Can we be certain that Russia provided the compromising emails stolen from the Democratic National Committee to WikiLeaks? In its March 17 episode Dutch investigative programme Argos highlights the contradictions within the official narrative. This timeline provides an overview of what we do and do not know about the Russian hack.

March 10, 2016
Fancy Bear sends phishing mails

Russian hacker group Fancy Bear starts sending out phishing mails to employees working for the Hillary Clinton Campaign. According to a number of cybersecurity companies, Fancy Bear can be linked to Russian intelligence agency GRU.

The phishing mails contain a link to a page that looks like the Gmail login page. If the recipient fills in their username and password, Fancy Bear gains access to them.

In the following weeks Fancy Bear continues to send out phishing mails. This time the mails are also sent to employees of the DCCC, the Clinton Foundation and members of the Republican Party. We know this, because cybersecurity company SecureWorks gained access to Fancy Bear’s They studied the 19.000 accounts to which the phishing mails were sent and concluded that Fancy Bear must have been behind the phishing mails. This is because there are many enemies of Russia among the recipients, such as critical journalists, a Pussy Riot singer, targets in Ukraine, and companies specialising in defence, such as Boeing and Lockheed in the US. SecureWorks shared the with Associated Press. The database is not accessible to the public.

March 16, 2016
WikiLeaks publishes Clinton emails
WikiLeaks publishes the Hillary Clinton Email Archive: tens of thousands of emails and attachments from Clinton’s private server, which she used during her time as Secretary of State. WikiLeaks obtained these emails from the US State Department through a Freedom of Information Act request.        

March 19, 2016
Podesta receives phishing mail

John Podesta, chairman of the Hillary Clinton Campaign, receives a phishing mail. WikiLeaks publishes his emails in October 2016 (these are the Podesta-mails, not the DNC-mails). The emails are dated until March 21, 2016. From this, we can conclude that the contents of Podesta’s inbox were obtained shortly after he received the phishing mail.

April 2016 (date unknown)
Democrats pay for dirt on Trump

Perkins Coie, the law firm representing the Democratic Party and Hillary 4 America, hires research and strategic intelligence firm Fusion GPS, with the objective of finding dirt on Trump.

April 6, 2016
Fancy Bear sends out new phishing mails…
… but not to the DNC-accounts that have been leaked to WikiLeaks

Fancy Bear sends sixteen phishing mails to the DNC email accounts of nine different persons. Argos got access to these sixteen and the stats, and found that three people that were targeted actually clicked on the link. That does not necessarily mean that Fancy Bear obtained their password, for it seems that the hackers made a mistake: the phishing link leads to a fake Gmail-page. Considering the fact that the DNC does not use Gmail as its mail server, it seems unlikely that these three people would have entered their DNC credentials (DNC-username and password).

We discovered which email accounts these links were sent to by decoding the code that came after “e=” using website base64decode.   
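The decoding step described above can be scripted instead of pasted into a website. The following is an added example, not Argos’ own tooling: the links, hosts and addresses are constructed placeholders, and it assumes the `e=` value is Base64 of the recipient’s address, possibly with the padding stripped or percent-encoded.

```python
"""Recover the targeted address from the e= parameter of a phishing link."""
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample links: hosts and addresses are placeholders, not indicators.
SAMPLE_LINKS = [
    "http://login.phish.example/a?e=amFuZS5kb2VAZXhhbXBsZS5vcmc=&c=1",    # padded
    "http://login.phish.example/a?c=2&e=amFuZS5kb2VAZXhhbXBsZS5vcmc%3D",  # '=' percent-encoded
    "http://login.phish.example/a?e=amRvZUB3ZWJtYWlsLmV4YW1wbGU",         # padding stripped
    "http://login.phish.example/a?e=not*base64!",                          # not Base64
    "http://login.phish.example/a?c=5",                                    # no e= at all
]


def decode_recipient(url, param="e"):
    """Return the address encoded in `param`, or None if absent or undecodable."""
    # The query is split by hand: a generic query parser turns '+' into a
    # space, which would corrupt a token in the standard Base64 alphabet.
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key != param or not value:
            continue
        token = unquote(value).strip()
        # Accept the URL-safe alphabet as well, then restore the padding.
        token = token.replace("-", "+").replace("_", "/").rstrip("=")
        token += "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        return text if EMAIL_RE.match(text) else None
    return None


def triage(urls, org_domain):
    """Sort links by whether the recipient is on the organisation's own mail domain."""
    report = {"org": [], "other": [], "undecoded": []}
    for url in urls:
        addr = decode_recipient(url)
        if addr is None:
            report["undecoded"].append(url)
        elif addr.lower().rsplit("@", 1)[1] == org_domain.lower():
            report["org"].append(addr)
        else:
            report["other"].append(addr)
    return report


if __name__ == "__main__":
    # "example.org" stands in for the organisation's mail domain (assumption).
    for bucket, items in triage(SAMPLE_LINKS, "example.org").items():
        print(bucket, items)
```

Comparing the decoded recipients with the list of accounts that were later published is then a simple set comparison.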

None of the people that received a phishing mail in their DNC-account belongs to the group of people that had their emails published by WikiLeaks. The three people that clicked the phishing link were also not in the position of having access to the accounts of one of the seven people whose inbox was hacked (i.e.: it was not their secretary or assistant).

April 18, 2016
Fancy Bear hacks DNC

The exact execution date of the hack of the DNC is published when the DNC files a lawsuit against WikiLeaks, Guccifer 2.0 and several members of the Trump Campaign (see April 20, 2018). According to the DNC claim, Fancy Bear’s attack was directed at the servers in Virginia and Washington. The main target appears to be DNC’s research department.

It has been stated in several interviews that this attack ‘set off the alarm’ at the DNC. The other Russian hacker group, Cozy Bear, entered the system long before that: in the summer of 2015.

Cozy Bear made headlines when Dutch newspaper Volkskrant and current affairs program Nieuwsuur found out that Dutch intelligence service AIVD hacked this Russian hacker group, and provided information to the Americans. The FBI subsequently warned the Democratic Party multiple times about the possibility of a Russian hack due to the presence of Cozy Bear. The helpdesk did not take these warnings seriously.

April 19, 2016
Website DCLeaks registered

An unknown party registers the domain In June, July and August of 2016, DCLeaks releases emails from both Democrats (mostly Gmail-accounts) and Republicans (John McCain, Lindsey Graham, Michele Bachmann). We know that most of the people whose emails were published received a phishing mail from Fancy Bear.

Cyber security company ThreatConnect assesses that DCLeaks is part of a Russian operation to influence the elections.

April 22, 2016
DNC: ‘Fancy Bear exfiltrates data’

The GRU staged several gigabytes of DNC data located on the DNC’s servers for unauthorized and surreptitious exfiltration- or, more commonly, theft.
Source: DNC lawsuit.

April 25, 2016
“Fancy Bear” creates X-Tunnel malware

This is the creation date for the X-Tunnel malware found on the Democratic Party server. The hash from this malware is published by cybersecurity company CrowdStrike:


X-Tunnel malware is associated with Russian hacker group Fancy Bear. It is so-called “second stage” malware. This means that it is a different type of malware than was previously used to enter the Democrats’ computers. Thus, the actual hack took place sometime before this. CrowdStrike did not publish the hash of this stage one malware (thought to be a dropper).

We found the creation date of the malware by entering the hash into online malware-scanner VirusTotal. It is possible to manipulate the creation date, although this seldom happens. A source at CrowdStrike informed us that we can assume that April 25, 2016 is the actual creation date.

April 28, 2016
DNC discovers hack

DNC IT-staff detected and ultimately confirmed access to the DNC network by unauthorized users.
Source: DNC lawsuit.

April 29, 2016
Emergency meeting after discovery of hack

A secret committee is created, consisting of Amy Dacey (CEO DNC), Debbie Wasserman-Schultz (chairperson DNC) and Michael Sussmann (Perkins Coie, DNC’s law firm responsible for hiring Fusion GPS / Christopher Steele to investigate Trump).

A reconstruction by the New York Times asserts that the DNC hired CrowdStrike that same day “to scan its computers, identify the intruders and build a new computer and telephone system from scratch”. Within a day, CrowdStrike identifies the Russians as perpetrators of the hack.

CrowdStrike confirms receiving a phone call from the Democratic Party “at the end of April”.

Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyse data that could indicate who had gained access, when and how.
Source: Washington Post.

May 5, 2016
CrowdStrike installs anti-malware platform Falcon
“Fancy Bear” creates another X-Tunnel malware
At this moment in the timeline a contradiction arises. Although CrowdStrike has stated that upon their hire on April 29, they immediately got to work and discovered the Russian hackers, other articles assert that they installed their flagship anti-malware platform Falcon on May 5.

"Almost immediately, Falcon started lighting up with a number of indications of breaches of the DNC network," Alperovitch (Dmitri Alperovitch, founder of CrowdStrike, ed.) says.
Source: Wired.

The US Federal Election Commission Database shows that payments from the DNC to CrowdStrike started on May 5.

In addition to Falcon, the DNC used Overwatch, a service where an elite team of CrowdStrike cybersecurity experts monitors the servers 24/7.

A managed threat hunting service built on the CrowdStrike Falcon® platform. Providing an additional layer of oversight and analysis to ensure that threats don’t get missed and ultimately to prevent the mega breach. This service is comprised of an elite team of security experts who proactively hunt, investigate and advise on threat activity in your environment.
Source: CrowdStrike Overwatch website

Rickey Gevers, cybersecurity expert for Dutch cybersecurity company RedSocks, tells Argos that with Overwatch in place, CrowdStrike must have witnessed it if Fancy Bear created new malware and accessed the DNC server. And if thousands of emails were exfiltrated, they should have seen that as well.  

Considering this, it stands out that more than half of the emails released by WikiLeaks were sent after May 5: after CrowdStrike installs Falcon (see also May 25).

Information from CrowdStrike’s own website (a second hash, published on their blog) reveals that a second type of malware (again X-Tunnel) was created by Fancy Bear on May 5, and found on the servers of the DNC.


May 10, 2016
“Fancy Bear” creates spy malware X-Agent

This is the compilation date of the X-Agent malware that was found on the DNC’s servers. X-Agent is espionage-malware, used in unison with the aforementioned X-Tunnel malware. Both types of malware are associated with hacker group Fancy Bear.

CrowdStrike published the hash of the malware on their website.

Hash: fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5

The compilation timestamp can be identified by entering the hash on website VirusTotal.

Something stands out when looking at the creation date: the malware has a ‘first seen in the wild’ timestamp from 2010. This is years before the malware was compiled, according to the ‘creation date’ timestamp. We have checked both dates with the VirusTotal helpdesk, which concludes that the ‘first seen in the wild’ timestamp is wrong, whereas the creation date is correct.

A source within cybersecurity company CrowdStrike shared that they have no reasons to believe that the compilation timestamp has been tampered with. Thus, they consider the ‘first seen in the wild’ timestamp an error.
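The ‘creation date’ discussed here and under April 25 is the TimeDateStamp field that the linker writes into a Windows executable’s header. The following added example (not code from Argos, CrowdStrike or VirusTotal) reads that field and flags the kind of inconsistency described above; the header bytes are constructed for the illustration and only the date of May 10, 2016 and the year 2010 come from the article, the time of day being an assumption.

```python
"""Read the compile timestamp from a PE header and sanity-check it."""
import struct
from datetime import datetime, timezone

UTC = timezone.utc


def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # Offset 0x3C of the DOS header points at the 'PE\0\0' signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header: Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)


def timestamp_findings(compiled, first_seen=None, now=None):
    """List reasons why a compile timestamp should not be taken at face value.

    The field is plain data written at link time; nothing in the file format
    protects it, so it is a lead to corroborate rather than proof of a date.
    """
    now = now or datetime.now(UTC)
    findings = []
    if compiled == datetime.fromtimestamp(0, tz=UTC):
        findings.append("timestamp is zero (stripped or reproducible build)")
    if compiled > now:
        findings.append("compile time lies in the future")
    if first_seen is not None and first_seen < compiled:
        findings.append("first-seen date precedes compile time: one of the two is wrong")
    return findings


def build_sample_header(compiled):
    """Constructed minimal DOS + COFF header carrying the given timestamp."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, int(compiled.timestamp()), 0, 0, 0xE0, 0x0102)
    return dos + b"PE\x00\x00" + coff


# Constructed sample, not the real malware: only the date is taken from the article.
SAMPLE = build_sample_header(datetime(2016, 5, 10, 9, 30, tzinfo=UTC))

if __name__ == "__main__":
    compiled = pe_compile_time(SAMPLE)
    print("compiled:", compiled.isoformat())
    for finding in timestamp_findings(compiled, first_seen=datetime(2010, 1, 1, tzinfo=UTC)):
        print("check:", finding)
```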

Alexis Dorais-Joncas, Security Intelligence Team Lead for cybersecurity company ESET has told Argos that the X-Agent malware ‘had its source code leaked or made available for a short period online’, ‘ESET has a copy of the source code, which we found a few years ago. There are indications that other parties, among which security investigators, also have access to this code.’

As such, ESET states that it is plausible that anyone with access to this source code for Fancy Bear’s malware and knowledge of their usual tactics (TTPs) could impersonate a hack by Fancy Bear. ‘If someone would obtain that source code and could easily modify it and perpetrate an attack, researchers could attribute this attack to Fancy Bear while in fact anyone could have done it.’

Such an impersonation could be made even better if the attackers had access to the X-Agent source code and modified it in such a way that researchers would see it as an evolution of the tool, rather than just a copy of the old one, ESET tells Argos.

May 18, 2016
Intelligence services warn Republicans and Democrats about hacks

National Intelligence Director James Clapper announces that hackers intend to influence the American presidential campaign.

Clapper said the Department of Homeland Security and the Federal Bureau of Investigation are working to educate “both campaigns” about cyber threats, likely referring to the campaigns of Trump, the presumptive Republican nominee, and Hillary Clinton, the likely Democratic nominee.

Source: Reuters

May 25, 2016
Final send date of released DNC-mails

The DNC-emails released by WikiLeaks are dated up until the 25th of May. As such, the person who obtained these emails must have had access to the email accounts until this date.

June (exact date unknown) 2016
Democrats hire Steele for more dirt on Trump

Perkins Coie, the law firm working for the Democratic Party, expands the investigation on Trump by Fusion GPS through hiring Christopher Steele. Steele is a former employee of the British intelligence service. The aim of his research is to find out more on the link between the Trump Campaign and the Kremlin.

In one of his memos, Steele contends that the Trump Campaign knew about the DNCLeaks and even supported it. In exchange Trump’s team ‘had agreed to sideline Russian intervention in Ukraine as a campaign issue’. According to Vox, no actual evidence supporting this claim has been brought forward. ‘This is obviously a subject of ongoing investigation, but none of the conversations about Russian dirt on Clinton that have come to light so far demonstrate what the dossier claims.’

June 8, 2016
Website DCLeaks launches

Website DCLeaks publishes internal emails from both Democrats and Republicans (see also April 19, 2016). The website states that it is run by American ‘hacktivists’. American intelligence services, however, link DCLeaks to GRU, the Russian military intelligence service.

The first batch of campaign material that it published looked like a test: seventy-two inconsequential memos tracking media coverage of Clinton in 2015.
Source: The New Yorker.

The DCLeaks website is offline as of now. In this timeline we do not go into the dates of the different email releases.

June 10, 2016
Remediation event: DNC system is thoroughly cleansed

Six weeks after CrowdStrike is hired, the DNC computer system secretly gets replaced. All employees are required to leave their laptops behind. Phones and mail accounts are deactivated for the weekend.

According to Donna Brazile’s (DNC Chair) book ‘Hacks’ it took this long to start this so-called ‘remediation event’ because the Democratic Party did not want to have their system down while the primaries for the presidential elections were happening.

In a reaction to Argos, CrowdStrike states:

‘In regards to your questions about the timeline, we were engaged by the DNC in May 2016 and scheduled the remediation event on June 10th to eject the adversary and clean the network. It is a best practice in incident response cases to coordinate the remediation event with the client to avoid alerting the adversary that they had been detected before the comprehensive remediation can take place. Otherwise, you run the risk of the adversary taking destructive actions or disrupting the network, which may make the remediation event more challenging to successfully execute. In this case, we had completed the investigation and identified the adversaries with our technology before the June 10th date.’

June 12, 2016
Assange announces WikiLeaks will publish new Clinton-mails

In an interview with ITV Network’s Robert Peston, Julian Assange, founder of WikiLeaks, states that his organization received emails related to Hillary Clinton, which await publication.

Note: this is the first time it is confirmed that WikiLeaks will publish ‘something’. Which emails Assange is talking about, or what their source is, is unknown at this point.

June 14, 2016
Democrats announce ‘Russian hack’
The Democrats state in the Washington Post that their party has been hacked.

When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.
Debbie Wasserman Schultz, DNC chairwoman, in the Washington Post.

The Democrats have been advised to do this by Michael Sussmann, lawyer for Perkins Coie. That way, they figured, they could get ahead of the story, win a little sympathy from voters for being victimized by Russian hackers and refocus on the campaign. (Source: New York Times).

The Washington Post reads: One group, which CrowdStrike had dubbed Cozy Bear, had gained access last summer and was monitoring the DNC’s email and chat communications, Alperovitch said. […] The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files. It was this breach that set off the alarm. The hackers stole two files, Henry said.

What is striking is that the report by the NSA, FBI and CIA (see January 6, 2017) states that Fancy Bear (GRU) was behind the stolen emails. Furthermore, in this first article there is no reporting on stolen emails. Rather, according to the statement, only two files have been stolen.

‘It appears that no financial information or sensitive employee, donor or voter information was accessed by the Russian attackers’, DNC-lawyer Sussmann tells the Washington Post.

June 15, 2016
Guccifer 2.0 claims Democratic Party hack

In a blog post, Guccifer 2.0 declares he is the one responsible for the Democratic Party hack. He claims to be a ‘lone hacker’ from Romania, and not a hacker group from Russia. He also publishes a number of documents on his blog to prove he was behind the DNC hack. None of these documents appear in the later WikiLeaks publication. Some of them can be found as an attachment to the Podesta-mails published by WikiLeaks at a later point in time.

Guccifer 2.0 is the first to link the DNC hack to the upcoming WikiLeaks publications. On his blog he writes: The main part of the papers, thousands of files and mails, I gave to WikiLeaks. They will publish them soon.

Cyber security company ThreatConnect connects Guccifer 2.0 to Russia. This is partly due to the fact that some of the published documents have been edited in a Russian version of Word and that he uses a Russian VPN. The American intelligence services also state with ‘high confidence’ that Russian military intelligence service GRU was behind the attacks.

Bloggers Adam Carter (pseudonym) and Forensicator have expressed their doubts with regard to Guccifer 2.0 being the Russian military intelligence service. They partly base this on the times Guccifer 2.0 publishes its tweets and blogs. They publish the information that they have gotten from the metadata of the documents and files published by Guccifer 2.0.

In July 2016, Guccifer 2.0 states again that he was behind the DNC hack. VIPS (Veteran Intelligence Professionals for Sanity) analysed the timestamps and other metadata of this hack/download. They conclude that the transfer speed is too high for a trans-Atlantic hack and that there must have been a leak rather than a hack.

Several websites interpret the statement by VIPS as stating that the DNC-mails were obtained through a leak. However, the finding refers to a different set of files belonging to Guccifer 2.0 and not to that download (which presumably took place in May). Former NSA-employee Bill Binney (VIPS member) discovered that Guccifer 2.0 manipulated the download dates of these files. So what does this tell us? ‘Guccifer 2.0 is playing with us’, says Binney in an interview with Argos. Nothing more, nothing less.

In March 2018, The Daily Beast reports that Guccifer 2.0 used an IP-address in Moscow that can be traced back to a specific intelligence officer in the GRU headquarters. They base this on sources familiar with the government’s Guccifer investigation.

Argos did not conduct their own research on Guccifer 2.0. He has not responded to our Twitter DMs.

July 10, 2016
DNC employee Seth Rich killed

At 4AM, DNC-employee Seth Rich gets shot in Bloomingdale, the Washington neighbourhood he lives in. According to the police Rich died from two shots in the back, possibly as part of an armed robbery. Nothing is stolen. The perpetrators were never caught.

Rich worked as Voter Expansion Data Director with the Democratic Party. This fed into theories that he was murdered because he was the one responsible for leaking the DNC-mails and providing them to WikiLeaks. WikiLeaks has put out a 20.000 dollar reward for information leading to the conviction of Rich’s killers. This added fuel to the rumour that Rich was WikiLeaks’ source, although this has neither been denied nor confirmed by WikiLeaks.

Fox News retracted its publications on the link between Rich and WikiLeaks. In March of 2018 the news broke that Rich’s parents were starting a lawsuit against Fox because it used Rich’s death as a ‘political football’.

Argos did not do any investigating on Rich’s death. We do not have evidence that Rich was WikiLeaks’ DNC source.

July 22, 2016
WikiLeaks launches DNCLeaks
WikiLeaks publishes the first load of DNC mails as part of their new ‘Hillary Leaks series’. These emails show how the Democratic Party favours Clinton over her opponent Bernie Sanders.

The leaks come from the accounts of seven key figures in the DNC: Communications Director Luis Miranda (10520 emails), National Finance Director Jordon Kaplan (3799 emails), Finance Chief of Staff Scott Comer (3095 emails), Finance Director of Data & Strategic Initiatives Daniel Parrish (1742 emails), Finance Director Allen Zachary (1611 emails), Senior Advisor Andrew Wright (938 emails) and Northern California Finance Director Robert (Erik) Stowe (751 emails). The emails cover the period from January last year until 25 May this year.

Guccifer 2.0 wants credit for the WikiLeaks publications: [the] “docs I’d given them!!!”

Research by Argos shows that none of the abovementioned persons received a phishing mail from Fancy Bear on their DNC mail account (see April 6, 2016). It is possible that they received an email on their Gmail account. But the question remains: did they click on the link? Did that person subsequently enter their logins? And are those logins the same as the ones they use for their DNC account?

Associated Press claims (as opposed to Argos) that ‘all these Democrats’ were targeted by Fancy Bear, either through their Gmail account or through the DNC. Argos repeatedly asked the AP author for verification, for which they received permission from SecureWorks, but received no response.

Argos asked Rickey Gevers (RedSocks) to check if the passwords of the seven DNC-employees were previously leaked. For only one of them, this was the case.

July 24, 2016
“DNC hack a Russian plot to help Trump”
Robby Mook, Clinton’s campaign manager, tells CNN that experts confirm that the Russians broke into the DNC, stole emails and released these to help Trump.

The Clinton Campaign issues a statement to the press: This is further evidence the Russian government is trying to influence the outcome of the election.

Debbie Wasserman-Schultz announces that she will step down as DNC chairman after the Democratic Convention. Vice-chairman Donna Brazile is assigned the position of ad interim chairman until the elections.

July 25, 2016
FBI starts WikiLeaks investigation
The Democratic Convention starts in Pennsylvania.

The FBI announces it will start an investigation on the DNC emails. The FBI is investigating a cyber intrusion involving the DNC and are working to determine the nature and scope of the matter. A compromise of this nature is something we take very seriously.

The FBI does not obtain access to the Democratic Party servers (see January 10, 2017).

WikiLeaks founder Julian Assange tells NBC that there is no proof that the DNC mails have been provided to WikiLeaks by Russia.

NSA whistleblower Edward Snowden states on Twitter that the NSA should have proof if the Russians had hacked the DNC.

Even if the attackers try to obfuscate origin, #XKEYSCORE makes following exfiltrated data easy. I did this personally against Chinese ops. […] Evidence that could publicly attribute responsibility for the DNC hack certainly exists at #NSA, but DNI traditionally objects to sharing.

July 26, 2016
Russia denies involvement in hack
Russian foreign minister Sergey Lavrov denies that Russia has anything to do with the DNC hack. "I don't want to use four-letter words."

Anonymous U.S. officials declare to a number of American news outlets that the Russians hacked the DNC in order to help Trump. See: the New York Times, , CNN and the Daily Beast.

July 27, 2016
Assange announces more Clinton mails
There are more DNC emails and we will be publishing more related to Hillary Clinton’s campaign, WikiLeaks founder Julian Assange tells the Washington Post.

Donald Trump tweets: Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing. According to his spokesperson Sean Spicer he was joking. However, several media outlets see it as a sign that Trump wants the Russians to hack Clinton.

July 28, 2016
Reuters reveals DCCC hack
In addition to the DNC, the Democratic Congressional Campaign Committee (DCCC) is hacked. According to Reuters the hack took place in June of 2016. The FBI investigates the hack, and sees similarities with the DNC hack. The break-in is aimed at donation website ActBlue. The internet traffic from the donation website was led to a fake website.

August 12, 2016
Guccifer 2.0 publishes DCCC-documents
Guccifer 2.0 claims that he was behind the DCCC hack and publishes phone numbers and private email accounts from donors. Wordpress has since removed this blogpost.

August 26, 2016
Assange: “New sources thanks to DNCLeaks”
WikiLeaks founder Assange appears on Fox & Friends, where he declares that WikiLeaks will publish even more documents surrounding the American presidential campaign. The publication of the DNC mails by WikiLeaks encouraged new sources to come forward, according to Assange.

"So they stepped forward and hopefully that process will continue as we continue to publish and we can see a kind of cascade of information hopefully also coming out about [the] Republican campaign, and then Americans and others can be better informed about whose new policy is going to be U.S. policy," Assange said, while adding that it is difficult for an organization like WikiLeaks to "publish much more controversial material than what comes out of Donald Trump's mouth every single day."

September 20, 2016
Communication between WikiLeaks and Trump’s son
WikiLeaks sends Donald J. Trump (the oldest Trump son) a DM message on Twitter. He responds after twelve hours. The messages have been handed to Congress as part of the investigation on the Russian influence on the presidential campaign. The Atlantic obtains the correspondence. They claim that the contact lasted until July 2017.

October 7, 2016
Homeland Security accuses the Russians of hacking…
…WikiLeaks publishes first load of Podesta emails

We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities, said the office of the director of national intelligence and the Department of Homeland Security (DHS) in a joint statement.

WikiLeaks publishes its first load of Podesta emails. These are emails from the Gmail account belonging to John Podesta, Clinton’s campaign manager. In the period leading up to the elections WikiLeaks continues to publish new emails. These have been selected through an algorithm, Assange tells the New Yorker. (See also March 19, 2016)

October 9, 2016
Clinton: Trump profits from Russia
The link between Trump and Russia starts to play a larger role in Clinton’s presidential campaign. In the second presidential debate Clinton claims Trump profits from the Russian involvement in the elections.

October 19, 2016
Clinton: Trump is Putin’s puppet
In the third and final presidential debate, Clinton reiterates the alleged bond between Trump and Russia. In a reaction to questions on the leaked WikiLeaks mails, she claims that Putin supports Trump because he prefers to have ‘a puppet as president of the United States’.

November 3, 2016
WikiLeaks: Podesta emails not provided by Russia
Julian Assange says, in an interview broadcast by RT, that Russia is not behind the leaked Podesta emails.

November 8, 2016
Trump wins American presidential elections

December 9, 2016
Anonymous sources CIA: Russians interfered to help Trump win election
The Washington Post publishes an article in which anonymous sources (who claim that they have been briefed on the issue) declare that the CIA has published a secret report stating that the Russians hacked the DNC in order to prevent Clinton from becoming president.

According to the Post’s report, officials briefed on the matter were told that intelligence agencies had found that individuals linked to the Russian government had provided with thousands of confidential emails stolen from the Democratic National Committee (DNC) and others.

The New York Times also publishes an article, based on anonymous sources, on how the intelligence services discovered that the Russian hackers hacked the Republican Party network too, but conspicuously chose to solely publish information on the Democrats. (Recap by The Guardian)

December 10, 2016
Russia was not WikiLeaks’ source
Former British ambassador to Uzbekistan and WikiLeaks supporter Craig Murray tells The Guardian that he met the person who provided the emails to WikiLeaks. This person was not a Russian but an insider, according to Murray.

A day later, Murray publishes a blog on his website. In it he writes:

Now both Julian Assange and I have stated definitively the leak does not come from Russia. Do we credibly have access? Yes, very obviously. Very, very few people can be said to definitely have access to the source of the leak. The people saying it is not Russia are those who do have access.

Argos contacted Murray several times, but to no avail.

December 16, 2016
FBI and DNI confirm CIA findings
FBI director James Comey and the director of national intelligence, James Clapper, confirm the CIA assessment that Russia interfered with the American elections in order to let Donald Trump win. A letter by CIA-director Brennan supports this, according to officials who have seen the letter and anonymously report to The Independent. The CIA and FBI refrain from commenting.

December 29, 2016
FBI and Homeland Security publish report
The FBI and Homeland Security publish the result of their joint analysis on Russian cyber-attacks, Grizzly Steppe. Russian Malicious Cyber Security. The report states that two hacker groups, APT28 (Fancy Bear) and APT29 (Cozy Bear), were involved in entering a political party. No new evidence is presented.

January 6, 2017
Report CIA, FBI, NSA: high confidence in Russian hack
American intelligence agencies CIA, FBI and NSA publish a joint report: Assessing Russian Activities and Intentions in Recent US Elections. This is a declassified version of a secret assessment that has been handed to the president and others that have been approved by the president.

On the Democratic Party hack, and WikiLeaks’ publications, the report states:

The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.

We assess with high confidence that the GRU used the Guccifer 2.0 persona,, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets.

We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity. Disclosures through WikiLeaks did not contain any evident forgeries.

In early September, Putin said publicly it was important the DNC data was exposed to WikiLeaks, calling the search for the source of the leaks a distraction and denying Russian “state-level” involvement.

In the Argos broadcast former NSA-employees Bill Binney and Kirk Wiebe react to the report. Binney: ‘They didn't say they know. They said they had high confidence.’

Binney and Wiebe wrote several intelligence papers themselves. ‘You state initially everything you clearly know. And you say, this is what I can show by evidence directly. Period’, says Binney. ‘Then at the bottom, if you wanna give a guess, then you qualify it by saying “this is my estimate, or guess”.’

The word ‘assess’ or ‘assessment’ is mentioned 95 times in the FBI, CIA and NSA report. Firm wording such as ‘we know’, ‘we have seen’, ‘fact’, ‘evidence’, ‘prove’ or ‘sure’ cannot be found in the report.

January 10, 2017
Comey: DNC denied the FBI access to the DNC server
In a Senate Intelligence Committee hearing on Russian influence on the US presidential campaign, FBI director Comey states that the FBI did not get access to the Democratic Party servers.

Chairman: Were you given access to do the forensics on those servers?
Comey: We were not. We were... A highly respected private company eventually got access and shared with us what they saw there.
Chairman: But is that typically the way the FBI would prefer to do the forensics? Or would your forensics unit rather see the servers and do the forensics themselves?
Comey: We always prefer to do the forensics ourselves if that's possible.
Chairman: Do you know why you were denied access to those servers?
Comey: I don't know for sure. I don't know for sure.
Chairman: Was there one request or multiple requests?
Comey: Multiple requests at different levels.

January 17, 2017
VIPS memo to Obama: a demand for Russian ‘hacking’ proof
Over 20 American intelligence veterans (VIPS, Veteran Intelligence Professionals for Sanity) demand proof that the Russians hacked with the goal of aiding Trump and that the Russians provided the Democratic Party emails to WikiLeaks. If this evidence does not exist, they demand that this be acknowledged.

In the past, VIPS wrote memos on the lack of evidence for the presence of weapons of mass destruction in Iraq.

January 18, 2017
Obama: evidence against WikiLeaks not conclusive
In his final press conference as president, Barack Obama declares that it has not been proven that WikiLeaks received the DNC emails from the Russians. He says this after having read the complete, highly classified report by the FBI, NSA and CIA on Russian interference in the elections.

The conclusions of the intelligence community with respect to the Russian hacking were not conclusive as to whether WikiLeaks was witting or not in being the conduit through which we heard about the DNC e-mails that were leaked.

April 20, 2018
DNC files lawsuit against Russians and WikiLeaks
The Democratic Party files a complaint for a civil lawsuit against Russian military intelligence service GRU, Guccifer 2.0, Aras Iskenerovich Agalarov, Emin Araz Agalarov, Joseph Mifsud, WikiLeaks, Julian Assange, Donald J. Trump for President Inc., Donald J. Trump Jr., Jared Kushner, Paul J. Manafort, Roger Stone, George Papadopoulos and Richard Gates. The DNC requests a jury trial at the District Court for the Southern District of New York. The complaint alleges that these parties had a preconceived plan to influence the presidential campaign by hacking the DNC and publishing internal DNC emails. According to the DNC, the party spent over a million dollars to repair the computer system and to hire cyber consultants. At least eleven servers had to be rebuilt, and the operating systems of over 180 computers were reinstalled.


This is an edited version of the timeline we used for our investigation. We limited this timeline to the events that can be linked directly to the Russian hacking of the Democratic Party and the publication of DNC emails by WikiLeaks. The timeline surrounding George Papadopoulos's Russia links, for example, has not been included in this version. (His meeting on emails with dirt on Clinton took place on April 26, 2016; the DNC mails are dated until May 25, 2016.) The same goes for the Steele dossier timeline, the timeline of the FBI investigation into Clinton’s private email server and the timeline of the Dutch intelligence service AIVD's infiltration of Cozy Bear.

Are we missing something? We will continue to update this timeline with new findings. For tips contact Encrypted? Key-ID EFBB278C