Reporting by Computer Weekly was “vitally important” in ending three years of “damaging falsehoods” by Donald Trump-supporting conspiracy theorists who campaigned to hide Russian involvement in hacking during the 2016 presidential election, according to a top Washington attorney.
Lawyer Mike Gottlieb spoke this month after concluding a string of libel cases against many of Trump’s most belligerent supporters. These included Fox News, talk show host Sean Hannity and a Texan wealth fund manager, Edward Butowsky.
Just before Trump took office in 2017, US government intelligence assessed that Russian government hackers had worked to help him win. Butowsky fought back by hiring investigators and encouraging Fox TV to broadcast fabricated claims that a murdered Democratic Party employee, Seth Rich, with his brother Aaron, stole the emails and confidential files from the Democratic National Committee (DNC) and gave them to WikiLeaks. These baseless claims broadcast by Fox, if believed, would have exculpated the Russian government of having worked to rig Trump’s election.
Murdered Democratic Party voter rights specialist Seth Rich, whose brutal killing was exploited by Trump extremists and Russian propagandists
Fox quickly withdrew its claims. Butowsky and Matt Couch, a far-right activist, carried on until this month. Couch also ran the America First Media Group. All claimed that the Rich family was “in possession of material evidence indicating that Seth Rich downloaded the DNC emails, sent them to WikiLeaks, and requested payment”.
Rich, a voter rights specialist, died after being shot in a north Washington street near his home on 10 July 2016, while fighting off what police considered a botched robbery. His brutal killing was quickly exploited by Trump extremists and Russian propagandists.
But before Trump left Washington in disgrace on 20 January 2021, Butowsky and Couch became the last names in a long list of US right-wing media and conspiracy theory promoters to apologise unreservedly for publishing lies about the Rich family, and so helping cover up Russia’s role in the hacking.
The Rich family has now received a stream of full retractions, as well as millions of dollars in compensation for intentional emotional harm, for what court documents described as “threats and vicious online harassment”, lawyers acting for both sides have indicated.
On 17 January, The New York Times revealed that Fox News had insisted that its multimillion-dollar payout to the family – agreed last October – be kept secret until after Trump’s failed re-election attempt. The entire family “went through hell”, according to Seth’s mother Mary Rich.
Complex insider theories
In 2018, Computer Weekly identified one of several Britons who have spent years continuously creating streams of messages and complex theories suggesting insiders, rather than Russian agents, were responsible for the DNC hacks. These theories helped to fuel and perpetuate false claims about the Rich brothers.
When the family attorney showed Computer Weekly’s 2018 report to Aaron Rich a year later, he said he considered it “tremendously important”. They were grateful that a “damaging narrative” had been exposed, and those responsible had been identified on the public record.
One source of backup for Butowsky and Couch’s allegations came from a British IT manager, Tim Leonard, who operated under the pseudonym “Adam Carter”. Leonard (41), who lives in Darlington, began campaigning, denying Russian involvement in the hacking, in 2017. He was not then connected to Butowsky, nor was he part of the Fox News attacks on Rich.
But Leonard quickly connected to Couch – described by Yahoo News as a “ranting … one-time sales manager in the Arkansas Ozarks whose relentless tweeting and aggressive support of President Trump had garnered him more than 100,000 Twitter followers”.
After Couch published in December 2017 an hour-long video diatribe of lies about the Rich family, Leonard tweeted: “Matt & team, you’ve always had my back… anything that I can do from here, just let me know.”
Couch replied, quoting Leonard’s pseudonym: “Thank You Adam, You are a True Patriot my brother.”
In 2019, Leonard was invited to join Couch and Butowksky’s legal team to help defend a libel action brought by the Rich family. Butowsky and Couch’s attorneys planned to rely on information from a mysterious source channelled to them by Leonard.
Leonard admitted to Computer Weekly that Butowsky’s attorneys asked him to be an expert witness for their case. He told Computer Weekly: “I had no inclination to get involved. I wanted to keep a safe distance from anything relating to Seth Rich.”
However, Leonard has previously posted on Reddit that he believed Seth Rich was the source for the DNC leaks.
Leonard was the main hub in a network supplying and publishing information about the DNC hacking to US campaigners supporting Donald Trump. He denies being employed or supported by Trump supporters.
Since connecting to an unknown anonymous informant in June 2017, Leonard has passed on and publicised numerous claims and detailed hacking information from an anonymous persona he identified as “Forensicator”.
Computer Weekly has examined many of the documents he passed on. All of the documents checked are technically well prepared. Some show high levels of forensic analysis and understanding, but none of them prove the US government to be wrong.
Leonard said he has no knowledge of who or what is originating the documents and charts he passes on, or their nationality. “Employment details and background have not been shared with me,” he said, admitting he had never attempted to find out who was passing him information.
Before Trump left Washington in disgrace on 20 January, Butowsky and Couch became the last names in a long list of US right-wing media and conspiracy theory promoters to apologise unreservedly for publishing lies about the Rich family, and so helping to cover up Russia’s role in the hacking.
Leonard does not dispute he sent Couch and Butowsky’s attorneys “Forensicator” data to try to back up claims about Rich in the planned trial. He said: “I may have shared evidence with them, but only to answer queries or provide corrections.”
The attacks on Seth Rich, and “Guccifer 2.0”
From the day after Seth Rich’s death, claims appeared on the internet – including some attributed to the Russian foreign intelligence service, SVR – alleging that Rich was murdered for political reasons. The killers, some said, were a “Hillary Clinton hit squad” trying to conceal alleged corruption inside the DNC.
When Rich’s brother Aaron spoke up to deny the lies, he too was targeted for years with virulent abuse from Trump supporters on far-right internet sites. They accused Aaron of assisting his brother by channelling the stolen files to WikiLeaks, in return for payment.
The 2019 report by special counsel Robert Mueller attributed the hacks to Russian intelligence, giving extensive details. In 2019, a 996-page, blow-by-blow technical account of the hacking was released by the Republican-controlled Senate Intelligence Committee. The report explained how DNC data was hacked and copied by a dedicated team of Russian military intelligence agency (GRU) agents, and sent back using rented intermediary servers in the US.
The hacking was detected five months before the 2016 US election. The Senate Intelligence Committee report explained how the GRU launched an urgent deception and denial operation to hide what they had done, based on a fake internet persona they called “Guccifer 2.0”. Guccifer 2.0 claimed to be the real DNC hacker, and to be Romanian. The pretext was quickly cobbled together in an emergency. The US found evidence of the GRU team checking English words and phrases on Google, hours before launching the deception.
Mueller’s indictments revealed the names and even the office addresses of two GRU officers, Aleksey Potemkin and Colonel Aleksandr Osadchuk, who US intelligence said arranged the Guccifer 2.0 accounts. The pair were charged with multiple criminal offences. The Mueller and Senate reports even explained exactly how their team obtained bitcoins, then used them to pay anonymously for web hosting and servers.
After the US government first identified Russian agents as the hackers four years ago, Guccifer 2.0 quickly vanished from the internet, and never returned. Then, on 5 February 2017 – two weeks after Donald Trump moved into the White House – Leonard created a “Guccifer – game over” website.
Tim Leonard, a British IT manager who lives in Darlington, ran a noisy campaign that distracted from and denied Russia’s role in the hacking and the cover-up
Computer Weekly revealed in 2018 how Leonard then began his ongoing, noisy campaign. It distracted from and denied Russia’s role in both the hacking and the cover-up.
In correspondence with Computer Weekly, Leonard admitted he used a fictional secret agent name for the project. He copied the name “Adam Carter” from the hero of the BBC TV spy series Spooks. On Reddit, “Carter” posted using the leetspeak name – the language used by hackers – “d3fi4nt”.
Tim Leonard adopted a fictional secret agent name for his campaign – that of Adam Carter, an agent in BBC drama Spooks, played by actor Rupert Penry-Jones
Spooks ended in 2011, after 10 series. Leonard was by then the technical manager of a small Welsh internet company, Creative Insomnia Ltd. It did not prosper. Business was poor and staff were leaving when Leonard started to focus on Guccifer 2.0 in 2017. The company’s founder left for a new job in March 2018.
