Enter Player Zhe

In the last post we discussed how the timezone in which Guccifer2.0 altered their documents was likely GMT+3. Examples of possible locations include:

Russian / Russian-influenced, East European, Islamic:

  • MSK – Moscow Time: Eastern Russia, Ukraine (Crimea, Donetsk …), Georgia (parts), Belarus
  • EEST – East Europe (Summer): Ukraine (part), Romania, Bulgaria, Moldova, Lithuania, {Finland}
  • EEST – East Europe (Summer): Turkey, Syria, Lebanon, Cyprus
  • AST – Arabia: Saudi Arabia, Iraq
  • EAT – East Africa: Somalia, Uganda

In my view there are five main actor groups within those countries that could fit the motivation behind Guccifer2.0. The first three, 1) Russian state, 2) criminal hackers, and 3) Islamic hackers, I see as less likely, and I’ve done some quick pros and cons in the images below. Click here to see the text with links.

Which leaves my last two and strongest candidates: 4) “Hackerville” Romania, and 5) Cyber-Berkut.

Player 1: “Hackerville” Romania

Doc 1: Part 3 … Back to Romania!

Edit 1st May 2018:

  • The last binary section contains a timestamp giving GMT+3
  • Since I wrote this I’ve realised that this *can* be faked by either altering the computer clock on boot, using a virtual machine with an altered timezone, or (in Linux anyway) typing “TZ=utc+3” before a script command.
  • To me it seems likely that this was the reason *why* G2 went to all the trouble of altering the documents in this way.
  • Hot off the presses, The Forensicator has an awesome breakdown of the steps required to change the document in this way.
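The bullets above describe how a wall-clock timestamp written into a file depends on the timezone the writing machine believes it is in, which is why a GMT+3 figure on its own is weak attribution evidence. The following script is an added illustration, not code from this blog or from The Forensicator; it assumes a Unix host whose C library honours the POSIX TZ variable (time.tzset() does not exist on Windows). It renders one fixed UTC instant under several TZ strings and reports the UTC offset an analyst would infer from the resulting local string. One caveat it makes visible: in POSIX TZ syntax the sign is inverted, so “utc+3” means three hours behind UTC, while the Eastern European rule string “EET-2EEST,M3.5.0/3,M10.5.0/4” is what actually yields GMT+3 during summer time and GMT+2 in winter.

```python
import calendar
import os
import time
from contextlib import contextmanager


@contextmanager
def forced_tz(tz_string):
    """Temporarily set the POSIX TZ variable for this process and restore it after.

    Assumption: Unix host, C library honours TZ (glibc/musl do).
    """
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz_string
    time.tzset()
    try:
        yield
    finally:
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()


def utc_epoch(year, month, day, hour, minute, second):
    """Build a UTC epoch from calendar fields (the instant is timezone-free)."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def render_local(epoch, tz_string):
    """Render the same UTC instant the way a tool writing wall-clock metadata would.

    This is the string an analyst later finds in a file; only TZ changed, not the event.
    """
    with forced_tz(tz_string):
        return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(epoch))


def inferred_offset_hours(epoch, tz_string):
    """UTC offset (hours) an analyst would infer by comparing the local string to the true UTC epoch."""
    with forced_tz(tz_string):
        local_fields = time.localtime(epoch)
        # Re-interpret the local wall-clock fields as if they were UTC; the difference is the offset.
        return (calendar.timegm(local_fields) - epoch) / 3600


if __name__ == "__main__":
    # Constructed sample instants (not the timestamps discussed in the post).
    summer = utc_epoch(2018, 6, 15, 12, 0, 0)
    winter = utc_epoch(2018, 2, 15, 12, 0, 0)
    eastern_europe = "EET-2EEST,M3.5.0/3,M10.5.0/4"  # POSIX rule string for EET/EEST with EU DST dates
    for tz in ("UTC", "utc+3", eastern_europe):
        print(f"TZ={tz!r}")
        for label, epoch in (("summer", summer), ("winter", winter)):
            print(f"  {label}: {render_local(epoch, tz)}  (inferred offset {inferred_offset_hours(epoch, tz):+.0f}h)")
```

Running it shows that the identical UTC instant yields a GMT+3 wall-clock string under the Eastern European rule in June but GMT+2 in February, and that “utc+3” produces a GMT-3 string; the epoch never changes, so a local-time string recovered from a document constrains the writer’s configured TZ at best, and only if that configuration was honest.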

The last binary section is common to all the altered .doc files. Thus it is the only section we can be sure was created on Guccifer2.0’s computer. For example, here’s 1.doc:

[Image: 1.doc, last binary section]

and here’s 2.doc:

[Image: 2.doc, last binary section]

Identical. Even though the two documents have different authors and are different files, this datastore is common not just to docs 1 & 2 but to all the numbered documents. The only thing they share is Guccifer2.0. Continue reading →

Mueller & KGB Subversion

Two recent events highlight the importance of G2.0’s motivation. The first is the recent analysis suggesting that G2.0’s documents were likely altered in timezone GMT + 3, and the second is Special Counsel Mueller’s indictment (direct .pdf link) of the Russian Internet Research Agency.

On the face of it both events suggest that the Russian Collusion theory may have some basis in truth. But everything we know about the KGB/GRU’s methods suggests that this is wrong, and that only one of those events points to a true KGB-style operation: the Internet Research Agency. Continue reading →

Say “Hi” to Guccifer2.0.

  • He registered DCLeaks.com in 2010, 2012, & 2016 under different names, using two different hosting and nameserver companies
  • Behind many known scams
  • Many linked domains seized by Microsoft
    • Strontium is MS’s name for Fancy Bear
    • Therefore it’s just a criminal scam, not Russia
  • domains4bitcoins is a partner company of Florica’s THCServers
  • ititch.com, which registered actblues.com (“used to hack” the DNC), uses exactly the same anonymising services as THCServers
  • Guccifer2.0 “had access” to DCLeaks
  • Guccifer2.0’s timestamps are GMT + 3 = EEST (Romania, Ukraine …) & Moscow
  • Guccifer1.0 was Romanian. Guccifer2.0 said he was Romanian. Guccifer2.0 is Romanian!
  • Many questions remain …

In the FBI’s own words I have “High Confidence” that Florica Catalin Gabriel (or Catalin Florica) is Guccifer2.0. And unlike the FBI I mean it. Continue reading →