Skip to main content
stories

‘Your name is on some FSB officer’s list’ When hackers launched a cyberattack against Navalny supporters in April, they failed to cover their tracks. Meduza traced the effort back to the presidential administration itself.

Source: Meduza
Moscow Agency

On March 23, Alexey Navalny’s team announced plans to hold nationwide protests demanding the opposition politician’s release from prison. To help people organize, they created a website called “Free Navalny!” where his supporters could register their email addresses. On April 2, unknown hackers gained access to the site’s email address database — but the cyberattack remained undiscovered until April 16, when the attackers began sending threats to the registered addresses. The data was ultimately obtained both by employers and by the authorities: some people lost their jobs, while law enforcement investigated dozens of others. Meduza correspondents Liliya Yapparova and Denis Dmitriev followed the hackers’ tracks, which lead all the way to the presidential administrative directorate and the presidential administration — specifically to a “talented programmer” and the budding young head of a strategic research institute. The two are longtime business partners, and they share a common understanding of how “special operations on the internet” ought to work.

Please note. This article was originally published on May 11, 2021. You can read it in Russian here.

‘Thanks for coming — just don’t go to the rally’

On the morning of April 21, English teacher Yevgenia Makarova got a call from the Kurgan city prosecutor. He asked her to come see him by the end of the day. “He even suggested I get excused for work. I told him I’d make it,” Makarova told Meduza.

When she hung up the phone, Makarova realized her hands were shaking. “It was scary, because nothing like that had ever happened to me,” she said. “Before the rally [planned for April 21 in support of Navalny], they detained all of the activists. And I’d also taken part in rallies! I thought I would be given a few days [in jail], too.”

Before leaving home, Makarova left a note for her mother — in case she didn’t return. “I wrote down the prosecutor’s address, as well as the office they told me to go to — and that everything would be fine,” she recalled. She put the note inside of a greeting card on the dresser — so that her mom wouldn’t see it immediately. “And if I came home, I’d quietly get rid of it.”

The greeting card that hid Yevgenia Makarova’s note to her mother
Yevgenia Makarova’s personal archive

Makarova had to wait in line before entering the prosecutor’s office. “First, a young man and woman came out. They were so young, younger than me — practically older teenagers. They looked so distraught! They didn’t smile, they weren’t even looking at each other — it was like they were radiating fear when they walked past me,” Makarova said.

When it was Makarova’s turn to go in, deputy prosecutor Yevgeny Zarovny explained to her that he was “working off a signal” — he’d received information that she was planning to attend a rally in support of Navalny in the city center in a few hours. “‘But don’t you go to it! We’re applying preventative measures to you,’” he said, according to Makarova. “He gave me an ‘official warning against breaking the law,’ and I signed it. ‘Thanks for coming — just don’t go to the rally.’”

Makarova smiled cautiously when telling the story. After the meeting with Zarovny, she didn’t even think about going to the rally.

Zarovny didn’t tell Makarova where his “information” had come from. Several days later, however, Makarova remembered a strange email she’d received on April 15. “Hi, it’s Navalny,” it started out, like many of his other messages and posts — but then it took a dark turn. “Keep participating in super-IT-guy [Navalny associate Leonid] Volkov’s work — and we’ll keep getting new data about you, hahaha.”

Makarova determined the email had probably come from hackers who had gained access to the hundreds of thousands of emails submitted to the “Free Navalny!” site — she’d entered her own email there.

Read more

Unpleasant emails Team Navalny apologizes after database of email addresses registered for planned protest leaks online

Read more

Unpleasant emails Team Navalny apologizes after database of email addresses registered for planned protest leaks online

The Anti-Corruption Foundation (FBK) has confirmed the authenticity of the data leaked from the “Free Navalny!” site. Navalny’s chief of staff, Leonid Volkov, announced that the leak was connected to a former FBK employee. “Ninety-nine percent of cyberattacks happen with the help of an insider, through a ‘rat.’ A former employee with access [to sensitive information] could have downloaded email data from the server,” he said. In particular, Volkov blamed the leak on an FBK employee who was allegedly recruited by the Russian FSB.

