Full Timeline from today’s indictment or there abouts 
March 2016 - ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted over 300 individuals affiliated with the Clinton Campaign, the DCC and DNC, using a technique known as spear-phishing. (page 2)
March 2016 - the Conspirators, in addition to their spear-phishing efforts, researched the DCC and DNC computer networks to identify technical specifications and vulnerabilities. (page 8)
March 15, 2016 - YERMAKOV ran a technical query for the internet protocol configurations to identify connected devices. 011 or about the same day, YERMAKOV searched for open-source information about the DNC network, the Democratic Party, and Hillary Clinton. (page 8)
March 14, 2016 and April 28, 2016 - Conspirators used the same pool of bitcoin funds to purchase a virtual private network account and to lease a server in Malaysia. (page 17-18)
March 19, 2016 - LUKASHEV and his co-conspirators created and sent a spear-phishing email to the chairman of the Clinton Campaign and their co-conspirators stole the contents of the chairman’s email account, which consisted of over 50,000 emails. (page 6)
March 19, 2016 - LUKASHEV and his co-conspirators sent spear-phishing emails to the personal accounts the Clinton Campaign, including its campaign manager and a senior foreign policy.( Page 6)
March 28, 2016 - YERMAKOV researched the names of Victims 1 and 2 and their association with Clinton on various social media sites. Through their spear-phishing operations successfully stole email credentials and thousands of emails from numerous individuals affiliated with the Clinton Campaign. Many of these stolen emails, including those from Victims and 2, were later released by the Conspirators through DCLeaks. (page 7)
April 2016 - Within days of searches regarding the Conspirators hacked into the computer network. Once they gained access, they installed and managed different types of malware to explore the network and steal data. (page 8)
April 2016 - the Conspirators installed X-Agent malware on the DNC network, including the same versions installed on the network. MALYSHEV and his co-conspirators monitored the X-Agent malware from the AMS panel and captured data from the victim computers. The AMS panel collected thousands of keylo and screenshot results from the and DNC computers, such as a screenshot and keystroke capture of Employee 2 viewing the
online banking information. (page 8)
April 2016 and June 2016** - the Conspirators installed multiple versions of their X-Agent malware on at least ten computers, which allowed them to monitor individual employees’ computer activity, steal passwords, and maintain access to the network. (page 8)
April 6, 2016 - the Conspirators created an email account in the name
(with a one-letter deviation from the actual spelling) of a known member of the
Clinton Campaign. The Conspirators then used that account to send spear-phishing
emails to the work accounts of more than thirty different Clinton Campaign
employees. In the spear-phishing emails, LUKASHEV and his co-conspirators
embedded a link purporting to direct the recipient to a document titled “hillary” In fact, this link directed the recipients computers to a GRU created website. (Page 8)
April 7, 2016 - YERMAKOV ran a technical query for the internet protocol configurations to identify connected devices. (page 8)
April 12, 2016 - the Conspirators used the stolen credentials of a DCCC Employee to access the network. Employee 1 had received a spearphishing email from the Conspirators on or about April 6, 2016, and entered her password after clicking on the link. (page 8)
April 14, 2016 - the Conspirators repeatedly activated X-Agent’s keylog and screenshot functions to surveil Employee 1’s computer activity over the course of eight hours. During that time, the Conspirators captured Employee 1’s communications with co-workers and the passwords she entered while working on fundraising and voter outreach projects. (page 9)
April 15, 2016 - the Conspirators searched one hacked computer for terms that
included “hillary,” “cruz,” and “trump.” The Conspirators also copied select folders,
including “Benghazi Investigations.” The Conspirators targeted computers containing information such as opposition research and field operation plans for the 2016 elections. (page 10)
April 18, 2016 - the Conspirators hacked into the computers through their access to the network. The Conspirators then installed and managed different types of malware (as they did in the network) to explore the DNC network and steal documents. (page 10)
April 18, 2016 - the Conspirators activated X-Agent”s keylog and screenshot functions to steal credentials of a employee who was authorized to access the DNC network. The Conspirators hacked into the DNC network from the network using stolen credentials. (page 10)
April 19, 2016 - KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the connection between malware at the and the Conspirators’ AMS panel. (page 9)
April 19, 2016 - after attempting to register the domain electionleaks.com, the Conspirators registered the domain dcleaks.com through a service that anonymized the registrant. The funds used to pay for the dcleaks.com domain originated from an account at an online service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected]. The dirbinsaabol email account was also used to 'register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals. (page 13)
April 19, 2016 - the Conspirators directed X-Agent malware on the computers to connect to this middle server and receive directions from the Conspirators.
