‘Your name is on some FSB officer’s list’ When hackers launched a cyberattack against Navalny supporters in April, they failed to cover their tracks. Meduza traced the effort back to the presidential administration itself.

On March 23, Alexey Navalny’s group announced plans to maintain nationwide protests demanding the opposition politician’s launch from jail. To assist individuals arrange, they created a web site known as “Free Navalny!” the place his supporters may register their e-mail addresses. On unknown hackers gained entry to the website’s e-mail deal with database — however the cyberattack remained undiscovered till April 16, when the attackers started sending threats to the registered addresses. The knowledge was in the end obtained each by employers and by the authorities: some individuals lost their jobs, whereas regulation enforcement investigated dozens of others. Meduza correspondents Liliya Yapparova and Denis Dmitriev adopted the hackers’ tracks, which lead all the manner to the presidential administrative directorate and the presidential administration — particularly to a “gifted programmer” and the budding younger head of a strategic analysis institute. The two are longtime enterprise companions, and they share a widespread understanding of how “particular operations on the web” ought to work.

Please word. This article was initially revealed on May 11, 2021. You can learn it in Russian here.

‘Thanks for coming — simply don’t go to the rally’

On the morning of April 21, English trainer Yevgenia Makarova obtained a name from the Kurgan metropolis prosecutor. He requested her to come see him by the finish of the day. “He even urged I get excused for work. I advised him I’d make it,” Makarova advised Meduza.

When she hung up the cellphone, Makarova realized her arms have been shaking. “It was scary, as a result of nothing like that had ever occurred to me,” she mentioned. “Before the rally [planned for April 21 in support of Navalny], they detained all of the activists. And I’d additionally taken half in rallies! I believed I might be given a few days [in jail], too.”

Before leaving dwelling, Makarova left a word for her mom — in case she didn’t return. “I wrote down the prosecutor’s deal with, in addition to the workplace they advised me to go to — and that every part could be fantastic,” she recalled. She put the word inside a greeting card on the dresser — in order that her mother wouldn’t see it instantly. “And if I got here dwelling, I’d quietly do away with it.”

Makarova had to wait in line earlier than getting into the prosecutor’s workplace. “First, a younger man and girl got here out. They have been so younger, youthful than me — virtually older youngsters. They regarded so distraught! They didn’t smile, they weren’t even one another — it was like they have been radiating worry when they walked previous me,” Makarova mentioned.

When it was Makarova’s flip to go in, deputy prosecutor Yevgeny Zarovny defined to her that he was “working off a sign” — he’d obtained info that she was planning to attend a rally in help of Navalny in the metropolis heart in a few hours. “‘But don’t you go to it! We’re making use of preventative measures to you,’” he mentioned, in accordance to Makarova. “He gave me an ‘official warning against breaking the regulation,’ and I signed it. ‘Thanks for coming — simply don’t go to the rally.’”

Makarova smiled cautiously when telling the story. After the assembly with Zarovny, she didn’t even take into consideration going to the rally.

Zarovny didn’t inform Makarova the place his “info” had come from. Several days later, nevertheless, Makarova remembered a unusual e-mail she’d obtained on April 15. “Hi, it’s Navalny,” it began out, like lots of his different messages and posts — however then it took a darkish flip. “Keep taking part in super-IT-guy [Navalny associate Leonid] Volkov’s work — and we’ll hold getting new knowledge about you, hahaha.”

Makarova decided the e-mail had most likely come from hackers who had gained entry to the a whole bunch of 1000’s of emails submitted to the “Free Navalny!” website — she’d entered her personal e-mail there.

