Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 1 of 189 AO 93 (Rev. 11/13) Search and Seizure Warrant UNITED STATES DISTRICT COURT for the District of Columbia In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address) INFORMATION ASSOCIATED WITH THREE ACCOUNTS STORED AT PREMISES CONTROLLED BY MICROSOFT, GOOGLE, AND APPLE ) ) ) ) ) ) Case: 1: 18-sc-02581 Assigned To: Howell, Beryl A. Assign. Date : 8/3/2018 Description: Search & Seizure Warrant SEARCH AND SEIZURE WARRANT To: Any authorized law enforcement officer An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Northern District of California (identify the person or describe the property to be searched and give its location): See Attachment E I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property described above, and that such search will reveal (identify the person or describe the property to be seized): See Attachment F YOU ARE COMMANDED to execute this warrant on or before August 15, 2018 (not to exceed 14 days) ~ in the daytime 6:00 a.m. to 10:00 p.m. l'J at any time in the day or night because good cause has been established. Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken. The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to Hon. Beryl A. Howell, Chief U.S. District Judge (United States Magistrate Judge) l'J Pursuant to 18 U.S.C. § 3103a(b), I find that immediate notification may have an adverse result listed in 18 U.S.C. § 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box) ['J for _ _ days (not to exceed 30) ['J until, the facts justifying, the later specific date of Date and time issued: <7/;1/~/ r ~ z :s:r/A_ ____~~ .--~ - "_A_~- - ' . ! u d ge 's signature City and state: Washington, DC Hon. Beryl A. Howell, Chief U.S. District Judge Printed name and title Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 2 of 189 AO 93 (Rev. 11/13) Search and Seizure Warrant (Page 2) Return Case No.: Date and time warrant executed: Copy of warrant and inventory left with: Inventory made in the presence of: Inventory of the property taken and name of any person(s) seized: Certification I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge. Date: Executing officer's signature Printed name and title Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 3 of 189 ATTACHMENT E Property to be Searched This warrant applies to information associated with the following Apple DSID: created or maintained between March 14, 2018 and the present, that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., located at One Apple Park Way, Cupertino, California 95014. 53 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 4 of 189 ATACHMENTF Particular Things to be Seized I. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment E is within the possession, custody, or control of Apple, regardless of whether such information is located within or outside of the United States, including any messages, records, files, logs, or information that have been deleted but are stilJ available to Apple, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(f), Apple is required to disclose the following information to the government, in unencrypted form whenever available, for each account or identifier listed in Attachment E: a. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and notification email addresses, and verification information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, associated devices, methods of connecting, and means and source of payment (including any credit or bank account numbers); b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized iOS devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identifiers ("UDID"), Advertising Identifiers ("IDFA"), Global Unique Identifiers ("GUID"), Media Access Control ("MAC") addresses, Integrated Circuit Card ID numbers ("ICCID"), Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifiers ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDN"), International Mobile Subscriber Identities ("IMSI"), and International Mobile Station Equipment Identities ("IMEi"); c. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments; d. The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message; 54 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 5 of 189 e. The contents of all files and other records stored on iCloud, including all iOS device backups, all Apple and third-party app data, all files and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWork (including Pages, Numbers, Keynote, and Notes), iCloud Tabs and bookmarks, and iCloud Keychain, and all address books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks; f. All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including FaceTime call invitation logs, messaging and query logs (including iMessage, SMS, and MMS messages), mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find My iPhone and Find My Friends logs, logs associated with web-based access of Apple services (including all associated identifiers), and logs associated with iOS device purchase, activation, and upgrades; g. All records and information regarding locations where the account or devices associated with the account were accessed, including all data stored in connection with Location Services, Find My iPhone, Find My Friends, and Apple Maps; h. All records pertaining to the types of service used; i. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and j. All files, keys, or other information necessary to decrypt any data produced in an encrypted form, when available to Apple (including, but not limited to, the keybag.txt and fileinfolist.txt files). 55 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 6 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision ofa felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban), from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 1. All existing printouts from original storage which concern the categories identified in subsection II.a 56 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 7 of 189 AO 106 (Rev. 04/10) Application for a Search Warrant UNITED STATES DISTRICT COURT AUG -· 3 2018 for the District of Columbia In the Matter of the Search of (Brie.fly describe 1/,e property lu be searched or identify lh.e person by nam ond addres~) ) ) ) INFORMATION ASSOCIATED WITH THREE ACCOUNTS STORED AT PREMISES CONTROLLED BY MICROSOFT, GOOGLE, AND APPLE ) j Clerk, U.S. D1strict & BankruptcJr Courts for t~e District of Golumliia Case: 1:18-sc-02581 Assigned To : Howell, Beryl A. Assign. Date: 8/3/2018 Description: Search & Seizure Warrant APPLICATION FOR A SEARCH WARRANT I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of pe1jllly that I have reason to believe that on the following person or property (identifjl the person or describe the properly to be searched and give its location): See Attachment E located in the Northern -------- District of California - - - - - - - - -- - - , there is now concealed (identify the person or describe the property to be seized): See Attachment F The basis for the search under Fed. R. Crim. P. 4I(c) is (check one or more): ~ evidence of a crime; ~ contraband, fruits of crime, or other i~ems illegally possessed; ref property designed for use, intended for use, or used in committing a crime; 0 a person to be an-ested or a person who is unlawfully restrained. The search is related to a violation of: Code Section 18 U.S.C. §§ 1505, 1512, 1513 18 u.s.c. §§ 1001, 1030, 371 See Affidavit for add'I Offense Description Obstruction of justice, Witness tampering False Statements, Unauthorized Access of Protected Computer, Conspiracy The application is based on these facts: See attached Affidavit. r/ Continued on the attached sheet. 0 Delayed notice of _ _ days (give exact ending date if more than 30 days: _ _ _ _ _ ) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on the arta ed sheet. Reviewed by AUSA/SAUSA: !Aaron Zelinsky {ASC) Applicant's signature Andrew Mitchell, Special Agent, FBI Printed name and title Sworn to before me and signed in my presence. Date: City and state: Washington, D.C. Hon. Beryl A. Howell, Chief U.S. District Judge Printed name and title Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 8 of 189 AUG - 3 2018 Cferk, U.S. Dlstrlci & Bankruptcy Courts for the District of Columbia IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH THREE ACCOUNTS STORED AT PREMISES CONTROLLED BY MICROSOFT, GOOGLE, AND APPLE Case: 1:18-sc-02581 Assigned Tu : Howell, Beryl A. Assign. Date : 8/3/2018 Description: Search & Seizure Warrant AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT I, Andrew Mitchell, being first duly sworn, hereby depose and state as follows: INTRODUCTION AND AGENT BACKGROUND 1. I make this affidavit in support of an application for a search warrant for information associated with the following: a. The email account (hereafter "Target Account 1), that is stored at premises owned, maintained, controlled, or operated by Microsoft, Inc., a business with offices located at One Microsoft Way, Redmond, Washington, 98052. The information to be disclosed by Microsoft and searched by the government is described in the following paragraphs and in Attachments A and B. b. The email account (hereafter "Target Account 2"), that is stored at premises owned, maintained, controlled, or operated by Google, Inc., a business with offices located at 1600 Amphitheatre Parkway, Mountain View, California, 94043. The information to be disclosed by Google and searched by the government is described in the following paragraphs and in Attachments C and D. c. The iCloud account associated with the Apple ~mail account (hereafter "Target Account 3"), that is stored at premises owned, Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 9 of 189 maintained, controlled, or operated by Apple, Inc., a business with offices located at I Infinite Loop, Cupe1iino, California 95014. The information to be disclosed by Apple and searched by the government is described in the following paragraphs and in Attachment E and F. 2. I, Andrew Mitchell, am a Special Agent with the Federal Bureau of Investigation (FBI), and have been since 2011. As a Special Agent of the FBI, I have received training and experience in investigating criminal and national security matters. 3. The facts in this affidavit come from my personal observations, my training and experience, and information obtained from other agents and witnesses. This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter. 4. Based on my training and experience and the facts as set forth in this affidavit, there is probable cause to believe that the Target Accounts contain communications relevant to 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban) (the "Subject Offenses"). 5. On September 11, 2017, Chief Judge Beryl A. Howell of the District of Columbia issued a search warrant for Roger STONE's Hotmail address, (Target Account 1). On October 17, 2017, Chief Judge Howell issued a search warrant for STONE's Gmail address, (Target Account 2). On or about March 14, 2018, Chief Judge Howell issued a search warrant for STONE's iCloud account (Target Account 3). This 2 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 10 of 189 warrant seeks to search those accounts from the date each respective warrant was issued to the present. JURISDICTION 6. This Court has jurisdiction to issue the requested warrant because it is "a court of competentjurisdiction" as defined by 18 U.S.C. § 2711. Id.§§ 2703(a), (b)(l)(A), & (c)(l)(A). Specifically, the Court is "a district court of the United States (including a magistrate judge of such a court) ... that has jurisdiction over the offense being investigated." 18 U.S.C. § 2711(3)(A)(i). The offense conduct included activities in Washington, D.C., as detailed below, including in paragraphs 14, 19, and 61. SUMMARY 7. This application seeks authority to search, from the date of search warrants previously issued by the Court to the present, three accounts believed to be used by Roger STONE: Target Account 1, which is STONE's STONE's account; Target Account 2, which is account; and Target Account 3, which is STONE's iCloud account. As set forth herein, there is probable cause to believe that each of the Subject Accounts contains evidence of the Subject Offenses, including ongoing efforts to obstruct justice, tamper with witnesses, and make false statements. 8. For example, as set forth in more detail below, in recent months STONE has reached out to communicate with multiple witnesses he knew or had reason to believe were scheduled to testify before Congress about interactions with STONE during the 2016 presidential campaign or were scheduled to meet with the Special Counsel's Office . After STONE learned that one witness, Randy CREDICO, was prepared to contradict STONE's congressional testimony, STONE repeatedly 3 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 11 of 189 urged CREDICO to assert the Fifth Amendment and decline to answer questions, and did so through multiple text messages. In June 2018, STONE instructed his private investigator to provide him with a full background investigation on another witness, who had done information technology work for STONE during the campaign 9. In September 2017, STONE released a statement he said he provided to Congress in which he denied having advance knowledge of "the source or actual content of the Wikileaks disclosures regarding Hillary Clinton." He also stated publicly that when he tweeted during the campaign, on August 21, 2016, "it will soon the Podesta's time in the barrel," he was not referring to the hacking or publication of John Podesta's emails, but rather to "Podesta's business dealings with Russia." Evidence obtained in the investigation, however, shows the following: a. On or about July 25, 2016, Roger STONE emailed Jerome CORSI to "Get to Assange" at the Ecuadorian Embassy and "get pending WikiLeaks emails[.]" Julian ASSANGE is the founder ofWikiLeaks. On or about July 31, 2016, STONE also instructed CORSI to have contact ASSANGE. On or about August 2, 2016, CORSI responded to STONE that the "[w]ord is friend in embassy plans 2 more dumps. One shortly after I'm back. 2nd in Oct. Impact planned to be very damaging .... Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC." After receipt of that message, on or about August 21, 2016, using @RogerJStoneJR, STONE tweeted: "Trust me, it will soon the Podesta's time in the barrel. #CrookedHillary." b. Information disclosures subsequently occurred on or about the times CORSI predicted: On or about August 12, 2016, the day CORSI was scheduled to return to the United States ("shortly after I'm back"), Guccifer 2.0 released hacked information related to the 4 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 12 of 189 Democratic Congressional Campaign Committee (DCCC). On or about October 7, 2016, the day the Washington Post published a breaking story about an Access Hollywood videotape of thencandidate Trump making disparaging remarks about women, WikiLeaks released emails hacked from the account of John Podesta. c. Furthermore, on the day of the Access Hollywood video disclosure, there were phone calls between STONE and CORSI after the Washington Post contacted STONE prior to publication. At approximately 11 :OOAM, the Washington Post received a tip regarding the Access Hollywood video. Approximately one hour later, shortly before noon, STONE received a call from the Washington Post. Approximately ninety minutes later, before 2:00PM, STONE called CORSI and they spoke. Approximately forty minutes later, CORSI called STONE and the two spoke again at length. At approximately 4:00PM, the Washington Post published its story regarding the Access Hollywood tape. By approximately 4:30PM, WikiLeaks tweeted out its first release of emails hacked from John Podesta. 5 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 13 of 189 PROBABLE CAUSE. A. Background on Relevant Individuals i. 10. Roger STONE Roger STONE is a self-employed political strategist/consultant and has been actively involved in U.S. politics for decades. STONE worked on the presidential campaign of Donald J. Trump (the "Campaign") until August 2015. Although Stone had no official relationship with the Campaign thereafter, STONE maintained his support for Trump and continued to make media appearances in support of the Campaign. As described further below, STONE also maintained contact with individuals employed by the Campaign, including thencampaign chairman Paul MANAFORT and deputy chairman Rick GATES. ii. Jerome CORSI 11. Jerome CORSI is a political commentator who, according to publicly available information, currently serves as the "Washington Bureau Chief for Inforwars.com." According to publicly-available sources, from 2014 until January 2017, CORSI was a "senior staff reporter" for the website "World Net Daily" a/k/a "WND.com." CORSI has also written a number of books regarding Democratic presidential candidates. As described further below, CORSI was in contact with STONE during the summer and fall of2016 regarding forthcoming disclosures of hacked information by WikiLeaks, and appears to have obtained information regarding upcoming disclosures which he relayed to STONE. 6 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 14 of 189 B. U.S. Intelligence Community Assessment of Russian Government-Backed Hacking Activity during the 2016 Presidential Election 13. On October 7, 2016, the U.S. Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement of an intelligence assessment of Russian activities and intentions during the 2016 presidential election. In the report, the USIC assessed the following: a. The U.S. Intelligence Community ("USIC") is confident that the Russian Government directed the recent compromises of emails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked emails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures were 7 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 15 of 189 intended to interfere with the U.S. election process. Such activity is not new to Moscow-the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to . influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities. 14. On January 6, 2017, the USIC released a declassified version of an intelligence assessment of Russian activities and intentions during the 2016 presidential election entitled, "Assessing Russian Activities and Intentions in Recent US Elections." In the report, the USIC assessed the following: a. "Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia's goals were to undermine public faith in the US democratic process, denigrate [former] Secretary [of State Hillary] Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." b. · The USIC also described, at a high level, some of the techniques that the Russian government employed during its interference. The USIC summarized the efforts as a "Russian messaging strategy that blends covert intelligence operations-such as cyber activitywith overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or 'trolls."' c. With respect to "cyber activity," the USIC assessed that "Russia's intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties." Further, "[i]n July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016." The USIC attributed these cyber 8 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 16 of 189 activities to the Russian GRU, also known as the Main Intelligence Directorate: "GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC." The GRU is the foreign military intelligence agency of the Russian Ministry of Defense, and is Russia's largest foreign intelligence agency. d. With respect to the release of stolen materials, the USIC assessed "with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets." e. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his identity throughout the election. C. Additional Hacking Activity by Individuals Associated with the GRU 15. The Special Counsel's Office has determined that individuals associated with the GRU continued to engage in hacking activity related to the 2016 campaign through at least November 1, 2016. 16. For example, in or around September 2016, these individuals successfully gained access to DNC computers housed on a third-party cloud-computing service. In or around late September, these individuals stole data from these cloud-based computers by creating backups of the DNC's cloud-based systems using the cloud provider's own technology. The individuals used three new accounts with the same cloud computing service to move the "snapshots" to those accounts. 17. On or about September 4, 2016, individuals associated with the GRU stole the emails from a former White House advisor who was then advising the Clinton Campaign. These emails were later posted on DCLeaks. 9 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 17 of 189 18. On or about November 1, 2016, individuals associated with the GRU spearphished over 100 accounts used by organizations and personnel involved in administering elections in numerous Florida counties. 19. On or about July 13, 2018, a grand jury in this District indicted eleven GRU officers for knowingly and intentionally conspiring to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of stolen documents in order to interfere with the election. The victims of the hacking and releases included the DNC, the Democratic Congressional Campaign Committee ("DCCC"), and the chairman of the Clinton campaign (John Podesta). See United States v. Viktor Borisovich Netyksho, et al. (I: 18-cr-215) (D.D.C.). 1 D. Roger STONE's Public Interactions with Guccifer 2.0 and WikiLeaks 20. On June 14, 2016, Crowdstrike, the forensic firm that sought to remediate an unauthorized intrusion into the computer systems of the DNC, publicly attributed the hack to Russian government actors. The media reported on the announcement. On June 15, 2016, the persona Guccifer 2.0 appeared and publicly claimed responsibility for the DNC hack. It stated on its WordPress blog that, with respect to the documents stolen from the DNC, "[t]he main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon." In that post, Guccifer 2.0 also began releasing hacked DNC documents. 21. On July 22, 2016, WikiLeaks published approximately 20,000 emails stolen from the DNC. 1 A twelfth defendant was charged with conspiring to infiltrate computers of organizations responsible for administering elections, including state boards of election, secretaries of state, and companies that supply software and other technology used to administer elections. 10 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 18 of 189 22. On August 5, 2016, STONE published an article on Breitbart.com entitled, "Dear Hillary: DNC Hack Solved, So Now Stop Blaming Russia." The article stated: "It doesn't seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0." The article contained embedded publicly available Tweets from Guccifer 2.0 in the article and stated: "Here's Guccifer 2.0's website. Have a look and you'll see he explains who he is and why he did the hack of the DNC." The article also stated: "Guccifer 2.0 made a fateful and wise decision. He went to WikiLeaks with the DNC files and the rest is history. Now the world would see for themselves how the Democrats had rigged the game." 23. On August 8, 2016, STONE addressed the Southwest Broward Republican Organization. During his speech, he was asked about a statement by ASSANGE to Russia Today (RT) several days earlier about an upcoming "October Surprise" aimed at the Hillary Clinton presidential campaign. Specifically, STONE was asked: "With regard to the October surprise, what would be your forecast on that given what Julian Assange has intimated he's going to do?" STONE responded: "Well, it could be any number of things. I actually have communicated with Assange. I believe the next tranche of his documents pertain to the Clinton Foundation but there's no telling what the October surprise may be." A few days later, STONE clarified that while he was not personally in touch with ASSANGE, he had a close friend who served as an intermediary. 24. On August 12, 2016, Gucci fer 2.0 publicly tweeted: "@RogerJStoneJr thanks that u believe in the real #Guccifer2." That same day, Guccifer 2.0 released the personal cellphone numbers and email addresses from the files of the DCCC. 25. On August 13, 2016, Stone posted a tweet using @RogerJStoneJr calling Guccifer 2.0 a "HERO" after Guccifer 2.0 had been banned from Twitter. The next day, Guccifer 2.0's 11 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 19 of 189 Twitter account was reinstated. 26. On August 17, 2016, Guccifer 2.0 publicly tweeted, "@RogerJStoneJr paying you back." Guccifer also sent a private message to @RogerJStoneJr stating "i'm pleased to say u r great man. please tell me if I can help u anyhow. it would be a great pleasure to me." 27. On August 18, 2016, Paul Manafort, STONE's longtime friend and associate, resigned as Chairman of the Trump Campaign. 28. As noted above, on August 21, 2016, using@RogerJStoneJR, STONE tweeted: "Trust me, it will soon the [sic] Podesta's time in the barrel. #CrookedHillary." In a C-SPAN interview that same day, STONE reiterated that because of the work of a "'mutual acquaintance' of both his and [ASSANGE], the public [could] expect to see much more from the exiled whistleblower in the form of strategically-dumped Clinton email batches." He added: "Well, first of all, I think Julian Assange is a hero ... I think he's taking on the deep state, both Republican and Democrat. I believe that he is in possession of all of those emails that Huma Abedin and Cheryl Mills, the Clinton aides, believe they deleted. That and a lot more. These are like the Watergate tapes." 29. On September 16, 2016, STONE said in a radio interview with Boston Herald Radio that he expected WikiLeaks to "drop a payload of new documents on Hillary on a wee~ly basis fairly soon. And that of course will answer the question as to what exactly what was erased on that email server." 30. On Saturday, October 1, 2016, using@RogerJStoneJr, STONE tweeted, "Wednesday @ HillaryClinton is done. #WikiLeaks." 31. On Sunday, October 2, 2016, MSNBC Morning Joe producer Jesse Rodriquez tweeted regarding an announcement AS SAN GE had scheduled for the next day from the balcony 12 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 20 of 189 of the Ecuadoran Embassy in London. On the day of the ASSANGE announcement- which was part of WikiLeaks' I 0-year anniversary celebration - STONE told Infowars that his intermediary described this release as the "mother load." On October 5, 2016, STONE used@RogerJStoneJr to tweet: "Payload coming. #Lockthemup." 32. On Friday, October 7, 2016, at approximately 4:03 PM, the Washington Post published an article containing a recorded conversation from a 2005 Access Hollywood shoot in which Mr. Trump had made a series of lewd remarks. 33. Approximately a half hour later, at 4:32 PM, WikiLeaks sent a Tweet reading "RELEASE: The Podesta Emails #HillaryClinton #Podesta #im WithHer" and containing a link to approximately 2,050 emails that had been hacked from John Podesta's personal email account. 34. WikiLeaks continued to release John Podesta's hacked emails through Election Day, November 8, 2016. On October 12, 2016, Podesta- referring back to STONE's August 21, 2016 C-SPAN and Twitter references - argued publicly that "[it is] a reasonable assumption to or at least a reasonable conclusion - that [STONE] had advanced warning [of the release of his emails] and the Trump campaign had advanced warning about what Assange was going to do. I think there's at least a reasonable belief that [Assange] may have passed this information on to [STONE]." Commenting to the NBC News, STONE indicated that he had never met or spoken with Assange, saying that "we have a mutual friend who's traveled to London several times, and everything I know is through that channel of communications. I'm not implying I have any influence with him or that I have advanced knowledge of the specifics of what he is going to do. I do believe he has all of the e-mails that Huma Abedin and Cheryl Mills, the Clinton aides, thought were deleted. I hear that through my emissary." 35. On March 27, 2017, CNN reported that a representative of WikiLeaks, writing 13 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 21 of 189 from an email address associated with WikiLeaks, denied that there was any backchannel communication during the Campaign between STONE and WikiLeaks. The same article quoted STONE as stating: "Since I never communicated with WikiLeaks, I guess I must be innocent of charges I knew about the hacking of Podesta's email (speculation and conjecture) and the timing or scope of their subsequent disclosures. So I am clairvoyant or just a good guesser because the limited things I did predict (Oct disclosures) all came true." E. STONE's Private Twitter Direct Messages with WikiLeaks and ASSANGE 36. On August 7, 2017, Chief Judge Beryl A. Howell issued a search warrant for the Twitter account @RogerJStoneJr. Information recovered from the search of that account includes the following: a. On October 13, 2016, while WikiLeaks was in the midst of releasing the hacked Podesta emails, @RogerJStoneJr sent a private direct message to the Twitter account @wikileaks. Thi~ account is the official Twitter account of WikiLeaks and has been described as such by numerous news reports. The message read: "Since I was all over national TV, cable and print defending WikiLeaks and assange against the claim that you are Russian agents and debunking the false charges of sexual assault as trumped up bs you may want to rexamine the strategy of attacking me- cordially R." b. Less than an hour later, @wikileaks responded by direct message: "We appreciate that. However, the false claims of association are being used by the democrats to undermine the impact of our publications. Don't go there if you don't want us to correct you." c. On or about October 15, 2016, @RogerJStoneJr sent a direct message to @wikileaks: "Ha! The more you \"c01Tect\" me the more people think you're lying. Your operation leaks like a sieve. You need to figure out who your friends are." 14 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 22 of 189 d. On or about November 9, 2016, one day after the presidential election, @wikileaks sent a direct message to @RogerJStoneJr containing a single word: "Happy?" @wikileaks immediately followed up with another message less than a minute later: "We are now more free to communicate." e. In addition, @RogerJStoneJr also exchanged direct messages with ASSANGE. For example, on June 4, 2017, @RogerJStoneJr directly messaged @JulianAssange, an address associated with ASSANGE in numerous public reports, stating: "Still nonsense. As a journalist it doesn't matter where you get information only that it is accurate and authentic. The New York Times printed the Pentagon Papers which were indisputably stolen from the government and the courts ruled it was legal to do so and refused to issue an order restraining the paper from publishing additional articles. If the US government moves on you I will bring down the entire house of cards. With the trumped-up sexual assault charges dropped I don't know of any crime you need to be pardoned for - best regards. R." That same day, @JulianAssange responded: "Between CIA and DoJ they're doing quite a lot. On the DoJ side that's coming most strongly from those obsessed with taking down Trump trying to squeeze us into a deal." f. On Saturday, June 10, 2017, @RogerJStoneJr sent a direct message to @JulianAssange, reading: "I am doing everything possible to address the issues at the highest level of Government. Fed treatment of you and WikiLeaks is an outrage. Must be circumspect in this forum as experience demonstrates it is monitored. Best regards R." 15 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 23 of 189 F. STONE's Communications with STONE, Forthcoming Leaks 37. and Others Regarding As indicated above, on September 11, 2017, Chief Judge Howell issued a search warrant for STONE's (Target Account 1); on address, October 17, 2017, Chief Judge Howell issued a search warrant for STONE's address, (Target Account 2); and on or about March 14, 2018, Chief Judge Howell issued a search warrant for STONE's iCloud account (Target Account 3). In addition, on or about December 19, 2017, Chief Judge Howell issued a search warrant for email account. Information recovered pursuant to those search warrants includes the following: a. On or about May 15, 2016, emailed CORSI: "Here is my flight schedule. Need to get something confirmed now .... " CORSI responded, "I copied Roger Stone so he knows your availability to meet Manafort and DT this coming week." CORSI appears to have forwarded the message to STONE at Target Account 1, who replied to CORSI that, "May meet Manafort -guarantee nothing." b. On or about May 18, 2016, CORSI emailed STONE at Target Account 1 with the title, "Roger -- why don't you look this over before I send it I believe that CORSI wrote, and I did manage to see Mr. Trump for a few minutes today as we were waiting in Trump Tower to say hello to Mike Cohen. Mr. Trump recognized us immediately and was very cordial. He would look for this memo from you this afternoon." c. On July 25, 2016, STONE, using Target Account 1, sent an email to CORSI with the subject line, "Get to Assange." The body of the message read: "Get to Assange 16 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 24 of 189 [a]t Ecuadorian Embassy in London and get the pending WikiLeaks emails ... they deal with Foundation, allegedly." d. On or about July 31, 2016, STONE, using Target Account 1, emailed CORSI with the subject line, "Call me MON." The body of the email read: ,should see should find Bernie [SJ anders brother who called Bill a Rapist - turn him for Assange[.] Trump[.] should find e. or more proof of Bill getting kicked out." As noted above, on or about August 2, 2016 (approximately 19 days before STONE publicly tweeted about "Podesta's time in the barrel"), CORSI emailed STONE at Target Account 1: "Word is friend in embassy plans 2 more dumps. One shottly after I'm back. 2nd in Oct. Impact planned to be very damaging." The email continued: "Signs are Fox will have me on mid-Aug. more post Ailes shakeup underway. Expect Shine to surface victor, for now. Post-DNC bump for HRC an artifact of rigged polling. Won't last. I expect presidential campaign to get serious starting Sept. Still in pre-season games. Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke -- neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle." Investigators believe that CORSI's reference to a "friend in embassy [who] plans 2 more dumps" refers to ASSANGE, who resided in Ecuador's London Embassy in 2016. f. On or about August 5, 2016, , an associate of STONE's, emailed Stone at Target Account 1. The email contained a link to a poll indicating that Clinton led Trump by 15 points. STONE responded, "enjoy it while u can[.] I dined with my new pal Julian Assange last night." subsequently stated to investigators that, around the 17 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 25 of 189 same time, STONE told him he had gone to London to meet ASSANGE. that in 2018 also stated told STONE he would be interviewed by the FBI and would have to divulge the conversation about meeting AS SAN GE. STONE tol he was joking and had not actually met ASSANGE. 2 g. On or about August 15, 2016, CORSI emailed STONE at Target Account 1: "Give me a call today if you can. Despite MSM drumroll that HRC is already elected, it's not over yet. More to come than anyone realizes. Won't really get started until after Labor Day. I'm in NYC this week. Jerry." h. On or about August 31, 2016, CORSI emailed STONE at Target Account 1: "Did you get the PODESTA writeup." STONE replied "[y]es." 1. On or about August 31, 2016, CORSI messaged STONE at Target Account 3, "Podesta paid $I 80k to invest in Uranium One - was hired by Rosatom in Giustra scandal. Podesta now under FBI investigation - tied to Ukraine Yanukovych - Panama papers reveals Podesta hired by S[b]erbank, Russia's largest financial institution - Podesta$$$ ties to Russia undermine Clinton false narrative attempting to tie Trump to Putin." J. On or about September 6, 2016, CORSI emailed STONE at Target Account 1: "Roger[,] Is NY Post going to ~se the Pedesta [sic] stuff?" k. On or about September 24, 2016, emailed CORSI, "I will have much more on Turkey. Need a back channel highly sensitive stuff." CORSI responded, 18 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 26 of 189 "We have secure back channel through Roger. I saw him again in NYC last Friday and spoke to him about it again today." wrote back, "Awaiting secret file. Explosive ... Hope you are well. Can't wait for the debate. Channeling Reagan, I hope!" CORSI responded, "Keep me posted about file[.]" In a subsequent meeting with investigators, indicated this conversation concerned possible derogatory information he was trying to obtain from Turkey. I. On or about October 3, 2016, an associate of STONE emailed STONE at Target Account 2 and asked: "Assange - what's he got? Hope it's good." STONE wrote back, "It is. I'd tell Bannon but he doesn't call me back. My book on the TRUMP campaign will be out in Jan. Many scores will be settled." The associate forwarded the email to Steve BANNON, who was CEO of the Campaign at the time, and wrote: "You should call Roger. See below. You didn't get from me." BANNON wrote back, "I've got important stuff to worry about." The associate responded, "Well clearly he knows what Assange has. I'd say that's important." m. On or about October 4, 2016, ASSANGE gave a press conference at the Ecuadorian Embassy. There had been speculation in the press leading up to that event that ASSANGE would release information damaging to then-candidate Clinton, but WikiLeaks did not make any new releases. Instead, ASSANGE promised more documents, including information "affecting three powerful organizations in three different states, as well as, of course, information previously referred to about the U.S. election process." ASSANGE also stated that WikiLeaks would publish documents on various subjects every week for the next ten weeks, and vowed that the U.S. election-related documents would all come out before Election Day. n. On or about October 4, 2016, CORSI messaged STONE at Target Account 3, "Assange made a fool of himself. Has nothing or he would have released it. Total BS hype." 19 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 27 of 189 o. That same day, BANNON emailed STONE at Target Account 2, "What was that this morning???" STONE replied, "Fear. Serious security concern. He thinks they are going to kill him and the London police are standing done [sic]." BANNON wrote back, "He didn't cut deal w/ clintons???" STONE replied, "Don't think so BUT his lawyer is a big democrat." p. When BANNON spoke with investigators during a voluntary interview on February 14, 2018, he initially denied knowing whether the October 4, 2016 email to STONE was about WikiLeaks. Upon further questioning, BANNON acknowledged that he was asking STONE about WikiLeaks, because he had heard that STONE had a channel to ASSANGE, and BANNON had been hoping for releases of damaging information that morning. G. STONE and CORSI Communications on October 7, 2016, when the Podesta Emails Are Released 38. According to a publicly available news article, 3 at approximately 11AM on Friday, October 7, 2016, Washington Pos.t reporter David Fahrenthold received a phone call from a source regarding a previously unaired video of candidate Trump. According to the same article, "Fahrenthold didn't hesitate. Within a few moments of watching an outtake of footage from a 2005 segment on 'Access Hollywood,' the Washington Post reporter was on the phone, calling Trump's campaign, 'Access Hollywood' and NBC for reaction." 39. According to phone records at approximately 11 :27 AM, CORSI placed a call to STONE which STONE did not answer. 3 https://www.washingtonpost.com/lifestyle/style/the-cal\er-had-a-lewd-tape-of-donald-trump-then-the-race-wason/2016/10/07/31 d74714-8ce5-l le6-875e-2c 1bfe943b66_story.html 20 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 28 of 189 40. At approximately 11 :53AM, STONE received a phone call from the Washington Post. The call lasted approximately twenty minutes. 41. At approximately 1:42PM, STONE called CORSI and the two spoke for approximately seventeen minutes. 42. At approximately 2: 18PM, CORSI called STONE and the two spoke for approximately twenty minutes. 43. At approximately 4:00PM, the Washington Post published a story regarding the Access Hollywood tape. 44. At approximately 4:30PM, WikiLeaks tweeted out its first release of emails hacked from John Podesta that focused primarily on materials related to the Clinton Foundation. On or about August 2, 2016, CORSI emailed STONE on Target Account 1, "I expect that much of next dump focus, setting stage for Foundation debacle." 45. an author who has written about the At approximately 6:27PM, Clinton Foundation, and who, according to emails and phone records, regularly communicates with STONE, sent STONE an email titled, "WikiLeaks - The Podesta Emails," with a link to the . newly-released Podesta emails. Approximately ten minutes later, STONE, using Target Account 2, forwarded message to CORSI without comment. STONE does not appear to have forwarded the email to any other individual. H. STONE Asks CORSI for "SOMETHING" to Post About Podesta After STONE Is Accused of Advance Knowledge of the Leak 46. On or about October 8, 2016, STONE, using Target Account 3, messaged CORSI, "Lunch postponed-have to go see T." CORSI responded to STONE, "Ok. I understand." Approximately twenty minutes later, CORSI texted, "Clintons know they will lose 21 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 29 of 189 a week of Paula Jones media with T attacking Foundation, using Wikileaks Goldman Sachs speech comments, attacking badjob numbers." 47. On or about Wednesday, October 12, 2016, at approximately 8:17AM, STONE, using Target Account 2, emailed Corsi asking him to "send me your best podesta links." STONE emailed CORSI at approximately 8:44AM, "need your BEST podesta pieces." CORSI wrote back at approximately 8:54AM, "Ok. Monday. The remaining stuff on Podesta is complicated. Two articles in length. I can give you in raw form the stuff I got in Russian translated but to write it up so it's easy to understand will take weekend. Your choice?" 48. On or about that same day, October 12, 2016, Podesta accused STONE of having advance knowledge of the publication of his emails, as noted above. At approximately 3:25PM, CORSI emailed STONE at both Target Account 1 and 2 with the subject line "Podesta talking points." Attached to the email was a file labeled, "ROGER STONE podesta talking points Oct 122016.docx." The "talking points" included the statement that "Podesta is at the heart of a Russian-government money laundering operation that benefits financially Podesta personally and the Clintons through the Clinton Foundation." 49. CORSI followed up several minutes later with another email titled, "Podesta talking points," with the text "sent a second time just to be sure you got it." STONE emailed CORSI back via Target Account 1: "Got them and used them." 50. On or about Thursday, October 13, 2016, CORSI emailed STONE at Target Account 2: "PODESTA -- Joule & ties to RUSSIA MONEY LAUNDERING to CLINTON FOUNDATION." STONE responded, "Nice but I was hoping for a piece I could post under my by-line since I am the one under attack by Podesta and now Mook." CORSI wrote back to STONE, "I'll give you one more -NOBODY YET HAS THIS[:] It looks to me like 22 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 30 of 189 skimmed maybe billions off Skolkovo - Skolkovo kept their money with Metcombank[.] The Russians launched a criminal investigation(.] [web link] Once had the channel open from Metcombank to Deutsche Bank America to Ban[k] of America's Clinton Fund account, there's no telling how much money he laundered, or where it ended up. Nothing in Clinton Foundation audited financials or IRS Form 990s about $$$ received via Russia & Metcombank[.] I'm working on that angle now." STONE replied, "Ok Give me SOMETHING to post on Podesta since I have now promised it to a dozen MSM reporters[.]" 51. On or about Thursday, October 13, 2016, at approximately 6:30PM, CORSI sent STONE an email at Target Account 2, with the subject, "ROGER STONE article RUSSIAN MAFIA STYLE MONEY-LAUNDERING, the CLINTON FOUNDATION, and JOHN PODESTA." The text stated: "Roger[,] You are free to publish this under your own name." That same day, STONE posted a blog post with the title, "Russian Mafia money laundering, the Clinton Foundation and John Podesta." In that post, STONE wrote, "although I have had some back-channel communications with Wikileaks I had no advance notice about the hacking of Mr. Podesta nor I have I ever received documents or data from Wikileaks." The post then asked, "Just how mucl:i money did , a controversial Russian billionaire investor with ties to the Vladimir Putin and the Russian government, launder through Metcombank, a Russian regional bank owned 99.978 percent by , with the money transferred via Deutsche Bank and Trust Company Americas in New York City, with the money ending up in a private bank account in the Bank of America that is operated by the Clinton Foundation?" 52. On or about October 14, 2016, CORSI sent a message to STONE at Target Account 3, "I'm in.NYC. Thinking about writing piece attacking Leer and other women. It's basically a rewrite of what's out there. Going through new Wikileaks drop on Podesta." 23 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 31 of 189 53. On or about October 17, 2016, CORSI messaged STONE at Target Account 3, "On Assange, can you call me now- before 2pm[.]" STONE responded, "Missed u - just landed JFK - on Infowars now." CORSI wrote back, "Call afterwards. Have some important intel to share." 54. On or about October 17, 2016, CORSI emailed STONE at Target Accounts 1 and 2 with the subject, "Fwd: ASSANGE ... URGENT ... " CORSI wrote, "From a very trusted source," and forwarded an email with the header information stripped out, showing only the body text. The email read, "Yes[.] I figured this. Assange is threatening Kerry, Ecuador and U.K. He will drop the goods on them if they move to extradite him. My guess is that he has a set of dead man files that include Hillary. It's what they used to call a 'Mexican stand offl.]' Only hope is that if Trump speaks out to save him[.] Otherwise he's dead anyway, once he's dropped what he has. If HRC wins, Assange can kiss his life away. Interesting gambit Assange has to play out. He's called Podesta's bluff and raised him the election." 55. On or about October 18, 2016, CORSI messaged STONE at Target Account 3, "Pis call. Important." 56. On or about October 19, 2016, STONE published an article on Breitbart.com in which he claimed he had "no advance notice of Wikileaks' hacking of Podesta's e-mails." STONE stated, "I predicted that Podesta's business dealings would be exposed. I didn't hear it from Wikileaks, although Julian Assange and I share a common friend. I reported the story on my website." STONE linked to the story he had asked CORSI to write for him on October 13, 2016 discussed above. 57. On or about November 8, 2016, the United States presidential election took place. 24 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 32 of 189 58. On or about November 9, 2016, CORSI messaged STONE at Target Account 3, "Congratulations, Roger. He could not have done it without you." 59. On or about November 10, 2016, CORSI messaged STONE at Target Account 3, "Are you available to talk on phone?" Several minutes later, CORSI messaged, "I'm in London. Have some interesting news for you." 25 Case Document 29-13 Filed 04/28/20 Page 33 of 189 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 34 of 189 J. STONE's Congressional Testimony and Public Statements About His Relationship with Wikileaks 61. On September 26, 2017, STONE testified before the House Permanent Select Committee on Intelligence (HPSCI). Although the hearing was closed, STONE released to the public what he said were his opening remarks to the committee. In them, STONE stated: Members of this Committee have made three basic assertions against me which must be rebutted here today. The charge that I knew in advance about, and predicted, the hacking of Clinton campaign chairman John Podesta's email, that I had advanced knowledge of the source or actual content of the WikiLeaks disclosures regarding Hillary Clinton or that, my now public exchange with a persona that our intelligence agencies claim, but cannot prove, is a Russian asset, is anything but innocuous and are entirely false. Again, such assertions are conjecture, supposition, projection, and allegations but none of them are facts .... My Tweet of August 21, 2016, in which I said, "Trust me, it will soon be the Podesta' s time in the barrel. #CrookedHillary" must be examined in context. I posted this at a time that my boyhood friend and colleague, Paul Manafort, had just resigned from the Trump campaign over allegations regarding his business activities in Ukraine. I thought it manifestly unfair that John Podesta not be held to the same standard. Note, that my Tweet of August 21, 2016, makes no mention, whatsoever, of Mr. Podesta's email, but does accurately predict that the Podesta brothers' business activities in Russia with the oligarchs around Putin, their uranium deal, their bank deal, and their Gazprom deal, would come under public scrutiny .... [L]et me address the charge that I had advance knowledge of the timing, content and source of the WikiLeaks disclosures from the DNC. On June 12, 2016, WikiLeaks' publisher Julian Assange[] announced that he was in possession of Clinton DNC emails. 27 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 35 of 189 I learned this by reading it on Twitter. I asked a journalist who I knew had interviewed Assange to independently confirm this repot1, and he subsequently did. This journalist assured me that WikiLeaks would release this information in October and continued to assure me of this throughout the balance of August and all of September. This info11nation proved to be correct. I have referred publicly to this journalist as an, "intermediary" , "go-between" and "mutual friend." All of these monikers are equally true. 62. Tn a document dated March 26, 2018 titled "Minority Views," Democratic members of HPSCI published excerpts from Stone's September 2017 testimony before HPSCI. Those excerpts include the following: Q: Have any of your employees, associates, or individuals acting on your behest or encouragement been in any type of contact with Julian Assange? MR. STONE: No. Q: So throughout the many months in which you represented you were either in communication with Assange or communication through an intermediary with Assange, you were only referring to a single fact that you had confirmed with the intermediary MR. STONE: ThatQ: -- was the length and the breadth of what you were referring to? MR. STONE: That is correct, even though it was repeated to me on numerous separate occasions. 63. In the month that followed his testimony before HPSCI, on or about October 24, 2017, STONE published an article on his website, stonecoldtruth.com, titled "Is it the Podesta's Time in the Barrel Yet?" In that article, STONE stated: "[I]t was this inevitable scrutiny of the Podestas' underhanded business dealings that my 'time in the barrel' referred to and not, as some have quite falsely claimed, to the hacking and publication almost two months later of John Podesta's emails .... [M]y tweet referred to Podesta's business dealings with Russia, and the expectation that it would become a news story." K. STONE's Use of Target Account 3 to Message Randy CREDICO about STONE's "Back channel" 28 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 36 of 189 64. On November 19,2017, Randy CREDICO (who, as described further below, STONE publicly identified as his "intermediary" to ASSANGE), messaged STONE on Target Account 3, "My lawyer wants to see me today." STONE responded, "'Stonewall it. Plead the fifth. Anything to save the plan' ........ Richard Nixon[.]" CREDI CO responded, "Ha ha." 65. On or about November 21, 2017, CREDICO messaged STONE on Target Account 3, "I was told that the house committee lawyer told my lawyer that I will be getting a subpoena[.]" STONE wrote back, "That was the point at which your lawyers should have told them you would assert your 5th Amendment rights if compelled to appear." They continued to message, and CREDICO wrote, "My lawyer wants me to cut a deal." STONE wrote back, "To do what ? Nothing happening in DC the day before Thanksgiving - why are u busting my chops?" 66. On or about November 24, 2017, STONE, using Target Account 3, texted CREDICO, "Assange is a journalist and a damn good one- meeting with him is perfectly legal and all you ever told me was he had the goods [o]n Hillary and would publish them - which he himself said in public b4 u told me. It's a fucking witchunt [sic]." CREDICO replied, "I told you to watch his tweets. That's what I was basing it on. I told you to watch his Tweets in October not before that I knew nothing about the DNC stuffT,] I just followed his tweets[.]" STONE responded, "U never said anything about the DNC but it was August." CREDICO wrote back, "It was not August because I didn't interview him or meet him until August 26th[.] That was my first communication with his secretary in London, August 26th." STONE wrote back, "Not the way I remember it- oh well I guess Schiff will try to get one of us indicted for perjury[.]" 29 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 37 of 189 67. STONE and CREDICO continued to exchange messages via Target Account 3, and on November 24, 2017, CREDICO wrote to STONE, "Forensic evidence proves that there is no back Channel. So now you can relax." 68. On or about November 28, 2017, CREDICO tweeted a copy of a subpoena he received from HPSCI that was dated November 27, 2017. Toll records show that on November 27 and 28, 2017, CREDICO and STONE communicated via text message more than a dozen times. 69. On November 29, 2017, STONE publicly stated that CREDICO was his "intermediary." In a public Facebook post, STONE further stated that, "Credico merely[] confirmed for Mr. Stone the accuracy of Julian Assange's interview of June 12, 2016 with the British ITV network, where Assange said he had 'e-mails related to Hillary Clinton which are pending publication,' ... Credico never said he knew or had any information as to source or content of the material." 70. On or about December 1, 2017, CREDICO messaged STONE on Target Account 3, stating, "I don't know why you had to lie and say you had a back Channel now I had to give all of my forensic evidence to the FBI today what a headache[.] 4 You could have just told him the truth that you didn't have a back Channel they now know that I was not in London until September of this year[.] You had no back-channel and you could have just told the truth ... You want me to cover you for perjury now[.]" STONE responded, "What the fuck is your problem? Neither of us has done anything wrong or illegal. You got the best press of your life and you can get away with asserting for 5th Amendment rights if u don't want talk about AND if 4 Contrary to his statement, CREDICO has not provided any forensic evidence to the FBI. 30 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 38 of 189 you turned over anything to the FBI you're a fool." CREDICO responded, "You open yourself up to six counts of perjury[.] But I'm sure that wasn't sworn testimony so you're probably clear[.] Council for the committee knows you never had a back Channel and if you had just told the truth wouldn't have put me in this bad spot ... you should go back ... and amend your testimony and tell them the truth." CREDICO repeated: "you need to amend your testimony before I testify on the 15th." STONE replied, "If you testify you're a fool. Because of tromp [sic] I could never get away with a ce1iain [sic] my Fifth Amendment rights but you can. I guarantee you you [sic] are the one who gets indicted for perjury if you're stupid enough to testify[.]" 71. STONE and CREDICO continued to message each other on or about December 1, 2017. In response to STONE's message about being "stupid enough to testify," CREDICO told STONE: "Whatever you want to say I have solid forensic evidence." STONE responded: "Get yourself a real lawyer instead of some liberal wimp who doesn't know how to tell his guys to fuck off good night." CREDI CO then wrote: "Just tell them the truth and swallow your ego you never had a back Channel particularly on June 12th[.]" STONE responded: "You got nothing." 72. On or about December 13, 2017, according to public reporting, CREDICO indicated that he would not testify before HPSCI and would invoke his Fifth Amendment rights. 73. STONE and CREDICO continued to exchange messages via Target Account 3, and on or about January 6, 2018, CREDICO indicated to STONE that he was having dinner with a reporter. STONE responded, "Hope u don't fuck Up my efforts to get Assange a pardon[.]" CREDICO messaged STONE, "I have the email from his chief of staff August 25th 2016 responding to an email I sent to WikiLeaks website email address asking you would do my show[.] That was my initial contact." 31 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 39 of 189 74. On or about January 8, 2018, CREDTCO messaged STONE on Target Account 3 stating: "Embassy logs ... + 17 other pieces of information prove that I did not have any conversations with Assange until September of last year." 75. CREDICO and STONE continued to message each other, and on or about January 25, 2018, CREDICO wrote to STONE on Target Account 3: "You lied to the house Intel committee ... But you'll get off because you're friends with Trump so don't wo1Ty. I have all the forensic evidence[.] I was not a ba[ck] Channel and I have all those emails from September of 2016 to prove it[.]" 76. On or about April 13, 2018, news reports stated that CREDICO had shown reporters copies of email messages he had received from STONE in the prior few days that stated, "You are a rat. You are a stoolie. You backstab your friends - run your mouth my lawyers are dying Rip you to shreds." Another message stated, "I'm going to take that dog away from you," referring to CREDICO's therapy dog. CREDICO stated that it was "certainly scary . . . When you start bringing up my dog, you're crossing the line[.]" 5 77. On or about May 25, 2018, CREDICO provided additional messages he stated were from STONE to another news agency. 6 In these messages, STONE, on April 9, 2018, stated: "I am so ready. Let's get it on. Prepare to die[.]" In the article, CREDICO stated that he considered this email from STONE a threat. STONE stated in the article that CREDICO "told me he had terminal prostate cancer ... It was sent in response to that. We talked about it too. 5 https://www.yahoo.com/news/comedian-randy-credico-says-trump-adviser-roger-stone-threatened-dog135911370.html 6 https ://www.motherjones.com/ po Iitics/2018/0 5/ro ger-stone-to-associate-prepare-to-die/ 32 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 40 of 189 He was depressed about it. Or was he lying." The article noted that CREDICO stated he did not have prostate cancer and did not have any such discussion with STONE. L. STONE's Use of the Target Accounts to Communicate with Individuals Related to the Investigation 78. On May 17, 2018, Chief Judge Howell issued an order for the use of pen-trap devices on Target Account 1 and Target Account 2. The information obtained from that order, along with information obtained from toll records, revealed that STONE has continued to use Target Account 1 and Target Account 2, and that he has used them to communicate with individuals related to the investigation. 79. For example, STONE and communicated twice on May 28 and May 29, 2018 using Target Account 1. , a former associate of STONE's, was interviewed by the Special Counsel's Office on or aboi1t May 2, 2018. Toll records _show that and STONE communicated multiple times on May 5, 2018, and STONE communicated with using Target Account 1 on June 1, 2018 and June 6, 2018. , a private investigator who had previously worked with STONE and who was hired by STONE to research individuals associated with this case (as described further below), communicated with STONE on Target Account 1 at least four times between May 27, 2018 and July 12, 2018. STONE has also used Target Account 2 to communicate with individuals 80. associated with this investigation. a. For example, between May 23, 2018 and the present, STONE and CORSI exchanged at least five messages using Target Account 2. In the same time period, STONE exchanged at least 75 emails with CREDICO using Target Account 2. 33 • Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 41 of 189 b. Also in this same time period, STONE emailed ten times using Target Account 2. 2018, FBI agents approached at least is a former employee of STONE. On May 9, and That day, and again on May 10, 2018, communicated by phone with STONE. Overall, between May 23, 2018 and the present, STONE exchanged over 100 emails , using Target Account 2. In addition, between on or about June 14, 2018 and wit and STONE exchanged five emails using Target Account 2. June 17, 2018, 81. STONE has also used a phone number associated with Target Account 3 to communicate with a private investigator hired by STONE. was interviewed by investigators on June 7, 2018, and subsequently info1med investigators that in June 2018, STONE instructed him to conduct a full background investigation on who had been employed by STONE during the Campaign as an info1mation technology specialist. also told investigators that in June 2018, STONE instructed him to find an address for CREDICO that could be used to serve CREDICO with legal process. told investigators that his primary form of communication with STONE is by text message on Target Account 3. BACKGROUND CONCERNING EMAIL 82. In my training and experience, I have learned the Providers provide a variety of on-line services, including electronic mail ("email") to the public. The Providers allow 34 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 42 of 189 subscribers to obtain email accounts at the domain names identified in the email address contained in Attachment A and C. Subscribers obtain an account by registering with the Providers. During the registration process, the Providers ask subscribers to provide basic personal information. Therefore, the computers of the Providers are likely to contain stored electronic communications (including retrieved and unretrieved email) for their subscribers and information concerning subscribers and their use of services, such as account access information, email transaction information, and account application information. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. 83. In my training and experience, email Providers generally ask their subscribers to provide certain personal identifying information when registering for an email account. Such information can include the subscriber's full name, physical address, telephone numbers and other identifiers, alternative email addresses, and, for paying subscribers, means and source of payment (including any credit or bank account number). In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. Based on my training and my experience, I know that, even if subscribers insert false information to conceal their identity, this information often provides clues to their identity, location, or illicit activities. 84. In my training and experience, email Providers typically retain certain transactional information about the creation and use of each account on their systems. This information can include the date on which the account was created, the length of service, records of log-in (i.e., session) times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to the account 35 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 43 of 189 (such as logging into the account via the Providers' website), and other log files that reflect usage of the account. In addition, email Providers often have records of the Internet Protocol address ("IP address") used to register the account and the IP addresses associated with particular logins to the account. Because every device that connects to the Internet must use an IP address, IP address infonnation can help to identify which computers or other devices were used to access the email account. 85. In my training and experience, in some cases, email account users will communicate directly with an email service Providers about issues relating to the account, such as technical problems, billing inquiries, or complaints from other users. Email Providers typically retain records about such communications, including records of contacts between the user and the Providers' support services, as well as records of any actions taken by the Providers or user as a result of the communications. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. 86. As explained herein, information stored in connection with an email account may provide crucial evidence of the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or alternatively, to exclude the innocent from further suspicion. In my training and experience, the information stored in connection with an email account can indicate who has used or controlled the account. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence. For example, email communications, contacts lists, and images sent (and the data associated with the foregoing, such as date and time) may indicate who used or controlled the account at a relevant time. Further, 36 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 44 of 189 infonnation maintained by the email Providers can show how and when the account was accessed or used. For example, as described below, email Providers typically log the Internet Protocol (IP) addresses from which users access the email account, along with the time and date of that access. By determining the physical location associated with the logged IP addresses, investigators can understand the chronological and geographic context of the email account access and use relating to the crime under investigation. This geographic and timeline information may tend to either inculpate or exculpate the account owner. Additionally, information stored at the user's account may further indicate the geographic location of the account user at a particular time (e.g., location information integrated into an image or video sent via email). Last, stored electronic data may provide relevant insight into the email account owner's state of mind as it relates to the offense under investigation. For example, information in the email account may indicate the owner's motive and intent to commit a crime (e.g., communications relating to the crime), or consciousness of guilt (e.g., deleting communications in an effort to conceal them from law enforcement). 87. In my training and experience, information such as search history can help to show the state of mind of an individual at the time the search was made, as well as the individuals potential advance knowledge of events, as they search to see if the anticipated event has occurred. INFORMATION REGARDING APPLE ID AND iCLOUD 7 The information in this section is based on information published by Apple on its website, including, but not limited to, the following document and webpages: "U.S. Law Enforcement Legal Process Guidelines," available at htip://images.apple.com/ privacy/docs/.l cgal-process-guidelines-us.pdf; "Create and start using an Apple ID," available at https://support.apple.com/en-us/HT203993; "iCioud," available at htlj ://www.apple.com/ icloud/; "What does iCloud back up?," available at https://suppo1i .app le.corn/kb/PHJ 25 19; "iOS Security," available at 37 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 45 of 189 88. Apple is a United States company that produces the iPhone, iPad, and iPod Touch, all of which use the iOS operating system, and desktop and laptop computers based on the Mac OS operating system. 89. Apple provides a variety of services that can be accessed from Apple devices or, in some cases, other devices via web browsers or mobile and desktop applications ("apps"). As described in further detail below, the services include email, instant messaging, and file storage: a. Apple provides email service to its users through email addresses at the domain names mac.com, me.corn, and icloud.com. b. iMessage and FaceTirne allow users of Apple devices to communicate in real-time. iMessage enables users of Apple devices to exchange instant messages ("iMessages") containing text, photos, videos, locations, and contacts, while FaceTime enables those users to conduct video calls. c. iCloud is a file hosting, storage, and sharing service provided by Apple. iCloud can be utilized through numerous iCloud-connected services, and can also be used to store iOS device backups and data associated with third-party apps. d. iCloud-connected services allow users to create, store, access, share, and synchronize data on Apple devices or via icloud.com on any Internet-connected device. For example, iCloud Mail enables a user to access Apple-provided email accounts on multiple Apple devices and on icloud.com. iCloud Photo Library and My Photo Stream can be used to store and manage images and videos taken from Apple devices, and iCloud Photo Sharing allows the user https://www.appl e.com/business/docs/iOS Security Guide.pdt: and "iCloud: How Can I Use iCloud?," available at https://suppo1t.apple.com/kb/PH26502. 38 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 46 of 189 to share those images and videos with other Apple subscribers. iCloud Drive can be used to store presentations, spreadsheets, and other documents. iCloud Tabs and bookmarks enable iCloud to be used to synchronize bookmarks and webpages opened in the Safari web browsers on all of the user's Apple devices. iWork Apps, a suite of productivity apps (Pages, Numbers, Keynote, and Notes), enables iCloud to be used to create, store, and share documents, spreadsheets, and presentations. iCloud Keychain enables a user to keep website username and passwords, credit card information, and Wi-Fi network information synchronized across multiple Apple devices. e. Game Center, Apple's social gaming network, allows users of Apple devices to play and share games with each other. f. Find My iPhone allows owners of Apple devices to remotely identify and track the location of, display a message on, and wipe the contents of those devices. Find My Friends allows owners of Apple devices to share locations. g. Location Services allows apps and websites to use information from cellular, Wi-Fi, Global Positioning System ("GPS") networks, and Bluetooth, to determine a user's approximate location. h. App Store and iTunes Store are used to purchase and download digital content. iOS apps can be purchased and downloaded through App Store on iOS devices, or through iTunes Store on desktop and laptop computers running either Microsoft Windows or Mac OS. Additional digital content, including music, movies, and television shows, can be purchased through iTunes Store on iOS devices and .on desktop and laptop computers running either Microsoft Windows or Mac OS. 39 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 47 of 189 90. Apple services are accessed through the use of an "Apple ID," an account created during the setup of an Apple device or through the iTunes or iCloud services. A single Apple ID can be linked to multiple Apple services and devices, serving as a central authentication and syncing mechanism. 91. An Apple ID takes the form of the full email address submitted by the user to create the account; it can later be changed. Users can submit an Apple-provided email address (often ending in @icloud.com, @me.com, or@mac.com) or an email address associated with a third-party email provider (such as Gmail, Yahoo, or Hotmail). The Apple ID can be used to access most Apple services (including iCloud, iMessage, and FaceTime) only after the user accesses and responds to a "verification email" sent by Apple to that "primary" email address. Additional email addresses ("alternate," "rescue," and "notification" email addresses) can also be associated with an Apple ID by the user. 92. Apple captures information associated with the creation and use of an Apple ID. During the creation of an Apple ID, the user must provide basic personal information including the user's full name, physical address, and telephone numbers. The user may also provide means of payment for products offered by Apple. The subscriber information and password associated with an Apple ID can be changed by the user through the "My Apple ID" and "iForgot" pages on Apple's website. In addition, Apple captures the date on which the account was created, the length of service, records of log-in times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to and utilize the account, the Internet Protocol address ("IP address") used to register and access the account, and other log files that reflect usage of the account. 40 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 48 of 189 93. Additional information is captured by Apple in connection with the use of an Apple ID to access certain services. For example, Apple maintains connection logs with IP addresses that reflect a user's sign-on activity for Apple services such as iTunes Store and App Store, iC!oud, Game Center, and the My Apple ID and iForgot pages on Apple's website. Apple also maintains records reflecting a user's app purchases from App Store and iTunes Store, "call invitation logs" for FaceTime calls, "query logs" for iMessage, and "mail logs" for activity over an Apple-provided email account. Records relating to the use of the Find My iPhone service, including connection logs and requests to remotely lock or erase a device, are also maintained by Apple. 94. Apple also maintains information about the devices associated with an Apple ID. When a user activates or upgrades an iOS device, Apple captures and retains the user's IP address and identifiers such as the Integrated Circuit Card ID number ("ICCID"), which is the serial number of the device's SIM card. Similarly, the telephone number of a user's iPhone is linked to an Apple ID when the user signs in to FaceTime or iMessage. Apple also may maintain records of other device identifiers, including the Media Access Control address ("MAC address"), the unique device identifier ("UDID"), and the serial number. In addition, information about a user's computer is captured when iTunes is used on that computer to play content associated with an Apple ID, and information about a user's web browser may be captured when used to access services through icloud.com and apple.com. Apple also retains records related to communications between users and Apple customer service, including communications regarding a particular Apple device or service, and the repair history for a device. 41 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 49 of 189 95. Apple provides users with five gigabytes of free electronic space on iCloud, and users can purchase additional storage space. That storage space, located on servers controlled by Apple, may contain data associated with the use of iCloud-connected services, including: email (iCloud Mail); images and videos (iCloud Photo Library, My Photo Stream, and iCloud Photo Sharing); documents, spreadsheets, presentations, and other files (iWork and iCloud Drive); and web browser settings and Wi-Fi network information (iCloud Tabs and iCloud Keychain). iCloud can also be used to store iOS device backups, which can contain a user's photos and videos, iMessages, Short Message Service ("SMS") and Multimedia Messaging Service ("MMS") messages, voicemail messages, call history, contacts, calendar events, reminders, notes, app data and settings, Apple Watch backups, and other data. Records and data associated with third-party apps may also be stored on iCloud; for example, the iOS app for WhatsApp, an instant messaging service, can be configured to regularly back up a user's instant messages on iCloud Drive. Some of this data is stored on Apple's servers in an encrypted form but can nonetheless be decrypted by Apple. 96. In my training and experience, evidence of who was using an Apple ID and from where, and evidence related to criminal activity of the kind described above, may be found in the files and records described above. This evidence may establish the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or, alternatively, to exclude the innocent from further susp1c10n. INFORMATION TO BE SEARCHED AND THINGS TO BE SEIZED 42 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 50 of 189 97. l anticipate executing this warrant under the Electronic Communications Privacy Act, in particular 18 U.S.C. §§ 2703(a), 2703(b)(l)(A) and 2703(c)(l)(A), by using the warrant to require Google to disclose to the government copies of the records and other information (including the content of communications) associated with the accounts in Attachment A, C, and E and particularly described in Section I of Attachment B, D, and F. Upon receipt of the information described in Section I of Attachments B, D, and F, government-authorized persons will review that information to locate the items described in Section II of Attachment B, D, and F. The items identified in Attachments A-F will also be screened by reviewers not on the prosecution team to identify and filter out privileged material. CONCLUSION 98. Based on the forgoing, I request that the Court issue the proposed search warrant. 99. Pursuant to 18 U.S.C. § 2703(g), the presence of a law enforcement officer is not required for the service or execution of this warrant. REQUEST FOR SEALING 100. I further request that the Court order that all papers in support of this application, including the affidavit and search warrant, be sealed until further order of the Court. These documents discuss an ongoing criminal investigation, the full nature and extent of which is not known to all of the targets of the investigation. Accordingly, there is good cause to seal these documents because their premature disclosure may seriously jeopardize that investigation. Respectfully submitted, k~___/ Andrew Mitchel l Special Agent Federal Bureau of Investigation 43 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 51 of 189 Subscribed and sworn to before me on this .P'{ y of August, 2018. / )/ ~_./ - ~-~ /;Arr-Cz,1/ The Honorable Beryl A. Howell Chief United States District Judge 44 , Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 52 of 189 ATTACHMENT A Property to be Searched This warrant applies to information associated with the email address: created or maintained between September 11, 2017 and present, that is stored at premises owned, maintained, controlled, or operated by Microsoft Corp., d/b/a Hotmail, a company headquartered at One Microsoft Way, Redmond, WA 98052. 45 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 53 of 189 ATTACHMENT B Particular Things to be Seized I. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment A is within the possession, custody, or control of the Provider including any messages, records, files, logs, images, videos, or information that have been deleted but are still available to the Provider or have been preserved pursuant to a preservation request under 18 U.S.C. § 2703(f), the Provider is required to disclose the following infor1!1ation to the government for each account or identifier listed in Attachment A: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail; b. All existing printouts from original storage of all of the electronic mail described above in Section I.A. above; c. AJI internet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section I.A, including log files, dates, times, methods of connecting, ports, dial ups, and/or locations; e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files; f. Records or other information regarding the identification of the account described above in Section I.A, to include application, full name, physical address, telephone numbers and other identifiers, records of session times and durations, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, g. All records indicating the services available to subscribers of the electronic mail address described above in Section I.A.; 46 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 54 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C . § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban) from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, , Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 47 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 55 of 189 1. All existing printouts from original storage which concern the categories identified in subsection II.a 48 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 56 of 189 ATTACHMENT C Property to be Searched This warrant applies to information associated with the following Google account: created or maintained between October 17, 2017 and the present, that is stored at premises owned, maintained, controlled, or operated by Google, Inc., a business with offices located at 1600 Amphitheatre Parkway, Mountain View, CA 94043. 49 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 57 of 189 ATTACHMENT D Particular Things to be Seized I. Files and Accounts to be produced by Google, Inc. To the extent that the information described in Attachment C is within the possession, custody, or control of Google, Inc. including any messages, records, files, logs, images, videos, or information that have been deleted but are still available to Google or have been preserved pursuant to a preservation request under 18 U.S .C. § 2703(f), Google is required to disclose the following information to the government for each account or identifier listed in Attachment C: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail; b. All existing printouts from original storage of all of the electronic mail described above in Section I.A. above; c. All internet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section I.A, including log files, dates, times, methods of connecting, ports, dial ups, and/or locations; e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files; f. All records or other information regarding the identification of the account described above in Section I.A, to include application, full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, methods of connecting, log files, means and source of payment (including any credit or bank account number), and detailed billing records; g. All records indicating the services available to subscribers of the electronic mail address described above in Section I.A.; h. Google+ subscriber information, circle information, including name of circle and members, contents of posts, comments, and photos, to include date and timestamp; 50 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 58 of 189 1. Google Drive files created, accessed or owned by the account; j. YouTube subscriber information, private videos and files, private messages, and comments; k. Google+ Photos contents to include all images, videos and other files, and associated upload/download date and timestamp; l. account. Google Talk and Google Hangouts conversation logs associated with the 51 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 59 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment C which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban), from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 1. All existing printouts from original storage which concern the categories identified in subsection II.a 52 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 60 of 189 ATTACHMENTE Property to be Searched This warrant applies to information associated with the following Apple DSID: created or maintained between March 14, 2018 and the present, that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., located at One Apple Park Way, Cupertino, California 95014. 53 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 61 of 189 ATACHMENTF Particular Things to be Seized I. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment E is within the possession, custody, or control of Apple, regardless of whether such information is located within or outside of the United States, including any messages, records, tiles, logs, or information that have been deleted but are still available to Apple, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(£), Apple is required to disclose the following infonnation to the government, in unencrypted form whenever available, for each account or identifier listed in Attachment E: a. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and notification email addresses, and verification information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, associated devices, methods of connecting, and means and source of payment (including any credit or bank account numbers); b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized iOS devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identifiers ("UDID"), Advertising Identifiers ("IDFA"), Global Unique Identifiers ("GUID"), Media Access Control ("MAC") addresses, Integrated Circuit Card ID numbers ("ICCID"), Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifiers ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDN"), International Mobile Subscriber Identities ("IMSI"), and International Mobile Station Equipment Identities ("IMEI"); c. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments; d. The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message; 54 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 62 of 189 e. The contents of all files and other records stored on iCloud, including all iOS device backups, all Apple and third-party app data, all files and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWork (including Pages, Numbers, Keynote, and Notes), iCloud Tabs and bookmarks, and iCloud Keychain, and all address books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks; f. All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including FaceTime call invitation logs, messaging and query logs (including iMessage, SMS, and MMS messages), mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find My iPhone and Find My Friends logs, logs associated with web-based access of Apple services (including all associated identifiers), and logs associated with iOS device purchase, activation, and upgrades; g. All records and information regarding locations where the account or devices associated with the account were accessed, including all data stored in connection with Location Services, Find My iPhone, Find My Friends, and Apple Maps; h. All records pertaining to the types of service used; i. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and j. All files, keys, or other information necessary to decrypt any data produced in an encrypted form, when available to Apple (including, but not limited to, the keybag.txt and fileinfolist.txt files). 55 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 63 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction.of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban), from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 1. All existing printouts from original storage which concern the categories identified in subsection II.a 56 Case Document 29-13 Filed 04/28/20 Page 64 of 189 A0 93 (Rev. 11/13) Search and Seizure Warrant UNITED STATES DISTRICT COURT for the District of Columbia In the Matter of the Search of (Brie?y describe the property to be searched Case: 1 218?80?02582 or identi?i the person by name and address) Assigned TO I BBFYI A. INFORMATION ASSOCIATED WITH THREE Assign- Date 3 8/3/2018 ACCOUNTS STORED AT PREMISES CONTROLLED Description: Search SeIzure Warrant BY MICROSOFT. GOOGLE, AND APPLE SEARCH AND SEIZURE WARRANT To: Any authorized law enforcement of?cer An application by a federal law enforcement of?cer or an attorney for the government requests the search of the following person or property located in the Western District of Washington (identify the person or describe the property to be searched and give its location): See Attachment A I ?nd that the or any recorded testimony, establish probable cause to search and seize the person or property described above, and that such search will reveal (identi?l the person or describe the property to be seized): See Attachment YOU ARE COMMANDED to execute this warrant on or before 15. 2018 (not to exceed 14 days) in the daytime 6:00 am. to 10:00 pm. at any time in the day or night because good cause has been established. Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken. The of?cer executing this warrant, or an of?cer present during the execution of the warrant, must prepare an inventory as required by law and return this warrant and inventory to Hon. Beryl A. Howell, Chief US. District Judge (United States Magistrate Judge) Pursuant to 18 U.S.C. 3103a(b), I ?nd that immediate noti?cation may have an adverse result listed in 18 U.S.C. 2705 (except for delay of trial), and authorize the of?cer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box) for days (not to exceed 30) El until, the facts justifying, the later speci?c date of Date and time issued: 3/57/27 3? (1374 3:32 A xi?jg/? Jtidge 's signature Washington, DC Hon. Beryl A. Howell, Chief US. District Judge Printed name and title City and state: Case Document 29-13 Filed 04/28/20 Page 65 of 189 A0 93 (Rev. 1 1/ 13) Search and Seizure Warrant (Page 2) Return Case No.: Date and time warrant executed: Copy of warrant and inventory left with: Inventory made in the presence of Inventory of the property taken and name of any person(s) seized: Certi?cation I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge. Date: Executing of?cer '3 signature Printed name and title Case Document 29-13 Filed 04/28/20 Page 66 of 189 ATTACHMENT A Property to be Searched This warrant applies to information associated with the email address: created or maintained between September 11, 2017 and present, that is stored at premises owned, maintained, controlled, or operated by Microsoft Corp., d/b/a Hotmail, a company headquartered at One Microsoft Way, Redmond, WA 98052. 45 Case Document 29-13 Filed 04/28/20 Page 67 of 189 ATTACHMENT Particular Things to be Seized 1. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment A is within the possession, custody, or control of the Provider including any messages, records, ?les, logs, images, videos, or information that have been deleted but are still available to the Provider or have been preserved pursuant to a preservation request under 18 U.S.C. 2703(f), the Provider is required to disclose the following information to the government for each account or identi?er listed in Attachment A: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e?mail; b. All existing printouts from original storage of all of the electronic mail described above in Section LA. above; c. All intemet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section LA, including log ?les, dates, times, methods of connecting, ports, dial ups, and/or locations; e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and ?les; f. Records or other information regarding the identi?cation of the account described above in Section LA, to include application, full name, physical address, telephone numbers and other identi?ers, records of session times and durations, log-in IP addresses associated with session times and dates, account status, alternative e?mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, g. All records indicating the services available to subscribers of the electronic mail address described above in Section 46 Case Document 29-13 Filed 04/28/20 Page 68 of 189 11. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. 2 (aiding and abetting), 18 U.S.C. 3 (accessory after the fact), 18 U.S.C. 4 (misprision of a felony), 18 U.S.C. 371 (conspiracy), 18 U.S.C. 1001 (false statements), 18 U.S.C. 1030 (unauthorized access of a protected computer); 18 U.S.C. 1505 and 1512 (obstruction of justice), 18 U.S.C. 1513 (witness tampering); 18 U.S.C. 1343 (wire fraud), 18 U.S.C. 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. 30121 (foreign contribution ban) from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to ni ations or meetin involvin Jerome Corsi, _Julian Assange, andy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, ?address book? entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identi?er concerning the messages identi?ed above, including records about their identities and whereabouts; 6. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, or other methods to avoid detection by law enforcement; g. Passwords and keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other ?nancial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 47 Case Document 29-13 Filed 04/28/20 Page 69 of 189 i. All existing printouts from original storage which concern the categories identi?ed in subsection 48 Case Document 29-13 Filed 04/28/20 Page 70 of 189 A0 106 (Rev. 04110) Application for a Search Warrant . . 2 UNITED STATES DISTRICT COURT AUG 3 . for the Glen 2018 District of Columbia Court; Io'iJIIii-F'inisliricsi 32%? 2 In the Matter of the Search of (Esclriin' tn Case: 1 or it enti I 1U person Harrie cm; m. E. rat-Is) - INFORMATION ASSOCIATED WITH THREE ACCOUNTS i T0 - Beryl A- STORED AT PREMISES CONTROLLED BY MICROSOFT, Date 8/3/2018 GOOGLE. AND APPLE Description: Search Seizure Warrant APPLICATION FOR A SEARCH WARRANT I, a federal law enforcement of?cer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location): See Attachment A located in the Western District of .. Washington there is now concealed (identify the person or describe the property to be seized): See Attachment The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more): devidence of a crime; Mcontraband, fruits of crime, or other items illegally possessed; lifproperty designed for use, intended for use, or used in committing a crime; a person to be arrested or a person who is unlawfully restrained. The search is related to a violation of: Code Section O?ense Description 18 U.S.C. 1505, 1512, 1513 Obstruction of justice, Witness tampering 18 U.S.C. 1001, 1030, 371 False Statements, Unauthorized Access of Protected Computer, Conspiracy See Af?davit for add'l The application is based on these facts: See attached Af?davit. Continued on the attached sheet. Delayed notice of days (give exact ending date if more than 30 days: is requested under 18 U.S.C. 3103a, the basis of which is set forth on the attaclgd sheet. ppii'cant ?s signature Reviewed by Aaron Zelinsky(ASC) Andrew Mitchell,_Special Agent, FBI Printed name and title Sworn to before me and signed in my presenceDate: 42 r/ 137/1 Judge '3 signature City and state: Washington, DC. Hon. Beryl A. Howell, Chief US. District Judge Printed name and title Case Document 29-13 Filed 04/28/20 Page 71 of 189 AUG 201?3- Clerk, US. District a. Bankruptcy Co I 1 . IN THE UNITED STATES DISTRICT COURT or mm? 0? Columbia FOR THE DISTRICT OF COLUMBIA IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH THREE ACCOUNTS STORED AT Case: 1:18?sc?02582 Assigned To Howell, Beryl A. PREMISES CONTROLLED BY Assign Dale 8/ 3/201 8 MICROSOFT, GOOGLE, AND APPLE Description: Search Seizure Warrant AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT 1, Andrew Mitchell, being ?rst duly sworn, hereby depose and state as follows: INTRODUCTION AND AGENT BACKGROUND 1. I make this af?davit in support of an application for a search warrant for information associated with the following: a. The email account?(hereafter ?Target Account 1), that is stored at premises owned, maintained, controlled, or operated by Microsoft, Inc., a business with of?ces located at One Microsoft Way, Redmond, Washington, 98052. The information to be disclosed by Microsoft and searched by the government is described in the following paragraphs and in Attachments A and B. b. The email account _(hereafter ?Target Account that is stored at premises owned, maintained, controlled, or operated by Google, Inc., a business with of?ces located at 1600 Amphitheatre Parkway, Mountain View, California, 94043. The information to be disclosed by Google and searched by the government is described in the following paragraphs and in Attachments and D. c. The iCloud accoun_ssociated with the Apple email account _hereafter ?Target Account that is stored at premises owned, Case Document 29-13 Filed 04/28/20 Page 72 of 189 maintained, controlled, or operated by Apple, Inc., a business with of?ces located at 1 In?nite Loop, Cupertino, California 95014. The information to be disclosed by Apple and searched by the government is described in the following paragraphs and in Attachment and F. 2. I, Andrew Mitchell, am a Special Agent with the Federal Bureau of Investigation (FBI), and have been since 2011. As a Special Agent of the FBI, 1 have received training and experience in investigating criminal and national security matters. 3. The facts in this af?davit come from my personal observations, my training and experience, and information obtained from other agents and witnesses. This af?davit is intended to show merely that there is suf?cient probable cause for the requested warrant and does not set forth all of my knowledge about this matter. 4. Based on my training and experience and the facts as set forth in this af?davit, there is probable cause to believe that the Target Accounts contain communications relevant to 18 U.S.C. 2 (aiding and abetting), 18 U.S.C. 3 (accessory after the fact), 18 U.S.C. 4 (misprision ofa felony), 18 U.S.C. 371 (conspiracy), 18 U.S.C. 1001 (false statements), 18 U.S.C. .1030 (unauthorized access of a protected computer); 18 U.S.C. 1505 and 1512 (obstruction of justice), 18 U.S.C. 1513 (witness tampering); 18 U.S.C. 1343 (wire fraud), 18 U.S.C. 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. 30121 (foreign contribution ban) (the ?Subject Offenses?). 5. On September 11, 2017, Chief Judge Beryl A. Howell of the District of Columbia issued a search warrant for Roger -address,_Target Account 1). On October 17, 2017, Chief Judge Howell issued a search warrant for - Account 2). On or about March 14, 2018, Chief Judge Howell issued a search warrant for iCloud account (Target Account 3). This 2 Case Document 29-13 Filed 04/28/20 Page 73 of 189 warrant seeks to search those accounts from the date each respective warrant was issued to the present. JURISDICTION 6. This Court has jurisdiction to issue the requested warrant because it is ?a court of competentjurisdiction? as de?ned by 18 U.S.C. 271 1. Id. 2703(3), Speci?cally, the Court is ?a district court of the United States (including a magistrate judge of such a court) . . . that has jurisdiction over the offense being investigated.? 