Case 1:18-cr-00111-CMHDocument 2Filed 12/21/17IN THE UNITED STATES DISTR

1. Case 1:18-cr-00111-CMH
2. Document 2
3. Filed 12/21/17
4.  
5. IN THE UNITED STATES DISTRICT COURT
6. FOR THE EASTERN DISTRICT OF VIRGINIA
7. Alexandria Division
8.  
9. UNITED STATES OF AMERICA
10. v.
11. JULIAN PAUL ASSANGE,
12. Defendant.
13.  
14. Case No. 17-MJ-611
15. Filed Under Seal
16.  
17. AFFIDAVIT IN SUPPORT OF A CRIMINAL COMPLAINT AND ARREST WARRANT
18.  
19. 1. I, Megan Brown, make this affidavit in support of a criminal complaint charging the defendant, Julian P. Assange, with violating 18 U.S.C. §371 by conspiring to (1) access a computer, without authorization and exceeding authorized access, to obtain classified national defense information in violation of 18 U.S.C. § 1030(a)(1); and (2) access a computer, without authorization and exceeding authorized access, to obtain information from a department or agency of the United States in furtherance of a criminal act in violation of 18 U.S.C. § 1030(a)(2), (c)(2)(B)(ii).
20.  
21. 2. I am a Special Agent with the Federal Bureau of Investigation (FBI) and have been so employed since February 2011. Since joining the FBI, I have investigated violations of federal law involving counterterrorism and counterintelligence matters, and I have gained experience through training and everyday work related to conducting these types of investigations. Since February 2017,1 have been assigned to a Counterespionage squad at the Washington Field Office in Washington, D.C. In this capacity, I investigate matters involving allegations of espionage, as well as the unauthorized disclosure of classified information, and related crimes. As a Special Agent with the FBI, I have received classroom and on-the-job training in general law enforcement and also in such specialized areas as counterintelligence, counterterrorism, and investigation of espionage-related crimes. I have participated in federal, multi-jurisdictional, and international investigations involving national security matters, conducted physical and electronic surveillance, executed search warrants, and debriefed witnesses and participants to unlawful activity related to these matters. Through my investigations, I have gained knowledge in the use of various investigative techniques including the utilization of Rule 41 search warrants, subpoenas, national security letters, physical and electronic surveillance, trash covers, and other sophisticated investigative techniques. As a federal agent, I am authorized to investigate violations of the laws of the United States. I have investigated criminal violations relating to espionage and the unauthorized disclosure of classified information, including violations related to the illegal possession, distribution, and/or receipt of classified information, and related crimes, in violation of 18 U.S.C. §§ 793, 794, 1030, and 1924. I also am authorized to execute warrants issued under the authority of the United States, and I have participated in arrest warrants and search warrants in my capacity as an FBI Special Agent.
22.  
23. 3. The facts in this Affidavit are based on my personal observations, information obtained from other agents and witnesses, my training and experience, and my review of records, reports, articles, and websites. Unless otherwise noted, information provided to me by other law enforcement personnel does not necessarily reflect my personal observations or investigation, but rather has been passed to me by individuals with first-hand knowledge. This Affidavit does not set forth all of my knowledge about this matter, but is intended merely to establish probable cause for the criminal complaint.
24.  
25. 4. As shown below, the conspirators took elaborate measures to conceal their communications, mask their identities, and destroy any trace of their conduct, using, for example, encryption and anonymization techniques, and erasing and wiping data. For this reason, the facts are derived in large part from forensic analysis of available computer data, remnants, or unalterable systems.
26.  
27. SUMMARY OF PROBABLE CAUSE
28.  
29. 5. These charges relate to one of the largest compromises of classified information in the history of the United States. Between in or around January 2010 and May 2010, Chelsea Manning, [1] an intelligence analyst in the U.S. Army, downloaded four, nearly complete and largely classified databases with approximately 90,000 Afghanistan war-related significant activity reports, 400,000 Iraq war-related significant activity reports, 800 Guantanamo Bay detainee assessments, and 250,000 U.S. State Department cables. Manning provided these records to WikiLeaks, a website founded and led by the defendant, Julian P. Assange. On its website, WikiLeaks expressly solicited classified information for public dissemination. WikiLeaks publicly released the vast majority of the classified records on its website in 2010 and 2011. Manning has since been tried and convicted by court-martial for her illegal acts in transmitting the information to WikiLeaks.
30.  
31. [1] Manning used the name "Bradley E. Manning" at the time of the events at issue in this Affidavit. According to a statement from Manning's attorney published on or around August 22, 2013, Manning has identified as a female since childhood and was changing her name to "Chelsea Manning." As a result, I refer to Manning using her current name and the female gender.
32.  
33. 6. The charges in this criminal complaint focus on a specific illegal agreement that Assange and Manning reached in furtherance of Manning's illegal disclosure of classified information. As explained below, investigators have recovered Internet "chats" between Assange and Manning from March 2010. The chats reflect that on March 8, 2010, Assange agreed to assist Manning in cracking a password stored on United States Department of Defense (DoD) computers connected to the classified Secret Internet Protocol Router Network (SIPRNet). Manning, who had access to the computers in connection with her duties as an intelligence analyst, was using the computers to download classified records to transmit to WikiLeaks.
34.  
35. 7. Cracking the password would have allowed Manning to log onto the computers under a username that did not belong to her. Such a deceptive measure would have made it more difficult for investigators to determine the source of the illegal disclosures. While it remains unknown whether Manning and Assange were successful in cracking the password, a follow-up message from Assange to Manning on March 10, 2010, reflects that Assange was actively trying to crack the password pursuant to their agreement.
36.  
37. 8. Circumstantial evidence reflects that Assange and Manning intended to crack the password to facilitate Manning's illegal disclosure of classified information. At the time they formed their illegal password-cracking agreement, Manning had already provided WikiLeaks with hundreds of thousands of classified records relating to, among other things, the wars in Afghanistan and Iraq. In the recovered chats surrounding the illegal agreement, Manning and Assange engaged in real-time discussions regarding Manning's transmission of classified records to Assange. The chats also reflect the two collaborating on the public release of the information and Assange actively encouraging Manning to provide more information. The chats, moreover, reflect that Manning actively took steps to try to conceal herself as the source of the leaks. Thus, the context of the agreement demonstrates that Assange and Manning intended to crack the password to facilitate Manning's disclosure of classified information of the United States.
38.  
39. I. BACKGROUND OF CO-CONSPIRATORS
40.  
41. A. Defendant Julian P. Assange and WikiLeaks
42.  
43. 9. Assange, a citizen of Australia, created the website WikiLeaks.org in 2006 to release on the Internet otherwise unavailable documents. WikiLeaks' website solicited submissions of classified, censored, or otherwise restricted information. [2]
44.  
45. [2] At some point between September and December 2010, WikiLeaks deleted the word "classified" from a description of the kinds of material it accepted.
46.  
47. 10. Although associates and volunteers worked for WikiLeaks in various capacities, WikiLeaks was closely identified with Assange himself. As reported in an article published in Wired magazine in or around September 2010, Assange stated, "I am the heart and soul of this organization, its founder, philosopher, spokesperson, original coder, organizer, financier, and all the rest." As stated by Assange in a January 2010 interview during the 26th Chaos Communication Congress, WikiLeaks had a full-time staff of five and 800 "occasional helpers." Assange has also stated that he made the final decision as to whether a particular document submitted to WikiLeaks was legitimate.
48.  
49. 11. Assange, who has never possessed a security clearance or need to know, was prohibited from receiving classified information of the United States.
50.  
51. B. Co-Conspirator Chelsea Manning
52.  
53. 12. Manning, a United States citizen, enlisted in the U.S. Army in October 2007 and subsequently attended the U.S. Army Intelligence Analyst Course at Fort Huachuca, Arizona.
54.  
55. 13. On April 7, 2008, Manning signed a Classified Information Nondisclosure Agreement. In doing so, Manning acknowledged being advised that unauthorized disclosure or retention or negligent handling of classified information could cause damage or irreparable injury to the United States or could be used to advantage by a foreign nation.
56.  
57. 14. On January 22, 2009, Manning was granted a U.S. government security clearance at the "Top Secret" level and signed a Sensitive Compartmented Information (SCI) Nondisclosure Statement. In so doing, Manning acknowledged that she would be granted access to SCI material, which involves or derives from intelligence sources or methods and is classified or in the process of being classified. She further acknowledged being advised that her unauthorized disclosure or retention or negligent handling of SCI could cause irreparable injury to the United States or be used to advantage by a foreign nation, and could constitute a federal crime.
58.  
59. 15. Executive Order No. 13526 and its predecessor orders define the classification levels assigned to national security and national defense information. Under Executive Order No. 13526, information may be classified as "Confidential" if its unauthorized disclosure reasonably could be expected to cause damage to the national security; "Secret" if its unauthorized disclosure reasonably could be expected to cause serious damage to the national security; and "Top Secret" if its unauthorized disclosure reasonably could be expected to cause exceptionally grave damage to the national security.
60.  
61. C. Manning's Access To Classified Information And Computer Networks In Iraq
62.  
63. 16. On or about October 12, 2009, Manning was deployed as a Military Occupational Specialty ("MOS") 35F - Intelligence Analyst, to Forward Operating Base ("FOB") Hammer in Iraq.
64.  
65. 17. Manning worked as an intelligence analyst in Iraq from October 2009 to May 2010. During that time, she had access to classified national defense information through various U.S. Army and DoD computer network systems, including SIPRNet — a network used for classified documents and communications at the Confidential and Secret levels, as designated according to Executive Order No. 13526.
66.  
67. 18. Manning had access to multiple classified databases and websites on SIPRNet, including the following: (1) the Combined Information Data Network Exchange ("CIDNE"), a set of DoD databases containing classified reports regarding the Afghanistan and Iraq wars, many of which contained raw intelligence information such as source names and locations; (2) a U.S. Central Command ("CENTCOM") website, which included reports of investigations of civilian deaths caused by U.S. forces; (3) an Intellipedia website named "JTF-GTMO Detainee Assessments," which included documents regarding detainees at the U.S. Naval Base in Guantanamo Bay, Cuba; (4) Net Centric Diplomacy ("NCD"), a Department of State database containing classified diplomatic cables; and (5) an Intelink-S search engine, which was a web portal that provided U.S. intelligence agencies with a single point of service to search for information across various classified websites on the SIPR network.