Unpleasant emails Team Navalny apologizes after database of email addresses registered for planned protest leaks online

Unpleasant emails Team Navalny apologizes after database of email addresses registered for planned protest leaks online

The Anti-Corruption Foundation (FBK) has confirmed the authenticity of the knowledge leaked from the “Free Navalny!” website. Navalny’s chief of workers, Leonid Volkov, announced that the leak was linked to a former FBK worker. “Ninety-nine p.c of cyberattacks occur with the assist of an insider, via a ‘rat.’ A former worker with entry [to sensitive information] may have downloaded e-mail knowledge from the server,” he mentioned. In specific, Volkov blamed the leak on an FBK worker who was allegedly recruited by the Russian FSB.

In the first message, which most of the leak victims obtained on April 15 and 16, the hackers threatened to “de-anonymize your e-mail.” In the subsequent one (obtained on April 18), they demonstrated that they really may decide the names, cellphone numbers, and addresses of lots of the victims. The third wave of messages was despatched on April 21 from a totally different area, and it was geared toward the victims’ employers.

The e-mail offered a listing of “workers of your group” who “help extremists” (in mid-April, Moscow prosecutors filed a declare in search of to designate Navalny’s anti-corruption non-profits and political community as “extremist organizations”). “If these individuals don’t understand they want to observe the regulation, your organization…will… fall beneath the shut consideration of the media and the regulatory authorities,” the hackers warned.

It’s unclear how many individuals misplaced their jobs after this third wave of emails. According to former sound engineer Mikhail Bezrukavy and two of his former coworkers, nevertheless, six individuals have been fired from the All-Russia State Television and Radio Broadcasting Company (VGTRK), together with one division head. “I heard one model, that every part got here from the [VGTRK] safety division,” mentioned a former worker named Igor. “But others say it’s the reverse, that there was a ‘knock’ from the very high — after which all of it got here down from [VGTRK head Oleg] Dobrodeev. (At the time of this text’s publication, VGTRK had not responded to Meduza’s request for remark).

Former VGTRK worker Svetlana was personally fired by tv host and state media official Andrey Medvedev — it was the first time she met a senior consultant of the firm in her 16 years working there.

“Right off the bat, Medvedev requested why I used to be registered on free.navalny.com. To which I answered that this was my private enterprise. ’No,’ he mentioned, ‘it’s not your private enterprise in any respect. It can’t be your private enterprise.’ And he began lecturing me about how I can’t help a determine like that and get a paycheck from VGTRK at the similar time — and the way he ‘feels personally damage, as a result of he’s a shut buddy of [RT editor-in-chief] Margarita Simonyan, and Navalny’s bashed each her and VGTRK — and the way may I do that,” Svetlana recalled.

The assembly with Medvedev made a robust impression on Svetlana. “That smarmy look, these glassy eyes. My dad was a safety officer, and my mother made a movie about mildew,” she mentioned, laughing. “To be trustworthy, it was the first time I’ve ever been face-to-face with a character like that, and at some level, after I realized what he was getting at, I simply began observing him, and I form of zoned out. I used to be going to strive to clarify to him that I help [Navalny] extra for humanitarian causes, not even for political ones. But it was like he didn’t see me. You’re attempting to talk your viewpoint to somebody simply a little bit — and no response. None.”

Mikhail Bezrukavy, a sound operator for Vesti Moskva, was summoned by his superiors a day earlier, on the day of the rally. “[VGTRK deputy general director Irina] Filina fired me — and my place was sound engineer, simply so that you perceive,” mentioned Bezrukavy. “It was all very surreal: I used to be simply nervous about shedding my job at first, however at some level the worry disappeared — and I used to be hit with the feeling that each one of this was someway not actual. They have been asking me questions: how are you going to work at the state TV community and help the opposition? “How can it’s, we’re a federal service, we’re a massive entity, we work with the high individuals.” There wasn’t any hate in their phrases: my place wasn’t excessive sufficient for them to present any hate. No, it was extra like incomprehension. I spotted these have been individuals from a fully totally different universe. At a sure second, I even had the thought that the dialog alone was value getting fired over.”

