The Guardian (USA)

Outing of FSB hit squad highlights Russia's data security problem

- Andrew Roth in Moscow

In early 2019, the journalist Andrei Zakharov managed to buy his own phone and banking records in a groundbreaking investigation into Russia’s thriving markets in stolen personal data, in which law enforcement and telecoms employees can be contracted anonymously to dip into their systems and pull out sensitive details on anyone.

A year and a half later, investigators from Bellingcat and the Insider used some of the same tools and clever analysis to out a secret FSB team that had been tasked with killing Alexei Navalny using a novichok nerve agent.

The recent investigations into Russia’s security services have shown that beyond being a boon for scammers and private detectives, the trade in data is an urgent issue of national security for the Kremlin.

“When I wrote about it, nothing changed,” Zakharov, who now works for the investigative outlet Proekt, said in an interview. “When Bellingcat started to use it more and more visibly, nothing changed. And I think that maybe nothing can change this time around, we’ll see.”

The Russian government may hope to prove otherwise. On Tuesday, the Duma gave preliminary approval to amendments to protect, among others, the FSB and the military intelligence officers that Bellingcat has been particularly effective in outing. And Russia’s prime minister, Mikhail Mishustin, told the state telecom agency: “You work with personal data. It’s very important. Of course, it’s very important that data is protected.”

Bellingcat’s Eliot Higgins tweeted in response: “Seems rather late though, I guess you could say the Bellingcat is out the bag.”

Perhaps the best indication of the Kremlin’s irritation with Bellingcat’s punishing investigation is that it has offered no public reaction whatsoever. (Putin’s press secretary has abruptly cancelled his daily briefings until Thursday, when Putin will hold a nationally televised press conference.)

Leaked – and often purchased – data has transformed investigative journalism about Russia, revealing intimate details about the officials and wealthy businessmen surrounding Vladimir Putin, as well as the security services.

When Zakharov co-authored a recent Proekt article suggesting Putin had a daughter from a secret mistress, one data point was a passport which indicated that the girl’s father’s name was Vladimir. (Zakharov says he does not purchase data and that this was provided by a source with access to those databases.)

The breadth and depth of the data up for sale is staggering: geolocation and call data for mobile phones, flight records, licence plate numbers, criminal and medical records and more.

Zakharov has seen leaked databases that include a police list of clients of Moscow sex workers in the mid-2000s, ambulance patients of 2011, and drug addicts of Altufyevo, a district of Moscow. “I don’t know why Altufyevo,” he said, laughing.

Openly soliciting leaked data has become a more common, if controversial, investigative tactic. Not many journalists will openly admit they do so. In an upcoming book, Sergei Kanev, a crime reporter, writes: “This story created a lot of fuss but it all began quite simply: I bought a database for the Moscow region in an underpass by Paveletsky railway station. I came home and out of interest I put the name of the FSB director Alexander Bortnikov.”

In other cases, the database itself can be the story. In 2016 Kanev wrote of purchasing a database on HIV-infected patients, drug addicts and alcoholics in the Irkutsk region compiled by Russia’s federal drug control service.

Leaked databases from Russia’s various registries have been available since at least the early 2000s, when they were sold by street dealers. “I remember that in the subway in St Petersburg there were people who went from one train to another selling them,” Zakharov said.

But what had changed, he said, was the ability to order up-to-date data on specific targets. That possibility has emerged thanks to searchable databases available to law enforcement, mobile phone companies and others, whose employees can then leak the data via online brokers and Telegram bots that take payments from electronic wallets.

The market efficiently and anonymously connects buyers and sellers, many of whom are low-paid employees from Russia’s outer regions. When police crack down on the practice, the price for information simply goes up.

Bellingcat recently explained how it could obtain a wealth of information on Anatoliy Chepiga, a GRU agent implicated in the Salisbury poisonings, by sending a request that costs €10 to a Telegram bot.

“Within two to three minutes of entering Chepiga’s full name and providing a credit card via Google Pay or a payment service like Yandex Money, a popular Telegram bot will provide us with Chepiga’s date of birth, passport number, court records, licence plate number, [vehicle identification] number, previous vehicle ownership history, traffic violations and frequent parking locations in Moscow,” Bellingcat wrote.

In an article about the investigation, Navalny credited recent national security laws which allow “corrupt employees of law enforcement agencies to freely trade our mobile phone data with you. And our air travel data too.”

Zakharov said: “I think in other countries it is more difficult for police officers to see where people travel all over the country without any prosecutor or court agreement. But here, any police officer can just take a computer and see where everyone has travelled.”

The use of probiv – solicited leaks of data on specific targets – remains controversial among journalists. Zakharov recalled a heated debate at a conference in 2019, where several high-profile journalists and editors spoke out against the practice. “But since then I see that more journalists are using these databases.”

He said the growing use of probiv would inevitably favour outlets with deep pockets. For now, each makes its own policy. “If you go to a source and a source shows it to you, you can do that,” Zakharov said. “You shouldn’t buy it. That’s my answer.”

Photograph: Sputnik/Reuters. Leaked data has revealed intimate details about the officials and businessmen surrounding Vladimir Putin.
