The Intercept, Mon, 13 Mar 2023 20:36:59 +0000

Elon Musk Is Still Silencing the Journalists He Banned From Twitter

Tue, 20 Dec 2022 23:01:01 +0000

To you, it looks like Musk unblocked journalists like me. It’s an illusion: The truth is that we are still locked out of our accounts.

The post Elon Musk Is Still Silencing the Journalists He Banned From Twitter appeared first on The Intercept.

Micah Lee's twitter account is seen displayed on a mobile phone screen

Photo Illustration: The Intercept/Getty Images

I’ve been writing critically about billionaire Elon Musk since he took over Twitter — particularly about his “free speech” hypocrisy and his censorship of left-wing accounts. This must have angered him. Last week, he suspended me and eight other journalists from Twitter.

We had all pointed out that Musk censored a Twitter account, @ElonJet, which used public data to post the location of his private jet, but that @ElonJet had moved to rival social networks, like Mastodon, that didn’t censor the account. Musk accused us of “doxxing” him by posting “assassination coordinates” and then tried to blame his outburst on an alleged stalking incident that had nothing to do with the @ElonJet account.

My suspension lasted just a few days before my account was reinstated. When people visit my Twitter profile, it no longer says “account suspended,” and it looks as if I’m back on the platform. Friends and strangers alike have reached out to me saying it’s good to see that I’m back on Twitter. It’s an illusion.

In reality, I’m still locked out of my Twitter account unless I agree to delete a specific tweet at the behest of the billionaire. Several of the other suspended journalists are in the same boat. (Twitter, where the communications team was decimated by Musk’s layoffs, did not immediately reply to a message for comment.)

When I log in to my Twitter account, the site is replaced with the message: “Your account has been locked.” Twitter accuses me of violating its rules against posting private information. (In the 13 years that I’ve used Twitter, I’ve never violated any rules, and my account has never been suspended or locked until now.)

To unlock my account, I must remove the offending tweet, which in my case said, “Twitter just banned Mastodon’s official Twitter account @joinmastodon with 174,000 followers, probably because it tweeted a link to @ElonJet’s Mastodon account. Twitter is now censoring posting the link, but the user is”

remove tweet screenshot

Screenshot: Micah Lee

I didn’t want to bend the knee to the Mad King of Twitter, so I submitted an appeal. “My tweet is about Twitter censoring rival social network Mastodon,” I wrote. “This is suppression of speech that never would have happened before Elon Musk took over.” After two days, I received an update from Twitter: “Our support team has determined that violation did take place, and therefore we will not overturn our decision.”

My alleged offense is that I posted private information to Twitter by linking to @ElonJet’s account on Mastodon or, in my case, mentioning the username and showing the link in a screenshot. This is on its face absurd — I didn’t post private information, much less “assassination coordinates” — but a quick Twitter search for shows that plenty of other accounts have posted this same link yet aren’t locked out.

I’m not the only suspended journalist that’s locked out of my account. Some journalists like Drew Harwell of the Washington Post have written on Mastodon about being locked out. “For anyone wondering,” Harwell wrote, “I’m still unable to access Twitter until I delete this tweet, which is factual journalism that doesn’t even break the location rule Twitter enacted a few days ago.” He appended a screenshot of the tweet.

And in an interview on CNN, Donie O’Sullivan, another suspended journalist, explained that his account is locked as well. “Right now, unless I agree to remove that tweet at the behest of the billionaire, I won’t be allowed to tweet on the platform,” he said. He also submitted an appeal.

Mashable’s Matt Binder was unsuspended following the mass banning, but he wrote on Mastodon that when he wrote to a Twitter official to ask how he had broken company policy, he was then locked out. “Seems they forgot to force me to delete the tweet the first time, like they did the other suspended journalists,” he wrote.

Steve Herman of Voice of America, whose account was also suspended last week, told CNN over the weekend: “When I got up this morning, I saw a bunch of news stories that my account had been reinstated with those of the others. Well, that’s not exactly true.” Herman explained that Musk was demanding he delete three offending tweets, all about @ElonJet.

The New York Times reported that the account of its suspended journalist, Ryan Mac, was also locked, contingent on whether he chooses to delete posts that Twitter flagged as violating rules against posting private information.

Other journalists who were suspended for their @ElonJet-related tweets are now fully back, including Aaron Rupar and Tony Webster.

I personally don’t plan on submitting to Musk’s petty demands. We’ll see if anything changes. In the meantime, you can follow me on Mastodon at, and The Intercept at

Elon Musk Is Taking Aim at Journalists. I’m One of Them.

Fri, 16 Dec 2022 15:45:31 +0000

The tweet — and the journalism — that got me suspended from Twitter.

The post Elon Musk Is Taking Aim at Journalists. I’m One of Them. appeared first on The Intercept.

Elon Musk waves while providing an update on the SpaceX Starship, on Feb. 10, 2022, near Brownsville, Texas.

Photo: Miguel Roberts/The Brownsville Herald via AP

I got suspended from Twitter yesterday. I’m one of at least eight journalists who were casualties of Elon Musk’s “Thursday Night Massacre,” after the billionaire went on a power-hungry suspension spree. Twitter didn’t explain what rules I allegedly broke — but that’s to be expected under the new management, whose transparency has mostly consisted of Musk personally replying to tweets explaining his decision-making. My suspension is likely temporary, or it could be permanent. Who knows?

The suspensions made clear that, with the self-styled “free speech absolutist” at the helm, Twitter users are now subject to arbitrary censorship based on his whims. It all started when Musk suspended @ElonJet, an account that automatically tweeted the location of Musk’s personal private jet, using public flight information, along with college sophomore Jack Sweeney, who created that account. Musk then revised Twitter’s policy to justify his decision.

This sudden change to Twitter’s rules undercut a pledge Musk had made just six weeks earlier, when he tweeted, shortly after purchasing Twitter for $44 billion: “My commitment to free speech extends even to not banning the account following my plane.”

Shortly before I was suspended, I posted about Twitter banning the account of a competitor, Mastodon. Mastodon is a decentralized social network where millions of Twitter users have fled since Musk’s purchase. Before it was banned, Mastodon’s pinned tweet read, “At Mastodon, we present a vision of social media that cannot be bought and owned by any billionaire.”

As far as I can tell, Twitter probably banned Mastodon’s account because it had tweeted, “Did you know? You can follow @ElonJet on Mastodon over at” My tweet pointed out this latest example of Twitter censorship. Here’s what it said:


Screenshot: Micah Lee/The Intercept

Then, after @ElonJet and reporters who wrote about it were suspended from the platform, Musk claimed that Sweeney and the journalists who reported on the account had “posted my exact real-time location, basically assassination coordinates.”

Musk also briefly joined a public Twitter Spaces audio discussion on Thursday night, which included Sweeney and at least two of the tech journalists suspended for reporting on the suspension of his accounts. Twitter’s owner insisted that he had been “doxxed” by the @ElonJet account and said that he would ban “so-called journalists” who provided links to other sites where the flight-tracking information showing his private jet’s location could be found.

Musk’s claim that he had been doxxed was challenged by Drew Harwell, a Washington Post reporter whose account was suspended for reporting on the @ElonJet account. When Harwell said that he had never shared Musk’s address, Musk suggested that any link to the flight-tracking data was the same as giving out his address. Musk abruptly left the chat after Harwell pointed out that Twitter had blocked links to the flight-tracking data on Instagram and Mastodon, “using the same exact link-blocking technique that you have criticized as part of the Hunter Biden New York Post story in 2020.”

I’ve spent the last month writing articles that point out Musk’s hypocrisy as someone who promised to be “fighting for free speech in America.” While my reporting may not have provided the direct impetus for my suspension, it’s clear Musk was taking aim specifically at journalists who have covered him critically. And the best response to that is to read the work that billionaires would prefer you don’t:

Distributed Denial of Secrets

In November, I wrote about how even though Musk restored popular far-right accounts like Donald Trump and Marjorie Taylor Greene, he refused to restore the account of Distributed Denial of Secrets or to stop suppressing links to its website. DDoSecrets is a nonprofit transparency collective that distributes leaked and hacked documents to journalists and researchers. (I’m an adviser to DDoSecrets.)

During the Black Lives Matter protests in the summer of 2020, DDoSecrets published BlueLeaks, a leak of documents from over 200 law enforcement agencies that revealed police misconduct, including spying on activists. In response to apparent law enforcement pressure, Twitter permanently banned @ddosecrets and suppressed all links to

The censorship of DDoSecrets is still happening today, two and a half years later.

Silencing of Left-Wing Voices

Two weeks ago, my Intercept colleague Robert Mackey and I wrote about how prominent left-wing accounts were kicked off Twitter after Musk personally invited Andy Ngo, the far-right writer and conspiracy theorist who popularized the myth that “antifa” is a secret army of domestic terrorists, to tell him which accounts to ban.

Twitter suspended the accounts of the antifascist researcher Chad Loder and the video journalist Vishal Pratap Singh. Twitter also suspended the account of the Elm Fork John Brown Gun Club, an antifascist group that provides armed security for LGBTQ+ events in North Texas, and CrimethInc, an anarchist collective that has published and distributed anarchist and anti-authoritarian zines, books, posters, and podcasts since the mid-1990s.

None of these accounts violated Twitter’s rules.

Covid-19 Misinformation

Yesterday, the same day I was suspended from Twitter, I wrote about how convicted U.S. Capitol insurrectionist Simone Gold, founder of the vaccine disinformation group America’s Frontline Doctors, offered to help Musk assemble a team of doctors to fact-check medical information on Twitter.

While the article was mostly about the ludicrous alternate reality of Covid deniers, it also pointed out various ways Musk himself has allowed Covid misinformation to flourish on Twitter. This includes Twitter restoring the accounts of two prominent anti-vaccine doctors, each with over half a million followers, and one of whom falsely claimed that Covid-19 vaccines are “causing a form of AIDS.” It also details some of Musk’s own history with Covid misinformation, such as when he falsely claimed that “kids are essentially immune” to Covid, or when he promoted the discredited drug hydroxychloroquine as a Covid cure.

Maybe my Twitter account will become live again at some point. But for now, you can find me on Mastodon.

Covid Disinformation Doctor Wants to Help Elon Musk Do Medical Fact-Checks on Twitter

Thu, 15 Dec 2022 18:35:46 +0000

Convicted U.S. Capitol insurrectionist Simone Gold offered her vaccine disinformation group America’s Frontline Doctors for the job.

The post Covid Disinformation Doctor Wants to Help Elon Musk Do Medical Fact-Checks on Twitter appeared first on The Intercept.

Dr. Simone Gold, a convicted U.S. Capitol insurrectionist and the founder of the vaccine disinformation group America’s Frontline Doctors, has offered to help Elon Musk assemble a team of doctors to fact-check medical information on Twitter.

“If you would like to put together a group of honest, brilliant, courageous doctors to ‘fact check,’ then I would be glad to assist you,” wrote Gold in a December 5 letter to Musk that she shared with her 587,000 Twitter followers and over 1 million email subscribers. “Medicine will not advance unless unbiased scientists are able to resist special interest groups and the media.”

Gold is the ringleader of a network of right-wing health-care providers that have made millions selling so-called alternatives to vaccines, like ivermectin and hydroxychloroquine, which have been repeatedly discredited as treatments for Covid. Gold has referred to Covid-19 vaccines as “experimental biological agents.” She’s also currently in a legal fight with AFLDS and its board chair who are suing her, alleging extravagant spending and that she lives rent-free in a $3.6 million house bought with AFLDS charity funds.

Gold’s appeal to Twitter’s owner was not in response to any public plans to create a medical fact-checking team — Musk hasn’t said anything along those lines. Rather, billionaire Mark Cuban tweeted a suggestion to Musk, and a cryptocurrency influencer who noticed that Musk liked that tweet announced it as breaking news.

Cuban suggested that Musk compile a Twitter list of doctors to participate in public polls on issues like vaccine safety and masking. Musk liked Cuban’s tweet. Cuban did not advocate for fact-checking medical information being shared on Twitter. But Matt Wallace, who charges between $19.99 and $299.99 a month to teach “the art of crypto trading,” then posted “breaking” news that Musk “is considering putting together a team of medical experts to fact check all the false things government officials have been saying!” When asked by a Twitter user whether the information was verified, Wallace cited Musk’s like of Cuban’s tweet. Wallace’s tweet has gotten almost 200,000 likes.

Misinformation Run Amok

While there’s little evidence that Musk plans to convene the fact-checking team, he has already made decisions that enable the spread of Covid misinformation on Twitter. In fact, one of Musk’s first changes after taking over Twitter was to scrap the site’s Covid misinformation policy — essentially removing Twitter’s existing fact-checking system for medical information. Twitter’s Trust and Safety team, which is responsible for moderating misinformation, has also been depleted by layoffs and mass resignations.

Musk also immediately restored accounts that were banned for Covid misinformation, including Georgia Rep. Marjorie Taylor Greene’s personal account. Throughout the pandemic, the Republican lawmaker repeatedly posted false information to her hundreds of thousands of followers, including that Covid vaccines are deadly and that ivermectin, an anti-parasitic drug primarily used to treat livestock, is a miracle cure for Covid-19.

On Monday, Musk’s Twitter restored the accounts of prominent doctors known for spreading Covid misinformation. One was Peter McCullough, a doctor whose former employer sued him for claiming to represent them while giving interviews encouraging people not to get vaccinated and falsely claiming that 50,000 people had died from Covid-19 vaccines. The other is Robert Malone, a doctor who participated in early mRNA vaccine research 30 years ago, but more recently falsely claimed that the vaccines are “causing a form of AIDS.” After Malone did an interview on Joe Rogan’s podcast, 270 physicians, scientists, and academics wrote an open letter to Spotify, which exclusively hosts the podcast, demanding that the audio streaming service “immediately establish a clear and public policy to moderate misinformation.”

Since being reinstated, McCullough, who has 640,000 followers, and Malone, who has 686,000 followers, are both already back to spreading discredited conspiracy theories about Covid.

Musk himself has also frequently tweeted Covid misinformation and antagonized evidence-based health-care professionals. Over the weekend, Musk flirted with the anti-vaccine crowd by tweeting, “My pronouns are Prosecute/Fauci” — an apparent call to prosecute the chief medical adviser to the president, Anthony Fauci, mixed with some transphobia for good measure. The refrain to take Fauci to court for how he managed the pandemic is popular on the far right.

Musk’s spread of false information goes back to the beginning of the pandemic. On March 19, 2020, he predicted that “based on current trends, probably close to zero new cases in US too by end of April” and falsely claimed that “kids are essentially immune.” According to data from the Centers for Disease Control and Prevention, by the end of April 2020, there were nearly 200,000 weekly new cases and more than 64,000 Americans had died from Covid. Over a million more Americans have died from Covid since then.

Musk has also promoted hydroxychloroquine, an anti-malaria drug that’s also used to treat autoimmune diseases like lupus, as a miracle cure for Covid-19. Like ivermectin, hydroxychloroquine is ineffective at preventing or treating Covid-19.

“Freedom Physicians”

This brings us back to Gold and America’s Frontline Doctors. In September 2021, The Intercept obtained hacked data revealing that AFLDS and a small network of telehealth companies convinced tens of thousands of people to spend at least $15 million on phone consultations and prescriptions for ivermectin and hydroxychloroquine. This reporting contributed to a congressional investigation into AFLDS.

In Gold’s letter to Musk, she says she works with “freedom physicians across the nation and world.” Gold launched AFLDS with a July 2020 press conference on the steps of the Supreme Court, where she and other “freedom physicians,” wearing white lab coats, promoted fake remedies for Covid and opposed public health measures like masking and lockdowns. Then-President Donald Trump shared videos of the event, which were viewed millions of times before Twitter and Facebook took them down for violating Covid misinformation policies.

One of the doctors at Gold’s side, Stella Immanuel, has claimed that people develop gynecological problems like cysts and endometriosis after having sex in their dreams with demons and witches.

Also at the event was Dr. Joseph Ladapo, Florida Gov. Ron DeSantis’s surgeon general. Ladapo has been accused of misrepresenting his experience treating Covid patients at UCLA, argued for “herd immunity” by letting Covid spread completely unchecked, and falsely claimed that Covid-19 vaccines are dangerous. Ladapo’s anti-science op-eds for the Wall Street Journal caught the attention of DeSantis, who subsequently hired him as Florida’s top health-care official, according to the Washington Post. In March, Florida became the first state to defy CDC guidance when Ladapo said that healthy kids don’t need to get vaccinated for Covid.

In addition to running an organization dedicated to medical disinformation, Gold faces allegations from her own organization over a misuse of funds. While Gold served two months in prison for storming the U.S. Capitol on January 6, 2021, AFLDS’s board audited her use of its funds. A lawsuit filed last month alleges that she lives rent-free in a $3.6 million mansion purchased using AFLDS charity funds in Naples, Florida. Her boyfriend, John Strand, a former underwear model who hosts misinformation videos for AFLDS and is facing 24 years in prison for his role in the insurrection, lives with her. The lawsuit accuses Gold of using AFLDS’s money to spend $12,000 a month on a bodyguard, $5,600 a month for a housekeeper, and $50,000 a month on credit card expenses, as well as purchasing three cars, including a Mercedes-Benz, and taking unauthorized flights on private jets, including a single trip that cost $100,000.

“Just as the mother lioness will not let her baby lion be murdered, neither will I,” Gold wrote in an email demanding that three AFLDS board members resign, which was made public as an exhibit in the lawsuit.

On December 6, a federal judge dismissed the lawsuit for lack of jurisdiction, making it clear that the court didn’t consider the accusations. Neither side could make a convincing argument for whether AFLDS is based in Florida or Nevada.

Since taking over Twitter, Musk has dismantled the infrastructure that prevented users from lying about vaccine safety or profiting off fake treatments for Covid-19 — things that Gold has built her recent career doing. If Musk put her in charge of a new medical fact-checking team, it would be like putting a lioness in charge of protecting gazelles.

Left-Wing Voices Are Silenced on Twitter as Far-Right Trolls Advise Elon Musk

Tue, 29 Nov 2022 17:20:17 +0000

Elon Musk appears to have outsourced decisions about who to ban from Twitter to the platform's right-wing extremists.

The post Left-Wing Voices Are Silenced on Twitter as Far-Right Trolls Advise Elon Musk appeared first on The Intercept.

Elon Musk claims to be “fighting for free speech in America” but the social network’s new owner appears to be overseeing a purge of left-wing activists from the platform.

Several prominent antifascist organizers and journalists have had their accounts suspended in the past week, after right-wing operatives appealed directly to Musk to ban them and far-right internet trolls flooded Twitter’s complaints system with false reports about terms of service violations.

As the Los Angeles City Councilmember Mike Bonin noted on Twitter, the suspended users include Chad Loder, an antifascist researcher whose open-source investigation of the U.S. Capitol riot led to the identification and arrest of a masked Proud Boy who attacked police officers. The account of video journalist Vishal Pratap Singh, who reports on far-right protests in Southern California, has also been suspended.

Among the other prominent accounts suspended were the Elm Fork John Brown Gun Club, an antifascist group that provides armed security for LGBTQ+ events in North Texas, and CrimethInc, an anarchist collective that has published and distributed anarchist and anti-authoritarian zines, books, posters, and podcasts since the mid-1990s.

All four accounts had been singled out for criticism by Andy Ngo, a far-right writer whose conspiratorial, error-riddled reporting on left-wing protests and social movements has fueled the mass delusion that antifa is not just a handful of small antifascist groups that counter right-wing threats, which it is, but a shadow army of domestic terrorists, which it is not. Musk is apparently among those who have mistaken Ngo’s largely fictional reporting for fact. In a public exchange on Twitter on Friday, Musk invited Ngo to report “Antifa accounts” that should be suspended directly to him.

“Andy Ngo’s bizarre vision of ‘antifa’ seems to be the metric used to delete the accounts of journalists and publications, most of which engaged in verifiably good journalism and done so completely above board and TOS observant ways,” Shane Burley, editor of the anthology “¡No Pasarán!: Antifascist Dispatches From a World in Crisis,” observed on Twitter. “Paranoid delusions about antifa are driving it.”

As The Intercept reported last year, Ngo had previously tried and failed to have Loder suspended from Twitter, and also joined a botched attempt to have a court order the researcher to stop tweeting about one of the Proud Boys who took part in the Capitol riot.

In a phone interview on Monday, Loder, a tech company founder and cybersecurity expert, told The Intercept that their @chadloder account was initially suspended last week about 90 minutes after Musk had replied to Ngo on Twitter. After briefly regaining access to the account, Loder was suspended again and accused by Twitter of having used another account to evade the ban.

Loder said that they do have access to another dormant account, @masksfordocs — which was set up in early 2020 as part of an effort by a group of activists to donate N95 masks to doctors during the first months of the Covid-19 pandemic — but had not used it for ban evasion. (Ngo had drawn attention to the @masksfordocs account on Twitter, describing it as Loder’s “alt.”)

“What I believe happened is that I and other accounts have been mass reported for the last few weeks by a dedicated group of far-right extremists who want to erase archived evidence of their past misdeeds and to neutralize our ability to expose them in the future,” Loder said. “What I suspect happened is that Twitter’s automatic systems flagged my account for some reason and no human being is reviewing these.”

Since Loder’s account was on a list being passed around by right-wing activists as part of a coordinated campaign to mass-report fabricated violations by left-wing Twitter users, it could have been suspended as a result of that activity. Loder shared screenshots with The Intercept showing that Telegram channels with tens of thousands of followers, including QAnon adherents and Proud Boys, had coordinated a spate of complaints about Loder’s tweets and celebrated Loder’s suspension.

Although Twitter’s Trust and Safety team was made aware of the organized false-reporting campaign against Loder earlier this month — and such coordinated bulk reporting and false-flagging of accounts are violations of Twitter’s pre-Musk policy against “platform manipulation” — that team was subsequently depleted by mass resignations on November 17.

Still, in a post on the open-source social network Mastodon, Loder joked about the idea that Musk was simply doing Ngo’s bidding.

No Longer Viable

Whatever the reason for the suspension, Loder said it’s clear that Twitter is “no longer a viable platform” for antifascist and security researchers.

“If I get my account back,” Loder said, “it’s only a matter of time before I get mass reported again.”

Loder, who has shifted to Mastodon, said that for social networks, “the product you’re selling is content moderation.” Now that Musk appears to be reworking content moderation to tilt the playing field in favor of far-right extremists, Loder added, Twitter “is going to turn into Gab with crypto scams.”

Loder also said that some of the right’s criticism of content moderation decisions made by pre-Musk Twitter was fair. “I also agree that Twitter shouldn’t have censored the Hunter Biden laptop story,” Loder said. “We just don’t want outright Nazis posting our home addresses.”

But, Loder said, the sweeping changes made by Musk, like the increased tolerance for far-right hate speech, mean that Twitter will probably keep functioning as a website and an app for some time, but be slowly hollowed out as a place to find varying views on matters of public importance, or a space for online organizing against far-right extremism.

“Twitter is communities of people who choose to organize online,” Loder said, noting how the site has been used by labor organizers and racial justice protesters in recent years to drive real-world change, and by the so-called sedition hunters who have used the platform to crowd-source visual investigations to identify rioters who took part in the failed coup at the Capitol in Washington on January 6, 2021.

Twitter was a place where communities could gather, despite harassment, because the worst hate speech was banned through content moderation. “Musk has made it clear that’s no longer part of the product,” Loder said. “The entire Twitter information security community has moved to Mastodon.” Some activists who helped create Black Twitter are already talking about how to rebuild their community on that site too.

“Twitter was never a healthy ‘public square’ for most of us. Let’s not rewrite history while eulogizing the hellsite,” Loder wrote on Mastodon on Sunday. “Twitter was a frightening battleground where we managed barely to claw out an uneasy existence amidst the worst violent neo-Nazi extremists who constantly published our home addresses, threatened our kids’ lives, and sent hordes of racist trolls into our mentions.”

On Mastodon, they added, “The same principles that allowed us to survive uneasily on Twitter will be required here. Community defense, thoughtful pressure on moderation policies, and eternal vigilance. There are no safe spaces but those we make safe through constant effort. We keep us safe.” Twitter, Loder says, will take a long time to die and disappear entirely, “like a rotting whale carcass.”

Broken Links

“I’ll have to repair nearly every article I’ve ever written since my tweets got wiped out,” journalist and videographer Vishal Singh wrote on Mastodon on Monday, after being banned from Twitter. “Hundreds of articles written by countless journalists used my tweets. From all sides of the political spectrum. Academic papers that cited my tweets. These links and embeds are now all broken.”

Days before Singh’s account was suspended, Ngo had posted screenshots of some of the journalist’s angry tweets along with this misleading, factually incorrect summary: “Vishal Singh, an #Antifa far-left violent extremist in Los Angeles who identifies as a journalist, is calling for deadly violence again.” Singh is a left-wing journalist but did not call for violence in the tweets shared by Ngo, and is not violent. Last year, after Singh was attacked twice by far-right anti-vaccine protesters and lashed out in self-defense, Ngo posted a misleadingly captioned video and falsely accused Singh of being the aggressor.

On Mastodon, Singh shared screenshots of emails from Twitter, showing that while reports had been filed against their account for the same tweets that Ngo had posted as screenshots, the company concluded that none of those tweets violated official policies.

On Monday, Singh was also suspended from Instagram. “The mass false report campaign by the far-right has not stopped against my social media accounts,” they wrote on Mastodon. “The goal is to suppress all of my journalism.”

Last Friday, Twitter also suspended the account of CrimethInc, an anarchist collective and publisher. The group takes its name from “thoughtcrime,” a term coined by George Orwell in the dystopian novel “1984.”

In the 14 years that CrimethInc has been on Twitter, the account has never violated Twitter policies and has never been suspended. This changed last week after a Twitter exchange between Musk and Ngo.

Ngo asked Musk to suspend the CrimethInc account, calling it an “Antifa collective” and falsely claiming the group had “claimed a number of attacks.” Within hours of Ngo’s request to Musk, and without citing any specific violations of policies, Twitter suspended the @crimethinc account.

After the CrimethInc suspension, Ngo claimed, with typically wild and incorrect hyperbole, that the “group operates like ISIS: makes propaganda & training material to radicalize militants toward violence.” He also complained that a dozen affiliated accounts had not yet been suspended. Three days later, almost all of the additional accounts Ngo pointed to had also been suspended by Twitter.

“Musk’s goal in acquiring Twitter had nothing to do with ‘free speech’ — it was a partisan move to silence opposition, paving the way for fascist violence,” CrimethInc said in a statement sent to The Intercept.

The collective also explained that, on the morning of the suspension, it received an email from Twitter saying the company had “received a complaint regarding your account,” but had “investigated the reported content and have found that it is not subject to removal under the Twitter Rules.”

The group said it had received no further emails from Twitter to explain or justify the ban. “This suggests that the decision to ban our account shortly thereafter was dictated by Musk himself, without regard for the Twitter Rules or any other protocol other than his own apparent allegiance to the far right.”

Twitter did not respond to a request for comment.

As the investigative journalist Steven Monacelli reported last week, two days after a gunman killed five people and injured 25 others in a mass shooting at Club Q, an LGBTQ+ nightclub in Colorado Springs, Twitter suspended the account of the Elm Fork John Brown Gun Club, an antifascist group in Texas that provides armed security for LGBTQ+ gatherings.

The John Brown Gun Club — named after the white abolitionist leader John Brown who, in 1859, led an armed anti-slavery revolt — assists marginalized communities in defending themselves against white supremacist violence. LGBTQ+ events in Texas, such as a family-friendly drag brunch Monacelli covered in August, frequently attract the attention of armed far-right protesters from the Proud Boys and neo-Nazi groups like Patriot Front and Aryan Freedom Network.

Twitter’s reason for suspending the account, according to the suspension report, was two tweets that supposedly violated Twitter’s rules against “hateful conduct.” One was a reply to a U.S. Customs and Border Protection tweet with the text “@CBP Mugging at gun point,” and another was a joke about pronouns with the text “Every queer a riflethem.” Without being willfully misread or taken out of context, neither of those tweets constitutes hateful conduct.

Since its Twitter account was suspended last week, the Elm Fork John Brown Gun Club has been tweeting from a separate account, @elmforkJBGC, which has not yet been suspended. The group has also started posting on Mastodon.

“The irony isn’t lost on us that our suspension coincides with a coordinated effort to reinstate the most vile antisemitic, transphobic hate accounts,” the Elm Fork John Brown Gun Club said in a statement to The Intercept. “Whether this is an indication of the future of leadership of Elon Musk’s running of Twitter, we cannot say but we can say that the timing and reasoning is deliberate and targeted.”

Updated: November 29, 2022, 6:05 pm ET
This article was updated to add a quote from Chad Loder in which the antifascist researcher criticized Twitter for having blocked links to a report on Hunter Biden’s laptop before the 2020 presidential election. 

The post Left-Wing Voices Are Silenced on Twitter as Far-Right Trolls Advise Elon Musk appeared first on The Intercept.

]]> 0
<![CDATA[Elon Musk’s “Free Speech” Twitter Is Still Censoring DDoSecrets]]> Tue, 22 Nov 2022 17:00:14 +0000 Twitter has censored the website of nonprofit transparency collective Distributed Denial of Secrets for more than two years.

The post Elon Musk’s “Free Speech” Twitter Is Still Censoring DDoSecrets appeared first on The Intercept.

Shortly after firing Twitter employees who criticized him on social media as well as privately on the company’s Slack, self-proclaimed “free speech absolutist” Elon Musk began reversing Twitter suspensions of prominent right-wing accounts that had previously violated Twitter’s policies. These include the accounts of former President Donald Trump, who incited a violent insurrection; Georgia Rep. Marjorie Taylor Greene, who repeatedly spread Covid-19 misinformation; and Project Veritas, which posted private information about a Facebook exec.

Musk has not, however, reversed the suspension of Distributed Denial of Secrets, the nonprofit transparency collective that distributes leaked and hacked documents to journalists and researchers. During the Black Lives Matter protests in the summer of 2020, DDoSecrets published BlueLeaks, a set of documents from over 200 law enforcement agencies that revealed police misconduct, including spying on activists. Revelations from BlueLeaks were widely reported in outlets including The Intercept, The Associated Press, The Guardian, The Daily Dot, The Hill, Business Insider, The Nation, Mashable, The Daily Beast, and Reuters. (I’m an adviser to DDoSecrets.)

In response to apparent pressure from law enforcement, Twitter not only permanently suspended the @DDoSecrets account, citing its policy against distributing hacked material, but also took the extraordinary step of preventing users from posting links to the DDoSecrets website. If you try tweeting DDoSecrets links or even sending them to someone in a direct message, Twitter shows the error message: “We can’t complete this request because this link has been identified by Twitter or our partners as being potentially harmful. Visit our Help Center to learn more.”

The DDoSecrets website has never been malicious or harmful; rather, it’s a vital resource for journalists, researchers, and the public. In order to censor links to the site, Twitter relied on a security feature that was designed to block actual malicious links, such as scams or sites trying to trick visitors into installing viruses.

Twitter’s link-blocking policy states that it may block websites that distribute hacked material, but this policy has never been consistently enforced. Links to WikiLeaks, for example, have not faced similar censorship, despite that site hosting troves of data hacked from Hillary Clinton’s 2016 presidential campaign as well as a dataset of CIA hacking tools known as Vault 7.

The most high-profile case of Twitter enforcing this policy was in October 2020, three weeks before the election, when the New York Post published a story based on documents stolen from Hunter Biden’s laptop. Citing its hacked material policy, Twitter blocked access to the article in question. But the decision was short-lived: After two days of Republican outrage and accusations of censorship, Twitter reversed course and restored access to the article. The incident is still a popular talking point in conservative media about Big Tech censorship.

But while Twitter censored a New York Post article for two days, the entire DDoSecrets website has been censored for nearly two and a half years, and there’s no sign that this will change any time soon. Twitter did not respond to questions about the company’s censorship of DDoSecrets.

Here are a few of the datasets that DDoSecrets has published while it has been censored by Twitter:

  • Over a million videos scraped from Parler, the far-right social network that anti-democracy activists used to organize the January 6 riot at the U.S. Capitol. Videos from this dataset were used as evidence in Trump’s second impeachment inquiry.
  • Emails, chat logs, donor lists, and membership records for the Oath Keepers, the far-right militia that participated in the January 6 attack. This dataset exposed hundreds of current and former law enforcement officers, members of the military, and elected officials as members of the extremist group. It was covered by news outlets including the Washington Post, ProPublica, NPR, BuzzFeed News, Rolling Stone, and Ars Technica.
  • Dozens of datasets containing terabytes of data hacked from Russian corporations and government agencies in the aftermath of Russia’s invasion of Ukraine. The Intercept is part of an international consortium of newsrooms investigating the Russian documents and has published new information based on the leaks about Yevgeny Prigozhin, the Russian oligarch and Vladimir Putin ally who founded the infamous mercenary company known as the Wagner Group.
  • Six terabytes of emails from the Mexican government agency in charge of the military, Secretaría de la Defensa Nacional. This dataset has been covered by dozens of Spanish-language news outfits.

Despite Musk’s lip service in support of free speech, for some reason he’s only ever expressed an interest in restoring the accounts of people on the far-right who are known for posting conspiracy theories or inciting violence.

]]> 0
<![CDATA[Liberty Counsel’s Donor Records and Pro-Trump Election Messaging Exposed in Data Breach]]> Thu, 25 Aug 2022 11:00:40 +0000 Thanks to its tax status, the Southern Poverty Law Center-designated hate group has largely avoided public scrutiny.

The post Liberty Counsel’s Donor Records and Pro-Trump Election Messaging Exposed in Data Breach appeared first on The Intercept.

Liberty Counsel, an evangelical Christian nonprofit that provided a brief cited by the Supreme Court in its decision to overturn Roe v. Wade, has been hacked, revealing a 25-gigabyte internal database that contains nearly seven years’ worth of donor records. The hacker, who identifies with the Anonymous movement, released the data on the hacktivist site Enlace Hacktivista, and the transparency collective Distributed Denial of Secrets is providing it to journalists who request access.

“Noticing a worrying trend of far-right and anti-abortion activists aligning themselves with the evangelical Christian movement, hiding their funding sources behind laws that allow church ministries to keep their donations secret,” the hacker wrote in a press release, “we decided to bring about some much-needed radical transparency.”

In addition to fighting abortion, Liberty Counsel — a Southern Poverty Law Center-designated hate group — has focused its legal efforts on challenging LGBTQ+ rights and vaccine mandates in the name of religious freedom. Because it is registered with the IRS as an “association of churches,” Liberty Counsel is not required to file a public tax return, meaning that its finances are largely shielded from the scrutiny applied to other tax-exempt organizations.

The hacked data includes content from Liberty Counsel’s website, emails the group sent to its supporters, and documentation of about $12 million in donations from some 44,000 donors since 2015. These donations, limited to those tracked on Liberty Counsel’s digital platform, represent only a portion of those the organization receives.

The records show that 501(c)(3) nonprofit organizations controlled by Liberty Counsel encouraged supporters to vote for former President Donald Trump despite IRS rules that prohibit such entities from directly or indirectly endorsing candidates for political office. They also reveal how Liberty Counsel has skillfully employed misinformation and partisan polarization over election integrity and the Covid-19 pandemic to build its email list and raise millions of dollars in small contributions — and done so at a breakneck pace since November 2020.

Liberty Counsel did not respond to multiple requests for comment for this article.

Apart from Liberty Counsel’s data, the hack includes another 425 gigabytes of records from dozens of Christian organizations that used the same customer relationship management software, many of them mission agencies aimed at converting humanity to Christianity.

The Guise of Religious Liberty

After the Supreme Court overturned Roe, Peggy Nienaber, vice president of Liberty Counsel’s Faith & Liberty ministry, was caught on a hot mic at an evangelical victory party bragging that her ministry prayed with sitting Supreme Court justices. Nienaber’s claim, first reported by Rolling Stone, suggested a troubling conflict of interest, considering that the court cited a Liberty Counsel brief in its decision to end 50 years of constitutional protection for abortion.

Faith & Liberty denied that it prayed with members of the court, claiming that the incidents described took place before Liberty Counsel acquired the ministry.

Mat Staver, Liberty Counsel’s founder and chair, has said that he went to law school to further the “pro-life” cause. The organization’s amicus brief in Dobbs v. Jackson Women’s Health Organization, filed on behalf of a group of religious organizations, was a work of dubious scholarship that argued that abortion is a racist tool of eugenics.

Liberty Counsel has also defended so-called sidewalk counselors, who troll outside abortion clinics creating a hostile environment for those seeking care, and challenged the Freedom of Access to Clinic Entrances Act, enacted in the wake of the 1993 murder of Florida abortion provider Dr. David Gunn.

Liberty Counsel’s virulently anti-LGBTQ+ rhetoric and efforts to legalize discrimination in the name of religious freedom led the Southern Poverty Law Center to designate it as a hate group. “The organizations on our hate group list vilify others because of their race, religion, ethnicity, sexual orientation, or gender identity — this includes Liberty Counsel and their vilification of LGBTQ+ people,” said Rachel Carroll Rivas, interim deputy director of research for the SPLC’s Intelligence Project.

Rowan County Clerk Kim Davis, center, with Republican presidential candidate Mike Huckabee, left, and Liberty Counsel Chair Mat Staver, right, greets a crowd after being released from the Carter County Detention Center on Sept. 8, 2015, in Grayson, Ky.

Photo: Timothy D. Easley/AP

Staver has advocated criminalizing homosexuality with harsh punishments as well as “curing” LGBTQ+ people, “a practice that has been condemned by every major medical and mental health organization in the country,” according to the Human Rights Campaign. Liberty Counsel fought against anti-LGBTQ+ hate crime legislation, calling it a “radical homosexual anarchist agenda.” After the Supreme Court legalized gay marriage in 2015, Liberty Counsel represented Kim Davis, a county clerk in Kentucky who refused to issue a marriage license to a gay couple.

More recently, Liberty Counsel has been involved in other right-wing causes. The day after the deadly January 6, 2021, attack on the U.S. Capitol, Staver sent an email to supporters stating that “our research and legal staff have been deeply engaged in stopping the steal of our 2020 elections.” The email, later published as a blog post, stressed that Trump could remain in power if God intervened: “We know God can intervene and turn what looks like a hopeless cause into a miraculous victory!”

During the pandemic, Liberty Counsel lawsuits successfully forced Louisiana State University’s School of Dentistry and Loyola University to abandon their vaccine mandates on religious freedom grounds. Liberty Counsel is currently suing the U.S. government over the military’s vaccine mandate.

Election Intervention

Liberty Counsel, a 501(c)(3) nonprofit, serves as an umbrella to a number of smaller groups, including Liberty Counsel Action, Faith & Liberty, and Christians in Defense of Israel, all of which share the same hacked database. Of these, only Liberty Counsel Action, a 501(c)(4), has an IRS status that allows it to endorse or oppose candidates for office.

While churches and other 501(c)(3) organizations are allowed to take stands on issues like abortion, same-sex marriage, and gun control, the IRS’s Internal Revenue Code prohibits these organizations from engaging in political campaign activity. “Because the IRS has not been very diligent in enforcing the law, many 501(c)(3) groups are pushing the envelope when it comes to politics,” Rob Boston, a senior adviser at Americans United for Separation of Church and State, told The Intercept.

After reviewing the email newsletters and blog posts in the Liberty Counsel data, The Intercept found communications in which both Faith & Liberty and Christians in Defense of Israel encouraged their supporters to vote for Trump during the 2020 election.

“Today could be a turning point in the history of America. In this great country we have the freedom to vote,” a Faith & Liberty newsletter from Election Day 2020 stated. “A great responsibility rests on our shoulders. Our decision will determine who will nominate judges, and so much more.” The email went on the offensive against then-candidate Joe Biden, referencing reporting from right-wing media about the contents of Hunter Biden’s laptop. It claimed that Biden used “American tax-dollars to bribe foreign nationals to protect his son’s behavior” and “felt so comfortable with this level of corruption that he even bragged about it, on camera.”

During the two weeks before Election Day, Christians in Defense of Israel, also a 501(c)(3), was even more explicit in a series of newsletters. The emails, which promised that a second Trump term would bring peace to the Middle East, outlined points made by David Friedman, the Trump-appointed former U.S. ambassador to Israel. Friedman was also an adviser to Trump’s 2016 election campaign and had previously represented the Trump Organization as a bankruptcy lawyer.

“Israeli Jews support President Trump, because they know under a Trump administration, America has Israel’s back … and peace in the Middle East is on the near horizon,” one of the emails said. “But only if Donald Trump wins. As U.S. citizens, our vote this election will greatly affect Israel’s future, according to the ambassador.” Another email warned that “on November 3, the Holy Land is counting on YOU to choose the presidential candidate who will support Israel and complete the work of achieving peace in the Middle East.”

“Some groups will attack a candidate in harsh terms but stop short of telling people not to vote for him/her,” Boston said. “I would interpret this as an obvious backdoor attempt to intervene in an election, but I’m not aware of the IRS interpreting the law that strictly.”

Behind the Scenes

Liberty Counsel’s website is based on the customer relationship management software Site Stacker, which is developed by WMTEK, a company that builds software and services exclusively for Christian nonprofits. WMTEK claims that 33 percent of Christian mission agencies use Site Stacker.

The Anonymous hacker first discovered vulnerabilities in Liberty Counsel’s Site Stacker website — among them, an administrator user who worked for WMTEK used the password “Password1” — and then realized that the rest of WMTEK’s clients were also vulnerable. So the hacker made off with membership and donor records for more than 90 other Christian nonprofits.

In all, the data shows donations to the organizations totaling over $748 million from roughly 409,000 donors, the earliest dating to September 2015. It also includes private information like names, addresses, and phone numbers for about 1.3 million people.

“We have initiated a forensic investigation into these claims,” Dan Pennell, WMTEK’s CEO, told The Intercept in response to questions about the hack. “We will be unable to comment further until we conclude our investigation.”

The security lapses weren’t limited to WMTEK. The hacked data set includes the Site Stacker source code as well as 46 gigabytes of files that were publicly available on Liberty Counsel’s website. The Intercept discovered a folder within these files containing 100 photos of U.S. passports and confirmed that these images were publicly accessible with the right web address — poor protection for such sensitive documents.

While Liberty Counsel is best known for legal battles over abortion and LGBTQ+ rights, the hacked data shows more than $1.6 million in donations resulting from petition and fax campaigns built around dubious claims about the pandemic and election integrity. These campaigns — from Liberty Counsel and its 501(c)(4) affiliate, Liberty Counsel Action — drew more than 15,000 unique donors.

The largest petition included in the data set, launched on the eve of Biden’s inauguration, makes no mention of religion: It warns of “giant pharmaceutical companies in partnership with government officials sweeping harmful and even deadly COVID-19 vaccine reactions under the rug” and demands that politicians oppose unspecified efforts “to make COVID shots mandatory, to require a Vaccine Passport or to electronically track and trace my movements.” Of the 38,000 signatures the petition received, more than 60 percent were new to Liberty Counsel’s email list.

After signing, “freedom-loving patriots” are invited to make a donation. Existing supporters are asked to pay to send a fax, with options ranging from a $5 “basic level” fax to House and Senate leaders up to a “gold level” $75 fax that also includes the Senate Judiciary Committee, all 50 governors, and all Republican members of Congress.

As email sign-ups increased, digital giving swelled from a monthly average of about $100,000 pre-pandemic to more than $400,000 in the months leading up to the hack. Of the 44,000 donors included in the hack, more than 70 percent appear not to have given before the pandemic.

Some donors used their official government email accounts to make contributions, the hacked records show. Email addresses associated with the departments of Defense, Energy, Health and Human Services, Homeland Security, Interior, Justice, State, Treasury, Transportation, and Veterans Affairs were among those included in the data.

Email addresses associated with state and local governments also made an appearance, including one belonging to Republican Terry Rice, a current Arkansas state senator, whose donation came via a petition decrying “the Democrat push to legalize election fraud.” Rice told The Intercept that he might have made a small donation to Liberty Counsel but doesn’t remember. “I don’t know what business it is of yours,” he said.

]]> 0
<![CDATA[Donald Trump Has His Own History With the Espionage Act]]> Tue, 16 Aug 2022 17:01:43 +0000 The Trump administration used the controversial law to target media outlets and sources who provided important information to the public.

The post Donald Trump Has His Own History With the Espionage Act appeared first on The Intercept.

Last week, FBI agents executed a search warrant on former President Donald Trump’s Mar-a-Lago estate in Florida, seizing 11 sets of classified documents, including one at the highest classification level in the U.S. government. The search warrant cited three criminal statutes. One related to obstruction — which the New York Times said could be because a lawyer working for Trump signed a written statement asserting that they had already returned all classified documents, which wasn’t true. Another related to the theft of government records. And the last one involved Section 793 of the Espionage Act, a statute that covers “gathering, transmitting or losing defense information.”

The 1917 Espionage Act has become controversial. Despite its name, it isn’t really used much anymore to prosecute spies. In recent years, both Democratic and Republican administrations wielded it as a weapon to intimidate media as well as sources who have provided important information to the public — raising the ire of civil rights advocates.

This isn’t Trump’s first brush with the Espionage Act, though it is the first time he’s the one being accused. According to the U.S. Press Freedom Tracker, Trump’s Department of Justice charged five journalist sources — none of them spies — under the Espionage Act. (Several more journalistic sources were prosecuted under lesser statutes.) Here’s how the Espionage Act charges went for the people Trump used it against.

Reality Winner

During the 2016 presidential election, Russia’s Main Intelligence Directorate of the General Staff, or GRU, launched cyberattacks in support of Trump’s campaign. In one of them, GRU sent spearphishing emails to local election officials in swing states hoping to trick them into opening the malicious attachment that would hack their computers. At the time, Trump called all of this “fake news.”

In 2017, then-National Security Agency contractor and whistleblower Reality Winner, who was 26, leaked a classified NSA document to The Intercept that described this GRU plot in detail. Trump’s Justice Department charged and convicted her under the Espionage Act. Midway through a trial, Winner entered into a plea agreement with prosecutors and pleaded guilty to one charge. She was sentenced to five years and three months in prison, and three years of supervised release: the longest sentence ever given for the unauthorized release of classified documents to the media. (In June 2021, Winner was released early from prison.)

State election officials first learned about GRU’s spearphishing attack against them because of media reports, but only thanks to Winner; the NSA had failed to warn them. Two former election officials told CBS News’s “60 Minutes” that Winner’s disclosure helped secure the 2018 midterm election.

Terry Albury

In early 2017, The Intercept published a series of revelations based on confidential FBI guidelines from an internal FBI whistleblower, including details about controversial tactics for investigating minorities and spying on journalists.

In 2018, Trump’s Justice Department charged and convicted Terry Albury, at the time an FBI special agent, under the Espionage Act for leaking. After pleading guilty, he was sentenced to four years in prison and three years of supervised release.

During Albury’s distinguished 16-year counterterrorism career at the FBI, he “often observed or experienced racism and discrimination within the Bureau,” according to court documents. The only Black FBI special agent in the Minneapolis field office, he was especially disturbed by what he saw as “systemic biases” within the bureau, particularly when it came to the FBI’s mistreatment of informants.

Joshua Schulte

In early 2017, WikiLeaks began publishing a series of documents and hacking tools detailing the CIA’s offensive cyber capabilities, collectively known as Vault 7 — the single largest leak of classified information in CIA history. These releases led Trump’s CIA Director Mike Pompeo to declare WikiLeaks a “hostile intelligence service.” The CIA even considered kidnapping or assassinating Julian Assange, the WikiLeaks founder, over this release of documents and hacking tools.

This was a wild reversal of Trump’s attitude towards WikiLeaks. Less than a year earlier, during the 2016 election, WikiLeaks had published GRU-hacked emails from the Democratic National Committee, perfectly timed to distract the public from a video of Trump bragging about sexual assault. Trump declared, “I love WikiLeaks.”

In 2018, the disgruntled CIA software developer Joshua Schulte, who worked on programming the hacking tools that WikiLeaks published, was charged under the Espionage Act for leaking the Vault 7 documents to WikiLeaks. Last month, Schulte was convicted in a trial by jury on nine Espionage Act counts. He hasn’t been sentenced yet, but he faces up to 80 years in prison. He also faces additional charges related to sexual assault and child pornography.

Daniel Hale

In 2015, The Intercept published a series of stories that provided the most detail ever made public about the U.S. government’s unaccountable program for targeting and killing people around the world, including U.S. citizens, with drones. The disclosures were based on leaked classified documents.

In 2014, FBI agents raided the home of whistleblower Daniel Hale, a former NSA drone operator and later an outspoken anti-war activist, whom they suspected of being the source. President Barack Obama’s Justice Department, though, declined to file any charges. The Trump administration, on the other hand, was more than happy to prosecute the case. In 2019, Trump’s Justice Department charged Hale under the Espionage Act. After pleading guilty to one of the charges, he was sentenced to three years and nine months in prison.

Henry Kyle Frese

In 2018, CNBC published eight articles containing classified information about China’s weapons systems, including that China had installed anti-ship cruise missiles and surface-to-air missile systems in the South China Sea.

In 2019, Henry Kyle Frese, a counterterrorism analyst for the U.S. Defense Intelligence Agency, was charged under the Espionage Act for leaking documents about China’s weapons systems to the CNBC reporter, whom he was dating, and her colleague at NBC News. Frese pleaded guilty and was sentenced to two years and six months in prison.

Donald Trump

Now, Trump has found himself on the other end of an Espionage Act investigation. (President Joe Biden’s Justice Department authorized a search of Mar-a-Lago that cited the Espionage Act in its justification, but no charges against Trump have been filed yet.)

Unlike most of the people charged with the Espionage Act under the Trump administration, except perhaps Schulte, Trump’s theft of classified documents wasn’t aimed at exposing attacks on democracy, shining a light on government atrocities, or adding anything newsworthy to the public discourse.

In their allegations, authorities have not offered any explanations about Trump’s motives for retaining classified documents on his way out of the White House in 2020. Knowing Trump, it wasn’t anything altruistic. We do, however, know that Section 793 of the Espionage Act carries a maximum sentence of 10 years in prison.

]]> 0
<![CDATA[Russia Is Losing the War Against Hackers]]> Fri, 06 May 2022 09:00:36 +0000 Dozens of Russian companies and government agencies have been breached in apparent retaliation for the invasion of Ukraine.

The post Russia Is Losing the War Against Hackers appeared first on The Intercept.

Russia is known for its army of hackers, but since the start of the invasion of Ukraine, dozens of Russian organizations, including government agencies, oil and gas companies, and financial institutions, have been hacked, with terabytes of stolen data leaked onto the internet.

Distributed Denial of Secrets, a transparency collective known for releasing 270 gigabytes of U.S. law enforcement data in 2020 (amid the racial justice protests that followed the murder of George Floyd), has become the de facto home of the hacked Russian datasets. The datasets are submitted to DDoSecrets mostly by anonymous hackers, and are then made available to the public on the collective’s website and distributed using BitTorrent. (I am an adviser to DDoSecrets.)

“The flood of Russian data has meant a lot of sleepless nights, and it’s truly immense,” Emma Best, co-founder of DDoSecrets, told The Intercept via an encrypted messaging app. “In its first 10 years, WikiLeaks said it published 10 million documents. In less than two months since the invasion began, we have already published 6 million Russian documents, and it really feels like it.”

After receiving a dataset, DDoSecrets organizes and compresses it; it then begins distributing the data using BitTorrent for public consumption, publicizes it, and helps journalists at a range of outlets access and report on it. DDoSecrets has published about 30 hacked datasets from Russia since the invasion of Ukraine began in late February.

The vast majority of the sources who provided the hacked Russian data appear to be anonymous individuals, many of whom identify themselves as part of the Anonymous hacktivist movement. Some sources provide email addresses or other contact information as part of the released data, and some, like Network Battalion 65, have their own social media presence.

“JSC Bank PSCB, you are now controlled by Network Battalion 65. We are very grateful that you store so many credentials in Chrome. Good job.

It is obvious that your incident response has already begun. Good luck recovering the data without us. Tell your government to get out of #Ukraine”

Via @xxNB65 on April 17, 2022

Still, with so many datasets submitted by anonymous hackers, it is impossible to be certain about their motives or whether they are truly hacktivists at all. For example, in 2016 hackers compromised the network of the U.S. Democratic National Committee and leaked a batch of stolen emails to WikiLeaks in an attempt to damage Hillary Clinton’s presidential campaign. Guccifer 2.0, as the hacker responsible called himself, claimed to be a lone actor but was later exposed as an invention of the GRU, Russia’s military intelligence agency. For this reason, the Russian datasets recently published by DDoSecrets include a disclaimer: “This dataset was released in the buildup to, in the midst of, or in the aftermath of a cyberwar or hybrid war. Therefore, there is an increased chance of malware, ulterior motives and altered or implanted data, as well as false flags/fake personas. As a result, we encourage readers, researchers and journalists to take more care than usual with the data.”

Hacks Began in February

On February 26, two days after the start of the Russian invasion, DDoSecrets published 200 gigabytes of emails from Tetraedr, a Belarusian weapons manufacturer, submitted by the hacktivist persona Anonymous Liberland and the Pwn-Bär Hack Team. Belarus is a close ally of Russia in the war against Ukraine. A message published with the dataset announced “#OpCyberBullyPutin.”

“The contents of this leak appear to be legitimate. Emails from the inboxes of employees of the Belarusian weapons manufacturer Tetraedr. Have seen images of missile tests, PDF schematics for weapons systems and detailed brochures for armored vehicles.”

Via @MikaelThalen

  • “Now: Anonymous Liberland & the Pwn-Bär Hack Team have leaked more than 200GB of emails from the Belarusian weapons manufacturer Tetraedr to the journalism collective DDoSecrets.”

On February 25, the notorious Russian ransomware gang known as Conti publicly declared its support for Russia’s war, and two days later, on February 27, a Ukrainian security researcher who had hacked Conti’s internal infrastructure leaked two years of Conti’s internal chat logs, along with training documentation, hacking tools, and source code from the criminal hackers. “I cannot shoot anything, but I can fight with a keyboard and mouse,” the anonymous researcher told CNN on March 30, before safely fleeing Ukraine.

In early March, DDoSecrets published 817 gigabytes of hacked data from Roskomnadzor, the Russian federal agency responsible for monitoring, controlling, and censoring the country’s mass media. This data came specifically from the agency’s regional branch in the Republic of Bashkortostan, one of the subdivisions that make up Russia. The Intercept made this dataset searchable and shared access with independent Russian journalists from Meduza, who reported that Roskomnadzor had been monitoring the internet to police “antimilitarism” since at least 2020. In early March, Roskomnadzor began censoring access to Meduza inside Russia “due to the systematic spread of fakes about the special operation in Ukraine,” an agency spokesperson told the Russian news site RIA Novosti.

The hacks continued. In mid-March, DDoSecrets published 79 gigabytes of emails from Omega Co., the research and development arm of the world’s largest oil pipeline company, Transneft, which is state-controlled in Russia. In the second half of March, hacktivism against Russia began to heat up. DDoSecrets published another five datasets:

  • 5.9 gigabytes of emails from Thozis Corp., a Russian investment firm owned by billionaire Zakhar Smushkin.
  • 110 gigabytes of emails from MashOil, a Russian company that designs and manufactures equipment for the drilling, mining, and fracking industries.
  • 22.5 gigabytes of data allegedly belonging to Russia’s central bank. The source for this data is identified as The Black Rabbit World on Twitter.
  • 2.5 gigabytes of emails from RostProekt, a Russian construction company. The source for this data is identified as @DepaixPorteur on Twitter.
  • 15.3 gigabytes of data from Rosatom State Nuclear Energy Corp., the Russian state-owned company specializing in nuclear energy that accounts for 20% of the country’s domestic electricity production. It is also one of the world’s largest exporters of nuclear technology products. The source for this data included an email address hosted at the free encrypted email provider ProtonMail.

On the last day of March, the transparency collective also published 51.9 gigabytes of emails from the Marathon Group, an investment company owned by sanctioned Russian oligarch Alexander Vinokurov.

April Is Cruel to the Orthodox Church

On the first day of April, DDoSecrets published 15 gigabytes of emails from the charity arm of the Russian Orthodox Church. Because the emails may include sensitive and private information about individuals, DDoSecrets is not distributing this data to the public. Instead, journalists and researchers can contact DDoSecrets to request a copy.

On April 3, DDoSecrets published 483 gigabytes of emails and documents from Mosekspertiza, a state-owned company that provides expert services to the business community in Russia. On April 4, DDoSecrets published 786 gigabytes of documents and emails from the All-Russia State Television and Radio Broadcasting Co., referred to by the acronym VGTRK. VGTRK is Russia’s state broadcaster, and it operates dozens of television and radio stations across the country, including regional, national, and international stations in several languages. Former VGTRK employees told the digital publication that the Kremlin frequently dictated how the news should be covered. Network Battalion 65 is the source for both the hacked VGTRK data and the Mosekspertiza data.

“The All-Russian State Television and Radio Broadcasting Company (VGTRK), propaganda arm of the Russian Federation, can go fuck itself. @Telecomix will have fun with this. #datalove @YourAnonNews @ITarmyUA Glory to Ukraine! The full data release will be ready soon.”

Via @xxNB65

Russia’s legal sector was also hacked. On April 8, DDoSecrets published 65 gigabytes of emails from the law firm Capital Legal Services. A hacker identified as wh1t3sh4d0w submitted the data to the transparency collective.

In the following days, DDoSecrets published three more datasets:

On April 11, DDoSecrets published another three datasets:

  • 446 gigabytes of emails from Russia’s Ministry of Culture, which is responsible for state policy regarding art, film, copyright, cultural heritage, and in some cases censorship.
  • 150 gigabytes of emails from the city government of Blagoveshchensk, in the same region of Russia from which the Roskomnadzor dataset was hacked.
  • 116 gigabytes of emails from the governor’s office of Tver Oblast, a Russian region northwest of Moscow.

In mid-April, DDoSecrets published several datasets from the oil and gas industries:

  • 440 gigabytes of emails from Technotec, a group of companies that develops chemical reagents and provides services to oil and gas companies.
  • 728 gigabytes of emails from Gazprom Linde Engineering, a firm that designs gas and petrochemical processing facilities and oil refineries. This company was a joint venture between the Russian state-owned gas company Gazprom, the largest corporation in Russia, and the German company Linde. In late March, in response to economic sanctions against Russia, Linde announced that it was suspending its Russian business ventures.
  • 222 gigabytes of data from Gazregion, a construction contractor that specializes in gas pipelines and gas facilities. Three different sources (Network Battalion 65, @DepaixPorteur, and another anonymous hacker) hacked this company at roughly the same time and submitted the data to DDoSecrets, which published all three overlapping datasets to “provide as complete a picture as possible, and to provide an opportunity for comparison and cross-checking.”

On April 16, DDoSecrets published two more datasets:

In late April, DDoSecrets published the following datasets:

  • 107 gigabytes of emails from Neocom Geoservice, an engineering company focused on oil, gas, and drilling.
  • 1.2 gigabytes of data from the Belarusian company Synesis, which develops surveillance systems.
  • 9.5 gigabytes of emails from the General Department of Troops and Civil Construction, a construction company owned by the Russian Ministry of Defense. This data was hacked by @DepaixPorteur.
  • 160 gigabytes of emails from Tendertech, a company that processes financial and banking documents on behalf of other companies.
  • 130 gigabytes of emails from Worldwide Invest, a Russian investment company.
  • 432 gigabytes of emails from the Russian property management company Sawatzky. Its clients include major brands such as Google, Microsoft, Samsung, and Johnson & Johnson.
  • 221 gigabytes of emails from Accent Capital, a commercial real estate investment firm.

Also on April 22, DDoSecrets published 342 gigabytes of emails from Enerpred, the largest producer of hydraulic tools in Russia, which works with the energy, petrochemical, coal, gas, and construction industries.

Researching the Hacked Data

Despite the enormous scale of these Russian data leaks, few journalists have written about them so far. Since the start of the war, Russia has severely cracked down on its domestic media, introducing sentences of years in prison for journalists who use the wrong words when describing the war in Ukraine, such as calling it a “war” instead of a “special military operation.” Russia has also stepped up its censorship efforts, blocking Twitter and Facebook and censoring access to international news sites, leaving the Russian public largely in the dark when it comes to views that are not sanctioned by the state.

One of the barriers for news organizations outside Russia is language: the hacked data is mostly in Russian. In addition, hacked datasets always come with considerable technical challenges. The Intercept, which was founded in part to report on the archive of U.S. National Security Agency documents leaked by Edward Snowden, has been using its technical resources to build tools to make these Russian datasets searchable, and then sharing those tools with other journalists. Russian-speaking reporters from Meduza, which is forced to operate in Latvia to avoid the Kremlin’s reach, have already published a story based on one of the datasets indexed by The Intercept.

“It will take YEARS for journalists, researchers and the general public to see all of the Russian data being leaked in response to the invasion of Ukraine.”

Via @NatSecGeek


Translation: Maíra Santos

The post Russia Is Losing the War Against Hackers appeared first on The Intercept.

]]> 0
<![CDATA[Russia Is Losing a War Against Hackers Stealing Huge Amounts of Data]]> Fri, 22 Apr 2022 20:40:32 +0000 Dozens of Russian companies and government agencies have been hacked in apparent retribution for the invasion of Ukraine.

The post Russia Is Losing a War Against Hackers Stealing Huge Amounts of Data appeared first on The Intercept.

Russia is known for its army of hackers, but since the start of its invasion of Ukraine, dozens of Russian organizations — including government agencies, oil and gas companies, and financial institutions — have been hacked, with terabytes of stolen data leaked onto the internet.

Distributed Denial of Secrets, the transparency collective that’s best known for its 2020 release of 270 gigabytes of U.S. law enforcement data (in the midst of racial justice protests following the murder of George Floyd), has become the de facto home of the hacked datasets from Russia. The datasets are submitted to DDoSecrets mostly by anonymous hackers, and those datasets are then made available to the public on the collective’s website and distributed using BitTorrent. (I am an adviser to DDoSecrets.)

“The flood of Russian data has meant a lot of sleepless nights, and it’s truly overwhelming,” Emma Best, co-founder of DDoSecrets, told The Intercept via an encrypted messaging app. “In its first 10 years, WikiLeaks claimed to publish 10 million documents. In the less than two months since the invasion began, we’ve published over 6 million Russian documents — and it absolutely feels like it.”

After receiving a dataset, DDoSecrets organizes and compresses the data; it then starts distributing the data using BitTorrent for public consumption, publicizes it, and helps journalists at a wide range of newsrooms access and report on it. DDoSecrets has published about 30 hacked datasets from Russia since its invasion of Ukraine began in late February.

The vast majority of sources who provided the hacked Russian data appear to be anonymous individuals, many self-identifying as part of the Anonymous hacktivist movement. Some sources provide email addresses or other contact information as part of the dumped data, and some, like Network Battalion 65, have their own social media presence.

Still, with so many datasets submitted by anonymous hackers, it’s impossible to be certain about their motives or if they’re even truly hacktivists. For instance, in 2016 hackers compromised the network of the Democratic National Committee and leaked stolen emails to WikiLeaks in an attempt to hurt Hillary Clinton’s presidential campaign. Guccifer 2.0, the hacker persona responsible, claimed to be a lone actor but was later revealed to be an invention of the GRU, Russia’s military intelligence agency.

For this reason, the recent Russian datasets published by DDoSecrets include a disclaimer: “This dataset was released in the buildup to, in the midst of, or in the aftermath of a cyberwar or hybrid war. Therefore, there is an increased chance of malware, ulterior motives and altered or implanted data, or false flags/fake personas. As a result, we encourage readers, researchers and journalists to take additional care with the data.”

Hacks Begin in February

On February 26, two days after Russia’s invasion started, DDoSecrets published 200 gigabytes of emails from the Belarus weapons manufacturer Tetraedr, submitted by the hacktivist persona Anonymous Liberland and the Pwn-Bär Hack Team. Belarus is a close ally to Russia in its war against Ukraine. A message published with the dataset announced “#OpCyberBullyPutin.”

On February 25, the notorious Russian ransomware gang known as Conti publicly expressed its support for Russia’s war, and two days later, on February 27, an anonymous Ukrainian security researcher who had hacked Conti’s internal infrastructure leaked two years of Conti chat logs, along with training documentation, hacking tools, and source code from the criminal hackers. “I cannot shoot anything, but I can fight with a keyboard and mouse,” the anonymous researcher told CNN on March 30 before he safely slipped out of Ukraine.

In early March, DDoSecrets published 817 gigabytes of hacked data from Roskomnadzor, the Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media. This data specifically came from the regional branch of the agency in the Republic of Bashkortostan. The Intercept made this dataset searchable and shared access with independent Russian journalists from Meduza who reported that Roskomnadzor had been monitoring the internet for “antimilitarism” since at least 2020. In early March, Roskomnadzor began censoring access to Meduza from inside Russia “due to systematic spread of fakes about the special operation in Ukraine,” a spokesperson for the agency told the Russian news site RIA Novosti.

The hacks continued. In mid-March, DDoSecrets published 79 gigabytes of emails from the Omega Co., the research and development wing of the world’s largest oil pipeline company, Transneft, which is state-controlled in Russia. In the second half of March, hacktivism against Russia began to heat up. DDoSecrets published an additional five datasets:

  • 5.9 gigabytes of emails from Thozis Corp., a Russian investment firm owned by billionaire oligarch Zakhar Smushkin.
  • 110 gigabytes of emails from MashOil, a Russian firm that designs and manufactures equipment for the drilling, mining, and fracking industries.
  • 22.5 gigabytes of data allegedly from the central bank of Russia. The source for this data is the persona The Black Rabbit World on Twitter.
  • 2.5 gigabytes of emails from RostProekt, a Russian construction firm. The source for this data is the persona @DepaixPorteur on Twitter.
  • 15.3 gigabytes of data from Rosatom State Nuclear Energy Corp., Russia’s state-run company that specializes in nuclear energy and makes up 20 percent of the country’s domestic electricity production. It’s also one of the world’s largest exporters of nuclear technology products. The source for this data included an email address hosted at the free encrypted email provider ProtonMail.

On the last day of March, the transparency collective also published 51.9 gigabytes of emails from the Marathon Group, an investment firm owned by sanctioned Russian oligarch Alexander Vinokurov.

April Is Cruel to Orthodox Church

On the first day of April, DDoSecrets published 15 gigabytes of emails from the charity wing of the Russian Orthodox Church. Because the emails might include sensitive and private information from individuals, DDoSecrets isn’t distributing this data to the public. Instead, journalists and researchers can contact DDoSecrets to request a copy of it.

On April 3, DDoSecrets published 483 gigabytes of emails and documents from Mosekspertiza, a state-owned corporation that provides expert services to the business community in Russia. On April 4, DDoSecrets published 786 gigabytes of documents and emails from the All-Russia State Television and Radio Broadcasting Co., referred to with the English acronym VGTRK. VGTRK is Russia’s state-owned broadcaster; it operates dozens of television and radio stations across Russia, including regional, national, and international stations in several languages. Former employees of VGTRK told the digital publication that the Kremlin frequently dictated how the news should be covered. Network Battalion 65 is the source for both the VGTRK and Mosekspertiza hacks.

Russia’s legal sector also got hacked. On April 8, DDoSecrets published 65 gigabytes of emails from the law firm Capital Legal Services. The persona wh1t3sh4d0w submitted the data to the transparency collective.

In the following days, DDoSecrets published three more datasets:

By April 11, DDoSecrets had published another three datasets:

  • 446 gigabytes of emails from the Ministry of Culture of the Russian Federation. This government agency is responsible for state policy regarding art, film, copyright, cultural heritage, and in some cases censorship.
  • 150 gigabytes of emails from the city administration of Blagoveshchensk. This is in the same region of Russia that the Roskomnadzor dataset was hacked from.
  • 116 gigabytes of emails from the governor’s office of Tver Oblast, a region of Russia northwest of Moscow.

In mid-April, DDoSecrets published several datasets from the oil and gas industries:

  • 440 gigabytes of emails from Technotec, a group of companies that develops chemical reagents for and provides services to oil and gas companies.
  • 728 gigabytes of emails from Gazprom Linde Engineering, a firm that designs gas and petrochemical processing facilities and oil refineries. This company was a joint venture between the state-owned Russian gas company Gazprom — the largest corporation in Russia — and the German company Linde. In late March, in response to economic sanctions against Russia, Linde announced that it was suspending its Russian business ventures.
  • 222 gigabytes of data from Gazregion, a construction company that specializes in building gas pipelines and facilities. Three different sources — Network Battalion 65, @DepaixPorteur, and another anonymous hacker — hacked this company at roughly the same time and submitted data to DDoSecrets, which published all three overlapping datasets to “provide as complete a picture as possible, and to provide an opportunity for comparison and cross-checking.”

On April 16, DDoSecrets published two more datasets:

Just during the last week, DDoSecrets published these datasets:

  • 107 gigabytes of emails from Neocom Geoservice, an engineering company that focuses on oil, gas, and drilling.
  • 1.2 gigabytes of data from the Belarusian firm Synesis, which develops surveillance systems.
  • 9.5 gigabytes of emails from the General Department of Troops and Civil Construction, a construction company owned by the Russian Ministry of Defense. This was hacked by @DepaixPorteur.
  • 160 gigabytes of emails from Tendertech, a firm that processes financial and banking documents on behalf of businesses.
  • 130 gigabytes of emails from Worldwide Invest, a Russian investment firm.
  • 432 gigabytes of emails from the Russian property management firm Sawatzky. Its clients include major brands like Google, Microsoft, Samsung, and Johnson & Johnson.
  • 221 gigabytes of emails from Accent Capital, a Russian commercial real estate investment firm.

Earlier today, DDoSecrets published 342 gigabytes of emails from Enerpred, the largest producer of hydraulic tools in Russia that works in the energy, petrochemical, coal, gas and construction industries.

Researching the Hacked Data

Despite the massive scale of these Russian data leaks, very few journalists have reported on them so far. Since the war began, Russia has severely clamped down on its domestic media, introducing penalties of years in prison for journalists who use the wrong words when describing the war in Ukraine — like calling it a “war” instead of a “special military operation.” Russia has also ramped up its censorship efforts, blocking Twitter and Facebook and censoring access to international news sites, leaving the Russian public largely in the dark when it comes to views that aren’t sanctioned by the state.

One of the barriers for non-Russian news organizations is language: The hacked data is principally in Russian. Additionally, hacked datasets always come with considerable technical challenges. The Intercept, which was founded in part to report on the archive of National Security Agency documents leaked by Edward Snowden, has been using our technical resources to build out tools to make these Russian datasets searchable and then sharing access to these tools with other journalists. Russian-speaking journalists from Meduza — which is forced to operate in Latvia to avoid the Kremlin’s reach — have already published a story based on one of the datasets indexed by The Intercept.

The post Russia Is Losing a War Against Hackers Stealing Huge Amounts of Data appeared first on The Intercept.

]]> 0
<![CDATA[Leaked Chats Show Russian Ransomware Gang Discussing Putin’s Invasion of Ukraine]]> Mon, 14 Mar 2022 17:16:51 +0000 Chat logs reveal that members of the Conti ransomware gang repeated Putin's lies about Ukraine — and bemoaned their inability to buy Apple products.

The post Leaked Chats Show Russian Ransomware Gang Discussing Putin’s Invasion of Ukraine appeared first on The Intercept.

Internal chat logs leaked from the notorious Russian ransomware gang Conti reveal unfiltered conversations between ultranationalist hackers in which they repeat Russian President Vladimir Putin’s conspiratorial lies about Ukraine, discuss the impact of early Western sanctions against their country, and make antisemitic comments about Ukraine’s Jewish president.

The logs were leaked late last month, reportedly by a Ukrainian security researcher, after Conti publicly announced its support for Putin’s invasion of Ukraine and threatened to retaliate against any cyber warfare targeted at the Russian-speaking world. The logs span two years and multiple chat services and were released alongside training documentation, hacking tools, and source code.

The Intercept reviewed the most recent month of logs, focusing on those originating from RocketChat, a group-chat system similar to Discord or Slack, that Conti hosted on the anonymity network Tor. The messages are full of typos, slang, and a heavy use of mat — vulgar Russian profanity. We translated these messages using Google Translate and DeepL, and then a native Russian speaker manually corrected them. As with any translations, there are sometimes multiple possible interpretations, so we are making the original Russian available here. All time stamps from chat messages are in Coordinated Universal Time.

Logs of only some chat rooms appear to have been leaked. Most of the recent messages are from the #general channel, a room where the hackers candidly discussed non-ransomware topics like drug use, pornography, cryptocurrency, an obsession with investigative journalist Brian Krebs, and occasionally technical topics. While the #general channel had 160 users — Conti is a very large criminal enterprise — only a handful of these users actually posted messages during the monthlong period.

The conversations quickly turned political on February 21 when Putin announced that Russia recognized the separatist territories Donetsk and Luhansk in eastern Ukraine as independent nations, and on February 24 when Russian troops invaded Ukraine. The Russian hackers openly repeated Putin’s falsehoods as fact, such as that Ukraine is run by a “neo-Nazi junta” and that its government is seeking nuclear weapons. Members of the chat continually shared news updates that exaggerated Russia’s success so far in the war.

The chat logs also include a heavy dose of misogyny, including discussions of child sexual abuse content and jokes about rape, as well as antisemitism aimed at Ukrainian President Volodymyr Zelenskyy.

Also on February 21, Conti announced internally to its employees that the leader of the criminal enterprise had gone into hiding. While it’s unclear exactly what happened, the announcement said that “close attention to the company from the outside has led to the fact that the boss apparently decided to lay low.” It added that Conti did not have enough money to pay everyone’s salaries and asked that they take two to three months of vacation. While Conti’s active operations had ceased, the server hosting RocketChat was still up, so the conversations after that were purely about Russia’s war in Ukraine. CyberScoop this week quoted sources saying Conti recovered from the leaks and is operational.

The Conti Ransomware Gang

Conti is the most successful ransomware gang in operation today. As Check Point Research has reported, the gang appears to operate much like a large corporation, with twice-monthly payroll, five-day workweeks, staggered shifts to ensure around-the-clock operation, and even physical offices. According to a 2022 report on cryptocurrency crime from the company Chainalysis, Conti extorted at least $180 million from its hacking victims last year.

Many of the victims have been in the health care sector, including Ireland’s public care system. In May 2021, in the midst of the Covid-19 pandemic, Conti encrypted data on 85,000 Irish health care computers and demanded a $20 million ransom payment in exchange for the decryptor, according to a report in CPO Magazine. Ireland’s Health Service Executive refused to pay the ransom, but it’s still costing Ireland 100 million euros to recover from the attack. The FBI also warned that Conti ransomware attacks targeted at least 16 health care networks in the United States.

Conti employees appear to be active during work hours in the Moscow time zone and all internal communication is in Russian, though some people involved don’t live in Russia. One frequent poster in the chat rooms, who goes by the username “Patrick,” appears to be a Russian citizen living in Australia. An older member of Conti is a 55-year-old Latvian woman, according to reporting by Krebs. Based on these chat logs, Conti appears to be an independent criminal enterprise without formal ties to the Russian government.

But it appears that Russian intelligence reached out to members of Conti on at least one occasion. After the ContiLeaks were published, Christo Grozev, executive director of the investigative journalism group Bellingcat, tweeted that his organization had been warned that “a global cyber crime group acting on an FSB [Russia’s security agency] order has hacked one of your contributors,” and they were looking for information about Alexey Navalny, the imprisoned Russian opposition leader. In 2020, FSB agents were implicated in a poisoning attack on Navalny.

Chat logs in ContiLeaks, from a chat service called Jabber, seem to indicate that Conti was this cybercrime group, acting on an order from the FSB. A user called “Mango” told a user called “Professor” that he had encrypted chat messages from a Bellingcat journalist but didn’t know how to decrypt them. Mango pasted a snippet from a separate chat that he had with a user called “Johnnyboy77,” who told him about targeting a Bellingcat journalist and mentioned “NAVALNI FSB.”

2021-04-09 18:13:13 mango: So, are we really interested in such data?
2021-04-09 18:13:24 mango: I mean, are we patriots or what?)))
2021-04-09 18:13:31 professor: Of course we are patriots
2021-04-09 18:13:49 mango: I understand. if they decipher it there – I will beacon
2021-04-09 18:14:23 mango: and I also wrote there the other day to you about the auction, but as I understand it, you are still busy and did not delve into)
2021-04-09 18:31:25 mango:
[21:21:02] <johnyboy77> in short, there is a person’s mail from bellingcat
[21:21:06] <johnyboy77> who specifically works in the RU and UA direction
[21:21:06] <johnyboy77> say so
[21:21:08] <johnyboy77> and all his passwords are
[21:21:17] <johnyboy77> and she’s still valid
[21:30:56] <mango> well, pull the correspondence, at least screen them
[21:31:05] <mango> need specifics bro what to talk about
[21:31:07] <johnyboy77> now download files
[21:31:12] <johnyboy77> NAVALNI FSB
[21:31:13] <johnyboy77> even this
[21:31:18] <johnyboy77> right now
2021-04-09 18:31:26 mango: :)
2021-04-09 18:35:42 professor: why not just dump the whole thing

The day after Russian troops began their invasion of Ukraine, Conti posted a statement on its website, a site normally used for publishing data from companies that refuse to pay ransom. Conti announced its “full support of Russian government,” and warned that if anyone attacked Russia, cyber or otherwise, they would use “all possible resources to strike back at the critical infrastructures of an enemy.”


Original statement from Conti

Screenshot by Check Point Research

Hours later, they tempered their statement, but many had already noticed their unequivocal support for Russia in its war against Ukraine.


Conti’s modified statement

Screenshot by Check Point Research

Repeating Putin’s Conspiratorial Lies

When Russian soldiers invaded Ukraine on February 24, people in Conti’s #general channel began discussing the war. One member of the chat, Patrick, was by far the most swayed by Putin’s lies about Ukraine. Patrick insisted that war was inevitable because Ukraine was attempting to obtain nuclear weapons. This is false, but this conspiracy theory made up a large part of a speech Putin gave on February 21 just prior to the invasion.

2022-02-24 09:53:54 patrick: war was inevitable, ukraine made an application for nuclear weapons
2022-02-24 09:54:37 patrick: in their possession
2022-02-24 09:55:00 weldon: monkeys don’t explain things, they climb trees
2022-02-24 09:55:02 elijah: @patrick well done and done. Still, no one will ever use it. Yes, just to scare
2022-02-24 09:56:38 elijah: Look, missiles from North Korea periodically arrive in the territorial waters of the Russian Federation. But no one cares. And they have nuclear weapons, by the way. But somehow no one was alarmed
2022-02-24 09:56:47 patrick: old man, you’re wrong, there is no doubt about north korea now
2022-02-24 09:58:42 patrick: no one is happy about the war, brothers, but it is high time to put this neo-Nazi gang of Canaris’s foster kids on trial

In his speech, Putin also falsely claimed that Ukraine’s democratic government is a neo-Nazi dictatorship. Throughout the first days of fighting, Patrick repeatedly insisted that Ukraine is run by a “neo-Nazi junta.” It’s not. Ukraine does have a legitimate Nazi problem (so do the United States and Russia), but Ukrainian neo-Nazis are a small minority and don’t hold any positions in government.

Zelenskyy is Jewish. His grandfather, Semyon Ivanovich Zelenskyy, fought the Nazis during World War II. All three of Zelenskyy’s grandfather’s brothers were shot and killed by Nazi soldiers occupying Ukraine.

2022-02-24 10:01:33 patrick: Putin will answer all questions today, I hope that by the evening Kyiv will be ours
2022-02-24 10:02:47 biggie: what’s the point
2022-02-24 10:03:02 elijah: `by the evening kiev will be ours` – and??? What is the profit in this, well, besides boosting the guy’s ego and an additional reason for the quilted jackets [patriots/nationalists] to fap on the king?
2022-02-24 10:03:07 biggie: only people will die and that’s it
2022-02-24 10:05:11 patrick: the neo-Nazi junta will be liquidated and prosecuted, civilians will not suffer

In another message, Patrick says he’s not fighting in the separatist regions of eastern Ukraine because he’s in Australia, donating money to “the victims of the genocide of the neo-Nazi junta.” Putin accused Ukraine of committing genocide against Russian-speaking civilians in Donbas—this also isn’t true.

2022-02-24 11:02:25 kermit: and why are you here and not a volunteer in the DNR or LNR?
2022-02-24 11:03:34 patrick: I’m in australia helping the victims of the genocide of the neo-Nazi junta with money
2022-02-24 11:03:45 kermit: you’re hiding far away
2022-02-24 11:04:24 kermit: in any such movement you have to back it up with deeds. right now you’re just another spectator and instigator
2022-02-24 11:04:33 kermit: money is bullshit in a matter like this
2022-02-24 11:04:58 patrick: Zelia [Zelensky] is the one hiding, it’s his last day, our people are already in the suburbs of Kiev

Zelenskyy and Antisemitism

Although Putin has justified his invasion by framing it as a war on Nazi ideology, numerous discussions in the chats point toward antisemitic sentiment within Conti. Such bigotry has been a prominent part of an ascendant far-right movement throughout the U.S. and Europe, including in Russia and Ukraine. On February 21, a user named “Weldon” pointed out that Zelenskyy is Jewish. Several others joined in with antisemitic jokes.

2022-02-21 13:03:18 weldon: Zelensky is a jew
2022-02-21 13:03:24 kermit: oh fuck
2022-02-21 13:03:26 kermit: Jews
2022-02-21 13:03:28 kermit: great
2022-02-21 13:03:31 kermit: my favorite
2022-02-21 13:03:39 weldon: that’s right, not Jewish, but a Jew
2022-02-21 13:04:26 kermit: fuck, I wish I was a jew
2022-02-21 13:04:55 kermit: just be born Jewish and you’re considered a member of a secret society and you mess up the Russians’ life
2022-02-21 13:05:46 weldon: come on. A Tatar was born – a Jew cried :joy:
2022-02-21 13:06:58 kermit: a Crimean Tatar?
2022-02-21 13:08:07 gelmut: black Crimean Tatar born in Odessa, who received Russian citizenship :-D
2022-02-21 13:09:11 weldon: obama?
2022-02-21 13:19:39 gelmut: A Jewish boy approaches his parents and says – I want to be Russian. To which the parents reply: – If you want to be Russian, you go to the corner and stand there all day without food. Half a day later, his parents ask: “How do you live as a Russian? And the boy answers: – I’ve only been Russian for two hours, but I already hate you Jews!

After Russia’s invasion was in full swing, the topic of Jews appeared again. This time, Patrick suggested that Jews ruined the Russian empire, and a user named “Biggie” said that it’s necessary to “de-Jewishize” Israel by force. “Pindo” is a slightly pejorative term for an American, and “Pindostan” is slang for the United States.

2022-02-25 09:10:45 patrick: everyone, up to and including the pindostan [America], must answer for the destruction of my homeland – the USSR, so be it
2022-02-25 09:11:53 patrick: Vinnytsia is surrounded
2022-02-25 09:14:19 biggie: that’s how sovok [Soviet Union, or Soviet nationalists] responded to the breakup of the Russian empire
2022-02-25 09:14:41 biggie: All’s fair
2022-02-25 09:15:52 angelo: wait Soviet factories were built by Americans and Europeans with the hands of our comrades. The empire was ruined by Jews with English money
2022-02-25 09:15:59 angelo: I’m getting confused who got what for what and why.
2022-02-25 09:16:38 angelo: we need Jesus, only he will judge and tell the truth, who God is for!
2022-02-25 09:16:55 angelo: @jesus !
2022-02-25 09:17:18 biggie: yeah, that means we have to conduct a military operation in Israel for de-Jewishization

Earlier in the month, the user named “Thomas” joked with the user “Angelo” that he’d be sentenced to eight years in prison for “anti-patriotism” but quickly said he was kidding. Angelo said, “I know you’re kidding. We are brothers!” Thomas made a casual Nazi joke about being Aryan brothers, adding that “the skinhead theme is my favorite.”

2022-02-16 08:43:42 angelo: we are brothers!
2022-02-16 08:43:48 thomas: Slavs?
2022-02-16 08:43:51 thomas: or Aryans?
2022-02-16 08:44:01 thomas: Ooh, the skinhead theme is my favorite.
2022-02-16 08:44:05 thomas: whoever has cleaner blood

Russian Liberal Democratic Party Leader Vladimir Zhirinovsky attends a meeting of Russian President Vladimir Putin with lawmakers of the new convocation of the State Duma in Moscow, Russia on Dec. 10, 2021. Photo: Ramil Sitdikov/Sputnik via AP


“It’s Gonna Be Sad Without” Zhirinovsky

In early February, the 75-year-old ultranationalist Vladimir Zhirinovsky, a demagogic politician and leader of the Liberal Democratic Party of Russia, was reportedly hospitalized for Covid-19 and in critical condition.

Zhirinovsky is a far-right authoritarian populist known for decades of controversial views. According to a 1994 article in the New York Times, Zhirinovsky called for “the preservation of the white race” in a 1992 television appearance, warning that the U.S. was being turned over by the white population to black and Hispanic people. In 2016, Zhirinovsky strongly supported the election of Donald Trump for U.S. president over Hillary Clinton, telling Bloomberg, “Trump and I could impose order on the whole planet. … Everyone would shut up. There wouldn’t be any extremists, no Islamic State, and white Europeans could feel at ease as we’d send all the immigrants home.”

The Conti hackers seem more than just Putin-supporting Russian patriots — they identify with Zhirinovsky’s far-right, authoritarian, racist politics. In the chat room, they discussed Zhirinovsky’s condition, as well as conspiracy theories about why he’s really in the hospital and if he’s even really sick.

2022-02-16 13:59:48 kermit: everything is okay in the kremlin
2022-02-16 14:00:00 thomas: how’s Zhirik [Zhirinovsky] doing?
2022-02-16 14:00:03 thomas: is he alive?
2022-02-16 14:00:07 thomas: It’s gonna be sad without him.
2022-02-16 14:00:09 kermit: I don’t know, he’s sick
2022-02-16 14:00:15 kermit: he’s not in the kremlin
2022-02-16 14:00:32 thomas: there was a video that said he is not being treated for covid, his lovers poisoned him
2022-02-16 14:00:35 thomas: and on the news
2022-02-16 14:00:42 kermit: lol
2022-02-16 14:00:43 thomas: not mistresses but male lovers
2022-02-16 14:00:46 weldon: :joy:
2022-02-16 14:00:52 kermit: yeah that’s a known fact
2022-02-16 14:01:31 weldon: *Petrosyans *fuck with Stepanenkas :rofl:
2022-02-16 14:01:36 kermit:
2022-02-16 14:07:11 gelmut: By the way, everything is bullshit about Zhirik. Their party man said that everything is fine with him, it’s just hype and journalist faggots. In fact he is just lying in the hospital just in case and working there, feeling fine. They bring him documents to sign right there.
2022-02-16 14:09:18 kermit: Trust the party members from the LDPR
2022-02-16 14:09:22 kermit: That’s just the way it is.
2022-02-16 14:10:01 kermit: They’ll tell you that Volfovich [Zhirinovsky] is dying out there and people don’t know what to do

Feeling the Sanctions

On February 24, at the very beginning of the West’s sanctions against Russia, members of Conti were clearly already feeling squeezed, including by their inability to buy digital gear from Apple. After urging from Ukraine, Apple had quickly cut off sales of products like iPhones and MacBooks to Russia. The value of Russia’s ruble had plummeted to 85 rubles for each U.S. dollar (by March 7, each dollar cost 150 rubles).

2022-02-24 07:04:43 angelo: I take it now the latest model iPhone and Macbook are the ones you have now and that’s it
2022-02-24 07:05:22 weldon: so it is
2022-02-24 07:10:26 biggie: as long as the dollar is 85
2022-02-24 07:11:09 weldon: screw GDP on the dollar
2022-02-24 07:11:25 biggie: What about the iPhone?
2022-02-24 07:12:07 weldon: Shove your iPhones up your ass
2022-02-24 07:12:58 biggie: what about macbooks

They joked about Russia joining NATO so they could switch from the free-falling ruble to the euro. Angelo said he couldn’t even buy a brand of juice because it’s American.

2022-02-24 07:17:23 biggie: we should join NATO, then the euro would replace the ruble and nothing would drop
2022-02-24 07:17:34 angelo: I even couldn’t buy Dobry Juice now – it’s American
2022-02-24 07:18:31 angelo: you should take Viagra, nothing will drop.
2022-02-24 07:19:20 weldon: @biggie you shouldn’t miss the shitter when you piss
2022-02-24 07:19:44 biggie: :smiley:
2022-02-24 07:43:20 biggie: “In half an hour, a quarter of Russia’s stock market is like a cow lapped it up… MOEX index -28,8%”.
2022-02-24 07:43:41 biggie: we’re broke.
2022-02-24 07:45:42 biggie: on the other hand we could soon be stocked up
2022-02-24 07:46:12 angelo: but
2022-02-24 07:46:15 angelo: but
2022-02-24 07:46:19 angelo: I haven’t fucking figured it out yet
2022-02-24 07:46:48 weldon: close up before they close you down

The Conti members even discussed a rumor that PornHub, the major American pornography site, would block Russian users. This was false; PornHub didn’t actually block Russians from using its service.

2022-02-24 22:02:38 thomas: Some American senators suggest blocking PornHub in Russia in addition to social networks!
2022-02-24 22:02:44 thomas: That’s it, we’re done)
2022-02-24 22:02:49 thomas: They will take away our last joys!

Obsession With Brian Krebs

In late January, during a conversation about drug use, the user “Kermit” said, “We should send our correspondence to Krebs.” Angelo replied, “The worst that can happen.” They’re referring to Krebs, the investigative journalist who covers cybercrime groups like Conti. This is especially interesting because since ContiLeaks was published, Krebs has, in fact, been analyzing the group’s correspondence.

2022-01-28 20:01:08 kermit: we should send our correspondence to krebs
2022-01-28 20:01:10 angelo: the worst that can happen
2022-01-28 20:02:03 angelo: I come back once in the evening,
Stoned on hash.
Life becomes beautiful
And it’s madly good.
2022-01-28 20:02:17 angelo: going….. smoking…
2022-01-28 20:02:26 angelo: he’s freaking out, he’s gonna say the Chelyabinsk delinquents
2022-01-28 20:02:48 stanton: Cannabis is supposed to be good for your head.
2022-01-28 20:03:04 angelo: everything is relative
2022-01-28 20:03:24 angelo: if you’re prone to schizophrenia you might end up in a mental hospital
2022-01-28 20:04:30 kermit: or join the KPRF [Communist Party of the Russian Federation]

It’s clear that members of Conti read Krebs’s work. They frequently mention him when they’re talking about anything particularly inappropriate. For example, on February 2, in a conversation about porn, masturbation and articles about performing oral sex on yourself, Kermit posted, “that’s the kind of correspondence krebs won’t leak :/”.

2022-02-02 20:56:41 elliott: :rofl:
2022-02-02 20:57:01 kermit: that’s the kind of correspondence krebs won’t leak :/
2022-02-02 20:57:08 angelo: he was reading something about giving himself a blowjob

On February 16, Conti members discussed how to remain anonymous using different Jabber clients, chat programs that can be used to connect to decentralized chat servers. They discuss Jabber clients called Pidgin, Psi+, and MCabber, how cool and hackery using them looks, and how well their encryption plugins work. They also discuss how their different anonymous Jabber accounts could get linked if they lose internet access and disconnect from multiple accounts at once. Thomas described his technique for mitigating this threat as “Krebs level.”

2022-02-16 08:34:19 thomas: i have each Jabber account on a different client or in a different sandbox
2022-02-16 08:34:22 thomas: and turn them on manually
2022-02-16 08:34:27 thomas: so there could be no timing attacks
2022-02-16 08:34:34 thomas: no autostarts
2022-02-16 08:35:00 thomas: in short, the security is krebs level
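The linkage risk discussed above, shown as an added illustration that is not from the article or the leaked chats: accounts whose presence changes repeatedly coincide within a few seconds are probably run from the same machine or network link. The presence-log format, the account names, and the thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed presence log (not from ContiLeaks): "date time account event".
# acct_a and acct_b share one connection with auto-reconnect, so they drop and
# return together; acct_c is started and stopped by hand at unrelated times.
SAMPLE_LOG = """\
2022-02-16 08:00:05 acct_a online
2022-02-16 08:00:07 acct_b online
2022-02-16 08:41:00 acct_c online
2022-02-16 09:12:30 acct_a offline
2022-02-16 09:12:31 acct_b offline
2022-02-16 09:15:02 acct_a online
2022-02-16 09:15:04 acct_b online
2022-02-16 11:47:10 acct_c offline
2022-02-16 13:03:44 acct_b offline
2022-02-16 13:03:45 acct_a offline
2022-02-16 13:09:20 acct_b online
2022-02-16 13:09:21 acct_a online
2022-02-16 15:30:00 acct_c online
2022-02-16 18:22:15 acct_a offline
2022-02-16 18:22:15 acct_b offline
2022-02-16 19:05:40 acct_c offline
"""


def parse_presence(text):
    """Return {account: {"online": [...], "offline": [...]}} with sorted datetimes."""
    events = defaultdict(lambda: {"online": [], "offline": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, account, kind = line.split()
        if kind not in ("online", "offline"):
            raise ValueError(f"unknown event type: {kind!r}")
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events[account][kind].append(stamp)
    for per_account in events.values():
        for times in per_account.values():
            times.sort()
    return dict(events)


def count_coincident(xs, ys, window_s):
    """Greedy one-to-one matching of two sorted time lists within window_s seconds."""
    i = j = matches = 0
    while i < len(xs) and j < len(ys):
        delta = (xs[i] - ys[j]).total_seconds()
        if abs(delta) <= window_s:
            matches += 1
            i += 1
            j += 1
        elif delta < 0:
            i += 1  # xs[i] is too early to match anything left in ys
        else:
            j += 1  # ys[j] is too early to match anything left in xs
    return matches


def link_scores(events, window_s=5):
    """Map each account pair to (coincident events, Jaccard-style overlap score)."""
    scores = {}
    for a, b in combinations(sorted(events), 2):
        matched = total = 0
        for kind in ("online", "offline"):  # compare like with like
            m = count_coincident(events[a][kind], events[b][kind], window_s)
            matched += m
            total += len(events[a][kind]) + len(events[b][kind]) - m
        scores[(a, b)] = (matched, matched / total if total else 0.0)
    return scores


def likely_linked(scores, min_matches=3, min_score=0.5):
    """Pairs with enough repeated coincidences to rule out a one-off accident."""
    return sorted(pair for pair, (m, s) in scores.items()
                  if m >= min_matches and s >= min_score)


if __name__ == "__main__":
    result = link_scores(parse_presence(SAMPLE_LOG))
    for pair, (matched, score) in sorted(result.items()):
        print(pair, matched, round(score, 2))
    print("likely linked:", likely_linked(result))
```

Requiring several coincidences (`min_matches`) matters because a single simultaneous disconnect can happen by chance; repeated ones across a day are what tie accounts together.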

Misogyny, Homophobia, Child Sexual Abuse

The messages in this RocketChat channel #general include the sort of misogyny, casual sexism, and crude anatomical references that have historically been endemic among certain groupings of young computer hackers. In one message, Angelo explained that the #general channel was for “pussy and boobs” and the #announcements channel and private messages were for work.

2022-02-08 14:56:47 angelo: you see, in general, pussy and boobs and announcements, in PM work

In one conversation on February 3, Angelo joked with others about raping a girl in her sleep. The replies included “iconic move” and “no, don’t touch them, they’re for meat when the pigeons and bums run out.”

Members of Conti also frequently used homophobic slurs in the chats. Human rights groups have denounced Russian prohibitions, under Putin, of so-called gay propaganda — acts considered to promote homosexuality — saying it contributes to an increasingly homophobic environment where acts of brutality against gay people are common.

On February 25, Patrick posted about how the Safe Internet League, an internet censorship organization in Russia, was going to declare Yuri Dud a foreign agent after a video he published about Ukraine. Dud is a well-known Russian journalist and YouTuber who identifies as Ukrainian. Patrick ended with “Kill the faggots!”

On February 28, Angelo and Kermit discussed child sexual abuse videos (what Kermit openly referred to as “child pornography”) and the ages of girls they liked to watch.

“The Boss” Is Missing

On February 21, the user “Frances,” who had only posted twice before that month strictly about work, posted a long and surprising update in the #general channel.

The “boss” of the Conti ransomware gang apparently disappeared and couldn’t be reached, probably because of “too much attention to the company from outside” and because of internal leaks. Conti didn’t have enough money in emergency reserves to even pay everyone’s salaries. Frances asked everyone to send him up-to-date contact information, take two to three months of vacation from work, and erase their tracks and clean up their accounts used for hacking in the meantime.

It’s unclear why Conti didn’t have enough money to pay salaries. John Shier, a senior security adviser at the security firm Sophos, told CyberScoop that Conti reportedly has a bitcoin wallet with $2 billion in it. And despite the request for employees to take vacation, there have been nearly two dozen news posts with hacked documents from ransomware victims on Conti’s extortion website since February 21.

2022-02-21 13:30:25 frances: @all

I sincerely apologize for having to ignore your questions the last few days. About the boss, Silver, salaries, and everything else. I was forced to because I simply had nothing to say to you. I was dragging my feet, screwing around with the salary as best I could, hoping that the boss would show up and give us clarity on our next steps. But there is no boss, and the situation around us is not getting any softer, and pulling the cat by the balls further does not make sense.

We have a difficult situation, too much attention to the company from outside resulted in the fact that the boss has apparently decided to lay low. There have been many leaks, post-New Year’s receptions, and many other circumstances that incline us all to take some time off and wait for the situation to calm down.

The reserve money that was set aside for emergencies and urgent team needs was not even enough to cover the last paycheck. There is no boss, no clarity or certainty about what we will do in the future, no money either. We hope that the boss will appear and the company will continue to work, but in the meantime, on behalf of the company I apologize to all of you and ask for patience. All balances on wages will be paid, the only question is when.

Now I will ask all of you to write to me in person: (ideally on Jabber:))
– Up-to-date backup contact for communication (preferably register a fresh, uncontaminated public Jabber account)
– Briefly your job responsibilities, projects, PL [programming language] (for coders). Who did what, literally in a nutshell

In the near future, we, with those team leaders, who stayed in line – will think how to restart all the work processes, where to find money for salary payments and with renewed vigor to run all our working projects. As soon as there is any news about payments, reorganization and getting back to work – I will contact everyone. In the meantime, I have to ask all of you to take 2-3 months off. We will try to get back to work as soon as possible. From you all, please be concerned about your personal safety! Clean up the working systems, change your accounts on the forums, VPNs, if necessary, phones and PCs. Your security is first and foremost your responsibility! To yourself, to your loved ones and to your team too!

Please do not ask about the boss in a private message – I will not say anything new to anyone, because I simply do not know. Once again, I apologize to my friends, I’m not excited about all these events, we will try to fix the situation. Those who do not want to move on with us – we naturally understand. Those who will wait – 2-3 months off, engaged in personal life and enjoy the freedom :)

All working rockets and internal Jabbers will soon be off, further communication – only on the private Jabbers. Peace be with you all!


]]>
<![CDATA[Canadian Conservative Denied Giving to “Freedom Convoy,” but His Name Was on Donor List]]> Thu, 17 Feb 2022 23:47:17 +0000 An analysis of hacked data shows that someone using the name Richard Ciano did, in fact, donate to the “Freedom Convoy.”

The post Canadian Conservative Denied Giving to “Freedom Convoy,” but His Name Was on Donor List appeared first on The Intercept.

Data from a site used to collect money for Canada’s “Freedom Convoy” protest movement against public health measures contains an entry listing a “Richard Ciano” as a donor to the group. The donation list is part of a larger set of hacked data from the Christian crowdfunding site GiveSendGo.

Richard Ciano, a prominent member of Canada’s conservative political circles, denied that he made this $100 donation, both to the Toronto Star and to the Global News. “I did not make any contributions whatsoever to the trucker convoy. I don’t know why or how my name appears on that list,” Ciano said.

It appears that Ciano’s denial was false. An analysis of the hacked data from GiveSendGo shows that someone using the name Richard Ciano did, in fact, donate to the “Freedom Convoy.” The information in the donor listing matches information from other sources, such as Toronto public records, tied to Ciano. (Ciano did not immediately respond to a request for comment.)

Ciano is the former president of the Ontario chapter of the Progressive Conservative Party. He also runs the political strategy firm Campaign Research Inc., which the party uses for polling.

Evidence in the Data

The GiveSendGo data shows that on February 6, someone made a $100 donation, with a $5 tip, to GiveSendGo’s “Freedom Convoy 2022” campaign using an American Express credit card. The donor marked the gift as “anonymous” but entered the name “Richard Ciano” in the form. The donation listing uses Ciano’s email address at, which is the website of his firm.

The donation record also lists a Canadian postal code as well as a unique identifier that represents a specific credit card charge associated with Stripe, the company that processes credit card payments for GiveSendGo.

The hacked data not only includes lists of GiveSendGo donors but also a separate database containing a wealth of detailed information about all Stripe transactions. By looking up the unique identifier from the donor rolls, it’s clear that Stripe successfully processed that transaction using the name “Richard Ciano” and the same postal code as the donor database.

The Stripe data also includes a link to the receipt for this transaction for $105 — $100 for the “Freedom Convoy” and an additional $5 for GiveSendGo. The receipt says, “Receipt from Jacob Wells.” Wells co-founded GiveSendGo.


Screenshot of the Stripe receipt for the transaction.

Credit: The Intercept

Canadian Postal Codes

The postal code attached to the GiveSendGo donation to the “Freedom Convoy” is also tied to Ciano in several ways.

Unlike American ZIP codes, Canadian postal codes are extremely specific. The postal code listed on the Ciano donation can be mapped to a single city block in Toronto. Since the Stripe transaction successfully went through, whatever credit card was used to do the transaction was associated with the postal code in the donor rolls.

The city of Toronto runs a website on which the public can search for donations to municipal political campaigns. A search of donations made during the 2018 municipal elections for the postal code from GiveSendGo lists two donations from Ciano.

Either someone else who shares the same name as Richard Ciano, has a billing address on the same Toronto city block as him, and uses his email address donated to the “Freedom Convoy” — or Ciano’s denial about the donation was false.

Donations to Anti-Vaccine Doctor

The “Freedom Convoy” is the second donation to a GiveSendGo campaign from Ciano. The first donation, on December 23 for $50, was in support of Dr. Peter McCullough, a cardiologist from Dallas who was fired from Baylor University Medical Center for spreading misinformation about Covid-19 vaccines.

McCullough has repeatedly lied about Covid-19 vaccines. “With all due respect, none of McCullough’s ideas have been supported by any randomized, double-blind, controlled clinical trials,” Dr. Anuj Malik, an infectious disease physician, told the Bartlesville Examiner-Enterprise, an Oklahoma news outlet, in an interview about McCullough.

The GiveSendGo listing for the Ciano donation to McCullough used a different credit card than the one used for the December donation — a Visa instead of an American Express — but both donations were successfully processed by Stripe using the same postal code. The GiveSendGo data also shows that the Campaign Research email address was subscribed to the crowdfunding site’s email list twice: once in December after the McCullough donation and again this month after his “Freedom Convoy 2022” donation.


]]>
<![CDATA[Oath Keepers, Anti-Democracy Activists, and Others on the Far Right Are Funding Canada's "Freedom Convoy"]]> Thu, 17 Feb 2022 18:29:52 +0000 The Intercept obtained the hacked donor data of GiveSendGo, including roughly 104,000 donors who contributed $9.6 million to “Freedom Convoy 2022” and “Adopt a Trucker.”

The post Oath Keepers, Anti-Democracy Activists, and Others on the Far Right Are Funding Canada’s “Freedom Convoy” appeared first on The Intercept.

Like many other major websites used by the far right, the self-described Christian crowdfunding site GiveSendGo, which was used by Canada’s “Freedom Convoy” protest movement against public health measures to raise millions of dollars, has been hacked very badly, exposing a massive amount of data about the movement’s donors. The data shows that this movement is supported by a broad-based international network of far-right activists, as well as wealthy donors, who are also involved in activism against Covid-19 vaccines, American democracy, and the Black Lives Matter movement in the United States.

On February 10, the Ontario Superior Court of Justice ordered GiveSendGo to freeze access to the money raised in both of these campaigns. “Know this! Canada has absolutely ZERO jurisdiction over how we manage our funds here at GiveSendGo,” the company tweeted in response. Shortly afterward, the hacker broke into the crowdfunding company’s website and stole the donation records — and a whole lot more.

Activists on the right are not happy about this.

The Intercept obtained the hacked donor data — including records of roughly 104,000 donors who gave $9.6 million to two separate GiveSendGo crowdfunding campaigns, “Freedom Convoy 2022” and “Adopt a Trucker” — from the transparency collective Distributed Denial of Secrets, which is releasing it to journalists and researchers who request access. (For the record, I’m an adviser to DDoSecrets.)

After analyzing the dataset, The Intercept discovered that the majority of donors to the “Freedom Convoy” included in the data are Americans, including U.S. billionaire Thomas Siebel, who is listed as donating $90,000, the largest individual donation. Hundreds of donors are members of the Oath Keepers, an American far-right paramilitary organization. Stewart Rhodes, the Oath Keepers’ founder, was the first January 6 insurrectionist to be charged with seditious conspiracy.

On Wednesday, a Washington Post analysis of U.S. ZIP codes in the data concluded that “the richer an American community was, the more likely residents there were to donate, and the biggest number of contributions often came from communities where registered Republicans made up solid majorities.”

“Freedom Convoy” donors also contributed $7.6 million to other fundraising campaigns on GiveSendGo’s platform.

Thousands of donors gave money to various anti-vaccine causes promoted by Project Veritas, a far-right group known for deceptively editing videos of its undercover operations. On Monday, The Intercept reported that Project Veritas has collaborated on a video project with America’s Frontline Doctors, a major anti-vaccine propaganda group that works with telehealth companies to rake in millions of dollars selling bogus treatments for Covid-19. After that article was published, Project Veritas and AFLDS both denied that they were working together despite the fact that the video trailer lists a Project Veritas staffer as a consulting producer and promotional materials prominently mention Project Veritas.

And thousands more helped fund efforts to overturn President Joe Biden’s 2020 electoral victory over Donald Trump. Many had also previously given in support of Kyle Rittenhouse, the far-right teenage vigilante who in 2020 shot three Black Lives Matter protesters, killing two of them, in Kenosha, Wisconsin. Rittenhouse was found not guilty on all counts.

Several donors used government email addresses from agencies like the Transportation Security Administration, the Department of Justice, the Federal Bureau of Prisons, and NASA. The Intercept found one donor who used an email address from the Correctional Service of Canada, the Canadian prison system.

Jacob Wells, co-founder of GiveSendGo, verified the authenticity of the hack to the Washington Post. The Globe and Mail confirmed that at least one donor listed in the hacked data donated to the campaign. Brad Howland, the president of a Canadian pressure washer company who donated $75,000 to the fund, issued a statement in support of the “Freedom Convoy.” Gizmodo reached out to several top donors listed in the data, but “only a single donor had responded—only to say Gizmodo should investigate Black Lives Matter instead.”

Most of the Money Came From Canadians

Of the 104,180 donations, 59 percent came from Americans, while only 39 percent came from Canadians. However, Canadians gave just over 50 percent, $4.8 million, of the total money raised, while American donations made up 44 percent, or $4.2 million.


The Intercept

The largest donation record in the hacked data is for $215,000 but does not include data about the donor or which country the money came from. The only information included is the note “Processed but not recorded.” Wells told the Washington Post that this isn’t a single donation at all but rather “an attempt by GiveSendGo to make the public-facing total amount raised accurate, lumping together many donations that came in offline or before its Freedom Convoy campaign page went live.”

The second-largest donation record is $90,000 from Siebel, a Silicon Valley billionaire who founded the enterprise software company Siebel Systems. The email address associated with his donation is hosted on the domain Siebel has supported right-wing causes in the past: In 2008 he hosted a fundraiser for then-vice presidential candidate Sarah Palin.

The third-largest donation record is $75,000 from Brad Howland, president of the Canadian pressure cleaner company Easy Kleen Pressure Systems. The hacked data marks Howland’s donation as “anonymous,” though he confirmed to the Globe and Mail that he made this donation and supports the “Freedom Convoy.” His donation included the comment “HOLD THE LINE!!!”

Hundreds of Oath Keepers Donated to the “Freedom Convoy”

By cross-referencing data from this hack with last year’s hack of the Oath Keepers, which included membership and donor records, The Intercept discovered 355 matches.

The Oath Keepers were key players in the deadly January 6 Capitol attack that was aimed at overturning Biden’s victory in the 2020 presidential election. Prosecutors allege that Oath Keepers stashed weapons at a nearby hotel as part of “quick reaction forces” that could activate if violence escalated.

Oath Keepers left comments with their donations such as: “NWO Tyrants need to be crushed by the fist of Liberty and Freedom. God bless these truckers and their supporters! Thank you!”; “Make Canada Great Again helps Make America Great Again”; and “The communist pigs in uniform are going to try and steal fuel and food. The Biden Junta is afraid of this happening here. this may be why DHS issued a domestic terrorist threat against americans exercising their first amendment rights. They want to silence free speech and separate people from forming groups to fight the communist coup.”

Thousands of “Freedom Convoy” Donors Gave to Other Anti-Vaccine and Far-Right Causes

The hacked data includes the history of every donation ever made through the GiveSendGo platform. “Freedom Convoy” donors gave a total of $7.6 million to other GiveSendGo campaigns, in addition to the $9.6 million given to the “Freedom Convoy” campaigns.

By comparing the email addresses of “Freedom Convoy” donors with donations from other GiveSendGo campaigns, The Intercept discovered that many of the same donors also gave money to other anti-vaccine causes championed by Project Veritas.

  • 1,693 “Freedom Convoy” donors also donated $63,000 to Morgan Kahmann, an anti-vaccine former Facebook employee and self-styled “whistleblower” who leaked an internal document about the social network’s Covid-19 misinformation moderation policy to Project Veritas. Kahmann’s GiveSendGo campaign earned him over $500,000.
  • 1,612 donors also gave $66,000 to Jodi O’Malley, who is described as a “Covid-19 Federal whistleblower.” O’Malley, a registered nurse who worked for Phoenix Indian Medical Center, recorded a video for Project Veritas making unsubstantiated claims that Covid-19 vaccines harmed patients and that ivermectin is an effective treatment for the virus. Public health experts advise against using ivermectin to treat Covid-19. O’Malley earned $475,000 from this GiveSendGo campaign.
  • 1,532 donors also donated $55,000 to Melissa Strickler, a former Pfizer manufacturing quality auditor who leaked company emails to Project Veritas that she believed showed the vaccine contained aborted fetal cells. This is false, but she still earned $347,000 from her GiveSendGo campaign.

The Intercept also discovered that many donors gave to anti-democracy efforts in the U.S., legal defense funds for January 6 prisoners, the legal defense fund for Rittenhouse, and various funds supporting the Proud Boys, an American hate group that also played a role in the January 6 Capitol attack.

  • Over 2,000 donors also gave more than $120,000 to campaigns aimed at reversing the 2020 election results. The most prominent campaign was for the Voter Integrity Project, run by former Trump campaign operative Matt Braynard. Braynard raised nearly $700,000 through GiveSendGo for his project, which he claimed would acquire voter data from swing states and use this data to prove that there was voter fraud in states where Trump lost to Biden. Braynard’s efforts have been widely discredited. In a Georgia case that cited his data, Democratic lawyers pointed out that “Braynard does not have the appropriate qualifications to opine on these topics, he does not follow standard methodology in the relevant scientific field, and the survey underlying several of his opinions is fatally flawed.” The case was eventually dismissed.
  • Over 2,000 donors also gave more than $130,000 to campaigns related to supporting the legal defense of people arrested for participating in the January 6 Capitol attack, including a fund started by a lawyer representing Ashli Babbitt’s family. Babbitt was shot and killed by a Capitol Police officer on January 6 inside the U.S. Capitol.
  • 1,166 donors also gave nearly $50,000 to Rittenhouse’s legal defense fund. This campaign raised a total of $629,000. Hundreds of donors also donated $16,000 to campaigns supporting the Proud Boys.

Donors Used Government Email Addresses

A handful of small donations were made using government email addresses.

Someone donated using an email address from the Correctional Service of Canada, the Canadian agency responsible for running prisons. While the user listed his real first and last name in the donation, he put “George Soros” as his display name.

Another person donated multiple times with their U.S. Department of Justice email address. Two people donated using Federal Bureau of Prisons email addresses, and two others donated using NASA email addresses. One donor used their email address. Someone with a U.S. Navy email address donated $50 and listed their display name as “Lets Go Brandon,” and someone with a U.S. Army email address donated $25.

One person used his TSA email address to donate $50 to the anti-vaccine mandate “Freedom Convoy.” The transportation agency has enforced mandates, like requiring passengers to remove their shoes when going through airport checkpoints, in the name of security since September 11, 2001.

The post Oath Keepers, Anti-Democracy Activists, and Others on the Far Right Are Funding Canada’s “Freedom Convoy” appeared first on The Intercept.

<![CDATA[Disinformation Doctors and Project Veritas Deny Teaming Up to Harass Medical Officials]]> Mon, 14 Feb 2022 13:05:55 +0000 America's Frontline Doctors launched a video series devoted to Covid-19 disinformation and claimed it was teaming up with Project Veritas.

The post Disinformation Doctors and Project Veritas Deny Teaming Up to Harass Medical Officials appeared first on The Intercept.

Project Veritas, the far-right group known for deceptively editing videos of its undercover operations, has denied partnering with anti-vaccine propaganda group America’s Frontline Doctors on a video series called “Doc Tracy: Physician Investigator.” The series appears to be aimed at harassing medical regulators and spreading Covid-19 pandemic disinformation.

After publication, both AFLDS and Project Veritas disputed that they were working together, despite the fact that “Christian Hartsock, Project Veritas” was credited in the series trailer as a “consulting producer” and Project Veritas was prominently mentioned in promotional materials. An email received by The Intercept after signing up for a “Doc Tracy” promotions list stated: “Thank you for joining me and my fellow detectors on the Project Veritas Muckraker tour.” That reference has now been removed from the “Doc Tracy” promotional email and the consulting producer credit has been removed from the trailer. Neither Project Veritas nor AFLDS responded to requests for comment prior to publication.

The series stars Christopher Rake, a former anesthesiologist at UCLA Health. “I’m willing to lose everything — job, paycheck, freedom, even my life for this cause,” he said in a video he recorded of himself as UCLA staff escorted him out of the medical facility where he worked in October for refusing to take the Covid-19 vaccine. He’s the founder of the anti-vaccine group Citizens United for Freedom. In a crowdfunding campaign for his group, he wrote, “I’m a physician, a follower of Jesus, and a patriot who lost his job because I stood up for freedom.”

A trailer for the “Doc Tracy” video series — which the group released on January 29 to its more than 400,000 Twitter followers, its over 200,000 Telegram channel subscribers, and on its email newsletter — includes a few seconds of Kristina Lawson, president of California’s medical board, being accosted in a parking garage. On December 6, people who identified themselves as members of AFLDS followed and intimidated Lawson. In interviews and on a Twitter thread, Lawson said the group parked an SUV at the end of her driveway in Walnut Creek, California, flew a drone over her house, watched her children drive to school, and then followed her to work. When she left work, Lawson said, four men “ambushed” her in a dark parking garage with cameras, saying they wanted to interview her.

AFLDS’s founder, Dr. Simone Gold, who has reached a plea agreement for her role in the deadly January 6 attack on the U.S. Capitol, is a licensed medical doctor in the state of California. In September, The Intercept revealed that AFLDS works with a network of telehealth companies to rake in millions of dollars selling hydroxychloroquine, ivermectin, and online consultations to Covid-19 vaccine skeptics. Most doctors, as well as the Food and Drug Administration, National Institutes of Health, American Medical Association, and World Health Organization, advise against prescribing these two medicines to treat or prevent Covid-19. Because of Gold’s work with AFLDS spreading disinformation about the vaccine’s safety and efficacy and selling unproven treatments for Covid-19, the state medical board has been under pressure by other medical doctors and pro-science activists to strip her of her license. The Intercept confirmed that the board is actively investigating Gold.

The AFLDS website has a form to sign up for updates about the new “Doc Tracy” video series, which it says will be released this month. The form includes the question, “Are you a social media influencer (any size) and would you like to be involved (paid or unpaid) in promoting Doc Tracy?”

After signing up for updates, the website sent an automated email that stated, “Thank you for joining me and my fellow fraud detectors on the Project Veritas Muckraker Tour. What an event!” The email said the video series will ask “tough questions from people who really don’t want to answer them” and that “They’re going to cry crocodile tears like Kristina Lawson did.” Project Veritas subsequently denied involvement in the video series. AFLDS eventually removed references to Project Veritas from its promotional materials.


Automated email sent after signing up for updates about the Doc Tracy video series.

Image: The Intercept

The trailer originally listed “Christian Hartsock, Project Veritas” as a consulting producer. Hartsock is a “senior investigative reporter” for Project Veritas. On February 1, just after promoting the trailer for the video series, Gold posted to Twitter and Telegram, “What a joy and an honor to join Project Veritas this week in the freedom state of Florida.”

The post includes a photo of Gold and her colleague John Strand — a professional model and actor who hosts short “fake news” segments for AFLDS and who has also been charged in the January 6 riot at the Capitol — standing with Rep. Matt Gaetz, R-Fla. Gaetz is currently under federal investigation for allegedly sex trafficking a 17-year-old girl.


Photo of Matt Gaetz (R-FL), Simone Gold, and John Strand, posted to AFLDS social media accounts.

Photo: AFLDS

Gold and Gaetz were likely attending an event related to the launch of Project Veritas founder James O’Keefe’s new book, “American Muckraker.” O’Keefe is calling his book tour the “Project Veritas Muckraker Tour.”

The trailer for the new AFLDS video series includes images of discredited scientist Dr. Robert Malone and his suspended Twitter account, while a voiceover says, “In a time where stating the facts is made illegal.”

On December 31, Malone was a guest on “The Joe Rogan Experience,” the $100 million Spotify podcast, where he used his credentials as an early researcher on mRNA gene transfer techniques to promote disinformation about Covid-19 vaccines. He also compared Covid-19 vaccination efforts in the U.S. to Germany when the Nazi Party rose to power.

In response to the episode, over 1,300 doctors, nurses, scientists, and professors signed an open letter to Spotify demanding that the company “immediately establish a clear and public policy to moderate misinformation on its platform.” This letter sparked a backlash against Spotify, with major artists including Neil Young and Joni Mitchell boycotting the platform and users canceling their accounts en masse.

Update: February 24, 2022

This article has been updated to reflect the fact that AFLDS has removed a credit listing “Christian Hartsock, Project Veritas” as consulting producer from the trailer promoting its new video series.

Update: February 22, 2022

This article has been updated to reflect the fact that AFLDS has removed references to Project Veritas from its Doc Tracy promotional emails.

Update: February 17, 2022

After publication, Project Veritas and AFLDS both denied that they were working together, despite the fact that the video trailer listed a Project Veritas staffer as a consulting producer and promotional materials prominently mentioned Project Veritas. The Intercept gave both AFLDS and Project Veritas ample opportunity to provide comments before publication, but neither group responded to our inquiries.

Winston Smith from Project Veritas provided the following statement: “The references to Project Veritas in America Frontline Doctors’ production was neither done with Project Veritas’ knowledge or approval. Project Veritas was not involved in the creation and production of Doc Tracy. Christian Hartsock is not a credited producer. This error is being corrected. Mr. Hartsock has had conversations with AFD about journalism, but his involvement goes no further.”

<![CDATA[America’s Frontline Doctors Plans to Open Clinics as California Medical Board Investigates Founder]]> Mon, 20 Dec 2021 11:00:42 +0000 The “disinformation doctors” are expanding, even as Congress and state medical boards scrutinize the operation and the group’s founder, Simone Gold.

The post America’s Frontline Doctors Plans to Open Clinics as California Medical Board Investigates Founder appeared first on The Intercept.

America’s Frontline Doctors, an organization that has been widely criticized for spreading false information about Covid-19 vaccines and advocating for potentially dangerous replacements, is expanding. According to a newsletter the group sent to its supporters last week, “AFLDS is opening its first medical clinic in the coming months, with many more planned shortly after.” The email includes a link to forms that can be filled out by doctors and nurses who want to work with AFLDS, and pharmacists who want to fill prescriptions for unproven Covid-19 medications, so they can become part of the AFLDS network.

The expansion comes amid increased scrutiny of AFLDS from the media, Congress, and the Medical Board of California. Doctors associated with AFLDS have prescribed hundreds of thousands of patients hydroxychloroquine and ivermectin through a telemedicine service, hacked records obtained by The Intercept revealed in September. And the network of online health care companies associated with AFLDS has charged patients millions of dollars. In October, citing The Intercept’s report and related reporting by Time magazine, the House Select Subcommittee on the Coronavirus Crisis announced an investigation into AFLDS and the companies it works with, calling them “predatory actors” that have been “touting misinformation and using it to market disproven and potentially hazardous coronavirus treatments.”

Pressure has been mounting for the California medical board to strip AFLDS’s founder, Simone Gold, of her license in the state. Gold, who was arrested and charged after the deadly attack on the U.S. Capitol on January 6, refers to Covid-19 vaccines as “experimental biological agents.” The Intercept confirmed that the board is actively investigating Gold, though it declined to share further information about the investigation or make any statements about Gold, saying that such matters are confidential until the state attorney general’s office files a complaint.

Earlier this month, the president of California’s medical board, Kristina Lawson, alleged that people who identified themselves as members of AFLDS followed and intimidated her. Lawson described the ordeal in a Twitter thread. She said the group parked an SUV at the end of her driveway in Walnut Creek, flew a drone over her house, watched her children drive to school, and then followed her to work. When she left work, she said four men “ambushed” her in a dark parking garage with cameras, saying they wanted to interview her. Lawson said they never contacted her, the medical board’s press office, or her company asking for an interview through professional channels. “I’m not going to be intimidated by these terrorizing tactics,” Lawson told MSNBC, noting that she has since hired private security. The California board declined to answer specific questions from The Intercept about the incident.

AFLDS did not respond to a request for comment.

State Medical Boards

In July, the Federation of State Medical Boards, the national organization representing all U.S. state medical boards, issued a statement saying that “physicians who generate and spread COVID-19 vaccine misinformation or disinformation are risking disciplinary action by state medical boards, including the suspension or revocation of their medical license” and that “spreading inaccurate COVID-19 vaccine information contradicts that responsibility, threatens to further erode public trust in the medical profession and puts all patients at risk.”

Last week, an organization founded by emergency room doctors working on the frontlines of the Covid-19 pandemic, No License for Disinformation, released a scathing new report urging state medical licensing bodies to investigate doctors who deliberately spread misleading or false Covid-19 information and hold them accountable. “State medical boards must act immediately to support the overwhelming, evidence-based medical consensus, stop the attack on science and medicine, and most importantly, prevent further unnecessary COVID-19 deaths,” the report, published in collaboration with the public health nonprofit the de Beaumont Foundation, states.

The report argues that a “small but vocal minority of physicians” — including those affiliated with AFLDS — “are intentionally and publicly spreading disinformation about COVID-19 and vaccines.” They are “putting lives at risk and violating their professional oath,” the report says, noting that state medical boards have so far failed to act. Nine out of 10 Americans believe that doctors who intentionally mislead the public about Covid-19 and vaccines should be held accountable, according to a poll included in the report, and 91 percent believe that doctors do not have the right to intentionally spread misinformation or false health information.

AFLDS’s Expanding Reach

In recent months, AFLDS has also ramped up its efforts to undermine the Covid-19 vaccine. AFLDS distributes high-quality propaganda videos to its more than 200,000 followers on Telegram, and to Gold’s 380,000-plus followers on Twitter, often publishing multiple videos a week. AFLDS “correspondent” John Strand, a professional model and actor, hosts short fake news segments called “Frontline Flash” about the dangers of Covid-19 vaccines. AFLDS also posts videos to social media under the brand “Frontline Films” showing seemingly ordinary Americans sharing anecdotes about ivermectin saving their lives.

In addition to the telemedicine provider SpeakWithAnMD, which The Intercept has previously reported on, AFLDS is also now using a second telemedicine platform, GoldCare Telemed. When visitors request medication through the AFLDS website, those who self-report symptoms are directed to SpeakWithAnMD, and asymptomatic people are sent to GoldCare Telemed, a new website set up in late November. The two sites appear to be using the same underlying platform. Like SpeakWithAnMD, GoldCare Telemed includes a disclaimer requiring patients to acknowledge that public health organizations deem ivermectin and hydroxychloroquine “Highly Not Recommended.”


Like SpeakWithAnMD, GoldCare Telemed includes a disclaimer requiring patients to acknowledge that public health organizations deem ivermectin and hydroxychloroquine “Highly Not Recommended.”

Screenshot: The Intercept

AFLDS’s efforts have even edged their way into Pennsylvania’s state legislature. In July, Republican state Rep. Dawn Keefer introduced a bill in the Pennsylvania legislature that would allow doctors to prescribe ivermectin and hydroxychloroquine to treat Covid-19, despite both being ineffective at treating the virus, and would require pharmacists to dispense these medications.

The bill came up for debate last Monday. Dr. Robert Schmidt, a family medicine doctor who falsely claimed that hydroxychloroquine was an effective treatment for Covid-19 and brought up a discredited theory about ivermectin use in the Indian state of Uttar Pradesh, cited the story of Darla and Keith Smith. On November 10, the Pennsylvania couple both tested positive for Covid-19. It’s not known if they had been vaccinated against the virus. “We both did teleconsults with America’s Frontline Doctors and we both got ivermectin scripts approved, but it never came in the mail,” Darla told a local ABC News station. Keith, 52, was hospitalized. His condition deteriorated, and by November 21 he was transferred to the intensive care unit. When doctors at UPMC Memorial refused to treat him with ivermectin because it was not part of the hospital’s Covid-19 protocols, Darla sued the hospital and won.

On December 5, a nurse administered ivermectin to Keith, who at this point was in a medically induced coma, through his feeding tube. After he received a second dose, the doctor overseeing his ivermectin administration ended the treatment because his condition had deteriorated. Last Sunday, a week after receiving ivermectin, Keith Smith died of Covid-19.

<![CDATA[House Coronavirus Committee Launches Investigation Into Organizations Pushing Hydroxychloroquine, Ivermectin]]> Mon, 01 Nov 2021 19:46:25 +0000 The investigation into America’s Frontline Doctors and comes after an Intercept story revealed a right-wing network making millions.

The post House Coronavirus Committee Launches Investigation Into Organizations Pushing Hydroxychloroquine, Ivermectin appeared first on The Intercept.

On Friday, Rep. James Clyburn, D-S.C., chair of the House Select Subcommittee on the Coronavirus Crisis, announced an investigation into the right-wing, anti-science propaganda group America’s Frontline Doctors and telemedicine provider following an Intercept investigation. Clyburn called the two organizations “predatory actors” that have been “touting misinformation and using it to market disproven and potentially hazardous coronavirus treatments” such as ivermectin and hydroxychloroquine.

The committee, citing The Intercept, requested documents from America’s Frontline Doctors, or AFLDS, and SpeakWithAnMD about their business practices and profits. It wrote to the Federal Trade Commission requesting that the agency investigate whether these companies are in violation of federal laws.

“Attempts to monetize coronavirus misinformation have eroded public confidence in proven treatments and prevention measures and hindered efforts to control the pandemic,” Clyburn wrote in his letter to AFLDS. “Some Americans who have been influenced by misinformation have chosen not to get vaccinated, delayed receiving evidence-based treatment, and ingested unapproved substances in harmful quantities.”

An investigation by Time in August, also cited by Clyburn, revealed that hundreds of AFLDS patients paid SpeakWithAnMD $90 for Covid-19 consultations hoping to get ivermectin or hydroxychloroquine, which public health authorities say should not be taken to treat or prevent Covid-19, but never received the medicine. Some were charged for the consultations but never got a call back from a physician; others who did get prescriptions were charged up to $700 for the medication.

In September, The Intercept obtained hacked data revealing that the network of right-wing health care companies was making millions advertising, prescribing, and distributing ivermectin and hydroxychloroquine as an alternative to the highly effective Covid-19 vaccines. Between July and September, 72,000 patients whom AFLDS referred to SpeakWithAnMD were charged an estimated $6.7 million for telemedicine consultations alone. AFLDS began referring patients to SpeakWithAnMD in January, and The Intercept does not have data between January and July, so the total revenue from the operation is likely considerably higher.

SpeakWithAnMD then wrote prescriptions for the questionable treatments that were filled by the online pharmacy Ravkoo, which is not a subject of the House investigation. Ravkoo, according to the hacked data, charged patients an additional $4.7 million for ivermectin, $2.4 million for azithromycin, and $1.2 million for hydroxychloroquine between November and August.

The SpeakWithAnMD site was taken offline for a week after The Intercept’s story, which revealed security holes around sensitive patient data on and Ravkoo. Both sites are now up and running again. “[SpeakWithAnMD] is not part of the anti-vax movement, and we do not oppose vaccinations,” Jim Flinn, a public relations agent working for SpeakWithAnMD, told The Intercept. Alpesh Patel, Ravkoo’s CEO, told The Intercept that his online pharmacy no longer works with AFLDS.

In letters to Simone Gold and Jerome Corsi, the founders of AFLDS and SpeakWithAnMD, respectively, Clyburn requested detailed records from both companies, including documents related to ownership, organizational structure, and staffing; details about the doctors’ training and qualifications; numbers of patients and what they were prescribed; and descriptions of the companies’ total revenue and net income for each quarter.

The idea behind AFLDS was first floated during a May 11, 2020, conference call between a senior staffer in former President Donald Trump’s reelection campaign and the Republican activist group CNP Action, during which they reportedly discussed finding “extremely pro-Trump” doctors to go on TV and defend Trump’s plan to rapidly reopen the economy despite the more cautious safety guidance coming from the Centers for Disease Control and Prevention. Gold, who was arrested and charged after the deadly attack on the U.S. Capitol on January 6, calls Covid-19 vaccines “experimental biological agents.”

Corsi is a former host of InfoWars who reportedly spoke to Trump before he was elected president on several occasions about the false “birtherism” conspiracy theories about former President Barack Obama’s citizenship. Corsi was also caught up in special counsel Robert Mueller’s investigation into Russian interference in the 2016 election.

In another letter to Lina Khan, chair of the FTC, Clyburn requested that the agency “investigate the deceptive conduct of companies promoting and profiting from misinformation” about the pandemic, singling out AFLDS and SpeakWithAnMD. “Misinformation endangers public health and fuels vaccine hesitancy by promoting the false ideas that coronavirus vaccines are unsafe and ineffective and that alternative drugs can prevent or cure coronavirus infections,” Clyburn wrote. “Exploiting these falsehoods for financial gain puts American lives at risk and sets back our nation’s efforts to combat the spread of the coronavirus. I am concerned that these predatory practices are endangering American lives and harming our efforts to stop the spread of the virus.”

Clyburn’s letter says he believes that the companies’ deceptive practices could “violate the FTC Act, the COVID-19 Consumer Protection Act, or other relevant laws. For these reasons, I urge FTC to open an investigation into these matters and appropriately exercise its enforcement authority.”

<![CDATA[Network of Right-Wing Health Care Providers Is Making Millions Off Hydroxychloroquine and Ivermectin, Hacked Data Reveals]]> Tue, 28 Sep 2021 21:37:20 +0000 The data also reveals that 72,000 people paid at least $6.7 million for Covid-19 consultations promoted by America’s Frontline Doctors and vaccine conspiracist Simone Gold.

The post Network of Right-Wing Health Care Providers Is Making Millions Off Hydroxychloroquine and Ivermectin, Hacked Data Reveals appeared first on The Intercept.

A network of health care providers pocketed millions of dollars selling hydroxychloroquine, ivermectin, and online consultations, according to hacked data provided to The Intercept. The data show that vast sums of money are being extracted from people concerned about or suffering from Covid-19 but resistant to vaccinations or other recommendations of public health authorities.

America’s Frontline Doctors, a right-wing group founded last year to promote pro-Trump doctors during the coronavirus pandemic, is working in tandem with a small network of health care companies to sow distrust in the Covid-19 vaccine, dupe tens of thousands of people into seeking ineffective treatments for the disease, and then sell consultations and millions of dollars’ worth of those medications. The data indicate patients spent at least $15 million — and potentially much more — on consultations and medications combined.

The Intercept has obtained hundreds of thousands of records from two companies, and Ravkoo, revealing just how the lucrative operation works. America’s Frontline Doctors, or AFLDS, has been spreading highly politicized misinformation about Covid-19 since the summer of 2020 and refers its many followers to its telemedicine partner, which uses Cadence Health as a platform. People who sign up then pay $90 for a phone consultation with “AFLDS-trained physicians” who prescribe treatments such as hydroxychloroquine and ivermectin to prevent and treat Covid-19. The drugs are delivered by Ravkoo, a service that works with local pharmacies to ship drugs to patients’ doors. Of course, that’s if patients ever get the consultation; many customers told Time they never received the call after paying.

The data from the Cadence Health and Ravkoo sites was provided to The Intercept by an anonymous hacker who said the sites were “hilariously easy” to hack, despite promises of patient privacy. It was corroborated by comparing it to publicly available information. The Intercept is not publishing any individual patient data and has taken steps to secure the data. After The Intercept reached out, Cadence Health’s Roque Espinal-Valdez said he shut the platform down, not wanting any part in profiting off of Covid-19 “quackery.”

America’s Frontline Doctors, which debuted in the summer of 2020, has close ties to a network of right-wing efforts to undermine public health during the pandemic, including the Tea Party Patriots. AFLDS’s founder, physician Simone Gold, was arrested and charged after the deadly attack on the U.S. Capitol on January 6. She and other doctors have appeared in widely shared videos arguing that the drugs hydroxychloroquine and ivermectin — which are primarily used to treat malaria in humans and parasitic worms in livestock, respectively — are effective treatments for Covid-19, despite warnings from the World Health Organization and Centers for Disease Control and Prevention against using them.

The extremely partisan group also misleads people about Covid-19 vaccines, which they refer to as “experimental biological agents,” and against public health measures like vaccine mandates, masking, social distancing, and restrictions on businesses. In a video titled “The Truth About Covid-19 Vaccines,” which has received over 1.3 million views, Gold falsely argues that Covid-19 is not very deadly and that the vaccines are more dangerous than the virus itself. Over 690,000 Americans so far have died from the virus, and unvaccinated people now make up 99 percent of recent Covid-19 deaths.

“Misinformation can be really powerful to swindle people into buying products,” Dr. Kolina Koltai, who researches vaccine misinformation in digital communities at the University of Washington’s Center for an Informed Public, told The Intercept. “America’s Frontline Doctors are able to scale this up massively.”

The hacked data includes information on 281,000 patients created in the Cadence Health database between July 16 and September 12, 2021 — 90 percent of whom were referred from America’s Frontline Doctors. In just those two months, patients paid an estimated $6.7 million for consultations. The data also includes notes from patients’ phone consultations, which sometimes include medical histories and prescription information.

Roque Espinal, Cadence Health’s CEO, told The Intercept that he was unaware of the scheme and that Cadence Health simply provided a telehealth platform for SpeakWithAnMD, its patients, and physicians. “I’m totally flabbergasted. I had to look up exactly who these people were,” he said. “I’m fully vaccinated. My children are fully vaccinated. I’m trying to make heads and tails of this right now.” After talking with The Intercept on Monday, Espinal said he terminated service with SpeakWithAnMD. He added, “I don’t want to be associated with any crap like that. None of that quackery that’s going on.” SpeakWithAnMD’s telemedicine platform, which relies on Cadence Health, is currently down.

“[SpeakWithAnMD] is not part of the anti-vax movement and we do not oppose vaccinations,” Jim Flinn, a public relations agent working for the site’s parent company, Encore Telemedicine, told The Intercept.

“American Frontline Doctor’s [sic] take these issues very seriously,” Thomas Gennaro, a lawyer for America’s Frontline Doctors, told The Intercept in a statement. “For AFLDS, positive patient-physician outcomes and confidentiality is critical. We understand that the information from this was reported to the FBI, and AFLDS launched a third-party audit and are responding to this issue with the utmost attention.”

The hacker also provided records of 340,000 prescriptions that Ravkoo has filled between November 3, 2020, and September 11, 2021 — amounting to an estimated $8.5 million in drug costs. Forty-six percent of the prescriptions are for hydroxychloroquine or ivermectin, and another 30 percent are for zinc or azithromycin, two other ineffective medications that the SpeakWithAnMD physicians, who America’s Frontline Doctors claims it trains, prescribe in their Covid-19 consultations.

“We take data breaches very seriously,” Ravkoo CEO Alpesh Patel told The Intercept. Patel claims that Ravkoo stopped doing business with SpeakWithAnMD and AFLDS at the end of August because “the volume over there went up crazy, and we didn’t feel comfortable. And we don’t have that much capacity to fill that many prescriptions.” The hacked data shows that they filled hundreds more prescriptions for AFLDS in the first weeks of September. “That might be refills or prescriptions that got stuck and we had to fill it,” Patel claimed.

The WHO recommends against taking hydroxychloroquine to treat Covid-19 because it’s ineffective and can have negative side effects. Cardiologists warn that hydroxychloroquine taken with azithromycin, a combination that former President Donald Trump publicly supported, increases the risk of dangerous irregular heartbeats that could be fatal. The CDC advised people not to take ivermectin, saying that it can cause “severe illness.” The Food and Drug Administration issued similar warnings and tweeted, “You are not a horse. You are not a cow. Seriously, y’all. Stop it,” with a link to an article explaining that taking it for Covid-19 can cause extreme health issues.

At least one of the prescribers is aware that medical experts recommend against using these drugs to prevent or treat Covid-19 but prescribed them anyway, according to patient records. One physician included this disclaimer in their consultation notes with several patients: “I, [physician’s name], have a complete understanding of the recent release from the WHO, FDA, CDC, and NIH on March 5th, 2021 as it pertains to the use and prescribing of Hydroxychloroquine and Ivermectin. I understand that these two medications have been deemed ‘Highly Not Recommended’ by the for-mentioned [sic] medical governing bodies but are not illegal to prescribe. … I have explained that I will not be held legally or medically responsible for an adverse reaction by this patient should they choose to take them and have explained they will not be able to hold me medically neglectful, pursue any form of malpractice, nor any criminal and civilly [sic] suits.”

Beginning last week, the intake form began showing a similar disclaimer to all patients. “As a potential patient, I acknowledge and understand that the Hydroxychloroquine (HCQ) and Ivermectin have been deemed ‘Highly Not Recommended’ by the WHO, FDA, CDC, and NIH,” the disclaimer says. “Should a patient choose to not disclose their proper medical history, the clinician cannot be held liable nor can any medical license in any state be reviewed or held accountable.” Patients must check a box that says “I understand” to continue.

“In facilitating the doctor/patient relationship, our MD’s are fully licensed and operate within the rules and regulations of the medical profession,” Flinn, the spokesperson for SpeakWithAnMD’s parent company, said. “If a TeleMD in the Speak program decides any FDA medication is appropriate, then the MD can prescribe an FDA-approved medication off-label for any medical condition the TeleMD considers appropriate.”


Chart: Soohee Cho/The Intercept

“Extremely Pro-Trump” Doctors

The foundation for America’s Frontline Doctors was laid in a May 11, 2020, conference call between a senior staffer in Trump’s reelection campaign and the Republican activist group CNP Action. They reportedly discussed finding “extremely pro-Trump” doctors to go on TV and defend Trump’s plan to rapidly reopen the economy despite the more cautious safety guidance coming from the CDC.

Then, on June 24 of last year, Gold started an Arizona nonprofit called the Free Speech Foundation with a million-dollar annual budget and fiscal sponsorship from the Tea Party Patriots Foundation. America’s Frontline Doctors, which is a project of this nonprofit, launched on July 27, 2020. Gold, who NPR confirmed is a licensed physician in California, along with other doctors in white lab coats, held a press conference on the steps of the Supreme Court building where they falsely claimed that a cocktail of hydroxychloroquine, azithromycin, and zinc could “cure” Covid-19. Another of the group’s doctors who spoke outside the court was Stella Immanuel, who called the use of masks unnecessary, and quickly earned viral fame when it was revealed that she had previously claimed that the uterine disorder endometriosis is caused by sex with demons that takes place in dreams. The event was livestreamed on Breitbart, and videos of it were viewed millions of times on social media after being shared on Twitter by then-President Trump before tech companies took them down for violating rules against pandemic misinformation. More recently, the group has been promoting ivermectin as a miracle cure for Covid-19.

“[America’s Frontline Doctors] are really good at manipulating science to seem like the vaccine is not safe, or is not tested, or is not necessary, which is why they’ve been particularly impactful in the last year plus,” Koltai said.

But it wasn’t until early 2021, when over 345,000 Americans had already died from the pandemic, that America’s Frontline Doctors started to advertise $90 telehealth consultations to receive prescriptions for alternative treatments to Covid-19 on its site.

On January 3, Gold told a packed, maskless church audience in Tampa, Florida, that America’s Frontline Doctors made “hydroxychloroquine available for the entire nation by going to our website.” A video of the lecture, “The Truth About the Covid-19 Vaccine,” has been viewed 1.3 million times on the video-hosting site Rumble after being removed from YouTube. “Then you can consult with a telemedicine doctor. And whether you have Covid, or you don’t have Covid, or you’re just worried about getting Covid, you can get yourself a prescription and they mail it to you.” She added, “The big fight wasn’t the virus, it was the fear.”

Simultaneously, America’s Frontline Doctors began referring its followers for telemedicine appointments. Its website leads prospective customers through a series of preliminary questions before directing them to “Find out how to obtain prescription medication for COVID-19 with our AFLDS-trained physicians in three easy steps,” it reads, before a prominent “Get Medication” button.

AFLDS reaches its audience through a variety of social media platforms. Gold, the group’s founder, has more than 340,000 Twitter followers, and she regularly posts anti-vaccine content, such as this video of podcaster Joe Rogan falsely claiming that ivermectin and other drugs that have been shown to be ineffective at treating Covid-19 had cured him of the virus.

On Saturday, Gold started an account on Gab, a social media site popular with right-wing extremists, and she already has more than 36,000 followers who have posted thousands of comments on her page. AFLDS’s Facebook page has 112,000 followers, its Telegram channel has 184,000 subscribers, and 28,000 people are subscribed to the group’s channel on Rumble.

Their anti-vaccine propaganda also shows up in religious email newsletters, like this one from a group called Bridge Connection Ministries, which contains a plug for AFLDS that asks, “Have you been exposed to COVID by someone who was recently VAXXED?”


Bridge Connection Ministries newsletter.

Screenshot: The Intercept

Cadence Health

The two months’ worth of patient records that The Intercept has access to show that AFLDS referred over 255,000 people to speak with physicians in order to get Covid-19 treatments. Of those people, 72,000 paid $90 for phone consultations, and many of those had follow-up consultations costing $59.99 each. The hacked data from Cadence Health does not include payment data itself, but doing the math, in just that two-month period, patients appear to have paid more than $6.7 million for phone consultations alone. This data does not include all of the $90 phone consultations from January to July, when SpeakWithAnMD appears to have hosted the intake forms for $90 telemedicine consultations directly, according to archived versions of the site. The telemedicine site appears to be billing patients directly and not their insurance companies.

Espinal claims that Cadence Health didn’t collect credit card payments and that the $90 charges for telehealth were made using SpeakWithAnMD’s payment processor. Espinal told The Intercept he charged SpeakWithAnMD a total of $17,500 for using its platform and that SpeakWithAnMD was his first and only customer.

After The Intercept reached out to the companies for comment on Monday, SpeakWithAnMD’s parent company, Encore Telemedicine, had an emergency meeting with lawyers from AFLDS, according to Espinal, who briefly attended the meeting via Zoom. “There were 16 different attorneys,” he told The Intercept, though Gold was not present. According to Espinal, he told the lawyers, “I’m ending my contract with you guys immediately,” and then left. Afterward, he took down Cadence Health’s service, preventing SpeakWithAnMD from operating.

The hacked data from Cadence Health gives insight into the patients themselves. Of those 72,000 patients in that two-month period, 58 percent were female, 38 percent were male, and 4 percent chose not to answer the question. While people of all ages sought consultations with AFLDS’s health care providers, people in their 50s and 60s were more likely to engage than other age groups. According to data provided by the CDC, Covid-19 patients aged 50 to 64 are four times more likely to be hospitalized and 30 times more likely to die than people aged 18 to 29. Covid-19 patients aged 65 to 74 are five times more likely to be hospitalized and 90 times more likely to die.

People in every state in the country, as well as Washington, D.C., sought the unproven Covid-19 treatments. 8,600 people in California paid $90 for telehealth consultations, as did another 8,000 in Florida and 7,400 in Texas. More than 1,000 people in each of an additional 21 states consulted health care providers through the service. The only states that contained fewer than 100 patients were Delaware and Vermont. Houston, Las Vegas, Phoenix, and Jacksonville all had over 300 patients.

This map, based on the hacked data, shows how many people sought unproven Covid-19 treatments from each city, for cities that have at least 10 users. Each dot is mapped to the geographic center of the city. No individual home addresses are represented in the map.


Ravkoo filled its first prescription from AFLDS just 10 days after Gold’s “The Truth About the Covid-19 Vaccine” speech, on January 13, for hydroxychloroquine. In the data for the prescription, “AMERICAS FRONT LINE DOCTORS – ENCORE” is listed under the “remarks” field.

In the hacked data, each of the 340,000 prescriptions filled by Ravkoo between November 3, 2020, and September 11, 2021, lists a price. Adding up the prices of each type of medication shows that the online pharmacy apparently charged people a total of $4.7 million for ivermectin, $2.4 million for azithromycin, $1.2 million for hydroxychloroquine, $175,000 for zinc, and $52,000 for vitamin C. It appears that the vast majority of these medicines were paid for out-of-pocket rather than through insurance. Only $500 of these medicine sales were paid by insurance providers. Patel told The Intercept that Ravkoo doesn’t take a cut of prescription sales and that they run a platform that delivers prescriptions to local pharmacies — “Just like Uber,” he said — but didn’t answer follow-up questions about Ravkoo’s business model.

The Better Business Bureau warns that there are “current alerts” for Ravkoo, where the pharmacy has one out of five stars. Customers describe the pharmacy ignoring calls and emails about prescriptions for Covid-19 medicine from AFLDS.

On September 2, the pharmacy responded to complaints to the Better Business Bureau, saying, “We are no longer affiliated with AFLD [sic] or We are working diligently to resolve this issue.” Yet the hacked data includes 268 prescriptions that mention AFLDS between September 2 and September 11, the date Ravkoo was hacked.


Chart: Soohee Cho/The Intercept

When asked why the vast majority of prescriptions filled by Ravkoo appear to be for unproven Covid-19 treatments, Patel explained, “We don’t control who sends us business. Let’s put it that way. We don’t have formal contracts with particular companies. Patients can send us business.” Ravkoo could “find pharmacies for our patients who can pull ivermectin and get them at a lower cost. So patients are talking to each other, and that’s how that business might have — how America’s Frontline might have got to know us and started sending us business.”

Patel also claimed that he “got a threatening letter from one of the doctors saying, ‘Hey, if you don’t fill that prescription I’m gonna sue you.’ So pharmacists are put in a really tough position here.”

“Hilariously Easy” to Hack

“The whole online and telemedicine space is a bit of a Wild West because of the way the pandemic forced everyone to deal with telehealth right away,” Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, told The Intercept.

The websites involved in this telemedicine operation were all built during the pandemic to take advantage of this Wild West. Certificate transparency records, which list which SSL certificates are created and when, show that the domain was first set up in March last year, was first set up in September last year, and was first set up in February of this year.

While the pandemic popularized telehealth, “patients still had to go to the pharmacy to pick up the prescription, and that’s where we came up with the idea to make a prescription delivery platform offering free nationwide same-day delivery,” Patel said while describing his motivation for starting the company.

The hacker told The Intercept that Cadence Health and Ravkoo were “hilariously easy” to hack. The websites of both companies had broken access controls, one of the most common mistakes in web application security.

The Cadence Health website only validated user input on the client side, not the server side, according to the hacker. This means that when a user accesses the telemedicine site the normal way, by loading the site in their browser, they can only access their own data, but if they write a program that tries to access other data on the server, the server will respond with that data. The hacker simply asked the server for all patient data.

Cadence Health’s website describes itself as the “most secure PCI & HIPAA-compliant VirtualCare Platform.” “Our website is still in development,” Espinal told The Intercept. “We don’t even have content. This was not supposed to be live.”

The Ravkoo website had a “hidden admin panel that every user can log in to and view all the data,” according to the hacker. Using this admin panel, the hacker was able to exfiltrate all of the online pharmacy’s prescription data. The vulnerability in Ravkoo’s website also appears to be fixed, according to the hacker, who reached back out to The Intercept after checking.
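Both flaws described above, record access enforced only in the browser and an admin panel open to every logged-in user, come down to the server not authorizing each request. The following is an added sketch, not code from Cadence Health or Ravkoo; the record store, roles and function names are hypothetical and the data is constructed.

```python
"""Server-side authorization sketch. All names and data are constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """The authenticated user may not perform this request."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "patient", "clinician" or "admin" (hypothetical roles)


# Constructed sample data standing in for a patient database.
PATIENT_RECORDS = {
    101: {"owner_id": 1, "clinician_ids": {50}, "notes": "constructed record A"},
    102: {"owner_id": 2, "clinician_ids": {51}, "notes": "constructed record B"},
}

# Denied requests are kept so that defenders can spot one account
# requesting many records it does not own.
DENIED_LOG = []


def deny(user: User, action: str, target) -> None:
    """Record the refusal, then refuse."""
    DENIED_LOG.append((user.user_id, action, target))
    raise Forbidden(f"{action} denied")


def get_record_unchecked(user: User, record_id: int) -> dict:
    """The pattern the article describes: the server trusts that the
    browser only ever asks for the caller's own record."""
    return PATIENT_RECORDS[record_id]


def get_record(user: User, record_id: int) -> dict:
    """Object-level check: the server decides, on every request, whether
    this user may read this specific record. A missing record and someone
    else's record produce the same refusal."""
    record = PATIENT_RECORDS.get(record_id)
    is_owner = record is not None and record["owner_id"] == user.user_id
    is_assigned = (
        record is not None
        and user.role == "clinician"
        and user.user_id in record["clinician_ids"]
    )
    if not (is_owner or is_assigned):
        deny(user, "read_record", record_id)
    return record


def list_all_records(user: User) -> list:
    """Function-level check for an admin view: being logged in is not
    enough; the role is verified on the server for every call."""
    if user.role != "admin":
        deny(user, "list_all_records", None)
    return sorted(PATIENT_RECORDS)


def enumeration_suspects(threshold: int = 2) -> list:
    """User ids with at least `threshold` denied record reads."""
    counts = {}
    for user_id, action, _target in DENIED_LOG:
        if action == "read_record":
            counts[user_id] = counts.get(user_id, 0) + 1
    return sorted(uid for uid, n in counts.items() if n >= threshold)
```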

“It’s quite possible that [the companies] violated HIPAA by having such weak security,” Tien said. The Health Insurance Portability and Accountability Act is a federal law that requires health care providers to protect sensitive “patient health information” from being disclosed without the patient’s consent or knowledge. The current security rule defined by HIPAA requires providers to “implement technical policies and procedures that allow only authorized persons to access electronic protected health information.”

HIPAA also defines a breach notification rule that requires health care providers to “notify affected individuals following the discovery of a breach” within two months of discovering the breach. Providers must individually notify affected patients by first-class mail or email, and if they have outdated contact information for enough patients, they’re required to post a public notice on their website or “in major print or broadcast media where the affected individuals likely reside.” If the breach affected more than 500 people, like the Cadence Health and Ravkoo breaches do, they are also required to “provide notice to prominent media outlets” serving the jurisdiction where the patients live.

While HIPAA rules have been loosened during the pandemic to accommodate telemedicine, health care providers are still required to protect sensitive patient health information that they collect.

The companies were left pointing fingers at each other. Espinal, Cadence Health’s CEO, told The Intercept that the patient database is hosted in Encore Telemedicine’s Amazon Web Services account and that his company does not have access to this data. Flinn, the public relations agent working for Encore, insists that the database is in Cadence’s AWS account, not in Encore’s.

“Following the money is a really important thing,” Koltai, of the Center for an Informed Public, said.

Update: September 29, 2021
The map has been updated to clarify that each dot represents the geographic center of each city with ten or more users. No individual home addresses are represented in the map.

The post Network of Right-Wing Health Care Providers Is Making Millions Off Hydroxychloroquine and Ivermectin, Hacked Data Reveals appeared first on The Intercept.

]]>
<![CDATA[Major Tea Party Group Was Backed by Salsa Billionaire and Other Wealthy Donors, Hacked Documents Reveal]]> Thu, 05 Aug 2021 17:10:55 +0000 Tea Party Patriots' web database contained only a small fraction of the "3 million patriots" it heralds on its site.

Tea Party Patriots, a major conservative organization that bills itself as one of the largest grassroots groups on the right, was in fact heavily backed by three ultra-wealthy individuals in recent years, according to internal data reviewed by The Intercept.

The largest donor was Texas billionaire Christopher Goldsbury, who made his fortune selling the salsa company Pace Foods to Campbell Soup in 1994. On September 11, 2019, Goldsbury donated $1 million to the TPP Foundation via wire transfer. According to tax documents, the TPP Foundation took in $1.2 million in revenue that year. Goldsbury had been a TPP member since 2014 and had already donated $20,000 to TPP’s three separate organizations in previous years. Goldsbury did not respond to a request for comment.

Meanwhile, activity by the group’s members appears to have waned. The Intercept found just 144,000 members marked “active” in the online data, versus claims on the TPP website of a “network of 3 million activists,” of “more than 3 million supporters,” and of “over 3 million patriots.” Data from local chapters show members are clustered in fast-growing areas like Colorado and all along the Sun Belt, from California through Arizona, Texas, Georgia, and Florida.

The 327 gigabytes of TPP data were provided to The Intercept anonymously by a source who claimed to have hacked the group’s web back end. In January, The Intercept obtained documents that exposed the identity of a handful of wealthy TPP donors, but the new data fleshes out the understanding of the group’s big-money backing.

The data includes a trove of information about people who are members of Tea Party Patriots local chapters, have signed petitions, or have donated: their names, phone numbers, home addresses, and a detailed activity history for each user. The Intercept is not naming or otherwise exposing information on individual members of the organization other than the group’s three biggest donors (at least two of whom were reported billionaires).

Because the data obtained by the hacker comes only from the group’s web infrastructure, there could be important records missing. For example, there might be TPP supporters who signed up at a live event or made in-person donations but are not tracked by the web database. Some of the data provided by the hacker was corroborated with publicly available information, including some donations and TPP petitions. Still, it’s impossible to authenticate all of the data, and after The Intercept obtained the data a hacker altered pages on TPP’s website.

TPP did not answer specific questions about the breach but instead provided The Intercept an email sent to members from co-founder Jenny Beth Martin, notifying them of the hack and adding that the group had contacted law enforcement and worked “to ensure that our systems are not compromised and are secured even further to ensure that an event of this type does not happen again.” The email continued, “And you can be certain that we will take every step possible to find and help prosecute these criminals who have broken into our electronic home and stolen proprietary and confidential information.”


New users created in TPP’s web database each year.

Graphic: The Intercept

“Over 3 Million Patriots”

TPP was founded in 2009, shortly after the inauguration of President Barack Obama. The group, according to numerous accounts, was inspired by an on-air rant by CNBC editor Rick Santelli against an Obama administration proposal to help homeowners avoid foreclosure in the early days of the financial crisis. TPP spent its first years organizing against the Affordable Care Act and government spending in general; today, reining in federal expenditures remains central to the group’s stated priorities. But racial and anti-immigrant animus has regularly appeared within the group, which was also involved in organizing the “March to Save America” rally culminating in the deadly January 6, 2021, storming of the U.S. Capitol, aimed at preventing Congress from certifying Joe Biden’s electoral victory. (TPP has said it did not fund the rally and stated it was “shocked, outraged, and saddened at the turn of events on January 6,” condemning the violence.)

Records from the hacked database shed light on its major backers. Now-deceased California real estate mogul Sanford Diller was another billionaire who provided major funding to TPP. According to tax documents, the TPP Foundation took in $106,318 in revenue in 2015. And according to the hacked data, they only took in two donations that year, and one of them was a $100,000 check from Diller. Diller donated another $100,000 in 2016, and $50,000 more in 2017, to the foundation. In 2016 he also donated $150,000 to TPP’s super PAC. The Intercept reported on some of Diller’s foundation donations earlier this year, and late last year ABC News said Justice Department documents implicated Diller in a secret lobbying scheme to trade political donations to entities associated with former President Donald Trump for a pardon.

Another major funder of TPP is David Gore, an Oregon libertarian whose family owns the Gore-Tex fabric company. Between 2018 and January 2021 he donated $50,000 to TPP Action, $275,000 to TPP’s super PAC, and $124,000 to TPP Foundation, according to the internal data obtained by The Intercept. Gore could not be reached for comment.

Tea Party Patriots has three separate organizations: a 501(c)(3) public charity called TPP Foundation; a 501(c)(4) social welfare organization, which is allowed to engage in more extensive lobbying than a 501(c)(3), called TPP Action; and a super political action committee, which can spend unlimited amounts of dark money to support political candidates, called TPP Citizens Fund.

The hacked data includes information about individual donations to these three organizations, but it doesn’t include money raised from interest groups and corporations. For example, TPP’s super PAC raised a total of $2.9 million to support Trump’s 2020 election campaign, but individual donor records from the hacked data only add up to $460,000 that election cycle.

The hacked records also indicate that while TPP has cultivated the image of a mass movement, less than half a million people have either joined a local chapter or even just signed an online petition starting in 2013 or earlier. Of those members, roughly a third are marked “active.”

The data describes roughly 800 local chapters, including a list of members for each chapter. Local TPP chapters have a total of 15,000 users who are marked active, meaning that only about 10 percent of active users in TPP’s database are members of a local chapter — the rest are people who have signed petitions, donated, or subscribed to mailing lists.

Tea Party Patriots active users by city, July 2021

This map, based on the hacked data, shows how many active Tea Party Patriots users live in which cities, for cities that have at least 10 users.

The chapters with the most users are in Arapahoe County, Colorado, and Atlanta, Georgia, as well as a geographically dispersed chapter called United and Standing, which have between 130 and 190 members each. Groups have 20 members on average, though some have not been active for many years. Of the 144,000 active users, nearly 1,000 of them live in Houston, Texas, the largest city concentration, and hundreds more in San Antonio, Dallas, and Fort Worth. Other top hubs of active users include Las Vegas, Nevada; Phoenix and Tucson, Arizona; Jacksonville and Tampa, Florida; San Diego, California; Colorado Springs and Denver, Colorado; among others.

There are 148 petitions in the database, with dates from 2014 to 2021, and information about everyone who signed a petition and whether they also sent a message to Congress or donated.

The most recent petition, entitled “Stop Critical Race Theory,” had only garnered 34 signatures in the two weeks between June 23, when it was created, and July 7, when the site was hacked. Over 70,000 people signed the most popular petition on the site, entitled “Make Adam Schiff Resign,” during Trump’s first impeachment inquiry; Schiff, a California Democrat and chair of the House Intelligence Committee, was a lead investigator into allegations that Trump withheld funds from Ukraine in exchange for investigations into the Bidens.


TPP petitions signed each year, according to the hacked web back-end data.

Graphic: The Intercept

From mid-2015 through mid-2017, TPP routinely had petitions reach over 20,000 signatures with names like “No Funding for Illegals,” “Save Our Constitution,” “Support Senator Jeff Sessions,” and “Trump Won, Get Over It,” but the number of signatures on their petitions has significantly dwindled in recent years.

In 2018, a petition to confirm Brett Kavanaugh to the Supreme Court got 16,000 signatures. Since then, only two petitions have breached 8,000 signatures, and they were both during Trump’s first impeachment inquiry: the aforementioned Schiff petition and another, addressed to the Office of Congressional Ethics demanding they conduct an ethics inquiry into House Speaker Nancy Pelosi, which received 14,000 signatures.

Also exposed in the TPP breach were password hashes, or encrypted representations of passwords that members use to log in to the website, for over 13,000 users. The password hashes appear to use an algorithm called “salted MD5.” MD5 is a hash function that was proven to be insecure in 2010. Anyone with this hacked data could likely recover most of the original passwords using off-the-shelf hardware.
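A common remediation for a store of salted MD5 hashes is to wrap every stored hash in a slow, memory-hard function immediately, then move each account to the slow function alone at its next successful login. The following is an added example, not code from the site described. It assumes the legacy format is hex MD5 of the salt followed by the password (the article does not give the exact construction); the record layout, function names and scrypt parameters are hypothetical.

```python
"""Migrating salted-MD5 password records to scrypt (constructed example)."""
import hashlib
import hmac
import os

# scrypt cost parameters: an assumption, tune them to the login servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5_hex(salt: bytes, password: str) -> str:
    """Assumed legacy scheme: hex(MD5(salt || password)). It is fast to
    compute, which is what makes offline guessing against it cheap."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def scrypt_hex(secret: bytes, salt: bytes) -> str:
    return hashlib.scrypt(
        secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    ).hex()


def make_scrypt_record(password: str) -> dict:
    salt = os.urandom(16)
    return {
        "scheme": "scrypt",
        "salt": salt.hex(),
        "hash": scrypt_hex(password.encode(), salt),
    }


def wrap_legacy_record(record: dict) -> dict:
    """Bulk step that needs no password: store scrypt(md5_hex) in place of
    the MD5 hash, so no fast hash remains at rest for dormant accounts."""
    if record["scheme"] != "md5":
        raise ValueError("only legacy md5 records can be wrapped")
    salt = os.urandom(16)
    return {
        "scheme": "scrypt-over-md5",
        "legacy_salt": record["salt"],
        "salt": salt.hex(),
        "hash": scrypt_hex(record["hash"].encode(), salt),
    }


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login attempt. On success with a legacy or wrapped record,
    rewrite the record in place as plain scrypt."""
    scheme = record["scheme"]
    if scheme == "scrypt":
        candidate = scrypt_hex(password.encode(), bytes.fromhex(record["salt"]))
    elif scheme == "scrypt-over-md5":
        inner = legacy_md5_hex(bytes.fromhex(record["legacy_salt"]), password)
        candidate = scrypt_hex(inner.encode(), bytes.fromhex(record["salt"]))
    elif scheme == "md5":
        candidate = legacy_md5_hex(bytes.fromhex(record["salt"]), password)
    else:
        return False
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if scheme != "scrypt":
        upgraded = make_scrypt_record(password)
        record.clear()
        record.update(upgraded)
    return True
```

Wrapping protects the stored data from that point on; copies of the MD5 hashes that have already leaked are unaffected, so affected users still need to change their passwords.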

A Trivial Vulnerability

The hacker who obtained all this data told The Intercept they were motivated by the Tea Party Patriots’ role in helping advocate for the use of hydroxychloroquine as a treatment for Covid-19. The vast bulk of evidence indicates the anti-malaria drug, pushed by former President Donald Trump, does not work for that use. A video advocating for hydroxychloroquine, featuring a group called America’s Frontline Doctors, was reportedly funded by and promoted at an event organized by TPP. The video was later blocked by Facebook, YouTube, and Twitter for containing false statements or otherwise violating their standards.

“Since [Tea Party Patriots] were responsible for a large part of the misinformation in the early stages of the COVID-19 pandemic by promoting hydroxychloroquine with the America Frontline Doctors stunt, I’m sharing the data in hopes that it can shed some light on the people involved and where their funding comes from,” the hacker told The Intercept in an encrypted text message. “I read some articles about the America’s Frontline Doctors stunt, took a look at their website, and one thing led to another.”

The identity of the hacker is not known to The Intercept. They said they identified with the decentralized hacktivist collective Anonymous. Law enforcement in Georgia is now investigating the cyber break-in, and a detective at the Cherokee County Sheriff’s Office contacted The Intercept about the case.

The person said they discovered a trivial, but fatal, security flaw in the database that powered Examining one of the group’s petitions, “Wear Red on Trump’s Birthday,” in which people could pledge to wear red on June 14 to support Trump, they discovered the page’s source code contained an administrator API key — essentially, a secret password that grants access to TPP’s database.


The Tea Party Patriots petition where the hacker found the administrator API key.

Screenshot: Anonymous

It’s common for web applications like this one to use an API, or application programming interface, and to embed API keys in the code of web pages, allowing the browser to access the data that it needs. However, API keys are supposed to have limited permissions: For example, an API key on a petition page should only have permission to access data related to the petition.

But the API key that TPP included was not limited at all. It had administrator access. It allowed anyone who had it (by viewing the source of the web page, for example) to access all the information in TPP’s massive database. The Intercept confirmed that this administrator API key was not only on the “Wear Red on Trump’s Birthday” petition but on all other petitions as well.


Source code for a vulnerable web page, with the API key.

Screenshot: Anonymous

Armed with the API key, the hacker was then able to load addresses at over 800,000 times, exfiltrating hundreds of gigabytes of data from the conservative activist group’s database.

With an administrator API key, hackers can not only access information in the database but also change it. This appears to have happened with TPP’s web pages: For a few weeks in July, after The Intercept obtained the hacked database, all the featured petitions on TPP’s website had been renamed to “Stop Computer Fraud and Abuse Act.”


Screenshot from July 23, 2021.

Screenshot: The Intercept

At the time of writing, the petitions on TPP’s website have all been taken down.
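The scoping the article says was missing, as an added sketch that is not TPP's code: a key that ships in page source gets explicit per-petition grants, a lint step rejects wildcard or write-style grants before deployment, and a per-key counter surfaces bulk extraction like the 800,000 requests described above. Key names, resource paths and the petition slug are hypothetical.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

PUBLIC_ACTIONS = {"read", "create"}  # what a petition page legitimately needs


@dataclass(frozen=True)
class ApiKey:
    name: str
    grants: frozenset        # {(action, resource_pattern), ...}
    browser_exposed: bool    # True if the key is embedded in page source


def matches(pattern: str, resource: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        # Keep the trailing slash so "petitions/42/*" cannot match "petitions/420/...".
        return resource.startswith(pattern[:-1])
    return pattern == resource


def authorize(key: ApiKey, action: str, resource: str) -> bool:
    """Deny by default; allow only an explicit (action, resource) grant."""
    return any(a == action and matches(p, resource) for a, p in key.grants)


def lint_key(key: ApiKey) -> list:
    """Problems that should block deployment of a browser-exposed key."""
    if not key.browser_exposed:
        return []
    problems = []
    for action, pattern in sorted(key.grants):
        if pattern == "*":
            problems.append(f"{action}: wildcard resource")
        elif action not in PUBLIC_ACTIONS:
            problems.append(f"{action}: not a public action")
    return problems


class VolumeMonitor:
    """Sliding-window request counter per key, to surface bulk extraction."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def record(self, key_name: str, now: float) -> bool:
        q = self.hits[key_name]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q) > self.limit  # True means: alert on or throttle this key


# Constructed keys: the weak setting beside the corrected one.
ADMIN_IN_PAGE = ApiKey(
    "petition-page-key",
    frozenset({("read", "*"), ("create", "*"), ("update", "*"), ("delete", "*")}),
    browser_exposed=True,
)
SCOPED_IN_PAGE = ApiKey(
    "petition-page-key",
    frozenset({
        ("read", "petitions/wear-red/summary"),
        ("create", "petitions/wear-red/signatures"),
    }),
    browser_exposed=True,
)

if __name__ == "__main__":
    print("admin key lint:", lint_key(ADMIN_IN_PAGE))
    print("scoped key reads member data:", authorize(SCOPED_IN_PAGE, "read", "members/1001"))
```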

<![CDATA[Browse The Intercept Anonymously and Securely Using Our New Tor Onion Service]]> Wed, 28 Apr 2021 15:39:01 +0000 Reading The Intercept entirely within the "dark web" minimizes the visibility of your visits.

The post Browse The Intercept Anonymously and Securely Using Our New Tor Onion Service appeared first on The Intercept.

Tor, the decentralized anonymity network, has been an integral part of our workflows at The Intercept since we launched in 2013. We use Tor to securely communicate with confidential sources using our SecureDrop server, and individual journalists routinely use Tor Browser to covertly investigate companies and powerful people.

Now, there’s a new way for readers of The Intercept to browse this website more securely and anonymously over the Tor network. Just open up Tor Browser and navigate to our new Tor onion service at https://27m3p2uv7igmj6kvd4ql3cct5h3sdwrsajovkkndeufumzyfhlfev4qd.onion/. You can also get there by loading in Tor Browser and clicking the “.onion available” button in the address bar.

Tor Browser users can click the “.onion available” button in the address bar to get to the onion service.

Websites that end in “.onion” are known as Tor onion services — or if you want to be dramatic about it, the “dark web.” Here’s how it all works.

Tor Browser Lets People Browse the Web Anonymously

When you load a website in a normal web browser like Chrome, Firefox, Safari, or Edge, you make a connection over the internet directly from your house (or wherever you happen to be) to the web server you’re loading. The website can see where you are coming from (and track you), and your internet service provider can see which website you’re loading (and track what you’re doing and sell advertising based on your activity).

But if you open Tor Browser and load the same website, none of those parties can spy on you. Even Tor itself won’t know what you’re up to. Within the network, consisting of thousands of nodes run by volunteers across the internet, you do not connect from your house directly to the web server. Instead, your connection first bounces between three Tor nodes and then finally exits the Tor network and goes to the website. The website can’t see where you’re coming from, only that you’re using Tor. Your ISP can’t see what website you’re visiting, only that you’re using Tor. And the Tor nodes themselves can’t fully track you either. The first node can see your home IP address, because you connect directly to it, but can’t see what site you’re loading, and the last node (also called the exit node) can see what site you’re loading but doesn’t know your IP address.

In short, Tor Browser makes it so people can load websites anonymously. Tor onion services do the same thing, except for websites themselves.

Tor Onion Services Let Websites Themselves Be Anonymous

So what exactly is an onion service? Just like when people use Tor Browser to be anonymous, web servers can use Tor to host anonymous websites as well. Instead of using normal domain names, these websites end with “.onion”.
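How a “.onion” name like the one given above is put together, as an added example that goes beyond what the article explains and is not The Intercept's code: under Tor's version 3 onion service specification, the 56-character label is the base32 encoding of the service's 32-byte public key, a 2-byte checksum and a version byte, so a mistyped or altered address can be rejected before connecting. The function names are this example's own, and the key used in the test is constructed.

```python
import base64
import hashlib
from urllib.parse import urlsplit

VERSION = b"\x03"


def onion_checksum(pubkey: bytes) -> bytes:
    # First two bytes of SHA3-256(".onion checksum" || pubkey || version).
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> bytes:
    """Return the service's 32-byte public key, or raise ValueError."""
    text = address.strip().lower()
    if "://" in text:
        host = urlsplit(text).hostname or ""
    else:
        host = text.split("/")[0].split(":")[0]
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion host")
    label = labels[-2]  # subdomains of an onion service are allowed
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 characters")
    raw = base64.b32decode(label.upper())  # ValueError on non-base32 characters
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return pubkey


def same_service(a: str, b: str) -> bool:
    """True when both strings name the same onion service key,
    regardless of case, scheme, path or subdomain."""
    return parse_onion_v3(a) == parse_onion_v3(b)


if __name__ == "__main__":
    # Address as quoted in the article.
    quoted = "https://27m3p2uv7igmj6kvd4ql3cct5h3sdwrsajovkkndeufumzyfhlfev4qd.onion/"
    try:
        print("public key:", parse_onion_v3(quoted).hex())
    except ValueError as err:
        print("rejected:", err)
```

A valid checksum only shows the string is a well-formed address; whether it belongs to the site you expect still has to be checked against a source you trust.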

If you load an onion site in Tor Browser, both you and the web server bounce encrypted data packets through the Tor network until you complete an anonymous connection, and no one can track anyone involved: Your ISP can only see that you’re using Tor, and the website’s ISP can only see that it’s using Tor. You can’t learn the website’s real IP address, and the website can’t learn yours either. And the Tor nodes themselves can’t spy on anything. All they can see is that two IP addresses are both using Tor.

Onion services have another cool property: The connection never exits the Tor network, so there are no exit nodes involved. All the communication between Tor Browser and the web server happens in the dark.

The Most Popular Site on the Dark Web

When people hear about the “dark web,” they tend to think about shady things like drug markets and money laundering. That stuff is, in fact, facilitated by anonymous websites running Tor onion services, just as it’s facilitated by the normal, non-anonymous internet. But it’s not the only use of onion services by a long shot.

The Intercept, along with dozens of other newsrooms around the world, including pretty much every major news organization, runs Tor onion sites for SecureDrop, a whistleblower submission platform. With The Intercept’s new onion service for readers of our website, we’ll also join the ranks of the New York Times, ProPublica, BuzzFeed News, The Markup, and other news organizations in making their core websites available as onion services.

I also develop an open source tool called OnionShare which makes it simple for anyone to use onion services to share files, set up an anonymous drop box, host a simple website, or launch a temporary chat room.

But, by far, the most popular website on the dark web is Facebook. Yup, Facebook has an onion service. For when you want some — but not too much — anonymity.

<![CDATA[Inside Gab, the Online Safe Space for Far-Right Extremists]]> Mon, 15 Mar 2021 10:00:11 +0000 The hacked data from Gab contains 65 gigabytes of data, including 4 million Gab accounts, 31,000 groups, and 39 million posts.

The post Inside Gab, the Online Safe Space for Far-Right Extremists appeared first on The Intercept.

In late February, somebody hacked Gab, an online safe space for white supremacists and other extremists. The hacker, who self-identifies as “JaXpArO and My Little Anonymous Revival Project,” exfiltrated roughly 65 gigabytes of data, including 4 million Gab accounts, 31,000 groups, and 39 million posts (over 100,000 of which were posted to private groups).

The hacker then leaked this data, which spans the site’s launch in August 2016 until February 19, to the transparency collective Distributed Denial of Secrets. In a Gab post, the hate site’s CEO Andrew Torba falsely accused DDoSecrets of hacking Gab, using an anti-trans slur while he was at it.


Screenshot: The Intercept

Due to privacy concerns, DDoSecrets is only offering GabLeaks to journalists and researchers who request access rather than publishing the full leak on the internet. (For the record, I’m a member of the DDoSecrets advisory board.)

For everyone else, here’s a broad overview of the GabLeaks data. Some of it is fairly technical, so bear with me. I’ll try to explain what I mean when I use unfamiliar terms.

Database Dumps and Chat Logs

JaXpArO provided DDoSecrets with data exported from a PostgreSQL database containing accounts, groups, and posts as well as a text file containing thousands of chat messages.

Out of the over 4 million accounts, 38,175 include email addresses (though not all of them appear to be valid email addresses) and 7,110 include password hashes, which are basically scrambled representations of passwords, from which in some cases the original password can be recovered (more on this below).

For example, here is the data associated with QAnon-believing, school-shooting-survivor-harassing Rep. Marjorie Taylor Greene’s Gab account:


Hacked data from Rep. Marjorie Taylor Greene’s Gab account.

Screenshot: The Intercept

Her account was created with the email address on January 11, and at the time Gab was hacked in late February, she had 217,544 followers, a verified account, and 72 posts. The data also includes her password hash but not the password itself.

The chat logs are all contained in a single 9.5-megabyte text file. In addition to chat logs showing Torba courting prominent anti-Semites for his site, the text file includes more than 70,000 messages from over 15,000 users. For example, here’s a snippet of the chatter going on during the January 6 insurrection at the U.S. Capitol:

@666666: Just so you know, I’m going to terrorize and burn some Democrats places. Come bail me out

@666666: If you ever want info on someone, let me know. I [can] hunt anyone down. I’m using my skip tracing skills to “give back” to the democratic community. It’s only fair

Gab by the Numbers


Gab accounts created between Feb. 15, 2020, and Feb. 15, 2021.

Screenshot: The Intercept

By January 6, the day that Donald Trump supporters tried to violently prevent Congress from certifying Joe Biden’s electoral victory, Gab had 1.6 million accounts. After the insurrection, Amazon’s cloud hosting business kicked the extremist social network Parler off its platform, a decision that prompted a flood of exiled Parler users to flee to Gab. Between January 6 and February 19, an additional 2.4 million Gab accounts were created.

The vast majority of these over 4 million accounts aren’t actually active. Only 1.5 million of them have posted any content to the site at all, and only 400,000 of those have posted more than 10 times. Just over 100,000 accounts have posted more than 10 times since December 1, 2020, making that number much closer to Gab’s actual active user base.


Public and private Gab groups created shortly before and shortly after the January 6 insurrection at the U.S. Capitol.

Screenshot: The Intercept

The post-insurrection spike in Gab accounts also holds true for Gab groups. However, there’s also a spike in private groups that were created before the insurrection. The night of December 22, someone created 46 private groups for chapters of the Oath Keepers, a far-right anti-government militia that helped storm the Capitol weeks later, but the groups were either never used or their members deleted all of the posts in them and left the groups before Gab was hacked in late February.


The last two years of anti-Semitic, anti-Black, anti-LGBTQ+, and anti-trans slurs used in Gab posts.

Screenshot: The Intercept

Most Popular Content on Gab

Here are the 20 most popular public groups on Gab:

  • /g/The_Donald (299,156 members)
  • Trump 2020 (225,711 members)
  • News (210,733 members)
  • QAnon and the Great Awakening (210,201 members)
  • WeLoveTrump (185,007 members)
  • Conservative News (178,843 members)
  • Stop The Steal (165,184 members)
  • QAnon (156,739 members)
  • QAnon Patriots (147,193 members)
  • Guns of Gab (146,938 members)
  • Joe Biden Is Not My President (141,452 members)
  • Christianity (135,789 members)
  • Memes, memes, and more memes. (125,753 members)
  • Introduce Yourself (124,341 members)
  • Libertarians of Gab (110,378 members)
  • #QAnons Supporters (109,876 members)
  • Q Research (109,629 members)
  • Politics (100,584 members)
  • Survival (95,070 members)
  • HISTORY BUFFS (83,781 members)

And here are the 20 most popular private groups on Gab (though some of them, like Internet Censorship, appear to be public now):

  • Internet Censorship (76,820 members)
  • Conservative Teachers of America (18,711 members)
  • Hunting and Fishing (17,886 members)
  • Thank heaven Biden is President… said no one ever. (6,727 members)
  • American Patriot Reality Check (2,583 members)
  • Parler people (2,370 members)
  • County by County (1,580 members)
  • The Patriot Party (1,250 members)
  • US / UK Patriots (1,112 members)
  • The Right Side (914 members)
  • Patriot Business Network (681 members)
  • Women For Trump (659 members)
  • Catholic Prayer Group (631 members)
  • Conservatives and Trump Supporters – Middle Tennessee (541 members)
  • MAGA PARTY IS ALIVE AND WELL (500 members)
  • Flu You Baker Class Action (445 members)
  • Shane’s Ice Fishing Unfiltered (414 members)
  • Taiwanese American Patriots Supporting President Trump (371 members)
  • Sewing Enthusiasts of Gab (366 members)
  • Forum (338 members)

Here are the Gab users with the most followers:

  • Andrew Torba, @a, the CEO of Gab (2,187,241 followers). New users automatically follow him.
  • Gab Help, @help, (1,649,252 followers). New users automatically follow this account too.
  • @gab (1,604,953 followers). New users automatically follow this one too.
  • Donald J. Trump, @realdonaldtrump (1,300,952 followers). New users automatically follow this account, and it’s not actually used by Trump.
  • @NeonRevolt (658,673 followers). This is a major QAnon conspiracy account.
  • Paul Joseph Watson, @PrisonPlanet (525,685 followers). This is a prominent conspiracy theorist and editor of the site InfoWars.
  • The Epoch Times, @TheEpochTimes (506,975 followers). This is a far-right news organization run by a Chinese cult that spent more money on pro-Trump Facebook ads in 2020 than any entity other than the Trump campaign itself.
  • Ron Watkins, @codemonkey (433,084 followers). This is the former admin of the image board 8chan, frequented by white supremacists and multiple mass shooters and the birthplace of the QAnon conspiracy movement.
  • Donald Trump Jr. Feed, @DonaldJTrumpJrFeed (432,583 followers). This is a bot that reposts tweets from Donald Trump Jr.’s Twitter account.
  • National File, @NationalFile (404,809 followers). This is a far-right news organization.

The Gab post with the most engagement on the whole platform is this post from @realdonaldtrump (which, again, isn’t actually run by the real Donald Trump).


Screenshot: The Intercept

The Gab post that ranks ninth in engagement is from the major QAnon account @StormIsUponUs.


Screenshot: The Intercept

Needless to say, his predictions did not come to pass.

Cracking Gab Passwords

Like most websites, Gab doesn’t store the passwords themselves. It scrambles each password using a “hash function” and stores the scrambled version, called a “password hash,” instead. For example, if someone used the password “Trump2020,” GabLeaks would only contain the scrambled version of that. The only way to confirm if that’s their password is to try running it through the same hash function Gab uses and see if any accounts are using that hash.

It turns out that at least three Gab users are using the password “Trump2020,” at least one is using “Trump2024,” and at least one is using “trump2024” (with a lowercase “t”). A few Gab users are using typical insecure passwords like “123456,” “asdf1234,” “letmein,” and “password1.” And at least one user is using an anti-Black racial slur as their password.

Armed with the 7,710 password hashes from GabLeaks, a list of nearly 9,000 password guesses that I created, and my gaming PC, which has a graphics processing unit, or GPU — hardware that can quickly do the math required for 3D graphics as well as things like cracking passwords — I used a tool called hashcat to see which passwords were weak. It took about three days to crunch the numbers, and at the end I successfully cracked 88 passwords, 49 of which were unique.

Among the Gab accounts I found using incredibly weak passwords was an account with the username “OneManAuschwitz” that shares Nazi propaganda, as was an account belonging to a “Proud White Man” that shares racist and anti-Semitic memes. Several accounts devoted to QAnon had weak passwords, and so did several accounts that share run-of-the-mill conspiracy theories about the Covid-19 vaccine and the 2020 election.

Thirty-one of the cracked passwords used the same extremely weak password, and nearly all of them used email addresses from the disposable email service These are all Gab “fan” accounts that repost tweets from popular extremist Twitter accounts. For example, the Candace Owens fan account has 10,200 followers on Gab, the Dinesh D’Souza fan account has 7,800 followers, and the Breitbart News fan account has 7,100 followers. None of these accounts have posted since November 2018 and are now abandoned.
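A check a site could run when a password is set, so that the choices reported above never reach the hash table, as an added example that is not Gab's code: “Trump2020,” “Trump2024” and “trump2024” all reduce to the same base word once case and the trailing digits are removed, which is why a short guess list finds them. The base-word list, the length threshold and the substitution table are choices made for this example.

```python
import re

# Weak passwords the article reports finding among the cracked hashes.
REPORTED = ["Trump2020", "Trump2024", "trump2024",
            "123456", "asdf1234", "letmein", "password1"]

# Base words behind that list (chosen for this example, not exhaustive).
DENY_WORDS = {"trump", "asdf", "letmein", "password"}
MIN_LENGTH = 8  # example threshold

# Common character substitutions, undone before the word lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Lower-case, drop the trailing run of digits and symbols,
    then undo common substitutions in what is left."""
    core = re.sub(r"[^a-z]+$", "", password.casefold())
    return core.translate(LEET)


def reasons(password: str, username: str = "") -> list:
    """Return the reasons to reject a password; an empty list means it passes."""
    found = []
    base = base_word(password)
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if not base:
        found.append("digits or symbols only")
    elif base in DENY_WORDS:
        found.append(f"common word '{base}' plus suffix")
    elif username and base == base_word(username):
        found.append("username plus suffix")
    return found


if __name__ == "__main__":
    for pw in REPORTED:
        print(f"{pw!r:14} -> {reasons(pw)}")
```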

Correction: March 16, 2021

A previous version of this article stated that one of the Gab accounts with weak passwords belonged to Spencer Brown, the spokesperson for the Young America’s Foundation, a conservative youth organization with alumni that include former Trump senior policy adviser Stephen Miller and former Attorney General Jeff Sessions. Brown did not respond to a request for comment prior to publication but an attorney for the Young America’s Foundation contacted The Intercept after publication and stated that the Gab account was not associated with Brown.

<![CDATA[Donald Trump’s Gab Account Uses an Email Address Belonging to the Extremist Platform’s CEO]]> Wed, 03 Mar 2021 16:58:29 +0000 When I got my hands on the Gab data, the first thing I did was look up Trump’s account.

The post Donald Trump’s Gab Account Uses an Email Address Belonging to the Extremist Platform’s CEO appeared first on The Intercept.

Gab, the far-right social network that’s known as a safe space for hate speech, QAnon believers, Trump election fraud conspiracists, and white supremacist terrorists, was hacked pretty badly. The site exploded in popularity after the January 6 insurrection when Amazon kicked Parler, another social network used by right-wing extremists, offline, which caused Gab’s user base to explode from about 1 million users to roughly 4 million.

The hacker made off with the email addresses and encrypted passwords of all 4 million of the site’s users and the content of more than 39 million posts, including everything posted to 7,632 private groups, and leaked them to the radical transparency group Distributed Denial of Secrets. On Monday, DDoSecrets released the nearly 70 gigabytes of hacked data to journalists and researchers. Gab’s CEO Andrew Torba has falsely accused DDoSecrets of hacking Gab — a source provided DDoSecrets with the data, they didn’t hack it themselves — and then used an anti-trans slur when posting about the group.


The Gab account for @realdonaldtrump.

Screenshot: The Intercept

Former President Donald Trump’s verified Gab account was among those that were compromised (though the account’s description says it’s “reserved” for Trump, and Torba has stated that Trump himself doesn’t use it). When I got my hands on the Gab data, the first thing I did was look up Trump’s account, and the first thing I noticed was the email address associated with it: Why was Trump using this obscure email address, and what is Kuhcoon?

It turns out that Torba, the current CEO of Gab, is the former CEO and founder of Kuhcoon (later renamed Automate Ads and acquired by AdHawk in 2017), a tech startup that offered automated Facebook ad campaigns. According to a 2015 interview, Torba started Kuhcoon in 2011 with his college roommate. The company received venture capital backing from Y Combinator in 2014; in August 2016, Torba stepped down as CEO, and he, along with his co-worker Ekrem Büyükkaya, founded Gab.

Since it launched, Gab has been a haven for far-right extremists. Torba’s Gab account was created on August 10, 2016, and the next account created later that day was for the “alt-right” personality Milo Yiannopoulos. Other extremists who created early accounts include anti-feminist conspiracist Mike Cernovich and prominent neo-Nazi Richard Spencer (best known for getting punched in the face at Trump’s inauguration in 2017). The accounts on Gab that have the most followers on the whole platform include unhinged QAnon-sympathizing Republican Reps. Marjorie Taylor Greene and Lauren Boebert and personalities like Alex Jones. Half of the 20 most popular Gab groups are devoted to Trump and QAnon.

Trump’s account is the only one on Gab that uses an email address from I sent an email to, but the email bounced.

Torba didn’t reply to my email requesting his comment, but he did publicly tweet a response from Gab’s Twitter account, stating, “As per my policy of not communicating with non-Christian and/or communist journos, I will not be replying to this non-story,” and “It’s not a real email address, therefore it is not checked.”

He then mentioned me to make sure I’d see it:

Disclosure: I’m on the DDoSecrets advisory board.

Update: The story has been updated to make it clear that Torba has been open about the fact that Trump does not use the @realdonaldtrump Gab account.