68.  
69. 19. At FOB Hammer, Manning worked in a Sensitive Compartmented Information Facility ("SCIF"). Under Executive Order No. 13526, Section 4.1, and Army regulations. Manning was prohibited from removing classified information from the SCIF in which she worked, from storing the information in her residential quarters, and from loading the information onto a personal computer. Further, the act of removing classified media from a SCIF and hand carrying that information was permitted only when approved by the appropriate official.
70.  
71. 20. In the SCIF, Manning had access to several SIPRNet computers, two of which she principally used at different times. In this affidavit, I refer to these two computers as "IP1" and "IP2."
72.  
73. 21. Manning's use of the computers was also governed by the AR-25-2. The AR-25-2 is an Army regulation that establishes the standards, processes, and procedures for information assurance practices in the United States Army. It applies to everyone within the Army.
74.  
75. 22. In March 2010, the AR-25-2 prohibited certain "activities ... by any authorized user on a Government provided [information system] or connection." These prohibited activities included "[a]ttempt[ing] to ... circumvent, or bypass network [information systems] security mechanisms." The AR-25-2 also prohibited "[s]haring personal accounts and authenticators (passwords or PINs)."
76.  
77. II. MANNING'S EARLY DISCLOSURES TO WIKILEAKS
78.  
79. 23. According to Manning, she began helping WikiLeaks soon after WikiLeaks publicly released messages from the September 11, 2001 terrorist attacks on November 25, 2009.
80.  
81. 24. As the examples in the following two sections demonstrate, Manning transmitted a large amount of classified information to WikiLeaks prior to March 2010, which was when she formed the agreement with Assange that is the subject of this complaint.
82.  
83. A. Classified Significant Activity Reports Relating To Iraq And Afghanistan Wars
84.  
85. 25. During her court-martial proceedings. Manning has admitted that, prior to March 2010, she provided WikiLeaks with classified significant activity reports from the Iraq and Afghanistan wars ("Iraq War Reports" and "Afghanistan War Reports," respectively).
86.  
87. 26. According to Manning, she downloaded the Iraq War Reports and Afghanistan War Reports from the relevant CIDNE databases in late December 2009 and early January 2010, and initially saved the records on a CD-RW that she kept in her SCIF. Manning admitted that she later took the CD-RW out of the SCIF and copied the data from the CD-RW onto her personal laptop. Manning stated that she transferred the data from her laptop to a Secure Digital ("SD") memory card, which she took with her when she went on leave later in January 2010.
88.  
89. 27. Investigators later recovered the SD card that Manning used to transport the Iraq War Reports and Afghanistan War Reports. Forensic analysis of the SD card revealed that it contained the CIDNE databases for Iraq (391,883 records) and Afghanistan (91,911 records). The SD card also contained a README.txt file, which contained the following message:
90.  
91. Items of Historical Significance for Two Wars: Iraq and Afghanistan Significant Activities (SIGACTs) between 0000 on 01 JAN 2004 and 2359 on 31 DEC 2009 (Iraq local time, and Afghanistan local time) CSV extracts are from the Department of Defense (DoD) Combined Information and Data Exchange (CIDNE) Database. It's already been sanitized of any source identifying information. You might need to sit on this information, perhaps 90-180 days, to figure out how best to release such a large amount of data, and to protect source. This is possibly one of the more significant documents of our time, removing the fog of war, and revealing the true nature of 21st century asymmetric warfare. Have a good day.
92.  
93. 28. According to Manning, she uploaded the Iraq War Reports, Afghanistan War Reports, and README.txt file to the WikiLeaks website on or around February 3, 2010.
94.  
95. 29. WikiLeaks publicly released the Iraq War Reports and Afghanistan War Reports on its website later in 2010. In July 2010, WikiLeaks released approximately 76,000 of the Afghanistan War Reports. Then, in October 2010, WikiLeaks released approximately 391,832 Iraq War Reports.
96.  
97. 30. Manning and WikiLeaks had reason to believe that public disclosure of the Afghanistan War Reports and Iraq War Reports would cause injury to the United States. Documents included in the Afghanistan War Reports contained information the disclosure of which potentially endangered U.S. troops and Afghan civilians, and aided enemies of the United States. Numerous Secret reports, for example, related to the identity and significance of local supporters of United States and Coalition forces in Iraq and Afghanistan.
98.  
99. 31. In fact, according to a July 30, 2010 New York Times article entitled "Taliban Study WikiLeaks to Hunt Informants," after the release of the Afghanistan War Reports, a member of the Taliban contacted the New York Times and stated, "We are studying the report. We knew about the spies and people who collaborate with U.S. forces. We will investigate through our own secret service whether the people mentioned are really spies working for the U.S. If they are U.S. spies, then we will know how to punish them."
100.  
101. 32. Moreover, on May 2, 2011, United States government officials raided the compound of Usama bin Laden in Abbottabad, Pakistan. During the raid, they collected a number of items of digital media, which included, among other things, (1) a letter from bin Laden to another member of the terrorist organization al-Qaeda in which bin Laden requested that the member gather the DoD material posted to WikiLeaks, and (2) a letter from that member of al-Qaeda to Bin Laden with information from the Afghanistan War Reports released by WikiLeaks.
102.  
103. 33. In addition, some of the Afghanistan War Reports included detailed reports of improvised explosive device ("IED") attacks on United States and Coalition forces in Afghanistan. The enemy could use these reports to plan future IED attacks because they described IED techniques, devices, and explosives, and revealed the countermeasures used by United States and Coalition forces against IED attacks and potential limitations to those countermeasures,
104.  
105. 34. I have reviewed a number of the Afghanistan War Reports and Iraq War Reports that WikiLeaks released. The reports that I reviewed contained classification markings reflecting that they were classified as "SECRET." This suggests that the versions of the Afghanistan War Reports and Iraq War Reports that Manning transmitted to WikiLeaks clearly reflected that they were classified.
106.  
107. B. Classified Iceland Documents
108.  
109. 35. As a further example, Manning also provided WikiLeaks with a number of classified documents relating to Iceland prior to March 2010.
110.  
111. 36. According to Manning, she accessed the NCD portal on February 14, 2010, and found a cable entitled "10 Reykjavik 13," which addressed an Icelandic issue known as "Icesave." Manning admitted that she burned the information onto a CD-RW on February 15, 2010, took it to her personal housing unit, saved the document to her personal laptop, and then uploaded it to WikiLeaks.
112.  
113. 37. WikiLeaks released this "Icesave" cable on its website on or around February 18, 2010. I have reviewed the document that WikiLeaks released on its website. It contained clear markings reflecting it was classified as "Confidential," That suggests that the version of the Icesave cable that Manning transmitted to WikiLeaks clearly reflected that it was classified.
114.  
115. 38. In addition, on February 14, 2010, Manning, using IP1 identified to her, viewed the Intellipedia website for Iceland. From this website. Manning clicked on links to, and viewed, three files entitled "Sigurdardottir.pdf," "Skarphedinsson.pdf," and "Jonsson.pdf" A forensic examination of Manning's personal laptop computer showed that a storage device was inserted into her machine. The volume name of the CD — "100215_0621" — vindicated that the CD was burned on February 15, 2010, at 6:21 a.m. The file names "Jonsson.pdf," "Sigurdardottir.pdf," and "Skarphedinsson.pdf" were burned to the CD.
116.  
117. 39. On March 29, 2010, WikiLeaks posted on its website classified U.S. State Department biographies of three Icelandic officials: Icelandic Prime Minister Johanna Sigurdardottir; Icelandic Minister of Foreign Affairs and External Trade Ossur Skarphedinsson; and Icelandic Ambassador to the United States Albert Jonsson. I have reviewed the three biographies released by WikiLeaks. They contained clear markings indicating that they were classified as "Confidential."
118.  
119. 40. Thus, as the examples in these two sections demonstrate. Manning provided hundreds of thousands of classified documents to WikiLeaks prior to March 2010. WikiLeaks received and published the classified documents, despite their clear markings indicating that they were classified.
120.  
121. III. MANNING'S CHATS WITH ASSANGE
122.  
123. 41. A person assigned a name with initials "NF" held a series of online chat conversations with Manning in which the pair discussed providing classified documents to WikiLeaks and the protection of Manning's identity as a source of the documents. According to the dates on the chats, they occurred between March 5, 2010, and March 18,2010. During the chat conversations, Manning used the alias "Nobody" and the account "dawgnetwork@jabber.ccc.de," while NF used the account "pressassociation@jabber.ccc.de."
124.  
125. 42. Those chats took place on the "Jabber" chat server. Jabber is used for real-time instant messaging. Manning and NF used a Jabber chat service hosted on jabber.ccc.de. "CCC" is a commonly used acronym for the Berlin-based Chaos Computer Club, which according to accounts on the Internet, Assange had frequented.
126.  
127. 43. At her court-martial proceedings. Manning stated that she "engaged in conversation often" with NF, "sometimes as long as an hour or more." Forensic analysis showed that Manning deleted or removed the NF chat logs from her laptop. Nevertheless, investigators have been able to recover several portions of the chats between Manning and NF from Manning's personal computer.
128.  
129. 44. A complete copy of the recovered chats between Manning and NF is attached to this Affidavit as Attachment A.
130.  
131. A. Assange Was "NF"
132.  
133. 45. At her court-martial proceeding, Manning claimed that she believed the individual with whom she was chatting "was likely Mr. Julian Assange, Mr. Daniel Schmidt, or a proxy representative of Mr. Assange and Schmidt."
134.  
135. 46. As summarized below, however, the evidence demonstrates that Assange was the "NF" who communicated with Manning in the March 2010 chats.
136.  
137. 47. Specific information provided by NF in the March 2010 chats indicates that NF was Assange. For example, when chatting with Maiming on March 5, 2010, NF confided that he liked debates, and that he "[j]ust finished one on the IMMI, and crushed some wretch from the journalists union." NF told Manning that the debate was "[v]ery satisfying," and that "the husband of the wretch" had exposed a source, an IT consultant who had given NF "10Gb of banking documents."
138.  
