On Monday, we published an investigation that is very important to us. In it, we explained in detail and proved who was behind the leak of email addresses from the "Freedom for Navalny" website.
The hacker turned out to be former ACF (Anti-Corruption Foundation) employee Fyodor Gorozhanko. We would like to believe it was not him, because betrayal by a former colleague is painful, but the facts say otherwise.
Fyodor, coincidentally enough, was the one who handled email newsletters for us.
Since our investigation was published, Fyodor has given several interviews (1, 2, 3, 4, 5) in which he chose a very unusual line of defense. He tried to convince everyone that he had nothing to do with the hack by confirming virtually every single piece of evidence we had gathered.
See for yourselves.
We say that Fyodor deposited 1.2 million rubles (about $13,000 at the time) into his account.
Fyodor confirms these cash deposits. But within a single day, his story changes. Earlier in the day, he told journalists that he earns very well and had saved the 1.2 million rubles in cash from officially declared salary income:
But by the evening, the source of that cash was no longer his official salary, but bitcoins he had sold:
Gorozhanko says that he had actually been very wealthy all along — a great salary, a stash of bitcoins. But then he immediately says that as soon as the money hit his account, he repaid a debt of 200,000 rubles (about $2,200):
We say that Fyodor sent out a mailing to activists in St. Petersburg.
In January, we received messages from supporters in St. Petersburg. They complained that they had not subscribed to any mailing lists except ours, yet they received emails from a project called "Gorozhanin," which is run by Fyodor Gorozhanko. In March, he was also asking them to send him money:
Journalists asked him about these mailings, and he confirmed that he had sent them.
But at the same time, he denies stealing those email addresses from ACF's database.
You could almost believe even that theory, but people who ended up on that very mailing list read Fyodor's words — and they were very surprised. Here are some examples: one, two, three, four, five, six, seven.
We say that Fyodor logged into his @fbk.info email account and downloaded the database.
And here is the main piece of evidence. The king of all evidence. The rest, frankly, hardly even needed to be mentioned. They are just nice, optional extras.
So.
At the end of March, the theft of our database began from IP address 31.200.238.184.
That IP address is registered in Primorsky Krai (a region in Russia's Far East):
Fyodor confirmed that he was in Nakhodka, Primorsky Krai, at the time.
Now let's look at where else this same IP address, 31.200.238.184 — the one from which the database was downloaded — showed up. There it is: the user gorozhanko logged into his @fbk.info email from that IP just before the hack. And believe it or not, he confirmed that he logged in himself.
In fact, Fyodor checked his email once or twice a month until we blocked him. Every time, he logged in from the same Primorsky Krai IP address, 31.200.238.184 — the very same one from which the database would soon be siphoned off.
And the fact that this was done not through email clients, as he claims, but through a browser, is clear from his account activity history:
From that same IP, at the end of December, Gorozhanko, who had long since stopped working for us, opened his old document, "How to manually send a mailing through Mailgun," on the Google Drive linked to ACF's work email. Mailgun, let us remind you, is the very service through which we sent our mailings. And it was from there that the email database was stolen.
That document contains a link to a mailing script written by Fyodor.
Inside are comments by Fyodor, folders bearing his name, his email address, and notes in the comments saying that the key can be found in the Mailgun admin panel.
From this script, written in February 2019, we can say for certain that Fyodor knows how to code, that he had the secret key, and that he knows perfectly well what data can be accessed with that key — no matter how hard he tries to wriggle out of it now:
Now back to Fyodor's travels. In one of his interviews, he says he had "returned to St. Petersburg." Those words matter to us too. Because after Fyodor flew from Primorsky Krai to St. Petersburg on March 29, the theft of the database continued from an IP address linked to St. Petersburg.
That should end the discussion. Gorozhanko admitted that he used the IP address 31.200.238.184 in Primorsky Krai. From that address, he logged into his email; from that same address, the database of email addresses was downloaded — the same database later used to intimidate innocent people and get them fired. A matching IP address is evidence in courts all over the world. Fyodor will not be able to wriggle out of this evidence.
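The correlation described above, matching the source address of key-authenticated API requests against authenticated mailbox logins, is shown here as an added example that is not ACF's own tooling. The records, account names, record layout and the `export_list` action name are constructed, and the addresses come from documentation ranges.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Addresses are documentation ranges.
# Authenticated sessions: the account is known.
LOGINS = [
    ("2024-03-02T09:14:00", "former.staff", "203.0.113.45"),
    ("2024-03-20T08:51:00", "former.staff", "203.0.113.45"),
    ("2024-03-21T10:00:00", "current.staff", "198.51.100.7"),
]
# Key-authenticated API requests: only the source address is recorded.
API_CALLS = [
    ("2024-03-22T12:00:00", "198.51.100.7", "send"),
    ("2024-03-24T03:10:00", "203.0.113.45", "export_list"),
    ("2024-03-30T14:00:00", "192.0.2.99", "export_list"),
]
OFFBOARDED = {"former.staff"}   # accounts that should no longer be active
SENSITIVE = {"export_list"}     # hypothetical action name for a bulk export


def correlate(logins, api_calls, window_days=30):
    """For each sensitive API call, list the accounts seen on the same
    address within +/- window_days and which of them are offboarded."""
    window = timedelta(days=window_days)
    findings = []
    for ts, ip, action in api_calls:
        if action not in SENSITIVE:
            continue
        when = datetime.fromisoformat(ts)
        accounts = sorted({
            user for lts, user, lip in logins
            if lip == ip and abs(datetime.fromisoformat(lts) - when) <= window
        })
        findings.append({
            "time": ts,
            "ip": ip,
            "accounts": accounts,  # more than one account means a shared address
            "offboarded": sorted(set(accounts) & OFFBOARDED),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(LOGINS, API_CALLS):
        print(finding)
```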
We are preparing complaints for law enforcement agencies in Russia and in the countries whose citizens ended up in the database and received threats. As for Russia, everything is clear: the people who ordered the hack are unlikely to conduct a proper investigation and punish themselves, although of course we will push for that. But if you happen to have dual citizenship or a residence permit in a European country, write to us at pravo@navalny.com, and together we will work to ensure that Fyodor Gorozhanko and those behind this hack can also be held accountable in other countries.