The Rabbit Files 4.0: Revisiting the .7z Files

Previous: The Rabbit Files 3.0: In the Shadow of the Brokers

On August 16th, three days after the Guccifer 2 WordPress and @GUCCIFER_2 Twitter accounts were suspended and the Shadow Brokers made their first public appearance, the 2016 Future of Cyber Security Europe conference announced that “Guccifer 2” would be appearing via livestream at their September 13th conference. As we know now, Guccifer 2 never showed up and on the day of the event a PowerPoint presentation assumedly prepared and submitted by G2 was presented and read by Tim Holmes, one of the program’s organizers. 

Within the presentation was a link and a password to the ngpvan.7z files (.7z files), the same files that White Rabbit gave to Trish Negron under the guise they were the Seth Rich files.  As I noted about the .7z files in the first article of this series, The Rabbit Files 1.0: 

“@ClimateAudit pointed out that the latest internal document date from the files was 2011, and thousands of others were as old as 2005. ‘There is no way that a DNC operative would have wasted his time copying this garbage…nor is there any reason why a skillful operative who had been watching individual keystrokes of DNC and DCCC operatives would have any interest in this obsolete not-even chickenfeed…and yet 2.8 GB of this obsolete garbage was copied and exfiltrated,’ wrote ClimateAudit.”

What you may not be aware of is that according to the Mueller investigation, Russians (allegedly) planted malware like X-Agent on the DCCC and DNC networks which allows a hacker to do things like install a keylogger in order to gain passwords and watch victims’ computer screens in real time. In other words, (alleged Russian) hackers would have had access to a heck of a lot more juicy material than old files like the .7z files which were copied, exfiltrated, and linked to in the cyber conference’s PowerPoint presentation. 

Furthermore, G2 never posted this particular set of “not-even-chickenfeed” files to WordPress, G2 never acknowledged them, nor did WikiLeaks ever publish them to their website although the latter did publish the file link and password on Twitter at least three times. With that said, less than a month after the conference, on October 4, 2016, the Guccifer 2 WordPress posted something called the cf.7z files that the website claimed were hacked from the Clinton Foundation. More importantly, they seemed to be tied to the .7z files. 

Guccifer 2’s Possession of the .7z Files

Let’s call it what it is. Guccifer 2 lied. The files weren’t from the Clinton Foundation but they did contain some of the same files that were found in the .7z files. Additionally, Stephen McIntyre (@ClimateAudit) was able to conclude that some of the cf.7z files were found in a leak that the G2 WordPress posted on June 18, 2016, indicating that someone may have had a larger cache of documents that included both subsets: the .7z and cf.7z files. 

We can’t say for sure that the actors behind the G2 WordPress had the entire tranche of .7z files in their possession three months before the conference but, again, there’s a strong indication that they had an entire cache of files that included both subsets. Revisiting The Rabbit Files 1.0, I reported on a 2018 interview that was conducted with White Rabbit, a (former?) close associate of Beth Bogaerts (@HumanOfMind), who led George Webb, Jason Goodman, and Trish Negron to believe that he had the Seth Rich thumb drive. During the interview, White Rabbit stated:

“He [Seth Rich] died July 10th, I believe, which was only a few days before I received the information online, I mean, uh, I’m sorry, the information [files] came out on Twitter a few days before he was killed…”

The files that White Rabbit had in his possession were NOT the Seth Rich files, they were the .7z files released at the cyber conference. As I also noted in the first article:

“So these are the files that White Rabbit claimed he downloaded before Seth Rich’s death or at the very least said they were released before his murder which obviously appears to be a massive pile of horse shit unless, of course, he was working with Guccifer 2—or someone else who was working with G2—who passed him the files before the conference took place.”

Again, it’s possible that whoever was behind the G2 WordPress may have had all of the .7z files (released at the conference) before Seth Rich’s death and if White Rabbit’s claims are true, it’s a bit comical because the majority of the WikiLeaks community thinks G2 was created by the CIA and DNC. Perhaps White Rabbit has a bit of explaining to do about who and what exactly he was involved in around mid-2016.

But even if the actor(s) behind Guccifer 2 had the entire cache of .7z files in their possession prior to the conference, it doesn’t prove that G2 was the creator of the PowerPoint and/or password and link found in it. It also means that there’s a possibility that G2 gave the documents to other people. It certainly wouldn’t have been the first time that the account sent files to people.

