We owe you several things, dear readers. First, an apology for the fact that, because of our mistake, our oversight, and our carelessness, the email database of our supporters was stolen. Please forgive us. We will do everything possible to make sure this never happens again. And second, of course, an investigation into who committed this crime, when, and why.


We are unlikely to surprise or shock anyone by saying that Putin hates us. He fears us, tries to destroy us, and tries to make our lives unbearable. For years, a real war has been waged against a relatively small nonprofit organization with the help of every state agency. Our offices were smashed up, we were detained, jailed, barred from elections, had our accounts frozen, and our relatives and loved ones were terrorized. The Anti-Corruption Foundation (ACF) was banned, Navalny was imprisoned, and countless criminal cases were opened to make sure he would never be released. Just imagine how many people are involved in all this. How much money is spent on it, how many resources, how much time and effort.

But this story is not just about another round of Putin’s repression against us, the Anti-Corruption Foundation and Navalny’s regional headquarters (campaign offices). We are their enemies—that part is obvious. But now they have decided to go after you as well: people whose only “crime” is disliking permanent, unchanging rule, and standing up for a man who was unlawfully imprisoned while he was sick, starving, and denied help. Putin hates you too.

When Alexei Navalny was unlawfully arrested, we created the “Free Navalny” website, where you left your email addresses so that people could turn out in a coordinated way on a specific day for rallies against the unlawful arrest.

On April 16, registered users began receiving emails. Not from us. Emails containing threats and intimidation.

The attackers added personal data from government databases to the mailings—home registration addresses, workplaces, and data from the Gosuslugi public services portal. Similar emails were sent to employers as well: look, your employee is registered on Navalny’s website.

On April 21, 2021, protests took place in dozens of cities, and despite everything, people took to the streets to save Alexei Navalny. After the rallies, the authorities set the machinery of persecution against participants in motion: administrative arrests and fines, visits from police, and problems at work and school. Thirty-four people contacted us after being fired from state-funded organizations. The media reported information about hundreds of people being threatened with dismissal.

This is also a story about betrayal. About how one specific person who used to work with us sold all of you out for a relatively small amount of money. By his own decision, with his own hands, he caused dozens of people to lose their jobs. To lose the ability to feed their families and pay their bills.

We began examining what happened with the utmost thoroughness.

The first thing you need to do when something has been stolen is figure out where it was stolen from and how. Fortunately, there is a big difference between stealing something over the internet and stealing a wallet at a market. When something is stolen online, a huge number of digital traces are left behind, and they cannot be erased. Especially if the thief is fairly stupid. So we started looking at what evidence we had.

The first piece of evidence to examine is, of course, the stolen data itself. It contains only an email address and a time stamp.

And we do not see the most important thing of all—we do not see the home addresses of the people who registered on our website. The only reason they were not published—and surely you agree that would have caused far greater harm—is simply that the thieves did not have that data. They did not have any of your home addresses. Remember that.

Now about the time stamp—the second column we see in the leaked data. We do not recognize this time at all; we never had data like that. Nothing happened on our website at the times indicated. We recorded the time when a person registered on the site, and this is not that. The time shown in the leak is several hours later, and for many users it differs down to the minute. What could it be? We figured it out.

It is the time when emails asking users to confirm their registration on the site were sent. The first mark is the date the confirmation request was sent; the second is the date of the thank-you email for confirming. In other words, the leak did not come from our website but from the service that handles our mailings. What kind of service is that? Let me explain. Sending 10,000 or 500,000 emails, as we needed to do, is impossible manually. You need to track whether every email was sent on time, delivered, opened, and so on. That is what mailing services are for: they automate all of this and do it for you. The client—in this case, us—simply checks the status: this many delivered, this many lost. We used the email service Mailgun; it is reliable and not based in Russia. So FSB officers cannot just show up and say, “Hand over all the emails you send for Navalny.”

And that service was the thief’s actual target. We did not provide the email service with home addresses—why would they need them?—so those did not leak. But we did provide the email addresses themselves, the mailing list. Those are exactly the emails contained in the leaked database.

We carried out an additional check and finally confirmed that the time shown in the leaked database differs from the registration timestamp stored on our server not only by several hours, which is a matter of time format, but in some cases by whole minutes. It was easy to see that a user registered on our website at an earlier time stamp, while the email asking them to confirm registration was sent slightly later.

For example:

2021-03-26 02:18:59.992578+00 — the actual timestamp of the user’s registration in our database

26.03.2021 5:19 — the timestamp shown in the leaked database

The format differs by three hours, which is easily explained by the difference between our server’s time format and the format used by Mailgun. On our website, the user registered at minute 18, while in the leaked database they were marked as minute 19. We checked these “borderline” registrations that fell in the last seconds of a minute and confirmed that all of them differed. If the attacker had direct access to our database, they would at the very least have had more precise times.
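The comparison described above can be run over every leaked row. The sketch below is an added example, not code from ACF or Mailgun: it normalizes both timestamps to the same offset and counts how often the leaked minute is later than the registration minute, separately for the "borderline" registrations. Only the first sample pair comes from the article; the other pairs, the function names and the 55-second borderline threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Three-hour offset between the site's UTC timestamps and the leaked values.
LEAK_TZ = timezone(timedelta(hours=3))

# First pair is the one quoted in the article; the other three are constructed.
SAMPLE = [
    ("2021-03-26 02:18:59.992578+00", "26.03.2021 5:19"),
    ("2021-03-26 07:41:12.104233+00", "26.03.2021 10:41"),
    ("2021-03-27 15:02:58.730001+00", "27.03.2021 18:03"),
    ("2021-03-28 21:59:57.500000+00", "29.03.2021 1:00"),
]

def parse_registration(text):
    """Parse a database timestamp such as '2021-03-26 02:18:59.992578+00'."""
    return datetime.strptime(text + "00", "%Y-%m-%d %H:%M:%S.%f%z")

def parse_leaked(text):
    """Parse a leaked 'DD.MM.YYYY H:MM' value, which has minute resolution only."""
    return datetime.strptime(text, "%d.%m.%Y %H:%M").replace(tzinfo=LEAK_TZ)

def classify(reg, leaked):
    """Compare a leaked value with the registration time of the same address."""
    reg_minute = reg.astimezone(LEAK_TZ).replace(second=0, microsecond=0)
    if leaked == reg_minute:
        return "same_minute"     # what a copy of the site database would show
    if leaked > reg_minute:
        return "later_minute"    # an event after registration, e.g. an email send
    return "earlier_minute"      # would contradict the mailing-service explanation

def summarize(pairs, borderline_second=55):
    """Count outcomes overall and for registrations in the last seconds of a minute."""
    counts = {"same_minute": 0, "later_minute": 0, "earlier_minute": 0}
    borderline_total = borderline_later = 0
    for reg_text, leak_text in pairs:
        reg = parse_registration(reg_text)
        kind = classify(reg, parse_leaked(leak_text))
        counts[kind] += 1
        if reg.second >= borderline_second:
            borderline_total += 1
            borderline_later += kind == "later_minute"
    return counts, borderline_later, borderline_total

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

If the leaked column were a copy of the registration column, every row would land in `same_minute`; borderline rows that all land in `later_minute` point to a separate, later event.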

Excellent. The scene of the crime has been identified precisely. Now we needed to understand how the theft was carried out. There are two ways to access our account on the email service. The first, obvious one, is with a password. You log into the service the same way you log into your email. You can go in and see what is being sent and to whom. But we checked: no one logged into the account with a password or downloaded data that way.

Now for the second method: it requires a special secret key that allows the service to recognize that you are authorized. This is called an API key. It is entered into the program that sends emails so it can work without a login and password. That way it can send emails on your behalf and do everything needed for mailing operations, including seeing what was sent to whom. The number of people with access to this key is strictly limited. It is only our staff members who are supposed to have it.

We asked the mailing service who had accessed and used our key, and we received a list of, roughly speaking, computers (addresses). Most had alibis—they were ours, and most importantly, they had not downloaded the list of email addresses. But in that list we found the criminal as well: a user who, using a simple custom-written script, systematically downloaded the data. We were able to see in detail how it happened: how many thousands of addresses were stolen on one day, how many on another. And even from where. Our databases were downloaded from Primorsky Krai (a region in Russia’s Far East) and St. Petersburg.

So far, our investigation has been going unusually well. We have determined exactly where and how the theft was carried out, and we even learned how our foolish little thief moved around the country. All that remained was to find out who he was.

And we identified him very simply: by IP address. There were only a few addresses from which the data was downloaded. At the same time, the program used to pull data from Mailgun always worked according to the same pattern, no matter which address it was run from—St. Petersburg or Primorsky Krai: it had an 11-minute pause built into it. Apparently, the attacker was afraid of Mailgun’s limits on the number of requests allowed over a certain period of time. The pause was clearly initiated in the script and was not a Mailgun restriction: their logs show how long each request took to execute, and in every case it was a tiny fraction of a second. All requests returned a successful 200 status code. The attacker apparently overlooked this detail and gave himself away. The program made it possible to specify the date and time range for which the email list was to be downloaded, as well as the subject line of the email—for example, registration confirmation—and the source, meaning the website address.
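The reasoning in this paragraph, a fixed pause that repeats across source addresses while the service itself answers quickly and never throttles, can be checked mechanically. The following is an added detection sketch, not the investigators' tooling and not Mailgun's log format: the record layout, the thresholds and the documentation-range IP addresses are all constructed for the example.

```python
from collections import defaultdict
from statistics import median

BASE = 1616547600  # constructed epoch start time for the sample

def build_sample():
    """Constructed rows: (epoch seconds, source IP, request duration in s, HTTP status)."""
    rows = []
    # Two sources running the same script: one request about every 11 minutes.
    for ip, start in (("192.0.2.10", BASE), ("198.51.100.7", BASE + 9 * 86400)):
        rows += [(start + i * 660 + (i % 2), ip, 0.04, 200) for i in range(6)]
    # Ordinary application traffic at irregular intervals.
    rows += [(BASE + off, "203.0.113.5", 0.05, 200) for off in (0, 40, 45, 900, 2000, 2030)]
    return rows

def fixed_cadence_sources(rows, tolerance=5.0, min_requests=5):
    """Return {ip: median gap} for sources whose requests are evenly spaced
    although the server answered fast and never rate-limited them."""
    by_ip = defaultdict(list)
    for ts, ip, duration, status in rows:
        by_ip[ip].append((ts, duration, status))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        if len(reqs) < min_requests:
            continue
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        gap = median(gaps)
        regular = all(abs(g - gap) <= tolerance for g in gaps)
        # A pause imposed by the service would show up as slow responses or 429s.
        server_side = any(d > 1.0 or s == 429 for _, d, s in reqs)
        if regular and gap >= 60 and not server_side:
            flagged[ip] = gap
    return flagged

def shared_cadence(flagged, tolerance=5.0):
    """Group flagged sources with the same pause length: same tool, different address."""
    groups = []
    for ip, gap in sorted(flagged.items(), key=lambda kv: kv[1]):
        if groups and abs(groups[-1][0] - gap) <= tolerance:
            groups[-1][1].append(ip)
        else:
            groups.append((gap, [ip]))
    return [sorted(ips) for _, ips in groups if len(ips) > 1]

if __name__ == "__main__":
    hits = fixed_cadence_sources(build_sample())
    print(hits, shared_cadence(hits))
```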

Below is a screenshot of the log from an attempt to run the program on March 24 from a Primorsky Krai address against the free.navalny.com database, with March 22 specified as the start date for collecting emails:

The data-extraction program was the same everywhere, which meant the attacker was the same person throughout. All that remained was to check the addresses and see whether they had shown up anywhere else in our systems. You never know—perhaps the thief was stupid enough to try hacking something else too. And we found exactly that. From the very same IP address used to download the emails, someone had logged into ACF’s corporate email. An account belonging to a specific employee who had been fired long ago. Using a password that no one except that employee knew.

And this person, several years after being dismissed, decided to poke around in his old work email.

That person’s name is Fyodor Gorozhanko. And, what an amazing coincidence, before leaving ACF he was responsible for mailings. In other words, he had access to the secret API key.

The inept hacker Gorozhanko literally left his fingerprints at the scene of the crime. There can be no doubt about it. And here is another amusing detail: this was not the first time he had stolen our data. In January, we received two messages from our supporters in St. Petersburg. They had unexpectedly received emails from our former employee Gorozhanko asking them to support his livestream from the January 31 rally in support of Navalny and send him money. Even though they had no idea who he was and had never subscribed to him.

It is now clear where he got those email addresses of our supporters—he stole them from our database in exactly the same way, only selecting one region that interested him.

From the logs provided by Mailgun, we saw that Fyodor continued downloading the database of people in St. Petersburg who receive emails from us. The program had a similar structure.

Gorozhanko committed a criminal offense. Article 272 of the Russian Criminal Code covers unlawful access to computer information for personal gain. In this case, that information was personal data. It is like theft, except the thing being stolen is not property or money, but information. Creating a program for unlawful access falls under Article 273 of the Criminal Code. I also see the elements of Article 137 here—violation of privacy. And Article 138 of the Russian Criminal Code—violation of the secrecy of correspondence.

But beyond ordinary theft—a criminal offense—there is another aspect. I think you will agree it is very important and very interesting. Fyodor worked at ACF for four years. For even longer, he has been a prominent liberal activist in St. Petersburg. He campaigned against abuses in the housing and utilities sector and ran for the Legislative Assembly from the Yabloko party (a liberal Russian political party). Fyodor’s father is a well-known journalist and public figure in St. Petersburg and the Pskov region. He is a sitting deputy as well, also from Yabloko.

What happened to Fyodor? Where did these posts come from, written straight from the Kremlin’s talking points? It is not Putin who jails people, but Navalny. Navalny has no program. He steps over people. And Abramovich’s yacht must not be touched. Nor should propagandist Solovyov’s either. And in general, he promised everyone that after the poisoning, Navalny would stay in Europe drinking wine.

Disillusioned? Maybe. It happens. Burned out or offended—who knows. But resentful tweets are one thing; committing a criminal offense is another. Hundreds of thousands of people were put at risk. Disillusionment is not enough to leak a supporters’ database that includes your own brother’s and father’s email addresses. Disillusionment is not enough to sabotage a rally that your own father is calling on everyone to join. There has to be another, much more compelling reason. And we found it.

It was money. Fyodor Gorozhanko is not a wealthy man. After ACF, he never really had any notable job, and he failed to build a political career. It was unclear what he was even living on. The only property he had was a room in a communal apartment.

Until recently, Fyodor was living so badly that he resorted to payday loans. He took them out and could not repay them. The debt was sold to collectors, and they sued him; here is the case file.

We contacted the debt collectors who filed the lawsuit and confirmed the amount of the claim: 96,000 rubles (about $1,300 at the time).

But everything changed after the hacking of ACF’s email database.

On April 3, Fyodor deposited 245,000 rubles in cash into his account.

On April 9, again in cash, 995,000 rubles.

More than 1 million rubles in cash over just a few days for a person who cannot repay a 96,000-ruble debt—surely you would agree that is not something you see often.

These bank statements were sent to our Black Box, for which we are extremely grateful. We verified them and confirmed them by the means available to us. An example of one of the statements is here.

The money was deposited through an ATM. So either someone brought Fyodor a suitcase with a million rubles, or he cashed out a fee that came to him in bitcoin. Thanks to investigations by journalists from Meduza and Current Time, we know that the client behind this hack was the Presidential Administration. The journalists name specific people: Andrei Yarin, head of the Domestic Policy Directorate, and Mikhail Dudin, a programmer who used to help the Presidential Administration with various special operations such as hacks and is now officially employed there. Fyodor Gorozhanko was a minor operative, the man who handed over the necessary keys. He sold half a million sets of Navalny supporters’ personal data for at least a little over 1 million rubles. All to please Putin and help keep him in power longer.

By the way, if anyone still feels there is not enough evidence. Remember how we wrote that our database was downloaded from IP addresses in St. Petersburg and Primorsky Krai? St. Petersburg is easy to explain—Fyodor lives there permanently. For example, on April 2 he was again running tests and downloading the free.navalny database with March 22 set as the start date.

And in Nakhodka, judging by his purchases at a pharmacy and a bakery, he was there at exactly the time when our database was hacked from an IP address linked to that city. Gorozhanko’s movements between Primorsky Krai and St. Petersburg perfectly match the movements of our hacker.

Perhaps the most astonishing thing in this story is how cheap a conscience can be. Fyodor Gorozhanko sold his for roughly 2 rubles per person. That is what he thought your safety and personal data were worth. That is what he got for every fired metro and transport department employee left without a job and without the ability to support their families. But Fyodor made his 2 rubles.

And one more very important thing. This story is, of course, in many ways about our mistake. We could have changed the API key, taken extra precautions, recognized the traitor sooner. We have learned this lesson and will do everything possible to make sure it never happens again.

But it is also a story about crimes. For every one of our mistakes, there are five criminal offenses committed by very specific people.

Dudin, Yarin, Kiriyenko, and everyone in the Presidential Administration responsible for persecuting the opposition. Came up with a “great” scheme involving hackers? Well done. But that amounts to five criminal charges.

Maksim Liksutov, head of Moscow’s Department of Transport, whose subordinate organizations fired dozens of people. Hundreds were intimidated. On his personal orders. Through these people, Liksutov is taking revenge on us personally—for the fact that for years we have published investigations into how this incredibly wealthy official makes money from Moscow transport and how he staged a fake divorce from his wife (the richest woman in Estonia) so he would not have to declare income from assets transferred into her name.

The management and head of VGTRK (Russia’s state broadcasting company), Oleg Dobrodeev, are also to blame. A personal conversation with one of the fired employees was conducted by the well-known host and Moscow City Duma deputy Andrei Medvedev. He said that you cannot support Navalny and receive a salary from VGTRK—and in general he takes it personally, because he is a close friend of Margarita Simonyan, and Navalny talks about how she shamelessly steals through her RT network. Hence the dismissal.

Gorozhanko, the clients in the Presidential Administration, Liksutov, VGTRK management, and the other people who decided to destroy lives over support for Navalny—these are the people who must be held responsible for what happened. We will file crime reports against each of them. We are helping, and will continue to help, everyone who was unlawfully fired, all the way to the European Court of Human Rights. Write to us at pravo@navalny.com if you were affected by this hack. We are also addressing those who permanently reside outside Russia—for the purpose of filing criminal complaints in other jurisdictions.

And do not forget: the truth is on our side. No one ever promised that a fight with a huge evil monster—the Putin regime—would be easy. But together, we will prevail.

Freedom for Alexei Navalny.
