Cybersecurity experts who held lucrative Pentagon and homeland security contracts and high-level security clearances are under investigation for potentially abusing their government privileges to aid a 2016 Clinton campaign plot to falsely link Donald Trump to Russia and trigger an FBI investigation of him and his campaign, according to several sources familiar with the work of Special Counsel John Durham.
Durham is investigating whether they were involved in a scheme to misuse sensitive, nonpublic internet data, which they had access to through their government contracts, to dredge up derogatory information on Trump on behalf of the Clinton campaign in 2016 and again in 2017, sources say — political dirt that sent FBI investigators on a wild goose chase. Prosecutors are also investigating whether some of the data presented to the FBI was faked or forged.
These sources, who spoke on the condition of anonymity to discuss a sensitive law enforcement matter, said Durham’s investigators have subpoenaed the contractors to turn over documents and testify before a federal grand jury hearing the case. The investigators are exploring potential criminal charges including giving false information to federal agents and defrauding the government, the sources said.
The campaign plot was outlined by Durham last month in a 27-page indictment charging former Clinton campaign lawyer Michael Sussmann with making a false report to the FBI. The document cites eight individuals who allegedly conspired with Sussmann, but does not identify them by name.
The sources familiar with the probe have confirmed that the leader of the team of contractors was Rodney L. Joffe, who has regularly advised the Biden White House on cybersecurity and infrastructure policies. Until last month he was the chief cybersecurity officer at Washington tech contractor Neustar Inc., which federal civil court records show was a longtime client of Sussmann at Perkins Coie, a prominent Democratic law firm recently subpoenaed by Durham. Joffe, 66, has not been charged with a crime.
Neustar has removed Joffe’s blog posts from its website. “He no longer works for us,” a spokeswoman said.
A powerful and influential player in the tech world, Joffe tasked a group of computer contractors connected to the Georgia Institute of Technology with finding “anything” in internet data that would link Trump to Russia and make Democratic “VIPs happy,” according to an August 2016 email Joffe sent to the researchers. The next month, the group accused Trump of maintaining secret backchannel communications to the Kremlin through the email servers of Russia-based Alfa Bank. Those accusations were later determined to be false by the FBI, Special Counsel Robert Mueller, the Justice Department inspector general and a Senate intelligence panel.
The Sussmann grand jury indictment states that the federal contractors, who mined private internet records to help “conduct opposition research” in coordination with the Clinton campaign, were driven not by data but by “bias against Trump.”
Joffe’s lawyer has described his client as “apolitical.” He said Joffe brought Sussmann information about Trump he believed to be true out of concern for the nation.
Steven Tyrrell, a white-collar criminal defense attorney specializing in fraud cases, has confirmed that his client Joffe is the person referred to as “Tech Executive-1” throughout the Sussmann indictment. “Tech Executive-1 exploited his access to nonpublic data at multiple internet companies to conduct opposition research concerning Trump,” Durham’s grand jury stated. “In furtherance of these efforts, [Joffe] had enlisted, and was continuing to enlist, the assistance of researchers at a U.S.-based university [Georgia Tech] who were receiving and analyzing internet data in connection with a pending federal government cybersecurity research contract.”
The indictment also alleges that the computer scientists knew the internet data they compiled was innocuous but sent it to the FBI anyway, sending agents down a dead end: “Sussmann, [Joffe] and [Perkins Coie] had coordinated, and were continuing to coordinate, with representatives and agents of the Clinton campaign with regard to the data and written materials that Sussmann gave to the FBI and the media.”
One of the campaign representatives with whom Joffe coordinated was Jake Sullivan, who was acting as Clinton’s foreign policy adviser, as RealClearInvestigations first reported. Now serving in the White House as President Biden’s national security adviser, Sullivan is under scrutiny for statements he made under oath to Congress about his knowledge of the Trump-Alfa research project. In a potential conflict of interest, Attorney General Merrick Garland employed Sullivan’s wife Maggie as a law clerk when he was a federal judge. Garland controls the purse strings to Durham’s investigation and whether his final report will be released to the public.
At the time, Joffe was advising President Obama on security matters and positioning himself for a top cybersecurity post in an anticipated Clinton administration. “I was tentatively offered the top [cybersecurity] job by the Democrats when it looked like they’d win,” he revealed in a November 2016 email obtained by prosecutors.
