By Propagating Campbell's Conspiracy Theories Defense One Becomes Debunked One

By Adam Carter - September 9th, 2018

On August 2, 2018, Defense One published an article by journalist Patrick Tucker, titled "How Russian Hackers Amplified the Seth Rich Conspiracy Until it Reached Donald Trump and the CIA".

The article presents a set of conspiracy theories that formed part of a stunningly desperate hit-piece by journalist Duncan Campbell that targeted this author, Forensicator and Disobedient Media (as well as throwing various unrelated third party researchers under the bus).

Campbell's efforts have been exposed in several articles [here and here, with a final part to the series to be published very soon] and his conspiracy theories have been technically debunked by Forensicator.


The headline and lede reference an argument of Campbell's for a premise in which Guccifer 2.0 chose to set files to have a date of July 5, 2016 in order to push a conspiracy theory related to Seth Rich.

While this is theorized by Campbell, it's entirely supposition on his part. The only adjustment to timestamps demonstrated is inherent in the way in which RAR (v4) and 7-zip store timestamps in different ways - there is no evidence of the dates being arbitrarily or intentionally manipulated in relation to what is observed in the NGP-VAN archive.

The NGP-VAN archive also didn't have anything to do with what WikiLeaks had released and those of us that were reporting on the NGP-VAN archive release last year cautioned in articles (as far back as July 2017) and in subsequent interviews that these discoveries had no demonstrable link to Seth Rich, facts that are inconvenient to Campbell's conspiracy theories (which is likely why he ignores and omits these from his report).

Whoever Guccifer 2.0 was, they did manipulate some metadata manually (eg. their first batch of documents, as was reported in February 2017) but that's not something we actually see indicated within the NGP-VAN archive.

We also have no public information demonstrating that the NGP-VAN archive was ever provided to WikiLeaks, so this seems to be another questionable and unqualified assumption presented as though it's factual.

If Guccifer 2.0 was trying to "throw dust over the trail", he couldn't have done a worse job. Deliberately planting Russian language meta data and stylesheet entries, providing press with versions of documents with Russian error messages present and providing this to press using a commercial Russian VPN service along with an email service that forwards the IP address of the sender goes far beyond mere sloppiness. There was a broad and consistent effort to leave a lot of Russian breadcrumbs which required conscious decisions by Guccifer 2.0.

Why would the Russia's military intelligence service (GRU) do this? Why would the GRU put so much effort into leaving a Russian trail?

We also know that the construction of his first batch of documents involved Podesta's attachments which were hosted by Google rather than retained at the DNC, so, the evidence used does not really appear to have been the result of a breach of the DNC's network, as Guccifer 2.0 claimed from the outset when apparently trying to release content correlating with claims made by CrowdStrike executives on June 14, 2016 (for which they admitted they had no hard evidence).

[This author did reach out to CrowdStrike last year seeking confirmation that there was evidence demonstrating that the Trump opposition research had been targeted, a request that, along with several others, never received any reply.]

We don't know who Rich's murderer was so we don't actually know that he was "a victim in the wrong place at the wrong time". This may be the 'official' story that's been presented to us as the 'mainstream' accepted view, however, it is just a theory and there is evidence to at least suggest there is more to the story than is widely known, but Patrick Tucker clearly accepts the presupposition that these theories are facts.

The GRU also didn't need a way to point to Seth Rich. Even if we suppose that Guccifer 2.0 is a GRU hacker for the sake of understanding this assertion, the persona had already claimed to have hacked the DNC, so when Guccifer 2.0 tried to claim Seth Rich was their source a month or so later, it directly contradicted what they had already claimed.

(A story about this blatant contradiction on the provenance of materials released and more was covered in detail in an article titled "The Hack/Leak Contradiction" published by this author in April 2017. It explains a more practical reason why Guccifer 2.0 may have wanted to associate himself to Seth Rich at that exact time, however, it does cover reasoning that diverges from the assumptions and unproven allegations that Guccifer 2.0 was a GRU operative).

The way the files were processed simply gave two sets of files that had timestamps that were hours apart (due to how the two archive formats stored timestamps) which, in turn, allowed a probable timezone of the final archiving operation to be determined.

[An example of exactly how this works (as a collection of screenshots from browsing the archives under different timezone settings) is available here.]

This process did not inherently result in dates being altered and there is no evidence that the dates of these files were set or adjusted arbitrarily. There is simply no evidence to support that assumption and the way the files were processed in relation to the archives is absolutely not the reason for the dates being what they are.

What the differing archive formats actually showed is that it was most probable that the 7-zip archiving operation was carried out in the Eastern time zone.

Campbell's spin and unsubstantiated assertions seem to have caused considerable confusion to some journalists and distract and divert from what the evidence has really indicated.

