2016 Timeline and Guide

I just wanted to publish a quick timeline/guide of what I’ve covered in the last few Rabbit Files, especially because the time period between August 9-August 16, 2016 was fairly busy and things are obviously going to keep getting busier…and more convoluted. This only covers 2016. I’ll add to this as we keep going. Feel free to leave a comment or contact me at jimmysllama@protonmail.com if you see anything that needs to be corrected. This situation is complicated enough, the last thing we need is incorrect dates and information.

---

---

TIMELINE

2016

January

• One theory suggests that Guccifer 2 was a lone wolf hacker who started hacking in January 2016

February

• “Alice Donovan,” the online persona that U.S. intelligence later claimed was Russian hackers, starts submitting plagiarized articles to media outlets
• “She” lists the media outlet, WeAreChange.org, in her Twitter bio
• The Mueller report nor the Netyksho indictment mentioned this account 

March

• March 19:
  • John Podesta is the target of successful spear-phishing
• March 20:
  • BerlinLeaks.org is registered

April

• April 14-18:
  • The DCCC and DNC are allegedly hacked by Russian hackers
• April 19:
  • DCLeaks.com is registered with THCservers.com
• April 29:
  • DCLeaks.com is moved to the whistleblower-friendly hosting service, FlokiNET

May

• May 5:
  • DCLeaks.com is moved to a private server with Malaysian hosting service, Shinjiru Technology

June

• June 8:
  • DCLeaks.com starts leaking documents, at least 72 of them are later found as attachments in the Podesta emails
  • @dcleaks_ Twitter account is created
  • DCLeaks Facebook account created

• June 9:
  • Cassandra Ford opens a Twitter account

• June 12:
  • Assange announces that WikiLeaks has more material related to Hillary

• June 14
  • The Washington Post (and Crowdstrike) announce that the DNC was hacked
  • They mention that a Trump opposition file was taken but that file was later found in the Podesta emails, not the DNC emails

• June 15
  • Guccifer 2 creates a WordPress and starts leaking documents, one of which is the Trump opposition file
  • None of these initial documents were found in the DNC emails and the first five had Russian fingerprints deliberately planted in the metadata
  • Two hackers will later claim that they privately received documents from Guccifer 2
  • One of these hackers later claimed that they saw the DNC emails unencrypted and prior to WikiLeaks releasing them
  • The other hacker is closely related to and possibly had administrative access to the Anonymous Scandinavia Twitter account (@AnonScan)

• June 16
  • Cassandra Ford changes her Twitter handle to @Guccifer2, essentially beating Guccifer 2 to the punch, forcing him/her/them to use a different handle: @GUCCIFER_2 (with the underscore)

July

• July 6
  • A VPN linked to the Malaysian server and the website, DCLeaks.com, is used to log into the @GUCCIFER_2 Twitter account

• July 10
  • Seth Rich is murdered
  • White Rabbit later claims that the .7z files were released publicly (somewhere) before Seth Rich’s death

• July 22
  • WikiLeaks starts publishing DNC emails ranging from January 2015-May 2016
  • They release a second batch of DNC emails on November 6, two days before the 2016 election

August

• August 9
  • Assange mentions Seth Rich for the first time during an interview
  • WikiLeaks offers a $20K reward leading to a conviction for the murder of Rich

• August 12
  • The Guccifer 2 WordPress publishes the private email addresses and phone numbers of former and current congressional members 
  • The website encourages journalists to “DM” them if they want more DCCC material  
  • DDoSecrets’ Emma Best DMs the @GUCCIFER_2 Twitter account and is told that they are going to send WikiLeaks a tranche of documents
  • She reaches out to WikiLeaks to let them know and according to Best, WikiLeaks asks her to be their “agent” with G2, she declines 

• August 13
  • Shortly after the last conversation between Emma Best and WikiLeaks and a few hours after midnight on August 13th, the G2 Twitter account tweets that they’re going to send WikiLeaks a tranche of DCCC material which, even if they eventually did, WikiLeaks never ends up publishing anything from the DCCC
  • The G2 WordPress site and G2 Twitter account are suspended sometime during the day
  • The Shadow Brokers make their public debut

• August 14
  • Both of the G2 accounts come back online

• August 15
  • The Shadow Brokers release a free taster of stolen NSA cyber weapons
  • WikiLeaks responds that they have their own copy of the Shadow Brokers’ archive and that they’ll release their own “pristine copy,” they never do 
  • Ray Johansen (@NorwayAn0n) infers on Twitter that the Shadow Brokers directly contacted BerlinLeaks.org

• August 16
  • The 2016 Future of Cyber Security Europe announces that Guccifer 2 is going to be appear via livestream at their September 13th event

September 

• September 13
  • Guccifer 2 never appears at the cyber conference
  • A PowerPoint presentation allegedly written and submitted by G2 is presented by one of the event’s organizers
  • Within the PowerPoint presentation is a link and password to the .7z files, the same files that White Rabbit would give to Trish, Webb, and Goodman on or around June 1, 2017, under the guise they were the “Seth Rich files”
  • White Rabbit’s associate, Beth Bogaerts (@HumanOfMind), later claims that she saw White Rabbit download the .7z files during the 2016 election from a link posted by WikiLeaks
  • As far as I know, no one has ever confirmed that the PowerPoint came from Guccifer 2
  • The Twitter account Anonymous Scandinavia (@AnonScan) will later appear as the keynote speaker at the same cyber conference in 2018 and 2019

October

• October 4
  • The Guccifer 2 WordPress releases the cf.7z files (“Clinton Foundation” files) that have nothing to do with the foundation
  • After WikiLeaks retweets the files, someone suggests that the Guccifer 2 WordPress may have been compromised
  • Some of the .7z files are found in the cf.7z files
  • The Guccifer 2 WordPress had previously released some of the cf.7z files indicating that the actors behind the G2 WordPress may have had a larger tranche of files that included both the .7z and the cf.7z file

• October 7
  • WikiLeaks starts releasing the Podesta emails

FILES

ngpvan.7z files (.7z files)

• The password and link to these files were originally released in a PowerPoint presentation via a September 13, 2016 cyber conference 
• @AnonScan was the key note speaker at the same conference in 2018 and 2019
• The .7z files were never published on the Guccifer 2 WordPress
• These are the same files that White Rabbit gave to Webb, Goodman, and Trish almost a year later and under the guise they were the Seth Rich files 

cf.7z files (“Clinton Foundation” files)

• These files were released on October 4, 2016 via Guccifer 2’s WordPress 
• They contain some of the same documents from the .7z files. Some of the cf.7z files were also found in an earlier G2 release in June 2016, leading to speculation that G2 had a larger cache of documents that contained both the cf.7z files and the .7z files

LINKED ACCOUNTS AND PERSONAS

1. Twitter accounts @dcleaks_ and @baltimoreiswhr (allegedly part of the pro-Bernie, Alice Donovan operation) linked via the same computer used for both accounts

2. DCLeaks’ Facebook page linked to an “Alice Donovan” Facebook page

3. The @GUCCIFER_2 Twitter account, DCLeaks.com website, a VPN account, the Malaysian server, and spear-phishing operations were all linked

4. Bitcoin account user names “Ward DeClaur” and “Mike Long” were used to lease servers tied to X-Tunnel malware implanted on DNC and DCCC networks (used to extract emails and documents), they haven’t been linked to anything else

5. Bitcoin account user name “Daniel Farell” was tied to the domain linuxkrnl.net which was tied to implanted X-Agent malware on DNC and DCCC networks according to Mueller investigation (Mueller’s theory, more specifically the domain, has so far been debunked)

6. Bitcoin account user name “Daniel Farell” was also linked to DCLeaks.com because the account was used to pay for the website’s registration with THCservers.com (see #3)

7. Aside from releasing fairly insignificant documents and having the password to password-protected content on the DCLeaks.com website on at least two different occasions, the Guccifer 2 WordPress has never been linked to any hacking operations or #1-6 above

DOCUMENTS AND LEAKERS

I also wanted to review how many leakers, email sources, and rumors were swirling around by mid-August because the 2016 election season was off its rocker. Some of this I’ve already covered but I’m throwing in some new stuff, too, like Marcel Lehel’s leaks because there are similarities between what he leaked in 2012, and what we saw in 2016. That, and “Guccifer 2” obviously took the name from Lehel (the original “Guccifer”), which surely has some sort of significance. I’ve also included some information about Hillary’s (missing) emails because that played a big role in the 2016 election season, as well. *Please note that below I posted the start date for when emails/documents were released. Some accounts/organizations leaked information multiple times especially over the course of the 2016 election season. I didn’t record every one of these events.

2013: Marcel Lazar Lehel and Applebaum

• • In 2013, Marcel Lazăr Lehel, a Romanian hacker and the original “Guccifer,” targeted a host of people, including republicans
  • He hacked Colin Powell’s website, his AOL account, and Sidney Blumenthal’s emails 
  • In 2016, he claimed that he “easily broke into” Hillary Clinton’s private server after “gaining access to the email account” of Sidney Blumenthal
  • Lehel said the emails were underwhelming, he never backed up his claims, nor did he ever release any Clinton emails
  • In December 2013, Jacob Applebaum released the NSA ANT catalog (to clarify, he wasn’t the original source/leaker of the catalog)
  • Some of the tools that the Shadow Brokers released in 2016 were found in the ANT catalog

•  

2014-2015: CyberBerkut

• • Described as a Ukrainian, pro-Russian hacking group, CyberBerkut leaks George Soros’ letters
  • They’ve been accused of manipulating documents as well as releasing a staged ISIS video
  • In January 2014, they also attacked NATO websites
  • In November 2015, CyberBerkut released documents related to Soros’ Open Society Foundation

2016:  DCLeaks.com, Guccifer 2 WordPress, WikiLeaks, Shadow Brokers

June 8: DCLeaks.com

• • DCLeaks.com leaks documents related to/from Soros and Open Society Foundation
  • They publish emails from former NATO Supreme Commander of Europe, General Philip M. Breedlove (last modification date was April 10, 2016)
  • They publish Hillary Clinton Election Staff Clips found in Podesta email attachments
  • They publish Colin Powell emails
  • They publish information stolen from Republicans in 2015
  • Most, if not all of the DCLeaks.com leaked emails came from personal gmail accounts and were spear-phished. They were not pilfered from the DNC or DCCC computer networks

June 15: Guccifer 2 WordPress

• • G2’s WordPress starts leaking documents three days after Julian Assange announced WikiLeaks had more material related to Hillary Clinton, and one day after the DNC (via Crowdstrike and the Washington Post) announced they had been hacked 
  • The first five documents the account released were manipulated to include Russian fingerprints 
  • The account released emails that were found in both Podesta and DNC emails later published by WikiLeaks

July 22, 2016: Wikileaks DNC Emails

• • WikiLeaks starts publishing DNC emails
  • The email dates range from January 2015 to May 2016
  • They released a second batch of DNC emails on November 6, 2016, two days before the 2016 election

August 13-15: The Shadow Brokers

• • The Shadow Brokers make their first public appearance on August 13th
  • On August 15th, they release NSA cyber weapons that WikiLeaks claims later that day they have the same archive 

October 7: WikiLeaks Podesta Emails 

Hillary’s Missing Emails and the Clinton Foundation

In case anyone’s interested in the whole missing emails saga, below is a quick summary of the dumpster fire I like to call Hillary Clinton and her staff. Clinton’s missing emails played a significant role during the 2016 election. For example, Erik Prince and Barbara Ledeen ran an operation to find her emails on the dark web. Republic operative, Peter Smith, also tried to find her missing emails (I believe he later claimed that he found them and sent them to WikiLeaks) before committing suicide in 2017.

On May 9, 2016, Judge Napolatino announced on Fox News that the Russians had 20,000 of Hillary’s missing emails which was followed up by an article written by Edmund Kozak entitled, “Kremlin Has Hillary’s Emails,” in which he reported that the “Kremlin was considering whether or not to release some 20,000 hacked Clinton emails reportedly in its possession.” These stories appeared to be part of the whole Papadopoulos operation.

When it came to light that Huma Abedin had transferred 650,000 emails to her husband’s laptop, Eric Prince used the occasion to push the story that the New York police department had found evidence of money laundering and Clinton/Epstein island escapades on the laptop—a story that fueled the brewing Pizzagate fiasco. So how incompetent was Hillary and her staff with her emails and was there a good reason for everyone to be talking about them? Additionally, is there a good chance that every foreign government in the world has her missing emails? Yeah, probably. So…

In response to Marcel Lehel’s 2013 hack of Sidney Blumenthal (and without getting into details but you can read my in-depth analysis about Hillary’s email adventures HERE), computer wizard, Paul Combetta, tried to help Hillary’s aide, Monica Hanley, move some of Hillary’s emails. In the process, they lost a thumb drive and a laptop that contained all of the emails. They’ve never been recovered.

Also due to the hack, the Clintons decided to chuck their private server and move to Platte River Network’s (PRN) servers. According to a Platte River employee, a backup device from Datto, Inc. was configured to take snapshots of the Clinton’s PRN server but Datto inadvertently backed up their server to Datto’s cloud. In simplest terms, Datto likely has a copy of all of Hillary’s emails, including the missing ones.

After moving over to PRN, sometime in mid-2014, the Clintons directed the company not to encrypt their emails on the server because naturally. Then, in July 2014, Cheryl Mills had Hillary’s emails extracted from the PRN server to a .PST file. A copy of the .PST file was then sent to both her and Heather Samuelson’s laptops. Wizard king, Paul Combetta, later used BleachBit to delete the exported .PST files. In December 2014, Combetta also realized that he forgot to change the retention date for Clinton’s emails. This was Combetta’s “Oh shit” moment.

On June 21, 2016, shortly after DCLeaks.com and the Guccifer 2 WordPress showed up, the FBI realized that 900+ emails (some of them marked “classified”) associated with Clinton’s personal email account were left on Combetta’s gmail account after he migrated the emails from that lost laptop (before it got “lost”) to the PRN server.

Then there was the 650,000 emails that Abedin transferred to her husband’s computer, the ICIG investigation that found that almost every single Clinton email was sent to a “foreign entity unrelated to Russia,” and the FBI Vault release that reported the FBI recovered 17,448 emails from “additional data sources” that were never turned over to the state.

Again, I only mention these events because Hillary’s missing emails played a role during the election and based on her incompetency and that of her staff, it doesn’t seem like it would have been that difficult to get one’s paws on her emails, including the missing ones.

A quick blurb on the Clinton Foundation: The Clinton Foundation and its alleged dirty dealings in money laundering and pay to play was pushed heavily by Steve Bannon and Barbara Ledeen ( the one working with Prince to find Hillary’s missing emails). It was also the topic of a book Bannon helped publish in 2015 (Clinton Cash), and James Corsi’s mid-2016 book. FBIanon, who showed up on the scene in mid-2016, also pushed the Clinton Foundation heavily. Then there’s Roger Stone who pushed the narrative that WikiLeaks was going to be dropping Clinton Foundation emails based on a misinterpretation of Assange’s June 2016 interview. Lot of emails, documents, operations, and idiots in play during 2016:

• Podesta spear-phished
• DCCC and DNC hacked with malware
• DCLeaks.com
• Guccifer 2 WordPress
• WikiLeaks (DNC emails, Podesta emails)
• Shadow Brokers (NSA cyber weapons)
• Seth Rich
• Clinton Foundation (Bannon, Ledeen, Corsi, FBIanon, Stone)
• Hillary’s missing emails (dumpster fire)
• Papadoupolos (“Hillary emails” debunked)
• Steele dossier, Shearer dossier, Crossfire Hurricane
• FBIanon
• Epstein/Pizzagate