WikiLeaks release excludes evidence of €2 billion transfer from Syria to Russia
A trove of hacked emails published by WikiLeaks in 2012 excludes records of a €2 billion transaction between the Syrian regime and a government-owned Russian bank, according to leaked U.S. court documents obtained by the Daily Dot.
WikiLeaks has become an ever-prominent force in the 2016 presidential election through its publishing of tens of thousands of emails, voicemails, and documents stolen from the Democratic National Committee by hackers that U.S. authorities and cybersecurity experts believe are linked to the Russian government. The transparency organization, which boasts of a commitment to use “cryptography to protect human rights” against repressive regimes, has faced criticism from supporters of Democratic nominee Hillary Clinton and praise from Republican opponent Donald Trump and Russian President Vladimir Putin.
The court records, placed under seal by a Manhattan federal court and obtained by the Daily Dot through an anonymous source, show in detail how a group of hacktivists breached the Syrian government’s networks on the eve of the country’s civil war and extracted emails about major bank transactions the Syrian regime was hurriedly making amid a host of economic sanctions. In the spring of 2012, most of the emails found their way into a WikiLeaks database.
But one set of emails in particular didn’t make it into the cache of documents published by WikiLeaks in July 2012 as “The Syria Files,” despite the fact that the hackers themselves were ecstatic at their discovery. The correspondence, which WikiLeaks has denied withholding, describes “more than” €2 billion ($2.4 billion, at current exchange rates) moving from the Central Bank of Syria to Russia’s VTB Bank.
By the fall of 2011, the Syrian government had lost control over most of its computer networks—presuming it ever had control to begin with. So thoroughly “owned” was the regime of President Bashar al-Assad, whom Russia currently backs in Syria’s ongoing civil war, that by late October one hacker declared mastery over “all forms of IP traffic” in the country.
“Basically, we have access to several internal routers, the main telecom gateway in Syria, the phone infrastructure to some extent, and yes, possibly television,” that hacker announced in a chatroom, speaking to fellow members of RevoluSec, a group of pro-revolution activists who repeatedly carried out sophisticated cyberattacks against the Syrian government for roughly a year.
“To be honest, people have been trying to hack these for years,” a representative of RevoluSec said of Syrian websites in a September 2011 interview with Al Jazeera. “But we were extremely thorough in searching for vulnerabilities, and when it came down to it, there were a ton.”
“We also have a team full of extremely knowledgeable people who are very, very good at what they do, while the system administrators in Syria, it seems, are not. Their internet security was lax, and as a result, anyone looking hard enough for vulnerabilities was able to find what they wanted,” the RevoluSec member said.
More than 500 pages of sealed documents reveal in extraordinary detail how a handful of activists seized near-total control of Syria’s internet and then employed that power to conduct real-time surveillance on many of the nation’s top ministry officials. The leaked records, amassed during the U.S. government investigation into WikiLeaks founder Julian Assange and affiliated hackers worldwide, likewise confirm RevoluSec to be the source of “The Syria Files,” a cache of more than 2 million Syrian government emails published by WikiLeaks over the summer of 2012.
The leaked documents offer evidence that not every email intercepted by RevoluSec found its way into WikiLeaks’ database, despite the fervor of the hackers who wished them exposed.
By their own account, RevoluSec secretly held unfettered access to “all routing and switching” of Syria’s Autonomous Systems (AS), the collection of IP networks by which, essentially, all of the country’s internet access is controlled. Additionally, the hacktivists had infiltrated SCS-Net, the internet service provider owned by the Syrian Computer Society, a technical group once headed by Assad that has alleged ties to the Syrian Electronic Army, a hacking group infamous for its attacks on Western media outlets (the Daily Dot included).
One of the emails captured by RevoluSec hackers—but not published by WikiLeaks—is signed by Salim Toubaji, head of treasury at Central Bank of Syria. The email, dated Oct. 26, 2011, informs VTB Bank of Russia that it has “raised the total amount of deposit[s]” to more than €2 billion. Also contained in the email is a request by Toubaji to VTB’s finance director, Andrey Galkin, for an account “in Russian rubles.”
