WEBVTT

00:00:04.759 --> 00:00:07.839
You're listening to a stage talk titled Mapping

00:00:07.839 --> 00:00:10.779
Militia Networks with New America. This week

00:00:10.779 --> 00:00:13.500
we were joined by Candace Rondeaux and Ben Dalton

00:00:13.500 --> 00:00:16.519
from the Future Frontlines Project at New America.

00:00:16.980 --> 00:00:19.160
They broke down their incredible methodology

00:00:19.160 --> 00:00:21.679
for tracing some of the most famed Russian militia

00:00:21.679 --> 00:00:25.739
groups on both Telegram and VKontakte, as well

00:00:25.739 --> 00:00:28.179
as providing invaluable advice for staying safe

00:00:28.179 --> 00:00:31.449
online whilst doing this intensive work. You

00:00:31.449 --> 00:00:34.070
can find links to all of the resources mentioned

00:00:34.070 --> 00:00:37.130
in the talk in the podcast description. This

00:00:37.130 --> 00:00:39.829
talk was hosted by me, Charlotte Ma, on Thursday

00:00:39.829 --> 00:00:43.189
the 11th of September 2025, the Bellingcat Discord

00:00:43.189 --> 00:00:58.070
server. Welcome to this week's stage talk. Today

00:00:58.070 --> 00:01:00.590
we have the pleasure of hosting Ben Dalton and

00:01:00.590 --> 00:01:03.990
Candace Rondeaux from New America. They both work

00:01:03.990 --> 00:01:05.989
on New America's Future Frontlines project,

00:01:06.189 --> 00:01:08.549
Ben as program manager and Candace as senior

00:01:08.549 --> 00:01:11.469
director. Within the program, they use open source

00:01:11.469 --> 00:01:14.109
investigative tools, data mining techniques and

00:01:14.109 --> 00:01:16.769
journalistic methods to explore how network technologies

00:01:16.769 --> 00:01:19.049
from cyber warfare to artificial intelligence

00:01:19.049 --> 00:01:21.730
are reshaping global conflict, competition and

00:01:21.730 --> 00:01:24.230
influence. Today though they are here to talk

00:01:24.230 --> 00:01:26.709
about their work looking into online networks,

00:01:27.310 --> 00:01:30.269
specifically tracing online networks of militia

00:01:30.269 --> 00:01:33.030
and private military groups. You can find a lot

00:01:33.030 --> 00:01:35.829
about someone online, including who they spend

00:01:35.829 --> 00:01:39.069
time with both online and offline. This is especially

00:01:39.069 --> 00:01:41.450
useful for tracking who might be fighting or

00:01:41.450 --> 00:01:45.230
supporting a group like Wagner for example. Within

00:01:45.230 --> 00:01:47.609
this discussion we're hoping to unpack what platforms

00:01:47.609 --> 00:01:50.109
you might find these people in, how you can trace

00:01:50.109 --> 00:01:52.569
their connections, and what tools might be useful

00:01:52.569 --> 00:01:55.489
in doing so. As we talk, please make sure to

00:01:55.489 --> 00:01:58.310
add your questions in the chat box via the message

00:01:58.310 --> 00:02:00.510
bubble icon in the top right corner of your screen.

00:02:00.969 --> 00:02:03.049
And please note within your question, if you

00:02:03.049 --> 00:02:05.670
do not want me to read your username out, as

00:02:05.670 --> 00:02:09.250
I just said, this is being audio recorded. Okay,

00:02:09.530 --> 00:02:13.530
Candace, Ben, tell us, how do you find these groups?

00:02:15.430 --> 00:02:18.310
So we were just sort of talking about the connection

00:02:18.310 --> 00:02:22.430
between Bellingcat and Future Frontlines

00:02:22.430 --> 00:02:25.189
and collaboration. I'll just mention that I took

00:02:25.189 --> 00:02:29.610
a course with Elliot ages ago, Elliot and team,

00:02:30.069 --> 00:02:32.650
and it really was life-changing for me. So it's

00:02:32.650 --> 00:02:35.009
really thrilled to be here. I thought I'd just

00:02:35.009 --> 00:02:37.129
open and tell you a little bit about New America

00:02:37.129 --> 00:02:40.030
and about Future Frontlines before we kind of

00:02:40.030 --> 00:02:43.069
dive into the work that we do and talk a little

00:02:43.069 --> 00:02:45.659
bit about our methodology. For those of you who

00:02:45.659 --> 00:02:49.400
don't know New America, we are a think tank based

00:02:49.400 --> 00:02:53.560
in Washington DC. We are non-partisan and

00:02:53.560 --> 00:02:55.979
non-profit quite genuinely. Unlike a lot of think

00:02:55.979 --> 00:02:58.960
tanks in DC, we are not a government in waiting.

00:02:59.840 --> 00:03:02.159
A lot of the people that work here are former

00:03:02.159 --> 00:03:05.879
journalists or people who still have one

00:03:05.879 --> 00:03:09.520
foot in journalism, but also work in policy on

00:03:09.520 --> 00:03:13.710
specific issues. And Future Frontlines sits within

00:03:13.710 --> 00:03:17.250
our global programming. We've been around since

00:03:17.250 --> 00:03:19.930
basically 2018, around the time that I started

00:03:19.930 --> 00:03:22.610
working on looking at the Wagner Group, which

00:03:22.610 --> 00:03:27.129
is sort of the jumping off point for the project

00:03:27.129 --> 00:03:29.129
itself. And I'll give you a little bit of background

00:03:29.129 --> 00:03:35.030
about that. So, we began this project in 2018.

00:03:36.550 --> 00:03:40.460
And by that time, the war in Ukraine obviously

00:03:40.460 --> 00:03:43.960
had been going on for four years. The war in

00:03:43.960 --> 00:03:49.020
Syria was really heating up with ISIS, very active

00:03:49.020 --> 00:03:54.300
in Syria, but also in Iraq. And the origin of

00:03:54.300 --> 00:03:57.819
our work on the Wagner Group began with a question

00:03:57.819 --> 00:04:01.360
about the changing nature of proxy warfare, the

00:04:01.360 --> 00:04:05.120
ways in which states in particular, like Russia

00:04:05.120 --> 00:04:09.150
and other countries, the United States, were

00:04:09.150 --> 00:04:13.030
engaging proxy actors who were not part of their

00:04:13.030 --> 00:04:18.050
normal conventional militaries to do their bidding

00:04:18.050 --> 00:04:21.850
in places in the Middle East and also in Eurasia.

00:04:22.329 --> 00:04:24.149
And my background is in sort of Russian area

00:04:24.149 --> 00:04:27.870
of studies and so is Ben's. And I sort of took

00:04:27.870 --> 00:04:31.209
to the idea that there was a lot that was being

00:04:31.209 --> 00:04:35.110
talked about in terms of little green men and

00:04:35.110 --> 00:04:37.149
Wagner. Wagner was just kind of beginning to

00:04:37.149 --> 00:04:40.649
pick up its sort of brand recognition at that

00:04:40.649 --> 00:04:45.209
stage in 2018. But nobody really knew much about

00:04:45.209 --> 00:04:47.389
the organization. You know, it was a lot of rumors,

00:04:47.430 --> 00:04:51.970
basically. And I think the moment that changed

00:04:51.970 --> 00:04:55.750
everything for Wagner's profile, there are probably

00:04:55.750 --> 00:04:59.149
two that we can talk about today. One is the

00:04:59.149 --> 00:05:01.649
most famous, which is the Battle of Khasham,

00:05:01.850 --> 00:05:04.310
or sometimes known as the Battle of Conoco, which

00:05:04.310 --> 00:05:10.069
is when a group of Wagner forces started to try

00:05:10.069 --> 00:05:13.750
and take control of a gas plant in northeast

00:05:13.750 --> 00:05:16.930
Syria that used to be owned by Conoco, an American

00:05:16.930 --> 00:05:19.930
oil company. And it was during this clash on

00:05:19.930 --> 00:05:25.310
February 7th, 2018 that we saw just tremendous

00:05:25.310 --> 00:05:28.529
amounts of casualties on the Russian side. They

00:05:28.529 --> 00:05:31.050
clashed with US special forces who were defending

00:05:31.050 --> 00:05:35.449
the gas plant in nearby territory. And it was

00:05:35.529 --> 00:05:40.189
a breach essentially of an informal to formal,

00:05:41.230 --> 00:05:43.649
what people call a deconfliction line, where

00:05:43.649 --> 00:05:47.170
US forces and Russian forces operating in Syria

00:05:47.170 --> 00:05:51.910
and pursuing counter-terrorism operations against

00:05:51.910 --> 00:05:55.310
ISIS and other players were meant to at least

00:05:55.310 --> 00:05:57.670
communicate when they were in the same area to

00:05:57.670 --> 00:06:01.370
avoid these types of friendly fire or kind of

00:06:01.370 --> 00:06:04.129
semi-friendly fire clashes. But it happened

00:06:04.129 --> 00:06:07.220
anyway, for reasons we can get into later, mostly

00:06:07.220 --> 00:06:09.959
sort of backstory politics about what was going

00:06:09.959 --> 00:06:14.459
on in the Kremlin. And the clash led to about

00:06:14.459 --> 00:06:18.740
200 Wagner group casualties. And what was interesting

00:06:18.740 --> 00:06:21.560
about that moment was it really lit up the internet.

00:06:21.699 --> 00:06:24.360
It lit up VKontakte, which is Russia's Facebook,

00:06:24.360 --> 00:06:28.259
and Telegram. There were just wild rumors about

00:06:28.259 --> 00:06:32.139
how many casualties were actually, you know, on

00:06:32.139 --> 00:06:36.120
both sides. At some point, one of the most prominent

00:06:36.120 --> 00:06:39.360
nationalists in Russia, his name is Igor Girkin,

00:06:39.819 --> 00:06:42.319
who had connections to some of these far-right

00:06:42.319 --> 00:06:45.800
groups like Wagner, insisted that there had been

00:06:45.800 --> 00:06:48.339
600 casualties. And so, there was a lot of controversy.

00:06:48.959 --> 00:06:51.819
And that battle ignited a lot of interest in

00:06:51.819 --> 00:06:54.199
what Wagner was doing and who it was connected

00:06:54.199 --> 00:06:57.439
to. And luckily, it coincided with the kickoff

00:06:57.439 --> 00:07:00.579
of our project on proxy warfare, which we started

00:07:00.579 --> 00:07:03.379
with two or three primary research questions.

00:07:04.480 --> 00:07:12.620
One was to try and understand how do PMCs, private

00:07:12.620 --> 00:07:16.160
military companies, like Wagner actually operate.

00:07:16.759 --> 00:07:18.540
They were built as a private military company,

00:07:18.540 --> 00:07:20.660
but they seem to be acting really differently.

00:07:21.759 --> 00:07:26.579
And they also seem to have connections to other

00:07:26.579 --> 00:07:31.170
networks of unaffiliated masked men, little green

00:07:31.170 --> 00:07:35.089
men, including an organization many people now

00:07:35.089 --> 00:07:38.430
know as Rusich, which has deep roots in St. Petersburg

00:07:38.430 --> 00:07:41.230
and far-right ultra-nationalist movements.

00:07:42.250 --> 00:07:44.569
And so we wanted to figure out how are these

00:07:44.569 --> 00:07:47.689
groups connected. And I was just sort of starting

00:07:47.689 --> 00:07:51.310
this experiment pretty much on my own. I did

00:07:51.310 --> 00:07:53.410
have some help from Arizona State University,

00:07:53.470 --> 00:07:57.920
where I also teach classes in security studies

00:07:57.920 --> 00:08:02.379
and journalism. And I connected with some young

00:08:02.379 --> 00:08:04.800
students in computer science who were really

00:08:04.800 --> 00:08:07.040
interested in also kind of unraveling this mystery.