139. 48. "IMMI" refers to the Icelandic Modem Media Initiative, a legislative proposal of considerable public interest in Iceland at the time. According to accounts available on the Internet, on March 5, 2010, before NF's chat with Manning about a debate, the University of Iceland presented a panel that discussed media topics, including the IMMI. Assange was a member of that panel, as was the female deputy president of the Icelandic journalists association.
140.  
141. 49. Moreover, the NF in the March 2010 chats with Manning appeared to have extensive knowledge of WikiLeaks' day-to-day operations, including knowledge of submissions of information to the organization, as well as of financial matters. During the chats, on March 8, 2010, and March 16, 2010, Manning asked NF about the financial state of WikiLeaks. On both occasions, NF responded by identifying financial difficulties that WikiLeaks had to overcome, such as losing its credit card vendor. NF also stated that WikiLeaks had raised half a million of an unspecified currency. NF thus demonstrated intimate familiarity with WikiLeaks' financial affairs and circumstances, which Assange would have.
142.  
143. 50. Further, the NF in the chats with Manning mentioned that he planned to attend a conference on investigative journalism in Norway in late March 2010. On March 17,2010, NF told Manning that NF would "be doing an investigative journo conf in norway this week end, so may be out of contact most of the time." In fact, on March 18, 2010, according to an article on the Internet authored by Assange, Assange traveled from Iceland eventually to Oslo, Norway, where he attended and spoke at a March 20 conference held by SKUP, an investigative-journalism organization. According to accounts on the Internet, Assange's name appeared on a list of individuals scheduled to attend the conference, and Assange was identified as a "lecturer." A review of the other names on the list revealed no other persons known to be associated with WikiLeaks, and no one named NF. Further, SKUP's website had a photo of Assange speaking at the conference.
144.  
145. 51. In addition, NF repeatedly discussed with Manning details about a video being prepared for release, which NF referred to as "Project B." As reported in the New Yorker on June 7, 2010, "Project B" was the code name Assange and WikiLeaks used for the video about the 2007 Apache helicopter attack, later released under the name "Collateral Murder."
146.  
147. 52. Also, on June 27, 2011, the FBI interviewed U.S. Person No. 1 (US1), who met Assange in December 2009 in Berlin, Germany. According to US1, Assange and US1 exchanged email addresses at this time and began communicating via email. Eventually, Assange and US1 began using the Jabber instant messaging service to communicate. According to US1, Assange used the Jabber account pressassociation@jabber.ccc.de to communicate with US1 via Jabber. Assange used pressassociation@jabber.ccc.de until the summer of 2010 to communicate with US1. As noted, pressassociation@jabber.ccc.de was the Jabber account used by NF in the chats with Manning.
148.  
149. 53. The evidence further reflects that Manning believed NF was Assange. In chats with U.S. Person No. 2 (US2) on May 23, 2010, Manning stated that Assange "*might*" have used the "ccc.de jabber server," the same server used in the chats between NF and Manning. And on May 22,2010, Manning told US2 that she had communicated with Assange when explaining that she was a source for WikiLeaks. Manning stated, "im a high profile source... and i've developed a relationship with assange... but i don't know much more than what he tells me, which is very little, it took me four months to confirm that the person i was communicating was in fact assange."
150.  
151. 54. Furthermore, a forensic examination of Manning's personal computer seized on May 28, 2010, revealed that pressassociation@jabber.ccc.de was associated with Assange in Manning's "Buddy List" configuration file (blist.xml), and that deleted versions of Manning's blist.xml file identified pressassociation@jabber.ccc.de as an alias for NF. The file had a creation date and last written date of May 28, 2010.
152.  
153. 55. Based on this evidence, I have concluded that Manning's partner in the chats, assigned the username "NF," was in fact Assange. Accordingly, in the following discussion of the March 2010 chats, I identify Assange as the person with whom Manning communicated.
154.  
155. B. Nature of the Assange-Manning Chats
156.  
157. 56. As the below examples illustrate, the recovered chats between Manning and Assange reflect that the two collaborated on Manning's disclosure of classified information to WikiLeaks for WikiLeaks to disseminate publicly.
158.  
159. 1. JTF-GTMO Documents
160.  
161. 57. At her court-martial proceeding, Manning admitted that she provided WikiLeaks with Joint Task Force Guantanamo ("JTF-GTMO") Detainee Assessment Briefs ("DABs") in early March 2010.
162.  
163. 58. In fact, Attachment A reflects discussions between Manning and Assange about the value of these documents and Manning's transmission of them to Assange.
164.  
165. 59. On March 7, 2010, Manning asked Assange, "how valuable are JTF GTMO detention memos containing summaries, background info, capture info, etc?" Assange replied, "time period?" Manning answered, "2002-2008." Assange responded, "quite valuable to the lawyers of these guys who are trying to get them out, where those memos suggest their innocence/bad procedure...also valuable to merge into the general history, politically gitmo is mostly over though."
166.  
167. 60. Manning has admitted that "[a]fter this discussion, [she] decided to download the DABs."
168.  
169. 61. On March 8, 2010, Manning told Assange, "im sending one last archive of interesting stuff... should be in the x folder at some point in the next 24 hours." Assange replied, "ok. great!" Manning added, "you'll need to figure out what to do with it all..."
170.  
171. 62. Later that day. Manning wrote to Assange, "anyway, im throwing everything i got on JTF GTMO at you now... should take awhile to get up tho...summary/history/health conditions/reasons for retaining or transfer of nearly every detainee (about 95%)." Assange replied, "ok, great! what period does it cover for each internment?" Manning replied "2002-2009..." Assange inquired if the information included "initial medical evaluation to exit evaluation?"
172.  
173. 63. Also on March 8, 2010, Manning updated Assange about the ongoing upload, stating that the "upload is at about 36%." Assange asked for an "ETA," to which Manning responded "11-12 hours... guessing since its been going for 6 already." Assange asked, "how many mb?" Manning replied "about 440mb" and "a lot of scanned pdf[']s."
174.  
175. 64. Two days later, on March 10, 2010, Assange reported to Manning, "there[']s a username in the gitmo docs" and asked "i assume i should filter it out?" Manning stated that "any usernames should probably be filtered, period." Manning then recognized, "but at the same time, theres a gazillion of them."
176.  
177. 65. Later in the chat on March 10, 2010, Manning asked, "anything useful in there?" Assange replied "no time, but have someone on it." Assange then followed up that "there surely will be" and that "these sorts of things are always motivating to other sources too." Assange noted that such disclosures provided "inspiration" for other leakers because "gitmo=bad, leakers=enemy of gitmo, leakers=good."
178.  
179. 66. WikiLeaks ultimately released the JTF-GTMO DABs starting in April 2011. By August 2011, it had released 765 JTF-GTMO DABs.
180.  
181. 67. As General Robert Carr testified during Manning's court martial, the release of the DABs caused problems for the United States' efforts to move detainees out of Guantanamo Bay to other countries. According to General Carr, at the time of the release of the DABs, the Department of State was negotiating with foreign governments regarding the transfer of the detainees. The release of the classified DABs threatened to conflict with those negotiations.
182.  
183. 68. I have reviewed a number of the JTF-GTMO DABs that WikiLeaks released. They contained clear markings indicating that they were classified as "SECRET."
184.  
185. 2. Assange Encourages Manning To Continue Searching For Documents
186.  
187. 69. The March 2010 chats also reveal that Assange provided Manning with encouragement to provide more information.
188.  
189. 70. On March 8,2010, when discussing the JTF GTMO upload. Manning told Assange, "after this upload, thats all i really have got left." Assange replied, "curious eyes never run dry in my experience."
190.  
191. 71. In response, Manning stated, "ive already exposed quite a bit, just no-one knows yet. ill slip into darkness for a few years, let the heat die down." Manning added, "considering just how much one source has given you, i can only imagine the overl[o]ad."
192.  
193. 72. Earlier in the same day, Assange noted that there had been "2500 articles in .is referendum in the past 15 hours, despite it being a Sunday." (The domain name for Iceland is ".is.") Manning stated, "oh yeah... osc went haywire digging into .is." (Based on the context, in using the term "osc," Manning likely was referring to the CIA's open source center.) Assange responded, "yeah? that[']s something we want to mine entirely, btw."
194.  
195. 3. Manning And Assange Discuss Concealing Source Of Documents
196.  
197. 73. During his chats with Manning, Assange asked whether documents sent by Manning about an arrest by Iraqi police were "releasable." Manning advised Assange that certain documents could be released, but that an original incident report could not be, and that a translation of a report was "super not releasable." Assange asked that Manning "be sure to tell me these things as soon as possible," and "better yet in the submission itself," since Assange was "not the only one to process this stuff and also will forget details if publication is delayed a long time due to the flood of other things." After Manning asked if Assange was "gonna give release a shot?," Assange opined that a lack of detail in the releasable material "may be problematic," Manning suggested that WikiLeaks could refer to a hotel located near where the arrest occurred; she "figured it would make it look more like a journalist acquired it... if the hotel was mentioned." Manning also advised Assange that she was "all over the place ... clearing logs," and that she was "not logging at all... safe .... i just wanted to be certain."
198.  
199. 74. Thus, in the quoted communications Manning and Assange discussed the form in which WikiLeaks could disclose the information about the arrest by Iraqi police, and the suppression of particular material that if released might reveal Manning's identity as the source.
200.  
201. 75. In addition, Manning assured Assange that by "clearing logs" she was taking the proper steps to prevent discovery, by leaving no trace on her computer of their communications.
202.  
203. 4. Assange's Knowledge That Manning Was In The U.S. Armed Forces In Iraq
204.  
205. 76. The March 2010 chats between Manning and Assange included military jargon and references to current events in Iraq suggesting that Assange knew Manning was an American service member in Iraq.
206.  
207. 77. For example, on March 6, 2010, Assange asked Manning, "it looks like a MiTT report?" MiTT is a military acronym for Military Transition Team, a team that trains local Iraqi troops.
208.  
209. 78. On March 18, 2010, Manning used the military term "MI" (for Military Intelligence) in a chat with Assange. Later that day, Assange wrote to Manning, "but remember...rules are just for the grunts..." in response to a discussion about the breaking of rules by an Army Lieutenant Colonel and senior officers. "Grunts" is military slang for enlisted military personnel in general and is often specifically used for infantrymen.
