You're listening to a stage talk titled Mapping Militia Networks with New America. This week we were joined by Candice Rondeau and Ben Dalton from the Future Frontlines Project at New America. They broke down their incredible methodology for tracing some of the most famed Russian militia groups on both Telegram and VKontakte, as well as providing invaluable advice for staying safe online. Whilst doing this intensive work, you can find links to all of the resources mentioned
in the talk in the podcast description. This talk was hosted by me, Charlotte Ma, on Thursday the 11th of September 2025, the Bellingcat Discord server. Welcome to this week's stage talk. Today we have the pleasure of hosting Ben Dalton and Candice Rondeau from New America. They both work on New America's feature frontlines projects, Ben as program manager and Candice as senior
director. Within the program, they use open source investigative tools, data mining techniques and journalistic methods to explore how network technologies from cyber warfare to artificial intelligence are reshaping global conflict, competition and influence. Today though they are here to talk about their work looking into online networks, specifically tracing online networks of militia and private military groups. You can find a lot about someone online, including who they spend
time with both online and offline. This is especially useful for tracking who might be fighting or supporting a group like Wagner for example. Within this discussion we're hoping to unpack what platforms you might find these people in, how you can trace their connections, and what tools might be useful in doing so. As we talk, please make sure to add your questions in the chat box via the message bubble icon in the top right corner of your screen.
And please note within your question, if you do not want me to read your username out, as I just said, this is being audio recorded. Okay, Candice Ben, tell us, how do you find these groups? So we were just sort of talking about the connection between Bellingcat and and Future Frontlines and collaboration. I'll just mention that I took a course with Elliot ages ago, Elliot and team, and it really was life -changing for me. So it's
really thrilled to be here. I thought I'd just open and tell you a little bit about New America and about Future Frontlines before we kind of dive into the work that we do and talk a little bit about our methodology. For those of you who don't know New America, we are a think tank based in Washington DC. We are non -partisan and non -profit quite genuinely. Unlike a lot of think tanks in DC, we are not a government in waiting.
A lot of the people that work here are former journalists or people who are still have one foot in journalism, but also work in policy on specific issues. And Future Frontlines sits within our global programming. We've been around since basically 2018, around the time that I started working on looking at the Wagner Group, which is sort of the jumping off point for the project itself. And I'll give you a little bit of background about that. So, we began this project in 2018.
And by that time, The war in Ukraine obviously had been going on for four years. The war in Syria was really heating up with ISIS, very active
in Syria, but also in Iraq. And the origin of our work on the Wagner Group began with a question about the changing nature of proxy warfare, the ways in which states in particular, like Russia and other countries, the United States, were engaging proxy actors who were not part of their normal conventional militaries to do their bidding in places in the Middle East and also in Eurasia. And my background is in sort of Russian area
of studies and so is Ben's. And I sort of took to the idea that there was a lot that was being talked about in terms of little green men and Wagner. Wagner was just kind of beginning to pick up its sort of brand recognition at that stage in 2018. But nobody really knew much about the organization. You know, it was a lot of rumors, basically. And I think the moment that changed everything for Wagner's profile, there are probably
two that we can talk about today. One is the most famous, which is the Battle of Khashom, or sometimes known as the Battle of Conoco, which is when a group of Wagner forces started to try and take control of a gas plant in northeast Syria that used to be owned by Conoco, an American oil company. And it was during this clash on February 7th, 2018 that we saw just tremendous amounts of casualties on the Russian side. They clashed with US special forces who were defending
the gas plant in nearby territory. And it was a breach essentially of a informal to formal, what people call a deconfliction line, where US forces and Russian forces operating in Syria and pursuing counter -terrorism operations against ISIS and other players were meant to at least communicate when they were in the same area to avoid these types of friendly fire or kind of semi -friendly fire clashes. But it happened
anyway. for reasons we can get into later, mostly sort of backstory politics about what was going on in the Kremlin. And the clash led to about 200 Wagner group casualties. And what was interesting about that moment was it really lit up the internet. It lit up the contactia, which is Russia's Facebook and Telegram. There were just wild rumors about how many casualties were actually you know, on
both sides. At some point, one of the most prominent nationalists in Russia, his name is Igor Gurkin, who had connections to some of these far -right groups like Wagner, insisted that there had been 600 casualties. And so, there was a lot of controversy. And that battle ignited a lot of interest in what Wagner was doing and who it was connected to. And luckily, it coincided with the kickoff of our project on proxy warfare. which we started with two or three primary research questions.
