How We Caught Two Russian Banks Chatting With The Trump Server At Trump Tower

By Richard Cameron

Following the splashy tweets from Donald Trump accusing former President Barack Obama of wiretapping his phones at Trump Tower, a piece of information that had been only sparsely reported on and barely noticed at the time resurfaced. It was that the Foreign Intelligence Surveillance Court (FISC) had agreed to issue a warrant to the FBI’s National Security Division on the basis of probable cause to suspect involvement of the Trump campaign, and possibly Donald Trump himself, with two Russian banks.

One of the banks is Alfa Bank, the largest private bank in Russia. The other is SVB bank. The warrant, issued on October 15, 2016, names the banks specifically and also names the persons of interest in the Trump organization. It should be noted that the order was not an order to conduct wiretapping, but instead an order for the collection of “electronic records”.

The basis of the warrant, and of what knowledgeable sources in the intelligence community believe is an ongoing investigation, is evidence presented to the FISA court in affidavits to the judge demonstrating that the private server in Trump Tower had been communicating with the two Russian banks.

The intel that drove the FBI request had originated from leads they received from at least a couple of significant sources. One was a tip from a longtime counter-intelligence agent of a Western intelligence service that specialized in analyzing data about Russia’s persistent attempts to influence elections – cited in a BBC report as one of the Baltic states (Latvia?).

Paul Wood, of the BBC, reported that he had obtained information “given to me by several sources and corroborated by someone I will identify only as a senior member of the US intelligence community.” The source told Wood that C.I.A. Director John Brennan:

“was shown intelligence that worried him. It was—allegedly—a tape recording of a conversation about money from the Kremlin going into the US presidential campaign. It was passed to the US by an intelligence agency of one of the Baltic States.”

The other lead evolved from a cyber-security research team that, in the process of examining internet traffic related to both the Clinton and the Trump campaigns, randomly happened across an intriguing bit of data – lines of what at first appeared to be malware but, after closer review, was discovered to be communication between Trump Tower and Russian financial interests.

The lead scientist, operating under the pseudonym “Tea Leaves” in order to safeguard his confidential relationship with his employers in the cyber security community, commented in his notes, “I have an outlier here that connects to Russia in a strange way”.

Soon, he and colleagues who also analyze security data for private firms and firms contracted to U.S. intelligence agencies began reviewing DNS logs from the server at Trump Tower. Slate quotes Christopher Davis of HYAS InfoSec Inc. as commenting, regarding Trump’s server, “I’ve never seen a server set up like that. It looked weird, and it didn’t pass the sniff test”.


The researchers discovered that the server had been in operation since 2009 but, although originally used for various Trump mass marketing campaigns, had been repurposed to accommodate only communication between it and the Russian banks. Paul Vixie, a renowned expert in DNS coding, examined the server logs and concluded that “The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.”

Franklin Foer at Slate asked a prominent computer scientist, Nicholas Weaver, what the communication documented by the server logs likely indicated. Weaver told Foer, “I can’t attest to the logs themselves, but assuming they are legitimate they do indicate effectively human-level communication.”

No sooner had a New York Times reporter, Eric Lichtblau, interviewed a bank official at Alfa Bank than the Trump server was abruptly shut down. One specialist described it to Mr. Foer this way: “the knee was hit in Moscow, the leg kicked in New York”. Foer asked then Trump campaign spokeswoman Hope Hicks about the server. She responded in writing with the following:

“The email server, set up for marketing purposes and operated by a third-party, has not been used since 2010. The current traffic on the server from Alphabank’s [sic] IP address is regular DNS server traffic—not email traffic. To be clear, The Trump Organization is not sending or receiving any communications from this email server. The Trump Organization has no communication or relationship with this entity or any Russian entity.”

Problem – it is settled cyber science that DNS server traffic indicates nothing other than email traffic and other digital modes of communication. It’s not certain why Ms. Hicks would release an incompetent statement that could so easily be disproved.

There are many avenues in the FBI’s ongoing investigation, including the dealings of Trump’s campaign manager, Paul Manafort, as an intermediary with Putin and his administration, but the communications between the Russian banks and the Trump organization are solidly in the center of the mix.
