How the FBI hid their “Russia Special.”

Adapted from my latest book “Loaded for Guccifer2.0.”

In normal day-to-day investigations at the FBI it’s the field offices that take the lead. They have to answer to the ‘adults’ at FBI Headquarters in Washington. The ‘adults’ only take the lead on investigations in certain special circumstances. Ones that require they only have to answer to themselves. The case would involve ‘delicate’ issues. They may be hush-hush cases of national security, or those of political sensitivity.1

During 2015 — 2017 there were two cases that FBI-HQ were assigned by places on high. The first started because of the original Guccifer’s activities: Mid-Year Exam. The second involved Guccifer2.0 in a more than tangential way: The operation into Trump’s supposed collusion with Russia that became known as Crossfire Hurricane.

One was a case where politics required guilt to be disproven. The other was one where geo-politics had declared a guilty verdict before they even began.

On the 21st August 2015 Special Agent Peter Strzok was drafted from Washington Field Office into the lofty atmosphere of FBI-HQ to “take over” one of the specials. The texts released by the Department of Justice show it was one that must have been already up and running under a different FBI agent before he arrived.

We know what “Special” means from an email that was released along with the texts. It was sent by the Deputy Director of the FBI Andy McCabe in late December 2015. It said that Secretary Clinton would get an “HQ Special” in the Mid-Year Exam (quotes) “investigation.” They’d go through the motions. There’d be a lot of light, noise, and sweat. All for a pre-defined result.

We aren’t so sure what this redacted ‘Special’ was, save for another pre-defined result. But for who, or for what, isn’t certain. The redacted word could fit many things. However as far as is known there should have been only the ‘Clinton special’ ongoing at FBI-HQ at the time. What was the other one?

What sort of ‘special’ would require the presence of an action-manlike Special Agent Peter Strzok? He’s too brash and abrasive to be a smarmy political operator that could charm the politically sensitive Clintonistas. He wasn’t an ‘email-expert’.

Trump had announced he was running a month previously, and the space is correct for a ‘Trump’ Special. However that doesn’t answer the question of: why Strzok? He was reportedly a never-Trumper Republican, but that on its own is not a reason to specifically pick him to ‘Get Trump’ out of all the other choices available in the 36,500 strong FBI.

Why Strzok for this particular ‘special’? He was a Russia counterintelligence expert. That’s why.

He was the Special Agent in Charge of counter-intelligence division at the Washington field office. He spent his working days on the trail of Russian spies, and his views were patriotic and partisan:

Whatever the second special was, it was one that specifically required a go-getter Russia counter-intelligence expert. It required him at a time many months before there were any phishings or hackings of Democrat servers. There was no ‘Trump-Russia’ for a Russia counter-intelligence expert to investigate.

Hello Hawkins

Strzok wasn’t there to find lost cats. The Friday before his Monday morning start as an ‘adult’ Peter Strzok had already “met Trisha”. The Trisha was Trisha Anderson from the Department of Justice’s Office of Legal Counsel. She was then one of their most senior lawyers dealing with national security and cyber-security.

The first person that Russia expert Strzok met for the ‘Special’ was a cyber-security lawyer. They were thinking ahead.

Strzok is not there to ‘go-fetch’ Secretary Clinton’s errant emails. He’s a counter-intelligence expert and counter-intelligence operations have totally different goals to a criminal investigation. They are about gathering intelligence on suspects – in his case, Russian or Russian aligned suspects. Counter-intelligence operations are open-ended. They can go on for as long as they feel it worthwhile. There doesn’t have to be any set goal, or crime to solve. They may find a crime along the way, which then triggers a criminal investigation, but the opening goal of counter-intelligence is simply intelligence.

The investigation into Secretary Clinton’s email use fits none of those things. Mid-Year Exam was a criminal “investigation”. A “special” criminal “investigation,” but still a criminal case. There was a set goal – did she break the law, or not? She’s neither a Russian, nor a hacker, nor did they plan to keep her under surveillance. There was no reason to involve counter-intelligence experts.

In some Sunday texts we get some more hints about why he’s there. Whatever it was, his appointment to HQ was a sudden thing. Washington field office had no warning that Strzok was going to HQ, so had no time to find a replacement Special Agent in Charge of counter-intelligence. Lisa believed that he’d have to do both jobs at once. He told her he couldn’t. There’d be no time. The special was ‘special’.

He let her know what he’ll be up to on the Monday morning. First he has to go to Washington Field office for an 8:30 briefing. A few texts later we find out that he planned to ask them for some cyber people.

After that, his first big meeting as the leader of the new ‘special’ is at the State Department. It’s a big meeting involving “a billion” people from FBI-HQ. He may be exaggerating. A bit. It does at least involve ‘Andy’ McCabe, who will shortly become the Deputy Director of the FBI.



State Department.

Cyber people.

A few days later, he’s shaking the resource tree. He’s putting together a team. It’s not clear why, but he wants some of them to come from outside of the counter-intelligence Division. It suggests that whatever the ‘special’ is, it’s not a regular counter-intelligence operation. He either needs a broader skill-set, or he wants to keep some things outside of their purview.

One thing he still needs are cyber people and ‘Computer Analysis Response Team’ people. They are the geeks that give pro-active warnings to companies and corporations that are being attacked by hackers. He specifically wants the ones he knows from Washington field office. He knows that the chiefs there aren’t going to be willing to let their geeks go.

To get them he’d have to “escalate it up the chain of command.” It suggests that his ‘special’ really is ‘Special’. He has enough backing from on high that he’d be able to go over the heads of his old bosses. He’d be able to take their best geeks, and there was nothing they could do apart from shut the hell up.

Who were those geeks? We know of one. The timing is suggestive. A few weeks after Strzok is looking to borrow geeks from Washington field office the DNC received a call from such a cyber expert from Washington field office. He would have been part of their ‘Computer Analysis Response Team.’ They give pro-active warnings about hackers. Russian hackers even.

The New York Times called him Special Agent ‘Adrian Hawkins’.

Russia counter-intelligence expert Peter Strzok came to be in charge of both FBI ‘HQ Specials’ for good reason. While he was, he was doing exactly the same thing as Secretary Clinton. Lisa Page was too. So were a Taskforce of different agencies.

They had set up a special private email system to communicate outside of government channels. Secretary Clinton could plausibly claim the need for convenience. She could also convincingly claim technical ignorance. The users of could make no such excuses. They were breaking the same rules Mid-Year Exam was investigating. They were hiding an evidence trail from oversight by their own government.

In the Strzok — Page texts the first mention of 324mail is only days after Strzok joins FBI-HQ.

“1500” would be a reference to the US Treasury who are located at 1500 Pennsylvania Ave NW, Washington. Mrs. Page had worked closely with them during the money laundering case against the ally of the deposed Ukrainian president Yanukovych.

As they were the ones handing out the pin-numbers to 324mail it seems to confirm that they were the primary agency in the Taskforce. The end-goal of the second ‘HQ Special’ would appear to be financial. It’s the Treasury’s Office of Foreign Assets Control (OFAC) that are the entity who would implement economic sanctions. Against Russia for example.

Later on we get some more details of who was in the cross-agency Taskforce. They included the Treasury, FBI-HQ, the DOJ and their National Security Division (NSD) and something called ‘CIV’. The FBI love their acronyms but ‘CIV’ even had Strzok beat. He didn’t know who they were, and Lisa had to explain that it meant the DOJ’s Civil Division. They were “The folks who defend us when we get sued, like over non-disclosure of an NSL (National Security Letter)”2. It’s illuminating to know that they thought the users may have need of legal protection. From whom? A property mogul turned politician?

The Taskforce on

In December 2015 there was no ‘DNC’ hacking investigation. There wasn’t any official ‘Trump-Russia’ investigation, because he had only announced his run six months previously. He was still a ‘joke candidate’. The Taskforce couldn’t have been a ‘Trump Taskforce’, and the second ‘HQ Special’ couldn’t have been a ‘Trump Special.’

This “Special” needed the Russia expertise of Strzok, Page and all the other new-boys at FBI-HQ. It involved the Treasury as the key agency. As I cover in my book “Loaded for Guccifer2.0” (page 172) under Obama’s Executive Order no 13660 “all agencies of the United States Government” were instructed to carry out the commands of the Secretaries of Treasury and State to help fix ‘the problem’ of the Crimeans preferring Russia to Ukraine.

The second ‘Special’ that FBI-HQ are carrying out can only be a Russia Special. The Taskforce that were using can only be a “Ukraine” Taskforce.

The Certificate Trail

We can get an impression of the importance of during the peak Russiagate hysteria from the trail of SSL certificates.


In mid-2009, started off all on its lonesome. It had its own singular SSL certificate — no 476868 — allocated to it alone and nobody else. (These numbers refer to Comodo’s reference number for the certificate.) There were no sub-domains covered on the certificate. Just itself.

Just before that first one expired, as is good practice, a new one — no 4651730 — was added in its place. It was just the same as the last and seems to have been good enough for Peter Strzok, Lisa Page and the people at the Treasury the first few times that they used the site.

Then 324mail grew. It grew into something important enough that the existing set-up clearly wasn’t good enough any more. On Sunday, the 11th December 2015, even though the existing certificate had over a year and a half left to run, a new SSL certificate — no. 13688125 — was issued.

Overnight the system was upgraded to something really professional and it seemed suddenly important that it had to be done now. On a Sunday. There were new sub-domains added that show was suddenly important enough to upgrade the system to a Microsoft Exchange setup.

A Microsoft Exchange setup is overkill for a normal website. It’s what large organisations use. It enables multiple users — be it tens, hundreds, or thousands — to exchange emails, Skype calls, documents, calendars and messages with each other. All of their multiple devices from laptops to iPads to phones can be synced via one central system.

The chances of finding anything at all on at this stage are likely to be zero.

Note the timing of that big change: 11th December 2015. It’s the same Sunday as the late evening text exchange shown where Lisa was having trouble logging on to “check DOJ comments”. It’s clear that 324mail was being used as the central point of all the Taskforce action. The flurry of activity suggests that there was a big Taskforce decision due in the week commencing the 12th December 2015.

The change of system reflected increased activity on this “private” — outside of government — email system that was being used by the Taskforce. Something was going down, and whatever it was they didn’t want to use the official FBI system that already had these, and better, features. They wanted it on and ‘off the books’.

From May to September 2016, Strzok and Page frequently text about Mostly it’s in negative tones about not being able to log in due to issues with security tokens, or having to call “1500” — the Treasury — to reset PIN numbers.

They’re using it so much that by the 15th May 2016 Page is running out of space on the system, and Strzok had been forced to do a “mass cull down on 324mail”. Deleting work-related emails from a .gov system would be an offence, but this is a .com just like Clinton’s own network. She’s hardly likely to take them to task on it once she became ‘Madam President’ so it’s all good.

Communication problems came to a head in September 2016. Some stressful texts were sent about “teams not sharing info”.

“Mike” is likely to be Mike Steinbach, who was then the Executive Assistant Director of the National Security Branch of the FBI. He told them to “Fix it”. All wasn’t rosy.

It seems part of the “fix” was to take the drastic step of including the external “private” on the official SSL certificate — no. 45057413. Despite the existing two valid certificates still having a year or so to run, this third valid SSL certificate was added on the 12th September 2016. This one was different to the others. They were all standard GoDaddy certificates issued in the name of 324mail (plus sub-domains), but this one was an official certificate issued by Entrust.

And which “teams” are these? Another advantage of having as opposed to using a .gov system was that individuals, or ‘teams’, who were not part of government could access it. These ‘teams’ could be ‘private’ intelligence firms, or they could be political or media associates. It solved more than just the government oversight ‘issue’: it allowed for a public-private partnership that went beyond an SSL certificate.

Including a .com on the official certificate of the FBI is beyond unusual. It seems obvious that it would have been done as a last resort. It was considered a risk — if it wasn’t they’d have just included it in December 2015, when they first made the changes. They wanted to keep “secret”, but in September 2016, necessity, with the election only two months away, forced their hand. Now is linked indelibly with the FBI.

In December 2017 when the Russiagate investigation healed over,’s new SSL certificate — no. 28084726 — reverted back to a normal GoDaddy one. Once again it was just on its lonesome. Crossfire Hurricane had moved to the Office of Special Counsel run by former FBI Director Robert Mueller.
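The three signals this section reads from the certificate history (a replacement issued long before renewal was due, new hostnames on the certificate, and a change of issuing authority) can be checked mechanically against any domain's issuance records. The following is an added example, not part of the original post; the records, issuer names and hostnames are constructed placeholders, and the 90-day threshold is an assumption.

```python
from datetime import date

# Constructed certificate-history records for a placeholder domain; the IDs,
# issuers, dates and names are illustrative and are not the page's data.
CERTS = [
    {"id": "A", "issuer": "CA One", "not_before": date(2013, 7, 1),
     "not_after": date(2017, 7, 1), "sans": {"mail.example"}},
    {"id": "B", "issuer": "CA One", "not_before": date(2015, 12, 11),
     "not_after": date(2017, 12, 11),
     "sans": {"mail.example", "autodiscover.mail.example", "owa.mail.example"}},
    {"id": "C", "issuer": "CA Two", "not_before": date(2016, 9, 12),
     "not_after": date(2017, 9, 12),
     "sans": {"mail.example", "portal.agency.example"}},
]


def review_history(certs, early_days=90):
    """Return (cert id, finding, detail) tuples for changes worth a second look."""
    findings = []
    ordered = sorted(certs, key=lambda c: c["not_before"])
    for i, cur in enumerate(ordered):
        issued = cur["not_before"]
        # Earlier certificates that had not yet expired when this one was issued.
        live = [c for c in ordered[:i] if c["not_after"] > issued]
        if not live:
            continue
        # Re-issued long before any renewal was due.
        remaining = max((c["not_after"] - issued).days for c in live)
        if remaining > early_days:
            findings.append((cur["id"], "early_reissue", remaining))
        # Hostnames never covered by the certificates it overlaps with.
        known = set().union(*(c["sans"] for c in live))
        added = sorted(cur["sans"] - known)
        if added:
            findings.append((cur["id"], "san_added", added))
        # A certificate authority not seen on the overlapping certificates.
        if cur["issuer"] not in {c["issuer"] for c in live}:
            findings.append((cur["id"], "issuer_change", cur["issuer"]))
    return findings


if __name__ == "__main__":
    for cert_id, kind, detail in review_history(CERTS):
        print(cert_id, kind, detail)
```

Each finding marks a change to investigate, not a conclusion: early re-issuance and added hostnames are also what a routine mail-server migration looks like.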

Bob’s Network

There’s a guy on the internet called Bob.

Online searches show that his part of the internet is called “Bob’s Network”, and it owned the IP address that served when Strzok and Page were accessing it.

Company IP Date
Amazon Technologies Inc. January 03, 2018
Bob’s Network August 15, 2014
MCI Communications Services, Inc May 25, 2011

Note the similar IPs of the last two entries. The mysterious ‘Bob’ of Bob’s Network is registered to the fictitious address of: 11951 Springfield Ave, Reston, Virginia 20191.

There is no Springfield Avenue in Reston. Yet, Bob’s Network lives there and owns the internet, or at least all the IP addresses between and

Currently his bit of the internet is completely empty. The phone number is fake, and is linked online to multiple different people. None of them are called Bob.

If one asks the American Registry for Internet Numbers (ARIN) nicely they’ll provide a “Who-Was” service for the IPs in their control. Their results for the IPs in Bob’s part of the internet tell a story. Back in May 2008 they were assigned to ARIN’s customer “C01931950.” We’ve all heard of them: the FBI:

FTS FBI Data Services, 1 Justice Way 5 modem, Dallas, TX

Shortly afterwards, the IP range got turned over to another ARIN customer; ‘BOBSN’, or simply ‘Bob’ to his mates:

Bob’s Network, 1 Justice Way 5 modem, Dallas, TX

Eagle eyed readers will note that Bob and the FBI in Dallas have the same address. Bob, at that stage, is the FBI in all but name.

In late May 2008, Bob’s Network got a new webmaster; “WEBMA88-ARIN”, with the fictitious address at Springfield Avenue, Reston, VA. For his or her contact details the new webmaster gave the fake telephone number and a non-functional email at his non-existent website;

Finally on the 11th June 2008 the Dallas address got removed from Bob’s registration for the IP he was using for ( The IP was no longer officially an FBI IP and the only points of contact were all fake. With now moved to its new IP, the previous IP ( uncloaked on the same day (11th June 2008) and was given an additional ‘point of contact’ that confirmed it was the FBI all along. The new contact (code DTH87-ARIN) gave a couple of names as confirmation:

Daniel Thompson, 1 Justice Way 5 modem, Dallas, TX.
+1-972-559-50XX (Office),

The end result is that the ownership of the IP hosting had been laundered. It was then ‘outside of government control’. There was no reason for those bothersome Senators who talk about “oversight” to ask about it.


“Bob’s Network” has a possessive apostrophe. It’s a network ‘belonging to Bob’. It’s not the government’s network, it’s Bob’s personal non-FBI network. It was created while the then FBI Director Robert “Bob” Mueller was “the man” at the FBI. Would he appreciate some other lesser FBI Bob having his own personal vanity FBI-private network while he was “FBI Bob no. 1”?

Why 324? Who knows. The number’s not random. There’s a less active companion site, that was also hosted on the current IP of It’s not a reference to an FBI form like the famous FD-302 witness statement as there is no form FD-324 (as far as can be told).

My best bet is that “Bob” is old-school. He’s from a generation before mobile phones with on-board memory when — imagine this kids — you actually had to dial and remember phone numbers. He would have dialled the telephone number of FBI-HQ hundreds of times…

(202) 324-3000

It’s a tantalising possibility. If “Bob” is Robert Mueller it suggests that he wasn’t just involved as Special Counsel to clean-up the end of the Russiagate affair.

His internet was involved from the very beginning. He may have been too.


1 FBI-HQ are akin to the Metropolitan Police’s Counter Terrorism Command in London – the luckiest policemen in the whole wide world – who are discussed further in my book ‘Russiagate Genesis’. Suffice to say that with both the Alexander Litvinenko case and the Sergei Skripal case they managed to (quote time) “find” evidence in a most remarkable fashion. They come in and take over cases where politics – or geo-politics – requires a certain result.

3: A National Security Letter is an administrative subpoena that doesn’t require approval by a judge, that forces the recipient — typically a phone, email, or internet provider — to hand over all records about an individual’s communications — but not the contents of them.


Organization Bob’s Network(BOBSN)
ARIN customer code C01942708
NetName UU-63-96-238-D6
AS Name Verizon Business/UUNet
Location Fort Worth, United States

Doc 1: Part 3 … Back to Romania!

Edit 1st May 2018:

  • The last binary section contains a timestamp giving GMT+3
  • Since I wrote this I’ve realised that this *can* be faked by either altering the computer clock on boot, using a virtual machine with an altered timezone, or (in Linux anyway) typing “TZ=utc+3” before a script command.
  • To me it seems likely that this was the reason *why* G2 went to all the trouble of altering the documents in this way.
  • Hot off the presses, The Forensicator has an awesome breakdown of the steps required to change the document in this way.
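The point in the edit note above, that the offset written into a timestamp comes from the writing process's environment, can be checked directly. The following is an added example, not part of the original post; it uses only POSIX TZ strings on a Unix system, and the instant and zone names are constructed. It also shows something beyond the note: in POSIX TZ strings the sign is inverted, so a value written with "+3" records an offset of -03:00.

```python
import os
import time

# Constructed instant for the demonstration: 2016-06-15 12:00:00 UTC.
EPOCH = 1465992000


def recorded_zone(tz_value, epoch=EPOCH):
    """Return (zone abbreviation, UTC offset in seconds) that a process run
    with TZ=tz_value would attach to the instant `epoch`. Unix only."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz_value
    time.tzset()  # re-read TZ, as a newly started process would
    try:
        local = time.localtime(epoch)
        return local.tm_zone, local.tm_gmtoff
    finally:
        # Put the caller's timezone back.
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


def zones_matching(offset_seconds, tz_values):
    """List the TZ strings whose recorded offset equals offset_seconds."""
    return [tz for tz in tz_values if recorded_zone(tz)[1] == offset_seconds]


# POSIX TZ strings (no tzdata needed). The sign is the reverse of the usual
# "GMT+3" notation: a negative value means east of Greenwich.
CANDIDATES = ["UTC-3", "utc+3", "XYZ-3", "UTC0"]

if __name__ == "__main__":
    for tz in CANDIDATES:
        print(tz, recorded_zone(tz))
    print(zones_matching(3 * 3600, CANDIDATES))
```

For an analyst, the consequence is that neither the offset nor the zone label in a document's metadata is independent evidence of where the document was edited.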

The last binary section is common to all the altered .doc files. Thus it’s the only section we can be sure of that is created by Guccifer2.0’s computer. For example, here’s 1.doc:

[Screenshot of 1.doc]

and here’s 2.doc:

[Screenshot of 2.doc]

Identical. Even though the authors of the two documents are different, the files are different, the datastore is common not just among docs 1 & 2, but among all the numbered documents. The only common thing is: Guccifer2.0.

Enter Player Zhe

In the last post we discussed how the timezone where Guccifer2.0 altered their documents was likely GMT+3. Examples of possible locations include:

Russian / Russian Influenced:
MSK – Moscow Time: Eastern Russia, Ukraine (Crimea, Donetsk …), Georgia (parts), Belarus

East European:
EEST – East Europe (Summer): Ukraine (part), Romania, Bulgaria, Moldova, Lithuania, {Finland}

Islamic:
EEST – East Europe (Summer): Turkey, Syria, Lebanon, Cyprus
AST – Arabia: Saudi Arabia, Iraq
EAT – East Africa: Somalia, Uganda

In my view there are five main actor groups within those countries that could marry with the motivation for Guccifer2.0. The first three: 1) Russian state, 2) criminal hackers, and 3) Islamic hackers I see as less likely and I’ve done some quick pros and cons in the images below.

Which leaves my last two and strongest candidates: 4) “Hackerville” Romania, and 5) Cyber-Berkut.

Player 1: “Hackerville” Romania


Mueller & KGB Subversion

Two recent events highlight the importance of G2.0’s motivation. The first is the recent analysis suggesting that it’s likely G2.0’s documents were altered in timezone GMT + 3, and the second is Special Counsel Mueller’s indictment of the Russian Internet Research Agency.

On the face of it both events suggest that the Russian Collusion theory may have some basis in truth. But everything that we know about the KGB/GRU’s methods suggests that this is wrong, and that only one of those events points to a true KGB-style operation: The Internet Research Agency.


Updated 18th Feb 2018

It seems I was lucky, and caught the site in a state where it was showing its innards, so some of the below links now don’t resolve. So I’ll share the files and screenshots I do have. I downloaded the mailserver software that was on the landing page (they were publicly accessible) and they are available here as a .zip HERE (17Mb).

Here’s some additional screenshots: