this is a thread on an interesting idea that @Guccifer2Henry had, but which we've decided didn't quite work out. I'll set out the original theory - see if you can figure out why we've walked back from it. (And then I'll explain.)
2/ we'll start with paragraph 60 in the Mueller Indictment and work towards an apparent connection to Profexer, the Ukrainian author of malware featured in the DHS attribution of DNC hack. First, here's paragraph 60.
3/ in a blogpost in Apr 2019, Tim Cotten reported the identification of the transaction cited by Mueller (0.02604399 BTC on 2016-02-01) here blockchain.com/btc/tx/3c4c026…
4/ Cotten followed a chain of mostly uninformative blockchain transactions which he traced up to April 18, 2016 before stopping at two addresses 1Mo8of.... and 1FnRRM... blockchain.com/btc/address/1B…
5/ returning now to the DHS study. On Dec 29, 2016 - the same day as the expulsion of diplomats and sanctions on GRU and FSB - DHS published us-cert.cisa.gov/sites/default/…, a report that promised "technical details" on "tools and infrastructure" used in the hacks.
6/ the report was a fiasco - the full degree of its inadequacy not being fully appreciated to this day. DHS provided NO data that demonstrated attribution to Russia and the information that they provided was laughable. Maybe there was better info somewhere, but it wasn't provided.
7/ the lead item in their section on Technical Details was the "YARA signature" of the PAS_TOOL_PHP_WB_KIT.
8/ but this was immediately shown to be an embarrassment. Errata Security reported almost immediately blog.erratasec.com/2016/12/some-n… that the PAS web shell was used by "hundreds", if not "thousands" of hackers throughout the world - and not diagnostic.
8/ the next day, Wordfence reported wordfence.com/blog/2016/12/r… that the DHS report "shows Russia used outdated Ukrainian malware", downloadable on the internet from Ukraine from "profexer", whose Bitcoin address 1PASv4... was supplied for donations.
9/ about 10 days later, Petri Krohn identified Jaroslav Panchenko, a young Ukrainian university student, as the proprietor of the profexer website and apparent author of the PAS malware off-guardian.org/2017/01/09/did…. Story later covered in NYT.
10/ @Guccifer2Henry had the bright idea of checking whether there was a connection between the end of the "GRU" blockchain described in the Cotten article and the profexer Bitcoin address in Ukraine.
11/ 17 transactions are recorded for the 1PASv4... address, with two right after the last transaction in the Cotten chain and one on July 29, 2016 - a big day in Russiagate. walletexplorer.com/address/1PASv4…
12/ Guccifer2Henry looked in walletexplorer at the last entry in the Cotten blog article 1FnFRM... walletexplorer.com/address/1FnFRM… and determined that it belonged to wallet 11847ddf0a, to which he then proceeded.
13/ he looked at the first transaction for "GRU" wallet 11847ddf0a walletexplorer.com/wallet/11847dd… on Apr 6, 2016 at 15:23:37Z, just as DNC spearphishing started (according to Mueller).
14/ the record of this opening transaction for "GRU" wallet 11847ddf0a walletexplorer.com/txid/bcf80bbc8… also showed a deposit to wallet 00011ad30e. This really caught @Guccifer2Henry's eye.
15/ because the SAME wallet appears in the July 29, 2016 Profexer 1PASv4... account. Its transaction was 0a459748..., which showed source of funds was 00011ad30e.
16/ so the blockchain shows a fairly direct connection between a "GRU" wallet cited in the Mueller indictment of Netyksho etc and the Bitcoin address of the Ukrainian student, who had apparently authored the malware cited in the embarrassing DHS report.
17/ on further reflection, it doesn't appear to be quite as smoking a gun as it first appeared. An exercise for interested readers that I'll explain further tomorrow.
18/ but since Mueller was evasive (to the point of obfuscation) on details of the Bitcoin connections alleged in the Netyksho indictment, I'm also wondering how good these would actually be in full sunlight. More tomorrow.
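To make the walletexplorer walk in tweets 12 to 16 concrete (address, then its wallet, then the wallet's transactions, then the wallet on the other side), here is an added Python example; it is my own code, not the thread's or walletexplorer's, and it runs on a constructed ledger of placeholder ids. It assumes that the "wallet" grouping is the common-input-ownership heuristic, in which addresses spent together as inputs of one transaction are treated as one wallet.

```python
from collections import defaultdict, deque

# Constructed sample ledger (txid, input addresses, output addresses).
# Every id below is a made-up placeholder, not a real transaction or address.
LEDGER = [
    ("tx_a", ["addr_A1", "addr_A2"], ["addr_B1", "addr_C1"]),  # A1, A2 co-spent
    ("tx_b", ["addr_C1", "addr_C2"], ["addr_D1"]),             # C1, C2 co-spent
    ("tx_c", ["addr_D1"], ["addr_E1", "addr_C3"]),
    ("tx_d", ["addr_C3"], ["addr_F1"]),                        # C3 never co-spent
]

def cluster_wallets(ledger):
    """Common-input-ownership heuristic (assumed, not walletexplorer's code):
    addresses spent together in one transaction are merged into one wallet.
    Returns {address: wallet_id}. A shared id shows co-spending, not who owns it."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a
    for _, inputs, outputs in ledger:
        for a in inputs[1:]:
            parent[find(a)] = find(inputs[0])
        for a in outputs:
            find(a)  # register outputs so every address gets a wallet id
    return {a: find(a) for a in parent}

def trace(ledger, start_addr, target_addr):
    """Breadth-first walk over wallet -> wallet payments, i.e. the hop-by-hop
    reading of wallet pages in the thread. Returns the txids on the shortest
    route, [] if both addresses share a wallet, or None if there is no route."""
    wallets = cluster_wallets(ledger)
    edges = defaultdict(list)  # source wallet -> [(destination wallet, txid)]
    for txid, inputs, outputs in ledger:
        for o in outputs:
            edges[wallets[inputs[0]]].append((wallets[o], txid))
    start, goal = wallets[start_addr], wallets[target_addr]
    queue, seen = deque([(start, [])]), {start}
    while queue:
        w, path = queue.popleft()
        if w == goal:
            return path
        for nxt, txid in edges[w]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [txid]))
    return None
```

Note that addr_C3 is never co-spent with addr_C1 or addr_C2, so the heuristic keeps it in a separate wallet even though a route of payments still connects them; a route of this kind is what the thread found, and it says nothing by itself about who controls each hop.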