Getty Images

Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links

A British IT manager and former hacker from Darlington ran a disinformation campaign that duped former US intelligence agents and provided Donald Trump with manufactured “evidence” to deny that Russia interfered with the US election

A British IT manager and former hacker launched and ran an international disinformation campaign that has provided US President Donald Trump with fake evidence and false arguments to deny that Russia interfered to help him win the election.

The campaign is being run from the UK by 39-year-old programmer Tim Leonard, who lives in Darlington, using the false name “Adam Carter”. Starting after the 2016 presidential election, Leonard worked with a group of mainly American right-wing activists to spread claims on social media that Democratic “insiders” and non-Russian agents were responsible for hacking the Democratic Party. The hacking attacks had damaged Trump rival Hillary Clinton’s campaign.

The claims led to Trump asking then CIA director Mike Pompeo to investigate allegations circulated from Britain that the Russian government was not responsible for the cyber attacks, and that they could be proved to be an “inside job”, in the form of leaks by a party employee. This was the opposite of the CIA’s official intelligence findings.

Trump went further at his July 2018 summit with President Putin in Helsinki, saying he believed Putin’s claim that Russia had not interfered. In doing so, he rejected multiple highly classified US intelligence agency reports given to him over the past 18 months, including by former president, Barack Obama. “I don’t see any reason … why it would be [Russia],” said Trump. 

Three days earlier, the US Department of Justice (DoJ) had charged 12 Russian Federation Main Intelligence Directorate of the General Staff (GRU) intelligence officers with conspiracy against the US, releasing unprecedented amounts of previously top secret information about the agents, offices and tools used in multiple cyber attacks on the Clinton presidential campaign.

After returning to the US, facing outrage over his conduct, Trump claimed he mis-spoke and meant to say the opposite of what he said.

The Guccifer deception 

The GRU’s hackers were caught red-handed in June 2016, when the Washington Post exposed evidence of their role. Within 24 hours, after the Post had asked Russia for comment, the hackers fabricated evidence and planted a false trail that the hacking was the work of an imaginary, lone Romanian called Guccifer 2.0. While this happened, GRU officers were spotted doing online searches to check English phrases while penning the first blog post for their Romanian fake, according to the DoJ indictment.

Guccifer 2.0’s role was “falsely to undermine the allegations of Russian responsibility for the intrusion”, according to the indictment. US and European intelligence agencies identified “Guccifer 2.0” as a Russian deception operation before Americans went to vote. Detailed evidence had not been publicly available until the publication of the indictment.

Guccifer 2.0 vanished the week after President Obama released intelligence confirming that Russia had helped Trump to the presidency – just a week before Trump’s inauguration in January 2017. “Here I am, again, my friends,” Guccifer blogged, claiming: “I have totally no relation to the Russian government.” Then he vanished. Tweets, blogs and tempting tips to journalists dried up.

The GRU actor playing Guccifer 2.0 tripped up, and gave his hoax away, several times. On one occasion, he made the catastrophic error of forgetting to turn on his virtual private network (VPN) before logging on to WordPress. WordPress is an American blogging service which records login addresses and can give them to the FBI. The exposed address led US intelligence directly to a GRU Moscow office.

As Trump moved into the White House, he faced growing suspicion – and now a full-blown investigation – that his campaign had been backed by Russia to help win the presidency. In Britain at the same time, archived evidence shows, Tim Leonard was completing a website intended to obfuscate the truth about Guccifer 2.0 and the GRU.

The Guccifer distraction

A Twitter account traced to Leonard revealed his new project – a campaign claiming that the hacking was done by a Democratic Party insider – on 3 February 2017. “What if #Guccifer2 is NOT Russian ... NOT even a hacker – but still had access to DCCC [democratic campaign] docs?” it said.

At 1.14am on 5 February 2017, Leonard registered the website He hid his involvement using nominee company Identity Protect Ltd, but was given away by internet records which showed that the site was operated from internet address, one of two UK virtual servers he ran for web design company Creative Insomnia.

His front page went live 13 hours later, and included the hidden warning: “Contingency plans are in place in case this site or its creator are compromised.” A hidden web page comment warned: “If I die under suspicious circumstances, the primary suspects should be the Clinton cartel.”’s launch page listed five prominent mainstream journalists he had contacted, and who had faced demands to disclose their evidence and sources about Guccifer 2.0. All declined or ignored him.

Leonard’s website was created in and run from the UK, using servers owned by Creative Insomnia of Newport, Gwent. Leonard is listed in company records as a shareholder and director. His activity was not known of or authorised by others in the company (see below).

Leonard admits hosting, a website which published numerous articles giving mutually contradictory and often nonsensical theories, each attempting to prove that the pretend Romanian was not a Russian disinformation invention.  

Leonard also admits that he secretly built another website inside the servers he was employed to manage. His first hidden site, Defianet (, initially campaigned on piracy and privacy, themes familiar to programmers who had worked with him on unrelated projects and who spoke with Computer Weekly.

Defianet’s front page proclaimed “United in the shadows” when it went online in September 2014. During 2017, he transformed Defianet to make it a focus for US extremist and conspiracy “independent media” groups, many of which are notorious for spreading false news. The site also promoted WikiLeaks and Russia Today (RT), the state-owned media channel.

Leonard has created and managed a library of disinformation manuals and techniques shared with his supporters, including “Weaponisation of social media”,Deception techniques” and “Information warfare”. He moved the library to after being ordered to close Defianet.

Leonard, who lives in a modest red-brick house in Darlington, is the technical director of Creative Insomnia. He admits that he built websites “making use of Creative Insomnia’s infrastructure”, including, without the knowledge of his company, a fellow director and other workers. It was “entirely my responsibility ... not a board-approved decision”, he confessed in a letter. claims to be written by an anonymous persona called Adam Carter. The name was copied from a character in Spooks, a BBC spy drama series broadcast from 2002 to 2011.

Computer Weekly has established that the email address used by the fictional Adam Carter – – was set up on Creative Insomnia’s email system in 2014, and used to run accounts on Reddit, Twitter and Disqus. The email used was on the same domain as Leonard’s Defianet site. As the company’s sole server manager, Leonard was the only person able to create new websites and email addresses.

Creative Insomnia

Creative Insomnia was launched as a web design business in January 2005. It is run by partners Mark Butler and Sarah Chicken, who are university lecturers at the University of South Wales and the University of the West of England. Tim Leonard joined in 2010. They currently host about 45 small sites on UK datacentres run by Simply Transit of Bracknell.

