How Mueller Indictment Prove’s Ukraine Behind DNC Hacks

Hackers caught!12

Robert Mueller is on a roll. He’s making all the right moves and going nowhere with his indictments. If you read the following carefully, you’ll see the shell game he’s playing from every angle. He’s indicted the right group, just the wrong people.

Let’s start with what you know. Both of Mueller’s indictments are based on the political witch-hunt Washington is on to destroy Russia and Donald Trump to support Ukraine.

What you don’t know is that either Robert Mueller decided he loves Russia and wants the facts to come out or he just made the biggest gaffe in judicial history. His choice of evidence leads directly to Ukrainian Intel. It doesn’t go anywhere else and it offers a direct path to prosecute the Ukrainian government, hackers, and Information Operations groups.

This means the US Congress and former President Obama’s administration have been directing billions of dollars to support a country whose Intel units attack us. You don’t have to agree with me. Mueller names the one group that makes Ukraine responsible for all of it.

On February 16, 2018, Mueller indicted 13 Russian nationals for trying to influence the 2016 election. The story of this group was first written about by Adrian Chen as the troll factory in St. Petersburg, Russia. Mueller’s original February indictment showcased a list of supposed crimes many of the indicted people were not there to commit, and that is according to his own sources.

The problem for the Troll Farm indictment is according to legal and court records in St. Petersburg, it existed only as registered on paper. There were no bills, no payroll, no employees.  It didn’t exist in 2016 for it to be involved in the US election.

Both indictments in US Federal Courts by Robert Mueller shows why both trials were nonstarters on evidence long before it becomes a problem for him. Mueller needed a case where no defendants would show up. The evidence the FBI has was fabricated by the group Shaltai Boltai that Mueller is indicting. Their blog is where the only real evidence of the St Petersburg Troll Farm exists and Shaltai Boltai brags about creating it. This is the information Adrian Chen used for his story and the evidence used by Mueller in the February indictment.

Mueller must know all this. He just never expected to get called out on it by the Russians he indicted showing up for their day in court.

Mueller is going to have a huge problem using Shaltai Boltai to prove the Internet Research Agency even existed. From a foundational article by Scott Humor at the entitled “A Brief History of the Kremlin Trolls,” the Internet Research Agency which existed only on paper, ceased to exist in 2015. It was liquidated and merged with construction retail company called TEKA.” Humor lays the facts on the table and left little need for any extra research on the matter.

Humor notes the results of the court case in which an NGO pushed to get legal recognition of the troll farm as a working business in St Petersburg was thrown out by the courts. The woman they brought to sue for back wages could not even show the company existed.  Why the Evidence Mueller has for the Indicting 13 Russian Nationals is Fraudulent

Since the St Petersburg Troll Farm didn’t exist in the same time and space as the 2016 election, what is Mueller proposing? Do the Russians time travel? Inter-dimensional portals? Is he some kind of meta-data truther like a few of his supporters in the private Intel Community?

The article linked above laid the groundwork to look at the people inside every Fancy Bear hacker and influence group. It did so by falsifying Mueller’s sources for these indictments.  The source is the Russian hacker group Shaltai Boltai who are reportedly former GRU hackers convicted of treason that worked with the US and Ukraine Intel against Russia.

I explored Shaltai Boltai’s confession to the FBI that they were the DNC hackers. Shaltai Boltai (aka Humpty Dumpty) tried to confess to the FBI after they were caught by the Russian government for treason. They hoped to get extradited to the USA. Remember that fact for the moment.

Shaltai Boltai’s Yevgeny Nikulin was interviewed by the FBI. According to Disobedient Media’s Adam Carter “Nikulin has stated in a letter, passed to his lawyer Martin Sadilek and reported by Moscow Times, that, after his arrest on October 5, 2016, he was visited by the FBI several times, the first of which was on 14-15 November, 2016.

