At first the researchers worried that what they were seeing was malware attempting to break into the Trump server, but that didn’t match the pattern of exchanges. The signals started and stopped at irregular intervals. Sometimes several close together. Sometimes long intervals of nothing. When coming from New York, the signals appeared during office hours in New York. When coming from Moscow, the signals were during office hours in Moscow. It didn’t look like malware. It didn’t look like anything automated. It looked like people. Someone in the Trump Organization was conducting frequent communications with the Moscow offices of Alfa Bank.
Coming on the heels of James Comey’s letter re-opening the investigation into Hillary Clinton’s email server, and a day after the New York Times had devoted every single column of its entire front page to that “scandal,” this looked like a story that could possibly push back the anti-Clinton tide suddenly surging in those final days.
But two things happened within hours of the story’s first appearance. First, a number of computer security experts, most notably Robert Graham of Errata Security, scoffed at the researchers from the Slate article. Looking at the data set, Graham declared that the original group had “violated their principles” and that the communication was actually from the marketing firm Cendyn, which set up the server for the Trump Organization and that “… this is just normal marketing business from Cendyn and Listrak is the overwhelming logical explanation for all of this.”
Even more impact came via what was probably the single most critical article of the entire election cycle. Also dated Oct. 31, the Times article was titled “Investigating Donald Trump, F.B.I. Sees No Clear Link to Russia.” In this article, not only did the Times quote the FBI as saying that they had found no evidence connecting Trump and Russia, but they went much further, directly reversing statements that had already been released to the public from the CIA and NSA to say that even when it came to Russian actions hacking the DNC “the F.B.I. and intelligence officials now believe, [this] was aimed at disrupting the presidential election rather than electing Mr. Trump.”
That article also addressed the Alfa Bank connection. And their conclusion was exactly the same as the one that Graham produced.
The F.B.I. ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.
And with that, the New York Times put a definitive lid not just on the mysterious server story; it dismissed any connection between Trump and Russia so thoroughly that the story was essentially shut down in the media until after the election. The following day, Fortune published an article giving Alfa a clean bill of health, saying that even if Trump did have some connection with them, Alfa was run by the most “western-oriented capitalists in Russia.” None of Alfa’s principals was on the US sanctions list. So even if Trump was talking to them, no big deal. The Intercept piled on, calling the Slate story “wacky” and again pinning the so-called communications on advertising spam for Trump’s hotels.
And that … was pretty much that. Slate’s Franklin Foer returned to the story on Nov. 2, but even he seemed to be backing away from the original conclusions. According to Foer, he brought the researchers’ concerns to light because “I thought I would be remiss if I sat on data that I believed deserves to be evaluated and understood” and went on to cite the New York Times article while saying “Not every nexus between the candidate and Russia is nefarious. This one might well be entirely innocent or even accidental.”
The story that broke that Monday morning was stone cold dead within 48 hours. The New York Times said the Alfa Bank connection had already been looked at by the FBI and found to be nothing. Security experts chided the researchers cited by Slate for “speculating” and drawing unwarranted conclusions. Fortune blessed Alfa Bank as the capitalist good guys. The Washington Post pitched in their expert on why it was nothing. Even Slate seemed willing to shrug it off. There was definitely nothing to see here, and the Times went back to covering the story that mattered most—Hillary’s email. In fact, they never stopped. Even the story about Trump’s Russia connection didn’t merit the front page. The top story that day was “Agents cleared to scrutinize email cache” as the paper breathlessly covered every step as agents “scrambled under intense public pressure” to scan what was described as hundreds of thousands of emails.
As far as most media was concerned, the story about that server in Trump’s building seemed to have never happened. Some diarists continued to return to the story on Daily Kos, and there was still chatter within the security blogs, but as far as the big media sources were concerned, the whole idea had been thoroughly debunked.
It wasn’t until three months after Donald Trump had taken office that the “mystery server” bobbed to the surface again. On March 10, 2017, CNN reported that the FBI was actually still looking into whether there was, or had been, a connection between that Trump Organization server and Alfa Bank.
Questions about the possible connection were widely dismissed four months ago. But the FBI's investigation remains open, the sources said, and is in the hands of the FBI's counterintelligence team -- the same one looking into Russia's suspected interference in the 2016 election.
So, far from the server having been looked at and dismissed before the Times article ran in October, the FBI was still looking into its activities, which seemed interesting for at least two reasons: First, what was really going on with the server? Second, who told the New York Times that the story was a dead end?
But after that momentary reappearance, the server story went right back into the depths. On the other hand, Alfa Bank and its parent company, Alfa Group, began showing up frequently.
■ Brian Benczkowski, nominated by Trump and now serving as the assistant attorney general for the Criminal Division, represented Alfa Bank in the private sector before playing a key role in Trump’s transition team. The Criminal Division, among other things, is the section of the Justice Department that looks into charges of computer hacking. This generated some concern among lawmakers, but not enough to cause a single Republican to vote against Benczkowski.
■ Alex Van Der Zwaan, the first person to be sentenced for a crime by special counsel Robert Mueller, is the son-in-law of Russian oligarch German Khan, a co-owner of Alfa Bank.
■ Alfa Group makes an appearance in the memos produced by former British intelligence officer Christopher Steele where, despite the statements that Fortune produced just after the initial Slate article, Steele’s sources say that Alfa is very close to Putin. In particular, the owners of Alfa are cited as giving advice to Putin on foreign policy “and especially about the US.”
■ Alfa Bank executives were on the list of those who were connected to the investigation into Carter Page.
■ Investigators looking into spy Maria Butina are interested in payments she received through Alfa Bank.
Shortly after the CNN article ran in March of 2017, the blog Tea Pain began tugging again at the Trump Organization—Alfa Bank connection. Building on the existing research of a data scientist who had posted results on Twitter, what Tea Pain showed was that data seemed to be moving in something of a “round robin” fashion between the Trump server, the Alfa server, and a server owned by Spectrum Health. The fact that the Spectrum server was also exchanging information with the same server as the Trump server had been used as “proof” that the apparent relationship was nothing more than coincidental. But to Tea Pain, it appeared that Spectrum Health, owned by the family of Betsy DeVos and Erik Prince, was participating in a three-way conversation, or sometimes acting as a kind of go-between for the Trump—Alfa link.
Once the activity was charted, a pattern emerged. For example, a connection is made from Alfa Bank to Trump Tower, which may last anywhere from 1 minute to 15 minutes or more, followed by a longer “sleep” period. When averaged over months, these events showed an average time between connections of 3660 seconds, or 1 hour and 1 minute. Whatever was running, it would hook up, transfer data for a few minutes, then go to sleep for an hour.
The same pattern was visible in the connections from the Spectrum Health server to the Trump server. It seemed to Tea Pain that what was happening wasn’t emails or messages being sent directly. Instead, the pattern of behavior indicated a process that was a mixture of something manual and something automated: database replication. Database replication is a process that keeps different copies of the same database “in sync,” so that new information or changes made in one copy make their way to the others.
Someone was entering data into a computer connected to the server at Spectrum Health. When, either manually or according to some algorithm that tracked the amount of change, it was time for an update, data was relayed back to Trump Tower. The same thing was happening at the Trump Tower server, with data being relayed to Alfa Bank. And both servers appeared to be getting updates that originated from Alfa Bank.
One key thing that made the pass-through apparent was that when the Spectrum server talked to Trump Tower, the next communication from Trump Tower to Alfa would be longer, which indicated that whatever Spectrum was passing to Trump Tower was getting passed on to Alfa. And the same thing happened in reverse.
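The two checks described above, the average gap between connection starts and whether a relay’s next outbound session is longer after an inbound contact, can be run over a connection log. The following is an added example, not the original post’s or Tea Pain’s code; the log format, the role labels alfa/trump/spectrum and every record in it are constructed for illustration.

```python
# Added example, not from the original post: connection-timing analysis over a
# constructed log of '<start UTC> <src> <dst> <duration s>' records. The host
# names 'alfa', 'trump' and 'spectrum' are role labels chosen here, not real data.
from collections import namedtuple
from datetime import datetime

Conn = namedtuple("Conn", "start src dst duration_s")

def parse_log(lines):
    """Parse constructed records and return them sorted by start time."""
    conns = []
    for line in lines:
        ts, src, dst, dur = line.split()
        start = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        conns.append(Conn(start, src, dst, int(dur)))
    return sorted(conns, key=lambda c: c.start)

def mean_gap_seconds(conns, src, dst):
    """Average seconds between consecutive connection starts for one src->dst pair
    (the post reports 3660 s for the Alfa -> Trump Tower pair)."""
    starts = [c.start for c in conns if c.src == src and c.dst == dst]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return sum(gaps) / len(gaps) if gaps else 0.0

def passthrough_durations(conns, upstream, relay, downstream):
    """Mean duration of relay->downstream connections that directly follow an
    upstream->relay contact, versus those that do not. A clear gap between the
    two supports the pass-through reading; equal means argue against it."""
    followed, unfollowed, pending = [], [], False
    for c in conns:
        if c.src == upstream and c.dst == relay:
            pending = True
        elif c.src == relay and c.dst == downstream:
            (followed if pending else unfollowed).append(c.duration_s)
            pending = False
    avg = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return avg(followed), avg(unfollowed)

# Constructed sample: Alfa->Trump starts 61 min apart; Trump->Alfa sessions that
# follow a Spectrum->Trump contact are longer than those that do not.
SAMPLE_LOG = [
    "2016-05-04T13:00:00Z alfa trump 300",
    "2016-05-04T13:20:00Z spectrum trump 120",
    "2016-05-04T13:30:00Z trump alfa 540",
    "2016-05-04T14:01:00Z alfa trump 300",
    "2016-05-04T14:30:00Z trump alfa 180",
    "2016-05-04T15:02:00Z alfa trump 300",
    "2016-05-04T15:20:00Z spectrum trump 90",
    "2016-05-04T15:30:00Z trump alfa 600",
]
```

On real data the same functions should also be run against every other destination the relay talks to; a marketing sender would show comparable sessions to many hosts, while a replication peer would not.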
While there could still be good reasons why servers at Spectrum Health, Trump Tower, and Alfa Bank were sharing a database that was being kept updated in both directions … it’s hard to think of them immediately. And whatever was going on, it certainly did not resemble the “spam marketing” answer that had been the go-to solution for those debunking the original Slate story.
Tea Pain returned early in June with additional information on the database replication theory and was able to map the behavior seen by all three servers to the pattern he had indicated. This included opening multiple simultaneous connections when the data load was larger.
And that … is where the public knowledge of what happened between a Trump Organization server at Trump Tower and a server at Alfa Bank in Moscow rests.
■ The pattern doesn’t seem to match what would be produced if it were the result of email spam being sent by the Trump Tower server. And while some examples of marketing emails from the Trump Organization have been produced as “explanations” of the server traffic, none of these emails have been mapped to the traffic from the Trump Tower server.
■ None of the security experts who debunked the original article ever seems to have come forward with an example of the Trump Tower server conducting this type of connection to any server other than Alfa Bank and Spectrum Health—which seems like very odd behavior for a server that’s handing out marketing materials.
■ Despite complaints that the original researchers involved in the Slate article were engaged in “speculation,” it seems that the rush to pin all the communications on marketing emails was also nothing but speculation, and taking that one step farther into trying to make it communication from someone other than the Trump Organization was extremely speculative. The debunkers seemed more interested in proving the first set of researchers had made mistakes than they were in finding any answers.
■ The Tea Pain research shows that the pattern does appear to match one that might be expected if the servers had been maintaining a joint database shared across those three locations. Though the data appears to come at irregular intervals, the spacing and length of those intervals maps well to the theory he puts forward.
■ No one has a great explanation for what kind of database might have been replicated across these servers. But considering the speed of the commercial connections between these machines, the relatively brief length of the connections should not be taken as a sign that little data was being exchanged. The three servers could have been sharing a database in the gigabytes.
■ Despite the pre-election assurances that the FBI had completed their examination of the server and found the traffic completely innocent, it’s clear that, at least as of March 2017, that investigation was still underway.
Twenty-two months after the original Slate article, the mystery chatter between Trump Tower and Alfa Bank is still that—a mystery. But it’s one that deserves more attention than it’s been getting in the public eye and not nearly so easily dismissed as the literal Monday morning quarterbacks on Monday Oct. 31, 2016, want everyone to believe.