After Trump’s Inauguration, two Democratic senators who had reviewed the data assembled by Max’s group—Mark Warner and a colleague who requested anonymity—asked the F.B.I. for an assessment of any potential contacts between Alfa Bank and the Trump Organization. The material was also brought to the attention of the C.I.A., which found it substantial enough to suggest that the F.B.I. investigate. In March, 2017, a Pennsylvania news outlet called Lancaster Online reported that F.B.I. agents had visited the offices of Listrak, the company that housed the Trump server. Ross Kramer, Listrak’s C.E.O., told me, “I gave them everything they asked for.”
Around the same time, the second Democratic senator approached a former Senate staffer named Daniel Jones and asked him to give the data a closer look. Jones had served as a counterterrorism investigator for the F.B.I. and then spent ten years working for the Senate Intelligence Committee, where he led the inquiry into the use of torture under the George W. Bush Administration. Now he was running an investigations firm, the Penn Quarter Group, and a nonprofit initiative called the Democracy Integrity Project, which was intended to help keep elections free from foreign interference.
To assess the Alfa Bank data, Jones assembled a team of computer scientists, divided into two groups, one on each coast. (They also consulted with Jean Camp, who agreed to coöperate despite the possibility that Alfa Bank might take legal action.) All these experts have national reputations in the field. Some have held senior cybersecurity jobs in the Pentagon, the White House, and the intelligence services, as well as in leading American technology companies. In order to encourage an unbiased outcome, Jones never introduced the East Coast group to the West Coast group.
I met several times with the two members of the East Coast group and spoke with them repeatedly. They used pseudonyms, Paul and Leto, in part because they had been alarmed by encounters with Russia while they were working at high levels of government. Leto said that, in 2016, as he was investigating cyber intrusions that seemed to originate in Russia, he became convinced that he was being followed. Both he and Paul believed that their phones had been hacked. These incursions coincided with a period of intense Russian activity in the U.S., including the hacking of the D.N.C., a pro-Trump social-media blitz, and the arrival of Maria Butina, who is accused of being a Russian agent sent to ingratiate herself with American conservative leaders. (Butina has denied the accusations.)
As Paul and Leto began working, they needed to verify that Max’s data presented an accurate picture of the traffic. After the Slate story appeared, skeptics pointed out that no one has a comprehensive view of the Domain Name System. They speculated that other entities, besides Alfa Bank and Spectrum Health, had looked up the Trump domain, and that Max had failed to see them. The D.N.S. company Dyn told a reporter that it had seen lookups from other computers around the world. But Dyn turned out to have registered only two additional lookups, both from the same address in the Netherlands.
Max and his colleagues maintain that they are able to see nearly all the D.N.S. lookups on a given domain; the senior Capitol Hill aide I spoke to affirmed that Max’s group is widely understood to have this capability. Paul Vixie, one of the original architects of the D.N.S. network, examined the data and told me, “If this is a forgery, it’s better than any forgery I’ve seen.” Jones’s team also ran analyses and real-time tests to check Max’s access to D.N.S. records. “It’s completely implausible that he could have fooled us,” Paul said.
Max had provided the Jones team with thirty-seven million D.N.S. records, enough to fill thousands of screens with time stamps and I.P. addresses—long strings of numbers and letters in green type. Over the course of several months, Paul and Leto examined the data for patterns and anomalies. “We stared at a lot of green screens,” Paul said. They regarded their inquiry as a statistical enterprise, capturing each Alfa Bank D.N.S. query from the ocean of data that they had been given and plotting it over a four-month period. Both said that they began their work as skeptics. “I started from an assumption that this is a bunch of nonsense,” Leto told me.
Much of the information that was publicly available might well have supported that assumption. Foer’s article in Slate had prompted online discussions, in which commentators offered explanations ranging from the benign to the sinister. The timing of the lookups, which came in the summer just before the election, invited speculation. Foer claimed that the biggest flurries of traffic coincided with major campaign events, including the party conventions. Paul and Leto were dubious. If anything, the traffic coincided with Paul Manafort’s time as Trump’s campaign manager—but the D.N.S. queries continued after Manafort stepped down. “A lot of people are seeing faces in clouds,” Leto said.
The Trump Organization had done little to clarify the matter. In October, 2016, it released a statement denying interactions with Alfa Bank “or any Russian entity.” Instead, it offered a peculiar explanation for the D.N.S. traffic: it had been triggered when “an existing banking customer of Cendyn”—the marketing firm—had used the company’s systems to send communications to Alfa Bank. Such a scenario would be highly irregular; it was as if Gmail had allowed a user to send e-mail from another user’s account. “It makes no sense,” Paul told me.
Trump’s advocates claimed that the investigations sponsored by Alfa Bank had proved that Alfa and the Trump Organization were not communicating. In fact, they sidestepped the question. Mandiant, one of the cybersecurity firms, said that it was unable to inspect the bank’s D.N.S. logs from 2016, because Alfa retained such records for only twenty-four hours. The other firm, Stroz Friedberg, gave the same explanation for why it, too, was “unable to verify” the data.
As Jones’s team vetted the data, they examined various possible explanations. One was malware, which had played a role in the hack of the D.N.C.’s computers. Most malware has “distinctive patterns of behavior,” Camp told me. It is typically sent out in a blast, aimed simultaneously at multiple domains. There is a “payload”—a mechanism that activates the malicious activity—and a “recruitment mechanism,” which enables the malware to take over parts of a vulnerable computer. None of the experts whom Jones assembled found any evidence of this behavior on the Trump server. “Malware doesn’t keep banging on the door like that,” Paul said.
A second possibility was marketing e-mail. After the Slate article appeared, some commentators suggested that Trump’s server had innocently sent promotional e-mails to Alfa Bank, and that a computer there had responded with queries designed to verify the identity of the sender. This became a catchall answer for anyone who couldn’t explain what had happened. “Either this is something innocuous, like spam,” Rachel Cohen, a press secretary for Senator Warner, told me, “or it’s completely nefarious.”
Alfa Bank had received Trump marketing e-mails in the past. But Cendyn had told CNN that it stopped sending e-mails for the Trump Organization in March, 2016, before the peculiar activity began; Trump had transferred his online marketing to another company, called Serenata. Jones’s team investigated, and found additional evidence that the server wasn’t sending marketing e-mails at the time. One indicator was the unusually limited traffic. Kramer, of Listrak, told me that a typical client sends “tens of thousands of e-mails a day” to huge numbers of recipients. If the Trump server was following that pattern, it would have generated significant D.N.S. traffic. To establish a kind of control group, Jones’s team asked Max to capture the D.N.S. logs for the Denihan Hospitality Group—a hotel chain, similar in size to Trump’s, which was using Cendyn and Listrak to send marketing e-mails. In a sample spanning August and September, 2016, a Denihan domain received more than twenty thousand D.N.S. queries, from more than a thousand I.P. addresses. In the same period, the Trump domain had twenty-five hundred lookups, nearly all of them from Alfa Bank and Spectrum Health.
The timing and the frequency of the D.N.S. lookups also did not suggest spam, Paul and Leto believed. Mass-marketing e-mails are typically sent by an automated process, one after another, in an unbroken rhythm. The Alfa queries seemed to fall into two categories. Some came in a steady pulse, while others arrived irregularly—sometimes many in a day, sometimes a few. “The timing of the communication was not random, and it wasn’t regular-periodic,” Paul said. “It was a better match for human activity.”
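The two checks the preceding paragraphs describe, lookup volume and source diversity measured against a control domain, and the inter-arrival timing of each source, can be made concrete with a small script. What follows is an added example in Python, not code from the article, from Max's group, or from the Jones team. The log lines it analyzes are constructed (placeholder domain names and RFC 5737 documentation addresses, one source emitting a fixed pulse and another emitting working-hours bursts), and the coefficient-of-variation thresholds and the 8:00 to 18:00 "business hours" window are assumptions made for the example.

```python
"""
Passive-DNS triage of the kind described above: compare a domain's lookup
volume and source diversity against a control domain, then profile the
inter-arrival timing of each source.  Added example on constructed input;
not the article's, Max's group's or the Jones team's code.
"""
import random
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed log lines: 'ISO-timestamp source_ip queried_name'.

    Names are placeholders and the addresses are RFC 5737 documentation
    ranges; nothing here is a real record.
    """
    t0 = datetime(2016, 8, 1)
    lines = []
    # Control domain: mailer-style pattern, one lookup every 3 minutes from
    # 200 different recipient resolvers (many sources, steady rhythm).
    for i in range(600):
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.{i % 200 + 1} mail.control-hotel.example")
    # Target domain, source A: a steady pulse every 6 hours for 30 days.
    for i in range(120):
        ts = t0 + timedelta(hours=6 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.10 mail1.target.example")
    # Target domain, source B: irregular bursts between 09:00 and 17:00 on
    # roughly half of 120 days (seeded so every run produces the same log).
    rng = random.Random(7)
    for d in range(120):
        if rng.random() < 0.55:
            for _ in range(rng.randint(3, 12)):
                ts = t0 + timedelta(days=d, hours=9, minutes=rng.randint(0, 480))
                lines.append(f"{ts.isoformat()} 198.51.100.20 mail1.target.example")
    return lines


def parse_log(lines):
    """Parse log lines into (timestamp, source_ip, name), sorted by time."""
    recs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, ip, name = parts
        recs.append((datetime.fromisoformat(ts), ip, name.lower().rstrip(".")))
    return sorted(recs)


def summarize_by_domain(recs):
    """Per name: total lookups, distinct sources, share held by the top two sources."""
    by_name = defaultdict(list)
    for _, ip, name in recs:
        by_name[name].append(ip)
    out = {}
    for name, ips in by_name.items():
        counts = Counter(ips)
        top2 = sum(c for _, c in counts.most_common(2))
        out[name] = {"lookups": len(ips), "sources": len(counts),
                     "top2_share": top2 / len(ips)}
    return out


BUSINESS_HOURS = range(8, 18)  # assumption: a human-driven process clusters here


def timing_profile(recs, name, ip=None):
    """Inter-arrival statistics for one name (optionally restricted to one source).

    The coefficient of variation (CV) of the gaps is the heuristic: ~0 means a
    fixed-period process, ~1 a memoryless (Poisson) one, well above 1 a bursty
    one.  The cut-offs below are assumptions chosen for this example.
    """
    times = [ts for ts, src, n in recs if n == name and (ip is None or src == ip)]
    if len(times) < 2:
        raise ValueError(f"need at least two lookups for {name}/{ip}")
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    if cv < 0.25:
        label = "regular-periodic"
    elif cv > 1.25:
        label = "bursty/irregular"
    else:
        label = "random-ish"
    in_hours = sum(1 for ts in times if ts.hour in BUSINESS_HOURS) / len(times)
    return {"n": len(times), "mean_gap_s": mean, "cv": cv,
            "label": label, "business_hours_share": in_hours}


if __name__ == "__main__":
    recs = parse_log(make_sample_log())
    for name, s in summarize_by_domain(recs).items():
        print(f"{name:28} lookups={s['lookups']:5d} sources={s['sources']:4d} "
              f"top2_share={s['top2_share']:.2f}")
    for name, ip in [("mail.control-hotel.example", None),
                     ("mail1.target.example", "203.0.113.10"),
                     ("mail1.target.example", "198.51.100.20")]:
        p = timing_profile(recs, name, ip)
        print(f"{name} {ip or '(all sources)'}: n={p['n']} cv={p['cv']:.2f} "
              f"{p['label']} business_hours={p['business_hours_share']:.2f}")
```

On the constructed log the control domain shows hundreds of lookups spread over two hundred sources at a fixed cadence, while the target domain shows only two sources holding all of its traffic, one with a CV of zero (a fixed pulse) and one with a CV well above one confined to working hours. Real passive-DNS data also carries the record type and the resolver that answered; those columns are omitted here only to keep the parser short.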
But, if the Trump server wasn’t sending or receiving e-mail, what could explain the traffic? There was the possibility of “spoofing”—essentially, faking an identity. Did someone try to make it appear, falsely, that Alfa Bank was reaching out to the Trump Organization? Jones’s team concluded that such an attack would have been unlikely to produce thousands of D.N.S. lookups, over such a long time. “Maybe for a few days, but not four months,” Leto said. There was also a question of motive. In the spring of 2016, very few people knew that Max and his colleagues were able to monitor D.N.S. traffic so comprehensively, so any spoofers would have been impersonating Alfa Bank with little expectation of being detected. News stories investigating the links between Trump and Russia were months away. “Why would someone do that?” Steven Bellovin, of Columbia, said. “And why would they pick those organizations?”