Industry News

Guccifer 2.0’s schoolboy error reveals he’s hacking from Moscow

Guccifer 2.0, the notorious hacker who is alleged to have compromised the computer systems of the Democratic National Committee (DNC) and stolen opposition research on Donald Trump, has accidentally tipped his hand that he was working for Russian intelligence.

Back in 2016, Guccifer 2.0 denied being Russian or working for Russia in online interviews and claimed (somewhat unconvincingly) to come from Romania.

But, as Daily Beast now reports, the so-called “lone hacker” was in fact an officer with Russia’s military intelligence division (GRU).

Why do they say that? Well, it appears that the self-proclaimed independent hacker from Romania may have forgotten to enable his VPN client on one occasion, and “left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation.”

That IP address was then tied to the GRU’s headquarters in Moscow.

According to the latest report, the US government believes that at some point Guccifer 2.0’s activities were taken over by a GRU officer with more experience. This has been speculated on before after it was observed that whoever was working behind the Guccifer 2.0 moniker had stopped making so many sloppy mistakes, and appeared to have turned into a more professional leaker of information.

Robert Mueller, who is heading the probe into possible collusion between Donald Trump’s presidential campaign and Russia, is said to have brought FBI agents who investigated Guccifer 2.0 onto his team. The news of Guccifer’s link to Moscow is unlikely to dampen the belief that Russia attempted to interfere in the US election, and will raise more questions about possible connections between the Trump campaign and Russia.

Attributing attacks reliably is notoriously difficult, but it turns out it’s even harder to opsec properly. Whether you’re a good guy or a bad guy, if you care about your privacy online don’t do something careless like forget to turn your VPN on.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • Actually, Mueller is heading the probe into overseeing the investigation into Russian tampering in the 2016 presidential election, not specifically "collusion between Donald Trump’s presidential campaign and Russia".

  • 1. Unlikely they'd have a point of origin for ops being their HQ.
    2. Unlikely a Russian intelligence agency would use a Russian VPN to conceal their origin.
    3. I guess they didn't enable anonymization routing either then? (eg. no ToR, etc?!)
    4. Article claims individual GRU officer identified from this but if all that was revealed was the agency's HQ IP address… how would that have worked?

    Now let's look at the evidence substantiating the claim… oh… wait… there isn't any… it's a rumor from someone only willing to make assertions on condition of being unaccountable.