Guccifer 2.0: A Two Tier Masquerade & The Forbidden Facts

By Adam Carter - September 24th, 2018

There are two claims about Guccifer 2.0 that this article will tackle:

Special counsel Robert Mueller's recent indictment (which I tackled shortly after it came out) pushing these claims and the mainstream press articles replicating it all suffer from 3 key setbacks:

  1. They are based on claims that are unproven.
  2. They are contradicted by evidence in the public domain.
  3. They rely on routinely omitting any mention of evidence discovered and the things that have been revealed by independent researchers on this topic during the past 21 months.

They have to do the last of the above items because, in reality, the evidence in the public doman, in aggregate, implies that Guccifer 2.0 was a two-tier masquerade and this goes against the narrative they are pushing.


The Two-Tier Masquerade

First we'll deal with the "Guccifer 2.0 was an effort to distract from Russian culpability" myth.

The reality is that Guccifer 2.0 actually put a lot more effort into appearing to be Russian than he did into appearing to be Romanian (or any other nationality).

To truly understand the masquerade, you need to be familiar with what was published in the Washington Post on June 14, 2016 as this is what set the stage for Guccifer 2.0's entrance.

CrowdStrike, whose claims were featured in the article, had clearly only just spoken with the author and there were three primary claims that were being communicated:

  1. There were hackers on the DNC network right up to the time Assange had announced upcoming leaks relating to Hillary Clinton (something that happened on June 12, 2016).
  2. Trump opposition research had been targeted a month before. (This was mentioned 4-5 times in the article including in the headline.)
  3. Russians were probably responsible (though one of CrowdStrike's executives conceded that they had no hard evidence).

The headline was literally: "Russian Government Hackers Penetrated DNC, stole opposition research on Trump".

Guccifer 2.0 then emerged the following day and lured press in with bizarrely modified copies of the Trump opposition research.

Guccifer 2.0 chose to use a commercial Russian VPN provider to cloak his IP address.

[The premise that the GRU would use a commercial Russian VPN service as the final node in their efforts to cloak their identity is a highly doubtful one and I really can't believe more people in the cyber-security industry and intelligence community aren't questioning this claim as it seems utterly ridiculous to me, I can only hope those with SIGINT experience and credentials will speak up on this topic some day in the future.]

He also used an email provider that would forward that IP address to recipients within email headers.

Not only did he lure press in with the Trump opposition research, he did so with a copy that had been constructed through a deliberate process which resulted in the document having Russian metadata along with several other documents that accompanied it.

In some copies provided to press, there were even Russian error messages literally embedded into them through processes that were also clearly not accidental.

Every document released on the first day was needlessly modified.

Not content with tainting the files handed to the press, Guccifer 2.0 went even further and dropped a Russian smiley in his first blog post even though this was not something he habitually used.

And versus this layer of Russian-themed evidence, all arising from decisions and considerable effort made by Guccifer 2.0 - his initial Romanian masquerade was little more than claiming to be a Romanian, something he didn't even do until June 21, 2016, by which time people had already suspected him of being a Russian and found evidence that seemed to confirm this.

The only evidence that was found regarding Guccifer 2.0 on the day he appeared that came close to suggesting he was Romanian was in timestamps of datastore objects embedded in the RTF files which, oddly, suggested he was operating in both UCT+3 and UCT+4 timezones.

Under the circumstances (following the Washington Post story and what it's headline stated), even just the act of waving around the Trump opposition research (which was already attributed to targeting by Russian hackers due to CrowdStrike's claims) was, of course, enough to trigger a frenzied hunt for clues of Russian origin by journalists and researchers alike.

It was incredibly effective.

Those hoping to find clues of Russian origin had their efforts promptly rewarded in a number of different ways (some of which we now know were based on evidence constructed through deliberate choices Guccifer 2.0 had made). Everyone was making discoveries that matched with what they had suspected and hoped to find.

Ultimately, though, Guccifer 2.0 had fabricated evidence to corroborate intertwined claims made by CrowdStrike, created indicators of Russian origin through a series of conscious decisions and appeared shortly after CrowdStrike's claims were published, taking credit for hacking the DNC and attributing himself to WikiLeaks whilst essentially being covered in "Made in Russia" signs constructed through his own choices.


The Forbidden Facts

A reasonable question to ask, in light of the above, is:

"Was there any evidence that suggested a third possibility?"

The answer to this is yes, quite a few things:

  1. Social media activity aligned with US work hours.
  2. Blogging activity aligned with US work hours.
  3. E-mail headers suggested he had operated in a US time zone.
  4. Probable time zones identified in analysis of archives released (and obscured due to being detected through how different archive formats use different timestamp storage conventions) suggest final archiving operations were carried out in US time zones.
  5. After inserting Russian timestamps into one of his documents, a subsequent change was made suggesting US origin (and at the least, was a different timezone to the Russian time zone indicator).
  6. A Slavic language professor at Boston University (the only language expert willing to identify themselves) stated that Guccifer 2.0 did not appear to communicate in a way that was typical for Russians. This was something I've attempted to demonstrate through an analysis of Guccifer 2.0's communications, statements, etc. It suggests that Guccifer 2.0 was a competent English language communicator that was attempting to pretend otherwise.

Going beyond the nationality/origin attribution dilemma there are other contradictions and anomalies that the mainstream press seem to disregard too.

Guccifer 2.0's initial documents also don't appear to have come from hacking the DNC. They appear to have been attachments from Podesta's emails, this is what analysis has shown and what a DNC official has even conceded.

Despite apparently having access to Podesta's attachments (and we now know his emails did contain information harmful to his and Clinton's reputations since WikiLeaks published them), Guccifer 2.0 chose to only release content that was of no harm to Podesta and the Clinton campaign and never made prior mention of any of the significant controversies that were later revealed in either the DNC emails or Podesta emails.

Overall, Guccifer 2.0:

There is a troubling possibility, backed by a surprising amount of evidence, that there may have been a US-based effort to frame Russians for hacking the DNC.

Mueller's investigation and the mainstream press seem unwilling to give the evidence and independent discoveries any consideration and, in fact, seem to relentlessly omit what has been discovered when they write about the RussiaGate investigation.

You can accept what is alleged in Mueller's indictment but in doing so, you have to disregard or be unaware of the evidence now available in the public domain.

For those interested in the evidence, please check out this site's homepage for links to further information on the topic of Guccifer 2.0.