One was to try and understand how do PMCs, private military companies, like Wagner actually operate. They were built as a private military company, but they seem to be acting really differently. And they also seem to have connections to other networks of unaffiliated masked men, little green men, including an organization many people now know as Rusich, which has deep roots in St. Petersburg and far -right ultra -nationalist movements. And so we wanted to figure out how are these
groups connected. And I was just sort of starting this experiment pretty much on my own. I did have some help from Arizona State University, where I also teach classes in security studies and journalism. And I connected with some young students in computer science who were really interested in also kind of unraveling this mystery. And it was with their help that we began to apply a combination of network analysis and social media analysis to try and understand the footprint
of this organization, at least virtually. And through that work, we stumbled on one of the earliest iterations of a Wagner Group channel or follower group, and it was called Cheve K. Wagner Military Review. At the time when we discovered this one single account, there were probably
about 6 ,900 followers in the account. And the thing that was interesting about it, as you can see from this picture here on the far right, there's a picture of a statue that looks like, you know, some sort of, you know, a fighter or warrior. And this became, along with some other symbols, a pretty important marker of Wagner's identity because it was actually sitting inside a base in Syria where Wagner forces and Rusich forces were, you know, bunked out in barracks.
I didn't know that at the time. I had to do a lot of digging just like everybody else does. and looking at the connections. But there were some things that jumped out of me as a Russian speaker, which was some of the symbology, this sort of throwback to the Soviet era of glory, the use of paramilitary and paratrooper symbols, and also, of course, a lot of Nazi themes throughout. So when we discovered this one singular count
in late 2018, it was about 6 ,900. And over four years, those accounts of followers would go to 355 ,000. So, that's a 5 ,000 % growth rate. And it was very telling because it really tracked very closely with what we saw was the expansion of Wagner's actual ranks and its operations, not only in Syria, but also a Central African Republic, Sudan, Libya, and eventually, Mali. But it was really a case that kind of floated to the top in some of these chats on this particular
channel that really caught my attention. And it was actually when, in 2019, when we began to look into the case of a man who was murdered online, on camera, a man who went by the name of Hamdi Bouta. He's a Syrian. who was born and raised in northeast Syria, had departed to Lebanon to do some day labor work. And in the summer, spring of 2017, he returned to see his family. And upon his return, he was captured crossing
the border. And nobody knew at the time, you know, when all this was unfolding, who he was or what his identity was. But the one thing that everybody knew was on this J .V .K. Wagner military review site was a constant stream of conversation
about a video that cropped up. It was about two minutes long, depicting several men with masked faces, and you can kind of see them there to the left in the picture, wielding a sledgehammer and beating this man, unarmed man, mercilessly on the ground of some sort of industrial site. And so we used all the usual techniques that you all know very well, geolocation, to kind of try and understand where exactly this event
was happening. And of course, OSINT is always a collective enterprise and there was a lot of exchange between Russian journalists and Western journalists who are trying to figure this out. And there was one in particular that bears mentioning is Kirill Mikhailov, who was really one of the first to kind of identify the scene, or at least guess that this was happening somewhere near Palmyra, Syria, where Wagner Trucks had been
operating for quite some time. It was when the first two -minute video appeared that there was certainly a sense that this had happened in Syria, but still even then figuring out their identities was tricky. Then, a little while later, another two -minute snippet appeared. And this is a video where the same men were depicted basically beheading and then dismembering the body of the man that they had beaten to death, was a sledgehammer.
And then carving the initials – and this was, for me, the biggest clue of their, I suppose, former military unit, the 131st Vedeve. onto the chest of the dismembered body and lighting it on fire. All of these things were kind of, you know, the regular practice of Wagner. In some ways, a lot of torture videos, a lot of trophy videos was a way for them to bond and also to kind of show their prowess to each other, but oftentimes the material was leaked, basically.
We sort of were able to pull everything together through a couple of different techniques. With the help of our student team at ASU, we tweaked a tool that we found online on GitHub that was very useful for sounding out a geodata and metadata posted on Vakantaktia. And Ben is showing here
actually. our tool, the Future Frontlines Ghost Tracker, where if you enter a particular location and a time and a date and you drop a pin, you'll usually find within a 50 -meter radius, if anybody's posted pictures in those areas, you can usually find those pictures. And it was through a series of soundings around the Palmira area. that we were able to locate a number of people who were posting pictures that had a very similar sort of background to what we were seeing in the background
of that video of Hamdi Bhutto's murder. And it occurred to me that actually, while we could kind of see pieces of the puzzle, we couldn't see the whole picture. But when we sort of pulled back a little bit, and started to look at the networked relationships between the people who were posting pictures and the networked relationships, people who were friends of certain users in the CHVK Wagner account who were extremely active.
It's then that we realized actually the network effects of this organization are much more powerful and easier to trace. And it's a way to sort of additionally verify connections between people. Of course, there's more work to do and then we'll talk a little bit more about what that looks
like. But this picture that you're looking at here, this image, represents a slice of a network that we carved out of both looking at the JPEG metadata from posts using our ghost tracker on the contactia and then also looking at the friend relationships between different individuals who
had signed up to J .V .K. Wagner Review and had certain profile attributes, many of whom were based in St. Petersburg, many of whom had served in the airborne VDV forces, many of whom said that they had served in Donbass in 2014 and 2015, several of whom bore Nazi logos or Rodin -Avare symbols, which was the Russian sort of pagan religion. And at the center of this network, it's kind of hard to see from this level, but there were three or four individuals that really
stood out to us as A, closely connected. So we were really also tracing the tightness of the network and the closeness of the relationships. And we discovered Oddly, at the center of that were some of the most active members of Russia's ultra -nationalist movements, including a guy named Alexei Miltakov, who is now quite famous. He was the commander of Rusich, this ultra -right,
ultra -nationalist neo -Nazi group. And then several members of the Russian imperial movement and the Russian imperial legion, which is an incredibly important part of the Wagner group's kind of background. as many of the individuals who trained with Wagner in the early days had paramilitary training in St. Petersburg through the Russian imperial movement, which was founded by members of the Vedeve airborne. So there's
a lot of common threads. And if you sort of using network analysis techniques and big data analysis, we were able to kind of see how they all connected to each other. What was interesting about this slide, I'll just mention this before handing it over to Ben to talk a little bit about more of what we found, is that four individuals on the right, so Milchakov and the three others from Russian Imperial movement, had actually been sanctioned by this time, by the time we're
doing this work. But the one on the left, Yashakov, had not been sanctioned. He was actually quite active and very important to some other operational parts of how Wagner worked that we later discovered. So what we understood is basically, if you want to really understand how these kind of shadow operators work, nine times out of 10, you're going to find them talking to each other online somewhere. And that's no mystery to most of you
who do this work. But for us, what was revelatory was that the contact you in particular had some interesting design features that made it extremely exploitable. Most importantly, because the Russian state seems to be very keen that online platforms like Vakantaktia maintain metadata for surveillance, it makes it easier for other people, including public interest investigators, to also mine that metadata and put the big puzzle pieces together using network analysis. Over to you, Ben. Thank
you, Candice. So, yeah, the approach that Candice was describing was working so well for us that we decided to expand it and continue it over a period of years. So there were two main waves of collection. So just to recap, you know, we have identified these VK groups of interest using the tools that Candice was describing, using tools like the Ghost Tracker to find accounts of interest. And there was a period of collection
that lasted from 2019 to 2020. And then again, we did another round of collection in 2022, about six months after the full -scale invasion. And we focused really on three overlapping groups on BK. So one was that CHVK Wagner Military Review Group that Candice was talking about. The other was the main kind of official group for Rusage. And the third was the main official group for the Russian Imperial movement, all of which had overlapping memberships, as you can see if you're
listening live on this chart here. And just to be clear, by collection, what I mean is that we expanded to bulk data collection of members of VK groups using the VK API. So this enabled us to create datasets with full profile data for every member of these VK groups. And that included their intergroup friendship connections. I'm told that this is an audience that appreciates
some degree of technical detail. So I will note that between these two periods, we had to make some pretty significant changes to the API script to accommodate changes that VK itself was making to their API that made it a little bit more difficult to do this. And we also had to contend with the groups themselves practicing sort of greater and greater degrees of OPSEC and sort of information security as the years went on. But because of these two main periods of collection, we were
able to compare how they changed over time. Candice already mentioned this huge group in the Wagner group, but pretty much they all experienced significant group over time with a significant membership core that remained substantially the same across the years. So as I said, the VK API gave us public data for members in these groups, and that enabled us to do a pretty granular analysis of graphics and the geographic distribution of the members, or at least as self -reported on their account
profiles. And what I'm showing now, I'll describe it for those listening after the fact, it's a map of just one of those variables, which is specifically self -reported locations. As you might expect, the majority of them are in former Soviet countries, but there is just this massive geographic distribution. I think we found 177 countries in all. around 5 ,000 of those people based in Europe. And in the interest of time, I won't show you other variables that was military
unit identification. There's a field on BK where you can say where, you know, in what military unit you served. We hired a team of researchers to basically identify which of those were real existing military units, which were historical and which were fictional. People would claim to be part of Warhammer 40K and like fictional units. And then we mapped the ones that are actually
existing. And long story short, we were able to identify some active duty members or service members of units in NATO countries using that method. So a couple of slides ago, Candice was showing you one network analysis that showed interlinkages as some of the central figures in these groups. What I'm now showing is sort
of looks like a tangled ball of yarn. So this is one of our working network visualizations of membership links among those three main VK groups that we analyzed in 2022, which yielded some pretty interesting results. So we were able to identify highly central nodes in this network, even if they were not a member of any of those three groups. So in other words, there were VK members who had extensive friendship ties to members of these three groups, but were not themselves
members. which led us to dig really deeper into some targeted profiles and yielded some interesting insights. And I will again shout out the work of the Information Competition Lab at Arizona State University, who we've worked with for many years on subjects like this and has helped us a lot with this kind of analysis. So when you put all of this together, you have data from figures that we identified through social media
collection and network analysis. We had sort of a more typical OSINT collection of other public data across the web. You had public bloggers, such as these two gentlemen who are now deceased, who would often share useful information, whether or not they realized it. And this led us to identify figures of interest who we believed played a role within the recruiting and command structure and propaganda structure. of this organization, specifically the Wagner Group, but also a larger
network of Russian paramilitaries as well. So I joined the team in 2021, and a couple of years after that, we gained access to a cache of internal data that belonged to companies associated with the Afghani pre -koshen. And much of what we found at that point corroborated our earlier work in terms of who we had identified that was of interest. So, you know, after collecting everything that we had, We organized it temporally, geographically. We ended up building robust dossiers, we called
them, of key figures within this network. We selected people who were prominent or held command positions, but also potentially for their alleged involvement in atrocity crimes. and published a set of these, about 24 of these, about a year ago, fall of 2024. And we're continuing to work
on more. The slide that I'm showing you now is one of my, I don't know if I would say favorites, but a gentleman named Vladimir Katayev, former Spetsnaz GRU, who, you know, I think he's interesting because he really shows the ability to move up the ranks. So he was like I think a platoon commander of some kind in 2017. But by the time that he was participating in the assault on Bakhmut in 2023, he was one of the assault attachment commanders. Is there anything that you'd like to add to what
I just said, Candice? Yeah. Well, one thing I think is interesting, I'm so glad that you picked the Kataev picture because the through line here is actually Kataev was also one of the perpetrators. in the murder of Hamdi Bhutta. And it was his
unit. And we all discovered this later. And that was the most fantastic part about, you know, sort of doing this work over several years with different researchers kind of coming and going and helping us, but continually applying the same methodology, which is, you know, big data collection, small sort of anecdotal OSINT verification combined with network analysis, those three things.
Plus, a pretty robust knowledge of sort of how the Russian military is organized, what its traditions are, and sort of digging into that helped us to kind of actually see this through line from one crime. And, you know, nobody knew that Katayev
was actually involved. But it was later when we also got access to some of these leaked documents that were shared with us from our partners, C4ADS, another organization based here in DC, that we discovered actually there was a whole set of reports in which Kataev and several other members of his unit were identified as the perpetrators. So, it was both gratifying and also kind of scary, you know, the level of accuracy that we were able to kind of produce by combining all these
methods. was really quite powerful. And if you go online and you take a look at our site, which is still active and we're still trying to find ways to upload more information there, you'll see actually not only were we able to do a network analysis and identify individuals, we were also able to really put together with all of these details, the command structure, which when you're looking at war crimes, is extremely critical for understanding who was giving orders when
atrocities occurred in a given area. In many cases, through triangulating all this data, we were able to also establish who was where when and which units. And so the dossiers are a reflection of a small batch, but in actual fact, we have a rather large database of about 13 ,000 personnel whose rank and their movements and their background. has been all documented. The one thing I just need to say is Bellingcat has been part of this
journey along the way. We've always had them as a sounding board, along with our colleagues at ASU and C4ADS. As always, OSINT is a collective action power that we all have to tap into and rely on to get the work done. Over to you, Charlie. Thank you so much for giving us a lowdown on your methodology and how you have looked into this group. There's a thousand questions in the chat, which I'm really excited to speak to you
about. Tristan actually said when we were unpacking a lot of what you've been doing, collecting information like this and platforms is always a cat and mouse game. Both the platforms and the targets change their behavior and the collection has to respond in kind. One of the biggest questions that's been coming out is how do you make sure that the people that you are IDing, how do you make sure that you haven't got any false herrings? Chris asked, what percentage of profiles mapped
do you expect are red herrings? How do you confirm those IDs? Yeah, well, a lot of work has gone into the dossiers in particular, I will say, and they're I guess there's a distinction and Ben can talk a little bit about kind of the mechanics of doing transforming raw data from leak files that shows a pattern of command structure versus
looking at where people were when. So, when we take the dossiers, what we're really doing is kind of scissoring down like through the network, almost like taking a piece of the spider web and then putting it under microscope. and saying, OK, what do we know about this individual that's in the public sphere? So we do all the normal things. We look for corporate registration information, tax IDs, matching birth dates. We look for their own social media profiles, which oftentimes many
of them were still live. Or interestingly, Not surprisingly, the community of OSINT, who's very interested in the Wagner Group, had spent a lot of time archiving also some of these live profiles that were very popular and well known. And in addition to that, medals were also handed out to individuals in many cases from the Kremlin. And so we could also check sort of the official register to see, you know, which medals were
handed out when. And actually We had a researcher from Stanford University, a fantastic statistician and data analyst who helped us kind of build a verification for our data set. And Ben will talk a little bit more about the technical aspects. Yeah. So I should note that things that are just purely social media data, we would not... published personally identifying information without extensive
corroboration from other sources. So when I showed that map earlier that showed the geographic distribution of members from these groups of interest, that was not identifying who they were individually. It was only identifying the geographic locations. Whereas when we identify a specific person, like the Kitaya figure, that has been extensively corroborated with, obviously, their online activities,
but also internal documentation. And by the time that actually we were, we published this, he was already essentially a quasi public figure because there were like news reports about him. Um, in terms of, yeah. So Ken has mentioned we have this, um, this dataset of Wagner group personnel, um, going from all the way back to 2014 up to, uh, I think it's 2022. Um, and for that, you know, this is basically, uh, you know, diskewing their own internal personnel lists into a highly
organized and structured data set. And so the data is coming directly from companies that are associated with or were associated with the Gepgini precaution. And that's the corroboration that we're looking for and that we've gotten. But even in that case, we've not made that data set public. So it's not freely available on the internet, because again, it contains an enormous amount
of personally identifying information. The people who we explicitly identify publicly are like sort of the crème de la crème in terms of cooperation and involvement in these activities. Absolutely. And cooperation is super important when it comes to identification. As you mentioned, there's been a couple of people asking about what you do if you find that when you're tracking someone across profiles, that they've got different usernames
on different platforms. It's very common. Often people spell their name differently as well. What kind of techniques have you found across platforms from this particular group when they're trying to maybe hide who they are or obscure the ability to trace them? Being a member of a paramilitary organization or any organization that systematically uses violence for enhancement of their own influence. Even in secret organizations, there's a lot of flexing within their own networks.
So, by that I mean there's kind of like a lot of symbology, there's a lot of bragging, there's a lot of, you know, seemingly secret chatting. I'll just give you one example. So, Rusich is a fantastic example. We have a colleague who was extremely obsessed, probably still is extremely obsessed with Rusich. and following the Instagram account of Rusich, which was live up until about 2019 -2021, actually, and sort of had gone up and down, but was like the most active way to
see what was going on with Rusich. And one of the habits that they had was putting information in kind of a coded chat to each other, sometimes using, you know, poetry from the Poetic Edda, which is this sort of Viking era poetic epic. But then also using slang that actually most of the slang comes from military culture and particularly very specific military culture. Just like the special forces in the United States have a certain way of talking, so do the airborne
forces of Russia. And the vast majority of the most active and most kind of high profile members of Wagner and Rusich came from the Airborne Forces or Spetsnaz or both. And that's stuff that you just have to kind of study. But one thing that happens oftentimes is because they're so enmeshed in that culture, even when they want to separate themselves by like having different aliases, almost always there's some sort of weird signature
overlap. You know, because a lot of them are Nazis, just as an example, you might see the number 88 come up quite a few times, right? You know, there are other things that are just such, you know, if you spend too much time in these far -right circles, you kind of start to recognize them and you can see the links between them. And then again, I just want to, you know, commend all the people out there who are doing such a good job of archiving a lot of this material.
And the other places that we don't talk about very much but are kind of important to recognize are the kind of weird dead bases of the internet, like .su. which is the Soviet Union, the old, you know, domain area for the Soviet Union. That's where a lot of far right, ultra nationalist conversation goes on. And that's where you can do a lot of verification of how people change their identities over time based on the kind of symbology that's been used there. Probably Ben has some other
tips too. Well, yeah, I mean, and this might seem a little bit obvious, but like, so on both VK and Telegram, which are the two still the two main platforms that I think that we monitor most closely, These groups, they have a dual purpose, where they're public -facing in the sense that they serve a propaganda function, they serve a recruitment function, sometimes
they're being used for crowdfunding. But at the same time, they're important for internal purposes, to form a sort of internal culture and internal coordination. And so they're public, but they're quasi -public, right? Um, and because of that, we also understand they all exist on like the knife edge being banned at any moment. Um, and so they will often have one or more backup groups that they will fall back to if their account
is banned. And, uh, if you just like get really obsessive and spend an enormous amount of time in these communities, you, you effectively, you know, you'll have as much information about their online structure as the, as the members themselves do such that, so just to pick one example, um, We've been talking a lot about research. They had a telegram channel that I'm going to get the dates wrong because it's been a couple of
years now. But back in the fall of, I want to say 2023, it was banned because they posted explicit instructions for like how to torture prisoners of war and then extort their family members for Bitcoin by like, you know, holding the location of where the body was buried. And this was too much even for telegram. And within 24 hours, the channel was banned. Um, but they had, you know, usage too, that they had already created
that stood up, um, immediately. And so they, you know, operations continued right back at it. And, um, that's maybe not the best example because research is like pretty, you know, prominent on telegram. It's not hard to find them, but like, it's a, it's a, it's a consistent pattern. Um, and if you just are really obsessed and spend a huge amount of time watching them, you will be able to know about all of their little backup and, you know, monitoring can just like continue
as seamlessly as their operations do. We often, whenever we're talking about network analysis and particularly identifying individual people, often we speak about the ethics of maybe infiltrating kind of closed groups or what's the difference between monitoring afar and then also kind of friending or befriending people on platforms so that you can monitor their profiles using a sock puppet. How do you kind of balance those
ethical arguments within your research? Yeah, well, I mean, I think everybody wrestles with those things. And I think as the field has evolved, and also platforms have kind of evolved, as we've been talking about, you have to evolve your own ethics, of course. But generally speaking, you know, of course, I always had a lot of young students who were, you know, helping with the research. People were much more computer savvy than I am, who wanted to kind of engage with
these guys. And I had to explain, you can look, but don't touch. And that was like kind of a rule of thumb for all of us, largely to protect us in our own security, because this is an organization or sort of a network of organizations that is very bent on vengeance and targeting people. And of course, they're connected, broadly speaking, they were connected to Yevgeny Prigozhin's various media enterprises and propaganda enterprises,
most notably the Internet Research Agency. which, you know, has a legendary hacking capacity and trolling capacity. And still to this day, actively does a lot of trolling of individuals who study and work on the Wagner Group or look at, you know, some Russian propaganda and ultranationalism. So, for us, it was kind of a hardbound rule that, you know, we were not to engage. Of course, we use sock puppets, you know, to constantly do our monitoring. And we were very regular about
it. In terms of... And we never did any sort of hacking, you know, there was no, that's also a no -go zone for us. We want to stay within the bounds of the law and sort of ethical standards as best we can so that the work can actually do the good it's meant to do, which is to expose perpetrators of war crimes and atrocity violence. I guess the follow -up question there, as Chris has just asked in the chat, is what are your top tips for OPSEC? What are the... steps that
you take to protect yourselves? Well, they're the basics. I mean, obviously, you know, if you're going to be monitoring on social media, always better to do it with sock puppet. Good to rotate your sock puppets as well. Keep them active and alive and looking like they're engaged so they don't look like sort of zombies that are sort of trawling around on the platform. Try and make them to some degree fit with the culture that you're looking at. So you can sort of camouflage
yourself. You shouldn't be sort of, you know, wearing maybe like a rainbow flag if you're entering an ultra -nationalist right -wing space. As an example, right, that shouldn't be your sock puppet identity because that will immediately attract attention. So trying to blend in is really important. Using a VPN, critical, must do it all the time. We use burner phones, as many people do, for a lot of our interactions. So as an example, I don't have Telegram or VKontakte on my phone.
I usually have another phone for that so that I don't have any crossover between my personal or professional life and the research and investigation I'm doing. And we, you know, we don't really talk about what we're doing until after we're done doing it. And so we oftentimes work with, you know, sometimes as many as, you know, 12, 15 different sort of student researchers or faculty researchers or people that we're sort of in collaboration
with. And I think, you know, we've done a relatively pretty good job of sort of minding our P's and Q's when it comes to just being quiet about the work that we're doing. No point in bragging about it because there's nothing to show then. So, and in fact, this isn't really sort of an enterprise, I think, that really is good for bragging. I think there's just, you know, the work requires a certain amount of humbleness because you can also make a mistake. And I think you also have
to recognize that on some level. I'm sure Ben
has some other tips too. Yeah, I mean we also in addition to burner friends we've used for burner air gap laptops Occasionally over the years who've gotten I guess you could call like external hard drives of dubious origin That you don't want to just like plug into your regular device for pretty obvious reasons And so that we have a sort of sacrificial lamb laptop that you could use for that This another one more thing that I think speaks to a question like
one or two questions ago Which is that if we're publishing like a major report? um, on a, on a public figure, um, we will, you know, do traditional journalistic diligence and, and ask for, um, comment. And that usually does not, you know, usually they're not interested in speaking to us, but there is a stage right before one of the last stages, uh, before going live where we will do that. Right. So that's sort of part of the, the basic ethics of of doing an investigation.
Yeah. Just circling back to kind of techniques that the groups also use to try and obscure their identities. Somebody mentioned earlier, you know, how Vucic seemingly intentionally time -lags location -based content posted to its Telegram channel. Does that happen on VK as well? I think in those cases, chronolocation becomes a skill that is absolutely paramount. It takes time and
effort. Um, but that's where you don't just rely on the time tag of when something was posted, you're constantly checking, um, if you can do locate and then chrono locate particular imagery or videos, for example. Um, I don't know if you have anything else to add to that particular point before we move on in terms of ways that people obscure information on mine. Um, yeah, I'll just say a few words. Uh, but research absolutely does this all the time. Uh, they're kind of notorious.
They have seemingly just like an inexhaustible archive. Um, that they will post from all the way back to like, you know, here's Milchakov in Syria in 2017, or here's where we were in Ukraine circa, you know, late 2022. And they'll often actually identify it with like the location and time, which, you know, you can't really take their word for. Or, you know, alternately, they'll post without any kind of identifying information.