Because of this, the IP addresses which Leonard secretly used to promote his views on US politics were shared with other clients, including Newport’s gay sauna, a swinger site, Welsh businesses, and the host company.

Contacted initially in December 2017, Butler said he had no prior knowledge of Leonard’s disinformation activities. Butler said he was shocked to learn that hidden sites and email services had been secretly running on his company’s systems since 2014. He ordered them taken down. Both sites went offline within two hours. One soon reappeared online at a new site in Bulgaria, and was later moved back to the UK host Webfusion, in an IP block controlled from Leeds.

The websites had been set up “behind the backs of directors”, Butler said. There is no suggestion that Butler or Chicken previously knew about Leonard’s concealed activities.

Butler confirmed to Computer Weekly at the time that he had “disciplined Tim Leonard”. “He has apologised for using the servers,” he said. “Where we are going next, I don’t know. I have to speak to another member of the company to decide what to do with Tim,” he added.

When the Twitter account @with_integrity used the email address in 2016, the writer described himself as a “CTO/software developer/ex-blackhat” from England – a description matching Tim Leonard. During the US elections, @with_integrity and Leonard’s other accounts began circulating media attacks on Hillary Clinton, describing her as a “fracking warmonger”.  

The Twitter account, which was later also given the fake name Adam Carter, trolled mainstream journalists or academics who disagreed with conspiracy theories Leonard encouraged in early 2017. On unmoderated social networks permitting hate speech, “Carter” later linked to American neo-Nazis such as “Anna” and promoters of the Daily Stormer neo-Nazi website.

One @with_integrity tweet asked for confirmation that the cyber security expert who first spotted Russian hackers was Jewish. “Social media activity patterns [suggest] possible observance of the Sabbath,” he told followers. Leonard suggested in the tweet that social media patterns implied that the researcher and Guccifer 2.0 could be the same person.

After his hidden sites were discovered in December 2017, Leonard told Creative Insomnia founder Mark Butler that he had created for an “old friend” called Ken. In a letter, he referred to “further enquiries regarding in relation to some points Adam/Ken has asked me to look into”.

Leonard told Butler that Ken – the mysterious friend he claimed was running the Adam Carter operation – was Ken McClelland, a programmer who had worked with Leonard in Methlabs, a group building a software firewall.

This was untrue, Computer Weekly has found. Journalists traced McClelland to western Canada, and interviewed him. Asked why he had lied about McClelland and the accounts he had created, Leonard did not reply.

Hoax hits White House

One document – a tip-off file obtained in June 2017 by Leonard’s site from an “anonymous source” – took new disinformation all the way to the White House and the CIA.

The untitled file included complex details explaining how to unlock information inside a tranche of files released by Guccifer 2.0 in London. Metadata in the files had been manipulated to “prove” that the documents could have been stolen by a Democratic National Committee (DNC) employee. Until the file arrived, the information hidden in the files, created by the GRU hackers and known only to them, had not been detected by security experts.

The document, rewritten for propaganda effect, was published three weeks later and claimed to be the work of a new fake personality called Forensicator, which claimed that stolen DNC documents were copied to a computer located in the eastern US. If correct, it was devastating news for US intelligence – because it cleared the Russians.

Some former intelligence officials, from a group called Veteran Intelligence Professionals for Sanity (VIPS), backed up the claim. A group, including William Binney, a former technical director at the US National Security Agency (NSA), and former CIA officer Ray McGovern, were persuaded, without checking the file data, to say that the hacking was the work of insiders.

According to former NSA technical manager Tom Drake, “Ray’s determination to publish claims he wanted to believe without checking facts and discarding evidence he didn’t want to hear exactly reproduced the Iraq war intelligence failures which the VIPS group was formed to oppose”. He and other VIPS members refused to sign McGovern’s report.  

But the VIPS endorsement was repeated by American media, from respected left-wing publication The Nation to controversial right-wing site Breitbart News. The ploy succeeded – and made it to the White House. Binney was invited on to Fox News and said allegations that Russia had hacked the DNC were unproven. Trump then told CIA director Mike Pompeo to see Binney to find evidence to support the claims. Pompeo met with Binney on 24 October 2017.

Binney said he told the CIA chief that he had no fresh information. But he said he knew where to look – in the surveillance databases of his former intelligence agency, NSA.  

As a former top NSA insider, Binney was correct, but not in the way he expected. NSA’s top secret records, disclosed in the DoJ indictment earlier this month, lifted the lid on what the Russians did and how they did it.

A month after visiting CIA headquarters, Binney came to Britain. After re-examining the data in Guccifer 2.0 files thoroughly with the author of this article, Binney changed his mind. He said there was “no evidence to prove where the download/copy was done”. The Guccifer 2.0 files analysed by Leonard’s were “manipulated”, he said, and a “fabrication”.

William Binney (left) checks the Forensicator report with author Duncan Campbell

How Russia attacked 

The GRU used multiple units to conduct “large-scale cyber operations to interfere with the 2016 US presidential election”, according to the US hacking indictment. The operations involved “staged releases of documents stolen through computer intrusions”, including by Guccifer 2.0, WikiLeaks and DCLeaks, another front observed being set up by the GRU.

Security experts have been stunned by the depth and detail of US intelligence information on the hackers in the indictment. Some of the detail could likely only have come as the results of counter-attacks on the GRU, implanting malware that was copying screens and keystrokes, at the same time they were doing the same to officials in the Democratic Party.

The main Russian attack began in March 2016, and used large-scale phishing attacks that acquired the email accounts of members of Hillary Clinton’s campaign team, including campaign chairman John Podesta. Staged releases began in June 2016.  

Three days before the start of the Democratic National Convention on 22 July 2016, WikiLeaks published the first of 44,053 emails from the senior democrats’ accounts, including 17,761 attachments. Some of the emails appeared to show bias by top-level Democratic Party officials in favour of Clinton. Four top DNC officials quickly resigned, throwing Clinton’s nomination convention into disarray.

Guccifer 2.0 claimed credit, tweeting – accurately, it now appears – that WikiLeaks had published documents “I'd given them”. Donald Trump loved it, telling a Florida news conference that Russia should increase its cyber espionage: “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing.”

