article (which I'd found while investigating the Guccifer 2.0 persona), I started asking questions about BadVolf. At this point I already suspected some degree of deception going on and was wondering whether PBSOtalk.ru may have been a front set up following the FBI raids and takedown of PBSOtalk.com.

Unknown to me, the domain "badvolf.com" was then registered on April 10th (about 20 days after I started inquiring about BadVolf's claims, 4 months after the DataBreaches article was published) and the first I heard of its existence was on April 24th, when I was informed, via Tweet, that BadVolf was a group and was directed to the site badvolf.com.

Knowing that the Twitter user pointing this out was a staunch defender of the premise of Guccifer 2.0 being a Russian hacker (at the same time as I was seeing evidence suggesting that was what Guccifer 2.0 intended for people to think if they looked beyond his stated claims), I did suspect this would lead me back to a cluster of domains and identities I'd seen previously, one of which was registered shortly before the incident referenced in the DataBreaches article and that I believed was created at the same time as specious hacking claims were first posted to pbsotalk.ru. (Sure enough, it was part of a cluster of domains and identities I'd become aware of previously.)

For details on what I had investigated last year, see supplemental: "The Bears, Volves & Badgers of PBSOTalk". (As well as the badger related domains that were found there, it turns out that Dougan used the pseudonym "CryptoBadger" in the past.)

As nobody was touting the DataBreaches incident as evidence of Russian collusion and I had other things to investigate at the time, I decided to stop pursuing BadVolf as I sensed I was being baited, so I resumed investigation elsewhere.

Now, almost a year later, BadVolf has emerged, or rather, Dougan has now explained that he was BadVolf all along, has directly claimed control of DCLeaks (contradicting his former claim of not being able to verify control of DCLeaks because he was the "database guy") and has even expanded his claims to include Seth Rich.

The first signs of this latest addition appeared early in May (though the first signs of an injected post go back at least as far as April 15th).

INV1105 Research Reports

About a month ago, I was advised that a blog titled "INV1105 Research Reports" existed, operating on the URL "iv1rr.wordpress.com".

The blog purported to be from someone going by the name of "INV1105" that had been carrying out investigations for the past 15 years.

On Google, I found no references to this identity any earlier than August 2017 and the Twitter account connected to the blog (@therealinv1105), was also a profile that was created in August 2017 (though it may have used a different name initially).

So, despite the claims made, it appeared as though this entity only existed for a little over 10 months.

The earliest article I've found on the blog cited above was posted on May 9th and was titled: "Infamous Florida Ex-Cop Claims Responsibility for DNC Leak of 2016".

Additional articles since then included (all dates are in 2018):

There were also two Word documents uploaded to a public file sharing service, copies of these files are here and here.

Of course, a blog from someone who is involved in various investigations yet only features one topic would seem a bit suspect. Fortunately, though, INV1105's blog did cover other topics, for example:

Oh, but look! It seems May 27 2018 was an unusually busy day for someone.

In fact, some may even perceive that the lack of variety became apparent to INV1105 and that the above was a poorly conceived attempt to compensate for it.

Of course, it follows that INV1105 would then realise that this actually makes things look even stranger and decide that it might be best, after all, to just take the blog offline before anyone realizes within a few days of adding those additional articles.

While @therealinv1105 is still on Twitter, their role in this saga seems to have ended along with the blog vanishing.

To summarize, so far, we have a failed attempt by BadVolf to convince a reporter that he had access to DCLeaks using a multimedia prop, Guccifer 2.0 even made a guest appearance half way through and when BadVolf was challenged to provide verifiable evidence of it, he gave an excuse that he now contradicts.

Approximately 6 months after that incident and 20 days after I started seeking for more information on BadVolf, the domain "badvolf.com" was registered and a hastily constructed site soon followed which was subsequently pointed out to me by someone who had already tried to undermine the efforts to investigate and understand the Guccifer 2.0 persona.

Following that, we've got someone (that we only have evidence of existing going back to August 2017) emerging, creating a blog, claiming they've been carrying out investigations online for 15 years, posting a series of articles to their blog all about Dougan/Rich/DCLeaks, then posting 5 articles on other topics all on the same day 1-2 weeks after the others and then suddenly shutting the blog down.

Update (16 July 2018): Since posting this article, @therealinv1105 has contacted me stating that they felt they were misrepresented and shared, in considerable detail, some of the things they had been involved with previously over the past 15 years.

They also advised me that they frequently remove their work in order to avoid leaving too much of a trail online and explained how they discovered the DCLeaks email address.

To be clear, I have no evidence indicating that there is a causative relationship between Dougan and INV1105. What I've suggested about this individual was drawn from my own inference based on timing, limited evidence available online about their identity and the sudden removal of the site a week prior to Dougan giving interviews to a couple of YouTube channels on these new claims. INV1105's explanations regarding their activity certainly appear, to me, to be plausible.

We'll now return to the surface briefly for some third-party interviews of Dougan that started just over a week later...

CrowdSource The Truth, Sarah Westall, Born In The Wilderness and Others Interview Dougan

About a week after the erasure of INV1105's blog, Dougan started to feature in a number of interviews on various YouTube channels.

(All dates cited are in 2018)

The clip from Last Born In The Wilderness in the list above is from podcast #124.

They also interviewed Dougan 6 months earlier, for their podcast #94, however, the previous podcast was primarily about his history at PBSO and the PBSOTalk site.

Dougan, at least, has confirmed that the claims to have met with Seth Rich and to have controlled DCLeaks were, indeed, coming from him.

So, the big question is, of course, can we confirm or refute the claims being made?

Dougan's Claims On Seth Rich

Dougan claims that Seth Rich contacted him in February 2016 and that leaks not posted to DCLeaks were passed on to WikiLeaks.

These are key dates in relation to phishing/leaks/etc from 2016:

The DNC Leaks and Podesta Leaks published by WikiLeaks were from batches that were acquired after Dougan alleges Seth had first contacted him.

Certainly, it's possible that Dougan could have met Seth but there's plenty of room for doubt and skepticism seeing as though Dougan has already tied himself to a questionable hacker persona who was involved in an incident in which they appear to have been lying about DCLeaks in a way that would have tied DCLeaks to someone identifying themselves as a Russian hacker.

For context, it's also important to know that, last year, there was an effort to propagate a claim that Seth could have been in trouble with Russians (and that this may have been related to his murder). Jack Burkman, who had set up an organization to investigate, was even sent what appears to have been a false lead suggesting this and there's a chance Guccifer 2.0 may have been suggesting this in a conversation with Robbin Young in August 2016.

If Dougan is lying about both Seth and DCLeaks he will be lying about two loose ends regarding RussiaGate attributions that some individuals in the USIC (and cyber-security industry) would like to see tied up in accordance with the narratives they've perpetuated.

If he's lying about either, it will also make it likely that he's lying about both.

Keeping that in mind, we'll now take a look at his most recent claims regarding DCLeaks and also consider the evidence that shows someone is either lying or they're a time-traveller.

A couple of weeks ago, shortly after Jason Goodman had first started interviewing Dougan, a friend and ally I've come to know through Twitter archived and pointed out some interesting posts from the latest reincarnation of Dougan's site (now existing as "pbsotalk.org").

Well, there you have it, April 19 2016, the same day DCLeaks was re-registered and sure enough Dougan was talking about DCLeaks in his post on PBSOTalk.

It seems bizarre though.

Many people investigated DCLeaks in 2016. I found the article about the BadVolf persona and its effort to link itself to DCLeaks that many hadn't spotted, and yet this reference, a piece of evidence of someone admitting knowledge of the domain on the day of the domain registration, and we all missed it?

I checked the usual archival sites but the only copies of that forum thread that I could find were from before the post was made, it probably didn't help that PBSOTalk.com had been taken down around March 24 2016. The screenshot below is of all page snapshots in descending order of most recent snapshot date. PBSOTalk.com didn't come back until over a year later.

So, simple question, how did Dougan post to his site if it had been taken down?

Looking at the rest of that forum post does offer us a clue...

Also, looking at archived pages and forum posts, and WhoIs history on the domain, it looks like the site was resurrected on the domain "pbsotalk.ru" with that domain being registered on April 24 2016 and a "we're back" forum post being made to the forum on April 25 2016.

Did you spot the chronological mistake?

We are expected to believe that, on April 19 2016, Mark Dougan was posting to his forum which no longer had a domain and wouldn't have had one for another 5 days and that he was linking to a URL that wouldn't even exist until at least 5 days later as though there was content already there.

Of course, there could be an explanation for it, couldn't there? Maybe he could have edited his post a month or so later and his copy of phpBB was configured to not display editing date/time on edits?

We can rule that premise out without even needing to scour for edited posts because Dougan fabricated a few replies and, in doing so, he quoted his April 19 2016 post in a reply apparently posted on April 24 2016, so he'd have had to edit his post to add it in AND edit someone else's post to alter the quote in their reply too:

When challenged about how people had managed to find his forum on these dates, Dougan explained that there was a backup URL people could use, citing the URL "http://cb60472.tmweb.ru".

However, that site seems to be unavailable now (at least, it is for me) but it was up shortly before this article was published, before he'd made that claim.

Also, in contradiction with Dougan's claims, there is actually a snapshot from March 22 2016 that clearly shows it wasn't acting as a backup URL for the forum at that time.

Going further, it appears as though, while forum and thread IDs have all remained the same, there's been some alteration of post ID numbers since the site moved from the .ru domain to .org domain.

What used to be post #78985 (the "we're back" one I referenced previously) when the site was in its .com and .ru incarnations is now #37007 (decreased by 41978) and post #78581 is now #36610 (decreased by 41971).

So, initially, it appears that a gap of 7 posts has been created somewhere. Exactly how many posts have been inserted, though, is unclear as the gap between posts before and after the period around April 19 2016, differs from thread to thread.

I should point out, too, that the latest deception was actually getting planned in or before April 2018 on the pbsotalk.ru domain. Google cache (taken on April 15 2018) of a page on pbsotalk.ru shows one particular post as being made on August 29th 2016:

However, the current version has had "DCLeaks" inserted to the quoted part (to match with the 19 April 2016 fabrication cited) and the date of the post has been altered to April 24 2016:

You will also find that the first post on the archived pbsotalk.ru page has the ID #83428 and was apparently posted on Wed Aug 24, 2016.

However, there are examples showing that posts made considerably later than this date had lower IDs (scroll to the bottom and you'll see posts made in May were still in the 79xxx's) - this is why the IDs had to be altered for the pbsotalk.org version of the site - it would have otherwise been very obvious which posts had been injected.
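The checks described above (a post dated before the domain it links to was registered, post ID offsets that drift between site versions, and high-ID posts showing early dates) can be run mechanically over archived snapshots. The Python below is an added illustration, not tooling used for this article; the function names, the sample URL path and every row marked as constructed are assumptions.

```python
import re
from datetime import date

URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def links_before_registration(post_date, body, registered):
    """registered maps domain -> registration date (from WhoIs history).
    Returns [(domain, days_early)] for every link in the post body that
    points at a domain not yet registered on the post's displayed date."""
    hits = []
    for host in URL_HOST.findall(body):
        host = host.lower().split(":")[0]          # drop any port
        for domain, reg in registered.items():
            same_site = host == domain or host.endswith("." + domain)
            if same_site and post_date < reg:
                hits.append((domain, (reg - post_date).days))
    return hits

def offset_drift(id_pairs):
    """id_pairs holds (old_id, new_id) for the same post on two versions of
    the site. A uniform renumbering keeps old_id - new_id constant, so any
    change between anchors means the posts in between were not mapped 1:1.
    Returns [(old_id, offset, change_since_previous_anchor)]."""
    rows, prev = [], None
    for old_id, new_id in sorted(id_pairs):
        offset = old_id - new_id
        rows.append((old_id, offset, 0 if prev is None else offset - prev))
        prev = offset
    return rows

def backdated_posts(posts):
    """posts holds (post_id, displayed_date). Auto-increment IDs follow
    creation order, so a post displaying an earlier date than a lower-ID
    post is out of sequence. Returns the IDs of such posts."""
    flagged, newest = [], None
    for post_id, shown in sorted(posts):
        if newest is not None and shown < newest:
            flagged.append(post_id)
        else:
            newest = shown
    return flagged

# Dates from the article; the URL path in the body is constructed.
REGISTERED = {"pbsotalk.ru": date(2016, 4, 24)}
POST_DATE = date(2016, 4, 19)
POST_BODY = "New address: http://pbsotalk.ru/viewtopic.php?t=1 (constructed)"

# Post IDs quoted in the article: (ID on .com/.ru, ID on .org).
ANCHORS = [(78985, 37007), (78581, 36610)]

# Only 83428 / 2016-08-24 is from the article; the other rows are
# constructed to model lower-ID posts carrying later dates.
POSTS = [(79102, date(2017, 5, 3)), (79240, date(2017, 5, 19)),
         (83428, date(2016, 8, 24))]

if __name__ == "__main__":
    print(links_before_registration(POST_DATE, POST_BODY, REGISTERED))
    print(offset_drift(ANCHORS))
    print(backdated_posts(POSTS))
```

The more anchor pairs recovered from archived snapshots, the more narrowly the drift can be located between two known posts.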

So, it appears that Dougan is lying about this AND fabricated evidence to support his lies AND when caught out lying has told more lies to try to cover up the other lies. Of course, all of this is preceded by an old lie, now exposed by a more recent lie.

Dougan's history regarding PBSO may be legitimate but it appears his legitimacy was compromised at some point in 2016.

 

Conclusion

I don't know why Dougan has chosen to lie about this or know for sure whose interests he is serving and the fact he's trying to sell a book right now does suggest a profit motive, however, the DataBreaches encounter suggests a more long-term strategy has been in play. The book actually gives Dougan a legitimate excuse for lying if caught out but is that the real reason for lying?

Among reasons to suspect the book isn't the primary motive are:

In isolation, his latest lie would appear to benefit him over others due to his intention to sell a book. However, it also supports the premise that DCLeaks was, in some form, run by someone in Russia - a premise that has long been suggested by the USIC but for which only circumstantial evidence exists.

Taking into account the incident from two years ago (long before any intention to sell a book was apparent) it's fair to suspect that something else could be motivating this.

If he's lying about Seth Rich too (and it does seem probable) it could also be explained by similar motives. It could be his book but it could also be to bolster rumors that were propagated in 2017 suggesting Rich had been associating with Russians and that this might have been related to his murder.

Finally, there's Dougan's claim to have passed materials to WikiLeaks. If true, this would mean that someone in Russia gave DNC emails to WikiLeaks, which is, of course, another narrative that some in the USIC are very eager to see bolstered and publicly accepted.

Ultimately, each of Dougan's new claims is interlinked with what we now know to be a lie. To treat his claims relating to "RussiaGate" with anything less than extreme skepticism would be very foolish.

Thank you to the indie media allies and Twitter research groups with which I had shared this information during the past couple of weeks for keeping revelations discreet and giving us all a chance to gather more evidence to work with. Also h/t and thanks to GHOSTCRAB for bringing the DCLeaks references to my attention in the first place and for helping dig for answers, questioning Dougan about the anomalies and keeping me updated on the various responses received.

All videos referenced have been backed up. All archive.is links have been downloaded as ZIP files. If any links do become unavailable please let me know and I'll use the backups and/or host the videos... but only as a last resort.

Thanks also to Internet Archive, archive.is, DsNet Corp whose archival services and stream-ripping tools have been invaluable research and evidence capture tools in this instance and seeing as though a key piece of evidence came from them, it's only fair I say thank you to Google for their web page cache too - without that I wouldn't have been able to show the out-of-sync interim post IDs on the pbsotalk.ru domain where the insertion of manufactured posts originally occurred!