Categories
Saved Web Pages

From Discord to 4chan: The Improbable Journey of a US Intelligence Leak

2005-06-15T000000Z_172805314_RP6DRMSGHYA

In recent days, the US Justice Department and Pentagon have begun investigating an apparent online leak of sensitive documents, including some that were marked “Top Secret”. 

A portion of the documents, which have since been widely covered by the news media, focused on Russia’s invasion of Ukraine, while others detailed analysis of potential UK policies on the South China Sea and the activities of a Houthi figure in Yemen. 

The existence of the documents was first reported by the New York Times after a number of Russian Telegram channels shared five photographed files relating to the invasion of Ukraine on April 5 – at least one of which has since been found by Bellingcat to be crudely edited. 

These documents appeared to be dated to early March, around the time they were first posted online on Discord, a messaging platform popular with gamers.

However, Bellingcat has seen evidence that some documents dated to January could have been posted online even earlier, although it is unclear exactly when. Bellingcat also spoke to three members of the Discord community where the images had been posted who claimed that many more documents had been shared across other Discord servers in recent months.

As the channels were deleted following the controversy generated by the leaked documents, Bellingcat has not been able to confirm this claim. 

An aerial view of the Pentagon building in Washington, June 15, 2005, with the Potomac river in the foreground. Photo (c): REUTERS/Jason Reed JIR/CN

Bizarrely, the Discord channels in which the documents dated from March were posted focused on the Minecraft computer game and fandom for a Filipino YouTube celebrity. They then spread to other sites such as the imageboard 4Chan before appearing on Telegram, Twitter and then major media publishers around the world in recent days.

Ukrainian officials have cast doubt on the veracity of the documents, with Mykhailo Podolyak, the adviser to the head of the Office of the President of Ukraine, stating on Telegram that he believes Russia is behind the purported leak. But US security officials quoted by the New York Times appeared to hint at their authenticity.

Russian Presidential spokesperson, Dmitry Peskov, told CNN that the documents showed the extent of US and NATO involvement in Ukraine. Yet one pro-Russian Telegram channel that has been providing updates on the conflict wasn’t convinced and said it was possible the documents could be Western disinformation.

The documents appear to detail events and offer analysis of Russia’s invasion of Ukraine up until March 2023.

None of the documents seen by Bellingcat had been scanned but rather had been photographed. Creases can be seen on the documents with items, such as a hunter’s scope box and some Gorilla Glue visible in the background of those dated from early March. This appears to indicate that at least some of the documents were photographed in the same location. 

The content of the shared documents ranges widely, with some topics including maps of hotspots in Ukraine such as Bakhmut and Kharkiv, a delivery timetable for Western munitions to Ukraine as well as maps and catalogues of Ukrainian air defence assets – including a calendar of ammunition expenditures. A “CIA Operations Center Intelligence Update” marked “Top Secret” for March 2 is also included in the images, although much of the information in these documents had previously been publicly available through media reports.

While it has as yet not been possible to uncover the original source of these apparent leaks, it has been possible to trace the spread of the documents over a variety of internet forums in recent months before they were reported by pro-Russian Telegram channels and then major media outlets.

Telegram and 4chan

On April 5, the documents started propagating through pro-Russian Telegram channels, with the first version found by Bellingcat being on the Telegram channel “Donbass Devushka” at 9:29pm (Ukraine time). 

A post on the Donbas Devushka channel detailing the documents. The time reads 1:29pm as it was captured on a device operating on US Central time.

This post contained four images before another post with a further image was shared shortly after

Just a couple of hours earlier, a user on 4chan had posted the first of eight messages in a thread on the Politically Incorrect (/pol/) board, three of which had attached images of seemingly similar, but mostly different, documents. 

These eight messages, some of which can be seen below, were made by the same anonymous user, as indicated by the same ID being used – CXWfLHRB.

A series of posts on 4chan which were posted roughly two hours before similar documents appeared on the Donbas Devushka Telegram channel. The time on the first post reads 10:33 am US Central time, which is eight hours behind Ukraine.

In a further post without an image, the same poster argued with another 4chan user about the veracity of the information contained within their posts.

There was only one image in common between the Telegram and 4chan posts: a map that showed a number of statistics, including the cumulative number of KIA (killed in action) soldiers on the Russian and Ukrainian sides through the course of the war. 