Trump repeated his view a month before US election day, telling a Pennsylvania crowd: “I love WikiLeaks!”  

The Russian attacks included creating fake social media “posing as US persons... to interfere with US political and electoral processes” in order to defeat “the lawful governmental functions of the United States”, according to another grand jury indictment released in February. The indictment charged 13 Russians working for the St Petersburg Internet Research Agency – known as the “troll factory”. Impersonating a US citizen to interfere in elections is a crime in the US, irrespective of the country where it takes place.

Leonard’s @with_integrity Twitter account had also posed as a US citizen in the same period.

Darlington’s disinformation warrior

At the start of his career, Leonard (pictured left) helped create a firewall system, PeerGuardian, which was designed to block music industry investigators from infiltrating networks where computer users shared music in breach of copyright laws. Leonard worked with a group of privacy and piracy activists in Europe, Canada and the US. His online name was Method.

Leonard’s website Methlabs was used to develop and support PeerGuardian. His blog posts on Methlabs promoted Ecstasy test kits, shared cracked programs and hacks, and threatened distributed denial of service (DDOS) attacks on film industry anti-piracy teams.

Leonard was later hired to run servers for Simplyclick, a now-defunct portal which provided intranets for British schools.

Evidence recorded by the Internet Archive shows that he hid blocking lists of film industry investigators’ addresses inside Simplyclick’s infrastructure. Archived evidence from Simplyclick also refers to a Methlab tool, XS (see image below).  

Methlab XS shown on Simplyclick

Leonard began creating networks of anonymous media accounts after he joined Welsh internet firm Creative Insomnia. In many of the accounts, he pretended to be a US citizen and Democratic Party supporter, posting thousands of angry, expletive-loaded comments. With a hissing cat as avatar, in August 2010 he signed up to blog host Disqus as @Retaliate. He added more anonymous Disqus accounts – @InconvenientProof and @OptimumCognition.

Leonard again offered to exploit servers he was responsible for managing. In November 2010, he told other programmers: “I can certainly host a site ... the boxes I’ve got should be able to handle a fair bit of traffic ... of course it would be free.”

Leonard has refused to explain why he started building and running profiles in which he pretended to be a US citizen. Social media activity seen by Computer Weekly shows that he subscribed to US conspiracy theory sites, including Breitbart News, Infowars and Bulltruth.

After building Defianet’s website, he added a new Disqus account – @Inviolable – and joined Reddit as d3fi4nt (Defiant). Both accounts used his Creative Insomnia email address, On Reddit, d3fi4nt posed as a US-based Democrat supporter of Bernie Sanders, publishing hate messages targeted at Clinton, and signed up to The Donald, an exclusive Reddit location for Trump supporters, as well as r/Conspiracy, a notorious watering hole for conspiracy theorists.

On Disqus, @Retaliate and @InconvenientProof posted attacks on Clinton, following the same messaging at the same times as known Russian trolls. @InconvenientProof and d3fi4nt also operated as sockpuppets, referencing other Leonard-operated accounts and activity. @OptimumCognition focused on media industry claims to be losing revenue to pirates, writing: “Prove your alleged losses ... or shut up and fuck off.”

His @Retaliate and @InconvenientProof  Disqus accounts participated in alt-right US news groups, including Breitbart News Network, a far right-wing internet platform managed until  January 2018 by former Trump advisor Steve Bannon. Disqus adopted a hate speech policy to deal with the Breitbart group in 2017 after it was described as “one of the vilest cesspools on the internet ... the worst of humankind” for supporting racism and neo-Nazis. 

On a Creative Insomnia domain called, Leonard created multiple private personal mailboxes, using initials and false names. According to the website Have I been pwned?, email address subscribed to games hacking websites PS3hax and Multiple Game Player Hacks (MGPH) in 2014 and 2015.  

On a single day in 2015, Leonard created two new Disqus accounts using addresses: @InconvenientProof, linked to; and @OptimumCognition, linked to a mail address for a Sarah Thomas.

IP addresses used to log in to these accounts, seen by Computer Weekly, showed that the user often used a VPN anonymiser service. When, like Guccifer, Leonard forgot to switch on his VPN, he was using addresses provided by Virgin Media broadband in the UK. Fixed Virgin IP addresses used were assigned to Haughton Le Skerne – the small Darlington district where Leonard purchased a house in 2007.

Defianet proxy page

At first, Defianet looked like the work of an ambitious hacktivist. The site focused on torrents and security, advertised discussion fora, claimed to run unique “d3fcrypt” encrypted chat channels, as well as a torrent “magnet link collection” called MASS.

“proxy relay” offered to users was built inside Creative Insomnia’s systems (see image above). The Defianet link was running at the time of publication, and is archived here. Logged in test users included Method and Retaliate. 

Defianet’s original front page (see image below) stated that it was created by m3th0d (Method) and three others. Method is Leonard’s nickname. On Reddit, Disqus and Twitter, Leonard published the email address Emails sent by that account passed through Creative Insomnia’s mail server,

Defianet’s original front page

“I’m with integrity”

As US election campaigns ramped up in May 2016, Leonard’s Defianet email address,, was used to create a new Twitter account, @with_integrity. The name, he said, was a parody of Clinton’s campaign slogan, “I’m with Hillary”. The profile displayed a WikiLeaks avatar. 

For 10 days in 2016, @with_integrity trolled and attacked the Democratic Convention, accusing the Democrats of collusion, conspiracy, cheating, corruption, rigging elections and sabotage. 

On 22 July 2016, @with_integrity tweeted a link to the Russian propaganda and news channel, RT, claiming that primary elections had been rigged. On 26 July, as delegates voted, @with_integrity tweeted a new RT attack on Hillary Clinton.  

After Clinton was nominated, @with_integrity followed the Russian trolls’ path in supporting Donald Trump, retweeting Trump slogans, including #CrookedHillary, #LockHerUp, #MakeAmericaGreatAgain and #VoteOnlyTrump, and a third link to a “special episode” on RT.

Two months after was launched, Leonard’s @with_integrity Twitter account also started claiming to be run by Adam Carter. The previous WikiLeaks symbol was replaced by angular lettering (IWI – I’m with Integrity) created in an obscure typeface called Critical Mass LDR. Leonard used the identical typeface to create Defianet’s logo and for a special program used by “Carter”, which he called Hexcell (see image below).