In the first message, which most of the leak victims received on April 15 and 16, the hackers threatened to “de-anonymize your email.” In the next one (received on April 18), they demonstrated that they actually could determine the names, phone numbers, and addresses of many of the victims. The third wave of messages was sent on April 21 from a different domain, and it was aimed at the victims’ employers.

The email provided a list of “employees of your organization” who “support extremists” (in mid-April, Moscow prosecutors filed a claim seeking to designate Navalny’s anti-corruption non-profits and political network as “extremist organizations”). “If these people don’t realize they need to follow the law, your company…will… fall under the close attention of the media and the regulatory authorities,” the hackers warned.

It’s unclear how many people lost their jobs after this third wave of emails. According to former sound engineer Mikhail Bezrukavy and two of his former coworkers, however, six people were fired from the All-Russia State Television and Radio Broadcasting Company (VGTRK), including one division head. “I heard one version, that everything came from the [VGTRK] security department,” said a former employee named Igor. “But others say it’s the opposite, that there was a ‘knock’ from the very top — and then it all came down from [VGTRK head Oleg] Dobrodeev. (At the time of this article’s publication, VGTRK had not responded to Meduza’s request for comment).

A screenshot of the email the hackers sent to people’s employers

Former VGTRK employee Svetlana was personally fired by television host and state media official Andrey Medvedev — it was the first time she met a senior representative of the company in her 16 years working there.

“Right off the bat, Medvedev asked why I was registered on free.navalny.com. To which I answered that this was my personal business. ’No,’ he said, ‘it’s not your personal business at all. It can’t be your personal business.’ And he started lecturing me about how I can’t support a figure like that and get a paycheck from VGTRK at the same time — and how he ‘feels personally hurt, because he’s a close friend of [RT editor-in-chief] Margarita Simonyan, and Navalny’s bashed both her and VGTRK — and how could I do this,” Svetlana recalled.

The meeting with Medvedev made a strong impression on Svetlana. “That smarmy look, those glassy eyes. My dad was a security officer, and my mom made a film about mildew,” she said, laughing. “To be honest, it was the first time I’ve ever been face-to-face with a character like that, and at some point, when I realized what he was getting at, I just started observing him, and I sort of zoned out. I was going to try to explain to him that I support [Navalny] more for humanitarian reasons, not even for political ones. But it was like he didn’t see me. You’re trying to communicate your point of view to someone just a little bit — and no reaction. None.”

Mikhail Bezrukavy, a sound operator for Vesti Moskva, was summoned by his superiors a day earlier, on the day of the rally. “[VGTRK deputy general director Irina] Filina fired me — and my position was sound engineer, just so you understand,” said Bezrukavy. “It was all very surreal: I was just worried about losing my job at first, but at some point the fear disappeared — and I was hit with the feeling that all of this was somehow not real. They were asking me questions: how can you work at the state TV network and support the opposition? “How can it be, we’re a federal service, we’re a large entity, we work with the top people.” There wasn’t any hate in their words: my position wasn’t high enough for them to show any hate. No, it was more like incomprehension. I realized these were people from a completely different universe. At a certain moment, I even had the thought that the conversation alone was worth getting fired over.”

It’s also unclear whether the hackers sent the leaked information to the FSB, the Investigative Committee, the Attorney General’s Office, or the Interior Ministry. (These agencies didn’t respond to Meduza’s questions). However, on April 20 and 21, representatives from all four agencies conducted an unprecedented raid across dozens of cities — from the Russian North Caucasus to Karelia, from Yakutia to Sakhalin. Out of the 706 leak victims Meduza surveyed (more than 400,000 people were affected), 34 people, or 5%, reported having either been visited by state investigators, summoned to a prosecutor’s office, or otherwise contacted by the Russian intelligence agencies. Security agents told two of the respondents that the searches were related to the leak from the “Free Navalny!” site.

Several respondents were warned that they might face criminal prosecution, while others were told they could be arrested or fined. “If you don’t stop, we might plant a couple of gun cartridges on you,” a police officer told Vladimir, who lives in Pyatigorsk.

