Guccifer 2.0's Final Messenger: Mainstream Media & Their "Russian Fingerprints"

Authored by Elizabeth Vos via,

Disobedient Media has consistently covered the work of The Forensicator over the last nine months. Our previous report focused on the first in a series of findings made by the analyst, which reveal intricate issues stemming from the Guccifer 2.0 persona’s earliest publications, as well as the establishment media’s culpability in broadcasting the documents as part of a larger Russian hacking narrative.

This article will focus on the second work published by the Forensicator in his ongoing series, titled: Media Mishaps: Early Guccifer 2 Coverage. The Forensicator sums up the results of his latest work:

Wittingly, or not, the media served a critical role in getting the message out that there were “Russian fingerprints” inside the first document that Guccifer 2 disclosed.

The media became Guccifer 2.0’s assistant by completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called “Russian fingerprints”).

As described by the Forensicator, the emergence of wide public exposure to Guccifer 2.0’s first document and the Cyrillic error messages embedded within it depended solely on the work of establishment media. The outlets involved worked to make the technical details of the matter digestible for broad public consumption, and concluded that the errors in the document constituted evidence of a successful Russian-state-sponsored hack of the DNC.

While this may not represent a shocking revelation to those who have followed the lumbering progress of the Russian hacking narrative, the Forensicator’s new report indicates the degree to which there may have been active or unwitting cooperation between the Guccifer 2.0 persona and key press outlets who published the earliest reports on the alleged hacker’s publication of the ‘Trump Opposition report.’

Leading the charge in such press coverage was The Washington Post, who reported on June 14, 2016, that the DNC alleged that it had been hacked by Russian operatives. The following day, Guccifer 2.0 made his official debut.  He shared several documents with at least two media outlets: The Smoking Gun and Gawker. The outlets focused on Guccifer 2.0’s first document, a doctored version of a Trump Opposition Report that the DNC claimed had been stolen by Russian hackers. Both media outlets published Guccifer 2.0’s first publication as a PDF file on their websites.

As discussed by the Forensicator and Disobedient Media, the fact the email to which the opposition report was attached was later published in the Podesta Email collection by Wikileaks does not prove that Guccifer 2.0 and Wikileaks shared a source on the document. However, it does suggest that either the DNC, the operators of the Guccifer 2.0 person, or both parties had access to Podesta’s emails. This raises questions as to why the DNC would interpret the use of this particular file as evidence of Russian penetration of the DNC.

Returning to the timeline of events surrounding media coverage of the Guccifer 2.0 persona’s debut, one recalls that the following day, on June 16, 2016, Ars Technica published an article, titled “Guccifer” leak of DNC Trump research has a Russian’s fingerprints on it.  The “Russian fingerprints” cited were the error messages, written in the Cyrillic alphabet, which were included near the end of Gawker’s PDF printout of the opposition report. The errors are presented, with notation via the Forensicator, below:

Image via The Forensicator

The Forensicator’s findings describe the procedure by which Ars Technica opened Guccifer 2’s document, seeing the error messages in English despite Gawker’s PDF showing them in Russian. In response to this inconsistency, Ars Technica argued that the Russian error messages must have appeared when the file was printed as a PDF. The outlet also made the surprising claim that Gawker got its PDF file directly from Guccifer 2.0. This statement, as highlighted by the Forensicator in the following image, raises serious questions regarding the relationship between major press outlets and supposed Russian hackers.

It is important to not that the possibility that the respective outlets worked directly with those responsible for the Guccifer 2.0 persona cannot be proven, or ruled out, based on the currently available evidence.


It is also highly interesting that in this incredibly early Ars Technica report on the Guccifer 2.0 persona’s publication of an attachment from a Podesta email would use the term “leaker,” as opposed to “hacker,” in coverage which ultimately implied the DNC had been hacked by Russians. In fact, the article did not use the term one, but three times, including the article’s subtitle. One can only wonder if this apparent Freudian slip represented an unintentional admission of the real circumstances of the initial security breach at the DNC from which all later ‘Russian hacking’ controversy stems.

The Forensicator’s latest work provides a close reading of the metadata for the PDF’s published by The Smoking Gun and Gawker, shown in the table below. In reviewing his work, one notices that Gawker used LibreOffice and that The Smoking Gun used Word for Mac to create their PDF files.