While registering his campaign website name – g-2.space – Leonard tweeted the suggestion that “Guccifer” might be “NOT Russian” and “NOT even a hacker”. He later added: “Those behind Guccifer 2.0 sacrificed their own hacking claims in an effort to point out that Seth Rich had dealings w/Russians when alive.” As d3fi4nt, he told Reddit: “To be clear – I believe Seth Rich was the source for the DNC Leaks.”
“A considerable volume of evidence we have contradicts the US government’s attribution,” Leonard said. “This may align with Russia’s denials of responsibility for the operation. This is not evidence of myself being ‘pro-Kremlin’ or trying to support/help Russia.”
Five months later, Leonard began channelling material from his anonymous source – material which displayed deep knowledge of the Russian hacking. He made efforts to cultivate and help activity by a group of former US intelligence officers, Veteran Intelligence Professionals for Sanity (VIPS). His actions precipitated the VIPS organisation to split, creating a divide between Trump supporters and others.
During 2017, Leonard – as “Carter” – promoted “Forensicator” charts and data to suggest that DNC data was copied onto a USB thumb drive inside the party’s Washington offices on 5 July 2016. This so-called “insider” evidence electrified far-right networks and was leveraged by Leonard’s collaborators into a widely condemned report in the established left-wing magazine The Nation.
Leonard and his information provider became frustrated that one VIPS member he had tried to cultivate, former US National Security Agency (NSA) director Bill Binney, was not fully taken in. Binney told Computer Weekly in 2018 that information about this data had been “manipulated” and was a “fabrication”. The supposed date that the DNC emails were copied internally was three weeks after the Russian hackers had been spotted and removed – but five days before Rich was killed.
Although Binney was a forthright Trump supporter, he refused to change his mind. He maintained that the files Leonard had relied on contained “no evidence” that copying or downloading DNC files had happened in Washington. After their attempts to keep the “insider” conspiracy theory alive appeared badly damaged, Leonard and “Forensicator” expressed anger and frustration, loudly, lengthily and, often, across multiple sites, as seen in the articles linked here and here.
The ‘thumb-drive theory’
In January 2019, Leonard started a new campaign that pushed information to point the finger at DNC insiders as the possible source of the stolen DNC data.
Leonard started the new campaign by tweeting a data table (see below) that analysed files held (and still held) on WikiLeaks servers. His new “insider leak” theory was then used by lawyers fighting the Rich family’s complaints. Data and charts supporting these claims came, again, from the unknown and anonymous secret source, “Forensicator”.
Writing for a now-defunct website, Disobedient Media, in February 2019, Leonard gave “credit … to Forensicator for researching, sharing observations, providing the dataset, charts and more”. The same day, “Forensicator” published a new, 6,000-word purported forensic analysis, with multiple charts and diagrams, outlining the duo’s latest “thumb-drive theory”.
These articles were the first shots in a campaign to relaunch the fiction that evidence could prove that WikiLeaks’ real source was a DNC insider, not Moscow spies. Technically and forensically it was a more blatant and transparent misdirection than previous attempts. But it worked – nearly.
After getting the material, VIPS members Bill Binney and former CIA agent Larry Johnson wrote: “According to the forensic evidence for the Guccifer 2.0 data, the DNC emails were not taken by an internet spearphising [sic] attack. The data breach was local. It was copied from the network.” Their published reports claimed that the evidence had “shredded” the Mueller report about the GRU.
Leonard quoted Binney and Johnson as saying: “A savvy defense attorney will argue, and rightly so, that someone copied the DNC files to a storage device (for example, a USB thumb drive) and transferred that to WikiLeaks.”
By then, only two defence attorneys in the US were defending cases concerning copied DNC files – Ty Clevenger of Texas and Eden Quainton of New York. Both lawyers worked for Ed Butowsky, the prominent Texan wealth fund manager and Trump backer who first promoted false claims to Fox TV, and for Matt Couch, the far-right extremist running the America First Media Group supporting Donald Trump.