ATTN: Mr. Sergey Avakov
Managing Director
Financial Institutions
JSC VTB Bank
Dear Mr. Avakov,
In reply to your message dated 26.10.2011 please be informed that following your good bank’s proposals, which we have received previously, we have raised the total amount of deposits up to more than EUR 2 bln. Please note that the matter of extending the terms of the Central Bank of Syria existing deposits at the moment remains under consideration. We shall inform you accordingly when any decision in this regard is taken.
Meanwhile, we kindly ask you to open an account in Russian rubles in the name of our bank or provide us with your instructions on the actions that we should take in order to open such an account.
We remain in anticipation of your reply and look forward to expanding our fruitful cooperation.
The Syria-Russia exchange first appeared on the open web roughly three years ago in a leaked chatlog from November 2011, between a former WikiLeaks staffer and LulzSec hacker Hector Monsegur, who had signed an FBI cooperation agreement five months before in a bid to maintain custody of two children under his care. Ironically, and unbeknownst to Monsegur, the WikiLeaks staffer, Sigurdur Thordarson, had volunteered to assist the bureau three months earlier. (Thordarson is currently serving the remainder of a six-year prison sentence near Reykjavik, Iceland, for embezzlement, fraud, and sex with minors.)
The documents delivered to WikiLeaks that November represent a fraction of the Syria Files, which today contains an additional five months’ worth of emails. At some point after March 2012, RevoluSec, or one of its members, passed WikiLeaks a larger batch of backup email files.
Regardless, the Syria Files should still contain the central bank’s emails from Oct. 26, 2011, concerning its €2 billion and bank account in Moscow: For one, WikiLeaks has published several emails received by the same account ([email protected]) from that day. Secondly, the court records leaked to the Daily Dot reveal the Moscow bank’s emails were, in fact, part of the larger backup file containing numerous emails currently found on the WikiLeaks site. One such email, discussed in depth by RevoluSec members more than nine months before the WikiLeaks release, details the transfer of €5 million from a bank in Frankfurt, Germany, to a European central bank in Austria, the recipient of the email being Central Bank of Syria.
“I hope Russia doesn’t kill me,” one of the hackers said, discussing their intent to expose the alleged transfer. “I’m more scared of Russia than Bashar.”
(At the request of a source familiar with RevoluSec members, the Daily Dot has decided not to publish the documents concerning RevoluSec’s activities at this time out of concern the hackers may be identified, captured, and possibly harmed in their home countries, which include Yemen and Syria.)
In response to a request for comment, WikiLeaks said the preceding account “is speculation and it is false.” The spokesperson continued: “The release includes many emails referencing Syrian-Russian relations. As a matter of long standing policy we do not comment on claimed sources. It is disappointing to see Daily Dot pushing the Hillary Clinton campaign’s neo-McCarthyist conspiracy theories about critical media.” (WikiLeaks threatened to retaliate against the reporters if they pursued the story: “Go right ahead,” they said, “but you can be sure we will return the favour one day.”)
A few days after discovering the Syrian–Russian bank emails, one of RevoluSec’s principal hackers—the others often sought this individual’s permission before making any drastic moves—offered up another idea: “It’d be so funny to change some details on these mails and send a hundred million to WikiLeaks,” they said. “I know in theory it shouldn’t work, but they’re so stupid about email.”
While there’s no evidence RevoluSec acted on the suggestion, which in all likelihood was a joke, the mere mention by an actual WikiLeaks source of concealing counterfeit emails within a legitimate leak touches on concerns about the website’s practice of publishing en masse the unverified and anonymously sourced material it receives.
Asked about the possibility it could be duped, WikiLeaks responded flatly: “All Syria files obtained by WikiLeaks have been published and are authentic.”
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.