WikiLeaks Promotes Garbage Files; Some Speculate G2 Was Compromised

As I mentioned earlier, WikiLeaks not only posted the link and password to the .7z files, they also promoted the cf.7z files aka “Clinton Foundation” documents despite the fact that not only did the G2 WordPress lie about what was in the files, they weren’t particularly worthwhile or meaningful. It would continue to be a pattern with the WikiLeaks community to push unverified or even erroneous information—or fail to give their followers a head’s up about the significance, or lack thereof, of information being released or leaked. 

NEW: Guccifer 2.0 archive of 860Mb of various "Clinton campaign" related documents. Use "7zip" to unpack https://t.co/rfDMm8MRV2

— WikiLeaks (@wikileaks) October 5, 2016

In the comments below WikiLeaks’ tweet, Adam Carter of g2-space wrote, “Easily debunked claim over arch of existing leaks, exposes nothing, only hurts G2’s rep! – G2’s WP acct comprom/seized, perhaps?” Carter makes some interesting points. First, the files indeed exposed nothing and had nothing to do with the Clinton Foundation. Second, his observation that G2’s WordPress account may have been seized or compromised sticks out in terms of both the WordPress and @GUCCIFER_2 Twitter accounts being taken down at the same time and then were both back up within 24 hours. 

Three days after the suspensions, G2 was making plans to attend a cyber conference and having some interesting conversations with former Playboy model, Robbin Young (spoiler alert). Of course the down time could be nothing more than legitimate suspensions. Finally, is it possible someone took over the WordPress account with the purpose proposed by Carter—to debunk Guccifer 2?

The entire situation involving the G2 WordPress account which Mueller gave us exactly zero details about, the .7z files, and the cyber conference is sketchy AF and based on circumstantial evidence it’s entirely plausible that other hackers working on behalf of Assange (or “pro-Assange hackers); hackers and “hacktivists” with a record of sowing chaos and division; or those looking to further the Seth Rich conspiracy in an effort to help Trump, Assange, or both, created the presentation for the September 2016 cyber conference under the guise it came from Guccifer 2.

I reached out to the cyber conference’s organizer, Tim Holmes, and asked him if they were able to confirm that the .7z file link and password in the PowerPoint came from Guccifer 2. He never returned my email. So, without confirmation or any more information, again, I believe there’s a good chance someone else provided the ngp-van .7z material. Part of my reasoning? At least two self-proclaimed hackers within the Assange and transparency movement both claimed that not only were they in contact with Guccifer 2, the online persona sent them documents.

Additionally, at least one of them is closely connected to Anonymous Scandinavia (@AnonScan), a recently (and suspiciously-timed) suspended Twitter account of which I believe this hacker had administrative access. Appearing as the Anonymous Scandinavia persona, @AnonScan also just happened to be the keynote speaker for two years in row (2018 and 2019) at the exact same cyber conference that presented the .7z PowerPoint. 

BerlinLeaks.org

On August 15, 2016, the day that WikiLeaks announced that they had the same archive of NSA cyber weapons as the Shadow Brokers, Raymond Johansen (@NorwayAn0n), a self-proclaimed “hacktivist” who I believe had administrative access to the @AnonScan account, inferred on Twitter that the Shadow Brokers had contacted a whistleblower platform called BerlinLeaks.org. The link to the article that assumedly detailed this encounter is no longer available. He also posted a Medium article on August 24, 2016, in which he stated:

“There are indications that a twitter account and another social media account I cannot identify…prepared to release the tools at that point in time. It was created feb2k15 and went active again just before the [Shadow Brokers] release. Both BerlinLeaks and I was contacted by mentioned accounts 24/48 hours before the auction was launched.”

As previously reported in The Rabbit Files 2.0, a few weeks after the online persona “Alice Donovan” started submitting plagiarized articles to media outlets like WeAreChange.org, John Podesta became the target of a spear-phishing operation. Three days later, the whistleblower platform called BerlinLeaks.org was launched by Eric Hartsuyker, a self-described security engineer who, comically, based on the nature of this article, described himself as someone “who professionally phished users,” adding, “In the case of targeted spearphishing, there is little that can be done…in once [sic] campaign against the CTOs of financial companies, I had a ~75% success rate.” 

Hartsuyker described the leaks platform, now with a defunct website and an email address listed as berlinleaks@riseup.net, as being started by a “small group of people who invest time when we can. We have no funding. We have no office.” After speaking with a few friends who seemed interested in the project, they started running Secure Drop servers and “threw up a webpage.” When asked about neutrality in journalism, he focused on WikiLeaks:

“Going back to how WikiLeaks treated the U.S. election, I think Assange having a bit of a vendetta against Clinton is a net negative for the entire world if that helped Trump win the election.” 

