Guccifer 2 Game Over Logo

Guccifer 2.0: Game Over
340c 249a 8faa efc6 4bcb
5c2e 6fcd e104 d0b0 1fe2

Last Updated: May 22, 2020

Follow @with_integrity

Tip-Jar / Donations

Latest Report: Guccifer 2.0: Evidence Versus GRU Attribution


1. Introduction
2. Timeline - What Happened & When Did It Happen
3. Guccifer 2.0's Claims Discredited
4. 3rd Party Assessments - Assumptions & Conjecture vs Evidence & Facts
5. Actions, Consequences & Convenience For Anti-Leak Narratives
6. Rushing To Be Russian - The Donkey In A Bear Costume Made A Mistake
7. Language & Text Analysis
8. Recognizing Intent From Deceptions
9. With Motive & Means - Those More Likely Linked to G2 than Russians


Additional Articles
3rd Party Articles

(1) Introduction

We have been told by the US Department of Justice that Guccifer 2.0 was a GRU officer.

No conclusive evidence has been presented to support this attribution.

In contrast, evidence has emerged over the past three years that reveals:

The available evidence points to an operation, most likely US-based, that sought to be perceived as Russian and fabricated evidence to claim credit for a hack that had already been attributed to Russians.

This site was created to document discoveries relating to Guccifer 2.0 and is maintainted because the "GRUccifer" attribution is inconsistent with the available evidence.

(2) Guccifer2.0 Timeline - What Happened & When Did It Happen?

(3) Guccifer2.0's Claims Discredited

CLAIM: Hacked the DNC's servers - STATUS: Discredited

Guccifer2.0 stated in an interview with Lorenzo Franceschi-Bicchierai (for Motherboard / Vice News) on the 21st of June, that he breached the server using a "0-day exploit of NGP-Van".

ThreatConnect, although still apparently unswayed from their assessment that Guccifer2.0 is a collective of Russians (we'll get on to that topic later in the article) - did report some very useful facts that serve to debunk Guccifer2.0's claims.

a) NGP-Van is a cloud-hosted web-service separate from the DNC network, the claimed method of breach was discredted by ThreatConnect. - It was noted that phishing for credentials would be far more practical for exploiting such a service.

b) He makes claims of lateral movement within the DNC network - but doesn't realize that his effort to match the reporting of Crowdstrike falls down due to his own misinterpretation of that. - CrowdStrike's report mentions lateral movement in terms of the "BEAR" infrastructure across the whole of the Internet rather than movement within the DNC network - it looks like Guccifer2.0 s trying to make claims that correlate with what he has inferred from CrowdStrike's reportage.

c) To quote ThreatConnect at the time (and nothing has been reported to contradict it since): "As it stands now, none of the Guccifer 2.0 breach details can be independently verified".

d) Guccifer 2.0's initial proof of hacking the DNC was fabricated from a set of Podesta attachments.

CLAIM: Wikileaks Source for DNC Mails - STATUS: Not Verified

Guccifer2.0 put considerable effort into trying to convince people he was the source for the DNC email leaks that ended up in the public domain on July 22nd.

The best evidence of this being true seems to be the fact that WikiLeaks confirmed receipt of an archive on July 18, 2016 that Guccifer 2.0 shared with them.

However, the size of the archive has been described as "1gb or so", while the full DNC email tranche, compressed, comes in between 1.84GB and just over 2GB (depending on compression method used) and we don't know what the archive contained.

WikiLeaks has maintained that they did not publish the material shared by Guccifer 2.0.

CLAIM: Hacked Clinton Foundation - STATUS: Discredited

On October 4th, 2016 - Guccifer2.0 claimed to have hacked the Clinton Foundation. He followed this up by posting an archive containing files that were all from previous leaks and from documents in the public domain.

Ultimately, he has never produced anything that actually shows such a hack had taken place.

(4) 3rd Party Assessments - Assumptions & Conjecture vs Evidence & Facts

There is a difference between independently verifiable evidence and the activity somebody claims to have engaged in or that can be fabricated in an effort to misdirect and masquerade as someone they're not. - None of Guccifer2.0's claims of hacking were independently verifiable and several were debunked by ThreatConnect. - There is nothing demonstrating Guccifer2.0 was really a hacker.