It’s additionally unclear whether or not the hackers despatched the leaked info to the FSB, the Investigative Committee, the Attorney General’s Office, or the Interior Ministry. (These businesses didn’t reply to Meduza’s questions). However, on April 20 and 21, representatives from all 4 businesses performed an unprecedented raid throughout dozens of cities — from the Russian North Caucasus to Karelia, from Yakutia to Sakhalin. Out of the 706 leak victims Meduza surveyed (greater than 400,000 individuals have been affected), 34 individuals, or 5%, reported having both been visited by state investigators, summoned to a prosecutor’s workplace, or in any other case contacted by the Russian intelligence businesses. Security brokers advised two of the respondents that the searches have been associated to the leak from the “Free Navalny!” website.

Several respondents have been warned that they would possibly face legal prosecution, whereas others have been advised they might be arrested or fined. “If you don’t cease, we would plant a couple of gun cartridges on you,” a police officer advised Vladimir, who lives in Pyatigorsk.

Polina, a scholar at Moscow’s Stroganov Academy, was summoned to the dean’s workplace — “Your name is on some FSB officer’s listing on his desk since you registered someplace,” they advised her. “It actually scared me,” she mentioned. “I used to be scared that the FSB had my name someplace and that these individuals may attain me someway — who is aware of how — and that they would possibly name my mother. What, am I a terrorist now?”

On the day of the rally, Anastasia Zorina obtained a name from an unknown quantity. Using the app , Meduza decided that the quantity is saved in different individuals’s telephones as “Devil,” “Son of a bitch,” and “Trash.” The man didn’t introduce himself, however spoke to Zorina as if they have been outdated pals. “[He said] that he was from some type of headquarters and that he wanted assist to participate in the rally: getting ready tear fuel, lighter fluid, and improvised explosive units,” Zorina advised Meduza. “And he gave the impression of I had no selection, since I’d already agreed to participate in the rally.”

The mysterious name appeared to Anastasia like a continuation of the “particular operation” that had begun with the hackers’ assault. “Apparently they needed to flip a peaceable occasion into a violent one.”

‘They got the brunt’ Journalists report dozens more layoffs among city employees in Moscow in response to pro-Navalny protests

‘They got the brunt’ Journalists report dozens more layoffs among city employees in Moscow in response to pro-Navalny protests

‘They simply set us up’

The infrastructure the hackers left behind is already beginning to disappear.

According to Reg.ru, a registration firm that is aware of who registered the websites, the they used have already been

The registration website mentioned that no person has tried to seek for the domains’ house owners: “there hasn’t been any communication” from any safety company. (Neither the FSB nor the Interior Ministry responded to Meduza’s questions on whether or not an official investigation has begun).

Meduza was in a position to discover one different area related to the emails. On the night of April 15 — simply hours after the hackers began creating infrastructure for their assault — a number of individuals obtained messages from the deal with [email protected] (4 out of greater than 700 individuals who responded to Meduza talked about this).

These emails contained all the similar threats — the solely distinction was that they have been some of the first (the bigger wave of messages went out about a day later) and appeared to be a part of a form of take a look at run. Or a mistake.

According to knowledge from SPARK-Interfax, the area moscow-baku.ru and “Moscow-Baku,” the website it hosts, belong to Musa Muradov — and it’s troublesome to think about that he’d be behind a pro-Kremlin cyberattack. A journalist initially from the Chechen capital, Grozny, Muradov is the former editor-in-chief of the newspaper Groznensky Rabochy. During the Chechen wars, the paper was named “the solely really unbiased newspaper revealed and distributed in Chechnya.” The paper was first printed in Grozny, then in Moscow, then in Nazran; due to Muradov’s editorial coverage, the publication came into conflict each with the Russian authorities and with the Chechen rebels — and finally with Ramzan Kadyrov himself. Human rights activists have referred to Muradov as somebody who “merely doesn’t enable himself to be intimidated and is not silent about crimes dedicated on both aspect.”