Obscure typeface Critical Mass showed link betweeen different deception sites

Fragments of Hexcell were left inside Creative Insomnia’s servers after Leonard was ordered to shut down Defianet. Leonard has admitted that he ran the Hexcell program from his personal folder inside Creative Insomnia, called Timtest. Leonard created the Hexcell program in a failed attempt to find data proving Guccifer was a former Democratic Party manager.

On, Leonard published multiple contradictory descriptions of who Carter was supposed to be. His blog first claimed: “I am NOT a journalist or reporter ... I’m just a civilian that noticed some oddities.” 

Days later, it claimed the opposite: “An independent, investigative ‘citizen journalist’ from the UK.” Meanwhile on Twitter, “Carter” described himself as a chief technology officer (CTO), a software developer and ex-blackhat, an Englishman living in England – an accurate description of Leonard.

“[I was] schooled by other hackers while working as a software developer and maintaining servers,” Leonard posted on Disqus in 2011, as @Retaliate. Last month, his Carter account claimed on Steemit: “I know what it feels like to have unauthorised access to hundreds of servers that you’re not supposed to have access to. Fortunately, for the past 15 years, I’ve been working in IT in a far more legitimate capacity and currently manage an array of servers.”

Hacking to gain unauthorised access to computer stystems – blackhat hacking – is an offence in the UK under the Computer Misuse Act, punishable by a maximum of 10 years in prison and a fine.

A bucket of conspiracy theories

Leonard’s first theory about Guccifer 2.0, posted to Reddit’s “r/conspiracy” subreddit in October 2016, was that “the feds (FBI) did it”. Guccifer 2.0 (G2) was really being used by the FBI, similar to compromised Lulzsec hacker Sabu in 2011, he claimed. Leonard had blogged at the time that he was the first person accurately to spot that the FBI had got control of Lulzsec.

In February 2017, Leonard’s site proclaimed “Game Over”. On Reddit, he threatened a campaign of “disruption” against media outlets unless they agreed to stop reporting the US intelligence assessment on Russia, or failed to report as fact his theory that Guccifer 2.0 was a Democratic Party insider.

“Media entities will then be given seven days from confirmation of receipt to clean up their act and cease reporting” – otherwise, he would “red card violators”, he told Reddit.

The second theory, published on, was that G2 could not be a hacker, because a stolen DNC “opposition research” file published on 15 June 2016 “took a mere 30 minutes to go from a DNC contractor creating documents to Guccifer2”. This theory was unfounded.  

Leonard’s third theory involved the program called Hexcell, which he had installed on a Creative Insomnia server. Hexcell’s purpose was to decode “binary large objects” to prove that G2 was “a misdirection effort”. He tweeted short links using the program to hashtag #Guccifer2.

When run, the links accessed cached copies of analyses stored inside Creative Insomnia. The cached copies recorded giveaway internal filepaths to his Timtest folder (blocked from external access). After Leonard admitted creating the Timtest folder and the giveaway Hexcell links, the files disappeared. 

Theory number four claimed that the DNC was hacked by Crowdstrike, the security company it had hired to kick out the Russian hackers. Four days later, according to g-2-space theory number five, a group of Ukrainians were claimed to be the real hackers – citing evidence that they had visited the White House on the day of the hack.

His site then complained to 100 US senators that they had ignored his finding that the hacking could not have been done by Russians. None were interested. He then circulated 150 foreign ambassadors in London complaining of a “serious ... threat to global stability” if his theories were “not investigated properly”.

The theory that worked – the theory that President Trump pushed to the CIA – was based on a unique document dump by Guccifer 2.0, in Britain.

Guccifer appears in London (not)

On 20 August 2016, UK conference organisers PSBE Events, part of iMember Media group (iMM), announced a world exclusive. They had booked the world’s then most notorious hacker – Guccifer 2.0.

Guccifer 2.0 would appear in person for the first time, they promised, in a video “live stream” at their September conference in London, Future of Cyber Security Europe 2016. Publicity for his talk, called Hacking Insights from Guccifer 2.0, generated “an awful lot of excitement”, they tweeted.

The GRU team had three weeks to decide what to say and do in London, after getting the conference invite. They played up a theory which had started to circulate in obscure conspiracy-focused chat-rooms on 4chan and Reddit, placing blame on Seth Rich, a then recently murdered DNC employee, for the DNC leaks. 

Two bullets in the back had taken the life of 27-year-old DNC researcher Rich, as he walked home from work late at night in Washington. The date, significant to how his death was later exploited, was 10 July 2016. Six weeks later, in a private message exchange with Guccifer 2.0 published by a US actress, the pretend hacker referred to Rich’s death and claimed, “His name is Seth, he was my whistleblower”.  

Rich’s bereaved parents have repeatedly pleaded for the torrent of conspiracy claims about their dead son to come to an end. “Anyone who claims to have such evidence is either concealing it from us or lying,” his father Joel said, adding: “They have a transparent political agenda or are a sociopath.”

WikiLeaks founder Julian Assange also planted a public pointer to Rich, after Guccifer 2.0 claimed to have provided the stolen DNC emails to WikiLeaks – a claim also shown to be accurate, according to evidence described in the latest US indictment. On 9 August 2016, WikiLeaks tweeted a $20,000 reward offer for information leading to the conviction of Rich’s killer. WikiLeaks had previously offered rewards for leaks, but never, before or since, used the tactic to point to a possible confidential source. WikiLeaks attempted to backtrack the next day.

Forensic analysis of the files prepared for the conference suggests that the GRU team then hoped to exploit the London conference opportunity by framing Rich.

By early September 2016, Guccifer 2.0’s operators had 2,280 stolen DNC files ready to publish at the conference. None of the files concerned Rich or his work. File internal data analysis shows that they were all stale, deadwood information, and of no relevance in 2016. All had been completed and closed before the previous presidential election in 2012.

Using a combination of copying and compression techniques, the “last modified” timestamps of all but 12 of the aged files was changed to 5 July 2016, just five days before Rich was killed and 17 days before WikiLeaks published its first share of the DNC hacks. While this was done, the computer in use for copying had its clock set to Eastern Daylight Time (EDT), the zone covering Washington DC and the eastern US seaboard.

Conference organisers had previously asked former British hackers to present the speech, but they declined. Mustafa Al-Bassam, a former hacker from the Lulzsec group, said: “I didn’t want to be a representative for potentially illegal hacking activities.”

