WXXI AM News

Meet The Internet Researchers Unmasking Russian Assassins

Oct 12, 2018
Originally published on October 15, 2018 10:25 am

Aric Toler isn't exactly sure what to call himself.

"Digital researcher, digital investigator, digital something probably works," Toler says.

Toler, 30, is part of an Internet research organization known as Bellingcat. Formed in 2014, the group first got attention for its meticulous documentation of the ongoing conflict in Ukraine. Toler used posts to Russia's equivalent of Facebook, VK, to track Russian soldiers as they slipped in and out of eastern Ukraine — where they covertly aided local rebels.

Since then, Toler and his colleagues have been up to a whole lot more. They've used commercial satellite images to track Chinese air bases; watched security operations unfold on social media in Venezuela; and pinpointed the locations of chemical weapons attacks in Syria.

Now Toler and the nine other full-time members of Bellingcat's small, international staff are increasingly being drawn into some of the biggest news stories in the world. This week they unmasked one of two Russian agents believed to be behind a spate of poisonings in the U.K. (they exposed the other one last month). And they're collaborating with news outlets to help identify suspects in the disappearance of Saudi journalist Jamal Khashoggi.

It's a rapid rise for what was, just a few years ago, a group of amateurs. Bellingcat was founded by Eliot Higgins, a British native whose previous jobs included helping the settlement of refugees in the U.K. and administrator in a women's lingerie factory.

Chemical exposure

Higgins' work began with the brutal civil wars in Syria and Libya. He was astonished by the amount of information about the conflict that was available online in social media postings and videos. "I just asked myself, how can I prove this information was true?" he said in a 2015 interview with NPR. He didn't speak or read Arabic, so he started looking at the one thing he could identify: the weapons and munitions being used by the combatants. He posted what he found on his personal blog. "When I wrote about something, I'd say this is what I think and this is why I think it; I'd show my work," he said. The goal, he said, was to be "very transparent" about what he had discovered.

Higgins was among the first to identify the munitions used in a grisly chemical weapons attack in the Damascus suburb of Ghouta in August 2013. "I'd actually seen them before because they'd been used in previous chemical attacks that hadn't been quite as large-scale," he said. His work linking the munitions to the Syrian military was meticulous and strong enough that it was later cited by organizations such as Human Rights Watch.

In Bellingcat, Higgins has drawn together a troop of like-minded, newly professionalized researchers. They are scattered across the globe — Higgins lives in the U.K., Toler in Kansas City, Mo., others are in the Netherlands and elsewhere. They communicate via online messaging and Twitter, in a constant exchange of satellite imagery, social media postings and videos.

"It's like a game — you kind of find stuff and put it together," Toler says.

Toler says the organization is funded half through grants from places like Google and the Open Society Foundations. The other half comes from training workshops, including one NPR recently visited in the Washington, D.C., area.

"We firmly believe it's so important that more people are aware of how to do these kinds of things," says Christiaan Triebert, a 27-year-old former Dutch journalist who is also on Bellingcat's staff.

In fact, the name Bellingcat comes from one of Aesop's fables — Belling the Cat — about a group of mice who decide to put a bell on a stealthy cat to expose its presence. Triebert says that's why the group sees training sessions as a key to its success: "I hope the group of mice keeps growing, and I hope we can bell more cats."

Bellingcat's identification of the two suspected Russian intelligence agents shows the benefits of knowing where to look. On March 4, a former Russian double agent, Sergey Skripal, and his daughter, Yulia, were found unconscious on a bench in the English town of Salisbury. British authorities later determined a rare nerve agent had been used to poison the couple and that the poison was also responsible for the death of a U.K. citizen in July.

In September, British police released photographs of two Russian suspects, along with the aliases they traveled under. Bellingcat took what little information they released and got to work.

Leaky data

"Russia is extremely corrupt and everything leaks like a sieve, so you can find leaked databases of various types online," Toler says. "Things like insurance databases, driver's licenses, voter databases, stuff like that. This stuff isn't 100 percent legal, but it's out there."

Bellingcat teamed up with a Russian news site known as the Insider to mine the databases. They used some of the leaked databases to show that the passports for the two suspects in the Skripal case were issued in 2009, under aliases. Believing the two worked for Russia's military intelligence, known as the GRU, they began to work backward. Given their rough ages, the group figured one or both attended training at the Far Eastern Military Command Academy in Blagoveshchensk, near the Chinese border. Eventually they found a photo related to the academy with one of the suspects, identified as Col. Anatoly Chepiga. Subsequent searches of databases turned up numerous links between Chepiga and the GRU, including his photo on the wall of the military academy where he trained.

The group exposed the man it believes is the the second suspect on Monday. Known as Alexander Mishkin, he was tracked down through a series of database searches that showed, among other things, that his car was registered to GRU headquarters. Toler says that the group, in partnership with Russian journalists, even managed to send someone to Mishkin's hometown, in the far north of the country. "They had his picture, and were showing it around to people in the town," Toler says. Many villagers instantly recognized him. They said Mishkin's grandmother had a photo of him receiving a medal from Russian President Vladimir Putin. "She'd show it to people, but you can't touch it — it's her most prized possession," Toler says.

Russian retaliation

The Russians have noticed the group's work. After Bellingcat's initial reports, Russian state media released interviews with the two suspects, who said that they were sightseers. Russian media also attacked the Bellingcat group, stating it was funded by the U.S. government with the sole purpose of undermining Russia and other NATO adversaries.

The group members bristle at such allegations. "We've never cooperated or spoken to or had anything leaked to us by any security services," Toler says. The group does receive anonymous tips, he adds, but it tries to make sure any information it receives is independently verifiable so that "we're not being taken for a ride by some spooks."

Triebert also points out that they have investigated U.S. airstrikes in Syria. "When we investigate the Pentagon, [Russian media] calls us independent investigators that show the Pentagon killed civilians," he says.

But in the background, Triebert and Toler are also aware of the researchers and whistleblowers who have come before Bellingcat. Many have not succeeded in maintaining an impartial stance. The website WikiLeaks, for example, gained fame through leaking U.S. documents that many saw as shedding light on the wars in Iraq and Afghanistan. But in recent years, the organization has also gained notoriety as a conduit for hacked emails from the Democratic National Committee. It later emerged that Russian hackers had stolen those emails with the goal of swaying the 2016 election.

"When I was a student, I was inspired by the work of WikiLeaks, right? This is what got me into this stuff," Triebert says. "If I look at WikiLeaks nowadays, I'm disappointed by what it has become."

"Of course we think about that, because we don't want to be co-opted," Toler says. At the same time, he thinks their open approach provides a degree of protection. "We've been doing this for years and years and years, and we can kind of sniff out when something's been planted."

But Toler and Triebert also admit the challenges will only grow with the group's popularity. Looking to the future, Toler says that fake posts and doctored videos will only grow in sophistication. Triebert expects intel agencies may feed them leads to get classified findings into the public sphere. "You could call it whitewashing of their information, right?" he says.

Neither knows what the future holds for the group, but both say they are ready. "So I think yeah, interesting times ahead," Tiebert says.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

AILSA CHANG, HOST:

It turns out that the two Russian operatives behind the U.K. nerve agent attacks had their identities blown by a team of Internet researchers. NPR's Geoff Brumfiel has this story of who they are and how they did it.

GEOFF BRUMFIEL, BYLINE: OK, so here's the one thing you need to know for this story. Everything is on the Internet.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED PERSON: Our prime minister said there is no alternative conclusion other than the Russian state was culpable for the attempted murder...

BRUMFIEL: Back in September, British authorities held a press conference. They released passport photos and names used by two men they believe tried to kill a former Russian spy with nerve agent.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED PERSON: It is likely that they were traveling under aliases, and these are not their real names.

BRUMFIEL: To a guy like Aric Toler, that sounded like a challenge. Toler works for a group called Bellingcat. His job is so unusual even he doesn't know how to describe it.

ARIC TOLER: Something like digital researcher, digital investigator, digital something - probably works.

BRUMFIEL: Toler and his friends are very, very good at finding all kinds of things online. They've used commercial satellite images to track Chinese air bases, watched security operations unfold on social media in Venezuela, pinpointed the locations of chemical weapons attacks in Syria. The true identity of a Russian spy...

TOLER: It's tough because this guy's, you know, a military intelligence officers. So it's not going to be easy to find this guy just on Facebook.

BRUMFIEL: But remember everything is on the Internet these days, including photos of a military academy that trains intelligence officers taken by Russian tourists.

TOLER: When you look at these photos - they're all on our on our website - it's just a bunch of Russians - just random Russian guys going through and kind of sightseeing at this like military academy.

BRUMFIEL: These tourists visit the academy. And one thing they like photographing is its wall of fame, with pictures of notable graduates.

TOLER: This is a year before the poisoning. Some totally random innocuous normal Russian person uploaded a photo that shows our boy, Anatoliy Chepiga, up on the wall.

BRUMFIEL: Col. Anatoliy Chepiga, the spitting image of the man in the photo released by the British - right there on the wall with his name spelled out for all to see. And Bellingcat turned up a lot more. It turns out if you're willing to risk getting a nasty computer virus, you can download all sorts of Russian databases.

TOLER: Things like insurance databases and driver's licenses, voter database, things like that - this stuff isn't 100 percent legal, but it's out there.

BRUMFIEL: And in those databases, they found way more photos and details about their man Chepiga - old phone numbers and addresses, including one that linked him to a local military intelligence headquarters. This week they also IDed Chepiga's fellow spy, a guy they think is named Alexander Mishkin. Mishkin came from a small town in Russia's far north. Once they found him, Bellingcat worked with Russian journalists to send someone up there.

TOLER: And they had his picture, they were showing it to random people in the town. They're like, oh, yeah, that's our - that's Sasha. Alexander in short in Russian is Sasha. That's Sasha Mishkin over there. He's a good - you know, he's a good boy. He's a good lad. His grandma - 92-year-old grandma also shows us a photo of him receiving a medal from Putin.

BRUMFIEL: Russian President Vladimir Putin probably didn't give Myshkin a medal for being such a good grandson. Bellingcat has 10 full-time researchers scattered across the globe. Toler works out of Kansas City. Others are in the U.K., the Netherlands and elsewhere. They say they're funded by a combination of grant money and money from classes they run. Christiaan Triebert is another member of the group.

CHRISTIAAN TRIEBERT: We firmly believe that it's so important that more people are aware of how to do these kind of things. And most of the times, it's not too hard.

BRUMFIEL: I caught up with him and Toler during a training they were doing near Washington, D.C.

TOLER: Today we're going to start with how do you determine approximately or exactly when a photograph or video was taken.

BRUMFIEL: The students include journalists, law enforcement types, human rights workers. Triebert says getting a lot more people to do this stuff is what Bellingcat is all about. The name Bellingcat comes from one of Aesop's fables about a group of mice who decide to put a bell on a stealthy cat in order to expose its presence. Triebert says that's how they see this new kind of work.

TRIEBERT: I hope the group of mice keeps growing, and I hope we can bell more cats.

BRUMFIEL: The truth these researchers believe is on the Internet. You just have to know how to look. Geoff Brumfiel, NPR News, Washington. Transcript provided by NPR, Copyright NPR.