The Washington PostDemocracy Dies in Darkness

Bellingcat breaks stories that newsrooms envy — using methods newsrooms avoid

Kremlin critic Alexei Navalny is shown in a recording of a phone call in which he tricked a Russian state agent into confessing his role in attempting to kill him. The disclosure built on the work of Bellingcat, the global investigative corps. (Navalny.Com/Reuters)

In his hunt to unmask the would-be assassins of a Kremlin critic, Christo Grozev had spent weeks sifting through the shocking amounts of personal data from Russia that has been leaked onto the Internet — including passenger information from more than 6 million flights.

But before he could expose the suspected Russian agents who allegedly poisoned opposition leader Alexei Navalny — a blockbuster story for which a CNN reporter confronted one of them on his doorstep — Grozev’s investigation hit a brick wall. Free data would only take him so far. So he opened his wallet to pay for some of the most crucial evidence: flight manifests and cellphone metadata that placed the men in proximity to Navalny when he fell sick.

Paying for intel of dubious origins might set off ethical alarm bells in most Western newsrooms. But Grozev is not a traditional journalist.

He’s a Vienna-based Bulgarian radio station manager whose sideline in blogging led him a few years ago to join the global corps of sleuths known as Bellingcat.

The investigative collaborative — which relies on both paid and volunteer researchers combing through “open-source” digital data available to anyone with the right searching skills — has been responsible for several eye-popping scoops: pinning the crash of a Malaysian airliner in Ukraine to a Russian missile, unmasking spies supposedly behind the poisoning of a Russian double agent in England and dissecting the racist motives of the Christchurch, New Zealand, mosque mass shooter.

This week, Bellingcat plunged into an investigation of the pro-Trump mob that stormed the U.S. Capitol on Wednesday, asking volunteers to help catalogue and preserve the hundreds of videos and photos of the event that have circulated freely online — before the posters choose to remove them — to aid efforts to identify suspects. “At the very least what we’re trying to do here is provide preservation” for the sake of future analysis, Aric Toler, who heads up Bellingcat’s training and research, told The Washington Post on Thursday.

Police let most Capitol rioters walk away. But cellphone data and videos could now lead to more arrests.

As it has partnered with mainstream news organizations to get its findings to the public — including CNN and the German magazine Der Spiegel for the Navalny investigation last month — Bellingcat’s occasional use of what is essentially a black market for data raises questions for American newsrooms. Grozev said he prefers freely available data, though, and only pays when he has exhausted other means — and when he strongly suspects a state crime has taken place.

“When the government is trying to cover its wrongdoing,” he said, “if the only way to prove the wrongdoing by the state is by acquiring data, then we find that ethically justifiable.”

Bellingcat was started in 2014 by Eliot Higgins, at the time an unemployed blogger and gamer in England whose obsessive personal research quest helped him become one of the foremost experts on munitions used in the Syrian civil conflict. Since then, Bellingcat has assembled a worldwide team whose work relies almost exclusively on digital data.

Their Navalny report, also produced with Russian outlet the Insider, found that the dissident had been trailed for years by at least eight operatives with chemical warfare expertise who worked for the Federal Security Service (FSB), successor to the Soviet-era KGB. The report cited “voluminous telecom and travel data” that also identified three operatives in proximity to Navalny as he prepared to take an August flight that ended in an emergency landing and his medically induced coma.

Russian President Vladimir Putin denied the murder plot, joking darkly at a news conference that if state agents had wanted to kill Navalny “they would have probably finished the job.” That was the cue for Bellingcat to release the daring Part Two of its investigation — a recording of a phone conversation with one of the alleged operatives in which Navalny himself, impersonating an FSB supervisor, got the man to acknowledge the crime.

Kremlin critic Alexei Navalny was poisoned by Russian state security team, report says

Bellingcat’s work has long drawn attacks from the Russian government, which has referred to them as “pseudo-investigators” and promoters of “fake news.” To underscore its credibility, Bellingcat employs a show-your-work approach, publishing exhaustive reports that walk readers through exactly where its investigators got their data — including leaked records of private information — and how they analyzed it.

“Credibility is our only asset,” said Grozev, Bellingcat’s lead Russia investigator. “Especially when the Russian government is openly creating this disinformation campaign that we’re nothing but a front for Western intelligence. It’s a very, internally conflicting narrative they’re presenting — ‘everything they put out is fake, but it is also very high quality so it must be Western intelligence.’ ”

Not long after Grozev took up his hobby of investigating Russian agents, he turned to a broker who sold illegal access to government records. After the resulting story was published, the broker sent him an angry letter, "to the tune of, 'I thought you were just a regular, small-time criminal like my other clients, but you are a journalist and that is unacceptable,' " Grozev said. "I felt I had offended this person because I'm not a criminal, but a journalist."