I think that in general, they're pretty careful and pretty good about not revealing anything. Um, that would give away their current operations or at least their operator, you know, in anything that could affect their ongoing operations. Um, just to, yeah, just to, you know, I'll agree with the point that you made that you have to do a lot of due diligence to actually confirm that the thing that they're showing you, um, is from the time and place that they're claiming
that it's from. Yeah. Don't just take their word for it. Circling back to the tool that you mentioned, we've had a lot of questions on that. A lot of people are interested in it, as you can imagine. Is it open source? Is it available anywhere? There's been a lot of people searching for it on GitHub, for example. Can you tell us a little bit about the development of the tool? If it's open source, where is it? And if it's not, how come and is there a plan to do so? I knew this
question would come. I do believe the actual original code. is somewhere in GitHub. And perhaps after the fact, we might find a way to share that. Our code is updated and cleaned and refined for location accuracy. We haven't put it online or made it open source yet. Again, for some of the same reasons that we're a little bit sort of nervous about sharing some of the data that
we have. We're trying to sort of wind our way, and I think we probably will find a way to make a lot of our tools, techniques, and data more accessible, likely on a tiered basis. Again, because this is really sensitive information that we are hoping will inform war crimes investigations that are ongoing. Not only in Ukraine, I just want to mention there are places in the world where Wagner and Rusich have operated where there aren't a lot of human rights defenders out there.
So Mali is a great example. Syria is another good example. And yet there is, I think, an appetite still to see some justice brought. And I guess that's why we're a little bit cautious about being too open with our tools and methods and data. However, in certain settings, we are happy to share with certain... types of folks who are kind of interested in that particular type of
work. So yeah, the version, the original code does exist somewhere on GitHub in the pre -modified version, but in order for it to work functionally today, you'd have to make pretty extensive changes to it, both the ones that we made, but also literally just to like update it to work with VK's existing modern API, which changes all the time. The first version was just a week or two. We had some very, very clever mathematicians and computer scientists
on our team who managed to tweak it. But Ben has progressively tweaked it again and again as the API has changed, as platform rules have changed. So it's one of those tools that has to be constantly updated. Gio Crow has just asked, what is the name of the GitHub project? I'm guessing you don't know from the original source code. I'm sure we have it somewhere. If we can find
a way to share it, we will. Fabulous. Is there any tools that you would recommend outside of the ghost track tool that kind of do similar functions or are useful at least for searching telegram connections or VK connections? So I have this dream. This doesn't exist yet as far as I can tell, but it's something that I would love to see built. which is something that would
do something similar for Telegram. Now, you can't build something that just like searches for geotagged content on Telegram the same way, because almost
nobody posts geotagged content on Telegram. But one idea I had was, especially in parts of the world that are relatively less dense and more remote, like for example, a relatively undeveloped part of Mali or the Central African Republic, a tool that like the ghost tracker that we showed, draws a bounding box around a geographic area and then searches for recent posts that mention community names, drawing from like open street map data within that area in a variety of languages.
So like Russian, English, Arabic, et cetera, which could be a way of sort of like fishing around for interesting posts and identifying channels on telegram that you might not have been aware of. previously that are posting content on that. And if anybody out there has the technical chops to build something like that, I would love
to see your work. Yeah, other tools I would just mention, and these are things that actually, I mean, I'm pretty sure our methods are replicable because we've had to reiterate them over and over. But I certainly think if you're scraping data, particularly social media accounts, but I would say exclusively, I would say there are other kinds of data, too, where you can create a searchability and connectivity capacity there.
So doing network analysis, for instance, on social ties or common characteristics and attributes. But also, again, the Information Competition Lab has been extremely helpful. Some of the work that we did, for instance, on the January 6th Parler data that was released very shortly after the riots on Capitol Hill here in DC, was really facilitated by the creation of essentially a SQL database that allows us to dump open data into it and then search it by text and number
and moniker. Those are things that actually can be replicated, I think, with relative ease, especially now with the support of AI. And again, if we get time, and some sort of support out there in the world to continue doing our work. We could probably come back and kind of share some, just some tips on specifically how to do that. And maybe invite our colleagues from the ASU lab to join us. That sounds amazing. Saiva has put in a really good PSA though in the chat. Fair
warning to any budding code developers. Any trolling tool has a high chance of leaving a significant footprint on the platform you're accessing. which means your activity could be tracked back to you and used maliciously. So please, please be careful if you are building tools to do such a job. Yeah, 100 % on that. I just want to say the tools I'm mentioning, especially, you know, kind of these specialized search tools for particular data, all of that's happening in a virtual machine.
So really important to work in a virtual machine or in a virtual environment that is shielded and not connected to your target. Absolutely. I also noted in the chat, if you're interested in this specific discussion, you might want to check out our previous discussion with the All Eyes on Wagner team. They talked about monitoring Wagner mercenaries in Africa. So you can look at that conversation, if you would like, on our RSS feed. or on any podcast platform by searching
StageShorts with Bell and Cat. We've only got five minutes left, which is a shame because there's so many more questions in the chat. Guys asked earlier, are there any best practices you can identify in regards to extracting an accurate, incredible pattern of life from web data, especially in the context of the platform and community? I mean, I think it's really specific to the community.
