Stories

Exclusive: The Illinois Republican who catfished Guccifer 2.0

Putin seen through the Twitter Logo
Russian President Vladimir Putin is seen through a Twitter logo in this photo illustration. (Photo: Jaap Arriens / NurPhoto via Getty Images)

In August 2016, John Bambenek, a former Republican state senate candidate in Illinois, launched his own clandestine investigation of Guccifer 2.0, the public face of the Russian cyber break-in at the Democratic National Committee. What Bambenek found was that the Guccifer 2.0 persona — believed to be a cover for Russia's military intelligence arm — reflected a more slapdash chapter in the operation to sow U.S. election chaos than usually presented.

Why it matters: In transcripts of Twitter messages that Bambenek shared with Axios, Guccifer 2.0 seemed to be either careless or indiscriminate, apparently failing to do even a cursory check on Bambenek, and with only a vague understanding of what he was sharing.

How it happened: In June 2016, the DNC told the Washington Post that hackers apparently working for the Russian government had penetrated its computer networks. The day after, Guccifer 2.0 surfaced with the first of a trove of stolen DNC documents, including a 231-page dossier on Donald Trump, the start of a drumbeat of leaks that would dog Hillary Clinton's presidential campaign until she ultimately lost in November.

Not long after, Bambenek approached Guccifer 2.0, asking for documents to help the Republican cause. "I knew I had a good chance of passing the Google test for being a Republican, and it came at a time when Guccifer was probably receiving many inquiries from the press," he told Axios.

  • The two agreed that leaking documents on Illinois state races to arrange "for maximum impact" might aid Guccifer 2.0's efforts.
BAMBENEK: Among other things I am a Republican operative.

GUCCIFER 2.0: what r u gonna do with the docs?

BAMBENEK: Well it depends on the document. Emails about meeting for lunch, who cares. Emails that can affect an election, well, they'd be used for maximum impact.

GUCCIFER 2.0: i'll let u know if i find any
— From the introductory DM conversation on Aug. 12, 2016
  • So began what would become a two-month correspondence with Guccifer 2.0 over Twitter direct message, ultimately netting leaks of apparent DCCC files profiling Illinois districts (he named himself 2.0, apparently attempting to piggy-back on a Romanian hacker who called himself Guccifer.).

The catch: Bambenek wasn't wearing a GOP hat while conducting the conversation. Instead, he was an executive at Fidelis, a Bethesda, MD, cybersecurity firm that, along with CrowdStrike, had quickly attributed the attack to Russia. Bambenek was more or less just continuing the investigation out of curiosity.

The FBI was in the loop: "Every [direct message] I sent, every [one] I received was turned over to the FBI immediately. I assumed they would have been monitoring the account to begin with," Bambenek said.

  • Though Guccifer 2.0 provided him exclusive documents, they focused on almost comedically non-competitive races.

Bambenek's interactions show Guccifer 2.0 was not a precision operation:

  • With any vetting — even just a glance at Bambenek's Twitter bio, which mentioned his role at Fidelis — Guccifer 2.0 could have easily discovered that Bambenek was not who he said he was.
  • The documents Guccifer 2.0 funneled to Bambenek concerned races in Illinois House districts 01 and 08, neither of them competitive. Illinois 01, the south side Chicago district represented by Democrat Bobby Rush, hasn’t elected a Republican since the Roosevelt administration. Illinois 08, Sen. Tammy Duckworth's old district, wasn't a much safer bet.
  • "They were dumping documents in places there were no real Republicans. Even if there was a there there, it’d have to be something extreme — Roy Moore extreme," Bambenek told Axios.

Though an issue in the Mueller investigation, the Guccifer 2.0 campaign appeared to lack the US political savvy that would have suggested coordination with a domestic expert.

  • At one point, Guccifer 2.0 lost track of who Bambenek was entirely and appeared unaware he was not currently running for any position.
GUCCIFER 2.0: what's ur interest in these docs? r u gonna get nomination?
BAMBENEK: Will take a look. What do you mean get nomination?
GUCCIFER 2.0: u r a republican, ain't u? may be u gonna become a senator :) i mean why r u interested in these docs?
— DMs on August 23, 2016.
  • At another juncture, Guccifer 2.0 complained that a reporter for the Wall Street Journal quoted him in a story. “[I] didn't think he gonna quote my words, he didn't warn me,” Guccifer 2.0 messaged. “It didn’t seem like he understood how the media worked,” Bambenek told Axios.

This was nothing new — Guccifer 2.0 never seemed to be a precision operation: While I was a reporter for The Hill, I corresponded regularly with Guccifer 2.0, who regularly leaked documents to me.

  • Guccifer 2.0 kept abreast of which articles mentioned him, but rarely appeared to read them. Articles regularly included descriptions of his deceptive cover persona and likely connections to Russia.
  • While the leaks targeted swing states, Guccifer 2.0's understanding seemed to stop there, amplifying publicly available voter data as well as long-resolved scandals.

The end: Guccifer 2.0 cut off contact after figuring out Bambenek's true employment (he has since changed jobs to the firm ThreatStop).

  • Bambenek held off announcing his interactions with Guccifer 2.0 until he was sure they were not a component of the FBI's Russia investigation, he said.
  • He said he will publicly describe his experiences with Guccifer 2.0 on Thursday at Kaspersky Lab's Security Analyst Summit in Cancun, Mexico.
GUCCIFER 2.0: r ur company gonna make a story about me? :)
BAMBENEK: Want me to?
— The last DMs between Bambenek and Guccifer 2.0.
More stories loading.