Leaker, Liar, Hacker, Hoaxer: The Russian contractor who infiltrated Anonymous

Years before the Russian-operated persona Guccifer 2.0 appeared on the internet to claim they were a hacktivist responsible for the DNC breach, a hacker with alleged ties to the Russian government used similar obfuscation strategies. Using numerous false identities and several distribution platforms, they released hacked materials, both genuine and forged, while often lying about the real documents’ provenance. In 2016, refined versions of these tactics would infamously be used by the linked and Russian-sponsored fronts Guccifer 2.0, DCLeaks and CyberBerkut.

According to leaked evidence collected by the FBI in one of the WikiLeaks investigations, the hacker’s stated goal was to sow disinformation and create conspiracies that would increase international tensions. In one exchange with an FBI informant known as Sabu, the Russian hacker/alleged contractor described a plan for a false flag cyberattack that aimed to start a “real cyberwar.” To aid in their efforts, the FBI informant offered the contractor early access to WikiLeaks’ Syria Files – which were then still several months away from public release.

While dozens of journalists have written about the contractor over the years, Kevin Poulsen (whose reporting this article builds on) was the first to report his name, Maksym Igor Popov, or his early interactions with the FBI. Former Special Agent Ernest J. Hilbert, Popov’s former handler at the FBI, has described Poulsen’s article as being about ‘70% accurate’ and ‘40% of the whole story.’ Ironically, Hilbert only knew a portion of the whole story when it came to Popov, whose story continued for years after Hilbert left the Bureau. As Popov’s tale continued to unfold, it intersected with groups ranging from intelligence agencies to corporations and hacker groups working with WikiLeaks.

In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.

Joint Analysis Report from FBI and DHS

Prelude to Popov

Popov and Hilbert entered the scene at roughly the same time, in 1999. By this time, Hilbert had become an FBI agent while Popov, born in Ukraine but ethnically and culturally Russian, had moved on from scamming and selling stolen credit cards to extorting victims of hacking. As Hilbert explained, Popov had become involved in a network of hackers and scammers that were then using the website tech.net.ru, but which would later use the more infamous CarderPlanet and ShadowCrew – spiritual predecessors of the Silk Road.

One of Hilbert’s first cases was captioned “Flyhook,” an operation coordinated by FBI Headquarters that involved the Seattle, New Haven, Newark and Los Angeles field offices. “Flyhook” tracked a group of hackers who had been extorting companies for payoffs and for jobs. Although the Bureau would go on to target the wider affiliation of Russian and Ukrainian hackers known as the Expert Group of Protection Against Hackers, the Bureau began by focusing on the cell containing Gorshkov and Ivanov. The Bureau started by setting up a fake company, Invita, which they used to lure Gorshkov and Ivanov to Seattle under the pretense of a job offer.

Several undercover FBI agents watched the pair of Russians demonstrate their skills by connecting to their own network and downloading the tools they would use to hack the Bureau’s honeypot. The entire affair was recorded on video, with the Russians’ keystrokes being similarly recorded – including the credentials they used to access their private network. The pair were promptly arrested, which prompted one of their associates to declare that “the FBI had started a war.”

By tricking the Russians to Seattle to arrest them, the FBI had started a war. We’ll keep stealing just like we did in the past. Better leave us alone.

What happened next is a matter of debate, with the United States and Russian governments maintaining different stories.

According to the United States government, the FBI agents attempted to coordinate their investigation with the Russian government through diplomatic channels, only to be stonewalled. After a week and a half of waiting and fearing the destruction or loss of evidence, the Bureau used the Russians’ stolen credentials to access their system and download approximately 2 GB of data over a period of five days.

One individual associated with Flyhook appears to put the total at “several hundred gigabytes of data” in one presentation, though this figure seems improbable.
The tech.net.ru office used by Gorshkov and Ivanov

In response to the FBI’s unauthorized accessing of the Russian system, the FSB charged several of the agents involved with hacking crimes. Hilbert has stated that he was one of these agents, allegedly resulting in him having to travel on a diplomatic passport in order to avoid being arrested by the Russian state when his work compelled him to travel abroad. The FBI has stood by their actions, praising the agents and what would become a legal precedent for future cases.

Hilbert said that after Gorshkov and Ivanov, the Bureau “started connecting the dots between them and several others online. One of those guys happened to be Maksym Popov, or Max.” While much of the Expert Group were operating from within Russia, the ethnically Russian Popov grew up and operated within Ukraine. Although Popov was capable of some relatively minor hacking feats, he was reliant on more technically skilled hackers. He was less of a hacker and “more of a social engineer, a manipulator,” as Hilbert put it. His true talent was in manipulating victims, and converting hacked systems and stolen data into money.

Before long, Popov claimed he wanted to make a deal with the Bureau.

Popov versus the FBI

As Hilbert described it in one interview, Popov made what seems like a bold move. While Hilbert worked undercover, the two “were crossing paths, and [Popov] started offering up product and it went back and forth. Eventually he started talking about wanting to be clean or help the FBI or something of that nature.” When Ivanov made a deal with the FBI, he had feared for his family enough to insist that they be relocated from Russia to the United States, in stark contrast to Popov apparently telling someone he thought was a criminal that he wanted to “help the FBI.” More than a decade later, Hilbert began work on a draft of his memoirs, which states that Popov’s “family and friends would be in danger” if it was suspected he was working with the Bureau. This assessment raises more questions about Popov’s announcing his apparent desire to work with the FBI.

Though I knew that cases could still be made against [Popov], for hacks the FBI knew he committed but had not yet been charged, we could do what law enforcement does on a daily basis.  We could make this guy a deal to go after the bigger fish in the sea.

(The text of the draft of Hilbert’s memoir is reproduced in its unedited form throughout this article.)

Hilbert wasn’t the only person from the government who was talking to Popov at the time. Another FBI agent in Washington D.C. was also talking to Popov, as was a Secret Service agent. After several phone calls and trips to the London embassy, Popov agreed to come to the United States. To his surprise, he was quickly arrested after his arrival and informed by the Bureau that he was not only going to work for them, but he was going to do so entirely on their terms.

Popov found himself facing charges for numerous breaches, including Western Union. Popov’s first task was to target some of his colleagues. Unwilling to do so, Popov blew the operation by warning his comrades using Russian idioms. As Poulsen reported, it took the Bureau three months to discover what Popov had done and how he’d tricked them.

Popov was soon in a jail in Kansas City. He remained there until he seemed to break and Hilbert intervened. As Hilbert explained in one interview,

He was in jail for less than a year when he got his defense attorney to get in touch with the FBI and say ‘look I can’t do this anymore, I can’t sit in jail.’ Honestly, I don’t think he was expecting what an American jail is like. And we worked out a deal, he would come to Southern California. We housed him at a local jail. Each day we would go and take him out to a secure location.

He and I would sit side by side at computers with a team of a couple of other agents behind us, and we would communicate with hackers around the world, buying stolen goods. They would talk about how they broke into company X, Y or Z, and we would talk them into giving up their information about it. Name the company, buy their product, buy their stolen goods, and then we could contact the company and let them know when intrusions had occurred and try to help secure some systems.

According to a draft of Hilbert’s memoir, he designed an ambitious undercover operation and requested permission to work it with Popov. The Bureau responded that the unprecedented cyber operation wasn’t “technically” an undercover one because Hilbert ostensibly wouldn’t be taking on an undercover role. In spite of this ostensible limitation, Hilbert was sometimes “introduced as his partner in the US or as a fellow hacking carder thus to vouch for each other.” Nevertheless, Hilbert would officially run Popov as a “‘cooperating witness’ or an ‘informant’ operation that only required AUSA approval to consensually record communication between the source and the bad guys.”

While Popov had been waiting in prison, he got in trouble for “hacking” the local prison system’s network and accessing their printers. Explanations of the event differ wildly. Poulsen’s report in Wired describes the hack as a prank. Popov “discovered that the machine was wired to a jailwide network, and with a few keystrokes Popov sent ‘profane comments and remarks’—as the disciplinary report later put it—spilling out of printers around the facility.” The draft of Hilbert’s memoir provides a different version of events, one in which Popov was entirely innocent.

[Popov] was getting antsy to start working.  While waiting in prison he signed up for a word processing and photoshop class.   You have to love a legal system that allows a convicted computer criminal access to unmonitored computers inside of prison.  While sitting in class one day, [Popov] tried to print some of his work as was allowed by the instructor.  When it was determined that the printer was not working, [Popov] utilized the workstation he was assigned to scan the network and find a different printer and sent [his] work there.  Of course, this action was seen as “hacking” the jail’s network and [Popov] was ban from taking computer classes.

While outside events stalled their operation several times, they were ready to resume work by August 2002. In the draft of his memoir, Hilbert described the day-to-day of the operation.

Four to five days a week for the next nine months, myself and three other agents, two in each car, would drive to the location in which [Popov] was housed.  [Popov] was hand cuffed and leg shackled and then walked to the car and seated in the back seat along with one of my fellow agents.  We would then drive to our offsite location, all the while being tailed by two agents in a follow car.

Once we arrived at the off-site, [Popov] was walked inside.  His leg shackles were removed and replaced with a leg cuff, connected to a 10 foot chain that was bolted into the wall.  Only then were his handcuffs removed and [Popov] was granted access to a computer workstation connected to the Internet.

But this was not just any work station.  Every keystroke typed into the computer was captured and recorded on a different system secured away from [Popov]. A FBI translator sat side by side with [Popov] and myself to insure when [Popov] wrote in a language I could not read, the translator would read it as he typed. Screenshots of every page viewed on the monitored were taken at a rate of 5 per second.

We also deployed a series of traffic sniffers and event logs to monitor all programs running, traffic sent from or received by the system and very piece of data touched. These sniffers would come in handy later in the operation when a number of hackers tried to crack our system from around the world to include Max Butler, the hacker profiled in Kevin Poulsen’s book “Kingpin.”

Everything done on [Popov]’s computer was recorded and copied four times from the original each night. One copy for the case file, one copy for AUSA Alikhan, one copy for the defense and one copy for Work.  The original data was stored as permanent evidence, complete with a chain of custody and locked in a vault for use if and when any of the investigations went to trial.

The plan was scary in its simplicity.  [Popov] would go online, re-connect or join the cyber underworld and identify international hackers.  In some cases I would be introduced as his partner in the US or as a fellow hacking carder thus to vouch for each other.