18 U.S.C. 2711(3)(A)(i). The offense conduct included activities in Washington, D.C., as detailed below, including in paragraphs 14, 19, and 61. SUMMARY 7. This application seeks authority to search, from the date of search warrants previously issued by the Court to the present, three accounts believed to be used by Roger STONE: Target Account 1, which is -account; Target Account 2, which is .account; and Target Account 3, which is iCloud account. As set forth herein, there is probable cause to believe that each of the Subject Accounts contains evidence of the Subject Offenses, including ongoing efforts to obstruct justice, tamper with witnesses, and make false statements. 8. For example, as set forth in more detail below, in recent months STONE has reached out to communicate with multiple witnesses he knew or had reason to believe were scheduled to testify before Congress about interactions with STONE during the 2016 presidential campaign or were scheduled to meet with the Special Counsel?s Of?ce and/or appear before the Grand Jury investigating such interactions. After STONE learned that one witness, Randy CREDICO, was prepared to contradict congressional testimony, STONE repeatedly 3 Case Document 29-13 Filed 04/28/20 Page 74 of 189 urged CREDICO to assert the Fifth Amendment and decline to answer questions, and did so through multiple text messages. In June 2018, STONE instructed his private investigator to provide him with a full background investigation on another witness,-who had done information technology work for STONE during the campaign 9. In September 2017, STONE released a statement he said he provided to Congress in which he denied having advance knowledge of ?the source or actual content of the Wikileaks disclosures regarding Hillary Clinton.? He also stated publicly that when he tweeted during the campaign, on August 21, 2016, ?it will soon the Podesta?s time in the barrel,? he was not referring to the hacking or publication of John Podesta?s emails, but rather. to ?Podesta?s business dealings with Russia.? Evidence obtained in the investigation, however, shows the following: a. On or about July 25, 2016, Roger STONE emailed Jerome CORSI to ?Get to Assange? at the Ecuadorian Embassy and ?get pending WikiLeaks Julian ASSANGE is the founder of WikiLeaks. On or about July 31, 2016, STONE also instructed CORSI to have contact AS SANGE. On or about August 2, 2016, CORSI responded to STONE that the ?[w]ord is friend in embassy plans 2 more dumps. One shortly after I?m back. 2nd in Oct. Impact planned to be very damaging. . .. Time to let more than Podesta to be exposed as in bed enemy if they are not ready to drop After receipt of that message, on or about August 21, 2016, using @RogerJStoneJR, STONE tweeted: ?Trust me, it will soon the Podesta?s time in the barrel. #CrookedHillary.? b. Information disclosures subsequently occurred on or about the times CORSI predicted: On or about August 12, 2016, the day CORSI was scheduled to return to the United States (?shortly after I?m back?), Guccifer 2.0 released hacked information related to the 4 Case Document 29-13 Filed 04/28/20 Page 75 of 189 Democratic Congressional Campaign Committee On or about October 7, 2016, the day the Washington Post published a breaking story about an Access Hollywood videotape of then? candidate Trump making disparaging remarks about women, WikiLeaks released emails hacked from the account of John Podesta. c. Furthermore, on the clay of the Access Hollywood video disclosure, there were phone calls between STONE and CORSI after the Washington Post contacted STONE prior to publication. At approximately the Washington Post received a tip regarding the Access Hollywood video. Approximately one hour later, shortly before noon, STONE received a call from the Washington Post. Approximately ninety minutes later, before STONE called CORSI and they spoke. Approximately forty minutes later, CORSI called STONE and the two spoke again at length. At approximately the Washington Post published its story regarding the Access Hollywood tape. By approximately WikiLeaks tweeted out its ?rst release of emails hacked from John Podesta. Case Document 29-13 Filed 04/28/20 Page 76 of 189 PROBABLE CAUSE. A. Background on Relevant individuals Roger STONE 10. Roger STONE is a self-employed political strategist/consultant and has been actively involved in US. politics for decades. STONE worked on the presidential campaign of Donald J. Trump (the ?Campaign?) until August 2015. Although Stone had no official relationship with the Campaign thereafter, STONE maintained his support for Trump and continued to make media appearances in support of the Campaign. As described further below, STONE also maintained contact with individuals employed by the Campaign, including then- campaign chairman Paul MANAFORT and deputy chairman Rick GATES. ii. Jerome CORSI 11. Jerome CORSI is a political commentator who, according to publicly available information, currently serves as the ?Washington Bureau Chief for Inforwars.com.? According to publicly?available sources, from 2014 until January 2017, CORSI was a ?senior staff reporter? for the website ?World Net Daily? a/k/a ?WND.com.? CORSI has also written a number of books regarding Democratic presidential candidates. As described further below, CORSI was in contact with STONE during the summer and fall of 2016 regarding forthcoming disclosures of hacked information by WikiLeaks, and appears to have obtained information regarding upcoming disclosures which he relayed to STONE. Case Document 29-13 Filed 04/28/20 Page 77 of 189 B. U.S. Intelligence Community Assessment of Russian Government-Backed Hacking Activity during the 2016 Presidential Election 13. On October 7, 2016, the U.S. Department of Homeland Security and the Of?ce of the Director of National Intelligence released a joint statement of an intelligence assessment of Russian activities and intentions during the 2016 presidential election. In the report, the USIC assessed the following: a. The U.S. Intelligence Community is con?dent that the Russian Government directed the recent compromises of emails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked emails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures were Case Document 29-13 Filed 04/28/20 Page 78 of 189 intended to interfere with the US. election process. Such activity is not new to Moscow??the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to in?uence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia?s senior?most of?cials could have authorized these activities. 14. On January 6, 2017, the USIC released a declassi?ed version of an intelligence assessment of Russian activities and intentions during the 2016 presidential election entitled, ?Assessing Russian Activities and Intentions in Recent US Elections.? In the report, the USIC assessed the following: a. ?Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia?s goals were to undermine public faith in the US democratic process, denigrate [former] Secretary [of State Hillary] Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President?elect Trump.? b. The USIC also described, at a high level, some of the techniques that the Russian government employed during its interference. The USIC summarized the efforts as a ?Russian messaging strategy that blends covert intelligence operations?such as cyber activity? with overt efforts by Russian Government agencies, state?funded media, third-party intermediaries, and paid social media users or ?trolls.?? 0. With respect to ?cyber activity,? the USIC assessed that ?Russia?s intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties.? Further, July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.? The USIC attributed these cyber 8 Case Document 29-13 Filed 04/28/20 Page 79 of 189 activities to the Russian GRU, also known as the Main Intelligence Directorate: operations resulted in the compromise of the personal e-mail accounts of Democratic Party of?cials and political ?gures. By May, the GRU had ex?ltrated large volumes of data from the The GRU is the foreign military intelligence agency of the Russian Ministry of Defense, and is Russia?s largest foreign intelligence agency. d. With respect to the release of stolen materials, the USIC assessed ?with high con?dence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets.? e. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his identity throughout the election. C. Additional Hacking Activity by Individuals Associated with the GRU 15. The Special Counsel?s Of?ce has determined that individuals associated with the GRU continued to engage in hacking activity related to the 2016 campaign through at least November 1, 2016. 16. For example, in or around September 2016, these individuals successfully gained access to DNC computers housed on a third-party cloud-computing service. In or around late September, these individuals stole data from these cloud-based computers by creating backups of the cloud-based systems using the cloud provider?s own technology. The individuals used three new accounts with the same cloud computing service to move the ?snapshots? to those accounts. 17. On or about. September 4, 2016, individuals associated with the GRU stole the emails from a former White House advisor who was then advising the Clinton Campaign. These emails were later posted on DCLeaks. Case Document 29-13 Filed 04/28/20 Page 80 of 189 18. On or about November 1, 2016, individuals associated with the GRU spearphished over 100 accounts used by organizations and personnel involved in administering elections in numerous Florida counties. 19. On or about July 13, 2018, a grandjury in this District indicted eleven GRU of?cers for knowingly and intentionally conspiring to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of stolen documents in order to interfere with the election. The victims of the hacking and releases included the DNC, the Democratic Congressional Campaign Committee and the chairman of the Clinton campaign (John Podesta). See United States v. Viktor Borisovich et (1 :18?cr-215) D. Roger Public Interactions with Guccifer 2.0 and WikiLeaks 20. On June 14, 2016, the forensic ?rm that sought to remediate an unauthorized intrusion into the computer systems of the DNC, publicly attributed the hack to Russian government actors. The media reported On the announcement. On June 15, 2016, the persona Guccifer 2.0 appeared and publicly claimed responsibility for the DNC hack. It stated on its WordPress blog that, with respect to the documents stolen from the DNC, ?[t]he main part of the papers, thousands of ?les and mails, I gave to Wikileaks. They will publish them soon.? In that post, Guccifer 2.0 also began releasing hacked DNC documents. 21. On July 22, 2016, WikiLeaks published approximately 20,000 emails stolen from the DNC. A twelfth defendant was charged with conspiring to in?ltrate computers of organizations responsible for administering elections, including state boards of election, secretaries of state, and companies that supply software and other technology used to administer elections. 10 Case Document 29-13 Filed 04/28/20 Page 81 of 189 22. On August 5, 2016, STONE published an article on Breitbartcom entitled, ?Dear Hillary: DNC Hack Solved, 80 Now Stop Blaming Russia.? The article stated: ?It doesn?t seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer The article contained embedded publicly available Tweets from Guccifer 2.0 in the article and stated: ?Here?s Guccifer 2.0?s website. Have a look and you?ll see he explains who he is and why he did the hack of the The article also stated: ?Guccifer 2.0 made a fateful and wise decision. He went to WikiLeaks with the DNC files and the rest is history. Now the world would see for themselves how the Democrats had rigged the game.? 23. On August 8, 2016, STONE addressed the Southwest Broward Republican Organization. During his speech, he was asked about a statement by ASSANGE to Russia Today (RT) several days earlier about an upcoming ?October Surprise? aimed at the Hillary Clinton presidential campaign. Speci?cally, STONE was asked: ?With regard to the October surprise, what would be your forecast on that given what Julian Assange has intimated he?s going to do?? STONE responded: ?Well, it could be any number of things. I actually have communicated with Assange. I believe the next tranche of his documents pertain to the Clinton Foundation but there?s no telling what the October surprise may be.? A few days later, STONE clari?ed that While he was not personally in touch with ASSANGE, he had a close friend who served as an intermediary. 24. On August 12, 2016, Guccifer 2.0 publicly tweeted: ?@RogerJStoneJr thanks that 11 believe in the real #GucciferZ.? That same day, Guccifer 2.0 released the personal cellphone numbers and email addresses from the files of the 25. On August 13, 2016, Stone posted a tweet using @RogerJStoneJr calling Guccifer 2.0 a after Guccifer 2.0 had been banned from Twitter. The next day, Guccifer 2.0?s 1 1 Case Document 29?13 Filed 04/28/20 Page 82 of 189 Twitter account was reinstated. 26. On August 17, 2016, Guccifer 2.0 publicly tweeted, ?@RogerJ StoneJ paying you back.? Guccifer also sent a private message to @RogerJ StoneJ stating ?i?m pleased to say great man. please tell me ifI can help anyhow. it would be a great pleasure to me.? 27. On August 18, 2016, Paul Manafort, longtime friend and associate, resigned as Chairman of the Trump Campaign. 28. As noted above, on August 21, 2016, using @RogerJStoneJR, STONE tweeted: ?Trust me, it will soon the [sic] Podesta?s time in the barrel. #CrookedHillary.? In a C-SPAN interview that same day, STONE reiterated that because of the work of a ??mutual acquaintance? of both his and the public [could] expect to see much more from the exiled whistleblower in the form of strategically-dumped Clinton email batches.? He added: ?Well, ?rst of all, I think Julian Assange is a 1 think he?s taking on the deep state, both Republican and Democrat. I believe that he is in possession of all of those emails that Huma Abedin and Cheryl Mills, the Clinton aides, believe they deleted. That and a lot more. These are like the Watergate tapes.? 29. On September 16, 2016, STONE said in a radio interview with Boston Herald Radio that he expected WikiLeaks to ?drop a payload of new documents on Hillary on a weekly basis fairly soon. And that of course will answer the question as to what exactly what was erased on that email server.? 30. On Saturday, October 1, 2016, using @RogerJStoneJr, STONE tweeted, ?Wednesday HillaryClinton is done. #WikiLeaks.? 31. On Sunday, October 2, 2016, Morning Joe producer Jesse Rodriquez tweeted regarding an announcement ASSANGE had scheduled for the next day from the balcony 12 Case Document 29-13 Filed 04/28/20 Page 83 of 189 of the Ecuadoran Embassy in London. On the day of the ASSANGE announcement which was part of WikiLeaks? 10?year anniversary celebration STONE told Infowars that his intermediary described this release as the ?mother load.? On October 5, 2016, STONE used @RogerJ StoneJ to tweet: ?Payload coming. #Lockthemup.? 32. On Friday, October 7, 2016, at approximately 4:03 PM, the Washington Post published an article containing a recorded conversation from a 2005 Access Hollywood shoot in which Mr. Trump had made a series of lewd remarks. 33. Approximately a half hour later, at 4:32 PM, WikiLeaks sent a Tweet reading The Podesta Emails #HillaryClinton #Podesta #imWithHer? and containing a link to approximately 2,050 emails that had been hacked from John Podesta?s personal email account. 34. WikiLeaks continued to release John Podesta?s hacked emails through Election Day, November 8, 2016. On October 12, 2016, Podesta referring back to August 21, 2016 C-SPAN and Twitter references argued publicly that ?[it is] a reasonable assumption to - or at least a reasonable conclusion - that had advanced warning [of the release of his emails] and the Trump campaign had advanced warning about what Assange was going to do. I think there?s at least a reasonable belief that [Assange] may have passed this information on to Commenting to the NBC News, STONE indicated that he had never met or spoken with Assange, saying that ?we have a mutual friend who?s traveled to London several times, and everything I know is through that channel of communications. I?m not implying I have any influence with him or that 1 have advanced knowledge of the speci?cs of what he is going to do. 1 do believe he has all of the e-mails that Huma Abedin and Cheryl Mills, the Clinton aides, thought were deleted. I hear that through my emissary.? 35. On March 27, 2017, CNN reported that a representative of WikiLeaks, writing 13 Case Document 29-13 Filed 04/28/20 Page 84 of 189 from an email address associated with WikiLeaks, denied that there was any backchannel communication during the Campaign between STONE and WikiLeaks. The same article quoted STONE as stating: ?Since I never communicated with WikiLeaks, I guess I must be innocent of charges I knew about the hacking of Podesta?s email (speculation and conjecture) and the timing or scope of their subsequent disclosures. So I am clairvoyant or just a good guesser because the limited things I did predict (Oct disclosures) all came true.? E. Private Twitter Direct Messages with WikiLeaks and ASSAN GE 36. On August 7, 2017, Chief Judge Beryl A. Howell issued a search warrant for the Twitter account @RogerJ Stone] r. Information recovered from the search of that account includes the following: a. On October 13, 2016, while WikiLeaks was in the midst of releasing the hacked Podesta emails, @RogerJStoneJr sent a private direct message to the Twitter account @wikileaks. This account is the of?cial Twitter account of WikiLeaks and has been described as such by numerous news reports. The message read: ?Since I was all over national TV, cable and print defending WikiLeaks and assange against the claim that you are Russian agents and debunking the false charges of sexual assault as trumped up bs you may want to rexamine the strategy of attacking me? cordially . b. Less than an hour later, @wikileaks responded by direct message: ?We appreciate that. However, the false claims of association are being used by the democrats to undermine the impact of our publications. Don?t go there if you don?t want us to correct you.? c. On or about October 15, 2016, @RogerJStoneJr sent a direct message to @wikileaks: ?Ha! The more you \"correct me the more people think you?re lying. Your operation leaks like a sieve. You need to ?gure out who your friends are.? 14 Case Document 29-13 Filed 04/28/20 Page 85 of 189 d. On or about November 9, 2016, one day after the presidential election, @wikileaks sent a direct message to @RogerJStoneJ containing a single word: ?Happy?? @wikileaks immediately followed up with another message less than a minute later: ?We are now more free to communicate.? e. In addition, @RogerJStoneJr also exchanged direct messages with ASSANGE. For example, on June 4, 2017, @RogerJStoneJr directly messaged @JulianAssange, an address associated with ASSANGE in numerous public reports, stating: ?Still nonsense. As ajournalist it doesn?t matter where you get information only that it is accurate and authentic. The New York Times printed the Pentagon Papers which were indisputably stolen from the government and the courts ruled it was legal to do so and refused to issue an order restraining the paper from publishing additional articles. If the US government moves on you I will bring down the entire house of cards. With the trumped-up sexual assault charges dropped I don?t know of any crime you need to be pardoned for - best regards. That same day, @JulianAssange responded: ?Between CIA and they?re doing quite a lot. 011 the side that?s coming most strongly from those obsessed with taking down Trump trying to squeeze us into a deal.? f. On Saturday, June 10, 2017, @RogerJStoneJr sent a direct message to @JulianAssange, reading: am doing everything possible to address the issues at the highest level of Government. Fed treatment of you and WikiLeaks is an outrage. Must be circumspect in this forum as experience demonstrates it is monitored. Best regards 15 Case Document 29-13 Filed 04/28/20 Page 86 of 189 F. Communications with STONE, - and Others Regarding Forthcoming Leaks 37. As indicated above, on September 1 1, 2017, Chief Judge Howell issued a search warrant for Account on October 17, 2017, Chief Judge Howell issued a search warrant for STONE?s-address, ?(Target Account and on or about March 14, 2018, Chief Judge Howell issued a search warrant for iCloud account (Target Account 3). In addition, on or about December 19, 2017, Chief Judge Howell issued a search warrant for email account. Information recovered pursuant to those search warrants includes the following: a. On or about May 15, 2016, -mailed CORSI: ?Here is my ?ight schedule. Need to get something con?rmed now . . . CORSI copied Roger Stone so he knows your availability to meet Manafort and DT this coming week.? CORSI appears to have forwarded the message to STONE at Target Account 1, who replied to CORSI that, ?May meet Manafort -guarantee nothing.? b. On or about May 18, 2016, CORSI emailed STONE at Target Account 1 with the title, ?Roger why don?t you look this over before I send it-I believe that CORSI wrote, nd I did manage to see Mr. Trump for a few minutes today as we were waiting in Trump Tower to say hello to Mike Cohen. Mr. Trump recognized us immediately and was very cordial. He would look for this memo from you this afternoon.? 0. On July 25, 2016, STONE, using Target Account 1, sent an email to CORSI with the subject line, ?Get to Assange.? The body of the message read: ?Get to Assange 16 Case Document 29-13 Filed 04/28/20 Page 87 of 189 [a]t Ecuadorian Embassy in London and get the pending WikiLeaks emails. . .they deal with Foundation, allegedly.? d. On or about July 31, 2016, STONE, using Target Account I, emailed CORSI with the subject line, ?Call me The body of the email read: -should see Assange[.] -should find Bernie [S]anders brother who called Bill a Rapist turn him for should ?nd? or more proof of Bill getting kicked out.? e. As noted above, on or about August 2, 2016 (approximately 19 days before STONE publicly tweeted about ?Podesta?s time in the barrel?), CORSI emailed STONE at Target Account 1: ?Word is friend in embassy plans 2 more dumps. One shortly after I?m back. 2nd in Oct. Impact planned to be very damaging.? The email continued: ?Signs are Fox will have me on mid?Aug. more post Ailes shakeup underway. Expect Shine to surface victor, for now. bump for HRC an artifact of rigged polling. Won?t last. I expect presidential campaign to get serious starting Sept. Still in pre-season games. Time to let more than Podesta to be exposed as in bed enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke -- neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle.? Investigators believe that reference to a ?friend in embassy [who] plans 2 more dumps? refers to ASSANGE, who resided in Ecuador?s London Embassy in f. On or about August 5, 2016,_ an associate of emailed Stone at Target Account 1. The email contained a link to a poll indicating that Clinton 2016. led Trump by 15 points. STONE responded, ?enjoy it while can[.] I dined with my new pal Julian Assange last night.? -ubsequently stated to investigators that, around the 17 Case Document 29-13 Filed 04/28/20 Page 88 of 189 same time, STONE told him he had gone to London to meet ASSANGE. -150 stated that in 2018,- told STONE he would be interviewed by the FBI and would have to divulge the conversation about meeting AS SANGE. STONE told-e was joking and had not actually met ASSANGE.2 g. On or about August 15, 2016, CORSI emailed STONE at Target Account 1: ?Give me a call today if you can. Despite MSM drumroll that HRC is already elected, it?s not over yet. More to come than anyone realizes. Won?t really get started until after Labor Day. I?m in NYC this week. Jerry.? h. On or about August 31, 2016, CORSI emailed STONE at Target Account 1: ?Did you get the PODESTA writeup.? STONE replied i. On or about August 31, 2016, CORSI messaged STONE at Target Account 3, ?Podesta paid $180k to invest in Uranium One was hired by Rosatom in Giustra scandal. Podesta now under FBI investigation tied to Ukraine Yanukovych Panama papers reveals Podesta hired by S[b]erbank, Russia?s largest ?nancial institution Podesta ties to Russia undermine Clinton false narrative attempting to tie Trump to Putin.? j. On or about September 6, 2016, CORSI emailed STONE at Target Account 1: ?Roger[,] Is NY Post going to use the Pedesta [sic] stuff?? k. On or about September 24, 2016,-mailed CORSI, will have much more on Turkey. Need a back channel highly sensitive stuff.? CORSI responded, Case Document 29-13 Filed 04/28/20 Page 89 of 189 ?We have secure back channel through Roger. I saw him again in NYC last Friday and spoke to him about it again back, ?Awaiting secret file. Hope you are well. Can?t wait for the debate. Channeling Reagan, I hope!? CORSI responded, ?Keep me posted about In a subsequent meeting with investigators-indicated this conversation concerned possible derogator?y information he was trying to obtain from Turkey. 1. On or about October 3, 2016, an associate of STONE emailed STONE at Target Account 2 and asked: ?Assange what?s he got? Hope it?s good.? STONE wrote back, ?It is. I?d tell Bannon but he doesn?t call me back. My book on the TRUMP campaign will be out in Jan. Many scores will be settled.? The associate forwarded the email to Steve BANNON, who was CEO of the Campaign at the time, and wrote: ?You should call Roger. See below. You didn?t get from me.? BANNON wrote back, ?I?ve got important stuff to worry about.? The associate responded, ?Well clearly he knows what Assange has. I?d say that?s important.? m. On or about October 4, 2016, ASSANGE gave a press conference at the Ecuadorian Embassy. There had been speculation in the press leading up to that event that ASSANGE would release information damaging to then?candidate Clinton, but WikiLeaks did not make any new releases. Instead, ASSANGE promised more documents, including information ?affecting three powerful organizations in three different states, as well as, of course, information previously referred to about the US. election process.? ASSANGE also stated that WikiLeaks would publish documents on various subjects every week for the next ten weeks, and vowed that the US election-related documents would all come out before Election Day. n. On or about October 4, 2016, CORSI messaged STONE at Target Account 3, ?Assange made a fool of himself. Has nothing or he would have released it. Total BS hype.? 19 Case Document 29-13 Filed 04/28/20 Page 90 of 189 0. That same day, BANNON emailed STONE at Target Account 2, ?What was that this STONE replied, ?Fear. Serious security concern. He thinks they are going to kill him and the London police are standing done BANNON wrote back, ?He didn?t cut deal w/ STONE replied, ?Don?t think so BUT his lawyer- is a big democrat.? p. When BANNON spoke with investigators during a voluntary interview on February 14, 2018, he initially denied knowing whether the October 4, 2016 email to STONE was about WikiLeaks. Upon further questioning, BANNON acknowledged that he was asking STONE about WikiLeaks, because he had heard that STONE had a channel to ASSANGE, and BANNON had been hoping for releases of damaging information that morning. G. STONE and CORSI Communications on October 7, 2016, when the Podesta Emails Are Released 38. According to a publicly available news article,3 at approximately 11AM on Friday, October 7, 2016, Washington Post reporter David ahrenthold received a phone call from a source regarding a previously unaired video of candidate Trump. According to the same article, ahrenthold didn?t hesitate. Within a few moments of watching an outtake of footage from a 2005 segment on ?Access Hollywood,? the Washington Post reporter was on the phone, calling Trump?s campaign, ?Access Hollywood? and NBC for reaction.? 39. According to phone records at approximately 11:27 AM, CORSI placed a call to STONE which STONE did not answer. 3 on/2016/ 10/0 7/3 1d74714-80e5-1 20 Case Document 29-13 Filed 04/28/20 Page 91 of 189 40. At approximately 1 STONE received a phone call from the Washington Post. The call lasted approximately twenty minutes. 41. At approximately 1 STONE called CORSI and the two spoke for approximately seventeen minutes. 42. At approximately CORSI called STONE and the two spoke for approximately twenty minutes. 43. At approximately the Washington Post published a story regarding the Access Hollywood tape. 44. At approximately WikiLeaks tweeted out its ?rst release of emails hacked from John Podesta that focused primarily on materials related to the Clinton Foundation. On or about August 2, 2016, CORSI emailed STONE on Target Account 1, expect that much of next dump focus, setting stage for Foundation debacle.? 45. At approximately an author who has written about the Clinton Foundation, and who, according to emails and phone records, regularly communicates with STONE, sent STONE an email titled, ?WikiLeaks The Podesta Emails,? with a link to the newly-released Podesta emails. Approximately ten minutes later, STONE, using Target Account 2, forwarded message to CORSI without comment. STONE does not appear to have forwarded the email to any other individual. H. STONE Asks CORSI for to Post About Podesta After STONE Is Accused of Advance Knowledge of the Leak 46. On or about October 8, 2016, STONE, using Target Account 3, messaged CORSI, ?Lunch postponed have to go see CORSI responded to STONE, ?Ok. I understand.? Approximately twenty minutes later, CORSI texted, ?Clintons know they will lose 21 Case Document 29-13 Filed 04/28/20 Page 92 of 189 a week of Paula Jones media with attacking Foundation, using Wikileaks Goldman Sachs speech comments, attacking bad job numbers.? 47. On or about Wednesday, October 12, 2016, at approximately STONE, using Target Account 2, emailed Corsi asking him to ?send me yOur best podesta links.? STONE emailed CORSI at approximately ?need your BEST podesta pieces.? CORSI wrote back at approximately ?Ok. Monday. The remaining stuff on Podesta is complicated. Two articles in length. I can give you in raw form the stuff I got in Russian translated but to write it up so it?s easy to understand will take weekend. Your choice?? 48. On or about that same day, October 12, 2016, Podesta accused STONE of having advance knowledge of the publication of his emails, as noted above. At approximately CORSI emailed STONE at both Target Account 1 and 2 with the subject line ?Podesta talking points.? Attached to the email was a ?le labeled, STONE podesta talking points Oct 12 2016.docx.? The ?talking points? included the statement that ?Podesta is at the heart of a Russian?government money laundering operation that bene?ts ?nancially Podesta personally and the Clintons through the Clinton Foundation.? 49. CORSI followed up several minutes later with another email titled, ?Podesta talking points,? with the text ?sent a second time just to be sure you got it.? STONE emailed CORSI back via Target Account 1: ?Got them and used them.? 50. On or about Thursday, October 13, 2016, CORSI emailed STONE at Target Account 2: -- Joule ties to RUSSIA MONEY LAUNDERING to CLINTON STONE responded, ?Nice but I was hoping for a piece I could post under my by-line since I am the one under attack by Podesta and now Mook.? CORSI wrote back to STONE, ?I?ll give you one more NOBODY YET HAS It looks to me like 22 Case Document 29-13 Filed 04/28/20 Page 93 of 189 - skimmed maybe billions off Skolkovo Skolkovo kept their money with Metcombank[.] The Russians launched a criminal investigation[.] [web link] Once- had the channel open from Metcombank to Deutsche Bank America to Ban[k] of America?s Clinton Fund account, there?s no telling how much money he laundered, or where it ended up. Nothing in Clinton Foundation audited ?nancials or IRS Form 9905 about received via Russia Metcombank[.] I?m working on that angle now.? STONE replied, ?Ok Give me SOMETHING to post on Podesta since I have now promised it to a dozen MSM 51. On or about Thursday, October 13, 2016, at approximately 6:3 0PM, CORSI sent STONE an email at Target Account 2, with the subject, STONE article RUSSIAN MAFIA STYLE MONEY-LAUNDERIN G, the CLINTON FOUNDATION, and JOHN The text stated: ?Roger[,] You are free to publish this under your own name.? That same day, STONE posted a blog post with the title, ?Russian Mafia money laundering, the Clinton Foundation and John Podesta.? In that post, STONE wrote, ?although I have had some back-channel communications with Wikileaks I had no advance notice about the hacking of Mr. Podesta nor I have I ever received documents or data from Wikileaks.? The post then asked, ?Just how much money did ?a controversial Russian billionaire investor with ties to the Vladimir Putin and the Russian government, launder through Metcombank, a Russian regional bank owned 99.978 percent by -with the money transferred via Deutsche Bank and Trust Company Americas in New York City, with the money ending up in a private bank account in the Bank of America that is operated by the Clinton Foundation?? 