The reality is that this author does far more to debunk conspiracy theories, including those citing Seth Rich, than anything else and not just the 'mainstream' ones concerning Guccifer 2.0.

It's just as valid for me to refer to Patrick Tucker and Duncan Campbell as "conspiracy theorists". In fact, it would probably be a more accurate use of the term as they clearly don't do much to test assertions and assumptions before propagating them, leading to the sort of mess that their recent articles have been shown to be.

Unfortunately for Defense One, it is now added to the list of sources that it's become necessary for me to debunk.

The "mysterious anonymous source" referenced was actually an individual operating under the pseudonym "Forensicator", a third-party who is quite separate from myself and Disobedient Media who simply analyzed the NGP-VAN archive and found some interesting anomalies. It was Forensicator who investigated and reported on these discoveries; not me unlocking the data (or to be more technically accurate, creating derivative datasets from which transfer rates, etc could be calculated) - that was all done by Forensicator himself.

July 5th, 2016 was never a pivotal date to me. The fact that the files were moved around on a USB device and then later apparently archived in the Eastern time zone have long been the key points that I've raised. I have actually warned repeatedly against associating the NGP-VAN archive release to Seth Rich.

Patrick Tucker seems to have everything back to front, upside down and inside out compared to what is actually in the public domain and seems to have adopted many misconceptions and propagated many distortions in his article.

In fact, it seems as though the article written for Defense One has simply passed through Campbell's claims wholesale, without carrying out any due dilligence at all, resulting in a hollow replication of Campbell's article, advancing the latter's baseless claims without question.

How much wrong can you fit in one paragraph?

There is no group called Forensicator, it's an individual who contacted me and has been in contact with both myself and Elizabeth Lea Vos, editor of Disobedient Media, since Summer 2017.

The analysis carried out absolutely did NOT purport to prove anything about WikiLeaks documents at all. The reason for this is that we never made the mistake of conflating Guccifer 2.0’s output with WikiLeaks’ output, given that the only proof that Guccifer 2.0 was WikiLeaks’ source is Guccifer 2.0’s own very noisy and repeated insistence on it – a very strange thing for someone leaking to a platform designed for anonymous whistleblowers to do.

There's nothing that has been demonstrated to have been faulty in the analysis.

You can stick inverted commas around words such as "evidence" and "analysis" but if you're not quoting someone, you're likely only doing it to taint your audience's perception of what is actually far better evidence and analysis than Tucker or Campbell could produce themselves.

It is disturbing to see those whose work on this topic doesn't come anywhere near the quality (and technical validity) of Forensicator's try to tear apart it's credibility by misleading their audience about it.

Files with timestamps on a certain date can easily be preserved by simply putting them in a single archive. There's absolutely no need to use multiple archives of different types to do this.

What was actually preserved was an indicator of the timezone and it was so obscure that until Forensicator stumbled on it and figured it out, none of those who had been investigating Guccifer 2.0 in the 11 months preceding this had managed to spot it.

How exactly the GRU were trying to make this known is something Campbell has not explained unless he is now trying to allege that Forensicator is a GRU agent!?

This author wonders if those anonymous sources will retain their speculative opinions after having read the Forensicator's recently released technical rebuttal of Campbell's conspiracy theory?

The remainder of Tucker's article presents allegations made in Mueller's indictment as accepted facts and concludes:

Neither Forensicator's work nor my work has really served the purpose of reinforcing any Seth Rich related conspiracy theories.

Elizabeth Lea Vos and I have repeatedly cautioned against conflating the NGP-VAN analysis or Guccifer 2.0 with Seth Rich.

The July 5 date has not been mentioned by any of us as proof of anything related to Seth Rich.

There was no anonymous tipster. What Campbell referred to as a "tip-off file" was really just an early draft of Forensicator's work that was only being hosted on this (g-2.space) site because peer review was being sought at that time and any stylometric or syntactical analysis of Forensicator's work will show that this draft is consistent with the rest of his material.

Subsequently, there was, of course, no metaphorical "map" and this is just a construct formed by Duncan Campbell's overactive imagination and something that Forensicator has debunked now anyway.


To be fair to Patrick Tucker and Defense One, they probably expected editorial oversight at Computer Weekly to have picked up the inaccuracies and lack of technical validity in Campbell's theories and claims. However, they too should have checked what Campbell was telling them (there's enough countervailing evidence in the public domain for them to have been able to do this) and they really should have done more to ensure what they were telling their readers was actually true.

As it stands, Defense One has now propagated debunked conspiracy theories and false claims that were part of a third-party's smear campaign to their own readers.

[Retraction or corrections would be appreciated and would, of course, be the decent thing for them to do under the circumstances. I can be contacted via the email address and Twitter account linked from this page to answer any queries in relation to this.]