FBI agents, just weeks before the 2016 election, opened an investigation into allegations of a secret communication channel between Donald Trump and Russia. The bureau closed the probe after several months but did not make public that it had dismissed the claims, which came from Hillary Clinton’s campaign and a group of researchers.
‘Jumped to Conclusions’
The white paper and data handed over to the FBI by Sussmann on Sept. 19, 2016, asserted there was a “secret email server” used by the Trump Organization that was communicating with Alfa Bank in Moscow through “another unusually-configured server” at Spectrum Health in Michigan.
Scott Hellman, an agent who specializes in investigating cyber crimes, took the first crack at the allegations with Nathan Batty, a colleague. The pair spent inside of a day examining the data, and quickly concluded that whoever penned the white paper “had jumped to some conclusions that were not supported by the technical data,” Hellman testified.
The allegations were based on purported “look-ups,” or Domain Name System requests, between mail1.trump-email.com, the server allegedly controlled by Trump’s business, and servers belonging to the Russian bank. DNS lookups are a way for a computer to find another computer’s Internet Protocol address (IP address), a unique number needed for communication between computers.
The researchers said they tried to connect with the Trump server and that the server would not accept mail from their IP address, or returned what was essentially an error message, Hellman said. The researchers used that, among other data, to suggest the Trump server would only communicate with certain devices, such as those linked to Alfa Bank.
“That didn’t make sense to me. It was sort of like if I knocked on your door, and you told me to go away—I don’t want to talk to you—I’m then going to assume that you’re only willing to talk to other people. I can’t make that assumption. I don’t know if you’re willing to talk to anybody. But that’s what they had done,” he said. “When they received an error message, they assumed that that computer wasn’t willing to talk to them, but it was willing to talk to others, and there was no evidence to suggest that. So assumptions like that is what I was referring to.”
They also said that Russia’s state-sponsored technical abilities “exceed the [operations] of that suggested in the report.”
‘No Evidence’
Under pressure from then-FBI Director James Comey and other senior officials, a hybrid cyber-counterintelligence team based in Chicago took control of the data and opened a full investigation, the most serious step the FBI could have taken.
Thumb drives containing the white paper and the underlying data outlined the conclusions reached by the researchers and some of the data they used, but that was just a “snapshot,” forcing FBI investigators to “create the whole picture from scratch,” Allison Sands, the agent who led the investigation, said on the stand.
Sands, now with Roku, compared it to trying to assemble a puzzle without the benefit of having a box at which to look.
The Trump domain was on a server in Pennsylvania owned by a company named Listrak, an internet server provider. The domain was registered to a company named Central Dynamics, which is based in Florida. The domain was being leased from GoDaddy.
Agents reached out to the companies for data and answers. Listrak confirmed that the server was only configured to send emails, not receive any. It also provided some 135,000 records. Central Dynamics provided closer to 500,000 records and GoDaddy handed over a similar amount.
The determination was based on an examination of the allegations conducted on behalf of Alfa Bank. The examination concluded the Alfa Bank servers may have conducted the DNS lookups in response to spam emails sent by Listrak or Central Dynamics.
“Alfa Bank’s conclusions corroborate current FBI investigative activity, which has not identified any evidence to support the whitepaper’s hypothesis that Alfa-Bank and Trump Organization servers intentionally, covertly communicated via DNS channels,” the document stated.
It was learned that Central Dynamics established the domain in partnership with the Trump Organization in 2009 but the company never used the domain, which had only received about 14 emails, all of which were blocked as spam or malware.
“It was largely dormant for the lifespan of its life, was currently inactive, and that it was entirely a ‘from’ email address, so it only sent outbound messages,” Sands explained.
“From all of the U.S. companies we had spoken to, of the logs that we had looked at, as well as the Mandiant report from the Alfa Bank servers, there was no evidence that this covert communication channel existed,” Sands said.
“Our investigation was unable to substantiate any of the allegations in the white paper,” said Curtis Heide, another FBI agent involved in the probe.
‘Did Not Pass Analytical Muster’
The other piece of the allegations involved Spectrum. Researchers said the nonprofit healthcare company was essentially being utilized as an intermediary between Trump’s business and Alfa Bank, through a node of The Onion Router (TOR), a technology designed by the U.S. government that enables anonymity.