In many Western countries, the idea that you could shell out a couple of dollars in cryptocurrency to an automated messaging application and obtain someone’s passport number, cellphone metadata and vehicle registration seems astonishing. But poor data security and rampant corruption in Russia make it quite simple, and common. In 2019, a BBC reporter exploring the black market for personal data paid about $25 to an online forum and, in less than a day, received a file containing his own passport information dating back to when he was 14.

The supply chain typically begins with low-level government workers who have access to data and a hunger to make money on the side; they use third-party, anonymous platforms to sell this information. While perhaps a technically illicit trade, many customers run these searches for non-nefarious reasons — such as employers doing background checks on potential hires or real estate agents considering business deals, said Toler.

Certainly, there are more questionable uses, such as blackmail, he said. “You also hear a lot of stories about jealous wives who think their husband is cheating on them, so you spend 40 bucks to look at their phone records.”

Journalists in Russia have increasingly turned to the data market as a reporting tool, but the data they obtain doesn’t always tell a clear-cut story. The Insider recently cited records from a leaked database to report that the daughter of a high-ranking Putin official holds French and Russian dual citizenship — something that’s illegal for Russian lawmakers and highly controversial for their family members.

The woman did not respond to the Insider’s inquiries, and the French government declined to confirm it, citing privacy concerns — so it was only after the story published that she shared with another publication a copy of her French residence permit, suggesting that she may merely have a home there, not citizenship. The Insider had to amend its story.

The unreliability of such data is one reason Bellingcat does rigorous cross-checking, preferably connecting to “a source we’ve obtained earlier than we started the investigation, before anyone has had the idea to poison the data,” Grozev said. In the case of the Navalny plot, Bellingcat analysts turned to previously verified offline databases to back up their new findings.

For legal purposes, Bellingcat does not use its foundation money to purchase leaked data, instead relying on individual researchers like Grozev to pay for it themselves. So the bigger ethical question the group contends with is how much of this data to make public, Toler said: No one wants to inadvertently reveal information about suspected spies’ relatives or others who are not the direct focus of their investigation.

“It’s kind of a case-by-case basis here, because it’s unprecedented in some ways that you can get the phone records of a spy,” Toler said. “It’s not something you read about in a journalism textbook.”

But this approach does raise questions for American news outlets that typically have prohibitions against paying sources in exchange for information — especially when it may, technically, have been stolen.

In its report on the Navalny investigation, CNN cited “thousands of phone records along with flight manifests and other documents obtained by Bellingcat,” without getting into how those records were obtained.

“At all points when you are using controversial data or controversial reporting techniques, you must disclose exactly what you’ve done,” said Alicia Shepard, a former ombudsman for NPR. “It is incumbent upon CNN to be as transparent as possible, and they are making a lot of assumptions that you’re not going to question where they got the information.”

Shepard said CNN could have addressed this by simply linking to Bellingcat’s own thorough explainer on its online report. “To me, transparency [means] I should be able to read a story and if I had the desire to re-report it, I could check it out.”

A CNN spokesman, Jonathan Hawkins, said the network stands by its reporting and its inclusion of Bellingcat’s research. “Bellingcat has explained its methodology in full and transparent detail.”

Edward Wasserman, media ethics professor and dean emeritus of University of California at Berkeley’s Graduate School of Journalism, argues that the privacy concerns involved with Bellingcat’s work in this instance are not a substantial argument against the kind of reporting they do. “The wrong being concealed far outweighs the claim of ‘this is mine and you can’t have it,’ ” he said.

Even if Russia has negligently left its data protections so weak, Wasserman warns that journalists should not exploit these kinds of sleuthing techniques to dig up salacious but inconsequential information. But the Navalny case is different, he said. “This is a move against a major political opponent taken by one of the most powerful politicians in the world on behalf of bolstering his claim to power,” Wasserman said. “This is big stuff, and in that respect, you’re not going in for trivial reasons, not just because you’re trying to get a story on deadline, but because you’re trying to expose major criminality — and you’re going about it in a very serious way.”

But now Bellingcat and other journalists may have another issue to contend with: Shortly after the Navalny report, Russia moved to crack down on the leaks that have driven the data black market. Legislation to bolster privacy protections for members of the FSB, military intelligence and other agencies is making its way through the State Duma, Russia’s lower parliamentary body.

“Seems rather late though,” Higgins, Bellingcat’s founder, tweeted last month. “I guess you could say the Bellingcat is out the bag.”

Isabelle Khurshudyan in Moscow contributed to this report.