210.  
211. 79. Further, Manning made several references to specific events and places in Iraq (including the Tigris River) that indicated Manning was then in Iraq.
212.  
213. IV. MANNING AND ASSANGE'S AGREEMENT TO CRACK A COMPUTER PASSWORD TO ACCESS CLASSIFIED NATIONAL SECURITY INFORMATION
214.  
215. 80. As described below, during their March 2010 chats, Manning and Assange reached an agreement for Assange to assist Manning in cracking a password related to two computers with access to classified national security information. I understand the following through my review of the testimony of a forensic examiner in Manning's court martial, my conversations with FBI forensic examiners, and research on the Internet.
216.  
217. A. Background On Password Hashes
218.  
219. 81. A computer using a Microsoft Windows operating system does not store users' passwords in plain text for security reasons. Instead, the computer stores passwords as "hash values." When a user creates a password for the relevant username, the password passes through a mathematical algorithm, which creates a "hash value" for the password. Essentially, the creation of the hash value is a form of encryption for storing the password. The hash value — not the plain text of the password — is then stored on the computer.
220.  
221. 82. As additional security, the computer does not store the full hash value in one location. Instead, the hash value for that username is broken into two parts. One part is stored in the Security Accounts Manager (SAM) database as the SAM registry file. The SAM file in a Windows operating system keeps usernames and parts of the hash value associated with the username. The other part of the hash is stored in the "system file." To obtain the full hash value associated with the password, one needs the parts from the SAM file and the system file.
222.  
223. 83. Finally, as further security, Windows locks the SAM file and system file. Only users with administrative level privileges can access the files.
224.  
225. 84. However, even if a user does not have administrative level privileges, the user might be able to access the system file or the SAM file by using special software, such as a Linux operating system. A person, for example, can reboot a computer using a CD with the Linux operating system and view the contents of the SAM file or system file.
226.  
227. 85. The evidence suggests that Manning did just that. Forensic analysis of Manning's personal laptop computer reflects that she burned the Linux operating system to a CD on or around March 2, 2010. Through forensic analysis, investigators have further determined that Manning therefore could have viewed the SAM file of both IP1 and IP2 — the SIPRNet computers that Maiming primarily used — by rebooting them with the Linux operating system that she downloaded.
228.  
229. B. Agreement To Crack Password
230.  
231. 86. On March 8, 2010, at approximately 3:55 p.m., Manning asked Assange whether he was "any good at lm hash cracking."
232.  
233. a. At the time, Windows operating systems commonly used two methods for hashing and storing passwords, Lan Manager (LM) and New Technology Lan Manager (NTLM). Referring to an LM hash or an NTLM hash is tantamount to saying, "Windows password." Thus, in the above-described message, Manning asked Assange if he was able to crack passwords for computers running Windows operating systems.
234.  
235. 87. In response to Manning's question, Assange answered, "yes." Assange then stated, "we have rainbow tables for lm." A "rainbow table" is a tool used to crack a hash value to determine the password associated with it.
236.  
237. 88. After Assange claimed to have rainbow tables. Manning stated "80XXXXXXXXXXXXXXXXXXX1c." Manning then stated, "i think its lm + lmnt."
238.  
239. a. Manning likely meant to say "lm + ntlm." The hexadecimal string of text is consistent with the format of an LM or NTLM hash. Further, on Windows operating system version Vista or newer, LM is disabled, and only NTLM is used. Manning's remark that she "thought" that the hash was "lm + lmnt" suggests that she retrieved it from a computer running a pre-Vista version of Windows.
240.  
241. 89. A few minutes later, Manning further explained, "not even sure if thats the hash....i had to hexdump a SAM file, since i don't have the system file." Assange asked, "what makes you think [it's] lm?"^ Assange asked, "its from a SAM?" Manning answered "yeah." Assange then stated that he "passed it onto our lm guy."
242.  
243. a. In the above-described chats Manning informed Assange that she had accessed the SAM file with a program and had identified this particular 16-byte hexadecimal value as a potential LM or NTLM password hash.
244.  
245. b. By saying she retrieved the password hash through a "hexdump," Manning likely meant that she used a software program to view the SAM file in "hexadecimal format," in which raw computer data can be viewed.
246.  
247. 90. Two days later, at approximately 11:30 p.m. on March 10, 2010, Assange followed up on the issue. Assange messaged Manning and asked, "any more hints about this lm hash?" Assange stated, "no luck so far."
248.  
249. 91. Investigators have not recovered a response by Manning to Assange's question, and there is no other evidence as to what Assange did, if anything, with respect to the password. The numbers provided by Manning were part of, but not the full, hash. Manning would have needed the part of the hash from the system file as well to obtain the full value. The next chats that investigators were able to recover were dated March 16,2010. Thus, there is approximately a six-day gap in the chats after Assange asked for further hints on the hash.
250.  
251. 92. Nevertheless, the recovered chats described above reflect an agreement between Manning and Assange to crack the hash.
252.  
253. C. Password Belonged To A SIPRNet Computer
254.  
255. 93. Forensic investigators have determined that the hash that Assange agreed to help Manning crack came from IP1 and IP2.
256.  
