Category: Open Source Intelligence

Skripal Case from Russia with Love

Hello folks,

Today I will talk about the Skripal case and the OSINT methods used by the Bellingcat group to find the real identities of the Russian spies behind the poisoning of Sergei and Yulia Skripal.

The story started when a friend shared with me some information about two nicknames, “Dorbik” and “Matad0r”, belonging to a vendor of bulletproof hosting services (bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content).

I searched a bit and found some interesting information:

[REDACTED Defendant #20] AKA Dorbik AKA Matad0r is a vendor of Bullet Proof Hosting services. Bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content. Other criminals hosted carding forums and phishing sites on Dorbik’s services.

Along with the official US district court document (from 2017, before the Skripal case):

I searched the “Dorbik” nickname in this document and found the name of the dark market vendor:

“Sergei Litvinenko” -> Sergei like “Sergei Skripal”, but Litvinenko like “Alexander Litvinenko”, who was a British-naturalised Russian defector and former officer of the Russian FSB secret service.

You can read his full biography here:

Like Sergei Skripal, Litvinenko was hospitalised in what was established as a case of poisoning by radioactive polonium-210 (Novichok for the Skripal case).

He died from the poisoning on 23 November 2006.

Based on these coincidences, I suggest that Sergei Skripal was “Sergei Litvinenko” aka “Dorbik” aka “Matad0r” and that Alexander Litvinenko was a member of his family, but the information is not enough to confirm this theory.

On 4 March 2018, Sergei Skripal and Yulia Skripal were poisoned in Salisbury with a Novichok nerve agent, according to official UK sources and the Organisation for the Prohibition of Chemical Weapons (OPCW).

In the 1990s, Sergei Skripal was an officer for Russia’s Main Intelligence Directorate (GRU) and worked as a double agent for the UK’s secret service from 1995 until his arrest in Moscow in December 2004.

As you know, Alexander Litvinenko died in 2006, and weirdly, the same year, Sergei Skripal was convicted of high treason and sentenced to 13 years in a penal colony by a Russian court.

Two Russian nationals, who go by the names Alexander Petrov and Ruslan Boshirov, were accused of the murder attempt on Sergei Skripal (fake names, obviously):

Recently, on 14 September 2018, the website “Bellingcat” published an article about Alexander Petrov and established a link between the suspect’s passport and the Russian security services. You can read the full post here:

You can see the last minute travel plans:

And you can see important information about his passport:

Alexander Petrov’s passport dossier is marked with a stamp containing the instruction “Do not provide any information”. This stamp does not exist in standard civilian passport files. A source working in the Russian police force who regularly works with the central database confirmed to Bellingcat and The Insider that they have never seen such a stamp on any passport form in their career. That source surmised that this marking is reserved for operatives of the state under deep cover.

And more importantly, the domestic passport photo matches the photos released by the UK authorities and the face of the person calling himself Alexander Petrov:

Today, the Bellingcat Investigation Team released other important information: they found the real identity of Ruslan Boshirov using OSINT methods.

He was identified as a GRU colonel named Anatoliy Chepiga:

The passport file contained a photograph – dated approximately in 2003, when this passport was obtained – that strongly resembled a younger “Boshirov” as seen in passport photos released by the UK police:

The amazing work of the Bellingcat team identified the suspect from a 2003 database, where he gave his personal address as “Military Unit 20662, Khabarovsk”. It also listed his place of birth as “village of Nikolaevka”, further linking this person to the Hero of the Russian Federation with the same name.

Bellingcat has contacted confidentially a former Russian military officer of similar rank as Colonel Chepiga, in order to receive a reaction to what Bellingcat found. The source, speaking on condition of anonymity, expressed surprise that at least one of the operatives engaged in the operation in Salisbury had the rank of colonel. Even more surprising was the suspects’ prior award of the highest military recognition.

On 13 September the two men were interviewed on Russian television where they claimed they were tourists visiting the city.

On 2 October 2018, Bellingcat released more information about the colonel: they obtained a photograph posted on the Russian social network “Odnoklassniki (OK)” by someone who visited the Far-Eastern Military Academy (abbreviated as DVOKU in Russian), where you can see a picture of the colonel.

More information can be found at:

Bellingcat also released a full report about the second suspect (Dr. Alexander Mishkin); you can read it here:

Recently, a team of GRU hackers tried to hack the OPCW buildings to erase evidence from different operations; a rental car full of hacking devices was found in a car park near the OPCW buildings:

You can read the information at:

An interesting perspective on the OSINT investigation of an image

Hello dear readers,

Today I had an interesting conversation with x0rz and another person on Discord, so I wanted to share it with you, hoping it may help some people find the precise location visible in a photo, or even a person.

x0rz had in fact asked several people this:

The goal was therefore to find the location or any other information related to this photo.

One person suggested that the photo had been taken near the Pont d’Iéna, next to the Eiffel Tower:

You can indeed see the typically Parisian building just above on the left, and the apartment buildings on the right. Another photo was then posted by the same person:

According to that same person, the black spots on the bridge appeared to be the bas-reliefs, which confirmed the general location of the photo.

x0rz then suggested that the photo had been taken from a rooftop, like this:

Searching on Street View, that same person managed to find the precise location by relying on elements visible in the photo and comparing them:

After a bit of searching, the location appeared to be the 5-star Shangri-La hotel located at 10, avenue d’Iéna, Paris, 75116, France:

Another person on Discord then superimposed the image of the location and the image of the person, and we could see that the image was indeed centred:

For my part, I suggested that the visible clouds did not vary on the left side of the image but that they did change on the right side; we can therefore deduce that the photo was taken on the same day as the hotel’s presentation photo.

However, the image is too perfect, and you can make out a few poorly done cut-outs on the hair on the woman’s left side; it is therefore very likely that the woman in the photo was cut out and added on top of the other image, so she has probably never set foot in this hotel.

This analysis is interesting in that, even without direct results from Google Images or TinEye, it is still possible to spot several small elements available in a photo and work back little by little until you find the precise place as well as the angle from which it was taken, and also the approximate date, without even analysing the metadata.

For more information, you can take a look at x0rz’s exceptional article: