The investigative team of the #VulkanFiles was able to identify several hundred Twitter accounts based on the clues in the documents. The investigation of @christo_buschek@flornrnd and Damian Leloup @lemondefr. A Thread.
The leads in the documents are often easy to miss. In one document, we found an Email address. It looks like many others, a first name, last name, a year. Next to it, we see a date.
A Twitter account with the same first name, last name, and year in its profile name tweets on that same date we saw in the documents.
Another example can be found in a screenshot in the documents. We see a profile picture – a young woman, legs crossed, plaid dress, green background, smiling into the camera.
Several other Twitter accounts also used the same profile picture. Duplicate profile pictures were a strong indicator for us to find further usage of the bot program.
More and more, we were able to map clusters of accounts. We linked accounts through shared hashtags or profile pictures, mutual followers, or links, which were tweeted. This allowed us to connect many disinformation campaigns with the #VulkanFiles.
For example, many accounts spread falsehoods about Hillary Clinton during the 2016 presidential campaign.
Several Tweets mention the downing of flight MH17. Several accounts shared multiple websites claiming that Russia had nothing to do with it and that these allegations are part of an “information war.”
Another campaign revolves around a former employee of the German Consulate in Ukraine. The bots shared a link pointing to a forged letter in which the employee urged stronger sanctions against Russia.
This letter was used as proof of an anti-Russian conspiracy. But it gets even weirder: The victory of @ConchitaWurst at the Eurovision Song Contest was presented as a response of the west to the annexation of Crimea.
Shortly after the Ukraine war escalated in 2022, several accounts were reactivated. They tweeted just one sentence:
In November 2019, an anonymous Twitter account called @m4lwatch posted some tweets. He says he found hacking software belonging to Sandworm - the hackers of the Russian secret service. And he draws a connection between Sandworm and NTC Vulkan - the company of the #VulkanFiles.
@m4lwatch writes about “Znatok”, a Russian name for someone who seems to know everything. "Znatok" is said to be used for cyber attacks. M4lwatch suspects that such targets could be people or embassies. Where he got this information from, he leaves open.
"Znatok" also appears in the #VulkanFiles - for example, a virtual computer is set up - a digital computer that does not need its own hardware. It is also called “Znatok”.
2019 setzt ein anonymer Twitter-Account namens @m4lwatch einige Tweets ab. Er habe eine Hacking-Software gefunden, die zu Sandworm gehört - den Hackern des russischen Geheimdienstes. Und er stellt eine Verbindung her zu NTC Vulkan – der Firma aus den #VulkanFiles.
@m4lwatch schreibt über “Znatok”, ein russischer Name für jemanden, der scheinbar alles weiß. "Znatok” soll für Cyberangriffe genutzt werden. M4lwatch vermutet, Ziele könnten Personen oder Botschaften sein. Woher er diese Informationen hat, lässt er offen.
Auch in den #VulkanFiles kommt “Znatok” vor - zum Beispiel wird ein virtueller Rechner eingerichtet – ein digitaler Computer also, der ohne eigene Hardware auskommt. Auch er wird “Znatok” genannt.