News teams arrived at Prospero House, a conference centre near London Bridge, on 13 September 2016, and were disappointed. There would be no live streaming. Instead, the hackers had sent the organisers instructions, including a prepared speech, a PowerPoint show published here for the first time, and a link to a uniquely structured compressed file of stolen data.

Conference presenter Tim Holmes read Guccifer’s long, rambling, ungrammatical statement. Holmes displayed a slide giving an internet address from which to download the files, and the password to unlock them (see image below).

Tim Holmes shows slide giving url from which to download files

Guccifer’s PowerPoint presentation, a pseudo-hacktivist rant, mixed much-derided Comic Sans lettering with images lifted from TV’s Mr Robot. The Guccifer script claimed that the hacks had exploited flaws in NGP-VAN, the voter analysis system used by the Democrats. This claim was not supported by an explanation, or by the contents of the stolen files, and has been refuted by the company.

Mark Hilton, solicitor for iMM group and Cyber News, told Computer Weekly: “My client simply invited [Guccifer 2.0] to present at the conference. My client did not stipulate or dictate the concept of the presentation. My client ... was never informed as to the existence and content of the hacked information/data.” 

When users on Twitter asked how to open the hacked container of DNC files, the Twitter account run from Leonard’s’s email server – @with_integrity – tweeted the password “for anyone struggling”. The password was GuCCif3r_2.0 – the fake hacker’s name in “leet speak”.

How the Forensicator fraud worked

The team that created Forensicator, including Leonard, gave away that they were not the real authors of the analysis when they inaccurately copied a Linux “Bash” script they had been sent, breaking it. This suggested that they did not write, understand, or test the script before they published. Someone else had sent the script, together with the fake conclusion they wanted discovered and published – that DNC stolen files had been copied in the US Eastern Time zone on 5 July 2016, five days before DNC employee Seth Rich was killed.

Uncritical reporters failed to spot that the Forensicator blog gave no evidence for its conclusion, which was that the data analysed was evidence of theft by local copying happening within the eastern US. The Forensicator report avoided pointing out that the time stamps examined were present only in the special London group of documents, and not in tens of thousands of other DNC files published by WikiLeaks or Guccifer 2.0.

The files were manipulated using an unusual method of file packing, forensic checks show. Because of computer clock settings, the packing operations appeared to have created “evidence” that the stolen files had been copied in the US Eastern Time zone, which includes Washington.

US Eastern Standard Time (EST) is normally five hours behind Coordinated Universal Time (UTC) – better known in Britain as Greenwich Mean Time (GMT). In summer months, clocks are set forward, placing the US Eastern Daylight Time (EDT) four hours behind UTC. The difference between a time zone and UTC is the offset. It is trivially easy for any computer user to change their time, date and time zone offset, using standard controls.

The files released in London, we found, had first been processed in this way to show timestamps for 5 July 2016. Some 13 groups had then been compressed using WinRAR 4.2. Nine additional files were compressed using 7zip. The archive, called 7dc58-ngp-van.7z, was published in this format, as a single file of 680MB.

This dual compression method was unique to the London documents. It was not used in other file dumps released by Guccifer 2.0, WikiLeaks or other publishers of stolen DNC material. The special method used two different file compression systems, 7zip and WinRAR, and required using a four-year-old, superseded version of WinRAR to obtain the required result. The way the Russians did it, the two compression operations appeared to overlap within a single 20-minute period. The tampering may have been done on 1 September, a week before the London conference. 

On inspecting the full data analysis, Binney agreed: “It’s clear G2 is messing with the data. Everything G2 says is suspect and needs to be proven by other sources/means. I agree there is no evidence to prove where the download/copy was done.” 

He added: “The merger of data from 5 July and 1 September ... makes all the G2 crap a fabrication ... we should only say what we can prove with evidence.” 

[Updated 13 August:] Binney subsequently repeated and confirmed his views in an interview with the Lyndon LaRouche Political Action Committee, a campaign vehicle for the controversial seven-time presidential candidate Lyndon LaRouche.

Privately, Binney says his colleague Ray McGovern, who has also pushed the Forensicator theories, accepts that there is no evidence where the files were really copied. “Ray no longer argues that point – except to call it an ‘alleged location’,” said Binney. McGovern has refused to confirm this, or to answer questions about evidence for his claims.

Despite accepting that there was no evidence, Binney and McGovern have not retracted the claims in the 2017 VIPS report at the time of writing.

In a bizarre and telling sequel, a retired engineer later spotted that some files released in London had popped up a second time in a batch of so-called “Clinton Foundation” files published by Guccifer 2.0 in October. But the file modification times were one hour different. This happens if computer time zone settings are being manipulated as files are copied and recopied, as described above. This was an inconvenient truth. Accepting that the engineer, Steve McIntyre, was factually correct, the Forensicator came up with a comic and far-fetched explanation to avoid talking about clock tampering.

Their explain-it-away theory was that in 2016 their alleged DNC leaker had transferred the aged problem files from Washington to a computer using US Central Time, one hour behind DC time. The leaker then copied the files to a thumb drive in the Central Time zone, flew “back to the East Coast” and copied it again for public release. To assist readers’ understanding, they published a large map showing how to fly memory sticks from Washington to New Orleans, and back again (see image below).  

Fantasy explanation of timestamp faking

The obvious, simple explanation was that hackers were manipulating computer clock settings. The observed changes would have taken seconds.

A hike to the Rockies

It took a month to locate Ken McClelland, the Canadian programmer who Leonard told his boss was the real Adam Carter – the friend he claimed to have built the sites for. With the assistance of Canadian TV company Global, we found and spoke to McClelland.

McClelland lives in Kelowna, a scenic British Columbia town in the eastern Rockies, astride Canada’s main east-west highway.

Leonard’s claim that McClelland was the real Russian disinformation agent had initially appeared to have substance. At the time Leonard and McClelland worked together, McClelland’s online name had been d3f, as used in the Defianet site name, 

Leonard and McClelland, then 16 years old, had worked together to build PeerGuardian, the firewall system designed to block music industry investigators from infiltrating P2P networks.

Leonard was “lying”, says McClelland. Leonard had “set him up to cover himself”. He had never heard or known of or Defianet. McClelland added that he had stopped using d3f as an online nickname by 2010, he and Leonard had never met in person, and Leonard had not asked for permission to use his online name.  

“I haven’t talked to the man in a decade. It’s a pissoff,” McClelland added, in the TV interview.


In a letter admitting setting up the hidden Creative Insomnia sites, Tim Leonard wrote: “No crime has been committed by myself nor has any crime been committed through those sites.” Computer Weekly is not suggesting that Leonard or any of the websites associated with him has committed any crime. 

Last December, after another IT publication asked about Carter, staff received threats, sent through Creative Insomnia’s email systems, managed by Leonard and signed Adam Carter.

The emails threatened: “I can generate a lot of noise... I already have an article prepared. I am prepared to write a much more muted, sanitised version that won’t inherently be propagated by a bunch of independent media outlets ... all depends on how everyone else wishes to proceed.”

If a story was published, he said, the publication would “end up spontaneously combusting”, and the author of this article would “burn”.

When Leonard was called, he claimed the author of this article was an “American-style Russiagater”. On Imgur, Leonard published all the enquiries sent to “Carter”, accompanied by his own evasive responses. On Twitter, “Carter” published part of an email addressed to Leonard.

Two days later, the “Carter” operation  merged with Disobedient Media, and Carter appeared on the site as a “technology correspondent”.  

Leonard’s other responses have been revealing about his operations. Within two hours of being approached and photographed by the Sunday Times at home in Darlington, the Adam Carter account was used to tweet: “I’m anticipating character attacks, straw man attacks and other flak from MSM [mainstream media] outlets. Of course, I’m not anticipating they’ll focus on the evidence and research raised.”

Within two hours of a Computer Weekly editor asking Leonard’s company for comment, the Carter account clicked to start following him on Twitter.

Last week, Computer Weekly sent Leonard a detailed email for comment, addressed to him as Mr Leonard, to his Creative Insomnia email address and his email. The reply was signed “Adam Carter” and came from the email address, which Leonard has used since the start of 2018. Leonard did not respond to the specific questions we asked.

As Carter, he has tweeted: “Those behind Guccifer 2.0 sacrificed their own hacking claims in an effort to point out that Seth Rich had dealings w/Russians when alive.” On Reddit, as “d3fi4nt”, he has stated his target: “To be clear – I believe Seth Rich was the source for the DNC leaks.”  

According to US deputy attorney general Rod Rosenstein when releasing the latest indictment, the hacking and disinformation activities he described were part of a larger plan to “spread divisive messages” and to “spread disinformation and to sow discord on a mass scale in order ... ultimately to undermine the appeal of democracy itself”.

Additional research: This extensive investigation would not have been possible without essential help from Global Kelowna TV, Canada; Global TV video journalist Kelly Hayes; data and forensic analysis by programmer Matt Fowler; media network analysis by Lawrence Alexander; and research assistance from former hackers Lauri Love and Mustafa Al Bassam.  

Note: This article was updated on 7 August to make it clear that former Trump advisor Steve Bannon managed Breitbart News Network, but was not its founder, and that Disqus did not expel Breitbart, but created a hate speech policy in 2017 after Breitbart was criticised for supporting racism and neo-Nazis.

The US disinformation team

Disobedient Media is a so-called “independent media” site that describes “Adam Carter” as its technology correspondent. It claims to “bring honesty and integrity back into journalism”. The site has recycled paedophile allegations directed at Hillary Clinton and fellow democrats, and has made repeated attempts to frame murdered DNC official Seth Rich.

Newspapers in France, Germany, Spain and Britain have identified Disobedient Media as an epicentre of Russian-backed attacks on Europe, using forged documents, including smears against Angela Merkel, Sadiq Khan and Emmanuel Macron.

The site, which has run since Trump took office, claims to be run by four young Americans whose records say they each live with their parents. Co-founder and head researcher Ethan Lyle, 23, registered the business name to his parents’ house in a remote part of rural Iowa’s plains. Lyle is no longer listed as a member of the team.

Disobedient Media was started by William Craddick, who claims to have been the prime spreader of a conspiracy story known as Pizzagate, which claimed that Hillary Clinton and her election staff ran a child sex and torture ring in the non-existent basement of a Washington pizzeria.

On startup, Craddick publicised a Pastebin dump of false information claiming that Angela Merkel was bringing ISIS terrorists into Europe so that she could unleash an “EU Army” against other EU states. The article displayed Merkel appearing to give a fascist salute (pictured left).

Following the Westminster Bridge terror attack, Craddick published false claims that London mayor Sadiq Khan was linked to ISIS and the Muslim Brotherhood. In September, Disobedient Media reported that cancellation of the Catalan referendum had put in doubt Spain’s membership of the EU. The report was identified by El Pais as Russian disinformation. Craddick has also tweeted fictitious quotes never spoken by Winston Churchill.

The day before the French presidential election, which took place on 5 May 2017, Disobedient Media was chosen as the channel to release 9GB of hacked email and files from associates of now-President Emmanuel Macron. According to the new US indictment, one of the officers whose name leaked into Macron’s hacked mail, Georgy Petrovich Roshka, was an employee of GRU unit 26165 and also took part in the DNC attacks – further, if indirectly, connecting Leonard to the Russian disinformation activity.


Two days after publication of this article, Russian government news agency Sputnik News also confirmed that Adam Carter’s real name was Tim Leonard. In an interview on the channel’s Faultline programme, Disobedient Media editor-in-chief Elizabeth Lea Vos was asked if Tim Leonard was indeed Adam Carter, and she said: “That is correct.”

Leonard has since written several letters from Creative Insomina Ltd to comment extensively on the article. In the correspondence Leonard has acknowledged that he is also known as "Adam Carter".

Content Continues Below

Read more on Privacy and data protection

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Nice hit piece. Since when is doxxing acceptable practice in liberal media?
Also, I notice that you failed to disprove any of many metadata bits that make Adams theories much more probable than DNC/FBI official narrative.
At least disprove beyond shadow of doubt. All you did was present alternative theories.
You know that "Detailed evidence had not been publicly available until the publication of the indictment."
Please explain to me, if this Adams theories reaching congress are such problem, why didnt FBI release the logs that would easily disprove Adams theories?
Also Vox article that you cite, Cites The Daily Beast, who cite anonymous insider. And that insider didnt say that IP was from moscow GRU office but that it was just Moscow IP.
Oh, look. What a surprise: a story revealing the fraudulent nature of the pro-Kremlin disinformation campaign has fraudulent comments on it defending the disinformation.