00:08:07.519 --> 00:08:10.699
And it was with their help that we began to apply

00:08:10.699 --> 00:08:14.139
a combination of network analysis and social

00:08:14.139 --> 00:08:17.139
media analysis to try and understand the footprint

00:08:17.139 --> 00:08:20.720
of this organization, at least virtually. And

00:08:20.720 --> 00:08:23.920
through that work, we stumbled on one of the

00:08:23.920 --> 00:08:28.620
earliest iterations of a Wagner Group channel

00:08:28.620 --> 00:08:31.259
or follower group, and it was called CHVK

00:08:31.420 --> 00:08:35.759
Wagner Military Review. At the time when we discovered

00:08:35.759 --> 00:08:39.220
this one single account, there were probably

00:08:39.220 --> 00:08:45.600
about 6,900 followers in the account. And the

00:08:45.600 --> 00:08:47.120
thing that was interesting about it, as you can

00:08:47.120 --> 00:08:49.279
see from this picture here on the far right,

00:08:49.659 --> 00:08:53.590
there's a picture of a statue that looks like,

00:08:53.590 --> 00:08:57.090
you know, some sort of, you know, a fighter or

00:08:57.090 --> 00:09:00.470
warrior. And this became, along with some other

00:09:00.470 --> 00:09:04.950
symbols, a pretty important marker of Wagner's

00:09:04.950 --> 00:09:07.149
identity because it was actually sitting inside

00:09:07.149 --> 00:09:11.649
a base in Syria where Wagner forces and Rusich

00:09:11.649 --> 00:09:15.350
forces were, you know, bunked out in barracks.

00:09:16.129 --> 00:09:18.409
I didn't know that at the time. I had to do a

00:09:18.409 --> 00:09:21.049
lot of digging just like everybody else does.

00:09:21.279 --> 00:09:23.820
and looking at the connections. But there were

00:09:23.820 --> 00:09:26.200
some things that jumped out at me as a Russian

00:09:26.200 --> 00:09:29.480
speaker, which was some of the symbology, this

00:09:29.480 --> 00:09:32.460
sort of throwback to the Soviet era of glory,

00:09:33.360 --> 00:09:37.019
the use of paramilitary and paratrooper symbols,

00:09:37.379 --> 00:09:40.659
and also, of course, a lot of Nazi themes throughout.

00:09:41.320 --> 00:09:44.700
So when we discovered this one singular account

00:09:44.700 --> 00:09:50.399
in late 2018, it was about 6,900. And over four

00:09:50.399 --> 00:09:53.240
years, those accounts of followers would go to

00:09:53.240 --> 00:09:57.879
355,000. So, that's a 5,000% growth rate.

00:09:58.220 --> 00:10:01.000
And it was very telling because it really tracked

00:10:01.000 --> 00:10:04.820
very closely with what we saw was the expansion

00:10:04.820 --> 00:10:08.580
of Wagner's actual ranks and its operations,

00:10:09.059 --> 00:10:11.980
not only in Syria, but also the Central African

00:10:11.980 --> 00:10:16.419
Republic, Sudan, Libya, and eventually, Mali.

00:10:17.100 --> 00:10:21.940
But it was really a case that kind of floated

00:10:21.940 --> 00:10:25.799
to the top in some of these chats on this particular

00:10:25.799 --> 00:10:29.600
channel that really caught my attention. And

00:10:29.600 --> 00:10:34.080
it was actually when, in 2019, when we began

00:10:34.080 --> 00:10:37.919
to look into the case of a man who was murdered

00:10:37.919 --> 00:10:43.860
online, on camera, a man who went by the name

00:10:43.860 --> 00:10:48.279
of Hamdi Bouta. He's a Syrian who was born and

00:10:48.279 --> 00:10:51.899
raised in northeast Syria, had departed to Lebanon

00:10:51.899 --> 00:10:56.419
to do some day labor work. And in the summer,

00:10:56.480 --> 00:11:00.379
spring of 2017, he returned to see his family.

00:11:00.639 --> 00:11:03.460
And upon his return, he was captured crossing

00:11:03.460 --> 00:11:07.360
the border. And nobody knew at the time, you

00:11:07.360 --> 00:11:10.440
know, when all this was unfolding, who he was

00:11:10.440 --> 00:11:13.019
or what his identity was. But the one thing that

00:11:13.019 --> 00:11:16.549
everybody knew was on this CHVK Wagner Military

00:11:16.549 --> 00:11:19.970
Review site was a constant stream of conversation

00:11:19.970 --> 00:11:23.549
about a video that cropped up. It was about two

00:11:23.549 --> 00:11:26.570
minutes long, depicting several men with masked

00:11:26.570 --> 00:11:28.549
faces, and you can kind of see them there to

00:11:28.549 --> 00:11:31.809
the left in the picture, wielding a sledgehammer

00:11:31.809 --> 00:11:35.950
and beating this man, unarmed man, mercilessly

00:11:35.950 --> 00:11:38.309
on the ground of some sort of industrial site.

00:11:38.620 --> 00:11:41.860
And so we used all the usual techniques that

00:11:41.860 --> 00:11:45.100
you all know very well, geolocation, to kind

00:11:45.100 --> 00:11:48.419
of try and understand where exactly this event

00:11:48.419 --> 00:11:54.500
was happening. And of course, OSINT is always

00:11:54.500 --> 00:11:56.679
a collective enterprise and there was a lot of

00:11:56.679 --> 00:12:00.059
exchange between Russian journalists and Western

00:12:00.059 --> 00:12:01.799
journalists who are trying to figure this out.

00:12:01.950 --> 00:12:05.269
And there was one in particular that bears mentioning

00:12:05.269 --> 00:12:07.610
is Kirill Mikhailov, who was really one of the

00:12:07.610 --> 00:12:10.330
first to kind of identify the scene, or at least

00:12:10.330 --> 00:12:12.049
guess that this was happening somewhere near

00:12:12.049 --> 00:12:14.549
Palmyra, Syria, where Wagner Trucks had been

00:12:14.549 --> 00:12:17.629
operating for quite some time. It was when the

00:12:17.629 --> 00:12:21.250
first two-minute video appeared that there was

00:12:21.250 --> 00:12:24.049
certainly a sense that this had happened in Syria,

00:12:24.289 --> 00:12:27.330
but still even then figuring out their identities

00:12:27.330 --> 00:12:33.289
was tricky. Then, a little while later, another

00:12:33.289 --> 00:12:36.710
two-minute snippet appeared. And this is a video

00:12:36.710 --> 00:12:40.830
where the same men were depicted basically beheading

00:12:40.830 --> 00:12:43.649
and then dismembering the body of the man that

00:12:43.649 --> 00:12:45.309
they had beaten to death with a sledgehammer.

00:12:45.730 --> 00:12:49.049
And then carving the initials – and this was,

00:12:49.049 --> 00:12:53.009
for me, the biggest clue of their, I suppose,

00:12:53.330 --> 00:12:57.710
former military unit, the 131st VDV, onto

00:12:57.710 --> 00:13:00.370
the chest of the dismembered body and lighting

00:13:00.370 --> 00:13:04.309
it on fire. All of these things were kind of,

00:13:04.330 --> 00:13:08.309
you know, the regular practice of Wagner. In

00:13:08.309 --> 00:13:10.590
some ways, a lot of torture videos, a lot of

00:13:10.590 --> 00:13:13.509
trophy videos was a way for them to bond and

00:13:13.509 --> 00:13:17.029
also to kind of show their prowess to each other,

00:13:17.289 --> 00:13:20.250
but oftentimes the material was leaked, basically.

00:13:20.679 --> 00:13:24.559
We sort of were able to pull everything together

00:13:24.559 --> 00:13:26.740
through a couple of different techniques. With

00:13:26.740 --> 00:13:30.860
the help of our student team at ASU, we tweaked

00:13:30.860 --> 00:13:35.159
a tool that we found online on GitHub that was

00:13:35.159 --> 00:13:42.179
very useful for sounding out geodata and metadata

00:13:42.179 --> 00:13:46.320
posted on VKontakte. And Ben is showing here

00:13:46.320 --> 00:13:50.919
actually our tool, the Future Frontlines Ghost

00:13:50.919 --> 00:13:55.440
Tracker, where if you enter a particular location

00:13:55.440 --> 00:14:00.200
and a time and a date and you drop a pin, you'll

00:14:00.200 --> 00:14:04.179
usually find within a 50-meter radius, if anybody's

00:14:04.179 --> 00:14:06.700
posted pictures in those areas, you can usually

00:14:06.700 --> 00:14:10.100
find those pictures. And it was through a series

00:14:10.100 --> 00:14:14.350
of soundings around the Palmyra area that we

00:14:14.350 --> 00:14:19.129
were able to locate a number of people who were

00:14:19.129 --> 00:14:22.730
posting pictures that had a very similar sort

00:14:22.730 --> 00:14:25.730
of background to what we were seeing in the background

00:14:25.730 --> 00:14:30.629
of that video of Hamdi Bouta's murder. And it

00:14:30.629 --> 00:14:35.090
occurred to me that actually, while we could

00:14:35.090 --> 00:14:37.450
kind of see pieces of the puzzle, we couldn't

00:14:37.450 --> 00:14:41.710
see the whole picture. But when we sort of pulled

00:14:41.710 --> 00:14:44.899
back a little bit, and started to look at the

00:14:44.899 --> 00:14:47.100
networked relationships between the people who

00:14:47.100 --> 00:14:50.440
were posting pictures and the networked relationships,

00:14:50.740 --> 00:14:54.740
people who were friends of certain users in the

00:14:54.740 --> 00:14:57.559
CHVK Wagner account who were extremely active.

00:14:58.100 --> 00:15:00.799
It's then that we realized actually the network

00:15:00.799 --> 00:15:03.460
effects of this organization are much more powerful

00:15:03.460 --> 00:15:07.220
and easier to trace. And it's a way to sort of

00:15:07.220 --> 00:15:10.110
additionally verify connections between people.

00:15:10.110 --> 00:15:11.889
Of course, there's more work to do and then we'll

00:15:11.889 --> 00:15:13.769
talk a little bit more about what that looks

00:15:13.769 --> 00:15:17.190
like. But this picture that you're looking at

00:15:17.190 --> 00:15:21.870
here, this image, represents a slice of a network

00:15:21.870 --> 00:15:25.789
that we carved out of both looking at the JPEG

00:15:25.789 --> 00:15:30.330
metadata from posts using our Ghost Tracker on

00:15:30.330 --> 00:15:35.029
VKontakte and then also looking at the friend

00:15:35.029 --> 00:15:39.070
relationships between different individuals who

00:15:39.070 --> 00:15:43.389
had signed up to CHVK Wagner Review and had

00:15:43.389 --> 00:15:48.590
certain profile attributes, many of whom were

00:15:48.590 --> 00:15:51.610
based in St. Petersburg, many of whom had served

00:15:51.610 --> 00:15:56.470
in the airborne VDV forces, many of whom said

00:15:56.470 --> 00:16:01.210
that they had served in Donbass in 2014 and 2015,

00:16:02.230 --> 00:16:06.629
several of whom bore Nazi logos or Rodnovery

00:16:06.629 --> 00:16:09.730
symbols, which was the Russian sort of pagan

00:16:09.730 --> 00:16:14.169
religion. And at the center of this network,

00:16:14.269 --> 00:16:16.669
it's kind of hard to see from this level, but

00:16:16.669 --> 00:16:19.690
there were three or four individuals that really

00:16:19.690 --> 00:16:23.210
stood out to us as A, closely connected. So we

00:16:23.210 --> 00:16:27.210
were really also tracing the tightness of the

00:16:27.210 --> 00:16:29.529
network and the closeness of the relationships.