During those visits, Nikulin alleges that the FBI had asked him to confess to hacking John Podesta’s emails. To quote the Newsweek article that reported it: the FBI visited him at least a couple of times, offering to drop the charges and grant him U.S. citizenship as well as cash and an apartment in the U.S. if the Russian national confessed to participating in the 2016 hacks of Clinton campaign chief John Podesta’s emails in July.”

On Friday July 13th, According to the New York Times story, Robert Mueller indicted 12 Russian military intelligence officers. They are accused of hacking the Democratic National Committee, the Clinton presidential campaign, and the Democratic Congressional Campaign Committee. But according to the Times, “the indictment made no reference to previous  DNC hacks by a different Russian Intel Agency. That agency was accused of spying, these 12 Russians indicted are accused of trying to influence the election.”

The Times, Washington Post, and every other news outlet knows Robert Mueller finally got his man. Even the CyberSec, InfoSec, and other Sec communities are supporting the indictments. In their eyes, Robert Mueller won one for the team.

Over the last few days, I’ve been involved in Twitter chats with respected CyberSec/InfoSec people that ridiculed my ID of Fancy Bear because it didn’t jibe with Robert Mueller. That’s not something I’d always call a bad thing but when they changed their tune without realizing it, it made me wonder if they understood the information the way it was being presented.

Marcy Wheeler @emptywheel linked an article at the Intercept “What Mueller’s Indictment Reveals About Russian and US Spycraft.” She made the point that she had seen this evidence and it was compelling.

What new information was this cyber expert smitten with? According to Mueller’s indictment of the 12 Russian Nationals, he has the email address that identified DNC hackers that made up the group of indicted Ruskie phishermen.

According to the Intercept article “For example, the spear-phishing emails that John Podesta, Clinton’s campaign chair, and others received included links to the URL shortening service Bitly. The Bitly account that created these links was registered using the email address “” The attackers used that same email address to create an account on a provider where they leased a server, which they paid for using an “online cryptocurrency service” (based on the wording of some instructions quoted in the indictment, I think the service in question may be BitPay).”

If you know anything about that specific email and the cryptocurrency service you know exactly how Mueller got that particular email address.  The group of hackers the email address belongs to are notorious dirtbags and didn’t pay King Servers for server rentals they used for their exploits.

The Russian company King Servers was understandably put-off and called the FBI to teach the little criminals a thing or two about crime on Russian soil. Mueller didn’t get this information through his CyberSec community ninja kung fu. The moral is if you choose to do bad things, make sure to pay your bills.

So whose email was it? The email accounts belong to Shaltai Boltai who provided all the false information for the February indictment about the St. Petersburg Troll Farm. If you read the article linked to Mueller’s evidence,  Shaltai Boltai explicitly state their purpose was to hurt Russia. They made the documents, emails, and other evidence to create the Internet Research Company. Some of what’s left on their blog entries are notable and undeniable.

For evidence of the Troll factory existence, they built a trail with faked corporate emails from Russians that don’t speak Russian well and are supposed to be lawyers.

All of this information is vital for properly identifying the hackers and influencers based on Mueller’s indictment. The owners of that email address are Shaltai Boltai and except for one member are all in jail for treason against Russia. Shaltai Boltai was working against Russia and giving information to the US and Ukraine. That would be the best reason Mueller can’t extradite them. The FBI’s history of trying to work deals with them would be another good reason for leaving them in Russian jails.

If you read the linked articles, it’s clear the evidence so far shows the 12 Russians indicted by Mueller are there out of political expediency.  According to the NYT he’ s going after election influence and hacking. His indictment lists Fancy Bear specific malware and tools like X-Agent and supposedly the hackers that used them.

Marcy Wheeler gave her complete support of Mueller’s attributions on her blog. She wrote nothing contrary to it even when Mueller unabashedly includes Fancy Bear signature tools like X-Agent. This is a bit different from her opinion in January 2017 after the ODNI Report.

