Twitter DMs obtained by BuzzFeed News show that in the summer of 2016, WikiLeaks was working to obtain files from Guccifer 2.0, an online hacktivist persona linked to by Russian military intelligence, the clearest evidence to date of WikiLeaks admitting its pursuit of Guccifer 2.0.
“[P]lease ‘leave,’ their conversation with them and us,” WikiLeaks asked journalist Emma Best, who was also negotiating with Guccifer 2.0 for access to what it had teased on its blog as “exclusive access” to hacked Democratic Congressional Campaign Committee files. “[W]e would appreciate it if you did not dump the docs and obviously archive.org will delete them anyway.”
WikiLeaks had mentioned Guccifer 2.0 a single time before, tweeting in June 2016 — five weeks before it released its first dump of Democratic National Committee emails — that the persona had claimed it gave WikiLeaks DNC emails.
But by the time of the DM conversation with Best, WikiLeaks founder Julian Assange had shifted the story of how WikiLeaks acquired those emails, giving repeated TV interviews that floated Seth Rich, a Democratic staffer who had been murdered in what police concluded was a botched robbery, as his real source.
The messages between Assange and Best, a freelance national security journalist and online archivist, are the starkest proof yet that Assange knew a likely Russian government hacker had the Democrat leaks he wanted. And they reveal the deliberate bad faith with which Assange fed the groundless claims that Rich was his source, even as he knew the documents’ origin.
Best told BuzzFeed News she first reached out to Guccifer 2.0 in August 2016 after it posted on its WordPress account a call for journalists who wanted its files. “I sent them a Direct Message and referred to that, asking what they had in mind,” Best told BuzzFeed News over Signal. Best has experience posting large data sets, and wondered if she could host the files on archive.org, a nonprofit digital library.
But Guccifer 2.0 had another idea. “[I] gonna send a large trove to wikileaks,” it said. Best, who had DMed with WikiLeaks before, relayed that message to WikiLeaks in a direct message on Twitter. Neither party conveyed to her whether they had interacted together before.
“I told them that Guccifer 2.0 was considering giving me at least part of the cache, which is when they asked me to be their ‘agent,’ which they said I would get ‘credit’ for,” Best said. She didn’t agree to act as Assange’s agent, she said, but stopped messaging with Guccifer 2.0.
WikiLeaks was adamant in its communications with Best that it didn't want anyone else to leak the files.
“[T]hese other media groups are very likely to take a stupid initial angle,” WikiLeaks said in one message sent Aug. 12 at 9:14 p.m., adding that other news outlets would focus less on the content of the leaks than how they came to be. “‘We don’t know if its true. Possibly russians who knows blah blah blah.’”
WikiLeaks’s pitch worked. “I dropped the matter with both parties and never received or passed on any exclusive G2, DNC, Podesta, etc. documents,” Best said.
Less than an hour after WikiLeaks’s last message to Best, Guccifer 2.0 tweeted that it had handed those documents over.
Who was in control of the WikiLeaks Twitter account cannot be known with certainty. But Assange is widely considered to be the primary user of the @WikiLeaks Twitter handle, and Best believed her chats with that handle “were with him or his proxy.”
Best said she deleted all her direct messages after noticing someone was trying to hack her Twitter account, but recently found the email notifications that users receive when they get a DM on Twitter. A lawyer for WikiLeaks did not respond to a request for comment.
The following is the entirety of WikiLeaks’s messages to Best that night, according to the emails she provided. All times are ET. (Twitter does not send a user copies of their own messages, so the contents Best provided are one-sided.)
8:43 p.m.: please “leave” their conversation with them and us
8:43 p.m.: we would appreciate it if you did not dump the docs and obviously archive.org will delete them anyway
9:12 p.m.: Impact is very substantially reduced if the "news" of a release doesn't co-incide with the ability to respond to the news by searching
9:13 p.m.: non-searchable dumps are just channeled into a few orgs with technical resources. then others won't touch them because they perceive that the cherries have all been picked by techdirt or whatever.
9:14 p.m.: and these other media groups are very likely to take a stupid initial angle
9:15 p.m.: “We don’t know if its true. Possibly russians who knows blah blah blah” because they don’t properly verify prior to publication and are scared because they’re not us, contaminating the entire release
9:18 p.m.: in that regretable event, from our perspective, please just act as our agent we can ensure you get the right credit, cross promotion etc.
Before Guccifer 2.0 began speaking with Best, the account had repeatedly claimed to be Assange’s source, though it was a one-sided relationship. On June 15, more than a month before WikiLeaks published its first of two batches of Democratic emails, the persona wrote in an email to the Smoking Gun that it had “thousands of files and mails” that it already “gave to Wikileaks.” When WikiLeaks released its first batch of Democrats’ emails in the 2016 campaign, the “DNC Leaks,” Guccifer 2.0 claimed to be the source.
But Assange chose, in television interviews both immediately before and after his conversation with Best, to not publicly bring up Guccifer 2.0, and instead to tease the conspiracy theory that Seth Rich, the Democratic National Committee staffer whose murder spawned conspiracy theories, could be the source for his leaks.
The Seth Rich conspiracy held, in essence, that Rich, a DNC staffer who supported Bernie Sanders, grew disillusioned with the party after Hillary Clinton won the nomination, stole emails to give to WikiLeaks, and was killed for it.