52. On or about October 14, 2016, CORSI sent a message to STONE at Target Account 3, ?I?m in NYC. Thinking about writing piece attacking Leer and other women. It?s basically a rewrite of what?s out there. Going through new Wikileaks drop on Podesta.? 23 Case Document 29-13 Filed 04/28/20 Page 94 of 189 53. On or about October 17, 2016, CORSI messaged STONE at Target Account 3, ?On Assange, can you call me now before STONE responded, ?Missed ?just landed JFK on Infowars now.? CORSI wrote back, ?Call afterwards. Have some important intel to share.? 54. On or about October 17, 2016, CORSI emailed STONE at Target Accounts 1 and 2 with the subject, ?Fwd: ASSANGE. . .URGENT. . CORSI wrote, ?From a very trusted source,? and forwarded an email with the header information stripped out, showing only the body text. The email read, I ?gured this. Assange is threatening Kerry, Ecuador and U.K. He will drop the goods on them if they move to extradite him. My guess is that he has a set of dead man ?les that include Hillary. It?s what they used to call a ?Mexican stand offH? Only hope is that if Trump speaks out to save him[.] Otherwise he?s dead anyway, once he?s dropped what he has. If HRC wins, Assange can kiss his life away. Interesting gambit Assange has to play out. He?s called Podesta?s bluff and raised him the election.? 55. On or about October 18, 2016, CORSI messaged STONE at Target Account 3, call. Important.? 56. On or about October 19, 2016, STONE published an article on Breitbart.com in which he claimed he had ?no advance notice of Wikileaks? hacking of Podesta?s e-mails.? STONE stated, predicted that Podest?a?s business dealings would be exposed. Ididn?t hear it from Wikileaks, although Julian Assange and I share a common friend. I reported the story on my website.? STONE linked to the story he had asked CORSI to write for him on October 13, 2016 discussed above. 57. On or about November 8, 2016, the United States presidential election took place. 24 Case Document 29-13 Filed 04/28/20 Page 95 of 189 58. On or about November 9, 2016, CORSI messaged STONE at Target Account 3, ?Congratulations, Roger. He could not have done it without you.? 59. On or about November 10, 2016, CORSI messaged STONE at Target Account 3, ?Are you available to talk on phone?? Several minutes later, CORSI messaged, ?I?m in London. Have some interesting news for you.? 25 Case Document 29-13 Filed 04/28/20 Page 96 of 189 Case Document 29-13 Filed 04/28/20 Page 97 of 189 J. Congressional Testimony and Public Statements About His Relationship with Wikileaks 61. On September 26, 2017, STONE testi?ed before the House Permanent Select Committee on Intelligence (HPSCI). Although the hearing was closed, STONE released to the public what he said were his opening remarks to the committee. In them, STONE stated: Members of this Committee have made three basic assertions against me which must be rebutted here today. The charge that I knew in advance about, and predicted, the hacking of Clinton campaign chairman John Podesta?s email, that I had advanced knowledge of the source or actual content of the WikiLeaks disclosures regarding Hillary Clinton or that, my now public exchange with a persona that our intelligence agencies claim, but cannot prove, is a Russian asset, is anything but innocuous and are entirely false. Again, such assertions are conjecture, supposition, projection, and allegations but none of them are facts. . . . My Tweet of August 21, 2016, in which I said, ?Trust me, it will soon be the Podesta?s time in the barrel. #CrookedHillary? must be examined in context. I posted this at a time that my boyhood friend and colleague, Paul Manafort, had just resigned from the Trump campaign over allegations regarding his business activities in Ukraine. I thought it manifestly unfair that John Podesta not be held to the same standard. Note, that my Tweet of August 21, 2016, makes no mention, whatsoever, of Mr. Podesta?s email, but does accurately predict that the Podesta brothers? business activities in Russia with the oligarchs around Putin, their uranium deal, their bank deal, and their Gazprom deal, would come under public scrutiny. . . . [L]et me address the charge that I had advance knowledge of the timing, content and source of the WikiLeaks disclosures from the DNC. On June 12, 2016, WikiLeaks? publisher Julian Assange[] announced that he was in possession of Clinton DNC emails. 27 Case Document 29-13 Filed 04/28/20 Page 98 of 189 I learned this by reading it on Twitter. I asked a journalist who I knew had interviewed Assange to independently con?rm this report, and he subsequently did. Thisjournalist assured me that WikiLeaks would release this information in October and continued to assure me of this throughout the balance of August and all of September. This information proved to be correct. I have referred publicly to this journalist as an, ?intermediary? ?go?between? and ?mutual friend.? All of these monikers are equally true. 62. In a document dated March 26, 2018 titled ?Minority Views,? Democratic members of HPSCI published excerpts from Stone?s September 2017 testimony before HPSCI. Those excerpts include the following: Q: Have any of your employees, associates, or individuals acting on your behest or encouragement been in any type of contact with Julian Assange? MR. STONE: No. Q: So throughout the many months in which you represented you were either in communication with Assange or communication through an intermediary with Assange, you were only referring to a single fact that you had con?rmed with the intermediary MR. STONE: That Q: -- was the length and the breadth of what you were referring to? MR. STONE: That is correct, even though it was repeated to me on numerous separate occasrons. 63. In the month that followed his testimony before HPSCI, on or about October 24, 2017, STONE published an article on his website, stonecoldtruth.com, titled ?Is it the Podesta?s Time in the Barrel Yet?? In that article, STONE stated: was this inevitable scrutiny of the Podestas? underhanded business dealings that my ?time in the barrel? referred to and not, as some have quite falsely claimed, to the hacking and publication almost two months later of John Podesta?s emails. . . . [M]y tweet referred to Podesta?s business dealings with Russia, and the expectation that it would become a news story.? K. Use of Target Account 3 to Message Randy CREDICO about ?Back channel? 28 Case Document 29-13 Filed 04/28/20 Page 99 of 189 64. On November 19, 2017, Randy CREDICO (who, as described further below, STONE publicly identi?ed as his ?intermediary? to ASSANGE), messaged STONE on Target Account 3, ?My lawyer wants to see me today.? STONE responded, ??Stonewall it. Plead the ?fth. Anything to save the plan? Richard CREDICO responded, ?Ha ha.? 65. On or about November 21, 2017, CREDICO messaged STONE on Target Account 3, was told that the house committee lawyer told my lawyer that I will be getting a STONE wrote back, ?That was the point at which your lawyers should have told them you would assert your 5th Amendment rights if compelled to appear.? They continued to message, and CREDICO wrote, ?My lawyer wants me to cut a deal.? STONE wrote back, ?To do what Nothing happening in DC the day before Thanksgiving why are busting my chops?? 66. On or about November 24, 2017, STONE, using Target Account 3, texted CREDICO, ?Assange is a journalist and a damn good one- meeting with him is perfectly legal and all you ever told me was he had the goods [o]n Hillary and would publish them which he himself said in public b4 told me . It?s a fucking witchunt CREDICO replied, told you to watch his tweets. That?s what I was basing it on. I told you to watch his Tweets in October not before that I knew nothing about the DNC stuff[.] Ijust followed his STONE responded, never said anything about the DNC but it was August.? CREDICO wrote back, ?It was not August because I didn?t interview him or meet him until August 26th[.] That was my ?rst communication with his secretary in London, August 26th.? STONE wrote back, ?Not the way I remember it oh well I guess Schiff will try to get one of us indicted for Perjuf?-l? 29 Case Document 29-13 Filed 04/28/20 Page 100 of 189 67. STONE and CREDICO continued to exchange messages via Target Account 3, and on November 24, 2017, CREDICO wrote to STONE, ?Forensic evidence proves that there is no back Channel. So now you can relax.? 68. On or about November 28, 2017, CREDICO tweeted a copy of a subpoena he received from HPSCI that was dated November 27, 2017. Toll records show that on November 27 and 28, 2017, CREDICO and STONE communicated via text message more than a dozen times. 69. On November 29, 2017, STONE publicly stated that CREDICO was his ?intermediary.? In a public Facebook post, STONE further stated that, ?Credico merely con?rmed for Mr. Stone the accuracy of Julian Assange?s interview of June 12, 2016 with the British ITV network, where Assange said he had ?e-mails related to Hillary Clinton which are pending publication,? . . . Credico never said he knew or had any information as to source or content of the material.? 70. On or about December 1, 2017, CREDICO messaged STONE on Target Account 3, stating, don?t know why you had back Channel now I had to give all of my forensic evidence to the FBI today what a You could have just told him the truth that you didn?t have a back Channel they now know that I was not in London until September of this year[.] You had no back?channel and you could have just told the truth . . . You want me to cover you for perjury STONE responded, ?What the fuck is your problem? Neither of us has done anything wrong or illegal. You got the best press of your life and you can get away with asserting for 5th Amendment rights if don?t want talk about AND if 4 Contrary to his statement, CREDICO has not provided any forensic evidence to the FBI. 30 Case Document 29-13 Filed 04/28/20 Page 101 of 189 you-turned over anything to the FBI you?re a fool.? CREDICO responded, ?You open yourself up to six counts of perjury[.] But I?m sure that wasn?t sworn testimony so you?re probably clear[.] Council for the committee knows you never had a back Channel and if you had just told the truth wouldn?t have put me in this bad spot . . . you should go back . . . and amend your testimony and tell them the truth.? CREDICO repeated: ?you need to amend your testimony before I testify on the 15th.? STONE replied, ?If you testify you?re a fool. Because of tromp [sic] I could never get away with a certain [sic] my Fifth Amendment rights but you can. I guarantee you you [sic] are the one who gets indicted for perjury if you?re stupid enough to 71. STONE and CREDICO continued to message each other on or about December 1, 2017. In response to message about being ?stupid enough to testify,? CREDICO told STONE: ?Whatever you want to say I have solid forensic evidence.? STONE responded: ?Get yourself a real lawyer instead of some liberal wimp who doesn?t know how to tell his guys to fuck off good nigh CREDICO then wrote: ?Just tell them the truth and swallow your ego you never had a back Channel particularly on June STONE responded: ?You got nothing.? 72. On or about December 13, 2017, according to public reporting, CREDICO indicated that he would not testify before HPSCI and would invoke his Fifth Amendment rights. 73. STONE and CREDICO continued to exchange messages via Target Account 3, and on or about January 6, 2018, CREDICO indicated to STONE that he was having dinner with a reporter. STONE responded, ?Hope don?t fuck Up my efforts to get Assange a CREDICO messaged STONE, have the email from his chief of staff August 25th 2016 responding to an email I sent to WikiLeaks website email address asking you would do my show[.] That was my initial contact.? 31 Case Document 29-13 Filed 04/28/20 Page 102 of 189 74. On or about January 8, 2018, CREDICO messaged STONE on Target Account 3 stating: ?Embassy logs . . . 17 other pieces of information prove that I did not have any conversations with Assange until September of last year.? 75. CREDICO and STONE continued to message each other, and on or about January 25, 2018, CREDICO wrote to STONE on Target Account 3: ?You lied to the house Intel committee . . . But you?ll get off because you?re friends with Trump so don?t worry. I have all the forensic evidence[.] I was not a ba[ck] Channel and I have all those emails from September of 2016 to prove 76. On or about April 13, 2018, news reports stated that CREDICO had shown reporters copies of email messages he had received from STONE in the prior few days that stated, ?You are a rat. You are a stoolie. You backstab your friends run your mouth my lawyers are dying Rip you to shreds.? Another message stated, ?I?m going to take that dog away from you,? referring to therapy dog. CREDICO stated that it was ?certainly scary . . . When you start bringing up my dog, you?re crossing the 77. On or about May 25, 2018, CREDICO provided additional messages he stated were from STONE to another news agency.6 In these messages, STONE, on April 9, 2018, stated: am so ready. Let?s get it on. Prepare to In the article, CREDICO stated that he considered this email from STONE a threat. STONE stated in the article that CREDICO ?told me he had terminal prostate cancer . . . It was sent in response to that. We talked about it too. 5 135911370.htm1 6 32 Case Document 29-13 Filed 04/28/20 Page 103 of 189 He was depressed about it. Or was he lying.? The article noted that CREDICO stated he did not have prostate cancer and did not have any such discussion with STONE. L. Use of the Target Accounts to Communicate with Individuals Related to the Investigation 78. On May 17, 2018, Chief Judge Howell issued an order for the use of pen-trap devices on Target Account 1 and Target Account 2. The information obtained from that order, along with information obtained from toll records, revealed that STONE has continued to use Target Account 1 and Target Account 2, and that he has used them to communicate with individuals related to the investigation. 79. For example, STONE and ommunicated twice on May 28 and May 29, 2018 using Target Account 1. a former associate of was interviewed by the Special Counsel?s Of?ce on or about May 2, 2018. Toll records show that -nd STONE communicated multiple times on May 5, 2018, and STONE communicated with-using Target Account 1 on June 1, 2018 and June 6, 2018. - - a private investigator who had previously worked with STONE and who was hired by STONE to research individuals associated with this case (as described further below), communicated with STONE on Target Account 1 at least four times between May 27, 2018 and July 12,2018. 80. STONE has also used Target Account 2 to communicate with individuals associated with this investigation. a. For example, between May 23, 2018 and the present, STONE and CORSI exchanged at least ?ve messages using Target Account 2. In the same time period, STONE exchanged at least 75 emails with CREDICO using Target Account 2. 33 Case Document 29-13 Filed 04/28/20 Page 104 of 189 b. Also in this same time period, STONE emailed _at least ten times using Target Account 2.-is a former employee of STONE. On May 9, and again on May 10, 201 8? communicated by phone with STONE. Overall, between May 23, 2018 and the present, STONE exchanged over 100 emails wit-sing Target Account 2. In addition, between on or about June 14, 2018 and and STONE exchanged five emails using Target Account 2. June 17,2018, 81. STONE has also used a phone number associated with Target Account 3 to communicate with - a private investigator hired by STONE. -was interviewed by investigators on June 7, 2018, and subsequently informed investigators that in June 2018, STONE instructed him to conduct a full background investigation on- .vho had been employed by STONE during the Campaign as an information technology specialist-? _also told investigators that in June 2018, STONE instructed him to ?nd an address for CREDICO that could be used to serve CREDICO with legal process. -told investigators that his primary form of communication with STONE is by text message on Target Account 3. BACKGROUND CONCERNING EMAIL 82. In my training and experience, I have learned the Providers provide a variety of on-line services, including electronic mail (?email?) to the public. The Providers allow 34 Case Document 29-13 Filed 04/28/20 Page 105 of 189 subscribers to obtain email accounts at the domain names identi?ed in the email address contained in Attachment A and C. Subscribers obtain an account by registering with the Providers. During the registration process, the Providers ask subscribers to provide basic personal information. Therefore, the computers of the Providers are likely to contain stored electronic communications (including retrieved and unretrieved email) for their subscribers and information concerning subscribers and their use of services, such as account access information, email transaction information, and account application information. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account?s user or users. 83. In my training and experience, email Providers generally ask their subscribers to provide certain personal identifying information when registering for an email account. Such information can include the subscriber?s full name, physical address, telephone numbers and other identi?ers, alternative email addresses, and, for paying subscribers, means and source of payment (including any credit or bank account number). In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account?s user or users. Based on my training and my experience, I know that, even if subscribers insert false information to conceal their identity, this information often provides clues to their identity, location, or illicit activities. 84. In my training and experience, email Providers typically retain certain transactional information about the creation and use of each account on their systems. This information can include the date on which the account was created, the length of service, records of log-in (1162., session) times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to the account 35 Case Document 29-13 Filed 04/28/20 Page 106 of 189 (such as logging into the account via the Providers? website), and other log ?les that re?ect usage of the account. In addition, email Providers often have records of the Internet Protocol address address?) used to register the account and the IP addresses associated with particular logins to the account. Because every device that connects to the Internet must use an IP address, IP address information can help to identify which computers or other devices were used to access the email account. 85. In my training and experience, in some cases, email account users will communicate directly with an email service Providers about issues relating to the account, such as technical problems, billing inquiries, or complaints from other users. Email Providers typically retain records about such communications, including records of contacts between the user and the Providers? support services, as well as records of any actions taken by the Providers or user as a result of the communications. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account?s user or users. 86. As explained herein, information stored in connection with an email account may provide crucial evidence of the ?who, what, why, when, where, and how? of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or alternatively, to exclude the innocent from further suspicion. In my training and experience, the information stored in connection with an email account can indicate who has used or controlled the account. This ?user attribution? evidence is analogous to the search for ?indicia of occupancy? while executing a search warrant at a residence. For example, email communications, contacts lists, and images sent (and the data associated with the foregoing, such as date and time) may indicate who used or controlled the account at a relevant time. Further, 36 Case Document 29-13 Filed 04/28/20 Page 107 of 189 information maintained by the email Providers can show how and when the account was accessed or used. For example, as described below, email Providers typically log the Internet Protocol (IP) addresses from which users access the email account, along with the time and date of that access. By determining the physical location associated with the logged IP addresses, investigators can understand the chronological and geographic context of the email account access and use relating to the crime under investigation. This geographic and timeline information may tend to either inculpate or exculpate the account owner. Additionally, information stored at the user?s account may further indicate the geographic location of the account user at a particular time g, location information integrated into an image or video sent via email). Last, stored electronic data may provide relevant insight into the email account owner?s state of mind as it relates to the offense under investigation. For example, information in the email account may indicate the owner?s motive and intent to commit a crime communications relating to the crime), or consciousness of guilt deleting communications in an effort to conceal them from law enforcement). 87. In my training and experience, information such as search history can help to show the state of mind of an individual at the time the search was made, as well as the individuals potential advance knowledge of events, as they search to see if the anticipated event has occurred. INFORMATION REGARDING APPLE ID AND 7 The information in this section is based on information published by Apple on its website, including, but not limited to, the following document and webpages: Law Enforcement Legal Process Guidelines,? available at ?Create and start using an Apple available at ?iCloud,? available at ?What does iCloud back available at 25 Security,? available at 37 Case Document 29-13 Filed 04/28/20 Page 108 of 189 88. Apple is a United States company that produces the iPhone, iPad, and iPod Touch, all of which use the operating system, and desktop and laptop computers based on the Mac OS operating system. 89. Apple provides a variety of services that can be accessed from Apple devices or, in some cases, other devices via web browsers or mobile and desktop applications As described in further detail below, the services include email, instant messaging, and file storage: a. Apple provides email service to its users through email addresses at the domain names mac.com, me.com, and icloud.com. b. iMessage and FaceTime allow users of Apple devices to communicate in real?time. iMessage enables users of Apple devices to exchange instant messages (?iMessages?) containing text, photos, videos, locations, and contacts, while FaceTime enables those users to conduct video calls. 0. iCloud is a ?le hosting, storage, and sharing service provided by Apple. iCloud can be utilized through numerous iCloud-connected services, and can also be used to store device backups and data associated with third-party apps. d. iCloud-connected services allow users to create, store, access, share, and data on Apple devices or via icloud.com on any Internet-connected device. For example, iCloud Mail enables a user to access Apple-provided email accounts on multiple Apple devices and on icloud.com. iCloud Photo Library and My Photo Stream can be used to store and manage images and videos taken from Apple devices, and iCloud Photo Sharing allows the user Security Guitlupclf, and ?iCloud: How Can I Use iCloud?,? available at 38 Case Document 29-13 Filed 04/28/20 Page 109 of 189 to share those images and videos with other Apple subscribers. iCloud Drive can be used to store presentations, spreadsheets, and other documents. iCloud Tabs and bookmarks enable iCloud to be used to bookmarks and webpages opened in the Safari web browsers on all of the user?s Apple devices. iWork Apps, a suite of productivity apps (Pages, Numbers, Keynote, and Notes), enables iCloud to be used to create, store, and share documents, spreadsheets, and presentations. iCloud Keychain enables a user to keep website username and passwords, credit card information, and i network information across multiple Apple devices. e. Game Center, Apple?s social gaming network, allows users of Apple devices to play and share games with each other. f. Find My iPhone allows owners of Apple devices to remotely identify and track the location of, display a message on, and wipe the contents of those devices. Find My Friends allows owners of Apple devices to share locations. g. Location Services allows apps and websites to use information from cellular, i, Global Positioning System networks, and Bluetooth, to determine a user?s approximate location. h. App Store and iTunes Store are used to purchase and download digital content. apps can be purchased and downloaded through App Store on devices, or through iTunes Store on desktop and'laptop computers running either Microsoft Windows or Mac OS. Additional digital content, including music, movies, and television shows, can be purchased through iTunes Store on devices and on desktop and laptop computers running either Microsoft Windows or Mac OS. 39 Case Document 29-13 Filed 04/28/20 Page 110 of 189 90. Apple services are accessed through the use of an ?Apple an account created during the setup of an Apple device or through the iTunes or iCloud services. A single Apple ID can be linked to multiple Apple services and devices, serving as a central authentication and syncing mechanism. 91. An Apple ID takes the form of the full email address submitted by the user to create the account; it can later be changed. Users can submit an Apple-provided email address (often ending in @icloud.com, @me.com, or @mac.com) or an email address associated with a third-party email provider (such as Gmail, Yahoo, or Hotmail). The Apple ID can be used to access most Apple services (including iCloud, iMessage, and FaceTime) only after the user accesses and responds to a ?veri?cation email? sent by Apple to that ?primary? email address. Additional email addresses (?alternate,? ?rescue,? and ?noti?cation? email addresses) can also be associated with an Apple ID by the user. 92. Apple captures information associated with the creation and use of an Apple ID. During the creation of an Apple ID, the user must provide basic personal information including the user?s full name, physical address, and telephone numbers. The user may also provide means of payment for products offered by Apple. The subscriber information and password associated with an Apple ID can be changed by the user through the ?My Apple and ?iForgot? pages on Apple?s website. In addition, Apple captures the date on which the account was created, the length of service, records of log-in times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to and utilize the account, the Internet Protocol address address?) used to register and access the account, and other log ?les that re?ect usage of the account. 40 Case Document 29-13 Filed 04/28/20 Page 111 of 189 93. Additional information is captured by Apple in connection with the use of an Apple ID to access certain services. For example, Apple maintains Connection logs with IP addresses that re?ect a user?s sign?on activity for Apple services such as iTunes Store and App Store, iCloud, Game Center, and the My Apple ID and iForgot pages on Apple?s website. Apple also maintains records re?ecting a user?s app purchases from App Store and iTunes Store, ?call invitation logs? for FaceTime calls, ?query logs? for iMessage, and ?mail logs? for activity over an Apple-provided email account. Records relating to the use of the Find My iPhone service, including connection logs and requests to remotely lock or erase a device, are also maintained by Apple. 94. Apple also maintains information about the devices associated with an Apple ID. When a user activates or upgrades an device, Apple captures and retains the user?s IP address and identi?ers such as the Integrated Circuit Card ID number which is the serial number of the device?s SIM card. Similarly, the telephone number of a user?s iPhone is linked to an Apple ID when the user signs in to FaceTime or iMessage. Apple also may maintain records of other device identi?ers, including the Media Access Control address address?), the unique device identi?er and the serial number. In addition, information about a user?s computer is captured when iTunes is used on that computer to play content associated with an Apple ID, and information about a user?s web browser may be captured when used to access services through icl.oud.com and apple.com. Apple also retains records related to communications between users and Apple customer service, including communications regarding a particular Apple device or service, and the repair history for a device. 41 Case Document 29-13 Filed 04/28/20 Page 112 of 189 95. Apple provides users with ?ve gigabytes of free electronic space on iCloud, and users can purchase additional storage space. That storage space, located on servers controlled by Apple, may contain data associated with the use of iCloud-connected services, including: email (iCloud Mail); images and videos (iCloud Photo Library, My Photo Stream, and iCloud Photo Sharing); documents, spreadsheets, presentations, and other ?les (iWork and iCloud Drive); and web browser settings and Wi-Fi network information (iCloud Tabs and iCloud Keychain). iCloud can also be used to store 108 device backups, which can contain a user?s photos and videos, iMessages, Short Message Service and Multimedia Messaging Service messages, voicemail messages, call history, contacts, calendar events, reminders, notes, app data and settings, Apple Watch backups, and other data. Records and data associated with third-party apps may also be stored on iCloud; for example, the app for WhatsApp, an instant messaging service, can be con?gured to regularly back up a user?s instant messages on iCloud Drive. Some of this data is stored on Apple?s servers in an form but can nonetheless be by Apple. 96. In my training and experience, evidence of who was using an Apple ID and from where, and evidence related to criminal activity of the kind described above, may be found in the ?les and records described above. This evidence may establish the ?who, what, why, when, where, and how? of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or, alternatively, to exclude the innocent from further suspicion. INFORMATION TO BE SEARCHED AND THINGS TO BE SEIZED 42 Case Document 29-13 Filed 04/28/20 Page 113 of 189 97. I anticipate executing this warrant under the Electronic Communications Privacy Act, in particular 18 U.S.C. 2703(a), 2703(b)(1)(A) and 2703(c)(l)(A), by using the warrant to require Google to disclose to the government copies of the records and other information (including the content of communications) associated with the accounts in Attachment A, C, and and particularly described in Section I of Attachment B, D, and F. Upon receipt of the information described in Section I of Attachments B, D, and F, government-authorized persons will review that information to locate the items described in Section II of Attachment B, D, and F. The items identi?ed in Attachments A-F will also be screened by reviewers not on the prosecution team to identify and ?lter out privileged material. CONCLUSION 98. Based on the forgoing, I request that the Court issue the proposed search warrant. 99. Pursuant to 18 U.S.C. 2703(g), the presence of a law enforcement of?cer is not required for the service or execution of this warrant. REQUEST FOR SEALING 100. I further request that the Court order that all papers in support of this application, including the af?davit and search warrant, be sealed until further order of the Court. These documents discuss an ongoing criminal investigation, the full nature and extent of which is not known to all of the targets of the investigation. Accordingly, there is good cause to seal these documents because their premature disclosure may seriouslyjeopardize that investigation. Respectfully submitted, Andrew Mitchell Special Agent Federal Bureau of Investigation 43 Case Document 29-13 Filed 04/28/20 Page 114 of 189 r7: .- Subscribed and sworn to before me on this day of August, 2018The Honorable Beryl A. Howell Chief United States District Judge 44 Case Document 29-13 Filed 04/28/20 Page 115 of 189 ATTACHMENT A Property to be Searched This warrant applies to information associated with the email address: created or maintained between September 11, 2017 and present, that is stored at premises owned, maintained, controlled, or operated by Microsoft Corp., d/b/a Hotmail, a company headquartered at One Microsoft Way, Redmond, WA 98052. 45 Case Document 29-13 Filed 04/28/20 Page 116 of 189 ATTACHMENT Particular Things to be Seized 1. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment A is within the possession, custody, or control of the Provider including any messages, records, ?les, logs, images, videos, or information that have been deleted but are still available to the Provider or have been preserved pursuant to a preservation request under 18 U.S.C. 2703(f), the Provider is required to disclose the following information to the government for each account or identi?er listed in Attachment A: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e?mail, the date and time at which each e-mail was sent, and the size and length of each e?mail; b. All existing printouts from original storage of all of the electronic mail described above in Section I.A. above; 0. A11 internet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section LA, including log ?les, dates, times, methods of connecting, ports, dial ups, and/or locations; e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and ?les; f. Records or other information regarding the identi?cation of the account described above in Section LA, to include application, full name, physical address, telephone numbers and other identi?ers, records of session times and durations, log?in IP addresses associated with session times and dates, account status, alternative e?mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, g. All records indicating the services available to subscribers of the electronic mail address described above in Section 46 Case Document 29-13 Filed 04/28/20 Page 117 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. 2 (aiding and abetting), 18 U.S.C. 3 (accessory after the fact), 18 U.S.C. 4 (misprision ofa felony), 18 U.S.C. 371 (conspiracy), 18 U.S.C. 1001 (false statements), 18 U.S.C. 1030 (unauthorized access of a protected computer); 18 U.S.C. 1505 and 1512 (obstruction of justice), 18 U.S.C. 1513 (witness tampering); 18 U.S.C. 1343 (wire fraud), 18 U.S.C. 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. 30121 (foreign contribution ban) from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, ?address book? entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identi?er concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, or other methods to avoid detection by law enforcement; g. Passwords and keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other ?nancial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 47 Case Document 29-13 Filed 04/28/20 Page 118 of 189 i. All existing printouts from original storage which concern the categories identi?ed in subsection {La 48 Case Document 29-13 Filed 04/28/20 Page 119 of 189 ATTACHMENT Property to be Searched This warrant applies to information associated with the following Google account: created or maintained between October 17, 2017 and the present, that is storedat premises owned, maintained, controlled, or operated by Google, Inc., a business with of?ces located at 1600 Amphitheatre Parkway, Mountain View, CA 94043. 49 Case Document 29-13 Filed 04/28/20 Page 120 of 189 ATTACHMENT Particular Things to be Seized 1. Files and Accounts to be produced by Google, Inc. To the extent that the information described in Attachment is within the possession, custody, or control of Google, Inc. including any messages, records, ?les, logs, images, videos, or information that have been deleted but are still available to Google or have been preserved pursuant to a preservation request under 18 U.S.C. 2703(f), Google is required to disclose the following information to the g0vernment for each account or identi?er listed in Attachment C: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e?mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail; b. All existing printouts from original storage of all of the electronic mail described above in Section LA. above; 0. All internet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section LA, including log ?les, dates, times, methods of connecting, ports, dial ups, and/or locations; 6. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and ?les; f. All records or other information regarding the identi?cation of the account described above in Section LA, to include application, full name, physical address, telephone numbers and other identi?ers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e?mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, methods of connecting, log ?les, means and source of payment (including any credit or bank account number), and detailed billing records; g. All records indicating the services available to subscribers of the electronic mail address described above in Section h. Google+ subscriber information, circle information, including name of circle and members, contents of posts, comments, and photos, to include date and timestamp; 50 Case Document 29-13 Filed 04/28/20 Page 121 of 189 i. Google Drive ?les created, accessed or owned by the acCount; j. YouTube subscriber information, private videos and ?les, private messages, and comments; k. Google+ Photos contents to include all images, videos and other ?les, and associated upload/download date and timestamp; 1. Google Talk and Google Hangouts conversation logs associated with the account. 51 Case Document 29-13 Filed 04/28/20 Page 122 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. 2 (aiding and abetting), 18 U.S.C. 3 (accessory after the fact), 18 U.S.C. 4 (misprision ofa felony), 18 U.S.C. ?371 (conspiracy), 18 U.S.C. 1001 (false statements), 18 U.S.C. 1030 (unauthorized access ofa protected computer); 18 U.S.C. 1505 and 1512 (obstruction ofjustice), 18 U.S.C. 1513 (witness tampering); 18 U.S.C. 1343 (wire fraud), 18 U.S.C. 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. 30121 (foreign contribution ban), from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetin involvin Jerome Corsi, Julian Assange, ?Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, ?address book? entries and contacts, including any and all preparatory steps taken in furtherance of the above?listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identi?er concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, or other methods to avoid detection by law enforcement; g. Passwords and keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other ?nancial information, including but not limited to, bills and payment records evidencing ownership of the subject account; i. All existing printouts from original storage which concern the categories identified in subsection 11a 52 Case Document 29-13 Filed 04/28/20 Page 123 of 189 ATTACHMENT Property to be Searched This warrant applies to information associated with the following Apple DSID: created or maintained between March 14, 2018 and the present, that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., located at One Apple Park Way, Cupertino, California 95014. 53 Case Document 29-13 Filed 04/28/20 Page 124 of 189 ATACHMENT Particular Things to be Seized I. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment is within the possession, custody, or control of Apple, regardless of whether such information is located within or outside of the United States, including any messages, records, ?les, logs, or information that have been deleted but are still available to Apple, or have been preserved pursuant to a request made under 18 U.S.C. 2703(f), Apple is required to disclose the following information to the government, in form whenever available, for each account or identi?er listed in Attachment E: a. All records or other information regarding the identi?cation of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and noti?cation email addresses, and veri?cation information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, associated devices, methods of connecting, and means and source of payment (including any credit or bank account numbers); b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identi?ers Advertising Identi?ers Global Unique Identi?ers Media Access Control addresses, Integrated Circuit Card ID numbers Electronic Serial Numbers Mobile Electronic Identity Numbers Mobile Equipment Identi?ers Mobile Identi?cation Numbers Subscriber Identity Modules Mobile Subscriber Integrated Services Digital Network Numbers International Mobile Subscriber Identities and International Mobile Station Equipment Identities c. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was Sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments; d. The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message; 54 Case Document 29-13 Filed 04/28/20 Page 125 of 189 e. The contents of all ?les and other records stored on iCloud, including all device backups, all Apple and third?party app data, all ?les and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWork (including Pages, Numbers, Keynote, and Notes), iCloud Tabs and bookmarks, and iCloud Keychain, and all address books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks; f. All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including aceTime call invitation logs, messaging and query logs (including iMessage, SMS, and MMS messages), mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find My iPhone and Find My Friends logs, logs associated with web?based access of Apple services (including all associated identi?ers), and logs associated with device purchase, activation, and upgrades; g. All records and information regarding locations where the account or devices associated with the account were accessed, including all data stored in connection with Location Services, Find My iPhone, Find My Friends, and Apple Maps; h. All records pertaining to the types of service used; i. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and j. All ?les, keys, or other information necessary to any data produced in an form, when available to Apple (including, but not limited to, the keybag.txt and ?les). 55 Case Document 29-13 Filed 04/28/20 Page 126 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. 2 (aiding and abetting), 18 U.S.C. 3 (accessory after the fact), 18 U.S.C. 4 (misprision ofa felony), 18 U.S.C. 371 (conspiracy), 18 U.S.C. 1001 (false statements), 18 U.S.C. 1030 (unauthorized access ofa protected computer); 18 U.S.C. 1505 and 1512 (obstruction ofjustice), 18 U.S.C. 1513 (witness tampering); 18 U.S.C. 1343 (wire fraud), 18 U.S.C. 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. 30121 (foreign contribution ban), from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetin involvin Jerome Corsi, _Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, ?address book? entries and contacts, including any and all preparatory steps taken in furtherance of the above?listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identi?er concerning the messages identi?ed above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, or other methods to avoid detection by law enforcement; g. Passwords and keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other ?nancial information, including but not limited to, bills and payment records evidencing ownership of the subject account; i. All existing printouts from original storage which concern the categories identi?ed in subsection 56 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 127 of 189 AO 93 (Rev. 11/13) Search and Seizure Warrant UNITED STATES DISTRICT COURT for the District of Columbia In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address) INFORMATION ASSOCIATED WITH THREE ACCOUNTS STORED AT PREMISES CONTROLLED BY MICROSOFT, GOOGLE, AND APPLE ) ) ) ) ) ) Case: 1: 18-sc-02583 Ass!gned To: Howell, Beryl A. Assign. Date : 8/3/2018 Description: Search & Seizure Warrant SEARCH AND SEIZURE WARRANT To: Any authorized law enforcement officer An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Northern District of California (identify the person or describe the property lo be searched and give its location): See Attachment C I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property described above, and that such search will reveal (identify the person or describe the property to be seized): See Attachment D YOU ARE COMMANDED to execute this warrant on or before August 15, 2018 (not to exceed 14 days) ~ in the daytime 6:00 a.m. to I 0:00 p.m. 0 at any time in the day or night because good cause has been established. Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken. The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to Hon. Beryl A. Howell, Chief U.S. District Judge (United States Magistrale Judge) 0 Pursuant to 18 U.S.C. § 3103a(b), I find that immediate notification may have an adverse result listed in 18 U.S.C. § 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box) 0 for _ _ days (not to exceed 30) 0 until, the facts justifying, the later specific date of Date and time issued: City and state: Washington, DC Hon. Beryl A. Howell, Chief U.S. District Judge Printed name and title Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 128 of 189 AO 93 (Rev. 11/13) Search and Seizure Warrant (Page 2) Return Case No.: Date and time warrant executed: Copy of warrant and inventory left with: Inventory made in the presence of : Inventory of the property taken and name of any person(s) seized: Certification I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge. Date: Executing officer's signature Printed name and title Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 129 of 189 ATTACHMENT C Property to be Searched This warrant applies to information associated with the following Google account: created or maintained between October 17, 2017 and the present, that is stored at premises owned, maintained, controlled, or operated by Google, Inc., a business with offices located at 1600 Amphitheatre Parkway, Mountain View, CA 94043. 49 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 130 of 189 ATTACHMENTD Particular Things to be Seized I. Files and Accounts to be produced by Google, Inc. To the extent that the information described in Attachment C is within the possession, custody, or control of Google, Inc. including any messages, records, files, logs, images, videos, or information that have been deleted but are still available to Google or have been preserved pursuant to a preservation request under 18 U.S.C. § 2703(f), Google is required to disclose the following information to the government for each account or identifier listed in Attachment C: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail; b. All existing printouts from original storage of all of the electronic mail described above in Section I.A. above; c. All internet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section I.A, including log files, dates, times, methods of connecting, ports, dial ups, and/or locations; e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files; f. All records or other information regarding the identification of the account described above in Section I.A, to include application, full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, methods of connecting, log files, means and source of payment (including any credit or bank account number), and detailed billing records; g. All records indicating the services available to subscribers of the electronic mail address described above in Section I.A.; h. Google+ subscriber information, circle information, including name of circle and members, contents of posts, comments, and photos, to include date and timestamp; 50 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 131 of 189 i. Google Drive files created, accessed or owned by the account; j. YouTube subscriber infonnation, private videos and files, private messages, and comments; k. Google+ Photos contents to include all images, videos and other files, and associated upload/download date and timestamp; I. account. Google Talk and Google Hangouts conversation logs associated with the 51 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 132 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment C which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban), from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 1. All existing printouts from original storage which concern the categories identified in subsection II.a 52 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 133 of 189 AO 106 (Rev. 04/10) Application for a Search Warrant f UNITED STATES DISTRICT COURT AUG ._ 3 201H for the District of Columbia In the Matter of the Search of ) (Briefly describe rhe property to be searched or ide11tifj1 l11e person by name a11d,addrcss) ) ) INFORMATION ASSOCIATED WITH THREE ACCOUNTS STORED AT PREMISES CONTROLLED BY MICROSOFT, GOOGLE, AND APPLE ) ) ) Clerk, U. S, lllstrlct & Bankrupic} Courts for t~e District of Columola Case: 1:18-sc-02583 Assigned To : Howell, Beryl A. Assign. Date : 8/3/2018 Description: Search & Seizure Warrant APPLICATION FOR A SEARCH WARRANT I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its localion): See Attachment C located in the - - -Northern - - - - - District of California - -- - - - - - - - - - , there is now concealed (identify the person or describe the property to be seized): See Attachment D The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more): ~ evidence of a crime; ~ contraband, fruits of crime, or other items illegally possessed; ~ property designed for use, intended for use, or used in committing a crime; 0 a person to be arrested or a person who is unlawfully restrained. The search is related to a violation of: Offense Description Code Section 18 u.s.c. §§ 1505, 1512, 1513 18 U.S.C. §§ 1001, 1030, 371 See Affidavit for add'I Obstruction of justice, Witness tampering False Statements, Unauthorized Access of Protected Computer, Conspiracy The application is based on these facts: See attached Affidavit. ~ Continued on the attached sheet. 0 Delayed notice of _ _ days (give exact ending date if more than 30 days: _ _ _ _ _ ) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on ~ Reviewed by AUSA/SAUSA: !Aaron Zelinsky (ASC) Applicam's signature Andrew Mitchell, Special Agent, FBI Printed name and title Sworn to before me and signed in my presence. Date: .Judge 's signature City and state: Washington, D.C. Hon. Beryl A. Howell, Chief U.S. District Judge Printed name and litle Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 134 of 189 ]: i,' AUG - 3 2018 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA lN THE MATTER OF THE SEARCH OF INFORMATION AS SOCIATED WITH THREE ACCOUNTS STORED AT PREMISES CONTROLLED BY MICROSOFT, GOOGLE, AND APPLE Clerk, U.S. ()istrlc:t & Bunkruptc}' Courts tor the District of Columbia Case: 1: 18-sc-02583 Assigned To : Howell, Beryl A. Assign . Date : 8/3/2018 . Descript ion: Search & Seizure Warrant AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT I, Andrew Mitchell, being first duly sworn, hereby depose and state as follows: INTRODUCTION AND AGENT BACKGROUND 1. I make this affidavit in support of an application for a search warrant for information associated with the following: a. The email accoun (hereafter "Target Account 1), that is stored at premises owned, maintained, controlled, or operated by Microsoft, Inc., a business with offices located at One Microsoft Way, Redmond, Washington, 98052. The information to be disclosed by Microsoft and searched by the government is described in the following paragraphs and in Attachments A and B. b. The email accoun (hereafter "Target Account 2"), that is stored at premises owned, maintained, controlled, or operated by Google, Inc., a business with offices located at 1600 Amphitheatre Parkway, Mountain View, California, 94043. The information to be disclosed by Google and searched by the government is described in the following paragraphs and in Attachments C and D. c. The iCloud account associated with the Apple email account (hereafter "Target Account 3"), that is stored at premises owned, Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 135 of 189 maintained, controlled, or operated by Apple, Inc., a business with offices located at I Infinite Loop, Cupertino, California 95014. The information to be disclosed by Apple and searched by the government is described in the following paragraphs and in Attachment E and F. 2. I, Andrew Mitchell, am a Special Agent with the Federal Bureau of Investigation (FBI), and have been since 2011. As a Special Agent of the FBI, I have received training and experience in investigating criminal and national security matters. 3. The facts in this affidavit come from my personal observations, my training and experience, and information obtained from other agents and witnesses. This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter. 4. Based on my training and experience and the facts as set forth in this affidavit, there is probable cause to believe that the Target Accounts contain communications relevant to 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § J 030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban) (the "Subject Offenses"). 5. On September 11, 2017, Chief Judge Beryl A. Howell of the District of Columbia issued a search warrant for Roger STONE' address, (Target Account 1). On October 17, 2017, Chief Judge Howell issued a search warrant for STONE's address, (Target Account 2). On or about March 14, 2018, Chief Judge Howell issued a search warrant for STONE's iCloud account (Target Account 3). This 2 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 136 of 189 warrant seeks to search those accounts from the date each respective warrant was issued to the present. JURISDICTION 6. This Court has jurisdiction to issue the requested warrant because it is "a court of competentjurisdiction" as defined by 18 U.S.C. § 2711. Id.§§ 2703(a), (b)(l)(A), & (c)(l)(A). Specifically, the Court is "a district court of the United States (including a magistrate judge of such a court) ... that has jurisdiction over the offense being investigated." 18 U.S.C. § 27I 1(3)(A)(i). The offense conduct included activities in Washington, D.C., as detailed below, including in paragraphs 14, 19, and 61. SUMMARY 7. This application seeks authority to search, from the date of search warrants previously issued by the Court to the present, three accounts believed to be used by Roger STONE: Target Account 1, which is STONE's Hotmail account; Target Account 2, which is STONE's Gmail account; and Target Account 3, which is STONE's iCloud account. As set " forth herein, there is probable cause to believe that each of the Subject Accounts contains evidence of the Subject Offenses, including ongoing efforts to obstruct justice, tamper with witnesses, and make false statements. 8. For example, as set forth in more detail below, in recent months STONE has reached out to communicate with multiple witnesses he knew or had reason to believe were scheduled to testify before Congress about interactions with STONE during the 2016 presidential campaign or were scheduled to meet with the Special Counsel's Office . After STONE learned that one witness, Randy CREDICO, was prepared to contradict STONE's congressional testimony, STONE repeatedly 3 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 137 of 189 urged CREDICO to assert the Fifth Amendment and decline to answer questions, and did so through multiple text messages. In June 2018, STONE instructed his private investigator to provide him with a full background investigation on another witness who had done information technology work for STONE during the campaign and In September 2017, STONE released a statement he said he provided to Congress 9. in which he denied having advance knowledge of "the source or actual content of the Wikileaks disclosures regarding Hillary Clinton." He also stated publicly that when he tweeted during the campaign, on August 21, 2016, "it will soon the Podesta's time in the barrel," he was not referring to the hacking or publication of John Podesta's emails, but rather. to "Podesta's business dealings with Russia." Evidence obtained in the investigation, however, shows the following: a. On or about July 25, 2016, Roger STONE emailed Jerome CORSI to "Get to Assange" at the Ecuadorian Embassy and "get pending WikiLeaks emails[.]" Julian ASSANGE is the founder ofWikiLeaks. On or about July 31, 2016, STONE also instructed CORSI to have contact ASSANGE. On or about August 2, 2016, CORSI responded to STONE that the "[w]ord is friend in embassy plans 2 more dumps. One shortly after I'm back. 2nd in Oct. Impact planned to be very damaging .... Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC." After receipt of that message, on or about August 21, 2016, using@RogerJStoneJR, STONE tweeted: "Trust me, it will soon the Podesta's time in the barrel. #CrookedHillary." b. Information disclosures subsequently occurred on or about the times CORSI predicted: On or about August 12, 2016, the day CORSI was scheduled to return to the United States ("shortly after I'm back"), Guccifer 2.0 released hacked information related to the 4 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 138 of 189 Democratic Congressional Campaign Committee (DCCC). On or about October 7, 2016, the day the Washington Post published a breaking story about an Access Hollywood videotape ofthencandidate Trump making disparaging remarks about women, WikiLeaks released emails hacked from the account of John Podesta. c. Furthermore, on the day of the Access Hollywood video disclosure, there were phone calls between STONE and CORSI after the Washington Post contacted STONE prior to publication. At approximately 11 :OOAM, the Washington Post received a tip regarding the Access Hollywood video. Approximately one hour later, shortly before noon, STONE received a call from the Washington Post. Approximately ninety minutes later, before 2:00PM, STONE called CORSI and they spoke. Approximately forty minutes later, CORSI called STONE and the two spoke again at length. At approximately 4:00PM, the Washington Post published its story regarding the Access Hollywood tape. By approximately 4:30PM, WikiLeaks tweeted out its first release of emails hacked from John Podesta. 5 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 139 of 189 PROBABLE CAUSE. A. Background on Relevant Individuals i. Roger STONE 10. Roger STONE is a self-employed political strategist/consultant and has been actively involved in U.S. politics for decades. STONE worked on the presidential campaign of Donald J. Trump (the "Campaign") until August 2015. Although Stone had no official relationship with the Campaign thereafter, STONE maintained his support for Trump and continued to make media appearances in support of the Campaign. As described further below, STONE also maintained contact with individuals employed by the Campaign, including thencampaign chairman Paul MANAFORT and deputy chairman Rick GATES. ii. Jerome CORSI 11. Jerome CORSI is a political commentator who, according to publicly available information, currently serves as the "Washington Bureau Chief for Inforwars.com." According to publicly-available sources, from 2014 until January 2017, CORSI was a "senior staff reporter" for the website "World Net Daily" a/k/a "WND.com." CORSI has also written a number of books regarding Democratic presidential candidates. As described further below, CORSI was in contact with STONE during the summer and fall of2016 regarding forthcoming disclosures of hacked information by WikiLeaks, and appears to have obtained information regarding upcoming disclosures which he relayed to STONE. 6 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 140 of 189 B. U.S. Intelligence Community Assessment of Russian Government-Backed Hacking Activity during the 2016 Presidential Election 13. On October 7, 2016, the U.S. Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement of an intelligence assessment of Russian activities and intentions during the 2016 presidential election. In the report, the USIC assessed the following: a. The U.S. Intelligence Community ("USIC") is confident that the Russian Government directed the recent compromises of emails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked emails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures were 7 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 141 of 189 intended to interfere with the U.S. election process. Such activity is not new to Moscow-the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities. 14. On January 6, 2017, the USIC released a declassified version of an intelligence assessment of Russian activities and intentions during the 2016 presidential election entitled, "Assessing Russian Activities and Intentions in Recent US Elections." In the report, the USIC assessed the following: a. "Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia's goals were to undermine public faith in the US democratic process, denigrate [former] Secretary [of State Hillary] Clinton, and harm her electability and.potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." b. The USIC also described, at a high level, some of the techniques that the Russian government employed during its interference. The USIC summarized the efforts as a "Russian messaging strategy that blends covert intelligence operations-such as cyber activitywith overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or 'trolls.'" c. With respect to "cyber activity," the USIC assessed that "Russia's intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties." Further, "[i]n July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016." The USIC attributed these cyber 8 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 142 of 189 activities to the Russian GRU, also known as the Main Intelligence Directorate: "GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC." The GRU is the foreign military intelligence agency of the Russian Ministry of Defense, and is Russia's largest foreign intelligence agency. d. With respect to the release of stolen materials, the USIC assessed "with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets." e. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his identity throughout the election. C. Additional Hacking Activity by Individuals Associated with the GRU 15. The Special Counsel's Office has determined that individuals associated with the GRU continued to engage in hacking activity related to the 2016 campaign through at least November 1, 2016. 16. For example, in or around September 2016, these individuals successfully gained access to DNC computers housed on a third-party cloud-computing service. In or around late September, these individuals stole data from these cloud-based computers by creating backups of the DNC's cloud-based systems using the cloud provider's own technology. The individuals used three new accounts with the same cloud computing service to move the."snapshots" to those accounts. 17. On or about September 4, 2016, individuals associated with the GRU stole the emails from a former White House advisor who was then advising the Clinton Campaign. These emails were later posted on DCLeaks. 9 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 143 of 189 18. On or about November I, 2016, individuals associated with the GRU spearphished over 100 accounts used by organizations and personnel involved in administering elections in numerous Florida counties. 19. On or about July 13, 2018, a grand jury in this District indicted eleven GRU officers for knowingly and intentionally conspiring to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of stolen documents in order to interfere with the election. The victims of the hacking and releases included the DNC, the Democratic Congressional Campaign Committee ("DCCC"), and the chairman of the Clinton campaign (John Podesta). See United States v. Viktor Borisovich Netyksho, et al. (1: 18-cr-215) (D.D.C.). 1 D. Roger STONE's Public Interactions with Guccifer 2.0 and WikiLeaks 20. On June 14, 2016, Crowdstrike, the forensic firm that sought to remediate an unauthorized intrusion into the computer systems of the DNC, publicly attributed the hack to Russian government actors. The media reported on the announcement. On June 15, 2016, the persona Guccifer 2.0 appeared and publicly claimed responsibility for the DNC hack. It stated on its WordPress blog that, with respect to the documents stolen from the DNC, "[t]he main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon." In that post, Guccifer 2.0 also began releasing hacked DNC documents. 21. On July 22, 2016, WikiLeaks published approximately 20,000 emails stolen from theDNC. 1 A twelfth defendant was charged with conspiring to infiltrate computers of organizations responsible for administering elections, including state boards of election, secretaries of state, and companies that supply software and other technology used to administer elections. 