00:16:30.429 --> 00:16:35.269
And we discovered Oddly, at the center of that

00:16:35.269 --> 00:16:37.929
were some of the most active members of Russia's

00:16:37.929 --> 00:16:41.350
ultra-nationalist movements, including a guy

00:16:41.350 --> 00:16:43.830
named Alexei Milchakov, who is now quite famous.

00:16:43.850 --> 00:16:47.090
He was the commander of Rusich, this ultra-right,

00:16:47.389 --> 00:16:50.429
ultra-nationalist neo-Nazi group. And then

00:16:50.429 --> 00:16:52.789
several members of the Russian Imperial Movement

00:16:52.789 --> 00:16:56.350
and the Russian Imperial Legion, which is an

00:16:56.350 --> 00:16:59.429
incredibly important part of the Wagner group's

00:16:59.429 --> 00:17:02.289
kind of background, as many of the individuals

00:17:02.289 --> 00:17:05.329
who trained with Wagner in the early days had

00:17:05.329 --> 00:17:09.809
paramilitary training in St. Petersburg through

00:17:09.809 --> 00:17:12.630
the Russian Imperial Movement, which was founded

00:17:12.630 --> 00:17:15.930
by members of the VDV airborne. So there's

00:17:15.930 --> 00:17:20.609
a lot of common threads. And if you sort of using

00:17:20.609 --> 00:17:25.569
network analysis techniques and big data analysis,

00:17:25.789 --> 00:17:27.890
we were able to kind of see how they all connected

00:17:27.890 --> 00:17:29.900
to each other. What was interesting about this

00:17:29.900 --> 00:17:33.279
slide, I'll just mention this before handing

00:17:33.279 --> 00:17:35.039
it over to Ben to talk a little bit about more

00:17:35.039 --> 00:17:39.140
of what we found, is that four individuals on

00:17:39.140 --> 00:17:41.480
the right, so Milchakov and the three others

00:17:41.480 --> 00:17:43.259
from Russian Imperial Movement, had actually

00:17:43.259 --> 00:17:45.220
been sanctioned by this time, by the time we're

00:17:45.220 --> 00:17:48.559
doing this work. But the one on the left, Yashakov,

00:17:49.059 --> 00:17:51.400
had not been sanctioned. He was actually quite

00:17:51.400 --> 00:17:57.339
active and very important to some other operational

00:17:57.339 --> 00:18:01.140
parts of how Wagner worked that we later discovered.

00:18:01.859 --> 00:18:04.539
So what we understood is basically, if you want

00:18:04.539 --> 00:18:07.160
to really understand how these kind of shadow

00:18:07.160 --> 00:18:10.140
operators work, nine times out of 10, you're

00:18:10.140 --> 00:18:13.059
going to find them talking to each other online

00:18:13.059 --> 00:18:15.740
somewhere. And that's no mystery to most of you

00:18:15.740 --> 00:18:18.720
who do this work. But for us, what was revelatory

00:18:18.720 --> 00:18:21.720
was that VKontakte in particular had some

00:18:21.720 --> 00:18:24.579
interesting design features that made it extremely

00:18:24.579 --> 00:18:27.640
exploitable. Most importantly, because the Russian

00:18:27.640 --> 00:18:32.559
state seems to be very keen that online platforms

00:18:32.559 --> 00:18:36.740
like VKontakte maintain metadata for surveillance,

00:18:37.279 --> 00:18:40.140
it makes it easier for other people, including

00:18:40.140 --> 00:18:43.920
public interest investigators, to also mine that

00:18:43.920 --> 00:18:46.500
metadata and put the big puzzle pieces together

00:18:46.500 --> 00:18:49.710
using network analysis. Over to you, Ben. Thank

00:18:49.710 --> 00:18:53.369
you, Candace. So, yeah, the approach that Candace

00:18:53.369 --> 00:18:55.410
was describing was working so well for us that

00:18:55.410 --> 00:18:58.250
we decided to expand it and continue it over

00:18:58.250 --> 00:19:01.589
a period of years. So there were two main waves

00:19:01.589 --> 00:19:04.569
of collection. So just to recap, you know, we

00:19:04.569 --> 00:19:10.529
have identified these VK groups of interest using

00:19:10.529 --> 00:19:12.230
the tools that Candace was describing, using

00:19:12.230 --> 00:19:14.250
tools like the Ghost Tracker to find accounts

00:19:14.250 --> 00:19:16.660
of interest. And there was a period of collection

00:19:16.660 --> 00:19:19.940
that lasted from 2019 to 2020. And then again,

00:19:20.039 --> 00:19:23.400
we did another round of collection in 2022, about

00:19:23.400 --> 00:19:26.180
six months after the full-scale invasion. And

00:19:26.180 --> 00:19:28.740
we focused really on three overlapping groups

00:19:28.740 --> 00:19:32.079
on VK. So one was that CHVK Wagner Military Review

00:19:32.079 --> 00:19:34.339
Group that Candace was talking about. The other

00:19:34.339 --> 00:19:37.059
was the main kind of official group for Rusich.

00:19:37.279 --> 00:19:39.440
And the third was the main official group for

00:19:39.440 --> 00:19:41.900
the Russian Imperial Movement, all of which had

00:19:41.900 --> 00:19:45.519
overlapping memberships, as you can see if you're

00:19:45.519 --> 00:19:49.579
listening live on this chart here. And just to

00:19:49.579 --> 00:19:51.759
be clear, by collection, what I mean is that

00:19:51.759 --> 00:19:54.859
we expanded to bulk data collection of members

00:19:54.859 --> 00:19:59.099
of VK groups using the VK API. So this enabled

00:19:59.099 --> 00:20:01.539
us to create datasets with full profile data

00:20:01.539 --> 00:20:05.079
for every member of these VK groups. And that

00:20:05.079 --> 00:20:07.730
included their intergroup friendship connections.

00:20:09.069 --> 00:20:11.549
I'm told that this is an audience that appreciates

00:20:11.549 --> 00:20:14.230
some degree of technical detail. So I will note

00:20:14.230 --> 00:20:16.250
that between these two periods, we had to make

00:20:16.250 --> 00:20:18.690
some pretty significant changes to the API script

00:20:18.690 --> 00:20:22.250
to accommodate changes that VK itself was making

00:20:22.250 --> 00:20:24.490
to their API that made it a little bit more difficult

00:20:24.490 --> 00:20:27.250
to do this. And we also had to contend with the

00:20:27.250 --> 00:20:29.490
groups themselves practicing sort of greater

00:20:29.490 --> 00:20:32.509
and greater degrees of OPSEC and sort of information

00:20:32.509 --> 00:20:35.759
security as the years went on. But because of

00:20:35.759 --> 00:20:37.700
these two main periods of collection, we were

00:20:37.700 --> 00:20:40.220
able to compare how they changed over time. Candace

00:20:40.220 --> 00:20:42.799
already mentioned this huge growth in the Wagner

00:20:42.799 --> 00:20:46.619
group, but pretty much they all experienced significant

00:20:46.619 --> 00:20:50.119
growth over time with a significant membership

00:20:50.119 --> 00:20:54.619
core that remained substantially the same across

00:20:54.619 --> 00:20:58.859
the years. So as I said, the VK API gave us public

00:20:58.859 --> 00:21:01.900
data for members in these groups, and that enabled

00:21:01.900 --> 00:21:05.029
us to do a pretty granular analysis of demographics

00:21:05.029 --> 00:21:08.250
and the geographic distribution of the members,

00:21:08.529 --> 00:21:11.210
or at least as self-reported on their account

00:21:11.210 --> 00:21:16.349
profiles. And what I'm showing now, I'll describe

00:21:16.349 --> 00:21:18.210
it for those listening after the fact, it's a

00:21:18.210 --> 00:21:20.750
map of just one of those variables, which is

00:21:20.750 --> 00:21:24.309
specifically self-reported locations. As you

00:21:24.309 --> 00:21:26.650
might expect, the majority of them are in former

00:21:26.650 --> 00:21:28.930
Soviet countries, but there is just this massive

00:21:28.930 --> 00:21:32.849
geographic distribution. I think we found 177

00:21:32.849 --> 00:21:36.589
countries in all, around 5,000 of those people

00:21:36.589 --> 00:21:39.869
based in Europe. And in the interest of time,

00:21:39.890 --> 00:21:42.289
I won't show you other variables that was military

00:21:42.289 --> 00:21:44.930
unit identification. There's a field on VK where

00:21:44.930 --> 00:21:47.049
you can say where, you know, in what military

00:21:47.049 --> 00:21:50.089
unit you served. We hired a team of researchers

00:21:50.089 --> 00:21:53.190
to basically identify which of those were real

00:21:53.190 --> 00:21:55.549
existing military units, which were historical

00:21:55.549 --> 00:21:57.849
and which were fictional. People would claim

00:21:57.849 --> 00:22:01.670
to be part of Warhammer 40K and like fictional

00:22:01.670 --> 00:22:04.099
units. And then we mapped the ones that are actually

00:22:04.099 --> 00:22:06.779
existing. And long story short, we were able

00:22:06.779 --> 00:22:10.079
to identify some active duty members or service

00:22:10.079 --> 00:22:13.119
members of units in NATO countries using that

00:22:13.119 --> 00:22:18.859
method. So a couple of slides ago, Candace was

00:22:18.859 --> 00:22:20.799
showing you one network analysis that showed

00:22:20.799 --> 00:22:23.079
interlinkages as some of the central figures

00:22:23.079 --> 00:22:26.660
in these groups. What I'm now showing is sort

00:22:26.660 --> 00:22:29.660
of looks like a tangled ball of yarn. So this

00:22:29.660 --> 00:22:32.059
is one of our working network visualizations

00:22:32.059 --> 00:22:35.680
of membership links among those three main VK

00:22:35.680 --> 00:22:39.319
groups that we analyzed in 2022, which yielded

00:22:39.319 --> 00:22:42.059
some pretty interesting results. So we were able

00:22:42.059 --> 00:22:45.259
to identify highly central nodes in this network,

00:22:45.660 --> 00:22:47.599
even if they were not a member of any of those

00:22:47.599 --> 00:22:50.359
three groups. So in other words, there were VK

00:22:50.359 --> 00:22:53.180
members who had extensive friendship ties to

00:22:53.180 --> 00:22:55.420
members of these three groups, but were not themselves

00:22:55.420 --> 00:23:00.150
members, which led us to dig really deeper into

00:23:00.150 --> 00:23:03.150
some targeted profiles and yielded some interesting

00:23:03.150 --> 00:23:06.410
insights. And I will again shout out the work

00:23:06.410 --> 00:23:08.589
of the Information Competition Lab at Arizona

00:23:08.589 --> 00:23:11.069
State University, who we've worked with for many

00:23:11.069 --> 00:23:14.049
years on subjects like this and has helped us

00:23:14.049 --> 00:23:17.930
a lot with this kind of analysis. So when you

00:23:17.930 --> 00:23:20.430
put all of this together, you have data from

00:23:20.430 --> 00:23:22.869
figures that we identified through social media

00:23:22.869 --> 00:23:26.230
collection and network analysis. We had sort

00:23:26.230 --> 00:23:29.490
of a more typical OSINT collection of other public

00:23:29.490 --> 00:23:33.250
data across the web. You had public bloggers,

00:23:33.690 --> 00:23:36.170
such as these two gentlemen who are now deceased,

00:23:36.930 --> 00:23:39.170
who would often share useful information, whether

00:23:39.170 --> 00:23:42.349
or not they realized it. And this led us to identify

00:23:42.349 --> 00:23:44.750
figures of interest who we believed played a

00:23:44.750 --> 00:23:47.630
role within the recruiting and command structure

00:23:47.630 --> 00:23:51.529
and propaganda structure of this organization,

00:23:51.849 --> 00:23:53.650
specifically the Wagner Group, but also a larger

00:23:53.650 --> 00:23:56.829
network of Russian paramilitaries as well. So

00:23:56.829 --> 00:24:01.130
I joined the team in 2021, and a couple of years

00:24:01.130 --> 00:24:04.009
after that, we gained access to a cache of internal

00:24:04.009 --> 00:24:06.710
data that belonged to companies associated with

00:24:06.710 --> 00:24:09.670
Yevgeny Prigozhin. And much of what we

00:24:09.670 --> 00:24:11.589
found at that point corroborated our earlier

00:24:11.589 --> 00:24:14.670
work in terms of who we had identified that was

00:24:14.670 --> 00:24:17.130
of interest. So, you know, after collecting everything

00:24:17.130 --> 00:24:21.130
that we had, we organized it temporally, geographically.

00:24:22.109 --> 00:24:25.289
We ended up building robust dossiers, we called

00:24:25.289 --> 00:24:28.849
them, of key figures within this network. We

00:24:28.849 --> 00:24:32.170
selected people who were prominent or held command

00:24:32.170 --> 00:24:35.829
positions, but also potentially for their alleged

00:24:35.829 --> 00:24:38.740
involvement in atrocity crimes, and published

00:24:38.740 --> 00:24:41.619
a set of these, about 24 of these, about a year

00:24:41.619 --> 00:24:44.480
ago, fall of 2024. And we're continuing to work

00:24:44.480 --> 00:24:47.579
on more. The slide that I'm showing you now is

00:24:47.579 --> 00:24:50.140
one of my, I don't know if I would say favorites,

00:24:50.500 --> 00:24:54.420
but a gentleman named Vladimir Katayev, former

00:24:54.420 --> 00:24:59.480
Spetsnaz GRU, who, you know, I think he's interesting

00:24:59.480 --> 00:25:02.900
because he really shows the ability to move up

00:25:02.900 --> 00:25:07.410
the ranks. So he was like I think a platoon commander

00:25:07.410 --> 00:25:11.210
of some kind in 2017. But by the time that he

00:25:11.210 --> 00:25:15.009
was participating in the assault on Bakhmut in

00:25:15.009 --> 00:25:18.109
2023, he was one of the assault detachment commanders.

00:25:19.589 --> 00:25:21.309
Is there anything that you'd like to add to what

00:25:21.309 --> 00:25:24.730
I just said, Candice? Yeah. Well, one thing I

00:25:24.730 --> 00:25:26.230
think is interesting, I'm so glad that you picked

00:25:26.230 --> 00:25:29.049
the Kataev picture because the through line here

00:25:29.049 --> 00:25:31.950
is actually Kataev was also one of the perpetrators

00:25:32.250 --> 00:25:35.450
in the murder of Hamdi Bouta. And it was his

00:25:35.450 --> 00:25:38.950
unit. And we all discovered this later. And that

00:25:38.950 --> 00:25:40.589
was the most fantastic part about, you know,

00:25:40.650 --> 00:25:43.630
sort of doing this work over several years with

00:25:43.630 --> 00:25:45.269
different researchers kind of coming and going

00:25:45.269 --> 00:25:47.930
and helping us, but continually applying the

00:25:47.930 --> 00:25:50.250
same methodology, which is, you know, big data

00:25:50.250 --> 00:25:55.230
collection, small sort of anecdotal OSINT verification

00:25:55.230 --> 00:25:58.450
combined with network analysis, those three things.

00:25:58.730 --> 00:26:02.109
Plus, a pretty robust knowledge of sort of how

00:26:02.109 --> 00:26:04.829
the Russian military is organized, what its traditions

00:26:04.829 --> 00:26:08.309
are, and sort of digging into that helped us

00:26:08.309 --> 00:26:10.829
to kind of actually see this through line from

00:26:10.829 --> 00:26:14.990
one crime. And, you know, nobody knew that Katayev

00:26:14.990 --> 00:26:16.990
was actually involved. But it was later when

00:26:16.990 --> 00:26:19.369
we also got access to some of these leaked documents

00:26:19.369 --> 00:26:22.829
that were shared with us from our partners, C4ADS,

00:26:23.069 --> 00:26:25.950
another organization based here in DC, that we

00:26:25.950 --> 00:26:28.390
discovered actually there was a whole set of

00:26:28.390 --> 00:26:32.190
reports in which Kataev and several other members

00:26:32.190 --> 00:26:35.130
of his unit were identified as the perpetrators.

00:26:35.569 --> 00:26:39.069
So, it was both gratifying and also kind of scary,

00:26:39.210 --> 00:26:43.069
you know, the level of accuracy that we were

00:26:43.069 --> 00:26:44.930
able to kind of produce by combining all these

00:26:44.930 --> 00:26:49.269
methods was really quite powerful. And if you

00:26:49.269 --> 00:26:53.170
go online and you take a look at our site, which

00:26:53.170 --> 00:26:56.410
is still active and we're still trying to find

00:26:56.410 --> 00:26:59.730
ways to upload more information there, you'll

00:26:59.730 --> 00:27:03.750
see actually not only were we able to do a network

00:27:03.750 --> 00:27:07.369
analysis and identify individuals, we were also

00:27:07.369 --> 00:27:09.950
able to really put together with all of these

00:27:09.950 --> 00:27:12.849
details, the command structure, which when you're

00:27:12.849 --> 00:27:15.539
looking at war crimes, is extremely critical

00:27:15.539 --> 00:27:18.599
for understanding who was giving orders when

00:27:18.599 --> 00:27:21.920
atrocities occurred in a given area. In many

00:27:21.920 --> 00:27:25.839
cases, through triangulating all this data, we

00:27:25.839 --> 00:27:29.119
were able to also establish who was where when

00:27:29.119 --> 00:27:32.160
and which units. And so the dossiers are a reflection

00:27:32.160 --> 00:27:35.259
of a small batch, but in actual fact, we have

00:27:35.259 --> 00:27:39.500
a rather large database of about 13,000 personnel

00:27:39.500 --> 00:27:43.259
whose rank and their movements and their background

00:27:43.420 --> 00:27:47.960
has been all documented. The one thing I just

00:27:47.960 --> 00:27:50.380
need to say is Bellingcat has been part of this

00:27:50.380 --> 00:27:53.039
journey along the way. We've always had them

00:27:53.039 --> 00:27:55.279
as a sounding board, along with our colleagues

00:27:55.279 --> 00:28:00.599
at ASU and C4ADS. As always, OSINT is a collective

00:28:00.599 --> 00:28:05.259
action power that we all have to tap into and

00:28:05.259 --> 00:28:07.240
rely on to get the work done. Over to you, Charlie.

00:28:07.599 --> 00:28:10.279
Thank you so much for giving us a lowdown on

00:28:10.279 --> 00:28:13.549
your methodology and how you have looked into

00:28:13.549 --> 00:28:19.069
this group. There's a thousand questions in the

00:28:19.069 --> 00:28:23.109
chat, which I'm really excited to speak to you

00:28:23.109 --> 00:28:26.670
about. Tristan actually said when we were unpacking

00:28:26.670 --> 00:28:29.789
a lot of what you've been doing, collecting information

00:28:29.789 --> 00:28:32.009
like this and platforms is always a cat and mouse

00:28:32.009 --> 00:28:34.450
game. Both the platforms and the targets change

00:28:34.450 --> 00:28:36.630
their behavior and the collection has to respond

00:28:36.630 --> 00:28:39.789
in kind. One of the biggest questions that's

00:28:39.789 --> 00:28:43.680
been coming out is how do you make sure that

00:28:43.680 --> 00:28:47.859
the people that you are IDing, how do you make

00:28:47.859 --> 00:28:50.539
sure that you haven't got any false herrings?

00:28:51.119 --> 00:28:54.359
Chris asked, what percentage of profiles mapped

00:28:54.359 --> 00:28:58.519
do you expect are red herrings? How do you confirm

00:28:58.519 --> 00:29:01.759
those IDs? Yeah, well, a lot of work has gone

00:29:01.759 --> 00:29:04.420
into the dossiers in particular, I will say,

00:29:04.559 --> 00:29:07.809
and they're I guess there's a distinction and

00:29:07.809 --> 00:29:10.589
Ben can talk a little bit about kind of the mechanics

00:29:10.589 --> 00:29:16.789
of doing transforming raw data from leak files

00:29:16.789 --> 00:29:21.029
that shows a pattern of command structure versus

00:29:21.029 --> 00:29:26.829
looking at where people were when. So, when we

00:29:26.829 --> 00:29:28.990
take the dossiers, what we're really doing is

00:29:28.990 --> 00:29:31.769
kind of scissoring down like through the network,

00:29:31.809 --> 00:29:33.549
almost like taking a piece of the spider web

00:29:33.549 --> 00:29:36.279
and then putting it under microscope, and saying,

00:29:36.519 --> 00:29:40.480
OK, what do we know about this individual that's

00:29:40.480 --> 00:29:42.359
in the public sphere? So we do all the normal

00:29:42.359 --> 00:29:47.200
things. We look for corporate registration information,

00:29:47.519 --> 00:29:53.319
tax IDs, matching birth dates. We look for their

00:29:53.319 --> 00:29:56.640
own social media profiles, which oftentimes many

00:29:56.640 --> 00:30:01.000
of them were still live. Or interestingly, not

00:30:01.000 --> 00:30:03.839
surprisingly, the community of OSINT, who's very

00:30:03.839 --> 00:30:05.640
interested in the Wagner Group, had spent a lot

00:30:05.640 --> 00:30:08.960
of time archiving also some of these live profiles

00:30:08.960 --> 00:30:13.059
that were very popular and well known. And in

00:30:13.059 --> 00:30:15.359
addition to that, medals were also handed out

00:30:15.359 --> 00:30:18.099
to individuals in many cases from the Kremlin.

00:30:18.519 --> 00:30:21.680
And so we could also check sort of the official

00:30:21.680 --> 00:30:24.819
register to see, you know, which medals were

00:30:24.819 --> 00:30:29.210
handed out when. And actually we had a researcher

00:30:29.210 --> 00:30:32.829
from Stanford University, a fantastic statistician

00:30:32.829 --> 00:30:35.829
and data analyst who helped us kind of build

00:30:35.829 --> 00:30:38.650
a verification for our data set. And Ben will

00:30:38.650 --> 00:30:40.569
talk a little bit more about the technical aspects.

00:30:41.930 --> 00:30:47.089
Yeah. So I should note that things that are just

00:30:47.089 --> 00:30:50.259
purely social media data, we would not... publish

00:30:50.259 --> 00:30:52.660
personally identifying information without extensive

00:30:52.660 --> 00:30:55.779
corroboration from other sources. So when I showed

00:30:55.779 --> 00:30:58.680
that map earlier that showed the geographic distribution

00:30:58.680 --> 00:31:02.539
of members from these groups of interest, that

00:31:02.539 --> 00:31:04.339
was not identifying who they were individually.

00:31:04.339 --> 00:31:06.500
It was only identifying the geographic locations.

00:31:07.559 --> 00:31:10.519
Whereas when we identify a specific person, like

00:31:10.519 --> 00:31:12.259
the Katayev figure, that has been extensively

00:31:12.259 --> 00:31:15.880
corroborated with, obviously, their online activities,

00:31:15.960 --> 00:31:19.200
but also internal documentation. And by the time

00:31:19.200 --> 00:31:20.980
that actually we were, we published this, he

00:31:20.980 --> 00:31:22.900
was already essentially a quasi public figure

00:31:22.900 --> 00:31:24.960
because there were like news reports about him.

00:31:25.539 --> 00:31:28.779
Um, in terms of, yeah. So Candice mentioned we

00:31:28.779 --> 00:31:31.980
have this, um, this dataset of Wagner Group personnel,

00:31:31.980 --> 00:31:36.019
um, going from all the way back to 2014 up to,

00:31:36.019 --> 00:31:41.740
uh, I think it's 2022. Um, and for that, you

00:31:41.740 --> 00:31:44.420
know, this is basically, uh, you know, diskewing

00:31:44.420 --> 00:31:48.440
their own internal personnel lists into a highly

00:31:48.440 --> 00:31:52.039
organized and structured data set. And so the

00:31:52.039 --> 00:31:54.859
data is coming directly from companies that are

00:31:54.859 --> 00:31:57.119
associated with or were associated with Yevgeny

00:31:57.119 --> 00:32:02.559
Prigozhin. And that's the corroboration that

00:32:02.559 --> 00:32:04.279
we're looking for and that we've gotten. But

00:32:04.279 --> 00:32:05.859
even in that case, we've not made that data set

00:32:05.859 --> 00:32:09.640
public. So it's not freely available on the internet,

00:32:09.640 --> 00:32:11.380
because again, it contains an enormous amount

00:32:11.380 --> 00:32:13.430
of personally identifying information. The people

00:32:13.430 --> 00:32:16.670
who we explicitly identify publicly are like

00:32:16.670 --> 00:32:19.710
sort of the crème de la crème in terms of corroboration

00:32:19.710 --> 00:32:22.849
and involvement in these activities. Absolutely.

00:32:23.230 --> 00:32:26.390
And corroboration is super important when it comes

00:32:26.390 --> 00:32:29.569
to identification. As you mentioned, there's

00:32:29.569 --> 00:32:31.789
been a couple of people asking about what you

00:32:31.789 --> 00:32:35.809
do if you find that when you're tracking someone

00:32:35.809 --> 00:32:38.690
across profiles, that they've got different usernames

00:32:38.690 --> 00:32:41.349
on different platforms. It's very common. Often

00:32:41.349 --> 00:32:43.670
people spell their name differently as well.

00:32:44.410 --> 00:32:47.289
What kind of techniques have you found across

00:32:47.289 --> 00:32:51.369
platforms from this particular group when they're

00:32:51.369 --> 00:32:56.130
trying to maybe hide who they are or obscure

00:32:56.130 --> 00:32:59.950
the ability to trace them? Being a member of

00:32:59.950 --> 00:33:03.049
a paramilitary organization or any organization

00:33:03.049 --> 00:33:09.400
that systematically uses violence for enhancement

00:33:09.400 --> 00:33:14.039
of their own influence. Even in secret organizations,

00:33:14.339 --> 00:33:18.500
there's a lot of flexing within their own networks.

00:33:18.960 --> 00:33:21.019
So, by that I mean there's kind of like a lot

00:33:21.019 --> 00:33:23.900
of symbology, there's a lot of bragging, there's

00:33:23.900 --> 00:33:26.880
a lot of, you know, seemingly secret chatting.

00:33:28.099 --> 00:33:31.420
I'll just give you one example. So, Rusich is

00:33:31.420 --> 00:33:33.640
a fantastic example. We have a colleague who

00:33:33.640 --> 00:33:35.900
was extremely obsessed, probably still is extremely

00:33:35.900 --> 00:33:39.319
obsessed with Rusich, and following the Instagram

00:33:39.319 --> 00:33:43.160
account of Rusich, which was live up until about

00:33:43.160 --> 00:33:49.140
2019-2021, actually, and sort of had gone up

00:33:49.140 --> 00:33:51.059
and down, but was like the most active way to

00:33:51.059 --> 00:33:53.900
see what was going on with Rusich. And one of

00:33:53.900 --> 00:33:57.420
the habits that they had was putting information

00:33:57.420 --> 00:34:01.619
in kind of a coded chat to each other, sometimes

00:34:01.619 --> 00:34:05.259
using, you know, poetry from the Poetic Edda,

00:34:05.259 --> 00:34:09.820
which is this sort of Viking era poetic epic.

00:34:11.179 --> 00:34:14.940
But then also using slang that actually most

00:34:14.940 --> 00:34:18.880
of the slang comes from military culture and

00:34:18.880 --> 00:34:21.400
particularly very specific military culture.

00:34:22.199 --> 00:34:24.059
Just like the special forces in the United States

00:34:24.059 --> 00:34:26.519
have a certain way of talking, so do the airborne

00:34:26.519 --> 00:34:29.619
forces of Russia. And the vast majority of the

00:34:29.619 --> 00:34:33.260
most active and most kind of high profile members

00:34:33.260 --> 00:34:36.349
of Wagner and Rusich came from the Airborne Forces

00:34:36.349 --> 00:34:40.610
or Spetsnaz or both. And that's stuff that you

00:34:40.610 --> 00:34:44.250
just have to kind of study. But one thing that

00:34:44.250 --> 00:34:47.429
happens oftentimes is because they're so enmeshed

00:34:47.429 --> 00:34:50.630
in that culture, even when they want to separate

00:34:50.630 --> 00:34:53.230
themselves by like having different aliases,

00:34:53.530 --> 00:34:56.090
almost always there's some sort of weird signature

00:34:56.090 --> 00:34:59.210
overlap. You know, because a lot of them are

00:34:59.210 --> 00:35:01.550
Nazis, just as an example, you might see the

00:35:01.550 --> 00:35:05.090
number 88 come up quite a few times, right? You

00:35:05.090 --> 00:35:07.409
know, there are other things that are just such,

00:35:07.610 --> 00:35:10.349
you know, if you spend too much time in these

00:35:10.349 --> 00:35:12.250
far-right circles, you kind of start to recognize

00:35:12.250 --> 00:35:15.269
them and you can see the links between them.

00:35:15.530 --> 00:35:17.750
And then again, I just want to, you know, commend

00:35:17.750 --> 00:35:19.610
all the people out there who are doing such a

00:35:19.610 --> 00:35:22.130
good job of archiving a lot of this material.

00:35:22.550 --> 00:35:24.789
And the other places that we don't talk about

00:35:24.789 --> 00:35:27.150
very much but are kind of important to recognize

00:35:27.150 --> 00:35:30.809
are the kind of weird dead bases of the internet,

00:35:31.230 --> 00:35:35.349
like .su, which is the Soviet Union, the old,

00:35:35.349 --> 00:35:38.789
you know, domain area for the Soviet Union. That's

00:35:38.789 --> 00:35:41.650
where a lot of far right, ultra nationalist conversation

00:35:41.650 --> 00:35:43.929
goes on. And that's where you can do a lot of

00:35:43.929 --> 00:35:47.190
verification of how people change their identities

00:35:47.190 --> 00:35:49.909
over time based on the kind of symbology that's

00:35:49.909 --> 00:35:52.110
been used there. Probably Ben has some other

00:35:52.110 --> 00:35:54.829
tips too. Well, yeah, I mean, and this might

00:35:54.829 --> 00:35:57.170
seem a little bit obvious, but like, so on both

00:35:57.170 --> 00:35:58.969
VK and Telegram, which are the two still the

00:35:58.969 --> 00:36:00.750
two main platforms that I think that we monitor

00:36:00.750 --> 00:36:05.949
most closely, these groups, they have a dual

00:36:05.949 --> 00:36:09.429
purpose, where they're public-facing in the

00:36:09.429 --> 00:36:11.449
sense that they serve a propaganda function,

00:36:11.650 --> 00:36:13.590
they serve a recruitment function, sometimes

00:36:13.590 --> 00:36:16.530
they're being used for crowdfunding. But at the

00:36:16.530 --> 00:36:20.369
same time, they're important for internal purposes,

00:36:20.670 --> 00:36:22.929
to form a sort of internal culture and internal

00:36:22.929 --> 00:36:26.929
coordination. And so they're public, but they're

00:36:26.929 --> 00:36:29.579
quasi-public, right? Um, and because of that,

00:36:29.760 --> 00:36:31.860
we also understand they all exist on like the

00:36:31.860 --> 00:36:34.679
knife edge being banned at any moment. Um, and

00:36:34.679 --> 00:36:37.260
so they will often have one or more backup groups

00:36:37.260 --> 00:36:39.239
that they will fall back to if their account

00:36:39.239 --> 00:36:43.119
is banned. And, uh, if you just like get really

00:36:43.119 --> 00:36:45.039
obsessive and spend an enormous amount of time

00:36:45.039 --> 00:36:47.539
in these communities, you, you effectively, you

00:36:47.539 --> 00:36:49.500
know, you'll have as much information about their

00:36:49.500 --> 00:36:52.019
online structure as the, as the members themselves

00:36:52.019 --> 00:36:55.159
do such that, so just to pick one example, um,

00:36:55.639 --> 00:36:57.500
we've been talking a lot about Rusich. They

00:36:57.500 --> 00:37:00.420
had a Telegram channel that I'm going to get

00:37:00.420 --> 00:37:01.639
the dates wrong because it's been a couple of

00:37:01.639 --> 00:37:04.260
years now. But back in the fall of, I want to

00:37:04.260 --> 00:37:08.000
say 2023, it was banned because they posted explicit

00:37:08.000 --> 00:37:10.199
instructions for like how to torture prisoners

00:37:10.199 --> 00:37:12.840
of war and then extort their family members for

00:37:12.840 --> 00:37:18.420
Bitcoin by like, you know, holding the location

00:37:18.420 --> 00:37:20.519
of where the body was buried. And this was too

00:37:20.519 --> 00:37:23.059
much even for Telegram. And within 24 hours,

00:37:23.360 --> 00:37:26.210
the channel was banned. Um, but they had, you

00:37:26.210 --> 00:37:28.469
know, usage too, that they had already created

00:37:28.469 --> 00:37:30.530
that stood up, um, immediately. And so they,

00:37:30.530 --> 00:37:32.469
you know, operations continued right back at

00:37:32.469 --> 00:37:34.949
it. And, um, that's maybe not the best example

00:37:34.949 --> 00:37:36.989
because Rusich is like pretty, you know, prominent

00:37:36.989 --> 00:37:38.590
on Telegram. It's not hard to find them, but

00:37:38.590 --> 00:37:40.789
like, it's a, it's a, it's a consistent pattern.

00:37:40.949 --> 00:37:43.329
Um, and if you just are really obsessed and spend

00:37:43.329 --> 00:37:45.610
a huge amount of time watching them, you will

00:37:45.610 --> 00:37:47.789
be able to know about all of their little backup

00:37:47.789 --> 00:37:50.449
and, you know, monitoring can just like continue

00:37:50.449 --> 00:37:52.820
as seamlessly as their operations do. We often,

00:37:52.940 --> 00:37:55.099
whenever we're talking about network analysis

00:37:55.099 --> 00:37:58.300
and particularly identifying individual people,

00:37:58.460 --> 00:38:02.280
often we speak about the ethics of maybe infiltrating

00:38:02.280 --> 00:38:06.920
kind of closed groups or what's the difference

00:38:06.920 --> 00:38:10.059
between monitoring afar and then also kind of

00:38:10.059 --> 00:38:13.619
friending or befriending people on platforms

00:38:13.619 --> 00:38:15.820
so that you can monitor their profiles using

00:38:15.820 --> 00:38:18.260
a sock puppet. How do you kind of balance those

00:38:18.260 --> 00:38:22.019
ethical arguments within your research? Yeah,

00:38:22.019 --> 00:38:24.000
well, I mean, I think everybody wrestles with

00:38:24.000 --> 00:38:27.099
those things. And I think as the field has evolved,

00:38:27.579 --> 00:38:30.619
and also platforms have kind of evolved, as we've

00:38:30.619 --> 00:38:33.380
been talking about, you have to evolve your own

00:38:33.380 --> 00:38:35.880
ethics, of course. But generally speaking, you

00:38:35.880 --> 00:38:37.760
know, of course, I always had a lot of young

00:38:37.760 --> 00:38:39.559
students who were, you know, helping with the

00:38:39.559 --> 00:38:42.760
research. People were much more computer savvy

00:38:42.760 --> 00:38:45.519
than I am, who wanted to kind of engage with

00:38:45.519 --> 00:38:49.280
these guys. And I had to explain, you can look,

00:38:49.559 --> 00:38:52.409
but don't touch. And that was like kind of a

00:38:52.409 --> 00:38:55.510
rule of thumb for all of us, largely to protect

00:38:55.510 --> 00:39:00.150
us in our own security, because this is an organization

00:39:00.150 --> 00:39:03.869
or sort of a network of organizations that is

00:39:03.869 --> 00:39:06.650
very bent on vengeance and targeting people.

00:39:07.130 --> 00:39:10.449
And of course, they're connected, broadly speaking,

00:39:10.530 --> 00:39:14.190
they were connected to Yevgeny Prigozhin's various

00:39:14.190 --> 00:39:16.570
media enterprises and propaganda enterprises,

00:39:17.010 --> 00:39:19.800
most notably the Internet Research Agency, which,

00:39:19.800 --> 00:39:23.079
you know, has a legendary hacking capacity and

00:39:23.079 --> 00:39:26.320
trolling capacity. And still to this day, actively

00:39:26.320 --> 00:39:29.239
does a lot of trolling of individuals who study

00:39:29.239 --> 00:39:32.260
and work on the Wagner Group or look at, you

00:39:32.260 --> 00:39:34.519
know, some Russian propaganda and ultranationalism.

00:39:34.920 --> 00:39:37.960
So, for us, it was kind of a hardbound rule that,

00:39:37.960 --> 00:39:39.800
you know, we were not to engage. Of course, we

00:39:39.800 --> 00:39:42.599
use sock puppets, you know, to constantly do

00:39:42.599 --> 00:39:46.159
our monitoring. And we were very regular about

00:39:46.159 --> 00:39:49.769
it. In terms of... And we never did any sort

00:39:49.769 --> 00:39:52.170
of hacking, you know, there was no, that's also

00:39:52.170 --> 00:39:55.389
a no-go zone for us. We want to stay within

00:39:55.389 --> 00:39:58.130
the bounds of the law and sort of ethical standards

00:39:58.130 --> 00:40:00.829
as best we can so that the work can actually

00:40:00.829 --> 00:40:03.570
do the good it's meant to do, which is to expose

00:40:03.570 --> 00:40:06.449
perpetrators of war crimes and atrocity violence.

00:40:07.250 --> 00:40:09.570
I guess the follow-up question there, as Chris

00:40:09.570 --> 00:40:11.469
has just asked in the chat, is what are your

00:40:11.469 --> 00:40:15.190
top tips for OPSEC? What are the... steps that

00:40:15.190 --> 00:40:16.889
you take to protect yourselves? Well, they're

00:40:16.889 --> 00:40:19.409
the basics. I mean, obviously, you know, if you're

00:40:19.409 --> 00:40:21.449
going to be monitoring on social media, always

00:40:21.449 --> 00:40:24.469
better to do it with sock puppet. Good to rotate

00:40:24.469 --> 00:40:27.769
your sock puppets as well. Keep them active and

00:40:27.769 --> 00:40:30.250
alive and looking like they're engaged so they

00:40:30.250 --> 00:40:32.369
don't look like sort of zombies that are sort

00:40:32.369 --> 00:40:34.690
of trawling around on the platform. Try and make

00:40:34.690 --> 00:40:37.750
them to some degree fit with the culture that

00:40:37.750 --> 00:40:40.730
you're looking at. So you can sort of camouflage

00:40:40.730 --> 00:40:43.869
yourself. You shouldn't be sort of, you know,

00:40:43.880 --> 00:40:46.300
wearing maybe like a rainbow flag if you're entering

00:40:46.300 --> 00:40:48.539
an ultra-nationalist right-wing space. As an

00:40:48.539 --> 00:40:50.260
example, right, that shouldn't be your sock puppet

00:40:50.260 --> 00:40:52.960
identity because that will immediately attract

00:40:52.960 --> 00:40:56.679
attention. So trying to blend in is really important.

00:40:57.039 --> 00:41:00.480
Using a VPN, critical, must do it all the time.

00:41:00.900 --> 00:41:04.380
We use burner phones, as many people do, for

00:41:04.380 --> 00:41:06.719
a lot of our interactions. So as an example,

00:41:06.719 --> 00:41:09.340
I don't have Telegram or VKontakte on my phone.

00:41:10.019 --> 00:41:12.280
I usually have another phone for that so that

00:41:12.280 --> 00:41:14.869
I don't have any crossover between my personal

00:41:14.869 --> 00:41:18.369
or professional life and the research and investigation

00:41:18.369 --> 00:41:22.269
I'm doing. And we, you know, we don't really

00:41:22.269 --> 00:41:23.570
talk about what we're doing until after we're

00:41:23.570 --> 00:41:26.869
done doing it. And so we oftentimes work with,

00:41:26.869 --> 00:41:30.130
you know, sometimes as many as, you know, 12,

00:41:30.150 --> 00:41:33.090
15 different sort of student researchers or faculty

00:41:33.090 --> 00:41:36.110
researchers or people that we're sort of in collaboration

00:41:36.110 --> 00:41:39.420
with. And I think, you know, we've done a relatively

00:41:39.420 --> 00:41:42.579
pretty good job of sort of minding our P's and

00:41:42.579 --> 00:41:45.079
Q's when it comes to just being quiet about the

00:41:45.079 --> 00:41:47.500
work that we're doing. No point in bragging about

00:41:47.500 --> 00:41:50.440
it because there's nothing to show then. So,

00:41:50.539 --> 00:41:53.980
and in fact, this isn't really sort of an enterprise,

00:41:54.039 --> 00:41:56.219
I think, that really is good for bragging. I

00:41:56.219 --> 00:41:58.320
think there's just, you know, the work requires

00:41:58.320 --> 00:42:00.800
a certain amount of humbleness because you can

00:42:00.800 --> 00:42:02.860
also make a mistake. And I think you also have

00:42:02.860 --> 00:42:04.420
to recognize that on some level. I'm sure Ben

00:42:04.420 --> 00:42:07.349
has some other tips too. Yeah, I mean we also

00:42:07.349 --> 00:42:10.429
in addition to burner phones we've used for

00:42:10.429 --> 00:42:13.010
burner air gap laptops. Occasionally over the

00:42:13.010 --> 00:42:15.590
years we've gotten, I guess you could call like

00:42:15.590 --> 00:42:18.610
external hard drives of dubious origin that you

00:42:18.610 --> 00:42:20.269
don't want to just like plug into your regular

00:42:20.269 --> 00:42:21.989
device for pretty obvious reasons. And so that

00:42:21.989 --> 00:42:25.090
we have a sort of sacrificial lamb laptop that

00:42:25.090 --> 00:42:29.829
you could use for that. This another one more

00:42:29.829 --> 00:42:31.690
thing that I think speaks to a question like

00:42:31.690 --> 00:42:34.170
one or two questions ago, which is that if we're

00:42:34.170 --> 00:42:36.530
publishing like a major report, um, on a, on

00:42:36.530 --> 00:42:41.530
a public figure, um, we will, you know, do traditional

00:42:41.530 --> 00:42:44.769
journalistic diligence and, and ask for, um,

00:42:44.869 --> 00:42:48.050
comment. And that usually does not, you know,

00:42:48.110 --> 00:42:49.750
usually they're not interested in speaking to

00:42:49.750 --> 00:42:52.869
us, but there is a stage right before one of

00:42:52.869 --> 00:42:55.130
the last stages, uh, before going live where

00:42:55.130 --> 00:42:58.349
we will do that. Right. So that's sort of part

00:42:58.349 --> 00:43:00.969
of the, the basic ethics of doing an investigation.

00:43:01.409 --> 00:43:03.769
Yeah. Just circling back to kind of techniques

00:43:03.769 --> 00:43:06.570
that the groups also use to try and obscure their

00:43:06.570 --> 00:43:10.190
identities. Somebody mentioned earlier, you know,

00:43:10.949 --> 00:43:13.010
how Rusich seemingly intentionally time-lags

00:43:13.010 --> 00:43:15.429
location-based content posted to its Telegram

00:43:15.429 --> 00:43:18.789
channel. Does that happen on VK as well? I think

00:43:18.789 --> 00:43:21.449
in those cases, chronolocation becomes a skill

00:43:21.449 --> 00:43:25.150
that is absolutely paramount. It takes time and

00:43:25.150 --> 00:43:28.360
effort. Um, but that's where you don't just rely

00:43:28.360 --> 00:43:31.260
on the time tag of when something was posted,

00:43:31.260 --> 00:43:33.920
you're constantly checking, um, if you can

00:43:33.920 --> 00:43:36.260
geolocate and then chronolocate particular imagery

00:43:36.260 --> 00:43:38.880
or videos, for example. Um, I don't know if you

00:43:38.880 --> 00:43:40.480
have anything else to add to that particular

00:43:40.480 --> 00:43:43.099
point before we move on in terms of ways that

00:43:43.099 --> 00:43:45.920
people obscure information online. Um, yeah,

00:43:45.920 --> 00:43:48.320
I'll just say a few words. Uh, but Rusich absolutely

00:43:48.320 --> 00:43:50.820
does this all the time. Uh, they're kind of notorious.

00:43:51.000 --> 00:43:52.940
They have seemingly just like an inexhaustible

00:43:52.940 --> 00:43:56.769
archive. Um, that they will post from all the

00:43:56.769 --> 00:43:59.250
way back to like, you know, here's Milchakov

00:43:59.250 --> 00:44:04.590
in Syria in 2017, or here's where we were in

00:44:04.590 --> 00:44:08.090
Ukraine circa, you know, late 2022. And they'll

00:44:08.090 --> 00:44:09.789
often actually identify it with like the location

00:44:09.789 --> 00:44:12.949
and time, which, you know, you can't really take

00:44:12.949 --> 00:44:15.550
their word for. Or, you know, alternately, they'll

00:44:15.550 --> 00:44:19.150
post without any kind of identifying information.

00:44:19.889 --> 00:44:22.190
I think that in general, they're pretty careful

00:44:22.190 --> 00:44:23.909
and pretty good about not revealing anything.