Polina, a student at Moscow’s Stroganov Academy, was summoned to the dean’s office — “Your name is on some FSB officer’s list on his desk because you registered somewhere,” they told her. “It really scared me,” she said. “I was scared that the FSB had my name somewhere and that these people could reach me somehow — who knows how — and that they might call my mom. What, am I a terrorist now?”

On the day of the rally, Anastasia Zorina received a call from an unknown number. Using the app GetContact, Meduza determined that the number is saved in other people’s phones as “Devil,” “Son of a bitch,” and “Trash.” The man didn’t introduce himself, but spoke to Zorina as if they were old friends. “[He said] that he was from some kind of headquarters and that he needed help to take part in the rally: preparing tear gas, lighter fluid, and improvised explosive devices,” Zorina told Meduza. “And he sounded like I had no choice, since I’d already agreed to take part in the rally.”

The mysterious call seemed to Anastasia like a continuation of the “special operation” that had begun with the hackers’ attack. “Apparently they wanted to turn a peaceful event into a violent one.”

Read more

‘They got the brunt’ Journalists report dozens more layoffs among city employees in Moscow in response to pro-Navalny protests

Read more

‘They got the brunt’ Journalists report dozens more layoffs among city employees in Moscow in response to pro-Navalny protests

‘They just set us up’

The infrastructure the hackers left behind is already starting to disappear.

According to Reg.ru, a registration company that knows who registered the sites, the three main domains they used have already been abandoned.

The registration site said that nobody has tried to search for the domains’ owners: “there hasn’t been any communication” from any security agency. (Neither the FSB nor the Interior Ministry responded to Meduza’s questions about whether an official investigation has begun).

Meduza was able to find one other domain associated with the emails. On the evening of April 15 — just hours after the hackers began creating infrastructure for their attack — several people received messages from the address [email protected] (four out of more than 700 people who responded to Meduza mentioned this).

A screenshot of the message from the domain moscow-baku.ru

These emails contained all the same threats — the only difference was that they were some of the first (the larger wave of messages went out about a day later) and seemed to be part of a sort of test run. Or a mistake.

According to data from SPARK-Interfax, the domain moscow-baku.ru and “Moscow-Baku,” the site it hosts, belong to Musa Muradov — and it’s difficult to imagine that he’d be behind a pro-Kremlin cyberattack. A journalist originally from the Chechen capital, Grozny, Muradov is the former editor-in-chief of the newspaper Groznensky Rabochy. During the Chechen wars, the paper was named “the only truly independent newspaper published and distributed in Chechnya.” The paper was first printed in Grozny, then in Moscow, then in Nazran; because of Muradov’s editorial policy, the publication came into conflict both with the Russian authorities and with the Chechen rebels — and eventually with Ramzan Kadyrov himself. Human rights activists have referred to Muradov as someone who “simply doesn’t allow himself to be intimidated and is not silent about crimes committed on either side.”

Today, however, Muradov leads a different outlet: the news agency Moscow-Baku. “The idea of our site is to cover Russian-Azerbaijani relations,” Muradov told Meduza. “We’re more of a PR project, you see? We don’t even use the media format. We only talk about beautiful things.”

The project dedicated to Russian-Azerbaijani friendship has 684 followers on VKontakte and 66 on Twitter. Former VGTRK employees work on its YouTube channel, and former RIA FAN employees work on the main site.

“They don’t quite do journalism as it’s supposed to be,” one of the agency’s former employees told Meduza. “It’s propaganda journalism about the relationship between Russia and Azerbaijan.”

News about Navalny on the Moscow-Baku site reads almost neutral — when it’s covered at all. Ruslan Sagayev, the site’s editor-in-chief (who previously worked with pro-Kremlin media manager Aram Gabrelyanov) rejects the notion that any of his employees could have used the site’s infrastructure to distribute threats to the free.navalny.com cyberattack victims. “It’d be absurd if any of our employees took part in that,” Sagayev told Meduza. “Plus, no hacker would act so openly. They just set us up!”

“That our employees would do something like that?” said Musa Muradov. “Without a doubt, it’s out of the question. Why on earth would we do that? It’s not unusual for hackers to use the names of other sites, as far as I understand. And if they chose to use our site for something as despicable as this, we’re victims just like everyone else.”