10 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 144 of 189 22. On August 5, 2016, STONE published an article on Breitbart.com entitled, "Dear Hillary: DNC Hack Solved, So Now Stop Blaming Russia." The article stated: "It doesn't seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0." The article contained embedded publicly available Tweets from Guccifer 2.0 in the article and stated: "Here's Guccifer 2.0's website. Have a look and you'll see he explains who he is and why he did the hack of the DNC." The article also stated: "Guccifer 2.0 made a fateful and wise decision. He went to WikiLeaks with the DNC files and the rest is history. Now the world would see for themselves how the Democrats had rigged the game." 23. On August 8, 2016, STONE addressed the Southwest Broward Republican Organization. During his speech, he was asked about a statement by AS SAN GE to Russia Today (RT) several days earlier about an upcoming "October Surprise" aimed at the Hillary Clinton presidential campaign. Specifically, STONE was asked: "With regard to the October surprise, what would be your forecast on that given what Julian Assange has intimated he's going to do?" STONE responded: "Well, it could be any number of things. I actually have communicated with Assange. I believe the next tranche of his documents pertain to the Clinton Foundation but there's no telling what the October surprise may be." A few days later, STONE clarified that while he was not personally in touch with ASSANGE, he had a close friend who served as an intermediary. 24. On August 12, 2016, Guccifer 2.0 publicly tweeted: "@RogerJStoneJr thanks that u believe in the real #Guccifer2." That same day, Guccifer 2.0 released the personal cellphone numbers and email addresses from the files of the DCCC. 25. On August 13, 2016, Stone posted a tweet using @RogerJStoneJr calling Guccifer 2.0 a "HERO" after Guccifer 2.0 had been banned from Twitter. The next day, Guccifer 2.0's 11 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 145 of 189 Twitter account was reinstated. 26. On August 17, 2016, Guccifer 2.0 publicly tweeted, "@RogerJStoneJ r paying you back." Guccifer also sent a private message to @RogerJStoneJr stating "i'm pleased to say u r great man. please tell me if I can help u anyhow. it would be a great pleasure to me." 27. On August 18, 2016, Paul Manafort, STONE's longtime friend and associate, resigned as Chairman of the Trump Campaign. 28. As noted above, on August 21, 2016, using @RogerJStoneJR, STONE tweeted: "Trust me, it will soon the [sic] Podesta's time in the barrel. #CrookedHillary." In a C-SPAN interview that same day, STONE reiterated that because of the work of a '"mutual acquaintance' of both his and [ASSANGE], the public [could] expect to see much more from the exiled whistleblower in the form of strategically-dumped Clinton email batches." He added: "Well, first of all, I think Julian Assange is a hero ... I think he's taking on the deep state, both Republican and Democrat. I believe that he is in possession of all of those emails that Huma Abedin and Cheryl Mills, the Clinton aides, believe they deleted. That and a lot more. These are like the Watergate tapes." 29. On September 16, 2016, STONE said in a radio interview with Boston Herald Radio that he expected WikiLeaks to "drop a payload of new documents on Hillary on a weekly basis fairly soon. And that of course will answer the question as to what exactly what was erased on that email server." 30. On Saturday, October 1, 2016, using @RogerJStoneJr, STONE tweeted, "Wednesday @HillaryClinton is done. #WikiLeaks." 31. On Sunday, October 2, 2016, MSNBC Morning Joe producer Jesse Rodriquez tweeted regarding an announcement ASSANGE had scheduled for the next day from the balcony 12 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 146 of 189 of the Ecuadoran Embassy in London. On the day of the ASSANGE announcement -which was part of WikiLeaks' 10-year anniversary celebration - STONE told Info wars that his intennediary described this release as the "mother load." On October 5, 2016, STONE used @RogerJStoneJr to tweet: "Payload coming. #Lockthemup." 32. On Friday, October 7, 2016, at approximately 4:03 PM, the Washington Post published an article containing a recorded conversation from a 2005 Access Hollywood shoot in which Mr. Trump had made a series of lewd remarks. 33. Approximately a half hour later, at 4:32 PM, WikiLeaks sent a Tweet reading "RELEASE: The Podesta Emails #HillaryClinton #Podesta #im WithHer" and containing a link to approximately 2,050 emails that had been hacked from John Podesta's personal email account. 34. WikiLeaks continued to release John Podesta's hacked emails through Election Day, November 8, 2016. On October 12, 2016, Podesta- referring back to STONE's August 21, 2016 C-SPAN and Twitter references - argued publicly that "[it is] a reasonable assumption to or at least a reasonable conclusion - that [STONE] had advanced warning [of the release of his emails] and the Trump campaign had advanced warning about what Assange was going to do. I think there's at least a reasonable belief that [Assange] may have passed this information on to [STONE]." Commenting to the NBC News, STONE indicated that he had never met or spoken with Assange, saying that "we have a mutual friend who's traveled to London several times, and everything I know is through that channel of communications. I'm not implying I have any influence with him or that I have advanced knowledge of the specifics of what he is going to do. I do believe he has all of the e-mails that Huma Abedin and Cheryl Mills, the Clinton aides, thought were deleted. I hear that through my emissary." 35. On March 27, 2017, CNN reported that a representative of WikiLeaks, writing 13 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 147 of 189 from an email address associated with WikiLeaks, denied that there was any backchannel communication during the Campaign between STONE and WikiLeaks. The same article quoted STONE as stating: "S\nce I never communicated with WikiLeaks, I guess I must be innocent of charges I knew about the hacking of Podesta's email (speculation and conjecture) and the timing or scope of their subsequent disclosures. So I am clairvoyant or just a good guesser because the limited things I did predict (Oct disclosures) all came true." E. STONE's Private Twitter Direct Messages with WikiLeaks and ASSANGE 36. On August 7, 2017, Chief Judge Beryl A. Howell issued a search warrant for the Twitter account @RogerJStoneJr. Information recovered from the search of that account includes the following: a. On October 13, 2016, while WikiLeaks was in the midst ofreleasing the hacked Podesta emails, @RogerJStoneJr sent a private direct message to the Twitter account @wikileaks. This account is the official Twitter account of WikiLeaks and has been described as such by numerous news reports. The message read: "Since I was all over national TV, cable and print defending WikiLeaks and assange against the claim that you are Russian agents and debunking the false charges of sexual assault as trumped up bs you may want to rexamine the strategy of attacking me- cordially R." b. Less than an hour later, @wikileaks responded by direct message: "We appreciate that. However, the false claims of association are being used by the democrats to undermine the impact of our publications. Don't go there if you don't want us to correct you." c. On or about October 15, 2016, @RogerJStoneJr sent a direct message to @wikileaks: "Ha! The more you \"correct\" me the more people think you're lying. Your operation leaks like a sieve. You need to figure out who your friends are." 14 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 148 of 189 d. On or about November 9, 2016, one day after the presidential election, @wikileaks sent a direct message to @RogerJStoneJr containing a single word: "Happy?" @wikileaks immediately followed up with another message less than a minute later: "We are now more free to communicate." e. In addition, @RogerJStoneJr also exchanged direct messages with ASSANGE. For example, on June 4, 2017, @RogerJStoneJr directly messaged @JulianAssange, an address associated with ASSANGE in numerous public reports, stating: "Still nonsense. As a journalist it doesn't matter where you get information only that it is accurate and authentic. The New York Times printed the Pentagon Papers which were indisputably stolen from the government and the courts ruled it was legal to do so and refused to issue an order restraining the paper from publishing additional articles. If the US government moves on you I will bring down the entire house of cards. With the trumped-up sexual assault charges dropped I don't know of any crime you need to be pardoned for - best regards. R." That same day, @JulianAssange responded: "Between CIA and DoJ they're doing quite a lot. On the DoJ side that's coming most strongly from those obsessed with taking down Trump trying to squeeze us into a deal." f. On Saturday, June 10, 2017, @RogerJStoneJr sent a direct message to @JulianAssange, reading: "I am doing everything possible to address the issues at the highest level of Government. Fed treatment of you and WikiLeaks is an outrage. Must be circumspect in this forum as experience demonstrates it is monitored. Best regards R." 15 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 149 of 189 F. STONE's Communications with STONE Forthcoming Leaks 37. , and Others Regarding As indicated above, on September 11, 2017, Chief Judge Howell issued a search warrant for STONE's address, (Target Account 1); on October 17, 2017, Chief Judge Howell issued a search warrant for STONE' address, (Target Account 2); and on or about March 14, 2018, Chief Judge Howell issued a search warrant for STONE's iCloud account (Target Account 3). In addition, on or about December 19, 2017, Chief Judge Howell issued a search warrant for email account. Information recovered pursuant to those search warrants includes the following: a. On or about May 15, 2016, emailed CORSI: "Here is my flight schedule. Need to get something confirmed now .... " CORSI responded, ."! copied Roger Stone so he knows your availability to meet Manafort and DT this coming week." CORSI appears to have forwarded the message to STONE at Target Account 1, who replied to CORSI that, "May meet Manafort -guarantee nothing." b. On or about May 18, 2016, CORSI emailed STONE at Target Account 1 with the title, "Roger -- why don't you look this over before I send it I believe that CORSI wrote, and I did manage to see Mr. Trump for a few minutes today as we were waiting in Trump Tower to say hello to Mike Cohen. Mr. Trump recognized us immediately and was very cordial. He would look for this memo from you this afternoon." c. On July 25, 2016, STONE, using Target Account 1, sent an email to CORSI with the subject line, "Get to Assange." The body of the message read: "Get to Assange 16 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 150 of 189 [a]t Ecuadorian Embassy in London and get the pending WikiLeaks emails ... they deal with Foundation, allegedly." d. On or about July 31, 2016, STONE, using Target Account 1, emailed CORSI with the subject line, "Call me MON." The body of the email read: should see should find Bernie [S]anders brother who called Bill a Rapist- tum him for Assange[.] Trump[.] should fin e. e or more proof of Bill getting kicked out." As noted above, on or about August 2, 2016 (approximately 19 days before STONE publicly tweeted about "Podesta's time in the barrel"), CORSI emailed STONE at Target Account 1: "Word is friend in embassy plans 2 more dumps. One shortly after I'm back. 2nd in Oct. Impact planned to be very damaging." The email continued: "Signs are Fox will have me on mid-Aug. more post Ailes shakeup underway. Expect Shine to surface victor, for now. Post-DNC bump for HR.Can artifact ofrigged polling. Won't last. I expect presidential campaign to get serious starting Sept. Still in pre-season games. Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke -- neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle." Investigators believe that CORSI's reference to a "friend in embassy [who] plans 2 more dumps" refers to ASSANGE, who resided in Ecuador's London Embassy in 2016. f. On or about August 5, 2016, an associate of STONE's, emailed Stone at Target Account 1. The email contained a link to a poll indicating that Clinton led Trump by 15 points. STONE responded, "enjoy it while u can[.] I dined with my new pal Julian Assange last night." subsequently stated to investigators that, around the 17 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 151 of 189 same time, STONE told him he had gone to London to meet ASSANGE also stated told STONE he would be interviewed by the FBI and would have to that in 2018 divulge the conversation about meeting AS SAN GE. STONE tol he was joking and had not actually met ASSANGE. 2 g. On or about August 15, 2016, CORSI emailed STONE at Target Account 1: "Give me a call today if you can. Despite MSM drumroll that HRC is already elected, it's not over yet. More to come than anyone realizes. Won't really get started until after Labor Day. I'm in NYC this week. Jerry." h. On or about August 31, 2016, CORSI emailed STONE at Target Account 1: "Did you get the PODESTA writeup." STONE replied "[y]es." 1. On or about August 31, 2016, CORSI messaged STONE at Target Account 3, "Podesta paid $ l 80k to invest in Uranium One - was hired by Rosatom in Giustra scandal. Podesta now under FBI investigation - tied to Ukraine Y anukovych - Panama papers reveals Podesta hired by S[b]erbank, Russia's largest financial institution - Podesta$$$ ties to Russia undermine Clinton false narrative attempting to tie Trump to Putin." J. On or about September 6, 2016, CORSI emailed STONE at Target Account 1: "Roger[,] Is NY Post going to use the Pedesta [sic] stuff?" k. On or about September 24, 2016, emailed CORSI, "I will have much more on Turkey. Need a back channel highly sensitive stuff." CORSI responded, 18 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 152 of 189 "We have secure back channel through Roger. I saw him again in NYC last Friday and spoke to him about it again today." wrote back, "Awaiting secret file. Explosive ... Hope you are well. Can't wait for the debate. Channeling Reagan, I hope!" CORSI responded, "Keep me posted about file[.]" In a subsequent meeting with investigators, indicated this conversation concerned possible derogatory information he was trying to obtain from Turkey. I. On or about October 3, 2016, an associate of STONE emailed STONE at Target Account 2 and asked: "Assange -what's he got? Hope it's good." STONE wrote back, "It is. I'd tell Bannon but he doesn't call me back. My book on the TRUMP campaign will be out in Jan. Many scores will be settled." The associate forwarded the email to Steve BANNON, who was CEO of the Campaign at the time, and wrote: "You should call Roger. See below. You didn't get from me." BANNON wrote back, "I've got important stuff to worry about." The associate responded, "Well clearly he knows what Assange has. I'd say that's important." m. On or about October 4, 2016, ASS ANGE gave a press conference at the Ecuadorian Embassy. There had been speculation in the press leading up to that event that AS SAN GE would release information damaging to then-candidate Clinton, but WikiLeaks did not make any new releases. Instead, ASSANGE promised more documents, including information "affecting three powerful organizations in three different states, as well as, of course, information previously referred to about the U.S. election process." ASSANGE also stated that WikiLeaks would publish documents on various subjects every week for the next ten weeks, and vowed that the U.S. election-related documents would all come out before Election Day. n. On or about October 4, 2016, CORSI messaged STONE at Target Account 3, "Assange made a fool of himself. Has nothing or he would have released it. Total BS hype." 19 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 153 of 189 o. That same day, BANNON emailed STONE at Target Account 2, "What was that this morning???" STONE replied, "Fear. Serious security concern. He thinks they are going to kill him and the London police are standing done [sic]." BANNON wrote back, "He didn't cut deal w/ clintons???" STONE replied, "Don't think so BUT his lawye is a big democrat." p. When BANNON spoke with investigators during a voluntary interview on February 14, 2018, he initially denied knowing whether the October 4, 2016 email to STONE was about WikiLeaks. Upon further questioning, BANNON acknowledged that he was asking STONE about WikiLeaks, because he had heard that STONE had a channel to ASSANGE, and BANNON had b~en hoping for releases of damaging information that morning. G. STONE and CORSI Communications on October 7, 2016, when the Podesta Emails Are Released 38. According to a publicly available news article, 3 at approximately 11AM on Friday, October 7, 2016, Washington Post reporter David Fahrenthold rece_ived a phone call from a source regarding a previously unaired video of candidate Trump. According to the same article, "Fahrenthold didn't hesitate. Within a few moments of watching an outtake of footage from a 2005 segment on 'Access Hollywood,' the Washington Post reporter was on the phone, calling Trump's campaign, 'Access Hollywood' and NBC for reaction." 39. According to phone record , at approximately 11 :27 AM, CORSI placed a ca.JI to STONE which STONE did not answer. 3 https://www.washingtonpost.com/lifestyle/style/the-caller-had-a-lewd-tape-of-donald-trump-then-the-race-wason/2016/10/07/3 ld74 7l 4-8ce5- l l e6-875e-2cl bfe943b66_story.html 20 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 154 of 189 40. At approximately 11 :53AM, STONE received a phone call from the Washington Post. The call lasted approximately twenty minutes. 41. At approximately 1 :42PM, STONE called CORSI and the two spoke for approximately seventeen minutes. 42. At approximately 2: 18PM, CORSI called STONE and the two spoke for approximately twenty minutes. 43. At approximately 4:00PM, the Washington Post published a story regarding the Access Hollywood tape. 44. At approximately 4:30PM, WikiLeaks tweeted out its first release of emails hacked from John Podesta that focused primarily on materials related to the Clinton Foundation. On or about August 2, 2016, CORSI emailed STONE on Target Account 1, "I expect that much of next dump focus, setting stage for Foundation debacle." 45. At approximately 6:27PM, an author who has written about the Clinton Foundation, and who, according to emails and phone records, regularly communicates with STONE, sent STONE an email titled, "WikiLeaks -The Podesta Emails," with a link to the newly-released Podesta emails. Approximately ten minutes later, STONE, using Target Account 2, forwarded message to CORSI without comment. STONE does not appear to have forwarded the email to any other individual. H. STONE Asks CORSI for "SOMETHING" to Post About Podesta After STONE Is Accused of Advance Knowledge of the Leak 46. On or about October 8, 2016, STONE, using Target Account 3, messaged CORSI, "Lunch postponed- have to go see T." CORSI responded to STONE, "Ok. I understand." Approximately twenty minutes later, CORSI texted, "Clintons know they will lose 21 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 155 of 189 a week of Paula Jones media with T attacking Foundation, using Wikileaks Goldman Sachs speech comments, attacking bad job numbers." 47. On or about Wednesday, October 12, 2016, at approximately 8:17AM, STONE, using Target Account 2, emailed Corsi asking him to "send me your best podesta links." STONE emailed CORSI at approximately 8:44AM, "need your BEST podesta pieces." CORSI wrote back at approximately 8:54AM, "Ok. Monday. The remaining stuff on Podesta is complicated. Two articles in length. I can give you in raw form the stuff I got in Russian translated but to write it up so it's easy to understand will take weekend. Your choice?" 48. On or about that same day, October 12, 2016, Podesta accused STONE of having advance knowledge of the publication of his emails, as noted above. At approximately 3:25PM, CORSI emailed STONE at both Target Account 1 and 2 with the subject line "Podesta talking points." Attached to the email was a file labeled, "ROGER STONE podesta talking points Oct 12 2016.docx." The "talking points" included the statement that "Podesta is at the heart of a Russian-government money laundering operation that benefits financially Podesta personally and the Clintons through the Clinton Foundation." 49. CORSI followed up several minutes later with another email titled, "Podesta talking points," with the text "sent a second time just to be sure you got it." STONE emailed CORSI back via Target Account 1: "Got them and used them." 50. On or about Thursday, October 13, 2016, CORSI emailed STONE at Target Account 2: "PODESTA -- Joule & ties to RUSSIA MONEY LAUNDERING to CLINTON FOUNDATION." STONE responded, "Nice but I was hoping for a piece I could post under my by-line since I am the one under attack by Podesta and now Mook." CORSI wrote back to STONE, "I'll give you one more -NOBODY YET HAS THIS[:] It looks to me like 22 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 156 of 189 skimmed maybe billions off Skolkovo - Skolkovo kept their money with Metcombank[.] The Russians launched a criminal investigation(.] [web link] Once had the channel open from Metcombank to Deutsche Bank America to Ban[k] of America's Clinton Fund account, there's no telling how much money he laundered, or where it ended up. Nothing in Clinton Foundation audited financials or IRS Form 990s about$$$ received via Russia & Metcombank[.] I'm working on that angle now." STONE replied, "Ok Give me SOMETHING to post on Podesta since I have no.w promised it to a dozen MSM reporters[.]" 51. On or about Thursday, October 13, 2016, at approximately 6:30PM, CORSI sent STONE an email at Target Account 2, with the subject, "ROGER STONE article RUSSIAN MAFIA STYLE MONEY-LAUNDERING, the CLINTON FOUNDATION, and JOHN PODESTA." The text stated: "Roger[,] You are free to publish this under your own name." That same day, STONE posted a blog post with the title, "Russian Mafia money laundering, the Clinton Foundation and John Podesta." In that post, STONE wrote, "although I have had some back-channel communications with Wikileaks I had no advance notice about the hacking of Mr. Podesta nor I have I ever received documents or data from Wikileaks." The post then asked, "Just how much money did , a controversial Russian billionaire investor with ties to the Vladimir Putin and the Russian government, launder through Metcombank, a Russian regional bank owned 99.978 percent by , with the money transferred via Deutsche Bank and Trust Company Americas in New York City, with the money ending up in a private bank account in the Bank of America that is operated by the Clinton Foundation?" 52. On or about October 14, 2016, CORSI sent a message to STONE at Target Account 3, "I'm in NYC. Thinking about writing piece attacking Leer and other women. It's basically a rewrite of what's out there. Going through new Wikileaks drop on Podesta." 23 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 157 of 189 53. On or about October 17, 2016, CORSI messaged STONE at Target Account 3, "On Assange, can you call me now - before 2pm[.]" STONE responded, "Missed u - just landed JFK - on Infowars now." CORSI wrote back, "Call afterwards. Have some important intel to share." 54. On or about October 17, 2016, CORSI emailed STONE at Target Accounts 1 and 2 with the subject, "Fwd: ASSANGE ... URGENT ... " CORSI wrote, "From a very trusted source," and forwarded an email with the header information stripped out, showing only the body text. The email read, "Yes[.J I figured this. Assange is threatening Kerry, Ecuador and U.K. He will drop the goods on them if they move to extradite him. My guess is that he has a set of dead man files that include Hillary. It's what they used to call a 'Mexican stand off[.]' Only hope is that if Trump speaks out to save him[.] Otherwise he's dead anyway, once he's dropped what he has. If HRC wins, Assange can kiss his life away. Interesting gambit Assange has to play out. He's called Podesta's bluff and raised him the election." 55. On or about October 18, 2016, CORSI messaged STONE at Target Account 3, "Pis call. Important." 56. On or about October 19, 2016, STONE published an article on Breitbart.com in which he claimed he had "no advance notice of Wikileaks' hacking of Podesta's e-mails." STONE stated, "I predicted that Podesta's business dealings would be exposed. I didn't hear it from Wikileaks, although Julian Assange and I share a common friend. I reported the story on my website." STONE linked to the story he had asked CORSI to write for him on October 13, 2016 discussed above. 57. On or about November 8, 2016, the United States presidential election took place. 24 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 158 of 189 58. On or about November 9, 2016, CORSI messaged STONE at Target Account 3, "Congratulations, Roger. He could not have done it without you." 59. On or about November 10, 2016, CORSI messaged STONE at Target Account 3, "Are you available to talk on phone?" Several minutes later, CORSI messaged, "I'm in London. Have some interesting news for you." 25 Case Document 29-13 Filed 04/28/20 Page 159 of 189 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 160 of 189 J. STONE's Congressional Testimony and Public Statements About His Relationship with Wikileaks 61. On September 26, 2017, STONE testified before the House Permanent Select Committee on Intelligence (HPSCI). Although the hearing was closed, STONE released to the public what he said were his opening remarks to the committee. In them, STONE stated: Members of this Committee have made three basic assertions against me which must be rebutted here today. The charge that I knew in advance about, and predicted, the hacking of Clinton campaign chairman John Podesta's email, that I had advanced knowledge of the source or actual content of the WikiLeaks disclosures regarding Hillary Clinton or that, my now public exchange with a persona that our intelligence agencies claim, but cannot prove, is a Russian asset, is anything but innocuous and are entirely false. Again, such assertions are conjecture, supposition, projection, and allegations but none of them are facts .... My Tweet of August 21, 2016, in which I said, "Trust me, it will soon be the Podesta' s time in the barrel. #CrookedHillary" must be examined in context. I posted this at a time that my boyhood friend and colleague, Paul Manafort, had just resigned from the Trump campaign over allegations regarding his business activities in Ukraine. I thought it manifestly unfair that John Podesta not be held to the same standard. Note, that my Tweet of August 21, 2016, makes no mention, whatsoever, of Mr. Podesta's email, but does accurately predict that the Pode_sta brothers' business activities in Russia with the oligarchs around Putin, their uranium deal, their bank deal, and their Gazprom deal, would come under public scrutiny.... [L]et me address the charge that I had advance knowledge of the timing, content and source of the WikiLeaks disclosures from the DNC. On June 12, 2016, WikiLeaks' publisher Julian Assange[] announced that he was in possession of Clinton DNC emails. 27 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 161 of 189 I learned this by reading it on Twitter. I asked a journalist who I knew had interviewed Assange to independently confirm this rep011, and he subsequently did. This journalist assured me that WikiLeaks would release this information in October and continued to assure me of this throughout the balance of August and all of September. This infotmation proved to be correct. I have referred publicly to this journalist as an, "intermediary", "go-between" and "mutual friend." All of these monikers are equally true. 62. In a document dated March 26, 2018 titled "Minority Views," Democratic members of HP SCI published excerpts from Stone's September 2017 testimony before HPSCI. Those excerpts include the following: Q: Have any of your employees, associates, or individuals acting on your behest or encouragement been in any type of contact with Julian Assange? MR. STONE: No. Q: So throughout the many months in which you represented you were either in_ communication with Assange or communication through an intermediary with Assange, you were only referring to a single fact that you had confirmed with the intermediary MR. STONE: ThatQ: -- was the length and the breadth of what you were referring to? MR. STONE: That is c01Tect, even though it was repeated to me on numerous separate occasions. 63. In the month that followed his testimony before HPSCI, on or about October 24, 2017, STONE published an article on his website, stonecoldtruth.com, titled "Is it the Podesta's Time in the Barrel Yet?" In that article, STONE stated: "[I]t was this inevitable scrutiny of the Podestas' underhanded business dealings that my 'time in the barrel' referred to and not, as some have quite falsely claimed, to the hacking and publication almost two months later of John Podesta's emails .... [M]y tweet referred to Podesta's business dealings with Russia, and the expectation that it would become a news story." K. STONE's Use of Target Account 3 to Message Randy CREDI CO about STONE's "Back channel" 28 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 162 of 189 64. On November 19, 2017, Randy CREDI CO (who, as described further below, STONE publicly identified as his "intermediary'' to ASSANGE), messaged STONE on Target Account 3, "My lawyer wants to see me today." STONE responded, '"Stonewall it. Plead the fifth. Anything to save the plan' ........ Richard Nixon[.]" CREDI CO responded, "Ha ha." 65. On or about November 21, 2017, CREDICO messaged STONE on Target Account 3, "I was told that the house committee lawyer told my lawyer that I will be getting a subpoena[.]" STONE wrote back, "That was the point at which your lawyers should have told them you would assert your 5th Amendment rights if compelled to appear." They continued to message, and CREDICO wrote, "My lawyer wants me to cut a deal." STONE wrote back, "To do what ? Nothing happening in DC the day before Thanksgiving - why are u busting my chops?'.' 66. On or about November 24, 2017, STONE, using Target Account 3, texted CREDICO, "Assange is a journalist and a damn good one- meeting with him is perfectly legal and all you ever told me was he had the goods [o]n Hillary and would publish them - which he himself said in public b4 u told me. It's a fucking witchunt [sic]." CREDI CO replied, "I told you to watch his tweets. That's what I was basing it on. I told you to watch his Tweets in October not before that I knew nothing about the DNC stuff[.] I just followed his tweets[.]" STONE responded, "U never said anything about the DNC but it was August." CREDICO wrote back, "It was not August because I didn't interview him or meet him until August 26th[.] That was my first communication with his secretary in London, August 26th." STONE wrote back, "Not the way I remember it- oh well I guess Schiff will try to get one ofus indicted for perjury[.]" 29 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 163 of 189 67. STONE and CREDICO continued to exchange messages via Target Account 3, and on November 24, 2017, CREDICO wrote to STONE, "Forensic evidence proves that there is no back Channel. So now you can relax." 68. On or about November 28, 2017, CREDICO tweeted a copy of a subpoena he received from HPSCI that was dated November 27, 2017. Toll records show that on November 27 and 28, 2017, CREDICO and STONE communicated via text message more than a dozen times. 69. On November 29, 2017, STONE publicly stated that CREDICO was his "intermediary." In a public Facebook post, STONE further stated that, "Credico merely[] confirmed for Mr. Stone the accuracy of Julian Assange's interview of June 12, 2016 with the British ITV network, where Assange said he had 'e-mails related to Hillary Clinton which are pending publication,' ... Credico never said he knew or had any information as to source or content of the material." 70. On or about December 1, 2017, CREDICO messaged STONE on Target Account 3, stating, "I don't know why you had to lie and say you had a back Channel now I had to give all of my forensic evidence to the FBI today what a headache[.] 