New Evidence For How Guccifer 2.0 Framed Russia and How The DNC May Be Behind It


Rep. Adam Schiff stated on March 20 to the House Intelligence Committee that Guccifer 2.0 was an “intermediary” used by Russian intelligence service to leak hacked information from the DNC. However, Adam Carter, a Twitter user investigating Guccifer 2.0 that created the website, Guccifer 2.0: Game Over, says that information has been uncovered that shows a DNC staffer edited Guccifer 2.0 released files only 30 minutes before they were released, and that Russian fingerprints were intentionally added to the releases. 

According to Carter’s website, “Metadata suggests it took only 30 minutes to go from a DNC tech/data strategy consultant creating documents to Guccifer 2.0 tainting them – all occurring on a date that Guccifer 2.0 claimed to be after he was locked out of the DNC Network – occurring on the same day that Guccifer 2.0 emerged. As well, “Data found deeper in files now also demonstrates there was a misdirection effort, that, in its larger scope – seems to have been intended to discredit leaks by having leaks blamed on Russian hackers.”

Regarding the file tainting, four files from the June 15 release were created by DNC Staffer Warren Flood approximately 30 minutes before being modified by Guccifer 2.0, including 2.doc, which was created at 1:38pm and modified by “Феликс Эдмундович” at 2:113.doc, created at 1:38pm and modified at2:12pm, and 5.doc, created and modified at the same time,2:13pm! This could suggest they were created and modified by Warren Flood or his computer at the same time they were being edited with a new Russian “modified by” name added to it. 

According to Carter, “there is a key fact about some non-Russian metadata that nobody seems to have reported and it certainly seems to be of critical importance – and that is the document creation timestamps.” When Guccifer 2.0 first released these documents, and shared them with TheSmokingGun, Gawker, ArsTechnica and others, the first document, “1.doc” (mirror), was given extended coverage. While the name “Warren Flood” was reported, the date in the report (rather than in the metadata) was reported and so it was attributed to Warren Flood on 12/19/15. However, Carter says that  “Gawker incorrectly claimed the metadata showed the document was created in 2015 when it actually indicated the document was created by Warren Flood at a much later date.” In actuality, the metadata shows the document being created 30 minutes before Guccifer 2.0 appears to have gotten his hands on it:

Created by Warren Flood on 15th of June at 13:38

Modified by Феликс Эдмундович on 15th of June at 14:08

The other document, “2.doc” (mirror) was not mentioned so much, but it too had interesting metadata:

Created by Warren Flood on 15th of June at 13:38

Modified by Феликс Эдмундович on 15th of June at 14:11

How did this get missed? Carter says that people who investigated were probably using MS-Word. Recent versions of MS-Word tend to show limited metadata from RTF1 format files. As an example, for “2.doc”, MS-Word 2010 shows:

If you open “2.doc” in OpenOffice though, you will note these timestamp correlations, specifically under “Modified”:

Therefore, the aforementioned media outlets failed to report on the “Modified” portion of the metadata. As well, the unreported detail regarding the Revised Time of 30 minutes before Guccifer 2.0 obtained it can be found in the raw data of “1.doc”, where in an ever closer correlation, the Revised time is noted as 2016/6/15 (14:08):

Furthermore, Carter alleges that Guccifer 2.0 engaged in “misdirection” by making it appear he was Russian, when he was not, by naming his computer account after the founder of the Soviet Secret Police. Guccifer 2.0 also created/opened and then saved documents so the Russian name was written to metadata, used a Russian VPN service to cloak his IP address and used public web-based email services that would forward his cloaked IP. He then contacted various media outlets making all of this obvious, so that any simpleton will think he is a Russian, although outwardly denying he is a Russian.

The misdirection attempt was also expressed in how a Russian template was used to create all of the following documents: (link) (link) (link)

In all 3 documents, the following text string (a stylesheet definition) exists:

{*cs107 additive rtlchfcs1 af1 ltrchfcs0 f1 sbasedon10 slink108 slocked spriority1 styrsid11758497 ‘c1’e5’e7 ‘e8’ed’f2’e5’f0’e2’e0’eb’e0 ‘c7’ed’e0’ea;}{ s108ql li0ri0widctlparwrapdefaultaspalphaaspnumfaautoadjustrightrin0lin0itap0contextualspace rtlchfcs1 af1afs20alang1025 ltrchfcs0 f1fs20lang1049langfe1049cgridlangnp1049langfenp1049 sbasedon0 snext108 slink107 sqformat spriority1 styrsid11758497 No Spacing;} Since, as noted, this text string is found in all 3 documents, this means that each was based on the same document at some point, because it’s the only way they’d have an identical RSID of 11758497. The “lang1049”, “langfe1049”, etc. parts of the string show that this is set to Russian language, according Microsoft Locale ID Values.

Therefore, according to Carter, all 3 documents were based off an original document that already had “Russian-fingerprints” associated with it even before the content in those 3 documents was added. If they were separate documents that had these specific “Russian-fingerprints” accidentally added while being handled – they would all have different RSIDs. The only way for what we observe to have happened is for all 3 files to have been based on a pre-tainted template. So Carter asks, “why would Russia frame itself”, when it didn’t have to?

The real reason for all of this, according to Carter, is that the DNC was desperate to portray information that was sent to Wikileaks as a Russian hack in order to cast doubt on the authenticity of the documents and to make the media conversation be about Russian meddling in the election. Carter says that “The campaign was in a desperate position and really needed something similar to a Russian hacker narrative and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of ‘fingerprints’ tainting files and bringing the reputation of leaks into question… Sure enough, 2-3 days later, Guccifer2.0 – the world’s weirdest hacker – was spawned and started telling lies in an effort to attribute himself to the malware discoveries, etc.”

Indeed, when Guccifer 2.0 first released its 1.doc on June 15th, it was Donald Trump who first speculated that the “DNC hacked itself” when releasing this information and pretending to be the Russians.  The FBI has not examined the DNC’s computer servers, even while requesting access to DNC servers. Even during the March 20 testimony of James Comey, it was confirmed that DNC Servers have not yet been examined by the FBI, NSA, or the CIA 

To summarize, we ought to ask, why would Russia apparently frame itself by copy and pasting files it already obtained from the DNC and then placing them into a Russian template, or was this aDNC hurriedly trying to frame Russia? And, we also ought to ask,how did Guccifer 2.0 apparently acquire and edit the documents in 30 minutes of them apparently being created by Warren Flood – a question that Flood might be able answer, as we can only speculate.

Contact Steve Cunningham at [email protected]

Self-Educated American Guest Writer, Steve Cunningham, is from New York. He has written for the American Thinker and contributed to the Federalist. He can be contacted by directing email to [email protected]


Please enter your comment!
Please enter your name here