According to technology experts Meduza spoke to, it’s possible that someone used the Moscow-Baku domain by mistake when they sent out the initial “test” emails — someone who once had access to the network, or who still does.

“Let’s imagine it’s a physical mailbox,” Leonid Yevdokimov, a researcher from the University of Michigan’s Censored Planet project, told Meduza. “A person once printed some envelopes for Moscow-Baku. Then he was asked to print some for ’Navalny Fail’ — and he only edited the layout half of the time. As a result, half of the envelopes were sent from Moscow-Baku. But in this case, substitute the printer with an email distribution script.”

However, Moscow-Baku might also have no connection to the hackers at all — in fact, it might have been just another one of their victims. According to experts Meduza spoke to, the fact is that email headers are quite easy to fake. “In order to send an email with the return address [email protected], you barely have to do anything,” said Yevdokimov.

At Meduza’s request, Censored Planet researcher Leonid Yevdokimov conducted an experiment using the IP address and the email server that the first set of emails from [email protected] came from. He found that they don’t accept messages from the real Moscow-Baku domain. This disconnection means it’s unlikely that the hackers used the news agency’s real infrastructure.

When asked whether the real Moscow-Baku has enemies of its own, Muradov was at a loss. “As far as the recent events in Karabakh, there might be publications the Armenian side doesn’t like,” he decided. “But I’m not saying this was done by ‘Armenian hackers’ — I don’t have the slightest idea who this could have been.”

Digital footprints

Whoever attacked free.navalny.com, one thing is certain: it’s not their first time doing this. That much is clear from the registration data of the domains used to set up the email list — all of which are connected to a single virtual number (+4674575456433) and two email addresses: [email protected] and [email protected].

Those two addresses were discovered by the outlet Current Time TV in their investigation of the cyberattack.

The owner of the email address [email protected] has participated in provocations against Navalny’s Anti-Corruption Foundation before, according to OSINT-enthusiast Reworr: it was listed as the contact address in an announcement for a “money handout” at a protest rally initiated by opposition figure Ilya Yashin and backed by FBK employees. “We need people for a rally on August 3 from 11:20 to 12:30 near the Trubnaya metro station. No ages or gender requirements,” said a message on the forum politrabota.ru.

Judging by the similarity in registration data, the same group registered the domain navalny.ru.com; as far as Meduza knows, it hasn’t been used in any mailing lists or phishing attacks.

The rest of the domain names registered by the group look like imitations of real government sites.

These kinds of domains are often used in phishing attacks. Their main goal is to get credit card information. They do this through deceit: the scammers create clone sites where inattentive users are likely to enter their login information and credit card data.

Imitation sites were registered to three email addresses — [email protected], [email protected], and [email protected] — and two virtual numbers (one Swedish and one Icelandic) that the hackers have used multiple times. These sites were made to look like payment sites, government agency sites, and tax sites. The latter immediately redirects the user to the email and password form - probably to steal their data.

A source provided Meduza with technical information about a unique identifier of the owner of navalnyfail.ru, which was also used to send threats to Navalny’s supporters. According to this information, the organizers of the attack on the FBK also own the domains mchs-mail.ru, r77-fssprus.ru, and roskozna.ru (which simulates the Federal Treasury website).

However, two other domain names created by the same unknown group of hackers are associated neither with fraud nor with the attempts to provoke the FBK. As Reworr first noted, the sites zasekin.press and zasekin.space were registered on February 26, 2021 — the day before a provocation against Samara-based outlet Zasekin.ru.

An example of the mass email sent from Zasekin.ru
Zasekin.ru

On February 27, the same thing happened to Zasekin.ru that might have happened to Moscow-Baku: hackers created a fake email address that used the Zasekin.ru domain name and began sending emails from it. The emails reminded Samara officials and party branches about the upcoming regional duma elections, suggesting they “not vote for the bunker midget or the phony rabbit [derogatory nicknames for local politicians],” and support Alexey Navalny’s “Smart Voting” strategy instead.