The theory didn't account for how a regular staffer would have had access to Clinton campaign manager John Podesta’s email account, which WikiLeaks released in October, or files stored on the DCCC’s server, which Guccifer 2.0 released slowly over the summer on its WordPress account and in emails to reporters. Nor did it account for why the NSA, FBI, and CIA, as well as a number of US and foreign private threat intelligence companies, would each conclude there was sufficient evidence that the GRU, Russia’s military intelligence arm, had indeed hacked those targets.
Rich's murder, two weeks after Assange first began leaking the hacked DNC documents, was likely the result of a robbery attempt gone bad, police concluded. But the conspiracy theory was spread quickly by alt-right social media figures and conservative news sites, and lasted far beyond the election, with people like Fox News commentator Sean Hannity talking about it for months after Trump took office.
Rich's parents have since sued Fox News over “the pain and anguish that comes from seeing your murdered son's life and legacy treated as a mere political football.” His brother Aaron has sued two other right-wing commentators who pushed the theory that Aaron aided his brother and illegally helped cover it up. Fox declined to comment on the legal action, but noted it has retracted the story and that Hannity announced in May 2017 that he would stop coverage of the hoax out of respect for Rich's family.
Three days before the conversation with Best, Assange brought up Rich unprompted during an appearance via livestream on Netherlands' Nieuwsuur, a nightly public news broadcast: “Whistleblowers go to significant efforts to get us material, at often very significant risks,” he said. “There's a 27-year-old that works for the DNC who was shot in the back, murdered, just a few weeks ago for unknown reasons, as he was walking down the street in Washington,” he said.
When host Eelco Bosch van Rosenthal echoed what DC police had concluded, that Rich’s death was a botched robbery, Assange replied, “No, there’s no findings.”
That same day, the WikiLeaks Twitter account announced it would offer a reward for information leading to the conviction of Rich's killer.
In those interviews, despite privately angling for Guccifer 2.0’s files, Assange continued to push the Seth Rich story. Two weeks after the conversation with Best, Assange appeared on Fox News, and while he didn’t claim Rich was murdered over the leaks, he refused to deny it either, and made no mention of any other source.
“If there’s any question about a source of Wikileaks being threatened, people can be assured that this organization will go after anyone who may have been involved in some kind of attempt to coerce or possibly kill a potential source,” Assange said.
“I know you don't want to reveal your source, but it certainly sounds like you're suggesting a man who leaked information to WikiLeaks was then murdered,” said host Megyn Kelly.
“If there's someone who's potentially connected to our publications and that person is then murdered in suspicious circumstances, it doesn't necessarily mean that the two are connected. But that type of allegation is very serious and it's taken very seriously by us,” Assange replied. Since then, WikiLeaks has tweeted numerous times about the theory, never disputing it.
Beyond the June 2016 tweet, Assange made no mention of Guccifer 2.0. As with previous misdirections, hinting that Rich was responsible gave WikiLeaks a means of not implicating the Russian government.
WikiLeaks has been caught covering for Russia at least twice before, both in the summer of 2016, when it declined to publish a huge cache of Russian government data, and in its 2012 exclusion, in its published “Syria Files,” of a $2.4 billion transaction from the Central Bank of Syria to the VTB Bank in Russia. In September, it finally published 35 files from a private Russian intelligence company, but most of them were already public and of little news value, leading experts to allege that was a decision to quiet criticism that WikiLeaks was too friendly to Russia.
Details about the true identity of Guccifer 2.0 are still coming to light. But in many ways, it was obvious from the start.
Guccifer 2.0 first appeared online on June 15, exactly one day after the Washington Post broke the story that the DNC had been hacked and that Russia’s military intelligence agency was behind it. Guccifer 2.0 claimed to be Romanian, but didn’t understand the language. It used a shady Russian VPN service that gave it access to IP addresses that weren’t commercially available. Despite having files from congressional races all over the country, it prioritized leaks of swing states.
In a joint report released after the election, in January 2017, the US’s top intelligence agencies announced that “We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity.” The GRU, the report said, “used the Guccifer 2.0 persona.”
Last month, the Daily Beast reported that either Twitter or WordPress noticed at least once that someone logged into the Guccifer 2.0 account without turning on a VPN, revealing an IP address belonging to the GRU in Moscow.
The files that Guccifer 2.0 published on its WordPress account would later appear in both of WikiLeaks's major drops during the 2016 election: the DNC Email Archive and the Podesta Emails dumps.
In between those releases, on Aug. 12, 2016, it was clear from those messages to Best that the WikiLeaks Twitter account knew that Guccifer 2.0 was the source of hacked Democratic documents.
WikiLeaks’s formal policy is to never publicly identify a source of its leaks, and Assange still refers to Chelsea Manning, the whistleblower who has admitted and spent years in prison for giving WikiLeaks Army Intelligence documents, as an “alleged source.” He never mentioned Guccifer 2.0 or any other party as a potential source in those interviews.
With the exception of one final post, in which it shot back at the joint US intelligence report that detailed the Russian hacking campaign, Guccifer 2.0 went silent after Trump was elected.
Material posted on Guccifer 2.0's blog later appeared in each of WikiLeaks's major dumps during the 2016 election. An earlier version stated that was only true of the Podesta Files.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.
Contact Kevin Collier at email@example.com.
Got a confidential tip? Submit it here.