As the trial date approached, Butowsky’s lawyer, Quainton, notified the Rich family that Leonard would be their expert witness for the Washington libel trial. The case was then scheduled for federal court in June 2020, but was postponed as the Covid epidemic began.
When the trial witness list was published in August, Johnson and Binney were listed. Leonard’s name did not appear. Binney and Johnson then explained to supporters how they would use the “thumb-drive theory” from “Forensicator”. Supporters trumpeted news of their testimony, with the headline “Feces to hit fan?”.
By then, VIPS members, Leonard and “Forensicator” had together published more than 20,000 words about the “thumb-drive theory”, with dozens of illustrations.
The “thumb-drive theory” about the DNC insider, created and pushed by Leonard and “Forensicator”, was easy to see through. It amounted to a single finding (tweeted by Leonard) that “evidence strongly suggests that the first three batches of DNC emails were transferred via a USB storage device at some stage between acquisition and then subsequently being published by WikiLeaks”.
Scientifically, this statement is likely to be right. When leaked DNC email files are examined on the WikiLeaks website server, many have “last modified” file times spaced in two-second intervals. This is a standard property of the FAT file system format, normally used in thumb drives.
But it is irrelevant to claims about “DNC insiders”. It only means that WikiLeaks founder Julian Assange, or another WikiLeaks member, could have copied or loaded some of the DNC files to the internet from a thumb drive plugged into their computer. It provides no clue as to when, where or how the thumb drives were loaded. Far from “smashing” the Mueller report, as claimed, the FAT format information fits precisely with the Mueller report’s suggestion that a specific, named courier could have taken thumb drives containing the files to Assange while he sheltered in the Ecuadorian Embassy in London.
Leonard’s first tweet of new “Forensicator” data showed, correctly, that WikiLeaks had published six batches of stolen emails – four from the DNC and two from Clinton campaign chair John Podesta. Three of the batches appeared to have come from FAT media; three did not (as seen in the tables above, with an X marking FAT formatted input files).
Johnson and Binney went further than “Forensicator” or Leonard in making claims that were used to support Butowsky’s libels. Binney and Johnson’s edited table excluded the three batches that did not fit with their theory. They also misreported the date of the third FAT batch, created on 26 August 2016, as 26 May 2016 – so altering the date of the third batch to before the date of Seth Rich’s murder.
These incorrect claims never got tested in court. In October 2020, Butowsky and Couch’s lawyers asked to settle the case by arbitration. Both men admitted that what they had said was false. Getting the truth out, and lies admitted, had by then taken the Rich family four years since losing their son.
Leonard said he advised the attorneys representing Butowksy and Couch that he would “NOT argue that the DNC emails had to have been transferred by thumb drive and stated that I knew another possibility for this pattern”.
His explanation of “another possibility” was to suggest that the hacked emails could have been sent over the internet before being put on a thumb drive by a Wikileaks helper. He did not spell out that, if this was true, the “DNC insider” theory would be untrue.
Leonard’s standard template for his articles denying Russian involvement has normally been to promote “possibilities”, intended to cause other people to take his claims further by adding additional false material and unsupported conclusions. This happened again in 2019, when claims about insiders were found in the Disobedient Media report provided to Butowsky’s lawyer.
The February 2019 report first quotes Binney and Johnson in large letters explaining that the DNC could not have been hacked by the Russians. Leonard adds a caveat questioning where the thumb drive was used. He then reverses it, keeping open the idea of a DNC insider being responsible, saying: “Thus, this scenario does not necessarily rule out the possibility of an insider acquiring the emails.”
This technique, used by Leonard and “Forensicator”, has the effect of persuading readers that the DNC hack was an insider job while simultaneously being able to deny doing so if challenged.
Leonard said that he pushed back on certain theories relating to Seth Rich: “In 2017, I stated publicly that the evidence we were discovering did NOT support Seth Rich conspiracy theories and said that people shouldn’t be making unsubstantiated claims about this. I have also combated disinformation and hoaxes in relation to Seth Rich.”
To support these claims, Leonard cited five tweets, including this one. However, in none of these does he retract his original claim on Reddit saying he believed Seth Rich was the source for the DNC leaks.