The "evidence" that he's Russian, should be understood in the following context:

Note: Thanks to a 3rd party's further investigation, it now appears he may have used a single document as a Russian template (with Russian stylesheet data in), saved it as a set of blank 'pre-tainted' files and then opened them later under a different username - copying/pasting in content from original documents into each blank 'pre-tainted' document before saving again - as the specific process for creating documents (Stylesheet change RSIDs correlating across files certainly suggest it and the metadata fully corroborates it too).

Guccifer2.0 covered himself and the files in the digital equivalent of "Made In Russia" labels while claiming to be a Romanian. (Giving cyber-security firms, journalists and others a flimsy veil they could easily pull off and find Russian "fingerprints" behind - not realizing that what they were revealing was a layer of misdirection that would actually prevent them from considering a 3rd possibility!)

What independent, verifiable evidence is there? (Updated Jan 12th 2019)

Nothing showing he actually hacked into the DNC beyond the fact he had acquired some DNC/DCCC documents. (In fact, there was a fair bit to contradict his claims there thanks to ThreatConnect discrediting his breach claims, showing he was unduly trying to be attributed to the malware discoveries!)

With regards to providing WikiLeaks with anything, it appears (according to Mueller's indictment) that this didn't occur until July (long after WikiLeaks had announced possession of leaks) and it's not even clear what files Guccifer 2.0 had sent them (or whether they actually published anything he had sent).

Guccifer2.0 was someone who chose to use a Russian VPN (after choosing to taint documents with Russian language) and was noted to have been in possession of a password for a password-protected area of the DCLeaks site (which, plausibly, he could have been given after promising to upload some of his leaks - DCLeaks were willing to give the same password out to the press in exchange for the promise of writing a story about them!)

Pretty much everything stated about him has been based on assumptions, acceptance of questionable admissions and the public have been given little more than conjecture based on factors he seems to have been controlling and choosing.

Sam Biddle of The Intercept (one of the first people to write about Guccifer2.0 when he emerged) details the problem, in a broader sense, of blaming Russia generally for the hacks in an article released on December 14th 2016, titled: "Here’s the Public Evidence Russia Hacked the DNC — It’s Not Enough". - It covers the fact that the evidence on Guccifer2.0 looks dodgy but doesn't try to determine the intent behind his efforts to deceive and claim credit for hacking the DNC (such as this article is attempting to make clear) and instead focuses on the broader scope of allegations about the DNC being hacked.

UPDATE (12 March)

I decided to contact Elite-VPN in relation to the claims made by ThreatConnect and received a response on March 7th. The responses and the annotated image they sent are as follows:

I wrote back asking if it was okay to publish what they had told me. My email to them and their response to it are below:

So... it turns out that if ThreatConnect had tried using the default options - they would have been allocated the "exclusive" IP address that was NEVER really exclusive.

They've caused concern and distress unduly for a VPN Service provider by misrepresenting the service and produced false-positive indicators by suggesting the IP address was used by a shady group of Russians/Guccifer2.0 with exclusivity.

Why didn't someone ask them sooner?

NOTE: While I have uncovered an apparent mistake made by ThreatConnect, I still do respect the research they did and their reporting of facts even when they didn't necessarily support their conclusions was helpful for my investigation - without their transparency and willingness to share their research openly with the public, my research would have been much tougher, so, despite my criticisms I have to say: Thank you to all at TC for the valuable information you shared with us all. :)

(5) Actions, Consequences & Convenience For Anti-Leak Narratives

In total, the amount of new controversies specifically exposed by Guccifer2.0's actions - was very little.

The documents he posted online were a mixture of some from the public domain (eg. already been published by in 2009), were manipulated copies of research documents originally created by Lauren Dillon (see attachments) and others or were legitimate, unique documents that were of little significant damage to the DNC. (Such as the DCCC documents)

The DCCC documents didn't reveal anything particularly damaging. It did include a list of fundraisers/bundlers but that wasn't likely to cause controversy (the fundraising totals, etc. are likely to end up on sites like OpenSecrets, etc within a year anyway). - It did however trigger 4chan to investigate and a correlation was found between the DNC's best performing bundlers and ambassadorships. - This revelation though, is to be credited to 4chan. - The leaked financial data wasn't, in itself, damaging - and some of the key data will be disclosed publicly in future anyway.

