(1) Introduction

We have been told by the US Department of Justice that Guccifer 2.0 was a GRU officer.


When it comes to Guccifer 2.0, there is currently more hard evidence in the public domain that justifies questioning the GRU attribution than there is hard evidence to support it. Much of that evidence also points to another possibility for Guccifer 2.0's origins.

This site was created to archive evidence relating to Guccifer 2.0 and to document discoveries made regarding the persona and its activities. Since this project started in 2017, many things have been discovered, and most of these discoveries are inconsistent with what we are expected to believe.

(2) Guccifer2.0 Timeline - What Happened & When Did It Happen?

(3) Guccifer2.0's Claims Discredited

CLAIM: Hacked the DNC's servers - STATUS: Discredited

We've already addressed Guccifer 2.0's fabrication of evidence to support his claim of hacking the DNC (see section 6), but there's more about the hacking claim that doesn't add up.

Guccifer 2.0 stated in an interview with Lorenzo Franceschi-Bicchierai (for Motherboard / Vice News) on the 21st of June 2016 that he breached the server using a "0-day exploit of NGP-Van".

ThreatConnect, although apparently unswayed from their assessment that Guccifer 2.0 is a collective of Russians, did report some very useful facts that serve to debunk Guccifer 2.0's claims:

a) NGP VAN is a cloud-hosted web service separate from the DNC network, so the claimed method of breach was discredited by ThreatConnect: a 0-day in that service would not, by itself, put an attacker inside the DNC's own network, and it was noted that phishing for credentials would be a far more practical way of getting into such a service anyway.

b) He makes claims of lateral movement within the DNC network, but his effort to match CrowdStrike's reporting falls down because of his own misreading of it. CrowdStrike's report mentions lateral movement in terms of the "BEAR" infrastructure across the Internet as a whole rather than movement within the DNC network. It looks like Guccifer 2.0 was trying to make claims that correlated with what he had inferred from CrowdStrike's reportage.

c) To quote ThreatConnect at the time (and not much has been reported to contradict it since): "As it stands now, none of the Guccifer 2.0 breach details can be independently verified".

d) Guccifer 2.0's initial proof of hacking the DNC was fabricated from a set of Podesta attachments (see section 6).

CLAIM: Wikileaks Source for DNC Mails - STATUS: Unverified

Circumstantial evidence does exist for this, of course.

Guccifer 2.0 put considerable effort into trying to convince people he was the source of the DNC emails that WikiLeaks published on July 22nd, 2016. He was clearly trying to associate himself with WikiLeaks from the moment he appeared.

The best evidence of him being a source for the DNC emails is the fact that Guccifer 2.0 asked WikiLeaks to confirm receipt of DNC emails on July 6, 2016 and WikiLeaks later confirmed receipt of an archive on July 18, 2016.

However, the size of the archive has been described as "about 1gb" and "1gb or so", while the full DNC email tranche, compressed, comes in at somewhere between 1.8 and 2GB (depending on the compression used).

So, even if we assume this was an archive of DNC emails, where did the rest come from, and can we be sure that all of the emails WikiLeaks published weren't from a different source providing a larger collection of emails?

(Note: Guccifer 2.0 was offering Democratic staff emails to Emma Best after the DNC emails were published. For these to still have had value at that point in time, they would need to have been different emails from those already released. Can we be sure that what WikiLeaks published was what Guccifer 2.0 had sent?)

WikiLeaks has maintained that they did not publish the material shared by Guccifer 2.0 and we still don't know exactly whose emails the archive contained (assuming the archive did contain emails).

CLAIM: Hacked Clinton Foundation - STATUS: Discredited

On October 4th, 2016, Guccifer 2.0 claimed to have hacked the Clinton Foundation. He followed this up by posting an archive containing files that came from previous leaks and from other organizations.

Ultimately, Guccifer 2.0 never produced anything that actually showed such a hack had taken place, and these claims were dismissed by mainstream sources too.

(4) Contrived Breadcrumbs & Signal Mimicry?

The early evidence of Guccifer 2.0 being Russian was interesting, especially considering we're told this was an operation intent on deflecting from Russian culpability.

Guccifer 2.0 chose to...

Guccifer 2.0 covered itself and its files in the digital equivalent of "Made In Russia" labels, through deliberate processes and through decisions about which infrastructure to hide behind. Most of these were blatant and quickly found. Guccifer 2.0 was being called out as Russian within a day of appearing (almost a week before the persona claimed to be Romanian).

Detailed analysis of Guccifer 2.0's Russian breadcrumbs can be found here and here.