I have to say that This is such a specialized community, and yet the signature of how they kind of tend to act and to flex and to communicate does have a lot of transferability. So for instance, we've looked at others of American far -right groups that have kind of similar ways of communicating with each other. And I guess as a result of a lot of our work, we've also inherited a lot of
data that people want to share with us. because I think they kind of have a sense that maybe with combining our methods, we can kind of, you know, get a sense of the pattern of life. The pattern of life is super hard. I don't even think, you know, some of these AI programs like Lavender or whatever that the Israelis are using. I mean, they're just... they're always going to be dirty because the data is always going to be dirty. So you shouldn't be expecting like 90 % accuracy.
You're just always going to have to triangulate to understand pattern of life, which is mostly really familiarizing yourself with the history and culture of the social group that you're looking at. You can't just go on faith of kind of leaked corporate data and then some social media and then that's it. Because you really need to understand what is it that glues this this network of people together. And people work in networks. The only biggest lesson is every social group in the world
operates in a network format. And it tends to be, you know, the more extreme, I suppose, in kind of commitments to violence, the more likely the signaling amongst that network is going to become super obvious and quite routine. and very easily recognizable. I don't know if Ben has
any other observations. Yeah, I don't know. A word of caution, I guess, which is that at this point, you know, I assume that most of the accounts that we track are probably using a sort of a hybrid pattern of sort of generative content and then human generated content. And it will switch back and forth between them. I think most platforms at this point have gotten I don't know, relatively good at detecting just like purely automated content and you just like the pure
bot. Um, and, uh, but at the same time, if you're just like a single human plugging away during your sort of information operations, then you're, you're not, you know, competing at the level that you need to in today's information ecosystem. And so I, yeah, I, my, my hypothesis dealing with these, these groups and entities is that
it's sort of like a hybridized. pattern, which makes, yeah, pattern of life really difficult because you can't really tell when their online activity is sort of the human or whatever sort of generative content is also potentially posting on that account. What tipped you off for high level command profiles identifying the command structure? What was the key signifier that you'd
found someone who had a high level command? So, this really started with that Chebyka -Wagner review group that we mentioned on Vkontaktia that we kind of stumbled on in 2018, just as all that stuff was happening with the Battle of Khashom and their world was kind of lighting up. One thing that happened on the anniversary of that, so in February 2019, so one year later, was that somebody, and I still theorize to this
day that it was probably a Ukrainian off. But somebody threw up a message saying, you know, I remember, you know, the fallen of the Battle of Khashim, I'm paraphrasing here, you know, and then the next chat line was, who served where? And weirdly, at that moment, just suddenly like dozens and then dozens and then hundreds of guys would just... answer with their Vechay number, which is their military unit number. And I realized, holy shit, these guys are just openly identifying
themselves. And I'll note that that's when I also realized that many user accounts on Bacontactia, you know, especially for guys, it's pretty typical to have the unit that you served in as commscript posted. It's kind of like where you went to high school, where you went to college, university. It's part of your profile. You don't have to fill it out, but many guys do because it's a way to find each other and also to show that you've done your service, you've been a patriot
and so forth. And so we collected all of those, put them into a spreadsheet, and then we did a lot of verification. This is the early days even before Ben was around. You know, our first attempt at this was kind of the data was a little bit dirty and we didn't understand at first how many were imitating units and how many were real. It was only later as we started to refine our methods and realize, oh, we can actually segment this profile data on military unit affiliation.
But that was the most telling piece was just where people had served and then having an understanding of who was central to the network. And the vast majority of having a particular profile and a particular affiliation with units that were known to be very active, for instance, in Georgia in 2008. and some other sort of ghost operations that well preceded the incursion in Ukraine.
So a lot of it, again, is this combination of kind of understanding the culture, like the literal culture, not the online culture, and then doing a lot of historical research to put it all together. Amazing. Thank you so much for giving us that detail. I know Chris, who asked the question initially, really appreciates it. Thank you so much for coming into chat today. I have a bunch of people in the chat right now saying how much you've humbled them and also how much they've
enjoyed this talk. Please do check out both Candice and Ben's work at New America. I put the link in the chat and I'll also put it in the description of this podcast, along with all of the links that we've discussed today. And please tune in in two weeks time for the next stage talk. But until then, take care and thank you again, Ben and Candice, for your time today. Thanks so much. Thanks, all. Thank you, everybody. Thank you
for listening to the Stage Talk. If you'd like to catch a Stage Talk live where you can ask the guest questions, join the Bellingcat Discord server by visiting www .discord .gg The music you've heard is titled Dawn by Newer Self and is courtesy of Artlist.