The FBI report is based solely on Crowdstrike’s evidence which has become a laughing stock across the cybersecurity industry. Cybersecurity professionals are standing up saying how laughable Dimitri Alperovitch’s information is. For there to be any evidence of a hack, the DNI report has to use the FBI report and Crowdstrike’s evidence. This includes the tool X-Agent.

X-Agent was a key proof for Crowdstrike. In the NPR interview with Judy Woodruff, Crowdstrike’s CTO, Dimitri Alperovitch says the use of X-agent shows guilt as clearly as DNA results. This proof, according to him is unique to a single hacker group. Crowdstrike labeled this hacker group “Fancy Bear.” Just as important is the timeline it was used in.

According to Marcy Wheeler, Crowdstrike’s story of a Russian hacker falls apart on this point. Part of the problem is that Alperovitch stated his final undeniable and overwhelming proof was that it was used to target Ukrainian artillerymen throughout 2014.  She argues given that timeline for the GRU, X-Agent had to be in development at least 6 months BEFORE Victor Yanukovych was ousted in a coup. Ukraine and Russia were on friendly terms.

Further, citing Jeffery Carr, X-Agent doesn’t have anywhere near the functionality that Crowdstrike claims it does. Carr goes on further to say two other entities have access to X-Agent which Crowdstrike presents as unique. The first is Crowdstrike itself. The second is the Ukrainian hacking group RUH8 which self-identifies with Pravy Sektor.”

I feel Marcy Wheeler’s position change on Fancy Bear signature items is very refreshing. I think she should really commit to reading @emptywheel more thoroughly. I couldn’t be more happy about Robert Mueller hanging his hat on the email address and Fancy Bear tools.

The reason I’m thrilled about it is the same people who want to argue about Fancy Bear’s attribution have clearly identified the Russian GRU and FSB criminal hackers.  They are called Shaltai Boltai aka Humpty Dumpty aka Anonymous International as the culprits. Good show!

The”it” I’m thrilled with is Shaltai Boltai’s exclusivity in the indictment. Every journalist and politico should jump on this and understand why they point directly to Ukraine.

I believe if any of the named and unnamed CyberSec experts spent a little more time researching instead of tweeting, they would have seen this at some point during the last 2 years. Along with Mueller, they would also see choosing the evidence he did to work with, Mueller just hung THE DNC HACKS, SURKOV HACKS, PODESTA HACKS, GERMAN PARLIAMENT HACKS, TV 5 MONDE HACKS, NATO HACKS, AND REPUBLICAN HACKS on UKRAINE’s ultranationalist Intel.

RUH8 credits “mostly CyberHunta” with the Surkov e-mail theft (Why this is a theft, not a hack is discussed in Fancy Bear ID article) and says it was not the result of a spear-phishing scam but rather what he describes cryptically as “special software.” He claims the malware allowed CyberHunta not only to retrieve Surkov’s e-mail but to “take the entire [Russian] presidential administration system under their control, and they gathered information right from the computers.”


Everything going forward is premised on identifying Fancy Bear whose actions, tools, blogs, interviews, and indictments are in the above and below linked articles. Below we have their confessions to Fancy Bear hacks made to Ukrainian Intelligence, the Atlantic Council, and Bellingcat. We have them announcing they used the same methods for the Podesta email hack.

Since we have a basis for falsifying Fancy Bear in place, the hackers were identified in part through their qualified confessions to hacks Fancy Bear did. This was supported by RFE/RL, the Atlantic Council, and journalists that identified their association with Fancy Bear through an alternate name they were using.

If you are reading the support material in the linked articles, it’s clear that the sources are kept in context. Most are friendly to Ukraine and even Mueller investigation. In these instances, the facts mattered and they reported them.

Sources I used to identify Fancy Bear include Ukrainian Intel, Bellingcat, the Atlantic Council, the hackers, the Russian traitors, Dimitry Alperovich, Crowdstrike, the SBU, RFE/RL, Newsweek, Jeffery Carr, a slew of other MSM news sources, of course, @Emptywheel’s Marcy Wheeler.

