Enter Player Zhe

In the last post we discussed how the timezone where Guccifer2.0 altered their documents was likely GMT+3. Examples of possible locations include:

Russian / Russian Influenced:
  • MSK – Moscow Time: Eastern Russia, Ukraine (Crimea, Donetsk …), Georgia (parts), Belarus

East European:
  • EEST – East Europe (Summer): Ukraine (part), Romania, Bulgaria, Moldova, Lithuania, {Finland}

Islamic:
  • EEST – East Europe (Summer): Turkey, Syria, Lebanon, Cyprus
  • AST – Arabia: Saudi Arabia, Iraq
  • EAT – East Africa: Somalia, Uganda

In my view there are five main actor groups within those countries that could marry with the motivation for Guccifer2.0. The first three, 1) Russian state, 2) criminal hackers, and 3) Islamic hackers, I see as less likely, and I’ve done some quick pros and cons in the images below.

Which leaves my last two and strongest candidates: 4) “Hackerville” Romania, and 5) Cyber-Berkut.

Player 1: “Hackerville” Romania



Doc 1: Part 3 … Back to Romania!

The last binary section is common to all the altered .doc files. Thus it’s the only section we can be sure was created by Guccifer2.0’s computer. For example, here’s 1.doc:

[Image: 1doc 2018-02-15 21-03-05]

and here’s 2.doc:

[Image: 2doc 2018-02-15 21-03-41]

Identical. Even though the authors of the two documents are different and the files are different, the datastore is common not just to docs 1 & 2 but to all the numbered documents. The only common thing is: Guccifer2.0.


#Russia can’t Google

The GRU have 130 spy satellites. They have 350,000 specialists (which is ten times that of the FBI). They have 25,000 Spetsnaz troops. They had (have) a known network of spies in the US.

Yet the #RussiaCollusion folk want us to believe that not one of them can use Google?



Mueller & KGB Subversion

Two recent events highlight the importance of G2.0’s motivation. The first is the recent analysis suggesting that it’s likely G2.0’s documents were altered in timezone GMT+3, and the second is Special Counsel Mueller’s indictment (direct .pdf link) of the Russian Internet Research Agency.

On the face of it, both events suggest that the Russian Collusion theory may have some basis in truth. But everything that we know about the KGB/GRU’s methods suggests that this is wrong, and that only one of those events points to a true KGB-style operation: the Internet Research Agency.


Doc1 Part 2: Binary Chunks.

  • Altered documents contain clues to previous versions – Binary chunks.
  • Also contain misinformation
  • They increase the filesize from the original 696Kb to 6.9Mb
  • “Confidential” watermark: from GDIC?
  • MSODatastore contains a Guccifer Clue.



Doc 1 – Part One: Manipulations, Fonts & Fakery

  • G2.0 metadata is fake
  • Russian stylesheet attached
  • The file was manipulated to make the metadata visible.
  • But we have a vital Guccifer2.0 breadcrumb



Say “Hi” to Guccifer2.0.

  • He registered DCLeaks.com in 2010, 2012, & 2016 under different names, using two different hosting and nameserver companies
  • Behind many known scams
  • Many linked domains seized by Microsoft
    • Strontium is Microsoft’s name for Fancy Bear
    • Therefore it’s just a criminal scam. Not Russia
  • domains4bitcoins, a partner company to Florica’s THCServers:
  • ititch.com, which registered actblues.com (“used to hack” the DNC), uses exactly the same anonymising services as THCServers.
  • Guccifer2.0 “had access” to DCLeaks.
  • Guccifer2.0’s timestamps are GMT + 3 = EEST Romania, Ukraine .. & Moscow.
  • Guccifer1.0 was Romanian. Guccifer2.0 said he was Romanian. Guccifer2.0 is Romanian!
  • Many questions remain …

In the FBI’s own words I have “High Confidence” that Florica Catalin Gabriel (or Catalin Florica) is Guccifer2.0. And unlike the FBI I mean it.