I’m going to write three more posts on the implications of the AlfaBank-Trump conspiracy-theory, but first, I need to explain what it is and why we should consider it a “conspiracy-theory”.
This post gets a bit long, so here’s the summary. Five years ago, researchers found anomalous logs showing Alfa Bank searching for a name including the word “trump”. They concluded it was proof of covert communications between Trump and the Russian bank. But on further investigation, it’s clear this is a classic “conspiracy-theory”, as the name doesn’t actually go to the Trump Organization. To explain it as covert communications, we need to make unsubstantiated claims about other actors, such as Cendyn, the actual company who created that name. We still can’t explain the anomaly, but we can show this conspiracy-theory is not a likely explanation.
Here is the fuller explanation.
During the 2016 presidential campaign, many claimed Trump had inappropriate business dealings in Russia. The most prominent of these is the infamous Steele Dossier, which claimed (among other things) ties with Alfa Bank, a big Russian bank allied with Putin. The Steele Dossier is highly controversial to this day, featured in conspiracy-theories on both the left and the right. Some bits have largely been refuted, while other bits have been partly confirmed. Much of the dossier remains in limbo.
In the middle of this debate stepped cybersecurity researchers. They monitor the health of internet infrastructure to stop viruses, malware, and hackers. This includes monitoring “DNS”, the “Domain Name System” that translates the names we humans use to the numeric addresses that network equipment uses. (The three core protocols that make internet infrastructure work are IP, BGP, and DNS — when things break, it’s usually one of them).
What the researchers found was that Alfa Bank was looking for the name “mail1.trump-email.com”. Moreover, only three organizations were doing lookups on this name during the summer of 2016: Alfa Bank, Spectrum Health, and Heartland Payments. Over 70% of the lookups came from Alfa Bank alone.
Spectrum Health has clear ties to Trump. It’s run by the DeVos family. Trump would later name Betsy DeVos to his cabinet as Secretary of Education.
The obvious conclusion is that this is the result of some sort of link between the two parties.
But not necessarily a direct link. That’s where the “conspiracy-theory” comes in.
Even if Trump and Alfa Bank are truthful and they have no direct relationship, they still interact with many of the same people. There are indirect links. This can create spurious evidence.
I say this as an OSINT hacker. “OSINT” stands for “open-source intelligence”. When used by the intelligence community (e.g. the CIA), the term refers to overt (rather than covert) sources of intelligence. When used by hackers, it means tools like Maltego or SpiderFoot that scour public databases across the Internet trying to expose otherwise obscure relationships.
Such hunting finds lots of spurious relationships that aren’t actually true. For example, Phil Waldron is well-known for pushing conspiracy-theories about how the 2020 election was stolen from Trump. In this video, he misuses the popular OSINT tool “SpiderFoot” to claim all sorts of relationships between nefarious parties and Dominion, the voting machine company at the center of most election conspiracy theories.
Those of us experienced with OSINT tools avoid leaping to these sorts of conclusions. We keep getting burned, seeing something we believe to be a real relationship only to later have it disproven. The DNS logs are certainly suggestive, but OSINT experts would not rely upon them alone to draw conclusions.
Not only is the positive link tenuous, there’s solid negative evidence — reasons to believe there isn’t the link we assume.
The assumption is that “trump-email.com” was controlled by the Trump Organization. As it turns out, that assumption is false. The name was created and controlled (during this time) by Cendyn, a hotel marketing firm hired by Trump Hotels.
Cendyn works with a lot of hotels. Among their marketing activities is bulk email. They create names just for use with these emails, such as hyatt-email.com, denihan-email.com, mjh-email.com, trump-email.com, and so on. These are domain names separate from the real names for these companies, like hyatt.com, denihan.com, or trumphotels.com.
Cendyn in turn subcontracts with Listrak, a company specializing in the raw infrastructure for sending bulk emails. Cendyn configures names like “mail1.trump-email.com” or “mail1.hyatt-email.com” to point to servers in Listrak’s data centers. These servers are designed for the bulk transmission of millions of emails, but aren’t really configured to receive anything.
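To make the distinction concrete, here is an added example (my own code, not part of the original post and not the researchers’ tooling) that separates two questions the story conflates: who is doing the lookups, and who actually controls the name being looked up. The log lines, registrant data and address blocks are constructed and hypothetical; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed passive-DNS log lines: timestamp, resolver's organisation, queried name, type.
# Illustrative only; this is not the researchers' actual data.
CONSTRUCTED_LOG = """\
2016-07-01T10:00:00Z alfabank.ru        mail1.trump-email.com A
2016-07-01T10:05:00Z alfabank.ru        mail1.trump-email.com A
2016-07-02T09:12:00Z spectrumhealth.org mail1.trump-email.com A
2016-07-02T11:40:00Z alfabank.ru        mail1.trump-email.com A
2016-07-03T08:00:00Z heartland.us       mail1.trump-email.com A
2016-07-03T08:30:00Z alfabank.ru        mail1.trump-email.com A
2016-07-04T12:00:00Z alfabank.ru        mail1.trump-email.com A
2016-07-04T15:00:00Z alfabank.ru        mail1.trump-email.com A
"""

# Constructed ownership data (hypothetical): zone registrant, A records, netblock owners.
ZONE_REGISTRANT = {"trump-email.com": "Cendyn", "trumphotels.com": "Trump Organization"}
A_RECORD = {"mail1.trump-email.com": "192.0.2.10", "www.trumphotels.com": "198.51.100.5"}
NETBLOCK_OWNER = {"192.0.2.0/24": "Listrak", "198.51.100.0/24": "Trump Organization"}


def lookup_share(log: str, qname: str) -> dict[str, float]:
    """Fraction of queries for qname attributed to each source organisation."""
    sources = Counter()
    for line in log.splitlines():
        _ts, src, name, _rtype = line.split()
        if name == qname:
            sources[src] += 1
    total = sum(sources.values())
    return {src: n / total for src, n in sources.items()} if total else {}


def controlling_orgs(qname: str) -> dict[str, str]:
    """Who registered the zone, and who owns the address the name points at."""
    zone = qname.split(".", 1)[1]
    addr = ipaddress.ip_address(A_RECORD[qname])
    host_org = next(org for net, org in NETBLOCK_OWNER.items()
                    if addr in ipaddress.ip_network(net))
    return {"registrant": ZONE_REGISTRANT[zone], "host": host_org}


def brand_controls_name(qname: str, brand_org: str) -> bool:
    """True only if the brand's organisation both registered the zone and hosts the name.
    A brand word inside a hostname is not evidence of control by that brand."""
    orgs = controlling_orgs(qname)
    return orgs["registrant"] == brand_org and orgs["host"] == brand_org
```

Run against the constructed data, the lookup share is heavily skewed toward one source, yet the name itself is registered by the marketing firm and hosted in the bulk-mail provider’s netblock, which is the point the “Trump server” framing misses.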
For there to be covert communications between Alfa Bank and Trump Org using this infrastructure, the conspiracy needs to include Cendyn and Listrak. That’s a lot of people involved in a conspiracy that has remained secret for 5 years without leaks. If your goal is covert communications, a conspiracy involving so many people isn’t the way to do it. There are simpler ways to communicate covertly. I use the “Signal” app on my phone, for example.
The news coverage is obviously flawed. Most articles talk about a “Trump server”, but if there’s one thing we know, it’s that there’s no “Trump server”. There’s a server operated by Listrak in rural Pennsylvania that has only a distant link to the Trump Organization. Much of the time, such distinctions are minor, but in this story, it’s a crucial one.
A demonstration of the conspiracy-theory nature is a report by Daniel Jones and his Democracy Integrity Project (which is in turn indirectly tied to the Steele Dossier). The report frequently refers to the “Trump Organization server” even though it’s clear from the report that they know it’s a Listrak server. Since they have no evidence tying Trump to Listrak, they simply assert it as a truth needing no evidence.
The report has several “findings” that claim proof of the conspiracy. An illustrative example is Finding #5.
Here’s what Finding #5 claims. Before these DNS logs became public, the NYTimes contacted Alfa Bank on September 21, 2016. Two days later, Cendyn deleted the name “trump-email.com” from their DNS servers. This is too coincidental to have happened by chance. The reasonable conclusion is that Alfa Bank must’ve contacted their friends at Trump Org, which substantiates the link between the two companies.
As the Jones report describes it:
On September 23, 2016, two days after The New York Times approached Alfa Bank, the Trump Organization deleted the email server "mail1.trump-email.com" ... it would have been a deliberate human action taken by someone working on behalf of the Trump Organization and not by Alfa Bank. An analyst, quoted in the Slate article by Franklin Foer, observed that "the knee was struck in Moscow, and the leg kicked in New York."
This illustrates the nature of conspiracy theory. You see an anomaly that you cannot explain, but which is explained by the conspiracy-theory. You see it as proof. There is no simpler explanation other than Alfa Bank communicating with Trump Org.
Let’s contrast this with Wikipedia’s definition of conspiracy-theory:
an explanation for an event or situation that invokes a conspiracy by sinister and powerful groups, often political in motivation, when other explanations are more probable.
Except here, there were no other explanations. It’s not a conspiracy-theory competing with a better explanation, it’s a theory competing with no other explanation. Absence of any other explanation is seen as proof for the one remaining explanation, the conspiracy.
But that was 2018. This is now 2021. Another explanation has appeared. And it is a lot simpler.
Trump appointed a special prosecutor, John Durham, to investigate the Steele Dossier and other accusers against Trump. It’s nasty political payback and an abuse of the justice system, but at the same time, it’s revealed more information behind this conspiracy-theory.
Among the things now revealed is that the researchers behind the DNS logs reached out to the FBI at the same time as the NYTimes. FBI agents called Cendyn on the morning of September 23, and Cendyn deleted the records that afternoon. As the FBI agent reported:
“Followed up this morning with Central Dynamics [Cendyn] who confirmed that the mail1.trump-email.com domain is an old domain that was set up in approximately 2009 when they were doing business with the Trump Organization that was never used."
This disproves Finding #5 in the Jones report. Nobody would now believe the deletion happened because of the NYTimes contacting AlfaBank.
The lesson here is about conspiracy theories. If this “coincidental timing” is no longer proof now that we have a better explanation, it shouldn’t have been treated as proof then, when we didn’t. This is the lesson I mention above as an OSINT researcher: we frequently encounter spurious associations that later get disproven. We learn not to treat such things as “proof”, only clues.
Journalists have the same experience. They are, after all, OSINT researchers going by a different name. Even if they couldn’t disprove the allegations, they knew to distrust them as unproven.
This is why mainstream sites like The New York Times passed on the story. They correctly noted that while there’s an interesting anomaly, there’s no substantiation for the claim that there is secret communication, and that it was distorted by political interests. They think it’s important to not be in the position of Slate, the left-wing news site that didn’t pass on the story. Slate is now on the record reporting false claims about the coincidental NYTimes-AlfaBank timing — claims which responsible journalists would have, and did, doubt.
There is an analogy here with another prominent conspiracy theory, Mike Lindell’s claim to have “pcaps” proving the 2020 election was hacked by the Chinese to flip votes from Trump to Biden. He claims to have hired cyberexperts to independently validate the data. He claims no independent cyberexpert has been able to refute the data, which is technically true, since we don’t have meaningful access to the data.
A recent segment on Rachel Maddow’s show made similar arguments about these DNS logs. She claims the data comes from respectable people who would never lie about such a thing. She claims it’s been validated by experts. She claims no independent expert has been able to refute it.
This doesn’t change the ground truth. In both Lindell’s and Maddow’s cases, the data is not public, and no independent expert has been able to see it, much less refute or confirm it.
In truth, the Lindell conspiracy-theory is much sillier; it might as well be space aliens. In contrast, in the current story, the DNS logs look reasonable. The public version of those logs was redacted, but there may be more in the original logs that either confirms or refutes the story. Experts would need to see all the original data to make an independent assessment.
For five years, these DNS logs haven’t gotten much attention, even in Democrat circles, because the claims here are clearly unsubstantiated. But John Durham’s prosecution of those behind the DNS logs is giving them new credibility. It’s obvious political payback based on a flimsy excuse that the lawyer involved, Michael Sussmann, “lied” to FBI agents. This transforms Sussmann from a typical scummy political operative into a hero, and thus the important secrets he fought to expose must be true. That’s what makes the above Maddow segment so compelling: it’s about heroes and villains rather than substantiating truth.
In summary, the purpose of this blogpost was to describe how we know it’s a conspiracy-theory. Assuming the researchers are honest, the DNS logs do indeed show a clue. But everything after that point is typical conspiracy-theory nonsense. Even if we can’t come up with alternate explanations, those with experience can still confidently determine that these are unsubstantiated claims requiring a pretty complex conspiracy.
I'm curious why you regard the appointment of Durham as an abuse of the justice system and describe the indictment of Sussman as based on a flimsy excuse. I think the American public benefits from seeing the contra-evidence long-known by the FBI and SCO but which Mueller elected not to actually report on. The Mueller report systematically described every trivial Russian contact with the Trump organization, but chose instead simply to decline to report on facets of the claims they had disproven. That's a record that needs correcting.
Also, collecting information and preparing a report you know to be misleading and providing it to the FBI to instigate an investigation that you then intend to leak to the press seems like a much more appropriate case to charge a 1001 than the palpably flimsy 1001 charge against Papadop.
What explanation can *you* give for the contacts of Alfa with Cendyn/Listrak, then?