Meanwhile, the Georgia Tech researchers were vying for a $17 million Pentagon contract to research cybersecurity, which they landed in November 2016, federal documents show.
Government funding in hand, they continued mining nonpublic data on Trump after he took office in 2017 — as Sussmann, Sullivan and other former Clinton campaign officials renewed their effort to connect Trump to Alfa Bank. This time, they enlisted former FBI analyst-turned-Democratic-operative Dan Jones to re-engage the FBI, while Sussmann attempted to get the CIA interested in the internet data, as RCI first reported. Investigators have also subpoenaed Jones, who did not respond to requests for comment.
South African-born Joffe left his job at Neustar last month, after hiring a top fraud attorney in Washington several months earlier, when Durham first began presenting his case to the grand jury. Tyrrell declined to comment when asked by RCI about his client’s cooperation with the federal grand jury hearing Durham’s broadening case. Tyrrell also had “no comment” when asked whether the Special Counsel’s Office has notified him that his client is a target of the ongoing investigation. However, Tyrrell defended Joffe in a public statement, asserting that the special counsel and the grand jury presented a “misleading picture of his actions” in the so-called “speaking indictment,” which the sources said is a prelude to additional indictments that could culminate in conspiracy charges.
That indictment, which details a conspiracy involving widespread deception, was followed by a flurry of fresh subpoenas aimed at Perkins Coie itself, rocking the Democratic political machine in Washington. Millions of dollars secretly flowed through Perkins to the Clinton campaign’s opposition-research projects against Trump, leaving an extensive money trail for Durham’s investigators to trace and check for possible Federal Election Commission and other violations, the sources say.
Tyrrell insisted that Joffe had “no idea [Sussmann’s] firm represented the Clinton campaign,” even though he worked closely with Sussmann and another well-known campaign lawyer, Marc Elias — as well as with Glenn Simpson of Fusion GPS, an opposition-research firm hired by the Clinton campaign to dig up dirt on Trump in 2016. He added that his client “felt it was his patriotic duty to share [the report on Trump] with the FBI.”
What Did Durham Find?
However, Durham’s investigation uncovered emails revealing that Joffe knew the narrative they were creating about Trump having a secret hotline to Russian President Vladimir Putin was tenuous at best. In fact, Joffe himself called the data used to back up the narrative a “red herring.” In another email, Joffe said he had been promised a high post if Clinton were elected, suggesting he may have had a personal motivation to make a sinister connection between Russia and Trump. He added that he had no interest working for Trump: “I definitely would not take the job under Trump.”
“Joffe was doing what he was doing to get that plum job,” former FBI counterintelligence official Mark Wauck said in an interview. “And Sussmann was working with Joffe because Joffe was needed for the Clinton campaign’s ‘confidential project,’ ” which was the term Sussman used to describe their data research in billing records.
At the time, Joffe was a volunteer cybersecurity adviser to Obama and visited the White House several times during his administration, Secret Service entrance logs show. In 2013, then-FBI Director James Comey gave him an award recognizing his work helping agents investigate a major cybersecurity case.
Joffe is the “Max” quoted in media articles promoting the secret cyber plot targeting Trump, a code name likely given him by Simpson, who has a son named Max. The stories described “Max” as a “John McCain Republican.” In 2017, Joffe, who spent much of his career in the late McCain’s home state of Arizona before moving to Washington,helped rekindle the Trump-Alfa tale by plumbing more data and helping feed the information to the Senate Armed Services Committee, which McCain chaired.
Joffe’s boss during the 2016 campaign was then-Neustar President Lisa Hook, a major Democratic Party donor who publicly endorsed Clinton and contributed to her campaigns. Records show her contributions to Democrats, including Joe Biden and Obama, total more than $249,000. In 2011, Obama appointed Hook to his National Security Telecommunications Advisory Committee.
Joffe has started a number of small internet companies. One of them, Packet Forensics, reportedly landed a recent Pentagon contract to manage a large chunk of internet domains owned by the military. The bid was awarded the day Biden was inaugurated president. His company also sells federal law enforcement wiretapping equipment that allows authorities to spy on private web browsing through fake internet security certificates, instead of real ones that websites employ to verify secure connections. Joffe has worked on cybersecurity cases with federal law enforcement and intelligence agencies for 15 years.