They used address-swapping technology to send out fake emails under our names,” said Zasekin.ru owner Dmitry Loboiko (who, by his own admission, is not a Navalny supporter).

But Loboiko has his own theory about who’s behind the attack on his publication and the digital infrastructure used in the wider cyber campaign against Navalny — he believes it’s “people from the presidential administration” who conduct “special operations on the Internet.”

‘They buy these things just like everyone else’

Early in the morning of February 22, 2021, pages on the news and analysis site Zacekin.ru began to fill with brief descriptions of suicide methods, links to child pornography, and the band Kolovrat — all things that are closely tracked and blocked by Russia’s federal censorship agency, Roskomnadzor.

The extremist material was put on the site through the comments: the site, which usually gets about 10,000 to 12,000 views a day, suddenly received tens of thousands commenters — and an avalanche of banned content appeared in the comments.

“They were counting on us not being able to deal with such a large attack — and getting blocked by Roskomnadzor,” said Dmitry Loboiko. “About 60,000 commenters came within a couple hours. And at the same time, we were hit with a DDoS attack.”

Loboiko soon learned which page had caught the hackers’ attention. “Our tech guys told me right away that it was because of 30781. I mean, after ‘zasekin.ru’ and a slash,” said Loboiko. “We only saw the number of the article they were DDoS-ing. And for the first half hour, I couldn’t really figure out what they were talking about. But when the site started working again and we took a look, a lot became clear.”

The system administrators immediately saw from the data that the DDoS attack was aimed at a single page that the hackers were trying to destroy. “It was hit by 150,000–200,000 in the first hour of the attack — basically, a gigantic amount of views — and 46,000 comments. Obviously, it wasn’t live people who left these comments. Pavel Seleznev isn’t a popular enough figure for 100,000 people to log on to find out, ‘what’s up with that former FSB agent who traveled abroad?’,” Loboiko said.

At the moment of the attack, the publication was in conflict with only one person: Pavel Seleznev, a former agent from the FSB’s Samara office. The day before the cyberattack, the site had published a short article about Seleznev “succumbing to temptation.”

Making reference to various court documents, the article told the story of the FSB veteran’s attempts to leave the country. Former intelligence officials are forbidden to leave Russia for five years after their termination, but Seleznev managed to procure a foreign passport under a fake name and flew to Dubai.

“Actually, we didn’t even publish everything we know about him,” said Loboiko. “And our information about the Emirates was based on material from the Samara regional court! After that, people with connections to Seleznev started inquiring: Wasn’t the material commissioned by someone? How can we get rid of it? And they were informed through all possible channels that this wasn’t commissioned, and nobody was specifically trying to sabotage Seleznev — and the primary source is published on the court’s website.”

The DDoS attack began the next day — and just kept going. “In April, there were a little over 31 million visits from the attackers. Most of them came through Tor, so nobody can tell who’s behind them. I think they would stop if we removed the article,” said Loboiko.

On April 23, Seleznev tried to get the page blocked by going to Roskomnadzor. But despite all his efforts, the article about his trip to Dubai is the main thing people are googling about him right now. Until February, Seleznev was only discussed in Samara-based Telegram channels — and on the site Kompromat.ru, where his page described how he played cards with bankers, retired security officers, and crime bosses.

Pavel Seleznev and Dilyara Selezneva
Screenshot from Zasekin.ru

Aware of Seleznev’s resentment, journalists from Zasekin.ru conducted their own investigation into the cyberattack. (Seleznev himself didn’t respond to Meduza’s request for comment). “It turned out there was no way the ex-officer could organize an operation like this himself,” said Loboiko. But according to a source who’s been following the conflict, Seleznev could have gotten help organizing the DDoS attack from his close friend and business partner Mikhail Dudin — “a talented mathematician and programmer.”

Meduza has determined that Dudin and Seleznev’s connections run deep: their families have done business together at least three times.

Until 2015, Dudin held shares in AktivKapital Bank, where Seleznev’s wife Dilyara was deputy chairwoman for a long time. “As I understand it, Dudin was one of AktivKapital Bank’s founders during a crisis, when the bank lost its license. He effectively arrived right when the real beneficiaries were leaving, when the lefties who would end up nominal chairmen hadn’t arrived yet — and so we had this transitional administration,” said Loboiko. “And he was in that transitional administration, led by Dilyara Selezneva.

According to data from SPARK-Interfax, Dudin was the official founder and general director of the IT company Alex-Konsalt LLC until 2018. In August 2018, he stopped being general director, and in October he stopped being founder. A month later, his wife, Lyudmila Dudina, who was in business with Pavel Seleznev, became the company’s founder.

In 2018, according to data from SPARK-Interfax, Dudin and Seleznev became co-owners of Principle of Law LLC.

Dudin is a skilled programmer who has worked with federal security agencies, according to a source knowledgeable about his career. “About 10 years ago, he tried to sell FSB officers his method for determining a user’s specific location using cell towers,” said the source. “Back in those days, they say, they had to send three specially equipped cars to a location, create a local network, then use this network to find the exact location. Mikhail came up with a system for how to determine someone’s location within one or two meters — remotely, without those three cars.”

Dudin has since relocated to Moscow, where he appears to work for the presidential administration, according to Meduza’s source. “He’s not a public person at all. He’s now working for [head of the Presidential Executive Office’s domestic policy department Andrey] Yarin,” he said. “They say he’s a very well-paid specialist.”

Meduza was unable to determine whether Dudin has an official position in the presidential administration. But according to sources, the administration has already known him for over 10 years. “Even back in his Volga days,” a former administration official told Meduza. “He’s a good guy, doesn’t drink. Loves animals.” And he really does “collaborate with Yarin,” sources close to the FSB and the presidential administration confirmed. According to a contact aggregator Meduza consulted, Dudin’s number is saved in someone’s phone as “Mikhail President Admin.”

In 2017, Yarin was put in charge of the Kremlin’s initiative to protect against foreign cyberattacks, and in the fall of 2020, he was one of the individuals sanctioned by the European Union in response to Navalny’s poisoning — according to data from the EU, he was part of the group working to discredit Navalny.

Meduza’s source, a person familiar with Dudin’s work in the presidential administration, joked that the programmer is “doing all kinds of interesting projects’’ for Yarin. On the other hand, the knack for math that Dudin became renowned for in Samara hasn’t come in handy at his new job so far, according to a source close to the FSB — the administration doesn’t have the infrastructure necessary for large-scale cyberattacks. “They buy these things just like everyone else. Everything’s done by third-party companies,” said the source.

However, according to two sources Meduza spoke to, including a person close to the FSB who’s familiar with the details of the last “special effort” against the FBK, Mikhail Dudin was definitely involved in the attack on free.navalny.com. “I’m confident that the attacks against Zasekin.ru and the attacks against the Navalny supporters were both organized by Dudin,” said another source, who lives in Samara and knows Dudin well. (At the time of this article’s publication, the Russian presidential administration hadn’t answered Meduza’s questions about the cyberattack and Dudin’s role in it. Dudin himself didn’t respond to Meduza’s request for comment).

Dudin also has connections to a research institute under the presidential administration, which, according to Meduza’s sources, were also involved in the cyberattack against Navalny’s supporters.

‘How many Navalny fans did you check out for the feds?’

On April 20, two Investigative Committee officials spent the entire morning sitting in a car. They went out early to make sure they got to Pudozh — a small town on Russia’s Lake Onega — by the afternoon at the latest. Their goal was to find Alyona Mironova, a woman who had registered her email with the “Free Navalny!” site.

“They probably drove down our terrible roads and shot the shit,” said Mironova herself, who had long since moved to St. Petersburg. Around five p.m., the officers reached a two-story house with dusty pink siding — Alyona’s mother’s house. “The last street before the forest,” said Alyona. “They asked, ‘Does Alyona Mironova live here?’ ‘Nope, in Petersburg.’ So they stood there for a bit, looked around, then left.”

Pudozh. Alyona Mironova’s mother’s house
Alyona Mironova’s personal archive

By that time, the hackers had already sent Mironova an email with her personal data. There was just one mistake: the address. Not all of the information the hackers obtained turned out to be up to date — but they were able to turn a list of just email addresses into a detailed database of Navalny supporters’ phone numbers and addresses.

