Hunting the Hunters: New Digital Methodologies

Hunting the Hunters:

New Digital Methodologies of

Investigating Russian Spies and Security Service Officers

 

Aric Toler

arictoler@bellingcat.com

@AricToler (Twitter / Telegram)

 

 

Russian Data Flowing Outward

Russian personal data is widely available either for free (indexed, leaked databases) and a relatively small fee (less than LexisNexis, sometimes only a few euros paid via an anonymous bot, like Amazon). This data is widely used by journalists, human resource departments (background checks), and even wives suspecting their husbands of infidelity.

This is compounded by frequent customer and user data leaks from major Russian platforms, like Vkontatkte, Yandex, and Mail.ru.

 

 

 

Facial Recognition

 

 

 
 
 

 

 

Navalny Timeline

August 14: Alexey Navalny arrives in Novosibirsk from Moscow

 

August 17: Navalny and his team go to Tomsk by car

 

August 19: Navalny poisoned [unknown time/method]

August 20: Navalny leaves on flight from Tomsk to Moscow, becomes sick on board, flight diverted to Omsk, where he is hospitalized.

August 22: Navalny allowed to leave to Berlin, arrives at Charite hospital.


 


 

Uncovering Navalny’s Poisoning

  • Research Thread #1: Phone records of chemical weapon specialists who assisted Russian military intelligence (GRU) with the Skripal poisonings in 2018
  • Research Thread #2: As we learned from previous investigations, security operatives will arrive a day or two in advance of an operation, and leave on the day of or day after an operation. Who had tickets matching Navalny’s itinerary in Novosibirsk and Tomsk, plus/minus one day on arrival and departure?

Research Thread #1: Phone records

  • Who were the chemical weapon specialists involved with the Skripal poisonings talking to in the lead-up to Navalny’s poisoning?
  • Collect phone numbers frequently contacted, and crossreference them to establish identities.


 

Telephone Numbers

Can use popular caller ID apps, like GetContact and TrueCaller, to identify real identity of these phone numbers. Available with free apps or easy-to-use Telegram bots.

 

Can also check to see where the number is registered in leaked databases, customer data

Research Thread #2: Flights

  • There was one person who fit our parameters for flights that trailed Navalny, a man who flew into Novosibirsk on August 13 (one day before Navalny) and bought a ticket to fly out of Tomsk on August 21 (one day after Navalny).
  • This person was named Alexey Andreevich Frolov (born 16 June 1980)
  • Frolov’s Tomsk-Moscow ticket was booked with (i.e. purchased in the same transaction) two other men:

Vladimir Panyaev and Ivan Spiridonov.

Looking for a lead

Alexey Frolov and Ivan Spiridonov both have absolutely no history in any databases or sources we could find except for travel records.

  • No taxpayer number (INN)
  • No vehicle
  • No residence
  • No social media
  • No phone number
  • No address

Looking for a lead

Vladimir Panyaev was a real person, though. Running his phone number through the popular GetContact app reveals that someone listed him as “FSB Vladimir

 

Aleksandrovich Panyaev” in their phone’s contact book.

Lead: found!

  • Further researching Panyaev’s travel records reveals that Panyaev previous travelled with Frolov to…
  • Kaliningrad in July 2020 (Navalny was there)
  • Chelyabinsk in April 2017 (Navalny was there)
  • Astrakhan in April 2017 (Navalny was supposed to be there… except he was attacked the previous day and hospitalized)

 

Who is Frolov?

  • One of Panyaev’s co-travelers on Navalny’s trail (September 2017, to Omsk) was Alexey Aleksandrovich Aleksandrov was born on 16 June 1981.
  • Aleksandrov was registered as living at Michurinsky 25 – a residential building commonly used for those attending the FSB Academy, located down the road at Michurinsky 70.
  • Aleksandrov’s personal details also seemed pretty familiar…

Who is Frolov?

Alexey Andreevich Frolov (born 16 June 1980)

Alexey Aleksandrovich Aleksandrov (born on 16 June 1981)

Who is Frolov?

Alexey Andreevich Frolov (born 16 June 1980)

Alexey Aleksandrovich Aleksandrov (born on 16 June 1981)

Aleksandrov’s wife’s maiden name? Frolova

Aleksandrov = Frolov

Aleksandrov did not book any travel from his home in Moscow before Navalny’s poisoning, while Frolov did.

Yet, metadata in Aleksandrov’s phone records revealed:

  • August 14, when Navalny had arrived in Novosibirsk, Aleksandrov’s phone pinged a cell tower near the hotel where Navalny was staying.
  • Aleksandrov later turns on his phone just after midnight on August 21, showing he was in Tomsk, near Navalny’s hotel just hours after the poisoning likely took place.