Ukraine’s Fancy Bear Unit started by supplying information about the situations in Ukraine and Syria. The information is the basis for a lot of Bellingcat’s identifications. Ukraine’s Intel provides evidence for the reports and articles they fabricate for the Atlantic Council and NATO. The Fancy Bear Intel unit supports ISIS and allied groups in Ukraine and Syria.

According to Ukrainian Intelligence Hackers (now identified as Fancy Bear), even Bellingcat is clearly a part of Ukrainian Intelligence.

  • “identification of persons who could be involved in the shootdown of Flight MH17 over the occupied Donbas (this information was used in the reports by our colleagues from Bellingcat team)” – Cyberhunta aka Fancy Bear

The first thing CyberSec people like Wheeler and prosecutors like Mueller will say is the Fancy Bear hackers are Russian FSB and GRU hackers and not Ukrainian. The Fancy Bear hackers are only Russian to the degree you include rogue Russian FSB and GRU hacker group Shaltai Boltai whose own story is linked above.

Shaltai Boltai provides a treasonous (convicted of treason, not hacking) connection to the Russian government. They worked for the Ukrainian Information Ministry which is also Cyber Intelligence by dumping Russian government data into the Ukrainian Intel CyberHunta website.

The leader of Shaltai Boltai was in Ukraine working for Intel until tricked into leaving. They belonged to Ukraine’s CyberHunta and Ukrainian Cyber Alliance spy units whose members testify to the US Congress and get large sums of money for Ukraine. This is why Shaltai Boltai was surprised when they tried to confess to being Fancy Bear and no one believed them. 

According to a RFE/RL interview, “RUH8 says the Cyber Alliance uses “all tools and methods” at its disposal to hack into their perceived foes’ accounts. In particular, he says, spear-phishing — using messages that mimic those of legitimate companies along with a request and link to change personal security information — “is quite efficient. People readily give up their passwords and personal info,” he says. “They receive something in their [e-]mail like, ‘Your account will be suspended if you don’t confirm [your security details].’ They click that link and we have them.”

The second thing you are going to say is the DNC hack was a leak that went from Seth Rich to Julian Assange and not a hack. I didn’t hang the DNC hack on Fancy Bear but Mueller is. In fact, there hasn’t been enough evidence supplied to do much of anything since the DNC servers were never released to be examined.

What Crowdstrike did do was supply enough information from the hacks to make the hackers able to confess believably. They used proprietary tools and specific methods. According to Barrack Obama and Donna Brazile, the hacks went on until Sept/December 2016 and it wasn’t an isolated event like so many seem to believe.

Last, we showed them in action fabricating information and deciding what information State Governments were going to receive about events in Eastern Europe and Syria that have a global impact. According to Ukrainian Intel, they want nothing less than to start a war with Russia by any and every means possible.

Part of the qualifier for the hacking group is they are also identified as having possession of tools known only to be in the possession of Crowdstrike and Fancy Bear according to Dimitry Alperovich and cybersecurity expert Jeffery Carr. No other group had them at the time.  This was the second time I was able to tie this particular group to Fancy Bear. The first was Dec 2016.

Fancy Bear is Ukrainian Intelligence and Information Operations groups CyberHunta and the Ukrainian Cyber Alliance and Shaltai Boltai before they were arrested, charged and sentenced for the actions listed above.

Over the last 4 years, I’ve researched and written many stories that are still breaking in other media today.

If you want to support a strong investigative journalism effort thank you for supporting my Patreon page. You can also support my work through PayPal as we expand in new directions over the coming year. For the last 4 years, it’s been almost entirely self-supportive effort which is something when you consider I live in Donbass.

Take a look at the stories I’ve broken so far this year. The biggest is yet to come.

Thank you for supporting a proven effort that’s working.