They could have done this by matching the email list with other data leaks on the database black market; the only problem was that there are dozens of these databases.

But according to black market participants who keep up with database updates, the data collected by the Navalny site hackers came from a database called Sprut, considered one of the most complete collections of personal data.

The database of Navalny supporters “includes pretty up-to-date employment information — only Sprut has data like that,” said a source from the Russian data market. “Sprut has direct contracts with GlavNIVTs — for all intents and purposes, with the presidential administration.”

The Russian Presidential Affairs Department's Scientific Research Computing Center (GlavNIVTs) is another Kremlin organization responsible for high-tech projects. As Meduza previously reported, this quasi-secret institution is led by former Russian intelligence officials, and its team of programmers has developed deanonymization technology to meet the authorities’ needs. Their software can return a variety of information about any Russian resident — from passport data and to a car’s VIN number, to foreign real estate holdings.

On April 14, the day before the cyberattack against free.navalny.com users began, GlavNIVTs was taken over by Vadim Gaisin — a longtime business partner of Mikhail Dudin.

According to data from SPARK-Interfax, Gaisin became owner of Piknik LLC in June 2012. In March 2013, he sold the company to Mikhail Dudin.

In 2018, Gaisin took over Yutek-NN LLC, which until then had been owned by Dudin.

In 2016, Gaisin sold his shares of ZhBI Stroi-holding LLC to Samara native Vitaly Belodubrovsky. In 2015, Belodubrovsky became the owner of the management company Volgasbytservis, which Dudin founded.

According Meduza’s sources, Gaisin’s arrival is part of a broader shift within the institution, which, after a number of financial problems and personnel changes, is slated to return to its “real work” — developing technology for Russia’s security forces.

As Meduza has previously reported, in 2014, when high-ranking FSO (Russian Secret Service) employee Alexander Kolpakov became a manager of the department that GlavNIVTS falls under, the Research Institute became a development platform for law enforcement agencies. But after a series of financial difficulties, the painstakingly-assembled team of programmers and analysts parted ways.

“Everything in GlavNIVTs has changed. The real work is theoretically supposed to start now, but it hasn’t started yet,” a source close to the FSB told Meduza. “And he [Gaisin] is a total dark horse right now — not even a gray one. It’s totally unclear how he plans to prove himself.”

But Mikhail Dudin has his own experience working with databases of private information. In 2006, according to data from SPARK-Interfax, Dudin began leading a company called “Alex-Consult,” which, according to user instructions on its website, provides access to a “subsystem of information searches in text databases” (including the Interior Ministry’s internal memos). In 2020, a division of Rosneft bought access to the database — one of many such purchases.

According to Current Time TV’s own investigation into the cyberattack against Navalny supporters, Yutek-NN, another of Dudin’s companies, has a license from the FSB to implement special technical methods of covertly receiving information.

The FSB may also have taken part in updating the database of Navalny supporters’ information. At the very least, its officers reached out to the private information black market with such a request, according to a source from the black market who has connections to the authorities. “They tried to sell a sweet fairy tale about state contracts, cooperation, friendship and mutual assistance,” he added. (The FSB didn’t respond to Meduza’s request for comment).

Meduza’s source didn’t know how many total players from the data market worked on the database at intelligence agencies’ request. “It’s embarrassing to even ask,” he said. “‘Vasily Viktorovich, how many Navalny supporters did you check out for the feds?’ He’ll say, ‘What are you, an idiot? Don’t call here anymore.’”

* * *

At first, Alyona Mironova couldn’t believe that the officers who traveled an extra 250 miles because of a data mistake would quit looking for her. “For the first two days, I couldn’t stop looking around at the police on the metro: will they question me or not?” Mironova said.

Mironova still doesn’t know what the officers wanted to tell her on their visit to Pudozh. “If this was their strategy, they’ve failed miserably,” she said. “Because we still don’t understand: am I supposed to be scared or something?”

Story by Liliya Yapparova and Denis Dmitriev with additional reporting by Andrey Pertsev and Alexey Kovalev, edited by Valery Igumenov

Translated by Sam Breazeale