Today, nevertheless, Muradov leads a totally different outlet: the information company Moscow-Baku. “The concept of our website is to cover Russian-Azerbaijani relations,” Muradov advised Meduza. “We’re extra of a PR mission, you see? We don’t even use the media format. We solely discuss stunning issues.”

The mission devoted to Russian-Azerbaijani friendship has 684 followers on VKontakte and 66 on Twitter. Former VGTRK workers work on its YouTube channel, and former RIA FAN workers work on the essential website.

“They don’t fairly do journalism because it’s supposed to be,” one in every of the company’s former workers advised Meduza. “It’s propaganda journalism about the relationship between Russia and Azerbaijan.”

News about Navalny on the Moscow-Baku website reads nearly impartial — when it’s coated in any respect. Ruslan Sagayev, the website’s editor-in-chief (who beforehand worked with pro-Kremlin media supervisor Aram Gabrelyanov) rejects the notion that any of his workers may have used the website’s infrastructure to distribute threats to the free.navalny.com cyberattack victims. “It’d be absurd if any of our workers took half in that,” Sagayev advised Meduza. “Plus, no hacker would act so overtly. They simply set us up!”

“That our workers would do one thing like that?” mentioned Musa Muradov. “Without a doubt, it’s out of the query. Why on earth would we do this? It’s commonplace for hackers to use the names of different websites, so far as I perceive. And if they selected to use our website for one thing as despicable as this, we’re victims identical to everybody else.”

According to know-how consultants Meduza spoke to, it’s potential that somebody used the Moscow-Baku area by mistake when they despatched out the preliminary “take a look at” emails — somebody who as soon as had entry to the community, or who nonetheless does.

“Let’s think about it’s a bodily mailbox,” Leonid Yevdokimov, a researcher from the University of Michigan’s Censored Planet mission, advised Meduza. “An individual as soon as printed some envelopes for Moscow-Baku. Then he was requested to print some for ’Navalny Fail’ — and he solely edited the structure half of the time. As a end result, half of the envelopes have been despatched from Moscow-Baku. But in this case, substitute the printer with an e-mail distribution script.”

However, Moscow-Baku may additionally haven’t any connection to the hackers in any respect — in reality, it might need been simply one other one in every of their victims. According to consultants Meduza spoke to, the reality is that e-mail headers are fairly straightforward to pretend. “In order to ship an e-mail with the return deal with [email protected], you barely have to do something,” mentioned Yevdokimov.

At Meduza’s request, Censored Planet researcher Leonid Yevdokimov performed an experiment utilizing the IP deal with and the e-mail server that the first set of emails from [email protected] got here from. He discovered that they don’t settle for messages from the actual Moscow-Baku area. This disconnection means it’s unlikely that the hackers used the information company’s actual infrastructure.

When requested whether or not the actual Moscow-Baku has enemies of its personal, Muradov was at a loss. “As far as the latest occasions in Karabakh, there is perhaps publications the Armenian aspect doesn’t like,” he determined. “But I’m not saying this was finished by ‘Armenian hackers’ — I don’t have the slightest concept who this might have been.”

Digital footprints

Whoever attacked free.navalny.com, one factor is sure: it’s not their first time doing this. That a lot is clear from the registration knowledge of the domains used to arrange the e-mail listing — all of which are connected to a single virtual number (+4674575456433) and two e-mail addresses: [email protected] and [email protected]

Those two addresses have been found by the outlet Current Time TV in their investigation of the cyberattack.

The proprietor of the e-mail deal with [email protected] has participated in provocations against Navalny’s Anti-Corruption Foundation earlier than, according to OSINT-enthusiast Reworr: it was listed as the contact deal with in an announcement for a “cash handout” at a protest rally initiated by opposition determine Ilya Yashin and backed by FBK workers. “We want individuals for a rally on August 3 from 11:20 to 12:30 close to the Trubnaya metro station. No ages or gender necessities,” said a message on the discussion board politrabota.ru.