The reason I bring up BerlinLeaks.org is because Johansen not only claimed that the Shadow Brokers directly reached out to BerlinLeaks.org, he also claimed that the CIA was behind Guccifer 2 and that part of their operation included sharing documents with transparency activists, including himself. He said that he had been “selected” (by who, the CIA??) to receive Guccifer 2 documents through BerlinLeaks, an obscure, short-lived, German whistleblower platform. 

I have no idea if Johansen’s claims are true or not, or if he was even a part of BerlinLeaks.org since it has been subsequently proven that he’s a prolific liar. He and his associates like Aaron Kesel, also appear to be online instigators who consistently work both sides of political issues and peddle in disinfo, trolling, division, threats, and social engineering via social media (and beyond). With that said, they both claimed that Guccifer 2 sent them documents.

Aaron Kesel a.k.a. An0nAkn0wledge, An0nKn0wledge, Cens0redAK

Aaron Kesel, a long-time and close associate of Johansen, used a myriad of Twitter handles over the course of the last four years to push the Seth Rich conspiracy theory; convince others that he had been in direct contact with G2 privately; was given documents from G2; and was privy to the DNC emails before they were published.  

Guccifer 2

As early as May 21, 2017, Kesel led two individuals on Twitter to believe that he had been in direct contact with Guccifer 2. Almost a year later (and based on the responses from another Twitter user because Kesel’s Twitter account in this thread has since been suspended), he made the extraordinary claim that he was the one to introduce Guccifer 2 to the encrypted mail service, Protonmail. Below are the Twitter responses to Kesel’s now deleted comments:

“Let’s back the hell up for a second, you stated that you introduced Guccifer 2 to proton mail right? So that means you had other communications with him personally besides proton mail? What type of comms?” (tweet) (archive)


“You claimed to have email contact with G2.0; please share with the community before I have to call BS. If you had contact with G2.0 you’d be under investigation and running the risk of indictment. I’d stop talking if I were you.” (tweet) (archive)


“You said you had email correspondence with G2.0 bro.” (tweet) (archive)


I’m going to say that you didn’t have conversations with him – because if you did you would have been turning that stuff over to be analysed by data experts / or you would have been hauled in and all of your computers confiscated.” (tweet) (archive)


“Uh, one email YOU sent to him is not correspondence as you claimed. There’s no proof he ever responded to you, or you had any kind of association with him. Stop while you’re behind, AK. Really.” (tweet) (archive)


“So open the one that is from Guccifer 2 that hasn’t been deleted and give us all of the information then – because, it’s right there – you said they were deleted. It wasn’t.” (tweet) (archive)


“So, you’re 100% sure this was Guccifer 2? Why did you hide your association with him from the public and ongoing criminal investigations?” (tweet) (archive)

A year later, Kesel was still going (w/ emphasis), “However, I did have a bunch of brute force attempts on my proton mail email for half a year that I communicated with fraud Guccifer 2.0 on. Ppl need to wake up this isn’t just about Julian Assange its anyone who supports WikiLeaks. Anyone who knows the evidence against their narrative.”

Fraud, indeed.

Last year I published at least two articles (here and here) about Kesel and other highly questionable and dubious claims he’s made over the years which have included being detained and tortured by the FBI, placed on a U.S. no-fly list, and working with the CIA during #OpIsis, a claim he has since denied after he himself posted it. Kesel responded with targeted threats to my wellbeing; threats that were “liked” on Twitter by Johansen and his and White Rabbit’s associate, @HumanOfMind. P.S. For the sensitive types, this isn’t targeted harassment, it’s called reporting the facts and if you don’t like it, perhaps you shouldn’t ::checks notes:: like tweets and articles that openly threaten the physical harm of journalists.

As for #OpIsis, it was an Anonymous operation led by GhostSec where some members of the collective worked directly with the U.S. government. In fact, a handful of Anonymous hackers left and formed their own company working hand in hand with the federal intelligence agencies. It was also mentioned in the The Rabbit Files 2.0 because of Cassandra Ford’s involvement with it, the woman who created the fake Guccifer 2 Twitter account. Due to a myriad of reasons, I personally believe that the operation, which started in 2015 and ran straight into the 2016 election season and WikiLeaks’ publications, was ground zero for fed infiltration and fed snitches after the significant arrests that took place between 2012 – 2013 because of Sabu (p.s.s. that’s not a take on Ford, I know virtually nothing about her).