He added: “My editor at Disobedient Media also stated in an interview that we were in no way saying that the evidence has anything to do with Seth Rich and also advised against people mixing these things up”. Leonard was unable to provide a reference to this interview.
When asked directly if he still thought Seth Rich was responsible for the DNC leaks, he did not answer.
Until mid-2018, Leonard tweeted numerous times about Rich. On 2 March 2018, he tweeted as @with_integrity: “Increasingly it’s looking like Seth’s existence was a threat to the G2 operation’s integrity, Don’t really wanna say more as going further would be accusing people of high-crimes for which I lack evidence to adequately support.” He has pushed back on any claims that Seth Rich was connected to Guccifer 2.0 (G2).
The “thumb-drive theory” campaign was knocked again after it was shown that WikiLeaks’ second huge batch of hacked data – the “Podesta” emails – could have nothing to do with a DNC insider, as they were a hack of a personal Gmail account. Podesta’s emails were hacked from Google by the Russian GRU. They were never in reach of insiders at the DNC for that reason.
Realising this, Leonard started leaving out the Podesta emails. On 20 July 2018, Leonard tweeted this revised message: “I think the DNC insider assumption is more related to the DNC Leaks emails. I’m still curious who phished Podesta and how the emails went from there to WikiLeaks.”
Even after dropping public references to Rich, Leonard continued to talk about “insiders”. To Trump supporters following the subject, this could only mean Seth Rich.
The “insider” possibility as a “general forensic concept” was shown by US security writers to be unrealistic early on. It had been considered as a technical possibility, based on what was stolen and how it could be accessed.
How the conspiracy theory unravelled
Soon after the first false claims about Seth Rich were published, they proliferated on 4chan, Reddit and a host of alt-right websites. They were backed by Russian government media outlets RT television and Sputnik radio, and in thousands of tweets. Early in 2017, campaigning by an influential group of Trump advisers, led by Butowsky, led to the Washington Times and primetime Fox News publishing false claims.
According to the Senate Intelligence Committee report, one of Trump’s top advisers, Roger Stone, was in frequent and direct contact with Guccifer 2.0 in 2016, calling him a “hero”.
The first prominent news site to repeat false claims about the Rich family was Fox News in May 2017. The reports were orchestrated by Butowsky, according to NPR. Commentator Sean Hannity, a Trump favourite until recently, then claimed that Rich leaked because he was “upset” that the DNC “was conspiring to hurt Bernie Sanders”. That invention also fell apart. Fox News was quick to apologise and retract – but then took nearly four years to agree a final settlement and payment.
As Trump reached the end of his term in office at the end of last year, more far-right media platforms admitted publishing lies without evidence and apologised. In September 2018, the Washington Times withdrew false claims that “Seth Rich and his brother, Aaron Rich, downloaded the DNC emails and were paid by WikiLeaks for that information”. The Times admitted that it “does not have any basis to believe any part of that statement to be true”.
In March 2019, the notorious Infowars site, run by Alex Jones and Trump advisor Jerome Corsi, apologised for claims about Seth and Aaron Rich, which were “not based upon any independent factual knowledge”. Corsi also apologised independently, blaming the Washington Times.
Butowsky was last to back down. “I never had physical proof to back up any such statements or suggestions, which I now acknowledge I should not have made,” Butowsky said this month, in a pinned tweet and linked statement published as part of the settlement. Butowsky has agreed to keep the apology tweet pinned to his Twitter page for 60 days, as has co-defendant Couch.
Couch admitted he had repeatedly vilified the family on his now-folded pro-Trump America First Media network by claiming that Rich and brother Aaron were involved in providing DNC documents to WikiLeaks, receiving money in exchange.
Despite having broadcast more insinuations about the Rich family days before, Couch told thousands of followers in an unreserved climbdown on video that its reports “were largely driven by information given to us by a single source, who we now believe provided us with false information”. Couch told reporters that his “single source” for the Rich allegations was Butowsky.