Matt Tait didn't write the above. Pathetic.
Yeah....some people just can't let it go.  You think they'd at least bow out with some dignity.
That's the Democratic Party for you. 
Ohh, look even further and you see a pot calling a kettle "black", a xenophobe's mania manifesting itself in print and hundreds of millions of people using fake names to post online.
Try harder. Better yet, find something else to do. You're not making inroads.
They effectively proved and communicated all they needed to regarding what the average American needs to understand or know.  The only real question is whether the Average American is smart enough to listen.
Just to clarify, I am not Matt Tait. I have no affiliation with him.
Whatever I wrote has nothing to do with him.

I just chose him as my nickname, to nudge him, since I remember he also looked into this some time ago and made some rushed conclusions.
Since when was this liberal Media? Or is that just what you call anything that isn't a Crazy Conspiracy theory involving Aliens and the Illuminati? Also, hit piece? Doxxing? More like expose on an infamous individual who assisted in a foreign effort to destabilize and legitimize our American Government. Nice try.
No one can "legitimize our American Government".
Well, actually, people can legitimize our happens in courtrooms and places of governance everyday.   However, I meant "De-legitimize" and by that nature of your comments I can already tell you aren't nearly as clever as you obviously think you are.
It IS in the courtrooms and places of governance that the US, state and local government de-legitimize themselves - every day.

To any that are paying attention.

As for your ability to "tell"? It is very questionable.
I'm glad you know english so well.  Here in America we don't nit pick our language in order to better communicate ideas.

As a Russian troll and Hacker friend I'm sure you are very proud of your precise english--Sadly, nobody here cares. 

Keep trolling all you want, though.  I'm bored.

P.S. Trump is Temporary, your Putin Pal is for win.
Maybe you should stop being "a Russian troll and Hacker friend". It doesn't mesh well with the persona you are pushing.  But, you know, you are doing pretty well for a non-English speaker.
Wow, 9 months, a bunch of people involved, having to go back 15 years and all you can effectively attack are irrelevant character flaws.

You pretty much fail to tackle Carter's work as a journalist since beginning of 2017, attribute work that isn't his to him and demonstrably misrepresent Carter's work.

I've never seen such a blatantly desperate attempt to undermine someone.

Carter doesn't even exist, you twat.  He isn't a real person.  He was created out of thin air by Russian operatives.  Of course, you already know this and are just here commenting here to muddy the waters.....probably as a Russian operative, yourself.   God, you Russians are Schmucks.
Simply because someone does not accept the CIA/Washington line does not make them some kind of Russian agent. Skepticism regarding CIA/Washington claims can and does exist independent of the Kremlin. What you are doing above is simply a new form of McCarthyism. There is good reason to believe that the alleged hacking of DNC emails was in fact a leak. Indeed a group of former US intelligence analysts came to this very conclusion. See article below, and stop with the McCarthyism. 

"New report claims DNC hack was an inside job — not Russia" 
Ding ding - thank you. :-)
@Yndmeeup I just traced you and confirmed you are posting as Yndmeeup, seedeevee, AND Matttait13.   Get a life.
How can you trace anything? Won't that tinfoil hat cause a disruption? Otherwise, its not nice to lie about others.
@JeffersonBee That 'New Report' you linked is OVER A YEAR OLD and has already been Debunked, as referenced by THIS article!  Are you KNOWINGLY trying to muddy the waters and spread misinformation to assist the KNOWN attempts by Russia to sow confusion and dissent......or are you just a utter moron?
This piece says Binney was misquoted in this article and stands by his statements in letter to Trump.  The DNC material was LEAKED not hacked.
@Yndmeeup Yes, and that article you linked was writing by Elizibeth Vos who is well known for her conspiracy theories, suspected Russian connections, and a willingness to write articles without bothering to cite any sources or back up her assertions with any facts. I trust the FBI and CIA over this one woman anyday.
Who needed to hack Hillary and the DNC (which she owned)? The only reason she and Podesta used private servers was to avoid FOIA requests. They were utterly indifferent to foreign hackers, Russians or otherwise.
Did you trust FBI and CIA when they said Iraq has WMDs too?

There are plenty of sources saying that Binney was misrepresented by Campbell, here are two with Binneys own voice, both recorded after Campbell was talking to Binney:
A long winded, rather obtuse article that starts of on the premise that Wapo exposed (evidence) that the DNC hack was by Russia and cites the "evidence" from unnamed DNC "committee" members and unnamed cyber security "experts" hired by the DNC, does not, ah, inspire much confidence. I'd call it laughable.  
@DrNo76 I'm sorry that a well written and articulated article that informs the reader based on easily accessible and well sourced FACTS doesn't meet your standard of journalism. Perhaps, oh en-lighted Russian Troll, you could provide us your sources and documented evidence as to why we, as unbiased readers, should believe you over the mountains of evidence that run contrary to what you say? Thanks, and have a nice day!
I am sure your facts that prove DrNo76 is a Russian troll will be on the same level of assuredness as Duncan Campbell's.
@SeeDeeVee I'm not espousing facts, I'm just making broad, speculative, accusations with more probability of being accurate than anything your yapping about.  As for this article itself....its got links citing its facts and sources all up and down. All reliable.  You, however, are just a random dude in a comment section.  As am I.   Anyways, I'm off to bed...but I suppose it is about time to get to work in Russia....I imagine that is why the Comment section suddenly lit up!  Have a Great day!
You are making "broad, speculative, accusations" with the same amount of snake-oil as Duncan Campbell.  I, for one, am not a fan of snake-oil salesmen.  But you can carry-on with your snake-oil salesman convention and your xenophobic tendencies.  This is appears to be the place for that.
The back and Forth with all you has been fun, but I think any reasonable person can plainly see you are either  corrupt actors or complete loons at this point based off your replies making no sense (Duncan Campbell cited his sources which are verifiable and credible----non snake oil salesmen like).  I'm done wasting my time with you as I think I've already effectively made my point and was never trying to convince YOU anyways!  Good day!
Wild speculation by the corrupt American justice system and equally wild speculation from verifiably xenophobic Duncan Campbell are not credible sources.

"GRU officers were spotted doing online searches to check English phrases while penning the first blog post for their Romanian fake, according to the DoJ indictment....Detailed evidence had not been publicly available until the publication of the indictment."

