Stephen McIntyre

Oct 4, 2021, 19 tweets

this is a thread on an interesting idea that @Guccifer2Henry had, but which we've decided didn't quite work out. I'll set out the original theory - see if you can figure out why we've walked back from it. (And then I'll explain.)

2/ we'll start with paragraph 60 in the Mueller Indictment and work towards an apparent connection to Profexer, the Ukrainian author of malware featured in the DHS attribution of DNC hack. First, here's paragraph 60.

3/ in a blogpost in Apr 2019, Tim Cotten reported the identification of the transaction cited by Mueller (0.02604399 BTC on 2016-02-01) here blockchain.com/btc/tx/3c4c026…

4/ Cotten followed a chain of mostly uninformative blockchain transactions which he traced up to April 18, 2016 before stopping at two addresses 1Mo8of.... and 1FnRRM... blockchain.com/btc/address/1B…

5/ returning now to the DHS study. On Dec 29, 2016 - the same day as the expulsion of diplomats and sanctions on the GRU and FSB - DHS published us-cert.cisa.gov/sites/default/…; the DHS report promised "technical details" on "tools and infrastructure" used in the hacks.

6/ the report was a fiasco - the full degree of its inadequacy not being fully appreciated to this day. DHS provided NO data that demonstrated attribution to Russia and the information that they provided was laughable. Maybe there was better info somewhere, but it wasn't provided.

7/ the lead item in their section on Technical Details was the "YARA signature" of the PAS_TOOL_PHP_WB_KIT.

8/ but this was immediately shown to be an embarrassment. Errata Security reported almost immediately blog.erratasec.com/2016/12/some-n… that the PAS web shell was used by "hundreds", if not "thousands" of hackers throughout the world - and not diagnostic.

8/ the next day, Wordfence reported wordfence.com/blog/2016/12/r… that the DHS report "shows Russia used outdated Ukrainian malware", downloadable on the internet from Ukraine from "profexer", whose Bitcoin address 1PASv4... was supplied for donations.

9/ about 10 days later, Petri Krohn identified Jaroslav Panchenko, a young Ukrainian university student, as the proprietor of the profexer website and apparent author of the PAS malware off-guardian.org/2017/01/09/did…. Story later covered in NYT.

10/ #Guccifer2Henry had the bright idea of checking whether there was a connection between the end of the "GRU" blockchain described in the Cotten article and the profexer Bitcoin address in Ukraine.

11/ 17 transactions are recorded for the 1PASv4... address, with two right after the last transaction in Cotten chain and one on July 29, 2016 - a big day in Russiagate. walletexplorer.com/address/1PASv4…

12/ Guccifer2Henry looked in walletexplorer at the last entry in the Cotten blog article 1FnFRM... walletexplorer.com/address/1FnFRM… and determined that it belonged to wallet 11847ddf0a, to which he then proceeded.

13/ he looked at the first transaction for "GRU" wallet 11847ddf0a walletexplorer.com/wallet/11847dd… on Apr 6, 2016 at 15:23:37Z, just as DNC spearphishing started (according to Mueller)

14/ the record of this opening transaction for "GRU" wallet 11847ddf0a walletexplorer.com/txid/bcf80bbc8… also showed a deposit to wallet 00011ad30e. This really caught @Guccifer2Henry's eye.

15/ because the SAME wallet appears in the July 29, 2016 Profexer 1PASv4... account. Its transaction was 0a459748..., which showed source of funds was 00011ad30e.

16/ so the blockchain shows a fairly direct connection between a "GRU" wallet cited in the Mueller indictment of Netyksho etc and the Bitcoin address of the Ukrainian student, who had apparently authored the malware cited in the embarrassing DHS report.
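The tracing in tweets 12 to 16 relies on an explorer grouping addresses into "wallets" and then following funds from one wallet to the next. The example below is added here and is not code from the thread or from WalletExplorer; it reimplements the common-input-ownership heuristic that such explorers use (all inputs of one transaction are assumed to belong to one owner), builds a wallet-to-wallet funding graph, and finds a path between two addresses. All transactions and addresses are constructed placeholders. The report also counts how many distinct wallets fund each hop, which is the check a practitioner wants before calling a path a "connection": a hop funded by many unrelated parties is a shared pool, and a path through it says little about the two endpoints.

```python
from collections import defaultdict, deque

# Constructed sample transactions as (txid, input addresses, output addresses).
# Every address is an invented placeholder, not one from the thread.
SAMPLE_TXS = [
    ("tx01", ["C1", "C2"], ["H1"]),             # "chain end" wallet pays into hub wallet
    ("tx02", ["U1"], ["H2"]),                   # five unrelated parties also pay the hub
    ("tx03", ["U2"], ["H2"]),
    ("tx04", ["U3"], ["H3"]),
    ("tx05", ["U4"], ["H1"]),
    ("tx06", ["U5"], ["H3"]),
    ("tx07", ["H1", "H2", "H3"], ["P1", "H4"]), # hub spends all its keys: pays P1, change to H4
    ("tx08", ["U6"], ["P1"]),                   # an unrelated donor pays P1 directly
]


def cluster_addresses(txs):
    """Common-input-ownership heuristic via union-find.

    All inputs of a transaction are merged into one wallet. Returns a map
    address -> wallet id, where the id is the smallest member address so
    that results are deterministic. Change outputs (H4 above) are NOT
    linked back; that needs a separate change heuristic, omitted here.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for _, ins, outs in txs:
        for addr in ins + outs:
            find(addr)                     # register every address seen
        for addr in ins[1:]:
            union(ins[0], addr)

    members = defaultdict(list)
    for addr in list(parent):
        members[find(addr)].append(addr)
    return {addr: min(group) for group in members.values() for addr in group}


def wallet_graph(txs, wallet_of):
    """Directed funding edges between wallets, plus the set of distinct
    wallets that ever paid into each wallet (how 'shared' a hop is)."""
    edges = defaultdict(set)
    funders = defaultdict(set)
    for _, ins, outs in txs:
        src = wallet_of[ins[0]]            # every input maps to the same wallet
        for out in outs:
            dst = wallet_of[out]
            if dst != src:                 # ignore payments back to the same wallet
                edges[src].add(dst)
                funders[dst].add(src)
    return edges, funders


def find_path(edges, start, goal):
    """Breadth-first search for a shortest funding path start -> goal."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        w = queue.popleft()
        if w == goal:
            path = []
            while w is not None:
                path.append(w)
                w = prev[w]
            return path[::-1]
        for nxt in sorted(edges[w]):
            if nxt not in prev:
                prev[nxt] = w
                queue.append(nxt)
    return None


def trace(txs, addr_from, addr_to):
    """Return [(wallet id, number of distinct funding wallets), ...] along the
    shortest path from addr_from's wallet to addr_to's wallet, or None."""
    wallet_of = cluster_addresses(txs)
    edges, funders = wallet_graph(txs, wallet_of)
    path = find_path(edges, wallet_of[addr_from], wallet_of[addr_to])
    if path is None:
        return None
    return [(w, len(funders[w])) for w in path]


if __name__ == "__main__":
    for wallet, n_funders in trace(SAMPLE_TXS, "C2", "P1"):
        print(f"wallet {wallet}: funded by {n_funders} distinct wallet(s)")
```

On the constructed data the path is C1 -> H1 -> P1, but the middle hop H1 is funded by six distinct wallets, five of which have nothing to do with C1; a real investigation would treat such a hop as a shared service rather than as a link between its depositors.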

17/ on further reflection, it doesn't appear to be quite as smoking a gun as it first appeared. An exercise for interested readers that I'll explain further tomorrow.

18/ but since Mueller was evasive (to the point of obfuscation) on details of the Bitcoin connections alleged in the Netyksho indictment, I'm also wondering how good these would actually be in full sunlight. More tomorrow.