All of his 'leaks' have been over-hyped non-controversies or were already in the public domain - the only exception being the apparent leaking of personal contact numbers and email addresses of 200 Democrats - and really that was more damaging to the reputation of Wikileaks than causing any real problems for Democrats. - Ultimately, it only really served to give the mainstream press the opportunity to announce that "leaked emails include personal details of 200 Democrats", again, seemingly an effort to undermine other leaks being released at the same time by legitimate leak publishers.

(6) Rushing To Be Russian - The Donkey In A Bear Costume Made A Mistake

"Russia-Tainted Metadata" Reportage Mostly Ignored A Key Piece of Metadata

There is a key fact about some non-Russian metadata that nobody seems to have reported and it certainly seems to be of critical importance - and that is the document creation timestamps...

There were multiple documents shared with TheSmokingGun, Gawker, ArsTechnica and others.

The first document, "1.doc" (mirror), was given considerable coverage, while the name "Warren Flood" was reported, the date in the report (rather than in the metadata) was reported and so it was attributed to Warren Flood on 12/19/15.

Gawker incorrectly claimed the metadata showed the document was created in 2015 when it actually indicated the document was created by Warren Flood at a much later date.

The truth is that the metadata shows the document being created 30 minutes before Guccifer2.0 appears to have gotten his hands on it:

Created by Warren Flood on 15th of June at 13:38
Modified by Феликс Эдмундович on 15th of June at 14:08

The other document, "2.doc" (mirror) was not mentioned so much, but it too had interesting metadata:

Created by Warren Flood on 15th of June at 13:38
Modified by Феликс Эдмундович on 15th of June at 14:11

How did this get missed? - My guess is that people who investigated were using MS-Word. Recent versions of MS-Word tend to show limited metadata from RTF1 format files, for example, MS-Word 2010 shows:

If you open "2.doc" in OpenOffice though, you will spot what first alerted me to the timestamp correlations in the first place:

If you look at the raw data of "1.doc" you can see an ever closer correlation:

UPDATE (18 Feb 2017)

It was pointed out to me that I'd only focused on 2 documents and that there were more released by Guccifer2.0. - He had actually released a set of 5 RTF1-format documents, all had creation/modification dates as 15th of June and another one of them had Flood listed as it's creator:

File Created By Time Modified By Time
1.doc Warren Flood 1:38pm Феликс Эдмундович 2:08pm
2.doc Warren Flood 1:38pm Феликс Эдмундович 2:11pm
3.doc Warren Flood 1:38pm Феликс Эдмундович 2:12pm
4.doc Blake 1:48pm user 1:48pm
5.doc jbs836 2:13pm Феликс Эдмундович 2:13pm

MD5 sums and mirror links are provided below in case the originals are altered or removed in future:

File Size MD5 Mirror
1.doc 6.8mb a0977ccf006a9e9b5d2c396986cc8da7 link
2.doc 194.6kb 4409de44ef522b583e38a5ed79bf09f0 link
3.doc 211.0kb e44f494ed23907c5298b645063a5dbc3 link
4.doc 1.3mb f79972d72f5304bf1dc4cd2ae6c3a2d4 link
5.doc 67.9kb e2c432bb1e0ef06226594699876292dc link

A more detailed look at the actual contents of documents (eg. RSIDs of different changes and correlations across files) gives further clues about the procedures used to intentionally stick "Russian fingerprints" on some of the files.

Who is Warren Flood? (UPDATED June 3rd, 2018)

Warren Flood was Biden's former IT director at the White House.

A document that Flood authored in 2008 and that was attached to one of John Podesta's emails, was used by Guccifer 2.0 as a template into which he then copied the contents of the Trump Opposition Research, copied from this file (which is also attached to this leaked email).. It is Flood's document that the "CONFIDENTIAL" text in the background derives from.