There is no evidence and no suggestion that any British party was involved in starting Butowsky’s allegations about Rich. But as his claims became louder and more extreme, important material used by these Trump supporters to keep false allegations going came from and through British hands.
Alt-right US media platform Disobedient Media, which formerly published Carter’s articles and claims, has also removed all content. It was identified by media bias analysts as a “conspiracy-pseudoscience site”. Before collapsing, Disobedient Media switched to platforming North Korean propaganda. Leonard’s final article for the site promoted his “thumb-drive theory”.
By 2019, Leonard’s company, Creative Insomnia, was dissolved and struck off by Companies House. Leonard told Computer Weekly he subsequently asked for the company to be restored, so he could have some income and run websites.
“The company retained contracts and I was able to continue to receive a living wage,” he said. Creative Insomnia’s income now comes from hosting about 15 small websites running on one server at a UK datacentre, according to internet domain and company records.
After restoration, Creative Insomnia’s website featured a “team” of fictional staff, US researcher Justin Kriger discovered. Kriger found that most of the team, except Leonard, were inventions. The team page (see above) used images lifted without permission from personal websites. The picture of “Senior UX/UI designer Matt Craven” belonged to an American professor. The picture for “Designer Chez Holt” was a Chinese language translator.
Leonard said: “The creation of those false profiles and the selection of their names, and, uploading those, are all things that [a co-director] was responsible for.”
More British connections
Tim Leonard is not alone among Britons (not “bots” or “trolls” pretending to be British) who have spent years supporting and promoting the Putin government’s denials of involvement in major events, including the 2016 US hacking and the 2018 nerve gas attack in Salisbury intended to kill defector Sergei Skripal.
One year after Leonard launched his Guccifer 2.0 site, the Darlington-based IT manager was joined by Sussex-trained winemaker David Jonathon Blake. Blake launched a second WordPress site, Loaded for Guccifer, in February 2018.
In 2010 and after, Blake’s Twitter account showed him as a regular beer-drinking, music-loving English wine enthusiast. Suddenly, in 2017, he reached out with Twitter messages (now deleted) to a group of the most notorious conspiracy theorists supporting Donald Trump. They included Roger Stone, Infowars and Jack Posobiec, who ran a Canadian disinformation site. Blake started continually posting in support of Russian government issues of the day – including Syria, Crimea, Ukraine and the Salisbury attacks.
Blake and Leonard then connected and held public conversations on Twitter, backing Russia on issues such as the Salisbury nerve gas attacks. In late 2018, they stopped exchanging messages in public.
Blake’s debut blog included intricate and complex forensic file system analysis purporting to raise new questions about the Guccifer 2.0 persona. He later used this information to attack the Mueller report.
Blake says he has never had computer training. He says he taught himself Linux and advanced file format system forensics while passing winter nights at a small Burgundy vineyard. After Computer Weekly confirmed with wine school Plumpton College that someone else was not improperly using his accounts to push conspiracy theories supporting Russian police, Blake wrote back angrily: “Who made you God?”
Blake then worked with Leonard in publishing material created by “Forensicator”. Amazon lists a recent book by Blake called Loaded for Guccifer 2.0. The book has not been reviewed in any periodical at the time of writing, according to Google.
A third Briton, Ian Shilling, was originally suspected of being a fake Russian troll persona because of the virulence of his exceptionally prolific pro-Russian tweets. His Twitter profile picture was lifted from supermodel David Gandy. After the Salisbury attacks, Shilling proved his British identity and gave an interview to Sky TV. He put his real picture online. Twitter recently suspended his profile. Shilling could not be contacted for comment.
Computer Weekly asked Tim Leonard if he now accepted that his original claim that Seth Rich was the source for the DNC leaks was wrong. Would he join Fox TV and others who have apologised for harming the Rich family? Leonard refused to apologise for what he said was “a belief” and not “an allegation”, adding that Computer Weekly was “hectoring me over apologising to the Rich family for making false allegations”.
Researcher Justin Kriger, who assisted in preparing this report, is also a musician and songwriter working in Maryland, US.
Duncan Campbell provided computer forensic reports to attorneys representing Aaron Rich, prior to their libel claims being settled.