Filings Reveal Even More Roger Stone Sleaze

APRIL 29--In the weeks prior to the “public unveiling” of two online personas involved in the distribution of material stolen by Russian hackers during the 2016 presidential campaign, Roger Stone apparently had advance knowledge of the existence of the cutouts, according to Google search histories obtained by federal investigators.

In a July 2018 search warrant application, an FBI agent working with Special Counsel Robert Mueller’s office revealed that investigators had “identified a series of searches that appear to relate to the personas Guccifer 2.0 and DCLeaks,” the personas created by Russian intelligence operatives.

These searches, Agent Andrew Mitchell reported, predated the appearance online of Guccifer 2.0 and DCLeaks and “were all conducted from Florida,” where Stone resides. An FBI analysis of the IP address ranges from which the searches emanated revealed that Stone had logged into Twitter and Facebook accounts from the same IP ranges.

The July 2018 U.S. District Court filing was among dozens of search warrant applications unsealed yesterday. Totaling more than 1500 pages, the documents detail aspects of the federal investigation into the 67-year-old Stone, who was convicted last November of seven felony counts.

The Stone search warrants sought an array of documents related to the Republican political consultant’s electronic communications, search histories, and social media accounts. And while the warrants yielded records from firms like Facebook, Google, Twitter, Microsoft, and Apple, investigators were unable to obtain a full accounting of Stone’s communications due to his use of encrypted apps like Signal, Wickr, and WhatsApp, and an encrypted ProtonMail account.

The criminal probe of Stone examined, among other things, whether the oily operative knew in advance that Wikileaks planned to distribute material stolen by Russian intelligence agents from Democratic National Committee computer networks, as well as the email accounts of individuals affiliated with Hillary Clinton’s presidential campaign, including John Podesta, the campaign chairman.

A U.S. intelligence community assessment attributed the illegal cyber incursions to hackers working for Russian spy agencies. This conclusion was echoed in the comprehensive report issued last April by Mueller, whose office secured indictments against 12 Russian military intelligence officers for their alleged roles in the hacking of Democratic officials.

Along with providing some of the stolen goods to Wikileaks, the hacking operation established a pair of fronts--Guccifer 2.0 and DCLeaks--that were controlled by Russia's Main Intelligence Directorate of the General Staff, or GRU. Beginning in mid-June 2016, Guccifer 2.0 and DCLeaks were the conduits for the GRU’s release of hacked material via multiple email addresses, a WordPress account, and the dcleaks.com web site.

In a June 15, 2016 email to The Smoking Gun, Guccifer 2.0 wrote to claim credit for the DNC hacking and provided an assortment of documents stolen from party’s servers. Later that day, the WordPress account appeared online, with Guccifer 2.0 claiming to be a “lone hacker” who obtained “docs I downloaded from the Democrats network.”

The emergence of Guccifer 2.0 came a day after a Washington Post story disclosed that Russian hackers had penetrated and “thoroughly compromised” DNC computer networks.

In addition to Guccifer 2.0’s appearance online, DCLeaks was launched in June 2016. On June 27, Guccifer 2.0 wrote to introduce TSG to the DCLeaks web site, which contained a small selection of hacked emails. Guccifer 2.0 provided TSG with credentials that allowed access to a password-protected part of the site containing emails from a Clinton campaign staffer. The DCLeaks site claimed to be operated by “American hacktivists.”

Upon the dissemination of the hacked DNC material, FBI agents launched a criminal investigation into Guccifer 2.0 and DCLeaks. Using subpoenas and search warrants, investigators obtained emails and subscriber records related to accounts maintained by the two Russian intelligence fronts.

The federal probe would grow to examine the Russian government’s attempt to interfere in the 2016 presidential election, and whether anyone connected with Donald Trump’s campaign played a role in that effort. As detailed in a search warrant application for Stone’s cell phone records, agents were investigating Stone in connection with the hacking of email accounts associated with the DNC, Clinton campaign officials, and the Democratic Congressional Campaign Committee, as well as the distribution of the stolen material “via the persona Guccifer 2.0 and the organization WikiLeaks, among others.”

During the FBI investigation, agents “identified a series” of Google searches “that appear to relate to the personas Guccifer 2.0 and DCLeaks, which predate the unveiling of those two personas,” according to the July 2018 search warrant application unsealed yesterday. The warrant, which was granted by Judge Beryl Howell, sought search history information associated with three Gmail accounts used by Stone.

One of the accounts, Agent Mitchell noted, was frequently used by Stone to “communicate with others via” Craigslist. While the warrant does not describe the nature of Stone’s Craigslist interactions, it appears unlikely the notorious swinger was seeking bargain furniture or a temporary sublet via a Gmail account registered under the name "Swash Buckler."

Referring to Stone’s three Gmail accounts, the search warrant noted that, “Google maintains records of the Google searches that a user conducts while signed into a particular Google email account (provided the user has not disabled the retention of this information).” When a user is not logged into a Google account, the search giant “assigns unique CookieIDs” to all searches “conducted from the same device and browser during a 24-hour window.” 

The FBI’s desire to examine search histories connected to the three Google accounts--which did not include Stone’s primary Gmail account--apparently was spurred by the discovery of a series of intriguing Google searches “between May 17, 2016 and June 15, 2016 (prior to the publication of the Guccifer 2.0 WordPress blog).”

Google records revealed that searches for the terms “dcleaks,” “guccifer,” and “guccifer june” came from two separate IP ranges and “were all conducted from Florida,” according to the search warrant application (which does not specify the dates of the searches in question). The IP ranges were assigned to T-Mobile and AT&T Mobility.

An FBI examination of Twitter records revealed that Stone used multiple IP addresses within both the T-Mobile and AT&T ranges to log into his @RogerJStoneJr account. Additionally, a Facebook account controlled by Stone used an IP address within the T-Mobile range on June 13, 2016.

A second warrant, filed in August 2018 for AT&T cell-site location information for Stone’s phone, noted that Google does not maintain “full IP addresses for searches conducted more than one year ago.” As a result, the company can only supply “truncated IP addresses” that “each encompass a range of up to 256 IP addresses.”

So perhaps an unknown Floridian had an early window into the planned activities of Guccifer 2.0 and DCLeaks.

A separate FBI analysis of Stone’s principal Gmail account showed that he searched Google for “terms that appear to be related to the DNC hack and the stolen emails, including his nexus thereto,” Agent Mitchell wrote.

But the Stone searches recovered by the FBI--including an October 13, 2016 query for “Roger Stone john Podesta”--came after Guccifer 2.0 and DCLeaks first appeared online in June 2016. The search history associated with Stone’s primary Gmail account “appears to have been deleted between January 18, 2016 and July 23, 2016,” according to the July 2018 search warrant.

Stone was convicted at trial last year of lying to Congress, obstruction, and witness tampering. He was not charged with involvement in the hacking campaign executed by Russian intelligence operatives, nor was he accused of having foreknowledge of those criminal incursions.

Sentenced to 40 months in federal custody, Stone and his supporters have been lobbying Trump for a presidential pardon. Stone’s motion for a new trial was denied April 16 by Judge Amy Berman Jackson, who ordered the convicted felon to surrender to federal prison officials within two weeks. Stone has until tomorrow, April 30, to file an appeal of Berman’s ruling. (3 pages)