4 You could have just told him the truth that you didn't have a back Channel they now know that I was not in London until September of this year[.] You had no back-channel and you could have just told the truth ... You want me to cover you for pe1jury now[.]" STONE responded, "What the fuck is your problem? Neither of us has done anything wrong or illegal. You got the best press of your life and you can get away with asserting for 5th Amendment rights if u don't want talk about AND if 4 Contrary to his statement, CREDICO has not provided any forensic evidence to the FBI. 30 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 164 of 189 you ·turned over anything to the FBI you're a fool." CREDICO responded, "You open yourself up to six counts of perjury[.] But I'm sure that wasn't sworn testimony so you're probably clear[.] Council for the committee knows you never had a back Channel and if you had just told the truth wouldn't have put me in this bad spot ... you should go back ... and amend your testimony and tell them the truth." CREDI CO repeated: "you need to amend your testimony before I testify on the 15th." STONE replied, "If you testify you're a fool. Because of tromp [sic] I could never get away with a certain [sic] my Fifth Amendment rights but you can. I guarantee you you [sic] are the one who gets indicted for perjury if you're stupid enough to testify(.]" 71. STONE and CREDICO continued to message each other on or about December 1, 2017. In response to STONE's message about being "stupid enough to testify," CREDICO told STONE: "Whatever you want to say 1 have solid forensic evidence." STONE responded: "Get yourself a real lawyer instead of some liberal wimp who doesn't know how to tell his guys to fuck off good night." CREDICO then wrote: "Just tell them the truth and swallow your ego you never had a back Channel particularly on June 12th(.]" STONE responded: "You got nothing." 72. On or about December 13, 2017, according to public reporting, CREDICO indicated that he would not testify before HPSCI and would invoke his Fifth Amendment rights. 73. STONE and CREDICO continued to exchange messages via Target Account 3, and on or about January 6, 2018, CREDICO indicated to STONE that he was having dinner with a reporter. STONE responded, "Hope u don't fuck Up my efforts to get Assange a pardon[.]" CREDICO messaged STONE, "I have the email from his chief of staff August 25th 2016 responding to an email I sent to WikiLeaks website email address asking you would do my show[.] That was my initial contact." 31 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 165 of 189 74. On or about January 8, 2018, CREDICO messaged STONE on Target Account 3 stating: "Embassy logs ... + 17 other pieces of information prove that I did not have any conversations with Assange until September of last year." 75. CREDICO and STONE continued to message each other, and on or about January 25, 2018, CREDICO wrote to STONE on Target Account 3: "You lied to the house Intel committee ... But you'll get off because you're friends with Trump so don't worry. I have all the forensic evidence[.] I was not a ba[ck] Channel and I have all those emails from September of 2016 to prove it[.]" 76. On or about April 13, 2018, news reports stated that CREDICO had shown reporters copies of email messages he had received from STONE in the prior few days that stated, "You are a rat. You are a stoolie. You backstab your friends - run your mouth my lawyers are dying Rip you to shreds." Another message stated, "I'm going to take that dog away from you," referring to CREDICO's therapy dog. CREDICO stated that it was "cetiainly scary . . . When you start bringing up my dog, you're crossing the line[.]" 5 77. On or about May 25, 2018, CREDICO provided additional messages he stated were from STONE to another news agency. 6 In these messages, STONE, on April 9, 2018, stated: "I am so ready. Let's get it on. Prepare to die[.]" In the article, CREDICO stated that he considered this email from STONE a threat. STONE stated in the article that CREDICO "told me he had terminal prostate cancer ... It was sent in response to that. We talked about it too. 5 https://www.yahoo.com/news/comedian-randy-credico-says-trump-adviser-roger-stone-threatened-dog135911370.html 6 https://www.motherjones.com/politics/2018/05/roger-stone-to-associate-prepare-to-die/ 32 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 166 of 189 He was depressed about it. Or was he lying." The article noted that CREDTCO stated he did not have prostate cancer and did not have any such discussion with STONE. L. STONE's Use of the Target Accounts to Communicate with Individuals Related to the Investigation 78. On May I 7, 2018, Chief Judge Howell issued an order for the use of pen-trap devices on Target Account 1 and Target Account 2. The information obtained from that order, along with information obtained from toll records, revealed that STONE has continued to use Target Account 1 and Target Account 2, and that he has used them to communicate with individuals related to the investigation. 79. For example, STONE and communicated twice on May 28 and May 29, 2018 using Target Account 1. , a former associate of STONE's, was interviewed by the Special Counsel's Office on or about May 2, 2018. Toll records show that ' and STONE communicated multiple times on May 5, 2018, and STONE communicated wit using Target Account 1 on June 1, 2018 and June 6, 2018. a private investigator who had previously worked with STONE and who was hired by STONE to research individuals associated with this case (as described further below), communicated with STONE on Target Account 1 at least four times between May 27, 2018 and July 12,2018. 80. STONE has also used Target Account 2 to communicate with individuals associated with this investigation. a. For example, between May 23, 2018 and the present, STONE and CORSI exchanged at least five messages using Target Account 2. In the same time period, STONE exchanged at least 75 emails with CREDICO using Target Account 2. 33 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 167 of 189 • b. Also in this same time period, STONE emailed is a former employee of STONE. On May 9, ten times using Target Account 2. 2018, FBI agents approached at least and That day, and again on May 10, 2018, communicated by phone with STONE. Overall, between May 23, 2018 and the present, STONE exchanged over 100 emails with using Target Account 2. In addition, between on or about June 14, 2018 and June 17, 2018, 81. and STONE exchanged five emails using Target Account 2. STONE has also used a phone number associated with Target Account 3 to communicate with , a private investigator hired by STONE. was interviewed by investigators on June 7, 2018, and subsequently informed investigators that in June 2018, STONE instructed him to conduct a full background investigation on who had been employed by STONE during the Campaign as an information technology specialist. also told investigators that in June 2018, STONE instructed him to find an address for CREDICO that could be used to serve CREDICO with legal process. told investigators that his primary fmm of communication with STONE is by text message on Target Account 3. BACKGROUND CONCERNING EMAIL 82. In my training and experience, I have learned the Providers provide a variety of on-line services, including electronic mail ("email") to the public. The Providers allow 34 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 168 of 189 subscribers to obtain email accounts at the domain names identified in the email address contained in Attachment A and C. Subscribers obtain an account by r~gistering with the Providers. During the registration process, the Providers ask subscribers to provide basic personal information. Therefore, the computers of the Providers are likely to contain stored electronic communications (including retrieved and unretrieved email) for their subscribers and information concerning subscribers and their use of services, such as account access information, email transaction information, and account application information. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. 83. In my training and experience, email Providers generally ask their subscribers to provide certain personal identifying information when registering for an email account. Such information can include the subscriber's full name, physical address, telephone numbers and other identifiers, alternative email addresses, and, for paying subscribers, means and source of payment (including any credit or bank account number). In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. Based on my training and my experience, I know that, even if subscribers insert false information to conceal their identity, this information often provides clues to their identity, location, or illicit activities. 84. In my training and experience, email Providers typically retain certain transactional information about the creation and use of each account on their systems. This information can include the date on which the account was created, the length of service, records of log-in (i.e., session) times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to the account 35 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 169 of 189 (such as logging into the account via the Providers' website), and other log files that reflect usage of the account. In addition, email Providers often have records of the Internet Protocol address ("IP address") used to register the account and the IP addresses associated with particular logins to the account. Because every device that connects to the Internet must use an IP address, IP address information can help to identify which computers or other devices were used to access the email account. 85. In my training and experience, in some cases, email account users will communicate directly with an email service Providers about issues relating to the account, such as technical problems, billing inquiries, or complaints from other users. Email Providers typically retain records about such communications, including records of contacts between the user and the Providers' support services, as well as records of any actions taken by the Providers or user as a result of the communications. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. 86. As explained herein, information stored in connection with an email account may provide crucial evidence of the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or alternatively, to exclude the innocent from further suspicion. In my training and experience, the information stored in connection with an email account can indicate who has used or controlled the account. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence. For ~xample, email communications, contacts lists, and images sent (and the data associated with the foregoing, such as date and time) may indicate who used or controlled the account at a relevant time. Further, 36 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 170 of 189 information maintained by the email Providers can show how and when the account was accessed or used. For example, as described below, email Providers typically log the Internet Protocol (IP) addresses from which users access the email account, along with the time and date of that access. By determining the physical location associated with the logged IP addresses, investigators can understand the chronological and geographic context of the email account access and use relating to the crime under investigation. This geographic and timeline information may tend to either inculpate or exculpate the account owner. Additionally, information stored at the user's account may further indicate the geographic location of the account user at a particular time (e.g., location information integrated into an image or video sent via email). Last, stored electronic data may provide relevant insight into the email account owner's state of mind as it relates to the offense under investigation. For example, information in the email account may indicate the owner's motive and intent to commit a crime (e.g., communications relating to the crime), or consciousness of guilt (e.g., deleting communications ~ in an effort to conceal them from law enforcement). 87. In my training and experience, information such as search history can help to show the state of mind of an individual at the time the search was made, as well as the individuals potential advance knowledge of events, as they search to see if the anticipated event has occurred. INFORMATION REGARDING APPLE ID AND iCLOUD 7 The information in this section is based on information published by Apple on its website, including, but not limited to, the following document and webpages: "U.S. Law Enforcement Legal Process Guidelines," available at htip:/limages.apple.com/orivacy/docs/ legal-process-guiclelines-us.pd_f; "Create and start using an Apple ID," available at https://suppoct.app.Je.com/en-us/HT203993; "iCloud," available at http://www.apple.com/icloud/; "What does iCloud back up?," available at https://support.aople.com/ kb/PH12519; "iOS Security," available at 37 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 171 of 189 88. Apple is a United States company that produces the iPhone, iPad, and iPod Touch, all of which use the iOS operating system, and desktop and laptop computers based on the Mac OS operating system. 89. Apple provides a variety of services that can be accessed from Apple devices or, in some cases, other devices via web browsers or mobile and desktop applications ("apps"). As described in further detail below, the services include email, instant messaging, and file storage: a. Apple provides email service to its users through email addresses at the domain names mac.com, me.com, and icloud.com. b. iMessage and FaceTime allow users of Apple devices to communicate in real-time. iMessage enables users of Apple devices to exchange instant messages ("iMessages") containing text, photos, videos, locations, and contacts, while FaceTime enables those users to conduct video calls. c. iCloud is a file hosting, storage, and sharing service provided by Apple. iCloud can be utilized through numerous iCloud-connected services, and can also be used to store iOS device backups and data associated with third-party apps. d. iCloud-connected services allow users to create, store, access, share, and synchronize data on Apple devices or via icloud.com on any Internet-connected device. For example, iCloud Mail enables a user to access Apple-provided email accounts on multiple Apple devices and on icloud.com. iCloud Photo Library and My Photo Stream can be used to store and manage images and videos taken from Apple devices, and iCloud Photo Sharing allows the user https://www.apple.com/business/docs/iOS Security Guid.e. pdf, and "iCloud: How Can I Use iCloud?," available at https: //support.apple.com/kb/PH26502. 38 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 172 of 189 to share those images and videos with other Apple subscribers. iCloud Drive can be used to store presentations, spreadsheets, and other documents. iCloud Tabs and bookmarks enable iCloud to be used to synchronize bookmarks and webpages opened in the Safari web browsers on all of the user's Apple devices. iWork Apps, a suite of productivity apps (Pages, Numbers, Keynote, and Notes), enables iCloud to be used to create, store, and share documents, spreadsheets, and presentations. iCloud Keychain enables a user to keep website username and passwords, credit card information, and Wi-Fi network information synchronized across multiple Apple devices. e. Game Center, Apple's social gaming network, allows users of Apple devices to play and share games with each other. f. Find My iPhone allows owners of Apple devices to remotely identify and track the location of, display a message on, and wipe the contents of those devices. Find My Friends allows owners of Apple devices to share locations. g. Location Services allows apps and websites to use information from cellular, Wi-Fi, Global Positioning System ("GPS") networks, and Bluetooth, to determine a user's approximate location. h. App Store and iTunes Store are used to purchase and download digital content. iOS apps can be purchased and downloaded through App Store on iOS devices, or through iTunes Store on desktop and laptop computers running either Microsoft Windows or Mac OS. Additional digital content, including music, movies, and television shows, can be purchased through iTunes Store on iOS devices and on desktop and laptop computers running either Microsoft Windows or Mac OS. 39 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 173 of 189 90. Apple services are accessed through the use of an "Apple ID," an account created during the setup of an Apple device or through the iTunes or iCloud services. A single Apple ID can be linked to multiple Apple services and devices, serving as a central authentication and syncing mechanism. 91. An Apple ID takes the form of the full email address submitted by the user to create the account; it can later be changed. Users can submit an Apple-provided email address (often ending in@icloud.com, @me.com, or@mac.com) or an email address associated with a third-party email provider (such as Gmail, Yahoo, or Hotmail). The Apple ID can be used to access most Apple services (including iCloud, iMessage, and FaceTime) only after the user accesses and responds to a "verification email" sent by Apple to that "primary" email address. Additional email addresses ("alternate," "rescue," and "notification" email addresses) can also be associated with an Apple ID by the user. 92. Apple captures information associated with the creation and use of an Apple ID. During the creation of an Apple ID, the user must provide basic personal information including the user's full name, physical address, and telephone numbers. The user may also provide means of payment for products offered by Apple. The subscriber information and password associated with an Apple ID can be changed by the user through the "My Apple ID" and "iForgot" pages on Apple's website. In addition, Apple captures the date on which the account was created, the length of service, records of log-in times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to and utilize the account, the Internet Protocol address ("IP address") used to register and access the account, and other log files that reflect usage of the account. 40 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 174 of 189 93. Additional information is captured by Apple in connection with the use of an Apple ID to access certain services. For example, Apple maintains connection logs with IP addresses that reflect a user's sign-on activity for Apple services such as iTunes Store and App Store, iCloud, Game Center, and the My Apple ID and iForgot pages on Apple's website. Apple also maintains records reflecting a user's app purchases from App Store and iTunes Store, "call invitation logs" for FaceTime calls, "query logs" for iMessage, and "mail logs" for activity over an Apple-provided email account. Records relating to the use of the Find My iPhone service, including connection logs and requests to remotely lock or erase a device, are also maintained by Apple. 94. Apple also maintains information about the devices associated with an Apple ID. When a user activates or upgrades an iOS device, Apple captures and retains the user's IP address and identifiers such as the Integrated Circuit Card ID number ("ICCID"), which is the serial number of the device's SIM card. Similarly, the telephone number of a user's iPhone is linked to an Apple ID when the user signs in to FaceTime or iMessage. Apple also may maintain records of other device identifiers, including the Media Access Control address ("MAC address"), the unique device identifier ("UDID"), and the serial number. In addition, information about a user's computer is captured when iTunes is used on that computer to play content associated with an Apple ID, and information about a user's web browser may be captured when used to access services through icloud.com and apple.com. Apple also retains records related to communications between users and Apple customer service, including communications regarding a particular Apple device or service, and the repair history for a device. 41 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 175 of 189 95. Apple provides users with five gigabytes of free electronic space on iCloud, and users can purchase additional storage space. That storage space, located oµ servers controlled by Apple, may contain data associated with the use of iCloud-connected services, including: email (iCloud Mail) ; images and videos (iCloud Photo Library, My Photo Stream, and iCloud Photo Sharing); documents, spreadsheets, presentations, and other files (iWork and iCloud Drive); and web browser settings and Wi-Fi network information (iCloud Tabs and iCloud Keychain). iCloud can also be used to store iOS device backups, which can contain a user's photos and videos, iMessages, Short Message Service ("SMS") and Multimedia Messaging Service ("MMS") messages, voicemail messages, call history, contacts, calendar events, reminders, notes, app data and settings, Apple Watch backups, and other data. Records and data associated with third-party apps may also be stored on iCloud; for example, the iOS app for WhatsApp, an instant messaging service, can be configured to regularly back up a user's instant messages on iCloud Drive. Some of this data is stored on Apple's servers in an encrypted form but can nonetheless be decrypted by Apple. 96. In my training and experience, evidence of who was using an Apple ID and from where, and evidence related to criminal activity of the kind described above, may be found in the files and records described above. This evidence may establish the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or, alternatively, to exclude the innocent from further suspicion. INFORMATION TO BE SEARCHED AND THINGS TO BE SEIZED 42 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 176 of 189 97. I anticipate executing this warrant under the Electronic Communications Privacy Act, in particular 18 U.S.C. §§ 2703(a), 2703(b)(l)(A) and 2703(c)(l)(A), by using the warrant to require Google to disclose to the government copies of the records and other information (including the content of communications) associated with the accounts in Attachment A, C, and E and particularly described in Section I of Attachment B, D, and F. Upon receipt of the information described in Section I of Attachments B, D, and F, government-authorized persons will review that information to locate the items described in Section II of Attachment B, D, and F. The items identified in Attachments A-F will also be screened by reviewers not on the prosecution team to identify and filter out privileged material. CONCLUSION 98. Based on the forgoing, I request that the Court issue the proposed search warrant. 99. Pursuant to 18 U.S.C. § 2703(g), the presence of a law enforcement officer is not required for the service or execution of this warrant. REQUEST FOR SEALING 100. I further request that the Court order that all papers in support of this application, including the affidavit and search warrant, be sealed until further order of the Court. These documents discuss an ongoing criminal investigation, the full nature and extent of which is not known to all of the targets of the investigation. Accordingly, there is good cause to seal these documents because their premature disclosure may seriously jeopardize that investigation. Respe~ Andrew Mitchell Special Agent Federal Bureau of Investigation 43 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 177 of 189 Subscribed and sworn lo before me on this 1f { of Augus~ 2018. / $ /711 !l l(,t1Lt The Honorable Beryl A. Howell Chief United States District Judge 44 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 178 of 189 ATTACHMENT A Property to be Searched This warrant applies to information associated with the email address: created or maintained between September 11, 2017 and present, that is stored at premises owned, maintained, controlled, or operated by Microsoft Corp., d/b/a Hotmail, a company headquartered at One Microsoft Way, Redmond, WA 98052. 45 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 179 of 189 ATTACHMENT B Particular Things to be Seized I. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment A is within the possession, custody, or control of the Provider including any messages, records, files, logs, images, videos, or information that have been deleted but are still available to the Provider or have been preserved pursuant to a preservation request under 18 U.S.C. § 2703(f), the Provider is required to disclose the following information to the government for each account or identifier listed in Attachment A: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail; b. All existing printouts from original storage of all of the electronic mail described above in Section I.A. above; c. All internet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section I.A, including log files, dates, times, methods of connecting, ports, dial ups, and/or locations; e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files; f. Records or other information regarding the identification of the account described above in Section LA, to include application, full name, physical address, telephone numbers and other identifiers, records of session times and durations, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, g. All records indicating the services available to subscribers of the electronic mail address described above in Section LA.; 46 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 180 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban) from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 47 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 181 of 189 i. All existing printouts from original storage which concern the categories identified in subsection II.a 48 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 182 of 189 ATTACHMENT C Property to be Searched This warrant applies to information associated with the following Google account: created or maintained between October 17, 2017 and the present, that is stored.at premises owned, maintained, controlled, or operated by Google, Inc., a business with offices located at 1600 Amphitheatre Parkway, Mountain View, CA 94043. 49 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 183 of 189 ATTACHMENT D Particular Things to be Seized I. Files and Accounts to be produced by Google, Inc. To the extent that the information described in Attachment C is within the possession, custody, or control of Google, Inc. including any messages, records, files, logs, images, videos, or information that have been deleted but are still available to Google or have been preserved pursuant to a preservation request under 18 U.S.C. § 2703(£), Google is required to disclose the following information to the government for each account or identifier listed in Attachment C: a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail; b. All existing printouts from original storage of all of the electronic mail described above in Section LA. above; c. All internet search data including all queries and location data; d. All transactional information of all activity of the account described above in Section LA, including log files, dates, times, methods of connecting, ports, dial ups, and/or locations; e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files; f. All records or other information regarding the identification of the account described above in Section I.A, to include application, full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber, methods of connecting, log files, means and source of payment (including any credit or bank account number), and detailed billing records; g. All records indicating the services available to subscribers of the electronic mail address described above in Section LA.; h. Google+ subscriber information, circle information, including name of circle and members, contents of posts, comments, and photos, to include date and timestamp; 50 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 184 of 189 1. Google Drive files created, accessed or owned by the account; J. YouTube subscriber information, private videos and files, private messages, and comments; k. Google+ Photos contents to include all images, videos and other files, and associated upload/download date and timestamp; 1. Google Talk and Google Hangouts conversation logs associated with the account. 51 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 185 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment C which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction of justice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban), from June 1, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 1. All existing printouts from original storage which concern the categories identified in subsection II.a 52 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 186 of 189 ATTACHMENT E Property to be Searched This warrant applies to information associated with the following Apple DSID: created or maintained between March 14, 2018 and the present, that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., located at One Apple Park Way, Cupertino, California 95014. 53 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 187 of 189 ATACHMENTF Particular Things to be Seized I. Files and Accounts to be produced by the Provider: To the extent that the information described in Attachment Eis within the possession, custody, or control of Apple, regardless of whether such information is located within or outside ofthe United States, including any messages, records, files, logs, or infonnation that have been deleted but are still available to Apple, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(f), Apple is required to disclose the following information to the government, in unencrypted form whenever available, for each account or identifier listed in Attachment E: a. All records or other information regarding th~ identification of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and notification email addresses, and verification information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, associated devices, methods of connecting, and means and source of payment (including any credit or bank account numbers); b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized iOS devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identifiers ("UDID"), Advertising Identifiers ("IDFA"), Global Unique Identifiers ("GUID"), Media Access Control ("MAC") addresses, Integrated Circuit Card ID numbers ("ICCID"), Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifiers ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDN"), International Mobile Subscriber Identities ("IMSI"), and International Mobile Station Equipment Identities ("IMEI"); c. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments; d. The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message; 54 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 188 of 189 e. The contents of all files and other records stored on iCloud, including all iOS device backups, all Apple and third-party app data, all files and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWork (including Pages, Numbers, Keynote, and Notes), iCloud Tabs and bookmarks, and iCloud Keychain, and all address books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks; f. All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including FaceTime call invitation logs, messaging and query logs (including iMessage, SMS, and MMS messages), mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find My iPhone and Find My Friends logs, Jogs associated with web-based access of Apple services (including all associated identifiers), and logs associated with iOS device purchase, activation, and upgrades; g. All records and information regarding locations where the account or devices associated with the account were accessed, including all data stored in connection with Location Services, Find My iPhone, Find My Friends, and Apple Maps; h. All records pertaining to the types of service used; i. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and j. All files, keys, or other information necessary to decrypt any data produced in an encrypted form, when available to Apple (including, but not limited to, the keybag.txt and fileinfolist.txt files). 55 Case 1:19-mc-00029-CRC Document 29-13 Filed 04/28/20 Page 189 of 189 II. Information to be Seized by Law Enforcement Personnel Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1001 (false statements), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. §§ 1505 and 1512 (obstruction ofjustice), 18 U.S.C. § 1513 (witness tampering); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121 (foreign contribution ban), from June I, 2015 to present, including: a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material; b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Jerome Corsi, Julian Assange, Randy Credico, or any individual associated with the Trump Campaign; c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses; d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts; e. Evidence of the times the account was used; f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement; g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; 1. All existing printouts from original storage which concern the categories identified in subsection II.a 56