Online Lies About Spies

How a fake letter revived a claim the UK bugged Donald Trump

DFRLab (@DFRLab)
Feb 2, 2018


A message from 4chan proposing to send a forged letter to news organizations “for the lulz,” together with the header of the fake. (Source: 4plebs)

On June 22, 2017, an anonymous user under the poster ID “yFIaEkoh” posted a forged letter to 4chan, an online forum popular with far-right and conspiracy theorist groups. The letter claimed to show that Britain’s electronic intelligence agency, GCHQ, spied during the 2016 U.S. presidential elections on the campaign of then-candidate Donald Trump at the behest of President Barack Obama.

Despite repeated exposure as a fraud, including on 4chan itself, the letter continued to circulate and was used to bolster claims that Trump remains the victim of an international “deep state” conspiracy aimed at undermining his presidency.

@DFRLab tracked the forgery across the internet, as a case study in how fakes can continue to spread through willing or engaged audiences, even when their falsehood is manifest.

The letter — content

The letter, dated November 2016, purported to be a request from then-GCHQ director Robert Hannigan to UK Foreign Secretary Boris Johnson, to extend permission “to surveil” Trump’s New York headquarters, “at the request of the US President”.

The text of the letter provided some logistical details, which implicated then-National Security Advisor Susan Rice.

To judge by the image posted online, the letter had been printed out on GCHQ headed paper, signed by Hannigan, then folded twice and scanned:

The image of the letter posted to 4chan on June 22, 2017. (Source: 4plebs)
The original 4chan post; note the date, June 22, 2017. (Source: 4plebs)

However, several internal factors confirm that the letter was a forgery. Paragraph four referred to “former MI5 agent Michael Steele,” who had provided “actionable leads” on apparent “communications with Russian hostile actors.” This was a glaring error: in fact, it was a former MI6 agent, Christopher Steele, who produced a dossier on Trump’s Russian connections.

Even if the author of a “TOP SECRET” document had been so sloppy as to give the source’s name — which is unlikely — it is beyond plausibility that they would get both Steele’s first name and his affiliation wrong in a communication with their own government.

The term “to surveil” was also indicative. For one thing, the verb is typical of American English, rather than British; for another, “surveillance” is a term proper to human intelligence, not signals intelligence, which is GCHQ’s remit. This may appear a technicality, but GCHQ is a technical organization.

Even the letter’s alleged back story is evidence of falsehood. The claim that GCHQ had sought permission to “surveil” Trump’s organization “at the request of the US President” could only be genuine if we were to believe that British civil servants would accept a tasking directly from the U.S. president, bypassing not only every intelligence and diplomatic entity in the U.S., but the entire diplomatic, political, and legal system of oversight in the UK.

In the words of former GCHQ director David Omand, explaining this to the Financial Times:

If the telephone rang in GCHQ from the White House, that in itself would be unheard of. The director would then ring his US counterpart, the director of the NSA — there’s a hotline on his desk — to ask if it was a hoax. The next person he would ring would be the foreign secretary to say we’ve had this amazing request.

Whoever forged this letter had a very romantic view of the U.S. president’s power to task, and British civil servants’ willingness to comply.

The letter — presentation

While the content was demonstrably fake, the presentation of the letter was more convincing. It used a known GCHQ logo and Hannigan’s signature, and a classification (TOP SECRET STRAP3) which belongs to a known system.

However, all three features could easily be faked with a few minutes of research. The GCHQ logo and Hannigan’s signature are both available from his resignation letter, published by GCHQ in January 2017.

GCHQ Director Robert Hannigan’s resignation letter; compare the header and signature with those in the forgery. (Source: GCHQ)

The STRAP system of classification has been exposed on various blogs since at least 2013, as have examples of STRAP-classified material leaked by former U.S. National Security Agency contractor Edward Snowden.

The forger would thus have found it easy to make their document look convincing; it is perhaps fortunate that their ability to write convincing content was so much lower.

We cannot establish the identity of the forger with certainty, yet the writing bears indicative patterns. The letter was written in idiomatic English; its tone is more American than British (“surveil”, “advisor” spelt with an o), and the context of the fake suggests an American focus, but there is insufficient evidence to be conclusive.

Context

The forgery was not released into an information vacuum. Three months earlier, on March 16, 2017, Fox News commentator Andrew Napolitano, a former judge, claimed:

Sources have told me that the British foreign surveillance service, the Government Communications Headquarters, known as GCHQ, most likely provided Obama with transcripts of Trump’s calls…by bypassing all American intelligence services.

The Trump White House took up the claim, which triggered a sharp response from both GCHQ and 10 Downing Street. Napolitano was reportedly suspended from Fox for two weeks for his comments.

The forgery appears aimed at reviving and bolstering Napolitano’s story, and thus feeding the ongoing conspiracy theory that the Obama White House abused its power against Trump.

Rapid exposure

The forgery was exposed almost as soon as it was posted. According to an archive of the 4chan page, it was placed online at 20:54:49 on June 22, 2017. At 21:13:34, less than nineteen minutes later, another anonymous user replied that it was fake.

Screenshot of the original post, with the times of posts underlined. (Source: 4plebs)

Discussion continued for over an hour. Some users initially expressed excitement and viewed it as vindication of Napolitano’s report.

(Source: 4plebs)

However, others quickly began pointing out flaws.

(Source: 4plebs)
(Source: 4plebs)

Some users began conducting research by reverse searching the picture.

(Source: 4plebs)

Less than an hour after the original post, online users identified the aforementioned resignation letter from Robert Hannigan as a likely template.

(Source: 4plebs)
(Source: 4plebs)

In a manner very characteristic of 4chan users, some suggested posting it and sending it to news organizations, even though it was a fake, to see if reporters would fall for it.

(Source: 4plebs)
(Source: 4plebs)

Thus, within 90 minutes of the letter’s being posted to 4chan, most users there concluded that it was a forgery.

Spreading the fake

Despite this, the forged letter kept resurfacing in various parts of the far right and among conspiracy sites. On September 24, 2017, it was posted and tweeted by a website called USfuturenews.com as if it were genuine. The post was addressed to Trump, and claimed that “the evidence of illegal political espionage against you during the campaign and after is beyond refute.”

(Source: Twitter / @USfuturenews. Archived on January 31, 2018.)

The report failed to gain traction: the tweet was not retweeted, and it did not receive any replies.

It resurfaced on December 30, 2017, when sites in the U.S. interpreted a statement by Senator Lindsey Graham as confirming the existence of a Watergate-style conspiracy between the Obama White House, U.S. Department of Justice, and Federal Bureau of Investigation (FBI) against Trump.

A Twitter user called @sealeney posted it with the addition of a red text box highlighting a reference to Obama’s National Security Adviser Susan Rice. This time, the tweet caught on and was retweeted 101 times. The same image, complete with red box, was posted to a website called freerepublic.com a few hours later.

(Source: Twitter / @Sealeney. Archived on January 2, 2018.)

Again, a user called @Chillum was quick to respond and pointed out the errors. The account has since been set to private, but this screenshot provided the text.

A full week later, @Sealeney appeared to acknowledge the image was a fraud.

(Source: Twitter / @sealeney. Archived on January 31, 2018.)

By that time, the tweet had been widely shared, including on subreddit /r/the_donald, another highly engaged far-right and conspiracy forum, where it was upvoted almost 900 times.

@Sealeney’s post appeared to have triggered aggressive narrative spread. On January 2, a Twitter user called @pepesgrandma (screen name “Babushka”) posted the letter, albeit with the caveat “if real” and with Hannigan’s name misspelt. The post was retweeted over 500 times.

(Source: Twitter / @pepesgrandma. Archived on January 31, 2018.)

The following day, the same user posted that they suspected the piece was a fake, but left the original post standing. The correction was only retweeted a dozen times.

(Source: Twitter / @pepesgrandma. Archived on January 31, 2018.)

On January 12, 2018 the pattern repeated itself. Another anonymous and hyper-partisan user, @datamanUSA, posted it with the hashtag #FusionCollusion, a reference to intelligence-gathering firm Fusion GPS, which employed Steele. The post was retweeted almost 200 times.

(Source: Twitter / @DatamanUSA. Archived on January 31, 2018.)

Again, other users pointed out the fraud, but the post continued to spread.

Replies to the @DatamanUSA tweet. (Source: Twitter)

A week later, the post received yet another push, this time largely driven by a user called Patricia Negron, self-styled (ironically) as a “fake news fighter”, and active on both Twitter and Facebook. This user shares a range of partisan messaging, together with posts opposing vaccination and discussing so-called “chemtrails,” a longstanding conspiracy theory which holds that the vapor trails aircraft leave are actually part of a secret plot to control the climate and/or the population.

Her original post on Facebook was shared 99 times; a follow-up post stated that the forgery was genuine and earned another 23 shares.

(Source: Facebook / Patricia Negron. Archived on January 31, 2018.)

In a familiar pattern, another user replied that the post was a probable fake and pointed to the mistakes over Steele’s name and affiliation.

(Source: Facebook / James Ralston. Archived on January 31, 2018.)

Simultaneously, Negron posted a series of tweets sharing the forgery with the hashtag #ProjectFulsome. Together, these tweets generated almost 1,000 retweets. Yet again, other users replied with the likelihood that the letter was a fake; yet again, the letter continued to circulate, with Negron herself defending it.

(Source: Twitter / @TrishaDishes. Archived on January 31, 2018.)

By January 30, the forged letter had been shared in thousands of tweets, posted on Reddit, shared across fringe websites, and had gained limited traction on Facebook. By no means was the reception uniformly uncritical; indeed, users repeatedly pointed to its errors.

Nevertheless, seven months after it was initially posted, it continued to gain traction and feed the conspiracy theory of a plot by the combined American and British “deep states” aimed at discrediting President Trump.

Conclusion

The fate of the forged GCHQ letter is a case study in how long fraudulent content can last online. Posted in June and exposed as a fake within hours, it continued to circulate through far-right and conspiracy sites and resurfaced in September, December, and into the new year.

The fact that users on these channels did expose the letter as a fake quickly demonstrated a degree of awareness in at least some parts of the online community, and a reluctance to take apparently sensational documents at face value. However, others appeared to have fallen for the forgery. Worst of all, others realized it was false but decided to share it anyway — either for entertainment or for political impact.

The letter’s continued circulation, especially by anonymous and hyper-partisan accounts, shows how vulnerable American users remain to continuous online manipulation and outright fraud.

Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Anna Pellegatta is a Digital Forensic Research Assistant @DFRLab. Michael Sheldon is an editorial intern @DFRLab.