On October 12, 2018, Kesel said that his Twitter account had been banned during the 2016 U.S. election “for trolling that I was Guccifer 2.0” (there’s literally no evidence for this), and on May 1, 2019, he said that Guccifer 2 had sent him fake “Clinton Foundation” files that contained a folder called “Pay to Play.” Based on this information, we can confirm that he’s talking about the cf.7z files, one of the subsets of documents (along with the .7z files) that the actors behind the G2 WordPress may have had in their possession as early as June 2016, if not earlier. However, there’s no evidence that anyone sent him those files before the G2 WordPress published them. Below are the claims he made that day:

“Files Guccifer 2.0 posted was nothing significant & that account sent me fake files on Clinton Foundation & it had a folder in it called Pay To Play lol. Obviously fake, if it was a hack why fake docs? If u look at metadata of G 2.0 docs ull see Russian locale language copy pasta.”


“Incorrect, G 2.0 and Podesta data is obviously different. Podesta’s password was p@ssword I could teach a cat or monkey to hack Podesta. G 2.0’s leak was separate from the DNC leak. I personally viewed the documents myself and he sent me fake Clinton Foundation files.”


“G2.0 was not privy to all of them. G 2.0 released NOTHING significant & faked documents on the Clinton Foundation which I was personally sent by them. Those files proved to be fake. The metadata of G 2.0’s files shows a copypasta job like Downing St’s infamous memo on WMDs.”

There’s so much to unpack here. First, as I noted in my last article, I find it fascinating that Guccifer 2, as Kesel points out, never released anything terribly interesting nor anything that spoiled WikiLeaks’ upcoming publications (even more extraordinary, neither did DCLeaks or the Shadow Brokers). Second, Kesel is wrong. The “Clinton Foundation” files (cf.7z files) were real files, they just didn’t come from the Clinton Foundation and no, Russian “locale language” was not found in the cf.7z files. 

The only documents that the G2 WordPress released that had Russian fingerprints inserted into the metadata were the first five documents leaked on July 15, 2016. That’s it. If memory serves correct, I believe that Guccifer 2 manipulated a few other documents like removing the header but G2 did not manipulate every single document they released, ffs. And just for good measure, none of the DCLeaks.com documents had Russian fingerprints added.

As for Podesta’s password being p@ssword, that’s fake news and it’s fake news that even Julian Assange himself disseminated:

“Podesta gave out that his password was the word ‘password.’ His own staff said this email that you’ve received, this is totally legitimate. So, this is something … a 14-year-old kid could have hacked Podesta that way.”

Did Podesta use easy passwords like “Runner4567”? Yup. But “p@ssword” was the password for Podesta’s Windows 8 computer and according to CyberScoop, Gmail doesn’t even let you use the word “password” as a password. CyberScoop also pointed out that the password “has absolutely nothing to do with how his emails were hacked and leaked, making it irrelevant to the entire hacking incident.” Indeed, in the bigger scheme of alleged Russian hacking, Podesta was spear-phished, not hacked because someone guessed his password… unless there’s something Assange and Kesel would like to share with the rest of us. Lastly, I’m curious how Kesel would know what Guccifer 2 was privy to or not. 

Alice Donovan

Kesel posted a host of tweets about the online persona “Alice Donovan,” who submitted plagiarized articles to media outlets like WeAreChange.org. Kesel and Cassandra Fairbanks, a fascist, right-wing activist who had close ties to the Trump administration and U.S. intelligence via Arthur Schwartz (among others) and once said she wished Trump would rain pain down upon Americans, were both working for WeAreChange.org when the outlet started publishing Donovan’s work. WeAreChange is the same outlet that also published Fairbank’s “Spirit Cooking” article, one of the—if not THE—article that set Pizzagate ablaze less than a week before the 2016 election, especially after WikiLeaks retweeted it.

On July 17, 2019, Kesel tweeted again about “Alice” and insinuated that “she was really CIA and that the intelligence agency was publishing plagiarized articles in order to “watch” him. Wut? In fact, Kesel posted a brimming hot bowl of wild, unsubstantiated claims about Alice including he did more damage to the 2016 election than Alice did by plagiarizing other writers; a number of writers at WeAreChange.org including himself were targets of the U.S. government and “know” WikiLeaks; and WeAreChange.org was hacked because of Alice.

He also claimed in 2018 and 2019, that he was named in the Maria Butina indictment because of Alice but he said that his alias and real name wasn’t used so it remains a super duper Scooby Doo mystery how exactly he was detailed in this indictment. Just kidding. He changed that story back in January 2020. Now he’s says that he was named in the Mueller report as the “useful idiot” who promoted Alice’s articles.

Well, here’s the 4-page criminal complaint against Butina so it shouldn’t be that hard to figure out if he was mentioned as himself, an alias, or as the “useful idiot.” Here’s the 17-page affidavit, the Mueller report (Volume I and Volume II), the Netyksho indictment, and a link to Google. All of it searchable, none of it mentioning this guy in terms of Alice Donovan or Maria Butina. Here’s an archive to most some of his tweets involving Alice:

2016-2018:
https://archive.is/f9UuO

2019:
https://archive.is/4O7aO

2020 (most):
https://archive.is/BslAF

2021:
https://archive.is/CWdtl

Seth Rich

Kesel also pushed the Seth Rich conspiracy stating in September 2019, that the “GRU didn’t hack DNC, leak came from Seth Rich. I saw the files prior to the drop encrypted w/o decrypt key.” Did this guy just say he saw the full unencrypted DNC files that he claims came from Seth Rich prior to WikiLeaks publishing them? Yup, he sure did. Full f*cking yikes.

On September 20, 2019, he also said that what WikiLeaks released wasn’t from Guccifer 2 because “if it was then @KimDotCom wouldn’t have known yrs before the leak…” What he’s referring to is when Dotcom told Bloomberg in May 2015, that Julian Assange was going to Hillary’s “worst nightmare.” I’ve stated ad nauseam that this was not Dotcom’s initial statement. On December 1, 2014, he tweeted, “I’m your Internet Freedom fighter AND Hillary’s worst nightmare in 2016!” He changed his statement to Assange five months later.  

Even still, what exactly is Kesel’s point? That Seth Rich was pilfering DNC emails prior to May 2015, during which time he contacted Dotcom and Assange to let them know, “Yo, I’m pilfering emails,” and then he kept doing it for over a year without getting caught? I thought the conspiracy included Rich being disillusioned with the DNC, what they did to Bernie, and voter fraud that he decided to leak the files so how exactly was any of that happening prior to May 2015? Hillary announced her candidacy only 31 days prior to Dotcom’s Bloomberg interview. Literally these people are as full of shit and propaganda as the U.S. government.

Endnote

To be clear, this article is not accusing a specific person(s) or group of planting Guccifer 2 files at the conference because I don’t have any conclusive evidence proving it although I wouldn’t put it past certain individuals within the Assange/WikiLeaks/transparency/hacktivist community. The point is that there were “hackers” making claims that they had been in private contact with Guccifer 2, received documents, and it’s possible that G2 sent them the .7z files before the conference. Although the two hackers mentioned in this article peddle heavily in disinfo, it doesn’t preclude the possibility that there were a host of encrypted communications that took place between G2 and others (not just them) that we’re not aware of—communications where the .7z files later used at the cyber conference were passed between them.

Also be aware of what I stated in The Rabbit Files‘ first article. The direction of this  series is not to solve the Guccifer 2 problem, it’s to illuminate what I personally consider are bad actors in the Assange and transparency community who I believe have been running malicious ops together for at least the last four years. The disinfo that Kesel has continuously churned out over the years is a perfect example.

Next: The Rabbit Files 4.1: Timeline and Guide

---

Warning: Do not use your hairdryer in the bathtub. Ten pages of disclaimers to follow —
If you were mentioned in this article because your associate(s) did or said something stupid/dishonest, that’s not a suggestion that you did or said something stupid/dishonest or that you took part in it. Of course, some may conclude on their own that you associate with stupid/dishonest individuals but that’s called having the right to an opinion.

If I haven’t specifically stated that I believe (my opinion) someone is associated with someone else or an event, then it means just that. I haven’t reported an association nor is there any inference of association on my part. For example, just because someone is mentioned in this article, it doesn’t mean that they’re involved or associated with everyone and everything else mentioned such as what happened at the 2016 cyber conference and the G2 presentation. If I believe there’s an association between people and/or events, I’ll specifically report it. 

If anyone mentioned in this article wants to claim that I have associated them with someone else or an event because I didn’t disclose every single person and event in the world that they are NOT associated with, that’s called gaslighting an audience and it’s absurd hogwash i.e. “They mentioned that I liked bananas but they didn’t disclose that I don’t like apples. Why are they trying to associate me with apples???” Or something similar to this lovely gem, “I did NOT give Trish the thumb drive!” in order to make their lazy audience believe that it was reported they gave Trish the thumb drive when, in fact, that was never reported, let alone inferred.

That’s some of the BS I’m talking about so try not to act like a psychiatric patient, intelligence agent, or paid cyber mercenary by doing these things. If you would like to share your story, viewpoint, or any evidence that pertains to this article, or feel strongly that something needs to be clarified or corrected (again, that actually pertains to the article), you can reach me at jimmysllama@protonmail.com with any questions or concerns.

This is an opinion piece about my own theories and viewpoint. You should research this story and events yourself and come to your own conclusions.