The unauthorized leak of classified US defense data started as a private conversation on Discord and spread to the anonymous forum 4chan. Because of this, confidential information ended up in the public domain, threatening national security and privacy. Learn how this breach happened, its implications for US security, and the measures being taken to counter cyber threats.
In recent days, the US Department of Justice and the Pentagon have launched an investigation into an apparent online leak of classified documents, including some marked Top Secret.
Some of the documents, which have since been widely covered in the media, relate to Russia’s invasion of Ukraine, while others contain detailed analyses of potential UK policies on the South China Sea and Houthi activities in Yemen.
The existence of the documents was first reported by the New York Times after a Russian Telegram channel published five photos of files related to Russia’s invasion of Ukraine on April 5. The documents date to early March, around the time they were first posted on Discord, a messaging platform popular among gamers.
However, Bellingcat has evidence that a document dated January may have been published earlier, although it is unclear when it was posted online. Bellingcat also spoke with three members of the Discord community where the images were posted, who said that more documents had been shared on other Discord servers in recent months.
Surprisingly, the Discord channels where the March documents were posted focused on the computer game Minecraft and on fans of a Filipino YouTube celebrity. The documents then spread to other sites, such as the imageboard 4chan, before appearing on Telegram, Twitter and, in recent days, in major media outlets around the world.
Ukrainian officials questioned the veracity of the documents, and the adviser to the head of the Office of the President of Ukraine, Mykhailo Podolyak, stated on Telegram that he believed Russia was behind the alleged leak. But US security officials quoted by the New York Times appeared to hint at their authenticity.
Russian presidential spokesman Dmitry Peskov told CNN that the documents show the extent of US and NATO involvement in Ukraine. However, one pro-Russian Telegram channel that provided updates on the conflict was unconvinced and said the documents could be Western disinformation.
The documents appear to detail events and offer an analysis of Russia’s invasion of Ukraine as of March 2023.
None of the documents seen by Bellingcat were scanned; they were photographed. The documents dated to early March show creases, and the photographs include a box from a hunting scope and Gorilla Glue. This indicates that at least some of the documents were photographed in the same location.
The content of the documents is very diverse. Topics include maps of Ukrainian hot spots such as Bakhmut and Kharkiv, schedules of Western ammunition deliveries to Ukraine, and maps and catalogs of Ukrainian air defense equipment, including ammunition consumption calendars, dated March 2 and stamped “Top Secret.”
Also included in the images is a “CIA Operations Center Update,” although much of the information contained in these documents was previously available to the public through media reports. While it is not yet possible to establish the source of these apparent leaks, it has been possible to trace the circulation of these documents on various online forums in recent months before they were reported by the pro-Russian Telegram channel and later by the mainstream media.
On April 5, the documents began to spread through pro-Russian Telegram channels. The first version found by Bellingcat was published in the Telegram channel “Donbass Devushka” at 21:29 Ukrainian time.
This post contained four images before another post with a different image was published shortly after.
Just a few hours earlier, a 4chan user posted the first of eight messages in a thread on the Politically Incorrect (/pol/) board, three of which attached images of seemingly similar but mostly different documents.
These eight messages were sent by the same anonymous user, as indicated by the same identifier: CXWfLHRB.
In a subsequent post without an image, the same author argued with another 4chan user about the veracity of the information contained in their posts.
The only image shared on both Telegram and 4chan was a map displaying a number of statistics, including the total number of soldiers killed in combat on the Russian and Ukrainian sides during the war.
However, the figures from these two sources differed. The first source (4chan) showed more Russian casualties than Ukrainian, while the second source (Donbass Girl) showed the opposite. A closer look at the second image posted on Telegram, which shows a much larger number of Ukrainian victims, shows that the image has been seriously tampered with.
Aside from the late publication date and rather blurry resolution, the numbers don’t add up. The spacing between some numbers and letters is also too large to match the font. Thus, it appears that either the “Donbass Devushka” Telegram account, or earlier sources posted on that account, altered the original image to show a higher number of Ukrainian casualties than originally assumed. However, none of the sources posted on 4chan or Telegram are genuine.
On March 4, more than a month before the Telegram and 4chan posts, 10 documents were posted on a Discord server titled “Minecraft Earth Map”. Minecraft is a popular computer game played by millions of players around the world. After a brief argument with another person on the server about Minecraft maps and the war in Ukraine, one of the Discord users replied “here you have some leaked documents”, adding 10 documents about Ukraine, some of which were marked “Top Secret”.
All seven documents from the 4chan and Telegram posts, including the map with the lower Ukrainian casualty figures, were present in this post, along with three additional ones that had not been published in any Telegram, Twitter, or 4chan posts at the time.
The user who shared the map later said on Twitter that he found them posted by another user on a Discord server called WowMao, which is run by fans of the popular YouTuber of the same name.
On March 1 and 2, a WowMao user posted more than 30 documents to the server, many of which were marked “Top Secret”, that is, before they were published on the Minecraft server.
The same user also published dozens of other documents about Ukraine on this server before they were removed on April 7. Although Bellingcat has seen these posts, it has not been able to independently verify the authenticity of the documents in them.
However, the WowMao server may not be the original source of these documents. Bellingcat spoke with another member of the Discord community who claimed that other images had previously been posted on another, now-deleted server, most often referred to as “Thug Shaker Central” and known at other times by different names.
The image file shown to Bellingcat contained an additional document dated January 13, in the same style and format as those posted on the WowMao server. However, it is impossible to independently verify their authenticity, since the images provided are screenshots and not links to the original posts on the deleted server. The content of these documents was also blurred when they were shown to Bellingcat, except for the date and the secrecy stamp.
The Thug Shaker Central server was originally named after its founder, a member of the server nicknamed “Vakhi” told Bellingcat. Administrative duties on this server were taken over by another user before a new member appeared, and the name changed several times. Vakhi did not want to name the person, but said he was the original source of the leaked documents, and when contacted by Bellingcat, he said his name had not been released.
Two other users, who declined to be named, said the files leaked on WowMao were only the “tip of the iceberg” compared to the number of documents posted on Thug Shaker Central.
There is no trace of this server other than the testimonies of these users and scattered mentions of it on 4chan. Therefore, Bellingcat cannot independently verify all of the information shared by these users, including the aforementioned January document, or whether the other user described as the source of the leak was indeed the original source.
However, Bellingcat can confirm that Vakhi and the other users who spoke to Bellingcat, as well as another user who shared documents on the WowMao server, were part of the Thug Shaker server, as they provided Bellingcat with member lists that matched key details of who the members of the Thug Shaker server were.
Their statements about the general nature of the server also coincided. According to members, the Thug Shaker server name changed frequently, sometimes including a racial slur, and the server had about 20 active users who formed a close-knit community. Posts and channel lists show that the server’s users were interested in video games, music and Orthodox Christianity, and were fans of the popular YouTuber “Oxide”.
According to the members who spoke to Bellingcat, the server was not particularly geopolitical in nature, but users took a strong conservative stance on some issues. Racist imagery and racist memes were widespread. Bellingcat contacted Discord to ask whether it knew anything about the existence of the Thug Shaker Central, WowMao, and Minecraft Earth Map servers, as well as the alleged distribution of “top secret” documents on Discord.
Bellingcat also asked the Department of Defense (DoD) whether the documents posted on the channels were authentic and whether it was aware of any apparent sources of the leaks. Discord responded that it could not provide Bellingcat with any comment at this time. The Department of Defense told Bellingcat via email that it is “actively looking into this matter and has formally referred it to the Department of Justice for investigation.”