There is no "evidence" in the indictment. They are allegations. Unproven, Unsupported. And they wont be proven or supported in a court because this was a 'for show' indictment of individuals beyond the power of the US Courts. It is a play document. Mueller's boys and girls could say anything their fancy wanted since they don't have a body to respond. Asking ain't gettin'. And alleging ain't evidence.

The back and Forth with all you has been fun, but I think any reasonable person can plainly see you are either corrupt actors or complete loons at this point based off your replies making no sense. The evidence comes at the Trial and there is nothing 'strange' or 'unusual' about this current process compared to any other investigation ever done.
You equate allegations to evidence. Sorry, but  you're the loon if not the corrupt actor. You certainly dont understand the difference.
I agree.
Leonard just exposed Campbell's emails and it makes for some very interesting reading.

Full context makes it very clear Campbell had no interest in tackling Leonard's work and only ever sought for character attacks and ways to smear him.

Apparently reporting on the falsehoods published by ComputerWeekly in this article and a breakdown of Campbell's techniques (beyond those already exposed by Leonard) will be coming next week.

Leonard's identity was volunteered to the Department of Justice after assisting in the reporting of his (and others) discoveries to Special Counsel Robert Mueller and Deputy Attorney General Rod Rosenstein.

Clearly Campbell doesn't want us to know about this as it destroys the narrative he's built up here.

Did ComputerWeekly's editorial team properly vet this article?  (It doesn't seem like they did!)
So, now it looks like reporters such as campbell have been fed a host of "official debunking points" by the very intelligence agencies that are guilty of putting out the "Russia did it" hoax. He was obviously sent on a chase to try and find discrediting information about the extremely competent analyst Adam carter. That, in liu of taking on the claims made on the basis of deep analysis that indicate that all the evidence lead to the G2 being an American persona, invented at the behest of the DNC, which dowloaded the information disclosed later under the Guccifer 2.0 banner. Even at the time, G2 seemed off, nothing like an actual "hacker', be they Romanians or Russians or Americans, or whatevers.

Campbell does not succeed in refuting a single item based on the detailed analysis of the metadata as presented by the capable Forensicator and analysed and expanded by Carter. But then again, that was not his job here, which was more along the lines of "undermining the messenger' which is why he went off to try and doxx whoever Carter is.

I should say, that I mean the word "job" because the way this slander article is laid out has the tell tale signs of a paid assignment. WE just don't know who the payer was exactly. As for ComputerWeekly, this publication has been deeply compromised now.

As it stands, most of is who were able to read through the carter analysis and follow the evidence of the metadata to wherever it led (ie, back to the US East Coast) will not be persuaded by a mere hit piece, of which there have already been quite a few.

It is of course obvious why the deep State - and/or operative who may or may not know they work for the deep state, would go after carter. It is not because the analysis was questionable but because it wasn't. There are probably quite a few in the FBI/CIA/Mueller team who know what we all know. They also know the Indictment of some "Russian GRU" people (who must be the stupidest intelligence agents in the world to have left Russian "smileys" behind) is bogus. IOW, tyhey know Guccifer2.0 was a deliberate false flag every bit as much as the Iraqi WMDs and the Gulf of Tomkin. They know the truth but go along with a bold face lie.

That, as well as the ease with which columnists like campbell can be enticed to do the bidding of malevolent state actors, are the problem we, the people, need to think about.
@Karin84 Leonard IS Carter. Did you even read the Article you are commenting on? Also, I used to work in the Government and can assure you that there is no 'Deep State'. All there are, is a bunch of honest hard working folks---even at the highest levels---wanted to serve their country for some decades, and then collect a lifetime of pension checks.
The real story isn't who hacked the DNC anyway (unless Trump was a participant). It isn't Russian interference either as they've been using every medium available for the past century to meddle (always to benefit leftist parties throughout the west).  The real story is what did U.S. authorities know, when did they know and what did they do?  Stonewalling when they began looking at Trump/Russia aside, there is actual evidence that looking for collusion pre-dates the DNC hack.  Stop and think about the ramifications of this. The Mueller investigation seems to be more about covering all that up than exposing any collusion.  Getting dirt on an opponent from any source is perfectly legal. Ask Hillary as she "colluded" with Russian intelligence to put together her "dossier." Then Obama & Co. "colluded" with Clinton and the DNC to watch and even infiltrate their opposition's presidential campaign (a first in U.S. history) using it to legitimize their intra-party espionage. Then, while they were sitting back letting the Russians try to infiltrate Team Trump, Russia hacked the DNC right under their noses!  Covering all this up, preserving the reputation and integrity of DOJ, FBI, CIA, et al has been job one for the establishment's good soldier Robert Mueller, who I believe sees protecting institutions very near and dear to his heart as much more important than seeing that loathsome POS Trump exonerated.    
Where'd you get the idea that the transfers had to happen in different physical/geographic locations to explain the timestamp differences?

One could have a laptop see to Central, because that's their home timezone, but also work on a desktop that's sweet to the local timezone, Eastern.

If one were to believe this was a leak, one would have to allow for the fact that DNC personnel are from all over the country and include a lot of contractors that use their personal laptop for work purposes, which would keep their home timezone even when on site.

What garbage! You attempt to bury the premise is irrelevant background information in the hopes that the average reader won’t notice that you failed to debunk the premise of the VIPS report. Then you cite Washington post articles which cite other articles which cite unnamed sources. Then you dox leanord. And to top it off they are using this a a citation for Wikipedia! Looks like the deep state got to wikipedia too—so much for that website... What a joke.
Your author claimed indicators of US timezones only appeared in the NGP-VAN files.  Several examples showing that this is false (with links to the evidence) have been provided to your editor in chief.

Your author was also caught knowingly lying about positions held by those he has attacked.  In other words, the person accusing others of engaging in a disinformation campaign (which you never actually demonstrate), has engaged in disinformation in this article.

This has been explained to your editor in chief with further information to substantiate this.

Your editor in chief, when challenged on over 40 errors in the article conceded in a private conversation that statements made in this article were on the basis of "belief" and "opinion" but you have failed to communicate this to your readers and statements asserting fact that are false and defamatory remain uncorrected and without qualification.

You should retract this hit-piece, it disgraces your publication and has harmed people who only ever sought to learn the truth about Guccifer 2.0.

If you care about the facts relating to Guccifer 2.0, backed by verifiable evidence, you will find them at: