It seems appropriate to convert an old Twitter thread exploring the Department of Homeland Security's response to BlueLeaks into a more accessible and permanent format. Why now? It's been on my endless To Do list for months, given that other journalists haven't examined the documents. But it seems (almost) necessary now, while we explore other pieces of history like Thomas White's early involvement with DDoSecrets, and while outlets like The Verge don't read beyond their own past headlines when summarizing previous coverage of DHS's targeting of DDoSecrets.
We'll start at the end, because that's the part that has been widely reported and is best known: The Verge's 2020 reporting about a DHS bulletin (obtained by Lucy Parsons Labs) dated June 29, 2020, ten days after the release of BlueLeaks. The bulletin opens by accusing Distributed Denial of Secrets (DDoSecrets, or "DDS" as DHS incorrectly abbreviated it) of conducting a "hack-and-leak operation" and calling it "a criminal hacker group."
How it came to this conclusion isn't explained beyond a vague attribution "to initial media and DHS reporting." Unfortunately, the bulletin lacks actual citations, and it's unclear whether that attribution covers the entire paragraph or only the sentence preceding it. The bulletin was equal parts accusation and dead end.
Hundreds of FOIA requests later, thousands of pages about BlueLeaks have been released and can be found on MuckRock, but the relevant ones here come from DHS. Thankfully, some of those memos cite specific sources and include both URLs and timestamps.
This FOIA release (2020-HQFO-01339) includes two key things. The first is an "Initial" "Awareness Message" from June 19, 2020 at 20:31 describing DDoSecrets as a "hacking group." More significantly, it refers to another document about BlueLeaks and DDoSecrets that wasn't included in that release but which was obtained through a follow-up request: MMC IOI #1694-20.
MMC IOI #1694-20 is the earliest known DHS record about BlueLeaks, timestamped June 19, 2020 18:44, predating the Initial Awareness Message above by nearly two hours. It calls DDoSecrets a "hacking group," both citing and largely copying and pasting a rushed tweet from Al Arabiya English.
It took Al Arabiya English less than 24 hours to correct their article to acknowledge that Anonymous was responsible for the hack and that DDoSecrets are publishers. At least ten days later, DHS was still using the inaccurate language from MMC IOI #1694-20 as a template.
Notably, Al Arabiya is owned by the Middle East Broadcasting Center, which is owned by the Saudi government. Which brings us back to the infamous DHS bulletin. In its summary paragraph, it accuses DDoSecrets of hacking the Russian government, when in reality the Dark Side of the Kremlin was a collection of existing material. The source that DHS relied on isn't mentioned until later, where DHS reveals it was Russian media. If DHS had taken the time to consult any American media sources, like The Daily Beast or The New York Times, or even third-party foreign sources like Al Jazeera, it would have found that they make the origins quite clear and name some of the hacktivist groups responsible. DDoSecrets was then, as we are now, a publisher.
In both instances, Homeland Security relied on unreliable foreign media to label DDoSecrets a "hacking group" and continued to rely on those sources' statements well after they had been amended and corrected, or after better sources became available.
Open Source Analysts are meant to produce "results," a pressure that was surely felt more acutely given the subject matter. So results are what the analyst produced, finding and regurgitating a tweet like one bird puking into another's gaping mouth. Unfortunately, this is not the exception for DHS/Fusion Center intel (which is one reason among many why BlueLeaks was important).
I strongly suspect this shaky ground is why the government's interest in DDoSecrets as a target over BlueLeaks seemed to mostly wither and die after some misguided attempts to recruit informants against me. They realized it was based on nothing, and that the seizure of the server in Germany (which according to German officials was done without a warrant or an official request) would prove troublesome.
Certainly, because we are leak publishers, the government wants us and our sources gone. But it was inevitable that they would realize the idea that DDoSecrets are hackers is absurd, because their source, a propaganda outlet on Twitter, recanted.
In short, a low-level analyst at DHS saw a tweet less than two hours after BlueLeaks was announced and made the wrong snap decision. They copied a tweet from a news outlet run by the Saudi government, and at the same time DHS took the reporting of Kremlin-controlled media at face value when it plainly shouldn't have. That was the foundation of DHS's intel for far too long.