Judging by the similarity in registration knowledge, the similar group registered the area navalny.ru.com; so far as Meduza is aware of, it hasn’t been used in any mailing lists or phishing assaults.

The remainder of the domains registered by the group seem like imitations of actual authorities websites.

These sorts of domains are sometimes used in phishing assaults. Their essential objective is to get bank card info. They do that via deceit: the scammers create clone websites the place inattentive customers are doubtless to enter their login info and bank card knowledge.

Imitation websites have been registered to three e-mail addresses — [email protected], [email protected], and [email protected] — and two digital numbers (one Swedish and one Icelandic) that the hackers have used a number of instances. These websites have been made to seem like fee websites, authorities company websites, and tax websites. The latter instantly redirects the consumer to the e-mail and password kind – most likely to steal their knowledge.

A supply offered Meduza with technical details about a distinctive identifier of the proprietor of navalnyfail.ru, which was additionally used to ship threats to Navalny’s supporters. According to this info, the organizers of the assault on the FBK additionally personal the domains mchs-mail.ru, r77-fssprus.ru, and roskozna.ru (which simulates the Federal Treasury web site).

However, two different domains created by the of hackers are related neither with fraud nor with the makes an attempt to provoke the FBK. As Reworr first noted, the websites zasekin.press and zasekin.house have been registered on February 26, 2021 — the day earlier than a provocation against Samara-based outlet Zasekin.ru.

On February 27, the same thing occurred to Zasekin.ru that may have occurred to Moscow-Baku: hackers created a pretend e-mail deal with that used the Zasekin.ru area name and began sending emails from it. The emails reminded Samara officers and celebration branches about the upcoming regional duma elections, suggesting they “not vote for the bunker midget or the phony rabbit [derogatory nicknames for local politicians],” and help Alexey Navalny’s “Smart Voting” technique as an alternative.

They used address-swapping know-how to ship out pretend emails beneath our names,” mentioned Zasekin.ru proprietor Dmitry Loboiko (who, by his personal admission, is not a Navalny supporter).

But Loboiko has his personal concept about who’s behind the assault on his publication and the digital infrastructure used in the wider cyber marketing campaign against Navalny — he believes it’s “individuals from the presidential administration” who conduct “particular operations on the Internet.”

‘They purchase these items identical to everybody else’

Early in the morning of February 22, 2021, pages on the information and evaluation website Zacekin.ru started to fill with temporary descriptions of suicide strategies, hyperlinks to baby pornography, and the band Kolovrat — all issues which are intently tracked and blocked by Russia’s federal censorship company, Roskomnadzor.

The extremist materials was put on the website via the feedback: the website, which usually will get about 10,000 to 12,000 views a day, immediately obtained tens of 1000’s commenters — and an avalanche of banned content material appeared in the feedback.

“They have been counting on us not having the ability to cope with such a massive assault — and getting blocked by Roskomnadzor,” mentioned Dmitry Loboiko. “About 60,000 commenters got here inside a couple hours. And at the similar time, we have been hit with a DDoS assault.”

Loboiko quickly discovered which web page had caught the hackers’ consideration. “Our tech guys advised me straight away that it was due to 30781. I imply, after ‘zasekin.ru’ and a slash,” mentioned Loboiko. “We solely noticed the variety of the article they have been DDoS-ing. And for the first half hour, I couldn’t actually determine what they have been speaking about. But when the website began working once more and we took a look, a lot turned clear.”

The system directors instantly noticed from the knowledge that the DDoS assault was geared toward a single web page that the hackers have been attempting to destroy. “It was hit by 150,000–200,000 in the first hour of the assault — principally, a gigantic quantity of views — and 46,000 feedback. Obviously, it wasn’t reside individuals who left these feedback. Pavel Seleznev isn’t a standard sufficient determine for 100,000 individuals to log on to discover out, ‘what’s up with that former FSB agent who traveled overseas?’,” Loboiko mentioned.