However, the numbers on these two sources differed, with the first source (4chan) showing more Russian losses than Ukrainian, and the second source (Donbass Devushka) the reverse.

A closer examination of the second image, with the much higher Ukrainian KIA numbers, that was posted on Telegram shows crude image manipulation. 

As well as the later posting time and far blurrier resolution, the numbers are out of alignment. Spacing between some numbers and letters is also too large to be consistent with the font. 

It therefore seems that either the Donbass Devushka Telegram account, or a previous source posted by this account, altered the original image to paint the Ukrainian losses as heavier than in the original assessment.

Nevertheless, neither of the sources for the 4chan or Telegram posts are the original.

Onto Discord

On 4 March – over a month before the Telegram and 4chan posts – 10 documents were posted in a Discord server called “Minecraft Earth Map”. Minecraft is a popular computer game with millions of players around the world. After a brief spat with another person on the server about Minecraft Maps and the war in Ukraine, one of the Discord users replied “here, have some leaked documents” – attaching 10 documents about Ukraine, some of which bore the “Top Secret” markings.

Image content pixelated by Bellingcat

All seven of the documents from the 4chan and Telegram posts – including the map with the lower casualty figures from Ukraine – were present in this post, along with three additional ones not posted in any Telegram, Twitter, or 4chan post at the time.

The user who shared this map later claimed on Twitter that he found them posted by another user on a Discord server called WowMao, run by and for fans of a popular YouTuber of the same name. 

On March 1 and March 2, a WowMao user posted over 30 documents, many of which are marked “Top Secret”, on the server, therefore predating the Minecraft server posting. 

This same user also posted dozens of other documents about Ukraine on this server before they were purged on April 7. While Bellingcat has seen these posts, it has not been able to independently verify the authenticity of the documents within them.

Thug Shaker Central

However, the WowMao server may still not be the original source of these documents.

Bellingcat spoke to members of a separate Discord community who claimed that other images had been posted earlier on yet another, since deleted, server often called “Thug Shaker Central” but which also had several other names at different times. Image files shown to Bellingcat detailed a further document in the same style and formatting of those posted in the WowMao server that was dated to January 13. 

Yet given the images shared were screengrabs and not a link to the original server post which has been taken down, it is not possible to independently verify their authenticity. The content of these documents beyond the date and classification was also blurred out when shown to Bellingcat.

The Thug Shaker Central server was originally named after its original founder, one member of the server with the username “Vakhi” told Bellingcat. Server administrator duties then passed through various users before a new member took on the responsibility and it went through one of many name changes. Vakhi did not want to name this person but said they were the original source of the leaked documents. According to Vakhi, and two other users who spoke to Bellingcat but declined to be identified by their usernames, the files that were leaked onto WowMao are only the “tip of the iceberg” compared to the quantity of documents posted onto Thug Shaker Central.

There are no traces left of this server outside of testimony from these users, and scattered references to its existence on 4chan. Bellingcat is therefore unable to independently verify all of the information shared by these users, including the aforementioned January document or if the other uploader described as the source of the leak was indeed the original source. 

However, Bellingcat was able to confirm that Vakhi and the other users who spoke to Bellingcat, as well as another who shared documents on the WowMao server, were part of the Thug Shaker server given that they shared member lists with Bellingcat which matched in key details.

Their accounts of the server’s general nature also independently coincided. The name of the Thug Shaker server frequently changed, sometimes to that of a racial slur, and had around 20 active users making up a tight-knit community, members said. Posts and channel listings show that the server’s users were interested in video games, music, Orthodox Christianity, and fandom for the popular YouTuber “Oxide”.

This server was not especially geopolitical in nature, although its users had a staunchly conservative stance on several issues, members told Bellingcat. Racial slurs and racist memes were shared widely.

Bellingcat contacted Discord to ask about the existence of the Thug Shaker Central, WowMao and Minecraft Earth Map servers, as well as whether Discord had any knowledge that “Top Secret” documents were apparently being shared there

Bellingcat also asked the Department of Defense (DoD) whether the documents shared in the channels were genuine and if it was aware of the source of the apparent leak.

Discord said it was not able to provide comment at this time when contacted by Bellingcat.

The DoD told Bellingcat in an email that it was “actively reviewing the matter, and has made a formal referral to the Department of Justice for investigation”.