Sometimes an international offensive begins with a few shots that draw little notice. So it was last year when Melvin Redick of Harrisburg, Pennsylvania, a friendly-looking American with a backward baseball cap and a young daughter, posted on Facebook a link to a brand-new website.
“These guys show hidden truth about Hillary Clinton, George Soros and other leaders of the US,” he wrote on June 8, 2016. “Visit #DCLeaks website. It’s really interesting!”
Redick turned out to be a remarkably elusive character. No Melvin Redick appears in Pennsylvania records, and his photos seem to be borrowed from an unsuspecting Brazilian. But this fictional concoction has earned a small spot in history: The Redick posts that morning were among the first public signs of an unprecedented foreign intervention in U.S. democracy.
The DCLeaks site had gone live a few days earlier, posting the first samples of material, stolen from prominent Americans by Russian hackers, that would reverberate through the presidential election campaign and into Donald Trump’s presidency. The site’s phony promoters were in the vanguard of a cyberarmy of counterfeit Facebook and Twitter accounts, a legion of Russian-controlled impostors whose operations are still being unraveled.
An investigation by The New York Times, and new research from the cybersecurity firm FireEye, reveals some of the mechanisms by which suspected Russian operators used Twitter and Facebook to spread anti-Clinton messages and promote the hacked material they had leaked. On Sept. 6, Facebook officials disclosed that they had shut down several hundred accounts that they believe were created by a Russian company linked to the Kremlin and used to buy $100,000 in ads pushing divisive issues during and after the U.S. election campaign.
On Twitter, as on Facebook, Russian fingerprints are on hundreds or thousands of fake accounts that regularly posted anti-Clinton messages. Many were automated Twitter accounts, called bots, that sometimes fired off identical messages seconds apart — and in the exact alphabetical order of their made-up names, according to the FireEye researchers. On Election Day, they found that one group of Twitter bots sent out the hashtag #WarAgainstDemocrats more than 1,700 times.
The Russian efforts were sometimes crude or off-key, with a trial-and-error feel, and many of the suspect posts were not widely shared.
It remains unclear whether any agency is focused specifically on tracking foreign intervention in social media. Both Facebook and Twitter say they are studying the 2016 experience and how to defend against such meddling.
“We know we have to stay vigilant to keep ahead of people who try to misuse our platform,” Alex Stamos, Facebook’s chief security officer, wrote Wednesday in a post about the Russia-linked fake accounts and ads. “We believe in protecting the integrity of civic discourse.”
Critics say that because shareholders judge the companies partly based on a crucial data point — “monthly active users” — they are reluctant to police their sites too aggressively for fear of reducing that number. The scale of the sites — 328 million users on Twitter, nearly 2 billion on Facebook — means they often remove impostors only in response to complaints.
Both companies have stepped up efforts to purge fake accounts. Facebook says it takes down 1 million accounts a day, but struggles to keep up with the illicit activity. Still, the company says the abuse affects only a small fraction of the social network; Facebook officials estimated that of all the “civic content” posted on the site in connection with the U.S. election, less than one-tenth of 1 percent resulted from “information operations” like the Russian campaign.
Twitter, unlike Facebook, does not require the use of a real name and does not prohibit automated accounts, arguing that it seeks to be a forum for open debate. But it constantly updates a “trends” list of most-discussed topics or hashtags, and it says it tries to foil attempts to use bots to create fake trends. However, FireEye found that the suspected Russian bots sometimes managed to do just that, in one case causing the hashtag #HillaryDown to be listed as a trend.
Asked to comment, Twitter referred to a blog post in June in which it said it was “doubling down” on efforts to prevent manipulation but could not reveal details for fear of tipping off those trying to evade the company’s measures.
LEAKS AND FAKE PROFILES
In June, President Vladimir Putin of Russia allowed that “free-spirited” hackers might have awakened in a good mood one day and spontaneously decided to contribute to “the fight against those who say bad things about Russia.” Speaking to NBC News, he rejected the idea that evidence pointed to Russia.
Especially in the social media realm, attributing fake accounts — to Russia or to any other source — is always challenging. In January, the CIA, the FBI and the National Security Agency concluded “with high confidence” that Putin had ordered an influence operation to damage Clinton’s campaign and eventually aid Trump’s.
In April, Facebook published a public report on information operations using fake accounts. It shied away from naming Russia as the culprit until Sept. 6, when the company said it had removed 470 “inauthentic” accounts and pages that were “likely operated out of Russia.” Facebook officials fingered a St. Petersburg company with Kremlin ties called the Internet Research Agency.
The trail that leads from the Russian operation to the bogus Melvin Redick, however, is fairly clear. U.S. intelligence concluded that DCLeaks.com was created in June 2016 by the Russian military intelligence agency GRU. The site began publishing an eclectic collection of hacked emails, notably from George Soros, the financier and Democratic donor, as well as a former NATO commander and some Democratic and Republican staffers.
DCLeaks would soon be followed by a blog called Guccifer 2.0, which would leave even more clues of its Russian origin. Those sites’ posts, however, would then be dwarfed by those from WikiLeaks, which U.S. officials believe got thousands of Democratic emails from Russian intelligence hackers through an intermediary. At each stage, a chorus of dubious Facebook and Twitter accounts — alongside many legitimate ones — would applaud the leaks.
During its first weeks online, DCLeaks drew no media attention. But The Times found that some Facebook users somehow discovered the new site quickly and began promoting it on June 8. One was the Redick account, which posted about DCLeaks to the Facebook groups “World News Headlines” and “Breaking News — World.”
The same morning, “Katherine Fulton” also began promoting DCLeaks in the same awkward English Redick used.
So did “Alice Donovan,” who pointed to documents from Soros’ Open Society Foundations that she said showed its pro-American tilt.
Might Redick, Fulton, Donovan and others be real Americans who just happened to notice DCLeaks the same day? No. The Times asked Facebook about these and a half-dozen other accounts that appeared to be Russian creations. The company carried out its standard challenge procedure by asking the users to establish their bona fides. All the suspect accounts failed and were removed from Facebook.
THE AUTOMATIC BOOGEYMAN
Both on the left and the pro-Trump right, some skeptics complain that Moscow has become the automatic boogeyman, accused of misdeeds with little proof. Even those who track Russian online activity admit that in the election it was not always easy to sort out who was who.
“Yes, the Russians were involved. Yes, there’s a lot of organic support for Trump,” said Andrew Weisburd, an Illinois online researcher who has written frequently about Russian influence on social media. “Trying to disaggregate the two was difficult, to put it mildly.”
Weisburd admitted that he had labeled some Twitter accounts “Kremlin trolls” based simply on their pro-Russia tweets and with no proof of Russian government ties. The Times contacted several such users, who insisted that they had come by their anti-American, pro-Russian views honestly, without payment or instructions from Moscow.
“Hillary’s a warmonger,” said Marilyn Justice, 66, who lives in Nova Scotia and tweets as @mkj1951. Of Putin, she said in an interview, “I think he’s very patient in the face of provocations.”