At the second of the assault, the publication was in battle with just one particular person: Pavel Seleznev, a former agent from the FSB’s Samara workplace. The day earlier than the cyberattack, the website had published a brief article about Seleznev “succumbing to temptation.”

Making reference to varied court docket paperwork, the article told the story of the FSB veteran’s makes an attempt to go away the nation. Former intelligence officers are forbidden to go away Russia for 5 years after their termination, however Seleznev managed to procure a overseas passport beneath a pretend name and flew to Dubai.

“Actually, we didn’t even publish every part we find out about him,” mentioned Loboiko. “And our details about the Emirates was primarily based on materials from the Samara regional court docket! After that, individuals with connections to Seleznev began inquiring: Wasn’t the materials commissioned by somebody? How can we do away with it? And they have been knowledgeable via all potential channels that this wasn’t commissioned, and no person was particularly attempting to sabotage Seleznev — and the major supply is revealed on the court docket’s web site.”

The DDoS assault started the subsequent day — and simply saved going. “In April, there have been a little over 31 million visits from the attackers. Most of them got here via Tor, so no person can inform who’s behind them. I feel they would cease if we eliminated the article,” mentioned Loboiko.

On April 23, Seleznev tried to get the web page blocked by going to Roskomnadzor. But regardless of all his efforts, the article about his journey to Dubai is the main factor persons are googling about him proper now. Until February, Seleznev was solely mentioned in Samara-based Telegram channels — and on the website Kompromat.ru, the place his web page described how he performed playing cards with bankers, retired safety officers, and crime bosses.

Aware of Seleznev’s resentment, journalists from Zasekin.ru performed their personal investigation into the cyberattack. (Seleznev himself didn’t reply to Meduza’s request for remark). “It turned on the market was no manner the ex-officer may arrange an operation like this himself,” mentioned Loboiko. But in accordance to a supply who’s been following the battle, Seleznev may have gotten assist organizing the DDoS assault from his shut buddy and enterprise associate Mikhail Dudin — “a gifted mathematician and programmer.”

Meduza has decided that Dudin and Seleznev’s connections run deep: their households have finished enterprise collectively no less than 3 times.

Until 2015, Dudin held shares in AktivKapital Bank, the place Seleznev’s spouse Dilyara was deputy chairwoman for a very long time. “As I perceive it, Dudin was one in every of AktivKapital Bank’s founders throughout a disaster, when the financial institution misplaced its license. He successfully arrived proper when the actual beneficiaries have been leaving, when the lefties who would find yourself nominal chairmen hadn’t arrived but — and so we had this transitional administration,” mentioned Loboiko. “And he was in that transitional administration, led by Dilyara Selezneva.

According to knowledge from SPARK-Interfax, Dudin was the official founder and normal director of the IT firm Alex-Konsalt LLC till 2018. In August 2018, he stopped being normal director, and in October he stopped being founder. A month later, his spouse, Lyudmila Dudina, who was in enterprise with Pavel Seleznev, turned the firm’s founder.

In 2018, in accordance to knowledge from SPARK-Interfax, Dudin and Seleznev turned co-owners of Principle of Law LLC.

Dudin is a expert programmer who has labored with federal safety businesses, in accordance to a supply educated about his profession. “About 10 years in the past, he tried to promote FSB officers his methodology for figuring out a consumer’s particular location utilizing cell towers,” mentioned the supply. “Back in these days, they say, they had to ship three specifically geared up automobiles to a location, create a native community, then use this community to discover the actual location. Mikhail got here up with a system for the way to decide somebody’s location inside one or two meters — remotely, with out these three automobiles.”

Dudin has since relocated to Moscow, the place he seems to work for the presidential administration, in accordance to Meduza’s supply. “He’s not a public particular person in any respect. He’s now working for [head of the Presidential Executive Office’s domestic policy department Andrey] Yarin,” he mentioned. “They say he’s a very well-paid specialist.”

