How DDoSecrets built the go-to home for Russian leaks

American investigative reporter Emma Best knows how arduous it is to ask for information from government agencies. 

She made more than 5,000 such requests during her career at MuckRock, a non-profit news site that publishes original government documents and conducts investigations based on them. Best was so persistent that the FBI temporarily banned her from filing any more information requests.

She found a way to cut through the government bureaucracy. Together with an anonymous partner known as The Architect, Best founded the whistleblower site Distributed Denial of Secrets (DDoSecrets) in 2018. 

Since then, it has distributed hacked and leaked data from more than 200 entities, including U.S. law enforcement agencies, fascist groups, shell companies, tax havens, and the far-right social media sites Gab and Parler. 

Unlike cybercriminals who sell hacked data on the darknet for personal gain, DDoSecrets says it exposes leaked information for the public good. “Secrets can be used for extortion by threatening to make it public, while public information can't,” Best said.

Her website has become a go-to place for whistleblowers and hackers, especially given the absence of its most famous predecessor, WikiLeaks, which has been inactive for the last two years.

Russian leaks

In March DDoSecrets published 817GB of hacked data from Roskomnadzor, the Russian government agency responsible for censorship in the country. From the 360,000 stolen files, journalists learned that Roskomnadzor had created a system, starting in 2020, for monitoring media content that, in their words, “destabilizes Russian society.” 

The system reviewed and reported publications critical of Russian President Vladimir Putin and state officials, as well as those supporting LGBTQ+ rights, cannabis legalization and the opposition movement.

These reports paved the way for the Kremlin to shut down or censor independent media outlets as Russia invaded Ukraine this February, according to an investigation by Russian independent news website Meduza. 

The Roskomnadzor leak is one of 58 Russian data dumps published on the DDoSecrets website. Over 12 million Russian documents have been leaked to the organization since the start of the war in Ukraine, with more information under embargo, Best told The Record.

After the invasion of Ukraine, most of the data DDoSecrets received was coming from Russia. Still, the group says that doesn’t mean the company has taken a side. “It really has to do with the data we receive,” DDoSecrets member Lorax Horne told the Verge.

DDoSecrets has received leaks from Ukraine as well, Best told The Record, “but they've all been identified as likely tied to state-sponsored entities or as active parts of psyops, such as Free Civilian.”

Because of their ties to an invading nation, and the lack of a clear and immediate public interest, the organization has decided not to publish them.

Among the most active hacktivist groups leaking Russian data is Anonymous, which declared "cyber war" on President Vladimir Putin in retaliation for the invasion of Ukraine. Other groups, including the Ukrainian Cyber Alliance and CyberHunta, have been sending Russian leaks to DDoSecrets for years, Best said.

It is hard to judge how impactful these leaks are given that Russian citizens don’t have access to them, and one of the few Russian-language media outlets that writes about leaked data, Meduza, has been declared a “foreign agent” and banned from the country for “spreading fakes.”

Ukraine, however, is actively using this data as proof of Russian totalitarianism and corruption. Some of these leaks, like the personal data of 120,000 Russian soldiers allegedly fighting in Ukraine, can be used to prosecute war crimes, Ukrainian top security official Yuriy Shchyhol told The Record.

Ethical alternative

Hackers who steal information from their victims' computers don't have many options for how to use it: they can threaten organizations with a data leak, demanding ransom; bury data on the dark web, in the hopes that someone will buy it; or leak it to journalists or platforms like WikiLeaks and DDoSecrets.

DDoSecrets gets most of its materials from private dataset collectors, leakers and hacktivists. It reviews the data and then decides whether it should be published based on the “public interest.” Its members aren’t engaged in hacking.

The distribution of some of the information is intentionally limited and only provided to qualified researchers and journalists “because some element of it is sensitive or we feel the risk of abuse outweighs the benefits of making it public,” Best said.

Among DDoSecrets’ databases that are not available to the public are 70GB of user data from the platform Gab and an alleged copy of the Hunter Biden laptop. 

DDoSecrets doesn’t ask for money for any datasets. In fact, until very recently the team worked entirely on a volunteer basis, according to Best. Now its funding comes from individual donors and a handful of grants. According to the open finances platform Open Collective, DDoSecrets has an estimated annual budget of about $24,000; from August 2020 to July this year, it raised a total of $32,489 through the platform.

Hackers usually contact DDoSecrets using various secure messengers like Cwtch and Signal or PGP email encryption. The organization uses Tor Onion Services to ensure the anonymity of its users, and reduce legal difficulties. 

Not surprisingly, DDoSecrets is not popular with everyone, and according to Best has been the target of DDoS attacks of its own. The organization was banned from social media in 2020 after exposing the personal data of 700,000 law enforcement officers in what became known as the BlueLeaks. The Department of Homeland Security’s Office of Intelligence and Analysis described DDoSecrets as “a criminal hacker group.”

WikiLeaks’ successor

Prior to founding DDoSecrets, Best and some of her colleagues worked with WikiLeaks. Among the reasons for her split with the group was its handling of the 2016 Democratic National Committee email leak. Best found the organization “deceptive” about the source, which was allegedly Russian intelligence agency hackers. Other members of DDoSecrets also described the environment within WikiLeaks as “toxic.”

“What went wrong, went wrong early on,” Best said. “The people that remained learned to successfully frame any criticism, no matter how constructive the intent, or any plea for improvement as an attack by outsiders and hostile forces.” 

“I'd like them to have [a goal] that is honest and divorced from the destiny of one man,” Best said, referring to WikiLeaks founder Julian Assange, who is now in a British jail awaiting possible extradition to the U.S. to face an array of charges under the Espionage Act.

Earlier in July, it was Best who first discovered that WikiLeaks quietly launched a new document submission portal for whistleblowers after its previous portal was offline for months. The system, however, didn’t seem to work and then shut down completely.

“Clearly they're facing technical challenges I don't understand, or there's just a lot they don't care about,” Best said. “Their silence continues to raise questions and not inspire confidence.”

Perhaps more than ever, hacktivists are hungry for a reliable place to forward hacked information, with leaks from Russia flowing at a constant rate since the start of the war in Ukraine. DDoSecrets has been happy to fill the void, and has plenty of material to work with.

“The leaking will continue until morality improves,” Best wrote on Twitter.


Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.