An Old Investigation Worth Revisiting

There is something new brewing that we telegraphed on Twitter, but it's going to take a bit to ripen. Between now and then, let's look over an unrelated event that is similar in spirit. Some of this originally appeared on Liberty STRATCOM as Russian Indictments, American Pinholes. The Internet Research Agency indictment revealed thirteen email addresses associated with Paypal accounts. Ricky Pinedo is believed to have had a hand in procuring them, but we were interested in what could be discerned from the addresses themselves.

Internet Research Agency Paypal Accounts

We checked all thirteen against RiskIQ, and only the first one came back with an associated domain registration.

DigitalFaceLab registered by [email protected]

The domain registration was proxied, but the registrant record still carried a street address, and unluckily for the IRA I used to live about two miles from it, so it was easily checked. It is a vacant lot between two other homes, and the woman's name given on the record is a common one.

DigitalFaceLab Bogus Registration

Don't bother chasing DigitalFaceLab[.]com unless you have RiskIQ. It was moved to a Chinese IP after we started probing it, apparently to shift blame, and in any event that isn't the real story.

If you Googled the domain name when the indictment was released, there was exactly one hit: in the front-page source code of YourDigitalFace[.]com.

YourDigitalFace[.]com [email protected]
And the [email protected] account appearing in that source is one of the other Paypal accounts in the indictment. Now we might be on to something …
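The pivot just described (a domain referenced in another site's front-page source, and an email address in that same source matching the indictment's list) is worth scripting, since search engines index comments and metadata that a visitor never sees. The following Python is an added example and not the author's tooling; the watch-list values, the page source it scans, and the names are constructed placeholders, not the real indictment addresses or the real site.

```python
import re
from html.parser import HTMLParser

# Constructed watch list: placeholder indicators standing in for the thirteen
# indictment addresses and the one domain RiskIQ tied to them. Not real values.
WATCHLIST_EMAILS = {"alpha@example.com", "bravo@example.com"}
WATCHLIST_DOMAINS = {"DigitalFaceLab[.]com"}

# Constructed sample of a site's front-page source (hypothetical, not the real page).
# The telling references sit in a <meta> tag and an HTML comment, which is
# exactly the kind of thing a search engine indexes but a casual visitor never sees.
SAMPLE_SOURCE = """<html><head><title>Your Digital Face</title>
<meta name="author" content="bravo@example.com"></head>
<body><a href="http://digitalfacelab.com/order">Order</a>
<p>Contact: <a href="mailto:bravo@example.com">bravo@example.com</a></p>
<!-- old template copied from www.DigitalFaceLab.com -->
<a href="https://unrelated.example.org/">partner</a>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A bare domain: not preceded by '@' (that would be an email's domain part),
# a dot or a word character, and not followed by further label characters.
DOMAIN_RE = re.compile(r"(?<![\w@.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (DigitalFaceLab[.]com, hxxp://) back into a usable one."""
    return (ioc.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")
            .replace("hxxp", "http").strip().lower())


def defang(ioc: str) -> str:
    """Defang an indicator so it cannot be clicked or auto-linked in a report."""
    return ioc.replace("http", "hxxp").replace(".", "[.]").replace("@", "[@]")


class _SourceCollector(HTMLParser):
    """Collects text, comments and link-bearing attribute values from page source."""

    LINK_ATTRS = {"href", "src", "content", "action", "data-src"}

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in self.LINK_ATTRS:
                self.chunks.append(value)

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_comment(self, data):
        # Leftover template references often survive only in comments.
        self.chunks.append(data)


def extract_indicators(source: str):
    """Return (emails, domains) referenced anywhere in the page source."""
    collector = _SourceCollector()
    collector.feed(source)
    collector.close()
    blob = refang(" ".join(collector.chunks))
    emails = set(EMAIL_RE.findall(blob))
    domains = set()
    for match in DOMAIN_RE.findall(blob):
        domains.add(match[4:] if match.startswith("www.") else match)
    return emails, domains


def cross_reference(source: str, watch_emails, watch_domains) -> dict:
    """Intersect what the page references with the indicators under investigation."""
    emails, domains = extract_indicators(source)
    return {
        "emails": sorted(emails & {refang(e) for e in watch_emails}),
        "domains": sorted(domains & {refang(d) for d in watch_domains}),
    }


if __name__ == "__main__":
    hits = cross_reference(SAMPLE_SOURCE, WATCHLIST_EMAILS, WATCHLIST_DOMAINS)
    for kind, values in hits.items():
        for value in values:
            print(f"{kind}: {defang(value)}")
```

Feed it the saved source of each page that a search engine returns for your domain of interest and keep only the pages where `cross_reference` returns a non-empty intersection; matching on the email's domain part is deliberately excluded so that every address at a shared provider does not light up as a hit.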

The domain YourDigitalFace[.]com was originally registered by Scott Orlosk in New Hampshire.

YourDigitalFace[.]com Original Registration
But it's unclear what happened here. Did Orlosk lose control of the domain? It ended up tied to a Russian registrar, but not until May of 2017, which hardly fits the overall time frame of events.

YourDigitalFace[.]com Expires
So what might be happening here?

  • RiskIQ is good but not perfect: it misses things, finds things later, and updates where and when it can get additional information. Maybe we are missing a key piece.
  • YDF expired, but Orlosk recovered it during a grace period, and may have been involved in developing and running DigitalFaceLab[.]com.
  • Some exceedingly clever IRA person used DFL for the 2016 election and just happened to leave this subtle trail of clues to confound analysis.

But we know that the IRA scrambled to clean up after the FBI made them; this is admitted in their indictment. Concealment at the theorized level is something we do in operations, and we've run across similar things in other encounters with Russians, but this just doesn't feel like that. It doesn't seem planned; it seems hasty, after the fact.

There are precisely three weeks to go until the 2018 midterm. This is a fine time to recall that Ricky Pinedo was just sentenced to six months in prison for what he took to be an offense too small to be prosecuted. His life will never be the same, and everyone who had any transactions with those thirteen accounts has no doubt had some sleepless nights. Pinedo being sentenced means any cases built on his cooperation will quickly move to arrests, search warrants, and unsealed indictments becoming available.