Meduza was unable to decide whether or not Dudin has an official place in the presidential administration. But in accordance to sources, the administration has already identified him for over 10 years. “Even back in his Volga days,” a former administration official advised Meduza. “He’s a good man, doesn’t drink. Loves animals.” And he actually does “collaborate with Yarin,” sources shut to the FSB and the presidential administration confirmed. According to a contact aggregator Meduza consulted, Dudin’s quantity is saved in somebody’s cellphone as “Mikhail President Admin.”

In 2017, Yarin was put in charge of the Kremlin’s initiative to shield against overseas cyberattacks, and in the fall of 2020, he was one in every of the people sanctioned by the European Union in response to Navalny’s poisoning — in accordance to knowledge from the EU, he was a part of the group working to discredit Navalny.

Meduza’s supply, a particular person conversant in Dudin’s work in the presidential administration, joked that the programmer is “doing every kind of fascinating tasks’’ for Yarin. On the different hand, the knack for math that Dudin turned famend for in Samara hasn’t come in helpful at his new job to this point, in accordance to a supply shut to the FSB — the administration doesn’t have the infrastructure obligatory for large-scale cyberattacks. “They purchase these items identical to everybody else. Everything’s finished by third-party corporations,” mentioned the supply.

However, in accordance to two sources Meduza spoke to, together with a particular person shut to the FSB who’s conversant in the particulars of the final “particular effort” against the FBK, Mikhail Dudin was positively concerned in the assault on free.navalny.com. “I’m assured that the assaults against Zasekin.ru and the assaults against the Navalny supporters have been each organized by Dudin,” mentioned one other supply, who lives in Samara and is aware of Dudin effectively. (At the time of this text’s publication, the Russian presidential administration hadn’t answered Meduza’s questions on the cyberattack and Dudin’s function in it. Dudin himself didn’t reply to Meduza’s request for remark).

Dudin additionally has connections to a analysis institute beneath the presidential administration, which, in accordance to Meduza’s sources, have been additionally concerned in the cyberattack against Navalny’s supporters.

‘How many Navalny followers did you take a look at for the feds?’

On April 20, two Investigative Committee officers spent the complete morning sitting in a automotive. They went out early to make sure that they obtained to Pudozh — a small city on Russia’s Lake Onega — by the afternoon at the newest. Their objective was to discover Alyona Mironova, a girl who had registered her e-mail with the “Free Navalny!” website.

“They most likely drove down our horrible roads and shot the shit,” mentioned Mironova herself, who had lengthy since moved to St. Petersburg. Around 5 p.m., the officers reached a two-story home with dusty pink siding — Alyona’s mom’s home. “The final road earlier than the forest,” mentioned Alyona. “They requested, ‘Does Alyona Mironova reside right here?’ ‘Nope, in Petersburg.’ So they stood there for a bit, regarded round, then left.”

By that point, the hackers had already despatched Mironova an e-mail together with her private knowledge. There was only one mistake: the deal with. Not all of the info the hackers obtained turned out to be up to date — however they have been in a position to flip a listing of simply e-mail addresses into a detailed database of Navalny supporters’ cellphone numbers and addresses.

They could have finished this by matching the e-mail listing with different knowledge leaks on the database black market; the solely downside was that there are dozens of those databases.

But in accordance to black market contributors who sustain with database updates, the knowledge collected by the Navalny website hackers got here from a database known as Sprut, considered one in every of the most full collections of private knowledge.

The database of Navalny supporters “contains fairly up-to-date employment info — solely Sprut has knowledge like that,” mentioned a supply from the Russian knowledge market. “Sprut has direct contracts with GlavNIVTs — for all intents and functions, with the presidential administration.”

The Russian Presidential Affairs Department’s Scientific Research Computing Center (GlavNIVTs) is one other Kremlin group liable for high-tech tasks. As Meduza beforehand reported, this quasi-secret establishment is led by former Russian intelligence officers, and its group of programmers has developed deanonymization know-how to meet the authorities’ wants. Their software program can return a number of details about any Russian resident — from passport knowledge and to a automotive’s VIN quantity, to overseas actual property holdings.

On April 14, the day earlier than the cyberattack against free.navalny.com customers started, GlavNIVTs was taken over by Vadim Gaisin — a longtime enterprise associate of Mikhail Dudin.

According to knowledge from SPARK-Interfax, Gaisin turned proprietor of Piknik LLC in June 2012. In March 2013, he bought the firm to Mikhail Dudin.

In 2018, Gaisin took over Yutek-NN LLC, which till then had been owned by Dudin.

In 2016, Gaisin bought his shares of ZhBI Stroi-holding LLC to Samara native Vitaly Belodubrovsky. In 2015, Belodubrovsky turned the proprietor of the administration firm Volgasbytservis, which Dudin based.

According Meduza’s sources, Gaisin’s arrival is a part of a broader shift inside the establishment, which, after a variety of monetary issues and personnel modifications, is slated to return to its “actual work” — growing know-how for Russia’s safety forces.

As Meduza has beforehand reported, in 2014, when high-ranking FSO (Russian Secret Service) employee Alexander Kolpakov turned a supervisor of the division that GlavNIVTS falls beneath, the Research Institute turned a improvement platform for regulation enforcement businesses. But after a sequence of economic difficulties, the painstakingly-assembled group of programmers and analysts parted methods.

“Everything in GlavNIVTs has modified. The actual work is theoretically supposed to begin now, nevertheless it hasn’t began but,” a supply shut to the FSB advised Meduza. “And he [Gaisin] is a whole darkish horse proper now — not even a grey one. It’s completely unclear how he plans to show himself.”

But Mikhail Dudin has his personal expertise working with databases of personal info. In 2006, in accordance to knowledge from SPARK-Interfax, Dudin started main a firm known as “Alex-Consult,” which, in accordance to consumer directions on its web site, offers entry to a “subsystem of data searches in textual content databases” (together with the Interior Ministry’s inner memos). In 2020, a division of Rosneft bought entry to the database — one in every of many such purchases.

According to Current Time TV’s personal investigation into the cyberattack against Navalny supporters, Yutek-NN, one other of Dudin’s corporations, has a license from the FSB to implement particular technical strategies of covertly receiving info.

The FSB can also have taken half in updating the database of Navalny supporters’ info. At the very least, its officers reached out to the non-public info black market with such a request, in accordance to a supply from the black market who has connections to the authorities. “They tried to promote a candy fairy story about state contracts, cooperation, friendship and mutual help,” he added. (The FSB didn’t reply to Meduza’s request for remark).

Meduza’s supply didn’t know what number of whole gamers from the knowledge market labored on the database at intelligence businesses’ request. “It’s embarrassing to even ask,” he mentioned. “‘Vasily Viktorovich, what number of Navalny supporters did you take a look at for the feds?’ He’ll say, ‘What are you, an fool? Don’t name right here anymore.’”

* * *

At first, Alyona Mironova couldn’t imagine that the officers who traveled an additional 250 miles due to a knowledge mistake would stop on the lookout for her. “For the first two days, I couldn’t cease trying round at the police on the metro: will they query me or not?” Mironova mentioned.

Mironova nonetheless doesn’t know what the officers needed to inform her on their go to to Pudozh. “If this was their technique, they’ve failed miserably,” she mentioned. “Because we nonetheless don’t perceive: am I supposed to be scared or one thing?”

Meduza is you.
We’re solely right here thanks to you.

Story by Liliya Yapparova and Denis Dmitriev with extra reporting by Andrey Pertsev and Alexey Kovalev, edited by Valery Igumenov

Translated by Sam Breazeale

Related Posts