When it came to targeting the Russian online bazaar CarderPlanet, Hilbert said that Popov “wasn’t as big as he claimed to be, but he had the connections. He knew who to talk to, who the right people were.” Former Special Agent Hilbert said in one interview that Popov “identified over 200 separate hackers, and over 1,500 separate companies that got hacked into” in a nine-month period of working with the Bureau. Hilbert separately told Poulsen that “over 700” of these companies had been breached by Eastern European hackers. Hilbert stated in an interview that Popov allowed the Bureau to record over 2,500 conversations with hackers, fences and other cybercriminals.

With Popov’s help, Hilbert felt that the Bureau became one of “the most well respected fences of stolen goods on the internet.” They achieved this through a history of good transactions and a willingness to show off when they needed to. It was this willingness that helped Hilbert and Popov target Dmitri Golubov, AKA Script, one of the founders of CarderPlanet. It was Hilbert and Popov’s work that apparently helped identify Golubov, leading to his eventual arrest and temporary imprisonment. As Hilbert describes it in the draft of his memoir,

At one point we were making so many cash buys that the hierarchy, Script included questioned our cash flow.  They wanted to see cash rather or they would stop selling to us.  Well the FBI does not have hundreds of thousands of dollars in cash lying around for use and the process to get the cash and then return it takes weeks and mounds of paperwork.  Instead, I contacted the agents assigned to bank robberies and asked for a favor.

Two days later, the team followed our normal routine of getting [Popov] out of jail, but this time we had him change into street clothes as if he were going to a court appearance.  Once outside of the jail’s gated sally port, rather than head to the offsite a caravan of three FBI cars and 6 agents drove to a local bank.  Once there we were ushered into a back room where the telcom equipment and computer network systems were stored.  The bank manager and three employees then joined us with $200,000 in $20, $50 and $100 bills.  [Popov] was uncuffed and a video was made of him thumbing through the cash while a sign in Russian was on the table that read, “Is this enough cash for you?”  Only [Popov]’s hands and lower torso were visible in the video.

In 2014 Hilbert claimed he was mysteriously sent this copy of the 2003 video. In 2016 he claimed he found it on some forums.

According to the draft of Hilbert’s memoir, their work together was successful enough to change Popov’s circumstances. He’d continue to work with the FBI, but would no longer be imprisoned. Instead, his “housing would be taken care of and he would receive $1000 per month in spending cash from the FBI.” Despite his improved conditions, Popov’s cooperation with the Bureau was nearing a conclusion that nearly saw Hilbert indicted. As the former Special Agent wrote,

He does his time served, he gets put on probation in the United States but gets the U.S. Attorney’s office to agree to let him go home to the Ukraine. He goes back to the Ukraine and never returns to the United States. It was very clear he wasn’t coming back. It was clear to me, it was clear to the U.S. Attorney’s office, it was clear to everybody else except for the fact that he was given probation, that was not something that could be discussed. The truth is he should’ve never been given probation because he was a foreign citizen in the United States. He should’ve been removed from the United States as soon as his time in prison was done. So in the grand scheme, he did what was supposed to happen. He returned back to his home.

Precisely what happened after Popov’s 2003 departure from the United States is slightly unclear. As Hilbert explains and Poulsen reports, Popov was deported to Ukraine. But according to Jeffrey Carr, a security researcher who later worked with Popov, he was deported to Russia.

Regardless of Popov’s final destination, security analyst Raoul Chiesa reported that that year saw the beginning of a series of mass scans performed by Russian hackers using the X.25 networks and SprintNet. By 2004, and possibly earlier, Popov was working closely with Russian hackers who specialized in the X.25 and SprintNet networks and would soon gain access to the FBI’s email server. Like Popov, at least one of these hackers had been tied to CarderPlanet before the bazaar’s fall in 2004.

Popov went on to launch a cybersecurity company called Cybercrime Monitoring Systems (CYCMOS). In Hilbert’s words, CYCMOS was “doing exactly what” Popov had been doing with the Bureau. As the former Special Agent explained,

He setup an opportunity of identifying victim companies, notifying those victim companies of the intrusions, and then some would say extorting them, some would say offering up a service, whatever it may be, letting them know ‘pay me and I will either delete the information and so on.’

On New Year’s Eve 2004, Popov called Hilbert in a scene the FBI agent would use to open his memoirs. Popov quickly explained that he was calling to alert Hilbert to a breach of the FBI’s email servers and the compromise of a list of government informants in the FBI’s and Secret Service’s cyber cases. Popov helped Hilbert “solve” the case for $10,000, eventually leading to a student (and compatriot of Popov’s) called Leonid Sokolov. It’s unknown who Popov attempted to sell the data to beyond the FBI and AT&T (whose New Jersey datacenter hosted the FBI’s email servers), though a number of potential clients, ranging from nation-states to organized crime, undoubtedly occurred to the hackers.

His involvement in the FBI.gov email hack [is] less about the hack itself, more about gaining the money out of it. His role was converting information into money, and he was very, very good at it.

Sokolov, who studied engineering at an armament college in Saint Petersburg, operated under the handle “Eadle.” He was part of a hacking group that called themselves X.25, having taken their name from the networks they specialized in exploring and exploiting. In Russian postings, “Eadle” is credited as helping document the X.25 and SprintNet networks which were mass-scanned from 2003 through 2008. Sokolov and Popov appear to have travelled in the same circles for years, with both having ties to CarderPlanet. “Eadle” shares an ICQ number with “Gabrik,” listed as a “Capo Di Capi” in one of the organizing documents from CarderPlanet’s founding. According to Poulsen, “Sokolov was charged in a sealed indictment in New Jersey, and a confidential Interpol Red Notice was issued for his arrest.”

Years later, Popov confessed to Poulsen that he had been working with the hackers from the beginning.

Popov was simultaneously attempting to extort EMC, a Boston-based government contractor. As part of his attempt to establish his bona fides and get paid, Popov told EMC that Hilbert would vouch for him. This resulted in Hilbert being questioned about the identity of Popov, then using the alias Denis Pinhaus. Hilbert’s refusal to identify Popov, which he says was prompted by his superiors in the Bureau and the Department of Justice, contributed to suspicions that he was working with or protecting the hacker. Just before he was pulled off the case, Hilbert had apparently arranged to meet with Popov “in the Orient” so that he could arrest him.

Although Hilbert claims to have known that Popov was acting out of bad faith, a possibility which Popov has conceded, Poulsen reports that he “was paid and given a commendation letter on FBI stationery to display on CYCMOS’ website: ‘We acknowledge and express our appreciation for the assistance you have provided.'”

While the Boston Assistant U.S. Attorney (AUSA) accused Hilbert of protecting Popov, rumors were circulating in the DOJ that he’d either betrayed the Bureau or was working for Popov. The AUSA reportedly called Hilbert a “rogue agent,” which would become the working title of Hilbert’s memoir. He soon found himself under investigation by the Office of the Inspector General (OIG). Although Hilbert was nearly indicted, no indictment was ever served.

In some accounts, Hilbert puts the blame firmly on the Boston AUSA. In others, he acknowledges that the Bureau was facing considerable pressure over the case. At one point, the Vice President’s office became involved, asking the Bureau to “stop hammering AT&T over and over again” and assuring them that the company would provide the requested information. Adding to the political pressure was the fact that the CEO of EMC had been an Ambassador under George Bush Sr.

The FBI did not screw me. The DOJ/OIG and the Boston based AUSA did. They operated with arrogance and ignorance. The Boston AUSA thought he had a right to know everything and when he was denied it appears he took it personally.

Infiltrating and Leveraging Anonymous

Over the next several years, Popov continued to amass stolen files and extort companies. Although some of the files later released by Popov dated to 2009 and 2010, there’s little record of his activities in this time period. It wasn’t until 2011 that Popov resurfaced under a series of pseudonyms, once again becoming embroiled in several FBI investigations. By late July 2011, Popov’s false identities were in contact with Hector Monsegur, a hacker and FBI informant going by the alias Sabu.

Chat logs collected by the FBI, and which subsequently leaked, show that Popov and Sabu developed what appeared to be a symbiotic relationship in the following months. The two shared files, data caches, and targets, all while helping amplify each other’s releases. They also planned cyber attacks on foreign government systems and discussed a false flag attack in order to “create real cyberwar.” After being told about these plans and Popov’s desire to create disinformation, Sabu offered to give Popov access to the Syria Files several months before WikiLeaks released them. Popov happily accepted, saying he planned to use the emails for disinformation purposes.

As the FBI’s logs show, Popov first made contact with Sabu using IRC on July 25, 2011 when Popov sent Sabu information about an alleged hack of Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche (CNAIPIC), the Italian cyber police. Popov wanted Sabu’s help in promoting the cache’s release, which he claimed contained evidence of a vague worldwide conspiracy involving governments and corporations. The release of the cache was credited to the Legion of Anonymous Doom (LOAD) and NKWT. It eventually earned the ire of Belarus’ KGB, which accused the documents of containing forgeries, distributed and promoted by an FBI asset, which falsely implicated the KGB in supplying weapons to Pakistani terrorists.

Sabu apparently chose to help Popov, as logs from eight hours later show him coordinating with others about the release, including a rewritten pastebin release note. However, there was frustration behind the scenes over confusion about who was responsible for the release. Some media outlets were erroneously crediting various Anonymous subsets.

There were efforts throughout the day to clarify the matter, with some describing NKWT and LOAD as a “friendly vessel” sailing in AntiSec waters.

Meanwhile, Anonymous’ efforts to analyze the documents they’d helped release continued, alongside questions of who was responsible. A separate IRC channel, #n0n3, was set up to focus on the issue. At one point, Sabu warns the others to be careful with the PDFs due to there being a “phone-home enabled in a one few,” which could expose the readers’ identity. No one had any meaningful information on those responsible for the alleged hack.


By July 27th, suspicions were rising within Anonymous. In one private chat, Sabu is warned that while the documents may be real, they probably didn’t come from a CNAIPIC hack as Popov was claiming.

A few hours later, the assessment worsened: a friendly source from CNAIPIC was telling them that some of the documents had been forged. One document number, when checked against CNAIPIC’s system, reportedly corresponded to a wholly unrelated matter. The remaining real documents didn’t seem to have come from CNAIPIC either. Instead, police were apparently investigating “a small IT company that has worked for CNAIPIC in the past and that apparently some of the stolen data were on a machine they took to repair in Rome.” There was an immediate suspicion that it was “a giant op by the police to [discredit] anonymous and to tarnish our reputation and credibility.”


Despite these concerns, members of Anonymous appear to have concluded that at least some of the documents were authentic and produced by CNAIPIC, even if they hadn’t been hacked from a CNAIPIC system.

