Vladimir Putin and Hillary Clinton (2012)
Russian President Vladimir Putin (L) welcomes US Secretary of State Hillary Clinton during the Asia-Pacific Economic Cooperation (APEC) Summit in Russia's far eastern port city Vladivostok on September 8, 2012 MIKHAIL METZEL/AFP/GettyImages

Evidence is mounting that, when it comes to the identity of those behind the 'Guccifer 2.0' moniker used to leak documents reportedly hacked from the Democratic National Committee (DNC), all roads lead to Russia.

Fresh analysis conducted by US-based cybersecurity firm ThreatConnect, based on email metadata provided by Kevin Collier from technology website Vocativ, has provided the first solid links between Russian web-services and a constantly evolving propaganda effort revolving around a slew of internal documents stolen from the DNC.

Ever since a Twitter account and WordPress-hosted website emerged from the shadows under the Guccifer 2.0 pseudonym, cybersecurity experts have speculated the operation is highly likely to be being orchestrated – to some degree – by Russian operatives.

And now, ThreatConnect, in a detailed analysis released on 26 July, has been able to link the metadata to the Russia-based 'Elite VPN' service – which was reportedly being used by those responsible for the 'Guccifer 2.0' account to mask its users' true location.

While initial analysis appeared to suggest the email infrastructure used by Guccifer 2.0 was French, ThreatConnect found it was actually owned by Elite VPN – a website with a sign-up process written almost entirely in Russian.

Interestingly, when signed up, the French internet address used by Guccifer 2.0 was "not available to other users" of the VPN service, ThreatConnect said. The firm added the server in question had only been used in the past for malicious activity, including a suspected Russian bride scam.

The researchers said they were also intrigued by metadata gleaned from a French AOL account (used to send documents to The Smoking Gun) as such tactics would likely never be deployed by sophisticated hackers as such an action would allow original IP addresses to be traced.

"Their use of Russian VPN services with French infrastructure may shed light on a method Russian intelligence operatives use — domestic services coupled with foreign infrastructure — to help hide their hand and deter any potential attribution to Russia," the researchers said.

"Taken together with inconsistencies in Guccifer 2.0's remarks that make his technical claims sound implausible, this detail makes us think the individual(s) operating the AOL account are not really hackers or even that technically savvy. Instead, propagandist or public relations individuals who are interacting with journalists."

Vladimir Putin
Russian officials have maintained the government was not involved in the hack Sergei Karpukhin/AFP/Getty

Guccifer 2.0 has previously denied being from Russia – and has publicly complained about any associations with the Putin-led government. In one interview with Vice Motherboard, he claimed to be Romanian –but failed to convincingly communicate in that language when pressed.

Yet, as most cybersecurity firms will acknowledge, attribution is almost impossible to uncover with full certainty. However, in this incident, the evidence – and malware from the scene of the crime – match with previously uncovered Russian intelligence operations, including campaigns that targeted the German Bundestag and the White House.

As noted by separate security firm CrowdStrike, which was brought in by officials to investigate the initial DNC hack, two Russian hacking groups – dubbed Cosy Bear and Fancy Bear – were deemed to have been involved. This, like all similar allegations, has been denied by Russian officials.

DNC hack goes public

It was only 24 hours after the initial DNC hack was made public when Guccifer 2.0 emerged to claim responsibility. He continued to leak documents to the press and on a public-facing website – including hundreds of files on Hillary Clinton and a strategic playbook compiled by the Democrats on presidential candidate Donald Trump.

However, the actions of the adversary in the aftermath of the leaks only back up suspicions the true identity of Guccifer 2.0 is not as it first appears, ThreatConnect said. "Maintaining a ruse of this nature within both the physical and virtual domains requires believable and verifiable events which do not contradict one another. That is not the case here," the firm concluded.

"Our research into Guccifer 2.0's infrastructure further solidifies our assessment that the persona is a Russia-controlled platform that can act as a censored hacktivist. Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives."

WikiLeaks founder Assange
Julian Assange, founder of WikiLeaks, said he would not reveal the source of the leak REUTERS

WikiLeaks has not identified its source for its release of DNC emails, however Guccifer 2.0 has previously claimed to have provided them. In an interview on 25 July with NBC News, Wikileaks founder Julian Assange brushed off accusations of Russian involvement – instead saying the DNC's cybersecurity was so weak multiple hackers could have had access to its computer networks.


While the ultimate objective of the suspected Russian campaign remain a case of speculation, the real-world implications of the leak continue to emerge. Most recently, DNC chairwoman Debbie Wasserman Schultz was forced to resign after the controversial leaks implicated the DNC in a plot that appeared to favour Hillary Clinton over rival candidate Bernie Sanders during the election primary.

As the FBI launched a probe into the DNC hack, officials from the Democratic Party have said they expect the release of more sensitive documents to be on the horizon. WikiLeaks, the infamous whistleblowing platform that has found itself at the centre of the story, appeared to confirm this on 24 July. 'We have more coming," it promised.