(5) Actions, Consequences & Convenience For Anti-Leak Narratives

The documents Guccifer 2.0 posted online were mostly of little value. We saw many stale files (some going back to 2008 or earlier), and some documents covered things already known and reported on in the public domain long before (e.g. the TARP funds controversy, which had already been covered in 2009).

The DCCC documents didn't reveal anything particularly damaging. They did include a list of fundraisers/bundlers, but that wasn't likely to harm the reputation of Clinton or her campaign (fundraising totals and the like are likely to end up on sites such as OpenSecrets within a year anyway). The leaked financial data and personal details of donors weren't damaging to the Clinton campaign, but will have caused headaches for the Democratic party.

The apparent leaking of personal contact numbers and email addresses of 200 Democrats, while controversial, caused no more than inconvenience, as it didn't hurt the reputation of the Democratic party.

Almost everything Guccifer 2.0 released failed to expose anything significantly damaging to the reputations of the campaign many assume he was working against. The persona's apparent access to Podesta and DNC emails (where more damaging revelations did emerge) suggests that the persona could have released far more damaging material than it chose to, had it wanted to.

Guccifer 2.0 did a great job of giving the press reasons to condemn leaking and leaks before WikiLeaks had even published the first DNC email.

(6) Guccifer 2.0's Initial Proof Of Hacking The DNC Wasn't From The DNC

Multiple documents were shared with The Smoking Gun, Gawker, Ars Technica and others. Guccifer 2.0 presented these to claim credit for hacking the DNC; however, they didn't come from the DNC.

Metadata from the first document Guccifer 2.0 released ("1.doc") showed:

Created by Warren Flood on the 15th of June 2016 at 13:38
Modified by Феликс Эдмундович on the 15th of June 2016 at 14:08

The other document, "2.doc" (mirror), was not mentioned as much, but it too had interesting metadata, again with the name of Warren Flood:

Created by Warren Flood on the 15th of June 2016 at 13:38
Modified by Феликс Эдмундович on the 15th of June 2016 at 14:11


UPDATE (18 Feb 2017)

It was pointed out to me that I'd only focused on 2 documents and that there were more released by Guccifer 2.0. He had actually released a set of 5 documents in RTF (rtf1) format, all with creation and modification dates of the 15th of June, and another one of them had Flood listed as its creator:

File   Created By     Time    Modified By         Time
1.doc  Warren Flood   1:38pm  Феликс Эдмундович   2:08pm
2.doc  Warren Flood   1:38pm  Феликс Эдмундович   2:11pm
3.doc  Warren Flood   1:38pm  Феликс Эдмундович   2:12pm
4.doc  Blake          1:48pm  user                1:48pm
5.doc  jbs836         2:13pm  Феликс Эдмундович   2:13pm

MD5 sums and mirror links are provided below so that any mirrored copy can be checked against the originals in case the originals are altered or removed in future:

File   Size     MD5                               Mirror
1.doc  6.8mb    a0977ccf006a9e9b5d2c396986cc8da7  link
2.doc  194.6kb  4409de44ef522b583e38a5ed79bf09f0  link
3.doc  211.0kb  e44f494ed23907c5298b645063a5dbc3  link
4.doc  1.3mb    f79972d72f5304bf1dc4cd2ae6c3a2d4  link
5.doc  67.9kb   e2c432bb1e0ef06226594699876292dc  link

A more detailed look at the actual contents of the documents (e.g. the RSIDs of different changes and the correlations of those RSIDs across files) gives further clues about the procedures used to stick "Russian fingerprints" on some of the files.

Who is Warren Flood? (UPDATED June 3rd, 2018)

Warren Flood was Biden's former IT director at the White House. He does not appear to have done anything wrong; his name got mixed up in all of this because of the way Guccifer 2.0 constructed his documents.

A document that Flood authored in 2008, and that was attached to one of John Podesta's emails, was used by Guccifer 2.0 as a template into which he then pasted the contents of the Trump opposition research, copied from this file (which is also attached to a leaked Podesta email). It is Flood's original document that the "CONFIDENTIAL" watermark text in the background of Guccifer 2.0's first document derives from.

The copy of the Trump research that Guccifer 2.0 had was actually a document originally authored by Lauren Dillon (DNC research director) and modified (and sent to John Podesta) by Tony Carrk (research director at Hillary for America).

Detailed analysis covering this (and a lot more) can be found here; an overview of what Guccifer 2.0 did to produce his first documents is here, and the original discovery relating to matching RSIDs across several documents is here.

Guccifer 2.0's initial proof of hacking the DNC was a fabrication (apparently merging two Podesta email attachments), and the persona lied about the source of its material.