April ‘Tea Leaves’ Lorenzen
Joffe worked closely with another top computer scientist assigned to the Alfa project, who has used the pseudonym “Tea Leaves,” as well as masculine pronouns, in media stories to disguise her identity. The operative has been identified by her attorney as April D. Lorenzen, who supplied so-called Domain Name System (or DNS) logs from proprietary holdings — the foundation for the whole conspiracy charge — and helped compile them for the spurious report that was fed to the FBI, according to the indictment.
A registered Democrat, Lorenzen was tasked by Joffe with making a Trump connection from the data along with the researchers from Georgia Tech, where she has worked as a guest researcher since 2007.
Prosecutors suggested Lorenzen was trying to create an “inference” of Trump-Russia communications from DNS data that wasn’t there.
The DNS system acts as the phonebook of the internet, translating domain names for emails and websites into IP (internet protocol) addresses in order for Web browsers to easily interact. The traffic leaves a record known as DNC “lookups,” which is basically the pinging back and forth between computer servers.
Lorenzen has retained white-collar criminal defense lawyer Michael J. Connolly of Boston, who said in a statement that Lorenzen was acting in the interest of national security, not politics, and “any suggestion that she engaged in wrongdoing is unequivocally false.”
The 59-year-old Lorenzen helped found two tech firms operating out of Rhode Island where she lives — Dissect Cyber Inc. and Zetalytics LLC. Her companies have contracted with the U.S. Department of Homeland Security’s cybersecurity division and other agencies. In that role, she oversees one of the world’s largest and most diverse systems of “passive,” or stored, DNS records, which can be searched to uncover potential security incidents. The year before the 2016 presidential campaign, she boasted, “Massive passive DNS data is what I comb daily, providing the most interesting IPs and domains, real time.”
She specializes in identifying “spoofed domains” used for email phishing scams.
In her bio, Lorenzen also said she currently serves “as the principal investigator for a critical infrastructure supply-chain cybersecurity notification research project.” She did not provide further details about the project. However, she regularly trains and briefs federal law enforcement agencies about cybersecurity issues.
A colleague of Lorenzen who features prominently in the project to link Trump to the Russian bank, but who is not referenced in the indictment, is L. Jean Camp, an Indiana University computer science professor who posted the dodgy data on her website and helped propagate the conspiracy theory in the media. “This person has technical authority and access to data,” she said of “Tea Leaves,” the originator of the data, vouching for her friend Lorenzen while hiding her identity.
Camp is a Democratic activist and major Hillary Clinton booster and donor. Federal campaign records show she contributed at least $5,910 to Clinton’s 2008 and 2016 campaigns, including thousands of dollars in donations around the time she and the Clinton campaign were peddling the Trump-Alfa conspiracy theory.
Camp called for a full-blown FBI investigation into the data she pushed in the media. When the FBI dropped the case in February 2017, Camp lashed out at the bureau for closing the Trump email probe after reopening the Clinton email case. In a March 2017 tweet, she fumed, “Why did FBI kill this story before election to focus on Her Emails?” She also called for people to “join the resistance” against Trump.
Camp did not return a request for comment.
Another “computer scientist” tied to the project was Paul Vixie, a colleague of Joffe who, like Joffe, gave $250 in 2000 to Rep. Heather Wilson of New Mexico, who was close to the late Sen. John McCain, who feuded with Trump, federal campaign records show. Vixie, who reviewed the DNS logs and suggested in the media that Trump and Alfa Bank were engaged in a “criminal syndicate,” supported Clinton’s run for president and bashed Trump on Twitter.
“Hillary presented herself as an experienced politician who is prepared to assume the presidency,” he tweeted in 2016. He called Trump a “fake Republican” who “will finish out his life in prison,” he asserted in a 2020 tweet.
Faked Evidence?
The sources familiar with the investigation note that Durham is also using the grand jury to probe whether some of the internet data files the Clinton campaign shopped to the FBI were forged or fabricated to create the appearance of suspicious internet communications between the Russian bank and Trump.
Providing the FBI false evidence is a crime. Former assistant FBI director Chris Swecker told RCI that statutes enforcing mail and wire fraud may be invoked as part of the “criminal conspiracy case” Durham is building.
The materials Sussmann provided bureau headquarters in September 2016, in the heat of the presidential race, included two thumb drives containing DNS logs that Sussmann and Joffe claimed showed patterns of covert email communications between the Trump Organization and Alfa Bank, according to the indictment.
The authenticity of the DNS lookup records Sussmann presented to the FBI in the electronic files, along with three “white papers” portraying innocuous marketing pinging between Alfa and Trump servers as a nefarious Russian backchannel, has been called into question by several sources.
Alfa Bank, which also operates in the U.S., commissioned two studies that found the DNS data compiled by Joffe and his computer operatives were formatted differently than the bank server’s DNS logs, and one study posited that the DNS activity may have been “artificially created.”
Also, independent cyber forensics experts found that the emails released by researchers bore timestamps that did not match up with actual activity on the servers, suggesting they may have been altered. The Florida-based marketing firm Cendyn, which administered the alleged Trump server (which was owned by a third-party tech firm and housed in Pennsylvania, not New York), reported its device sent its last marketing email in March 2016, but the DNS logs provided by computer researchers claimed to show a May-September window of high-volume traffic.
Experts have also noted that the DNS logs Sussmann and his group presented as evidence to the FBI had been pasted into a text file, where they could have been edited.
In the Sussmann indictment, the grand jury described the DNS logs as appearing to be real, but not necessarily so. For instance, it noted that one of the computer researchers — cited as “Tea Leaves,” or Lorenzen — had “assembled purported DNC data reflecting apparent DNS lookups between [the] Russian bank and [a Trump] email domain.” The caveats “purported” and “apparent” indicate Durham and his investigators may be skeptical the data are real.
Also, the indictment stated that Joffe “shared certain results of these data searches and analysis” with Sussmann for the FBI to investigate, suggesting he may have cherry-picked the data to fit a preconceived “narrative,” – or “storyline,” as the computer researchers also referred to it in emails obtained by Durham.
Emails the independent prosecutor uncovered reveal that Joffe and the research team he recruited actually discussed “faking” internet traffic.
“It would be possible to ‘fill out a sales form on two websites, faking the other company’s email address in each form,’ and thereby cause them ‘to appear to communicate with each other in DNS,’ ” Lorenzen suggested.
One Georgia Tech researcher warned Joffe in mid-2016, in the middle of their fishing expedition, of the lack of evidence: “We cannot technically make any claims that would fly public scrutiny. The only thing that drives us at this point is that we just do not like [Trump].”
Tyrrell asserted that his client Joffe “stands behind the rigorous research and analysis that was conducted, culminating in the report he felt was his patriotic duty to share with the FBI.”
Using nonpublic data from a federal research contract to bait the FBI into investigating Trump could constitute a breach of contract and nondisclosure agreements. Swecker, who has worked with Durham on past white-collar criminal cases, said the special prosecutor may be seeking further indictments on government grant and contract fraud charges.
Washington agencies provide such tech contractors privileged access to massive caches of sensitive, nonpublic information about internet traffic to help combat cyber-crimes.
On Nov. 17, 2016, the Pentagon awarded Georgia Tech a cybersecurity research contract worth more than $17 million. The project, dubbed “Rhamnousia,” would allow researchers to “sift through existing and new data sets” to find “bad actors” on the internet. The indictment said the researchers had been provided “early access to internet data in order to establish a ‘proof of concept’ for work under the contract.” Of course, the government did not pay the researchers to look for dirt on Trump in the sensitive DNS databases.
“The primary purpose of the contract,” the indictment noted, “was for researchers to receive and analyze large quantities of DNS data in order to identify the perpetrators of malicious cyber-attacks and protect U.S. national security.”
Instead, the scientists took the political fishing expedition. According to the indictment, Joffe directed Lorenzen and the two university researchers to “search broadly through internet data for any information about Trump’s potential ties to Russia.”
The Georgia Tech researchers named as “investigators” on the project included David Dagon and Manos Antonakakis, who the sources confirmed are the two university researchers cited by Durham in his indictment. Antonakakis is the “Researcher-1” referenced in the indictment whom the grand jury said remarked in an email that “the only thing that drives us is that we just do not like [Trump.].”
The original $17 million Rhamnousia contract was approved for five years, federal contracting records show. But the program was recently renewed and has grown into a more than $25 million Defense Department contract — led by the same Georgia Tech research team.