The copy of the Trump research Guccifer 2.0 had was actually a document originally authored by Lauren Dillon (DNC research director) and modified (and sent to John Podesta) by Tony Carrk (Research Director at Hillary for America).


(7) Corpus

Guccifer 2 Twitter DM Sources:
Robbin Young | Cassandra Fairbanks | Roger Stone
Anon1 | Lee Stranahan | HelloFLA (aka Aaron Nevins)
Flipper4Trump | Charlie Grapski | Lorenzo Franceschi-Bicchierai
John Bambenek | Raphael Satter

(8) Recognizing Intent From Deceptions

When you consider all of these various facts in aggregate and understand that Guccifer 2.0's claims to hack failed to stand up to scrutiny and were not verifiable, realize his actions only ever served to undermine leaks, ultimately caused no harm to the reputation of anyone except himself and WikiLeaks, needlessly and inexplicably gave the mainstream press fodder on which they could write headlines branding leaks as "fake", "discredited", "tainted by Russia", etc., had some non-hacking means of acquiring the DCCC documents and has had his claims of breaching the DNC network discredited by ThreatConnect... it becomes clear that Guccifer 2.0 is more complex than certain figures in the intelligence community would like us to believe.

Anyone critically analysing the nature of Guccifer2.0 can see enough to identify whom he was serving to benefit through his activities online. - His lack of credibility and the inevitability of his Clinton Foundation server hack 'take' being exposed as nonsense makes it clear that Guccifer2.0 was a fraudulent construct intended to counter the leaks and try to take-down the credibility of Wikileaks as collaterol in the self-destruction of it's own reputation.

(9) With Motive & Means - Those More Likely Linked to G2 than Russians

Those with a motive mostly strongly correlating with this at the time would have been those that had potential leaks to worry about.

Obviously with Podesta and other DNC staff being phished, the Clinton Campaign and DNC leadership will have had concerns over leaks and would likely have had a reason to seek mitigation.

As of June 12th, these groups were in a position where Julian Assange had just announced WikiLeaks' upcoming release of Clinton's emails, Clinton was still under FBI investigation, Trump was attacking Clinton for her use of a private server with his supporters frequently chanting "lock her up!" at rallies).

The campaign and the DNC were in a desperate position and really needed a deflection (something that leaks have since shown the DNC had started building a month or two prior to the hacking claims in relation to Russia) and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of 'fingerprints' tainting files and bringing the reputation of leaks into question. - Sure enough, 2-3 days later, Guccifer2.0, the world's weirdest hacker was spawned and started telling lies in an effort to attribute himself to the malware discoveries and to Wikileaks.

Of course, attribution to the HRC camp or DNC leadership is somewhat contradicted by the fact that what we've seen from Guccifer 2.0 suggests an operation carried out by someone with considerable cyber-security and counter-intelligence skills (the misdirection and deception fooled a lot of the cyber-security industry and, apparently, had multiple intelligence agencies convinced) and while their breach claims were discredited, they still had access to the files.

With CrowdStrike deciding to start their NGP-VAN investigation within a week of Podesta's emails being acquired (and 3 months after the actual incident they were apparently investigating) and CrowdStrike making the claims they made in an article released on 14 June 2016 then being supported by Guccifer 2.0 fabricating evidence to support two of their claims the day after publication... AND doing so using Podesta's emails (among other things such as Guccifer 2.0's uncanny recall of Uretsky's breach)... many questions remain about the relationships between these entities, questions that I doubt will ever be answered and questions that I doubt will ever be formally pursued.

UPDATE March 13, 2019:
I've removed the concluding statement about my suspicions as I think my questioning of relationships between entities above is enough. This isn't to say that my position has changed, I just feel that, with all the evidence available, my theory on attribution to specific individuals is unnecessary and gives critics ammunition to call me a conspiracy theorist when the primary purpose of this project is to debunk a conspiracy theory (part of pattern of debunking conspiracy theories on all sides).

As part of a considerable body of evidence, we have 6 unique forms of indication pointing to Guccifer 2.0's activities being in US timezones and can show he was deliberately constructing files to have Russian metadata in them... we really don't need to go further... it's up to those who have legitimate access to intelligence and the United States Intelligence Community itself to pursue this further, that is, assuming any have the will to do so.

If you have any tips, know of anything significant that's missing from the timeline at all or want to chat about anything related to Guccifer 2.0 feel free to contact me by email (link at top of article) - Challenges to conclusions are welcomed and won't be greeted with hostility.

Additional Articles (On This Site)

Isolated RTF/RSID Evidence / Correlating With Metadata

Guccifer 2.0 - The Hack/Leak Contradiction (8 April 2017)

Guccifer 2.0 - DCLeaks - APT 28 (17 April 2017)

CrowdStrike & The DNC's Phantom Intruder (OPINION) (25 April 2017)

WH Meetings on Ukraine Coincide With Fingerprint Fabrications (29 April 2017)

The Guccifer 2.0 Advisory Sent To Every US Senator (17 May 2017)

Further RTF Analysis Supports Russian Fingerprint Fabrication (26 May 2017)

The Constant Storm of Controversy & Chaos (31 May 2017)

Guccifer 2.0's First Five Documents: The Process (31 May 2017)

The Webb of Deceit (7 June 2017)

The Washington Post Article on the DNC Hack - Fact or Fiction? (14 June 2017)

RussiaGate Complexities (8 July 2017)

CrowdStrike, Comey & Conflicting Claims? (17 July 2017)

Guccifer 2.0: Game Over - Six Months In (4 August 2017)

The DNC Responds To The Nation Article (12 August 2017)

The First Attack Dog Steps Forward - New York Magazine (12 August 2017)

Distortions & Missing The Point (16 August 2017)

Dirty Techniques (20 August 2017)

Focus On The Decision-Makers - They Have Been Informed (11 September 2017)

Is Salon's Sheffield Skipping & Spinning? (18th September 2017)

Phase #5 Completed (19th September 2017)

United Nations Notified (22nd September 2017)

Facebook Detected Russian Hackers Setting Up Guccifer 2.0 Account? (25 September 2017)

Data From Twitter And WordPress Is Giving Intelligence Committees The Opportunity To Gain Insights Into The Real "Guccifer 2.0" (2nd October 2017)

Khatchadourian's Collusion Delusion (24th October 2017)

Henry, Sabu & Guccifer 2 (9th November 2017)

RussiaGate Redux - Introduction (November 14th 2017)

(part 2) - BuzzFeed's "He Solved The DNC Hack" Article (November 14th 2017)

(part 3) - Smears & Distortions (November 14th 2017)

Did CrowdStrike Engage In A Clandestine Leak Investigation? (27th November2017)

3rd Party Research & Further Reading

This Fancy Bear's House Is Made of Cards: Russian Fools or Russian Frame-Up
by nyetneynyet aka u/tvor_22

Russia and Wikileaks - The Case of The Gilded Guccifer
by nyetneynyet aka u/tvor_22

Did Russia Really Hack The DNC?
by Gregory Elich

Is Guccifer 2 One Person or Multitude of People
by Steve Cunningham

Cyber-analyst: No evidence to connect Guccifer 2.0 to Russian DNC hack
by Steve Cunningham

The Guccifer 2.0 Chat Hoax | Part 2 | Part 3
by Hannibal Moot

Guccifer 2 and the Podesta Emails
by JimmysLlama

US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware
by Mark Maunder / WordFence

Guccifer 2.0 NGP/VAN Metadata Analysis
by The Forensicator

The Russiagate Hoax — Cutting to the Chase
by Mark McCarty

Non-Existent Foundation for Russia Hacking Charge
by Skip Folden

New Report Suggests DNC Hacker Was Collecting Opposition Research on Donald Trump
by Steve Cunningham

Time Zone of Guccifer 2 cf.7z
by Stephen McIntyre

Guccifer 2.0 CF Files Metadata Analysis
by Forensicator

Guccifer 2 Email Time Zone
by Stephen McIntyre

Guccifer 2 and “Russian” Metadata
by Stephen McIntyre

Guccifer 2: From January to May, 2016
by Stephen McIntyre