FBI investigators went to a website, TORproject.org, to see if any of Spectrum’s servers were or had ever been used as a TOR node, and found that they had not.
The agents also received logs and records from Spectrum, and “did not see any unusual activity,” Sands said.
That part of the allegations “did not pass analytical muster,” Ryan Gaynor, an agent monitoring the investigation for senior leaders from the Washington area, testified. “It didn’t have merit.”
“In 2016, media coverage alleged internet traffic between a computer server affiliated with the Trump organization and the computer servers of Alfa Bank (a Russian bank) and Spectrum Health. Spectrum Health does not and never has had any relationship with Alfa Bank or any of the Trump organizations,” a Spectrum spokesperson told The Epoch Times in an email.
CIA Conclusions
According to special counsel John Durham’s team, which prosecuted Sussmann—the lawyer who was acquitted—the CIA also analyzed the allegations, and concluded they were not only not true, but were not plausible.
Sussmann went to the CIA in early 2017, apparently frustrated by the FBI’s investigation. He met with a retired agent first, then with two agents on Feb. 9, 2017.
In court papers, prosecutors referred to the CIA as “Agency-2.” They said that CIA analysts believed the data from the researchers was fabricated.
“While the FBI did not reach an ultimate conclusion regarding the data’s accuracy or whether it might have been in whole or in part genuine, spoofed, altered, or fabricated, Agency-2 concluded in early 2017 that the Russian Bank-1 data and Russian Phone Provider-1 data was not ‘technically plausible,’ did not ‘withstand technical scrutiny,’ ‘contained gaps,’ ‘conflicted with [itself],’ and was ‘user created and not machine/tool generated,’” prosecutors said in a filing before the trial.
Little was said on the subject during the trial because U.S. District Judge Christopher Cooper, an Obama appointee, ruled that prosecutors could not broach the possibility of the data being spoofed unless the defense did. Defense lawyers did not bring it up.
There were several moments, however, when statements slipped through.
When presented with an email Joffe sent to his group just five days before Sussmann gave the data to the FBI, Heide said that “it appears, from this email, that this report may have been fabricated.”
Cooper also ordered redacted a portion of the report authored by Hellman and Batty that said the data “might have been intentionally generated and might have been fabricated,” according to Andrew DeFilippis, one of the prosecutors.
“I will not allow [Hellman] to talk about whether it’s fabricated or spoofed,” Cooper said, adding that doing so would encroach on his order.
Years of Speculation
Speculation about the nefarious activity alleged in the white paper continued for years as the FBI and CIA remained silent about their findings.
The first stories about a possible secret link between the Trump Organization and Alfa Bank ran in Slate and the New York Times on Oct. 31, 2016—just one week before the presidential election.
The logs the researchers studied “suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence,” Slate reporter Franklin Foer wrote in his article. “We don’t yet know what this server was for, but it deserves further explanation,” he added later.
The New York Times said the FBI was investigating the purported link but “ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.”
In March 2017, CNN reported, citing anonymous sources, that the FBI investigation into the matter was still ongoing. That was false, according to the trial documents and testimony.
The New Yorker, in late 2018, published a lengthy article suggesting there was a secret channel between Trump’s business and the Russian bank.
Only Slate’s article has been corrected, and not since a day after publication. Some of the stories still contain false information; all have outdated details. Spokespersons for the publications did not respond to requests for comment.
The allegations divided technology experts when first promoted, but reporters found a number willing to make comments supporting the researchers’ theories.
Of the eight researchers mentioned or quoted in the pieces as suggesting the allegations made sense, none were willing to talk on the record about what they think now based on the newly emerged information.
“Thanks for reaching out, but I’m not interested,” Vixie, now with Amazon Web Services, told The Epoch Times in a LinkedIn message. “I know nothing of how they came to their conclusions,” Clayton added via email, referring to the FBI and the CIA. Of the Sussmann trial, he said, “I haven’t been following that.”
Steven Bellovin, a professor at Columbia University, referred a request for comment to his lawyer. “We are not going to comment on the matter,” the lawyer said.
“While I of course think the DNS logs were nonsense, I’m still not sure how [t]he FBI came to that conclusion,” Graham told The Epoch Times in a Twitter message. “I think the basic issue is that it looks like an unsubstantiated conspiracy theory, and that this is why they didn’t do more.”