Future releases in the CNAIPIC series focused on LOAD, omitting references to NKWT. The latter of the two alleged groups seemed to disappear. It wouldn’t reemerge until 2015 when an ostensibly Italian group using the NKWT moniker registered a website which listed their alleged members (including the well-known Swiss-Italian hacker Phre, listed as the “ex-founder”) and claimed credit for various exploits, including Popov’s CNAIPIC hack.

Exposing the lie that the CNAIPIC hack was the work of Italian hackers, Popov’s Yama Tough persona took credit for the hack in a private chat with Sabu. In the January 2012 chats, Popov was claiming to be one of a number of hacktivists in an ostensibly Indian group known as the Lords of Dharmaraja (LoD). As proof that he wasn’t blowing smoke about the CNAIPIC hack, Popov accurately described the person who had given the files to Sabu as the guy without a nickname. He then explained that the person was LoD’s alleged “enforcer arm in Pakistan.”

Notably, this strategy of using “a lone hacker or an hacktivist to deflect blame” would become a familiar one for Russia, later used much more infamously by CyberBerkut and Guccifer 2.0. As Popov would later tell security researcher Jeffrey Carr, ‘The FSB regularly recruits blackhats for contract work, and one of the standing orders is to leave evidence pointing to an entirely different government as the perpetrator of the attack.’ At one point in his chat with Sabu, Popov admits that he’s “not Hindu” and that the moniker existed to throw people off the trail of his true identity.

Popov was establishing contact with Sabu to ask for help with Symantec. At the time, Popov wanted to monetize copies of Symantec’s source code. His plan was to use Sabu in order to raise his profile and distribute initial bits of source code. He also wanted help looking for potential exploits in the software, an endeavor Sabu acted happy to help with.

12:44 <LoD> so I want to ask you
12:44 <LoD> if you have time and wish
12:44 <LoD> to start operation 0day
12:45 <LoD> my team doesnt have
12:45 <LoD> time at all to explore
12:45 <LoD> the codes
12:45 <LoD> but I am sure if we all do
12:45 <LoD> it will give us some ways to 0day shit
12:45 <Sabu> my team has been doing 0day research. so we can both take advantage of this
12:45 <Sabu> whatever we find we'll send your way
12:45 <Sabu> so you can further expand your bots
12:45 <Sabu> and we'll own police/feds
12:45 <LoD> good

While the FBI informant helped him distribute the software, Popov was emailing with an FBI agent posing as Sam Thomas, an alleged representative of Symantec who was negotiating a payment to Popov in exchange for withholding the same source code. A partial copy of the email chain can be found here.

In a rare and telling moment that hinted at his true identity and methodology, Popov told Sabu that “most of them agencies still use x25.” Popov also revealed that his interests extended beyond hacking and distributing data – he was also interested in active measures. Popov said he wanted to withhold certain materials for a “private operation” that would “setup a conspiracy between two nazi orgs.” To compensate for the apparent withholding, Popov gave Sabu credentials for a number of Brazilian servers, including what he vaguely described as the ‘Brazilian police department or military police or something.’

12:49 <LoD> most of them agencies still use x25
12:49 <LoD> =)
12:49 <LoD> lame?
12:49 <Sabu> ;)
12:50 <LoD> which country ? Ill show you some stuff
12:50 <Sabu> hmm
12:50 <Sabu> since you mentioned germany :) I have lots of friends there. OR brazil many good friends there
12:51 <LoD> We have access to all npd-hamburs emails
12:51 <LoD> but we wanna use them for our private operation
12:51 <Sabu> thats fine
12:51 <LoD> we want to setup a conspiracy between two nazi orgs
12:51 <Sabu> what about austria ?
12:51 <LoD> I give you brazil now
12:52 <LoD> wait
12:52 <Sabu> ok sounds good

Sabu (using the leondavidson handle) happily shared the good news with Jeremy Hammond (using the yohoho handle) about the Symantec source codes, as well as the Brazilian credentials. Sabu’s chat with Hammond implies that some of the discussions with Popov took place at virtually the same time as discussions with Julian Assange or his representatives. Immediately after relaying the Brazilian credentials from Popov, Sabu tells Hammond that Assange was hinting for them to hack Kroll. Coincidentally, Hilbert had become Kroll’s Head of Cyber Investigations days earlier.

Sabu called the affair a “Gibsonian novel.” He also described Popov’s desire to stage a false flag attack and “hack Israel from Saudi intelligence servers they hacked to create real cyberwar.”

(9:14:35 AM) leondavidson@jabber.org/jabber.org: this is some gibsonian novel I'm living son
(9:14:46 AM) yohoho@jabber.ccc.de: high stakes homey
(9:14:51 AM) yohoho@jabber.ccc.de: we might win this thing tho
(9:15:03 AM) yohoho@jabber.ccc.de: how much do they gotta get knocked around till they quit
(9:15:05 AM) leondavidson@jabber.org/jabber.org: nigga just told me they want to hack .il from saudi intelligence servers they hacked to create real cyberwar
(9:15:08 AM) leondavidson@jabber.org/jabber.org: I'm sittin here like
(9:15:09 AM) leondavidson@jabber.org/jabber.org: lol
(9:15:17 AM) leondavidson@jabber.org/jabber.org: yeah

Sabu’s chat with Popov shows that the proposal came about when Sabu asked Popov if he was going to get involved in the Israeli/Arab conflict that was heating up at the time. Popov responded by proposing that they could create any conspiracy they wanted using his stolen access to Israeli, Saudi, Lebanese and Egyptian servers. “We can make stuff like Saudi will fuck Israelis on something,” Popov suggested.

According to Popov, the details of the conspiracy would depend on the goal. In the instance of the Symantec source code, he claimed the purpose was “to fuck up Pakistan by confronting India and USA,” with the source codes supposedly having been taken from the servers of an Indian military intelligence agency. “Together we can do many many evil/good things brother,” Popov told Sabu.

13:01 <Sabu> you going to work on .il soon? shits heating up between iraeli/arab hackers now
13:01 <LoD> actually
13:01 <LoD> here's what I propose
13:01 <LoD> we can create anyconspiracy
13:01 <LoD> we want
13:01 <LoD> to achieve the goal
13:01 <LoD> I have accesses to il
13:02 <LoD> and to all arabic countries
13:02 <LoD> saudi
13:02 <LoD> lebanon
13:02 <LoD> egypt
13:02 <LoD> etc
13:02 <LoD> we can make stuff like saudi will fuck israelis on something
13:02 <Sabu> yeah
13:02 <LoD> or we can create some stuff that egypt works with il on slave trade
13:02 <LoD> etc
13:02 <LoD> depends on the goal
13:02 <LoD> =)
13:03 <LoD> our goal here was to fuck up Pakistan
13:03 <LoD> by confronting india and usa
13:03 <LoD> =)
13:03 <Sabu> :P
13:04 <LoD> together we can do many many evil/good things brother
13:04 <LoD> =)

The current and former FBI informants went on to discuss a plan to use compromised Australian military email accounts to spear phish Palantir.

13:07 <Sabu> palantir is an evil security company in u.s. they're doing surveillance for military
13:07 <Sabu> we've been tryin to own them since I hacked hbgary
13:07 <Sabu> and found emails of them trying to own wikileaks
13:07 <LoD> hmm
13:08 <LoD> I got a plan
13:08 <LoD> how about we use official military emails
13:08 <LoD> and
13:08 <LoD> start talking to fellas of palantir
13:08 <LoD> not spoofed
13:08 <LoD> but real owneed boxes
13:08 <LoD> create a story
13:09 <LoD> like we wanna order from them
13:09 <LoD> a big deal
13:09 <LoD> talk to them over email for 2 weeks
13:09 <LoD> gain some trust
13:09 <LoD> etc
13:09 <LoD> and send them over pdf our rat
13:09 <LoD> which will be undetectable
13:10 <LoD> thats how we got our botnet setup
13:10 <LoD> undetectalbe rat
13:10 <Sabu> mhm
13:10 <Sabu> that would work - I will do research on which military emails I should use for this
13:10 <LoD> or I can get into military mail server creat couple of accounts
13:10 <LoD> and do it on our own without scheduled cleaning of mailbox
13:10 <LoD> so the owner wont notice
13:11 <LoD> lets say I use Australian mil
13:11 <LoD> or I give you acccess to them mailboxes and help you with the documents so they look good and nefty
13:11 <LoD> ;)
13:12 <Sabu> lets definitely work on that soon

Popov’s interactions with Sabu went beyond active measures and alleged hacktivism and into hacking purely for the sake. At various points, Popov asks for Sabu’s help hacking a Ukrainian taxi database and other targets. Popov said that if Sabu or his people were successful, they could share in the unnamed client’s five-figure payment. Although he declined the offer of the payment, Sabu seemed agreeable to the requests. He told Popov that “what’s ours is yours. We’ll gladly give you access if we root it.”

After it was discovered that a fake memo had been included in a release Popov claimed was related and that the Symantec codes had come from a 2006 breach rather than a breach of an Indian intelligence agency, Popov doubled down on his claim in chats with Sabu.

Their continued discussions demonstrated how some things had changed for Popov. For instance, in the days of the Expert Group of Protection Against Hackers, they’d observed a simple rule – no hacking Russian targets. As one former member put it, “You may go to jail and that’s the best case… More likely, you’ll be killed.” According to Hilbert, this attitude had carried over into CarderPlanet, which “started as a Russian hacking group. In fact they couldn’t even attack anybody within the former [Soviet] states.” In February 2012, Popov told Sabu that the opposite was then true for them, writing that the “former soviet block is our primary target of interest.” Elsewhere, Popov claimed to Sabu that he was against Putin and was going “after russian scumbac [sic] traitors.”

In the following days, Popov revealed his plan to create a new identity on Twitter to release a cache of documents allegedly hacked from Norinco and Wan Bao mining company. According to the chat logs, he planned to disguise the origin of the files by making it look like a leak from American intelligence and a Nepalese hack.

Simultaneously, Sabu, who had been boasting about an alleged breach of Iranian systems, pivoted to the then-pending Syria files. “We owned central syrian bank and got all their emails,” he told Popov. There were “a lot of scandals” in those emails. In the 2012 exchange, Popov is told about an alleged email revealing that Syria had secretly sent Russia billions of Euros. Sabu appears to confuse the amount, which was 2 billion, with an amount from a similar transfer involving an Austrian bank. Reporting by The Daily Dot implies that the two emails were often discussed in the same conversation, while also revealing that the email Sabu was describing to the alleged Russian contractor was omitted from WikiLeaks’ eventual release.

WikiLeaks responded to the reporting by claiming that they “either never had the data or [that it was] in some strange MIME format so it isn’t indexed,” and that the reporting was an attack on WikiLeaks that was meant “to help HRC.”

Popov was impressed by Sabu’s description of the Syria emails, though he briefly confused them with another, unspecified cache that Sabu hinted Popov helped release. “If you want real access to the emails, I can [give it to you],” Sabu offered. Popov responded ecstatically, saying he could use it to create disinformation and fabricate conspiracies. Undaunted by Popov’s intended use for the emails, Sabu said he’d “try to set it all up soon.”

This exchange occurred several months after WikiLeaks received the first batch of the Syria files and several weeks after WikiLeaks gave the LulzSec hackers private access to a search engine to help parse the Stratfor emails which the group had also provided to WikiLeaks.

19:16 <Sabu> though we did very well on syria.. we owned central syrian bank and got all their emails
19:16 <LoD> and Nepalese hack
19:16 <Sabu> a lot of scandals ... like syria sending russia 5 billion euros before civil unrest and when russia sent warsip to trait of whateves its called
19:16 <LoD> Ive actually checked it RESPECT syria gave me some things to mastermind my next operations those email accounts were of much help to improve our strategy
19:17 <LoD> i give you thumbs up
19:17 <Sabu> well we didn't realease it yet ... that was another small hack you released. if you want real access to emails I can ive you
19:17 <LoD> really?
19:17 <LoD> can you?
19:17 <LoD> man I WILL BE in DEBT
19:17 <LoD> I can utilize it in my release
19:18 <LoD> to create a conspiracy
19:18 <Sabu> ya I'll try to set it all up soon

If Popov acquired early access to the Syria files, it would have been the score of a lifetime, giving him an exclusive early inside look at corporations and governments. However, as any later logs of discussions between Popov and Sabu aren’t part of the leaked file, it’s unclear if Popov actually received early access to the Syria files. Due to the scope of the files, its logs do not and would not document any direct contact between Popov and a representative of WikiLeaks.


It was around this time that Popov reached out to Hilbert one final time. In a phone call Hilbert seems perpetually proud to describe, Popov thanked Hilbert for helping him go straight, avoiding a life of drugs or a life that would endanger his family. Popov’s description of his family’s safety stands in stark contrast to the fears Popov had expressed to Sabu, while his claim of having gone legitimate stands in stark contrast to the events described in the FBI’s files. As Poulsen reported, the phone call came just after Popov’s publication of the VMWare source code under the Hardcore Charlie moniker he had told Sabu about. The publication of the VMWare source code was itself motivated by revenge for the apparent failure to pay Popov the second installment they had agreed to give him if the source code went unreleased.

The Hardcore Charlie persona also released what was described as a hacked cache of materials from CEIEC, though even those experts who accepted that the documents were genuine remained skeptical about their origin. Others noted that some of the files in the cache were malicious, similar to the PDFs Sabu had flagged in the alleged CNAIPIC breach. As Shadowserver reported, these malicious files included Remote Access Tools which connected to at least one server that “could be tied back to a known set of persistent actors engaged in cyber espionage,” later known as Naikon, also known as APT 30.

Some of the malware samples extracted from the CEIEC dump connect to infrastructure used in previous APT campaigns.

At around the same time Popov was creating the Hardcore Charlie persona, a “WikiLeaks-like site” was launched by members of Anonymous. While the website, Potentially Alarming Research: Anonymous Intelligence Agency (Par:AnoIA), launched in March of 2012, they wouldn’t publish their first sizable cache of (mostly) new data until that July. Par:AnoIA’s source for the cache was none other than Popov himself.

The release consisted of 1.9 GB of data from Innodata, described by Wired at the time as “an outsourcing company that handles document processing and IT.” The full cache allegedly totaled 40 GB of data, though only an additional 600 MB of alleged Innodata materials would be published by Par:AnoIA. Popov claimed credit for the hack in his communications with Jeffrey Carr. Corroborating this confession, an individual who had been associated with Par:AnoIA at the time described the source as a “shady” hacker who seemed to be Eastern European or Russian.

In addition to the Innodata release, Par:AnoIA hosted a copy of Popov’s alleged CEIEC hack. Several months after the Innodata release, Par:AnoIA released just over 1 GB of data allegedly taken from the Italian State Police’s server, poliziadistato.it. At the time, the release wasn’t explicitly claimed by a specific subset of Anonymous, though it associated itself with #OpItaly. However, when the NKWT moniker associated with Popov became briefly active again in 2015, it claimed credit for the poliziadistato.it hack.

Coincidences and Confessions

In the following years, Popov’s behavior underwent another set of transformations before he seemed to disappear from public sight.

In 2014, Popov adopted the moniker RuCyborg, or Russian Cyber Command, for a series of releases which were allegedly motivated by anger over the annexation of Crimea. Popov told CyberWarNews that “in this particular case I just got pissed off with Putin’s annexation of Crimea, even though I am Russian ethnically to the bone and Russia is my motherland.” However, Popov’s release was once again found to contain forgeries and much of the material dealt with other targets.