The Forensicator’s analysis destroys Ars Technica’s speculative theory, by pointing out that Gawker‘s PDF has Russian error messages because Guccifer 2’s 1.doc was opened in LibreOffice:

If we open 1.doc in LibreOffice, the Russian error messages are visible.  They will be displayed in Russian, independent of the user’s language settings.  Why?  This behavior derives from the fact that LibreOffice handles these invalid (empty) URL’s differently than Microsoft Word for Windows.

We observe that LibreOffice does not issue an error when it encounters an empty URL inside a HYPERLINK field; it simply prints the text defined by \fldrslt.  The \fldrslt value in this case is the display text for the URL, which happens to be the Russian error message.  LibreOffice prints that Russian error message independent of the user’s current language setting; it thinks it is simply the URL’s display text.

The above explanation iterates the method by which Gawker created its PDF with “Russian fingerprints”, but leaves one wondering how The Smoking Gun produced its PDF containing Russian error messages?  The Smoking Gun did not use LibreOffice – they used Word for Mac instead.  The Forensicator runs this down, writing:

“Surprisingly, Word for Mac behaves differently from Word for Windows, when it encounters an empty URL.  Word for Mac behaves similarly to LibreOffice; it quietly accepts the empty URL and simply displays the hyperlink text (defined by the \fldrslt function code) inside the document.  This text happens to be a Russian error message, written in Cyrillic.”

The Forensicator points out that if both media outlets had opened Guccifer 2’s 1.doc in Word for Windows, the error messages would have appeared in English, and there would never have been any “Russian fingerprints” – and therefore Russian hacking – story.  Given that the vast majority of users have Microsoft Word for Windows, it is especially surprising that both Gawker and The Smoking Gun used a different word processing application.

In his previous report, the Forensicator explained the multi-step complex process used to embed the Russian error messages into 1.doc, in other words, the Guccifer 2.0 persona’s side of the operation in producing the initial Russian hacking ‘evidence.’  Now, we learn from his newest report, that a final critical final step was needed to have those Russian error messages appear in the published PDF’s – the journalists had to print those PDF’s with either LibreOffice or Word for Mac. Given this, the Forensicator makes this critical summary point:

“The media became Guccifer 2’s assistant by completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called Russian fingerprints).”

The Forensicator mentions that his analysis depends on the assumption that both Gawker and The Smoking Gungenerated their own PDF’s.  If instead, they received their PDF documents from those behind the construction of the Guccifer 2.0 persona or a third party and didn’t inform their readers of this ‘chain-of-custody’ of their evidence, serious questions as to the integrity of their reporting process are inevitably raised.

In this way, the respective media outlets can be said to have taken an active role (wittingly or not) in advancing the “Russian fingerprints” narrative. They achieved this by describing Guccifer 2.0’s publication of the Trump Opposition report as an incident related to Russian hacking, and most importantly, by using the required operating systems and settings to create Cyrillic error messages used to substantiate these claims. Placing the intent of the journalists involved and the ominous reference by Ars Technica to a ‘leaker’ aside, Gawker and The Smoking Gun can be said to have acted as final messengers of the Guccifer 2.0 persona and those behind it. 


virgule revolla Sat, 05/12/2018 - 03:13 Permalink

The time stamps are interesting, as they are difficult to modify.

The PDF contents are made to look important, but the authors don't seem to know that it nearly as easy to edit a "final" PDF as it is to edit an MS-Word document. One just needs to have the right software tools, which hopefully Gucifer, Forensicator, journalists and others parties of interest all have. I could easily embedded a chain of Cyrilic characters in a PDF without ever coming close to a Russian computer...

In reply to by revolla

Ocean22 revolla Sat, 05/12/2018 - 11:49 Permalink

I am mainly in the camp that Putin is, at the very least, part of this mess, not a saviour of humanity.  Lots of evidence to support this perspective to.  Go rent and watch “snow piercer” on Netflix. Very telling.  The head and tail work together to fight US, not themselves.   

In reply to by revolla

SRV IntercoursetheEU Sat, 05/12/2018 - 12:07 Permalink

Seth was a message to the leakers... not a single piece of evidence has been released in his case, including even one of the hundreds of security cameras he would have been in... unless he wasn't. Several months later the local news admitted the photo's of "the corner" and the first responders was from stock footage. Oh, and isn't it perfectly normal to have a DNC operative camp out with the family to take care of all media queries... even today!

Ask and honest DC Police investigator past or present.