257. 94. Using an image of Manning's SIPRNet computer hard drives, the forensic investigator booted it with the same Linux operating system that Manning burned to a CD on her personal computer.
258.  
259. 95. The forensic investigator then navigated to the SAM file on the computers. Using a hex editor, the investigator was able to view and obtain the precise hash value that Manning forwarded to Assange.
260.  
261. 96. The hash value that Manning forwarded to Assange was associated with the password for an "FTP" user on IP1 and IP2. The FTP user was not attributable to any specific person.
262.  
263. 97. Although there is no evidence that the password to the FTP user was obtained, had Manning done so, she would have been able to take steps to procure classified information under a username that did not belong to her. Such measures would have frustrated attempts to identify the source of the disclosures to WikiLeaks.
264.  
265. V. ASSANGE FLEES FROM JUSTICE
266.  
267. 98. On May 27, 2010, based on information provided by US2, Army investigators in Iraq took Manning into military custody at FOB Hammer. Manning was subsequently charged with a variety of criminal offenses in a military court-martial related to her disclosures to WikiLeaks, including charges alleging unlawful transmission of national defense information, in violation of 18 U.S.C. § 793(e), theft of government information, in violation of 18 U.S.C. § 641, and unlawful access to a government computer, in violation of 18 U.S.C. § 1030(a)(1).
268.  
269. 99. On July 30, 2013, Manning was convicted of most of these charges, including unlawful gathering or transmission of national defense information, computer intrusion, and theft of government property. Manning was acquitted of aiding the enemy and of one count of 18 U.S.C. § 793(e). Manning was sentenced to 35 years' imprisonment in August 2013.
270.  
271. 100. Meanwhile, beginning as early as November 2010 and as late as April 2017, media outlets reported that the Department of Justice was investigating charges against WikiLeaks or Assange in connection with the disclosures by Manning.
272.  
273. 101. On November 20, 2010, in connection with unrelated charges in Sweden, an international arrest warrant was issued against Assange. Following litigation between December 2010 and May 2012, the United Kingdom (U.K.) Supreme Court determined that Sweden's extradition request had been lawfully made, and the U.K. had ten days to take Assange to Sweden. Instead of appealing to the European Court of Human Rights, in June 2012, Assange fled to the Ecuadorian embassy in London. Ecuador formally granted Assange diplomatic asylum on August 16, 2012, "citing his well-founded fears of political persecution and the possibility of the death penalty were he sent to the United States." Specifically, Assange feared that "if he were to be sent to USA, he might be prosecuted and perhaps be executed by a military court in regard to his involvement in the release of stolen and leaked American documents on its crimes in Afghanistan and Iraq." See http://www.aalco.int/Ruling%20of%20UNWGAD%20on%20Julian%20Assange.pdf.
274.  
275. 102. Assange has made numerous comments reflecting that he took refuge in the Ecuadorian embassy to avoid extradition and charges in the United States.
276.  
277. 103. For example, in 2013, the WikiLeaks website posted an affidavit by Assange concerning alleged monitoring of his activities and the search and seizure of his property. In this affidavit, Assange acknowledged that he was "granted asylum after a formal assessment by the government of Ecuador in relation to the current and future risks of persecution and cruel, inhuman and degrading treatment in the United States in response to my publishing activities and my political opinions. I remain under the protection of the embassy of Ecuador in London for this reason." See https://wikileaks.org/IMG/html/Affidavit_of_Julian_Assange.html.
278.  
279. 104. On May 19, 2017, in response to Sweden's decision to discontinue its investigation regarding suspected rape by Julian Assange, Assange publicly stated, "While today was an important victory and an important vindication ... the road is far from over... The war, the proper war, is just commencing. The UK has said it will arrest me regardless. Now the United States, CIA Director Pompeo, and the U.S. Attorney General have said that I and other WikiLeaks staff have no rights ... we have no first amendment rights... and my arrest and the arrest of our other staff is a priority.... The U.K. refuses to confirm or deny at this stage whether a U.S. extradition warrant is already in the U.K. territory. So, this is a dialogue that we want to happen. Similarly, with the United States, while there have been extremely threatening remarks made, I am always happy to engage in a dialogue with the Department of Justice about what has occurred." https://www.bloomberg.com/news/articles/2017-05-19/swedish-prosecutors-to-drop-rape-investigation-against-assange.
280.  
281. CONCLUSION
282.  
283. 105. The evidence summarized in this Affidavit establishes probable cause to believe that the defendant, Julian P. Assange, committed the offense alleged in the complaint; namely, Assange violated 18 U.S.C. § 371 by conspiring to (1) access a computer, without authorization and exceeding authorized access, to obtain classified national defense information in violation of 18 U.S.C. § 1030(a)(1); and (2) access a computer, without authorization and exceeding authorized access, to obtain information from a department or agency of the United States in furtherance of a criminal act in violation of 18 U.S.C. § 1030(a)(2), (c)(2)(B)(ii).
284.  
285. Respectfully submitted,
286.  
287. Special Agent Agent Megan Brown
288. Federal Bureau of Investigation
289.  
290. Subscribed and sworn before me this 21 day of December 2017
291. Theresa Caroll Buchanan
292. United States Magistrate Judge
293. Alexandria, Virginia