A Thorn in the Kremlin’s Side

It feels like the plotline of a Soviet comedy. Ruslan Boshirov and Alexander Petrov, whom British authorities have identified as the main suspects in the March poisoning of Sergei Skripal and his daughter, appeared on Russia Today—a Kremlin-funded network—and claimed to be fitness consultants who only traveled to Salisbury, the scene of the attempted murder, to see its famous cathedral. “We were walking around and enjoying this English Gothic, this beauty,” explained Boshirov in the September broadcast.

It was over-the-top, absurd, and almost laughable—similar to the Kremlin’s disinformation efforts via Facebook and Twitter. Unfortunately for Vladimir Putin, the day after the interview, the investigative website Bellingcat reported that “Boshirov” and “Petrov” are aliases. Both men, the site showed, are Russian intelligence operatives.

Bellingcat has found itself at the heart of some of the Kremlin’s touchiest affairs over the last few years—starting with the downing of Malaysia Airlines Flight 17 over eastern Ukraine in July 2014. A Russian missile killed the 298 passengers onboard and sparked months of disinformation and denials. The tragedy was “a massive catalyst both for the work of Bellingcat but also the development of the field of online open-source investigation as a whole,” says Eliot Higgins, Bellingcat’s founder, who is based in Leicester, England.

Higgins and a crew of volunteers cut through the Kremlin’s falsehoods about what happened to the flight known as MH17, ferreting out the origins of the missile launcher used in the downing and tracking its journey into Ukraine. Obsessive curiosity is Higgins’s trademark. Blogging under the name Brown Moses, he became known for using YouTube videos to identify the weapons being used in the Syrian civil war. At Bellingcat, he has put together a roster of skilled contributors who specialize in sorting through just such information mazes.

One is Aric Toler, a Kansas City-based researcher with a background in Russian literature. Toler started “for fun” in 2014, helping on the MH17 reports. He ended up working on project after project and, with Bellingcat’s website gaining popularity and funding, was brought on full-time. About half of the organization’s income comes from grants and donations from groups like the Open Society Foundations and the National Endowment for Democracy or from crowdfunding for specific research projects. The other half comes from Bellingcat’s workshops on how to responsibly leverage open-source information. Toler helps lead these five-day seminars for journalists, analysts, and others, which are offered in Western capitals as well as near Russia’s border in Georgia and Armenia.

Open-source reporting centers on analyzing publicly available material in an effort to pin down objective facts about an individual or incident. Bellingcat walks people through the process on its website, showing how you can verify a video or identify the weapon used in an attack. The site’s reports detail how the underlying information was obtained. “The hope is that my audience will see the process of verification and investigation, learn from that, and participate, so they learn how verification works and become skilled investigators themselves,” Higgins told the Columbia Journalism Review.

Even as the site staffs up, it continues to crowdsource its work. Bellingcat asks readers whether they can identify the location of a particularly obscure photo or video, for example, or figure out what time it was taken. “It’s kind of like a game, who can figure it out first,” says Toler. “Some people garden and some people do other things. It’s just a hobby that people have.”

In the course of its work, Bellingcat has sniffed out some unusual intelligence slipups. Back in April, Dutch authorities intercepted four Russian agents who were trying to hack into the Organization for the Prohibition of Chemical Weapons (OPCW). The operation seemed sloppy. Dutch authorities found the men parked near the OPCW building in The Hague with hacking equipment, cash, and a laptop they had neglected to wipe. They also found a cab receipt documenting one agent’s ride from the barracks of the GRU, Russia’s military intelligence service, to the Moscow airport.

Months later, the names of the agents were released. In an effort to verify their identities, Bellingcat tracked down the registration for one of the officers’ cars—and came across the names of more than 300 people who had registered vehicles to the same address. This happened to be the address of the GRU’s cyberwarfare department. Using openly available information, Bellingcat had stumbled upon the identities of hundreds of Russian intelligence officers. An analyst at the Carnegie Moscow Center, the Russian affiliate of the Carnegie Endowment for International Peace, described it as the “largest intelligence blunder in modern Russian history.” “A lot of it is just laziness and very petty corruption,” Toler says of the agents using the address. “When they get pulled over for drunk driving or speeding tickets, they are just let go as soon as the cop sees the address.”

Bellingcat has been particularly effective in undermining Russia’s traditional coverup strategy in cases like the downing of MH17 or the attack on the Skripals: distraction and lies. “It’s not actually about making it harder for the Russians to spy,” says Mark Galeotti, a Russian intelligence expert at the Institute of International Relations Prague. “It’s more that it then makes it more embarrassing for the Russians and harder for them to cover up what they’ve been doing.”

Russia accuses Bellingcat of using leaks from British security services and Higgins himself of being an intelligence agent. In its attempts to rebut the site, the Kremlin has shown a tendency to recycle Internet memes and lift other easily debunked content from social media. “We had a little spat with them, and we asked for clarification,” says Toler. “They sent us this 20-page meandering diatribe against us with all this ‘evidence.’ We took some paragraphs from there and put them in Google. They had simply copied and pasted 10 pages from a LiveJournal post.”

Bellingcat’s work on the Salisbury attack has been particularly frustrating for the Russians. In addition to the usual suspects, officials as high-ranking as foreign minister Sergey Lavrov are directing accusations at the organization. Higgins observed on Twitter that the Kremlin’s campaign against the site in the wake of its Skripal reports is unlike anything he’s experienced in its four years. “Never seen them look so weak or emotional at such a high level,” he wrote. “Tells you a lot about the problems we’ve caused them with our Skripal work.”

Yet Russia’s angry response appears at odds with what 30-year CIA veteran Daniel Hoffman describes as the trail of “breadcrumbs” left behind in Salisbury. “Nobody does Novichok except the Soviets and Russians,” he says, referring to the class of chemical agents used in the attack. “You could have targeted Skripal in a bar, you could have run him over with a lorry, but that’s not what they did.” The traceability of the attack had a “purpose,” Hoffman says.

In exposing “Boshirov” and “Petrov” as spies rather than tourists, Bellingcat used human sources and public information. Boshirov, it turns out, is a decorated GRU colonel named Anatoliy Chepiga. Bellingcat began by assuming the two were intelligence operatives. With their Russian partner, the Insider, they spoke to former Russian military officers to figure out which training academy the two might have attended, sifted through yearbook photos for possible matches, and then searched leaked databases for any residential details. As the group got closer to identifying Boshirov as Chepiga, they obtained parts of Chepiga’s passport file, which included a photo of him.

“I don’t think [the Russians] necessarily were ready for, firstly, how quickly they were burned, secondly, the depth of information that was provided, and thirdly, and perhaps most gallingly, that it came from Bellingcat, rather than, say, MI5,” says Galeotti.

The reports kept on coming. In mid-October Bellingcat identified the second suspect, “Petrov,” as Alexander Mishkin. An investigator from the Insider visited the village where he was born in northern Russia. Mishkin, like Chepiga, received the Hero of Russia award, the country’s highest honor, from Putin. Some suggested he received it for events related to Russia’s annexation of Crimea in 2014, or for helping ex-Ukrainian president Viktor Yanukovych escape the country that year. Bellingcat has established that Mishkin visited Ukraine a number of times between 2010 and 2013. Clearly, the man is not a fitness consultant who stayed in Salisbury only a short time because “the city was covered in snow.”

Russia and similarly closed societies will always try to control the narrative surrounding controversial events, but organizations like Bellingcat make that increasingly difficult. “It’s a growth industry,” says Steve Hall, who served as chief of Russian operations at the CIA, of open-source analysis. “You don’t have to have clandestine sources, you don’t have to have satellites, you don’t have to have NSA or GCHQ-style intercept capabilities to find out some good stuff.”

Organizations like Bellingcat, adds Galeotti, are making Russian intelligence uncertain about old certainties. “You might reckon that you’ve got a really strong legend, a really strong cover identity for your agents. You might reckon that you’ve covered your tracks,” he says. “And yet along comes this irritating collection of nerds, amateurs, and obsessives, which is probably, I’m sure, how they think of Bellingcat. All of a sudden, they are able to get around that—especially when they’re working with sources in Russia.”