In reply to by IntercoursetheEU

trulz4lulz JRobby Sat, 05/12/2018 - 09:10 Permalink

Not it wouldn't have. Multiple people were mirroring the server for a few hours and uploading it. And once you start doing that, it goes pretty quick, depending on connection speeds, it wouldn't have taken long at all, few hours tops. And considering their skill in IT, and their reaction to the "leak" it was obvious they didn't know what happened until it was all uploaded. 

In reply to by JRobby

techpriest brianshell Fri, 05/11/2018 - 18:52 Permalink

According to former CIA analyst Ray McGovern, Guccifer 2.0 was a creation of the CIA, through the tools that were exposed in the Vault 7 release by Wikileaks:

I remember some obvious propaganda like Propornot, but if what McGovern said is true, then it means that Guccifer 2.0 was meant to be a persona that would be "exposed" as a Russian Hacker, and used as evidence to say that the election was rigged to favor Trump. Gaslighting for sure.

In reply to by brianshell

SRV looseal Sat, 05/12/2018 - 12:18 Permalink

Started in the 90s when the CIA infiltrated the FBI (JTTF), giving them color of law in the US... that's what McCabe was all about.

They brought the drugs, weapons (focusing on stealing and selling the highly enrich uranium from the Soviet nukes worth hundreds of billions) deals to the US (CIA could not operate inside the US), and Hillary was leading it out of the State Dept.

As Eric Braverman said as he made a run for Israel... follow the money... he was running from his position as CEO of The Foundation when he said it btw!

Finally, keep all of the above in mind when you evaluate Trump's move to end the Iran Deal... backroom deals galore... the reason they all panicked and pulled out all the stops to prevent it!

In reply to by looseal

OCnStiggs Fri, 05/11/2018 - 18:52 Permalink

The DNC will be unable to survive what is coming.

The indictments will include DWS and a host of DNC operatives associated with the Hillary campaign. As they turn on each other, the true nature of the Progressive Liberals in America will exposed for all to see. The last 24 months will serve as a "How Not To.." run a campaign or political party. And the players deserve every day they will serve in confinement.


Troy Ounce OCnStiggs Sat, 05/12/2018 - 01:20 Permalink


You might be right.

They are now investigating the best timing. When do you pull the plug?

Just before after a banking crisis?

Before of after you start WW3 in the ME?

They must now be thinking: how can one profit to the max from this incredible American political crisis?

The crisis will be global.

Timing, I say.

In reply to by OCnStiggs

BetterRalph Chief Joesph Fri, 05/11/2018 - 19:58 Permalink

Bill's Apple OS X server e-mail hosting for POTUS staff

Hillary's unmanaged DELL PowerEdge 2900 doin the MS Exch 2007 + Borked Chain Gang of FBI Traitor Custardy, PowerEdge 1950 Blackberry JuiceMachineJr server (STFU and have a nice cup of treason), Cisco324NAS, the "a firewall" hmm excuse me sir, can you pass me the "A Firewall?" and one a UPS ups-ing, so she does not burp on the holidays when she get's drunk as often.  (hell with a server ya know anything is possible in domain names lemme see the etc hosts lol 123@thebastardoperator.hell root@localhost  Microsoft Forefront and the Symantec virus were updat0r and install, or so they say. 

We PAGLIANO have embedded to be comcastic you know.

By Next year, I can build my bicycle out of balsa-wood too!

But the Weiner Lappy has a World Broken Cup of Custard Record.

Awan Spy Server

Awan Spy Server   

I trust the FBI, DOJ and CIA a lot still, honest.


In reply to by Chief Joesph

Slammofandango Fri, 05/11/2018 - 19:25 Permalink

Even if it could be proven without any doubt that Russia hacked the DNC and Podesta's emails, and that's still a big 'if', proof of Russian hacking doesn't rule out Wikileaks concurrently receiving stolen data that had been downloaded into a memory stick by an insider at the DNC. 

Consuelo Fri, 05/11/2018 - 20:26 Permalink

I thought the German journalist from a while back fairly well 'established' just where the establishment media get their marching orders from...

GreatUncle Fri, 05/11/2018 - 20:57 Permalink

Lol what footprint is this "fuck off".

Is that Russian how do you know it is not?

In this world of MSM media manipulation nothing can be termined to be true unless it has real world realities.

Think Skripal UK, no real world reality as per investigators in some university in the UK lol.

I still think both Skripals are dead until proven reality suggests otherwise.