00:44:24.059 --> 00:44:26.340
Um, that would give away their current operations

00:44:26.340 --> 00:44:27.920
or at least their operator, you know, in anything

00:44:27.920 --> 00:44:31.300
that could affect their ongoing operations. Um,

00:44:32.119 --> 00:44:34.320
just to, yeah, just to, you know, I'll agree

00:44:34.320 --> 00:44:35.820
with the point that you made that you have to

00:44:35.820 --> 00:44:38.440
do a lot of due diligence to actually confirm

00:44:38.440 --> 00:44:40.940
that the thing that they're showing you, um,

00:44:41.219 --> 00:44:43.880
is from the time and place that they're claiming

00:44:43.880 --> 00:44:46.079
that it's from. Yeah. Don't just take their word

00:44:46.079 --> 00:44:50.039
for it. Circling back to the tool that you mentioned,

00:44:50.099 --> 00:44:52.900
we've had a lot of questions on that. A lot of

00:44:52.900 --> 00:44:55.159
people are interested in it, as you can imagine.

00:44:55.880 --> 00:44:59.179
Is it open source? Is it available anywhere?

00:44:59.440 --> 00:45:01.199
There's been a lot of people searching for it

00:45:01.199 --> 00:45:04.059
on GitHub, for example. Can you tell us a little

00:45:04.059 --> 00:45:07.579
bit about the development of the tool? If it's

00:45:07.579 --> 00:45:11.199
open source, where is it? And if it's not, how

00:45:11.199 --> 00:45:14.619
come and is there a plan to do so? I knew this

00:45:14.619 --> 00:45:18.519
question would come. I do believe the actual

00:45:18.519 --> 00:45:23.519
original code is somewhere in GitHub. And perhaps

00:45:23.519 --> 00:45:26.199
after the fact, we might find a way to share

00:45:26.199 --> 00:45:31.000
that. Our code is updated and cleaned and refined

00:45:31.000 --> 00:45:35.980
for location accuracy. We haven't put it online

00:45:35.980 --> 00:45:39.340
or made it open source yet. Again, for some of

00:45:39.340 --> 00:45:41.139
the same reasons that we're a little bit sort

00:45:41.139 --> 00:45:43.840
of nervous about sharing some of the data that

00:45:43.840 --> 00:45:47.659
we have. We're trying to sort of wind our way,

00:45:47.760 --> 00:45:50.719
and I think we probably will find a way to make

00:45:50.719 --> 00:45:54.000
a lot of our tools, techniques, and data more

00:45:54.000 --> 00:45:57.320
accessible, likely on a tiered basis. Again,

00:45:57.340 --> 00:45:59.340
because this is really sensitive information

00:45:59.340 --> 00:46:04.219
that we are hoping will inform war crimes investigations

00:46:04.219 --> 00:46:06.699
that are ongoing. Not only in Ukraine, I just

00:46:06.699 --> 00:46:08.980
want to mention there are places in the world

00:46:08.980 --> 00:46:12.559
where Wagner and Rusich have operated where there

00:46:12.559 --> 00:46:14.840
aren't a lot of human rights defenders out there.

00:46:15.119 --> 00:46:17.380
So Mali is a great example. Syria is another

00:46:17.380 --> 00:46:21.139
good example. And yet there is, I think, an appetite

00:46:21.139 --> 00:46:24.480
still to see some justice brought. And I guess

00:46:24.480 --> 00:46:26.800
that's why we're a little bit cautious about

00:46:26.800 --> 00:46:30.099
being too open with our tools and methods and

00:46:30.099 --> 00:46:34.219
data. However, in certain settings, we are happy

00:46:34.219 --> 00:46:36.550
to share with certain types of folks who are

00:46:36.550 --> 00:46:38.230
kind of interested in that particular type of

00:46:38.230 --> 00:46:41.230
work. So yeah, the version, the original code

00:46:41.230 --> 00:46:47.769
does exist somewhere on GitHub in the pre-modified

00:46:47.769 --> 00:46:52.130
version, but in order for it to work functionally

00:46:52.130 --> 00:46:54.630
today, you'd have to make pretty extensive changes

00:46:54.630 --> 00:46:57.570
to it, both the ones that we made, but also literally

00:46:57.570 --> 00:47:00.250
just to like update it to work with VK's existing

00:47:00.250 --> 00:47:03.780
modern API, which changes all the time. The first

00:47:03.780 --> 00:47:07.400
version was just a week or two. We had some very,

00:47:07.400 --> 00:47:11.119
very clever mathematicians and computer scientists

00:47:11.119 --> 00:47:15.119
on our team who managed to tweak it. But Ben

00:47:15.119 --> 00:47:17.820
has progressively tweaked it again and again

00:47:17.820 --> 00:47:21.280
as the API has changed, as platform rules have

00:47:21.280 --> 00:47:23.679
changed. So it's one of those tools that has

00:47:23.679 --> 00:47:26.480
to be constantly updated. Gio Crow has just asked,

00:47:26.539 --> 00:47:28.980
what is the name of the GitHub project? I'm guessing

00:47:28.980 --> 00:47:31.280
you don't know from the original source code.

00:47:31.789 --> 00:47:34.329
I'm sure we have it somewhere. If we can find

00:47:34.329 --> 00:47:36.630
a way to share it, we will. Fabulous. Is there

00:47:36.630 --> 00:47:39.829
any tools that you would recommend outside of

00:47:39.829 --> 00:47:43.090
the ghost track tool that kind of do similar

00:47:43.090 --> 00:47:46.190
functions or are useful at least for searching

00:47:46.190 --> 00:47:51.730
telegram connections or VK connections? So I

00:47:51.730 --> 00:47:53.989
have this dream. This doesn't exist yet as far

00:47:53.989 --> 00:47:55.190
as I can tell, but it's something that I would

00:47:55.190 --> 00:47:59.460
love to see built, which is something that would

00:47:59.460 --> 00:48:02.300
do something similar for Telegram. Now, you can't

00:48:02.300 --> 00:48:04.900
build something that just like searches for geotagged

00:48:04.900 --> 00:48:07.280
content on Telegram the same way, because almost

00:48:07.280 --> 00:48:11.039
nobody posts geotagged content on Telegram. But

00:48:11.039 --> 00:48:14.539
one idea I had was, especially in parts of the

00:48:14.539 --> 00:48:18.300
world that are relatively less dense and more

00:48:18.300 --> 00:48:22.380
remote, like for example, a relatively undeveloped

00:48:22.380 --> 00:48:24.340
part of Mali or the Central African Republic,

00:48:24.880 --> 00:48:27.650
a tool that like the ghost tracker that we showed,

00:48:27.829 --> 00:48:30.210
draws a bounding box around a geographic area

00:48:30.210 --> 00:48:33.929
and then searches for recent posts that mention

00:48:33.929 --> 00:48:37.889
community names, drawing from like OpenStreetMap

00:48:37.889 --> 00:48:42.130
data within that area in a variety of languages.

00:48:42.389 --> 00:48:44.809
So like Russian, English, Arabic, et cetera,

00:48:45.389 --> 00:48:47.489
which could be a way of sort of like fishing

00:48:47.489 --> 00:48:50.429
around for interesting posts and identifying

00:48:50.429 --> 00:48:52.710
channels on telegram that you might not have

00:48:52.710 --> 00:48:56.849
been aware of previously that are posting content

00:48:56.849 --> 00:49:00.030
on that. And if anybody out there has the technical

00:49:00.030 --> 00:49:01.789
chops to build something like that, I would love

00:49:01.789 --> 00:49:06.369
to see your work. Yeah, other tools I would just

00:49:06.369 --> 00:49:07.869
mention, and these are things that actually,

00:49:08.130 --> 00:49:11.269
I mean, I'm pretty sure our methods are replicable

00:49:11.269 --> 00:49:13.769
because we've had to reiterate them over and

00:49:13.769 --> 00:49:17.610
over. But I certainly think if you're scraping

00:49:17.610 --> 00:49:20.369
data, particularly social media accounts, but

00:49:20.369 --> 00:49:22.789
I would say exclusively, I would say there are

00:49:22.789 --> 00:49:26.570
other kinds of data, too, where you can create

00:49:26.570 --> 00:49:29.389
a searchability and connectivity capacity there.

00:49:29.869 --> 00:49:32.170
So doing network analysis, for instance, on social

00:49:32.170 --> 00:49:35.510
ties or common characteristics and attributes.

00:49:35.949 --> 00:49:39.050
But also, again, the Information Competition

00:49:39.050 --> 00:49:41.750
Lab has been extremely helpful. Some of the work

00:49:41.750 --> 00:49:44.489
that we did, for instance, on the January 6th

00:49:44.489 --> 00:49:47.530
Parler data that was released very shortly after

00:49:47.530 --> 00:49:53.039
the riots on Capitol Hill here in DC, was really

00:49:53.039 --> 00:49:57.099
facilitated by the creation of essentially a

00:49:57.099 --> 00:50:01.699
SQL database that allows us to dump open data

00:50:01.699 --> 00:50:07.480
into it and then search it by text and number

00:50:07.480 --> 00:50:11.139
and moniker. Those are things that actually can

00:50:11.139 --> 00:50:13.719
be replicated, I think, with relative ease, especially

00:50:13.719 --> 00:50:17.780
now with the support of AI. And again, if we

00:50:17.780 --> 00:50:21.130
get time, and some sort of support out there

00:50:21.130 --> 00:50:24.150
in the world to continue doing our work. We could

00:50:24.150 --> 00:50:26.449
probably come back and kind of share some, just

00:50:26.449 --> 00:50:28.369
some tips on specifically how to do that. And

00:50:28.369 --> 00:50:31.550
maybe invite our colleagues from the ASU lab

00:50:31.550 --> 00:50:35.170
to join us. That sounds amazing. Saiva has put

00:50:35.170 --> 00:50:37.690
in a really good PSA though in the chat. Fair

00:50:37.690 --> 00:50:41.070
warning to any budding code developers. Any trolling

00:50:41.070 --> 00:50:43.429
tool has a high chance of leaving a significant

00:50:43.429 --> 00:50:46.360
footprint on the platform you're accessing, which

00:50:46.360 --> 00:50:48.219
means your activity could be tracked back to

00:50:48.219 --> 00:50:50.280
you and used maliciously. So please, please be

00:50:50.280 --> 00:50:55.360
careful if you are building tools to do such

00:50:55.360 --> 00:50:59.260
a job. Yeah, 100% on that. I just want to say

00:50:59.260 --> 00:51:02.199
the tools I'm mentioning, especially, you know,

00:51:02.420 --> 00:51:06.179
kind of these specialized search tools for particular

00:51:06.179 --> 00:51:08.280
data, all of that's happening in a virtual machine.

00:51:09.019 --> 00:51:11.460
So really important to work in a virtual machine

00:51:11.460 --> 00:51:13.800
or in a virtual environment that is shielded

00:51:13.800 --> 00:51:17.739
and not connected to your target. Absolutely.

00:51:18.079 --> 00:51:20.679
I also noted in the chat, if you're interested

00:51:20.679 --> 00:51:23.320
in this specific discussion, you might want to

00:51:23.320 --> 00:51:25.260
check out our previous discussion with the All

00:51:25.260 --> 00:51:29.440
Eyes on Wagner team. They talked about monitoring

00:51:29.440 --> 00:51:33.360
Wagner mercenaries in Africa. So you can look

00:51:33.360 --> 00:51:36.760
at that conversation, if you would like, on our

00:51:36.760 --> 00:51:40.000
RSS feed or on any podcast platform by searching

00:51:40.000 --> 00:51:41.800
Stage Talks with Bellingcat. We've only got

00:51:41.800 --> 00:51:45.139
five minutes left, which is a shame because there's

00:51:45.139 --> 00:51:48.699
so many more questions in the chat. Guys asked

00:51:48.699 --> 00:51:51.900
earlier, are there any best practices you can

00:51:51.900 --> 00:51:54.480
identify in regards to extracting an accurate

00:51:54.480 --> 00:51:57.559
and credible pattern of life from web data, especially

00:51:57.559 --> 00:52:00.719
in the context of the platform and community?

00:52:00.900 --> 00:52:03.159
I mean, I think it's really specific to the community.

00:52:03.380 --> 00:52:08.570
I have to say that this is such a specialized

00:52:08.570 --> 00:52:12.949
community, and yet the signature of how they

00:52:12.949 --> 00:52:16.409
kind of tend to act and to flex and to communicate

00:52:16.409 --> 00:52:21.329
does have a lot of transferability. So for instance,

00:52:21.349 --> 00:52:23.329
we've looked at others of American far-right

00:52:23.329 --> 00:52:27.050
groups that have kind of similar ways of communicating

00:52:27.050 --> 00:52:30.489
with each other. And I guess as a result of a

00:52:30.489 --> 00:52:33.510
lot of our work, we've also inherited a lot of

00:52:33.510 --> 00:52:36.019
data that people want to share with us, because

00:52:36.019 --> 00:52:38.380
I think they kind of have a sense that maybe

00:52:38.380 --> 00:52:41.659
with combining our methods, we can kind of, you

00:52:41.659 --> 00:52:44.000
know, get a sense of the pattern of life. The

00:52:44.000 --> 00:52:48.440
pattern of life is super hard. I don't even think,

00:52:48.440 --> 00:52:50.960
you know, some of these AI programs like Lavender

00:52:50.960 --> 00:52:53.780
or whatever that the Israelis are using. I mean,

00:52:53.880 --> 00:52:56.440
they're just... they're always going to be dirty

00:52:56.440 --> 00:52:58.260
because the data is always going to be dirty.

00:52:58.760 --> 00:53:02.179
So you shouldn't be expecting like 90% accuracy.

00:53:02.739 --> 00:53:04.780
You're just always going to have to triangulate

00:53:04.780 --> 00:53:08.239
to understand pattern of life, which is mostly

00:53:08.239 --> 00:53:10.880
really familiarizing yourself with the history

00:53:10.880 --> 00:53:14.440
and culture of the social group that you're looking

00:53:14.440 --> 00:53:17.519
at. You can't just go on faith of kind of leaked

00:53:17.519 --> 00:53:19.719
corporate data and then some social media and

00:53:19.719 --> 00:53:22.739
then that's it. Because you really need to understand

00:53:22.739 --> 00:53:25.710
what is it that glues this this network of people

00:53:25.710 --> 00:53:28.869
together. And people work in networks. The only

00:53:28.869 --> 00:53:33.130
biggest lesson is every social group in the world

00:53:33.130 --> 00:53:38.130
operates in a network format. And it tends to

00:53:38.130 --> 00:53:45.530
be, you know, the more extreme, I suppose, in

00:53:45.530 --> 00:53:48.369
kind of commitments to violence, the more likely

00:53:48.369 --> 00:53:50.710
the signaling amongst that network is going to

00:53:50.710 --> 00:53:54.730
become super obvious and quite routine and very

00:53:54.730 --> 00:53:56.949
easily recognizable. I don't know if Ben has

00:53:56.949 --> 00:54:01.429
any other observations. Yeah, I don't know. A

00:54:01.429 --> 00:54:03.570
word of caution, I guess, which is that at this

00:54:03.570 --> 00:54:07.230
point, you know, I assume that most of the accounts

00:54:07.230 --> 00:54:11.630
that we track are probably using a sort of a

00:54:11.630 --> 00:54:15.750
hybrid pattern of sort of generative content

00:54:15.750 --> 00:54:18.349
and then human generated content. And it will

00:54:18.349 --> 00:54:20.909
switch back and forth between them. I think most

00:54:20.909 --> 00:54:24.469
platforms at this point have gotten, I don't know,

00:54:24.809 --> 00:54:26.710
relatively good at detecting just like purely

00:54:26.710 --> 00:54:29.210
automated content and you just like the pure

00:54:29.210 --> 00:54:32.730
bot. Um, and, uh, but at the same time, if you're

00:54:32.730 --> 00:54:34.829
just like a single human plugging away during

00:54:34.829 --> 00:54:37.630
your sort of information operations, then you're,

00:54:37.630 --> 00:54:40.889
you're not, you know, competing at the level

00:54:40.889 --> 00:54:43.289
that you need to in today's information ecosystem.

00:54:43.489 --> 00:54:47.250
And so I, yeah, I, my, my hypothesis dealing

00:54:47.250 --> 00:54:49.269
with these, these groups and entities is that

00:54:49.269 --> 00:54:52.590
it's sort of like a hybridized pattern, which

00:54:52.590 --> 00:54:54.349
makes, yeah, pattern of life really difficult

00:54:54.349 --> 00:54:57.730
because you can't really tell when their online

00:54:57.730 --> 00:55:01.349
activity is sort of the human or whatever sort

00:55:01.349 --> 00:55:04.769
of generative content is also potentially posting

00:55:04.769 --> 00:55:07.909
on that account. What tipped you off for high

00:55:07.909 --> 00:55:10.590
level command profiles identifying the command

00:55:10.590 --> 00:55:14.849
structure? What was the key signifier that you'd

00:55:14.849 --> 00:55:17.460
found someone who had a high level command? So,

00:55:17.639 --> 00:55:20.019
this really started with that Chebyka-Wagner

00:55:20.019 --> 00:55:22.940
review group that we mentioned on VKontakte

00:55:22.940 --> 00:55:26.340
that we kind of stumbled on in 2018, just as

00:55:26.340 --> 00:55:27.920
all that stuff was happening with the Battle

00:55:27.920 --> 00:55:30.639
of Khasham and their world was kind of lighting

00:55:30.639 --> 00:55:33.900
up. One thing that happened on the anniversary

00:55:33.900 --> 00:55:37.239
of that, so in February 2019, so one year later,

00:55:38.619 --> 00:55:42.500
was that somebody, and I still theorize to this

00:55:42.500 --> 00:55:45.159
day that it was probably a Ukrainian off. But

00:55:45.159 --> 00:55:48.599
somebody threw up a message saying, you know,

00:55:48.599 --> 00:55:52.239
I remember, you know, the fallen of the Battle

00:55:52.239 --> 00:55:55.940
of Khasham, I'm paraphrasing here, you know,

00:55:55.940 --> 00:55:59.639
and then the next chat line was, who served where?

00:56:00.800 --> 00:56:06.900
And weirdly, at that moment, just suddenly like

00:56:06.900 --> 00:56:11.400
dozens and then dozens and then hundreds of guys

00:56:11.400 --> 00:56:15.639
would just answer with their Vechay number,

00:56:15.679 --> 00:56:21.099
which is their military unit number. And I realized,

00:56:21.159 --> 00:56:25.300
holy shit, these guys are just openly identifying

00:56:25.300 --> 00:56:27.320
themselves. And I'll note that that's when I

00:56:27.320 --> 00:56:30.760
also realized that many user accounts on VKontakte,

00:56:31.159 --> 00:56:33.659
you know, especially for guys, it's pretty typical

00:56:33.659 --> 00:56:37.199
to have the unit that you served in as conscript

00:56:37.199 --> 00:56:39.079
posted. It's kind of like where you went to high

00:56:39.079 --> 00:56:41.539
school, where you went to college, university.

00:56:42.269 --> 00:56:44.550
It's part of your profile. You don't have to

00:56:44.550 --> 00:56:47.030
fill it out, but many guys do because it's a

00:56:47.030 --> 00:56:49.690
way to find each other and also to show that

00:56:49.690 --> 00:56:51.570
you've done your service, you've been a patriot

00:56:51.570 --> 00:56:54.409
and so forth. And so we collected all of those,

00:56:54.489 --> 00:56:56.809
put them into a spreadsheet, and then we did

00:56:56.809 --> 00:56:59.170
a lot of verification. This is the early days

00:56:59.170 --> 00:57:02.369
even before Ben was around. You know, our first

00:57:02.369 --> 00:57:04.150
attempt at this was kind of the data was a little

00:57:04.150 --> 00:57:07.250
bit dirty and we didn't understand at first how

00:57:07.250 --> 00:57:10.969
many were imitating units and how many were real.

00:57:11.150 --> 00:57:13.369
It was only later as we started to refine our

00:57:13.369 --> 00:57:15.989
methods and realize, oh, we can actually segment

00:57:15.989 --> 00:57:20.809
this profile data on military unit affiliation.

00:57:21.630 --> 00:57:24.849
But that was the most telling piece was just

00:57:24.849 --> 00:57:27.769
where people had served and then having an understanding

00:57:27.769 --> 00:57:30.670
of who was central to the network. And the vast

00:57:30.670 --> 00:57:33.329
majority of having a particular profile and a

00:57:33.329 --> 00:57:36.050
particular affiliation with units that were known

00:57:36.050 --> 00:57:39.710
to be very active, for instance, in Georgia in

00:57:39.710 --> 00:57:42.960
2008 and some other sort of ghost operations

00:57:42.960 --> 00:57:45.159
that well preceded the incursion in Ukraine.

00:57:45.840 --> 00:57:48.039
So a lot of it, again, is this combination of

00:57:48.039 --> 00:57:50.900
kind of understanding the culture, like the literal

00:57:50.900 --> 00:57:53.840
culture, not the online culture, and then doing

00:57:53.840 --> 00:57:55.960
a lot of historical research to put it all together.

00:57:56.079 --> 00:57:58.380
Amazing. Thank you so much for giving us that

00:57:58.380 --> 00:58:00.980
detail. I know Chris, who asked the question

00:58:00.980 --> 00:58:04.480
initially, really appreciates it. Thank you so

00:58:04.480 --> 00:58:08.079
much for coming into chat today. I have a bunch

00:58:08.079 --> 00:58:10.420
of people in the chat right now saying how much

00:58:10.420 --> 00:58:13.400
you've humbled them and also how much they've

00:58:13.400 --> 00:58:16.400
enjoyed this talk. Please do check out both Candice

00:58:16.400 --> 00:58:19.639
and Ben's work at New America. I put the link

00:58:19.639 --> 00:58:21.659
in the chat and I'll also put it in the description

00:58:21.659 --> 00:58:23.639
of this podcast, along with all of the links

00:58:23.639 --> 00:58:26.599
that we've discussed today. And please tune in

00:58:26.599 --> 00:58:29.800
in two weeks time for the next stage talk. But

00:58:29.800 --> 00:58:32.639
until then, take care and thank you again, Ben

00:58:32.639 --> 00:58:36.079
and Candice, for your time today. Thanks so much.

00:58:37.239 --> 00:58:41.480
Thanks, all. Thank you, everybody. Thank you

00:58:41.480 --> 00:58:44.239
for listening to the Stage Talk. If you'd like

00:58:44.239 --> 00:58:47.219
to catch a Stage Talk live where you can ask

00:58:47.219 --> 00:58:50.159
the guest questions, join the Bellingcat Discord

00:58:50.159 --> 00:58:57.730
server by visiting www.discord.gg. The music

00:58:57.730 --> 00:59:01.210
you've heard is titled Dawn by Newer Self and

00:59:01.210 --> 00:59:02.869
is courtesy of Artlist.