While Popov’s RuCyborg ostensibly opposed Putin, Popov’s Yama Tough persona aligned with Russian state-sponsored hackers. On August 14, 2014, CyberBerkut announced that they had compromised the Ukrainian Prosecutor-General’s office, specifically Vitaliy Yarema’s. However, CyberBerkut, which has been tied to the Donetsk People’s Republic, only released a few items from the alleged cache. In the final days of 2014 and the first days of 2015, Popov released a series of videos and over 5.5 GB of data alleged to come from Ukraine’s Prosecutor-General’s offices.

Over 1.25 GB of Popov’s release allegedly came from Yarema’s system, including over 3,000 emails ranging between 2010 and September 2014. The cache and the accompanying press release accused the prosecutors of corruption and impropriety, some of which involved one Lt. Col. Iegor Bodrov. Bodrov had been arrested on November 25, 2014 (after the email cache cuts off) under the charge of aiding and abetting the pro-Russian terrorist groups known as the DNR and LNR.

According to Popov and the documents he presented, Bodrov had allegedly been framed by Yarema for attempting to expose the prosecutor’s alleged corruption. Popov told Jeffrey Carr that he had worked with Bodrov and seemed determined to either act on his behalf or use him as a prop, uploading videos and transcripts, some of which were reposted by Carr. According to Carr’s report, his coverage of the release and of Bodrov prompted Popov to “help” Carr investigate the Sony hack, though their relationship apparently predated this.

With Popov’s help, Carr issued an unexpected report implicating Russian actors in the hack of Sony’s systems, rather than North Korea. Popov’s only proof for this was his word and a handful of files and emails, several of which Carr was able to verify by contacting individuals who had sent the materials to or received them from Sony. In his reporting on the Sony hack and the alleged involvement of an unnamed FSB contractor, Carr disclosed a significant datapoint: “Yama Tough” had told Carr that he’d done contract work with “both the Russian and Ukrainian governments as well as private companies outside of Russia.” While a self-aggrandizing confession of a con artist cannot be taken as the sole evidence of something, it adds significant weight to the parallels between the methods and targets of Popov and hackers known to be Russian state sponsored actors.

Despite his near total reliance on Popov for this reporting, Carr, who had worked with Popov for years and documented his history of releasing forged documents and false provenance, admitted that Popov might be conning him. “I have not met with the hackers, nor have I communicated them or know for certain that they exist,” Carr told Motherboard. “There is the possibility that Yama is involved and that he pulled the documents himself, but he’s denying that he did. There’s only so much that we know for sure, so we have to trust the information that’s given to us.”

After this, Popov once more retreated into the shadows until November 2015, when NKWT Crew reemerged, claiming credit for several of Popov’s releases. The earliest activity associated with the revived NKWT moniker was a series of defacements by “theneogod” (listed on the site as the “founder”) beginning on October 13, 2015 and ending on December 28th, with 85% of them classified as “mass defacements.” A Twitter account for the handle was created in January 2016 and has remained inactive since then.

While Popov was a con artist and a manipulator, this doesn’t prove that he didn’t work for Russia any more than Hilbert lying when going undercover proves he didn’t work for the FBI. It’s difficult to dismiss his claim to have done contract work with the Russian government. It’s extremely unlikely that Popov would attempt to sell the list of FBI and Secret Service hacker informants to the U.S. government, who would pay for the silence in the hopes of protecting both their reputation and their sources, but not to the Russian government. His ability to target individuals and organizations within Russia and the former Soviet Union can also be seen as an indicator of potential ties to the state and a datapoint that lends credence to his confession.

Popov’s work, conducted under a legion of pseudonyms and legends, drew the attention of law enforcement, intelligence agencies and diplomatic services from across the world. He earned the ire of American, Belarusian, Chinese, Egyptian, Italian, Pakistani, and Ukrainian officials along with other nation-states and numerous corporations. His stated goal was to create conflict and cyberwar between nations using disinformation and false flag attacks. At several points, Popov’s releases ostensibly targeted various Russian interests, which would’ve brought him to the attention of Russia’s security services in the unlikely event they weren’t already watching him.

In addition to the obvious questions of “what was Russia involved in” and “what were Popov’s motives,” the above raises an additional question: “how much did Russia know, and where did they apply this knowledge?” The undeniable similarities between Guccifer 2.0, DCLeaks, CyberBerkut and Popov raise the possibility that Popov’s history helped inform and improve Russia’s future operations.

Regardless of whether the Russian government employed Popov or considered him as a case study when building or operating any of their fronts, the leaked logs show Popov used an FBI informant to arrange early access to files WikiLeaks wouldn’t release for several more months, with the explicit intent of creating disinformation. They also show the two discussing plans for a false flag operation with the explicit goal of starting a cyberwar between nation-states. The logs confirm that they shared resources, and that an FBI informant was promoting and amplifying the work of a former FBI informant/contractor and an alleged Russian contractor, even after the forgeries and infected files in Popov’s releases were brought to Sabu’s attention.

When Sabu was no longer useful to Popov, he continued the masquerade of a hacktivist, but increased his distribution methods. Soon he was not only using file sharing sites, but the “WikiLeaks-like” platform devised by Anonymous, which first made headlines with help from him and one of his caches of documents. While Popov’s motives and the identities of his clients remain murky, one thing is made clear from his forgeries: he wanted to create disinformation that would hurt corporations and nation-states alike. The responses to these releases show that he wasn’t entirely unsuccessful, at least not as far as various intelligence services and diplomatic corps are concerned.

If nothing else, Popov can honestly say he successfully accomplished what few have: he took on both the FBI and the KGB.