Hacking into the DNC Network. (page 9)
April 22, 2016 - the Conspirators activated X-Agent’s keylog and screenshot functions to capture the discussions of another Employee. Employee about the DCCC finances, as well as her individual banking information and other personal topics. (page 9)
April 22, 2016 - the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois. (page 11)
April 28, 2016 - the Conspirators connected to and tested the same computer located in Illinois. Later that day, the Conspirators used X-Tunnel to connect to that computer to steal additional documents from the network. (page 11)
May 25, 2016 and June 1, 2016 - the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that
time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server. (page 11)
May 13, 2016 - the Conspirators cleared the event logs from a DNC computer. (page 11)
May 30, 2016 - MALYSHEV accessed the AMS panel in order to upgrade custom AMS software on the server. That day, the AMS panel received updates from approximately thirteen different X-Agent malware implants on and DNC computers. (page 11)
May 31, 2016 - YERMAKOV searched for open-source information about Company 1 (CrowdStrike?) and its reporting on X-Agent and X-Tunnel. (page 12)
June 2016 - they gained access to approximately thirty-three DNC computers. (page 12)
June 2016 - KOVALEV and his co-conspirators researched domains used by US. state boards of elections, secretaries of state, and other election-related entities for website
vulnerabilities. KOVALEV and his co-conspirators also searched for state political party email
addresses, including filtered queries for email addresses listed on state Republican Party websites. (page 25)
June 2016 and continuing through the 2016 US. presidential election - the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton Campaign. The Conspirators also released documents they had stolen in other spearphishing operations, including those they had conducted in 2015 that collected emails from individuals affiliated with the Republican Party. (page 13)
June 1, 2016 - the Conspirators attempted to delete traces of their presence on the DCC network using the computer program CCleaner. (page 11)
June 8, 2016 - the Conspirators launched the public website dcleaks.com, which they used to release stolen emails. Before it shut down in or around March 2017, the site received over one million page Views. The Conspirators falsely claimed on the site that DCLeaks was started by a group of “American hacktivists,” when in fact it was started by the Conspirators. (page 13)
June 8, 2016 - and at approximately the same time that the dcleaks.com website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.” In addition to the DCLeaks facebook page, the Conspirators used other social media accounts in the names of fictitious U.S. persons such as “Jason Scott” and “Richard Gingrey” to promote the DCLeaks website. The Conspirators accessed these accounts from computers managed by POTEMKIN and his co-conspirators. (page 14)
June 8, 2016 - the Conspirators created the Twitter account @dcleaksw. The Conspirators operated the @dcleaks_ Twitter account from the same computer used for other efforts to interfere with the 2016 U.S. presidential election. For example, the Conspirators used the same computer to operate the Twitter account @BaltimoreIsWhr, through which they encouraged U.S. audiences to “[J]oin our flash mob” opposing Clinton and to post images with the hashtag #BlacksAgainstHillary. (page 14)
June 14, 2016 - the Conspirators registered the domain actblues.com, which mimicked the domain of a political fundraising platform that included a donations page. Shortly thereafter, the Conspirators used stolen credentials to modify the website and redirect Visitors to the actblues.com domain. (page 12)
June 14, 2016 - the DNC through - Company 1 - publicly announced that it had been hacked by Russian government actors. In response, the Conspirators created the online persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker to undermine the allegations of Russian responsibility for the intrusion. (page 14)
June 15, 2016 - the Conspirators logged into a Moscow-based server used and
managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases, including: “Some hundred sheets”, “Some Hundreds of Sheets”, “dcleaks”, “illuminati”, “widely known translation”, “worldwide known”, “think twice about”, and “company’s competence”. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0 published its first post on a blog site created through WordPress. (page 14)
June 2016 and October 2016 - the Conspirators used Guccifer 2.0 to release documents through WordPress that they had stolen from the and DNC. The Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals. (page 15)
June 20, 2016 - the Conspirators deleted logs from the AMS panel that documented their activities on the panel, including the login history. (page 11)
June 20, 2016 - after Company 1 had disabled X-Agent on the network, the Conspirators spent over seven hours unsuccessfully trying to connect to X-Agent. The Conspirators also tried to access the network using previously stolen credentials. (page 12)
June 22, 2016 - Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” (page 17)
June 27, 2016 - the Conspirators, posing as Guccifer 2.0, contacted a U.S. reporter with an offer to provide stolen emails from “Hillary Clinton’s staff.” The Conspirators then sent the reporter the password to access a nonpublic, password-protected portion of dcleaks.com containing emails stolen from Victim 1 by LUKASHEV, YERMAKOV, and their co-conspirators in or around March 2016. (page 17)
July 2016 - KOVALEV and his co-conspirators hacked the website of a state board of elections and stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver’s license numbers. (page 26)
July 6, 2016 - the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the and DNC networks. (page 17)
July 6, 2016 - Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention]
is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “0k . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.” (page 18)
July 14, 2016 - After failed attempts to transfer the stolen documents starting in late June 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk linkl.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. (page 18)
July 18, 2016 - Organization 1 confirmed it had “the 1GB or so archive” and
would make a release of the stolen documents “this week.” (page 18)
July 22, 2016 - Organization 1 released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server. (page 18)
July 27, 2016 - the Conspirators attempted after hours to spearphish for the first time, email accounts at a domain hosted by a third- party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign. Hacking into the Network. (Page 7)
August 2016 - KOVALEV and his co-conspirators hacked into the computers of a U.S. vendor (Vendor 1) that supplied software used to verify voter registration information for the 2016 U.S. elections. KOVALEV and his co-conspirators used some of the same infrastructure to hack into Vendor 1 that they had used to hack into SBOE 1. (page 26)
August 2016 - the Federal Bureau of Investigation issued an alert about the hacking of SBOE 1 and identified some of the infrastructure that was used to conduct the hacking. In response, KOVALEV deleted his search history. KOVALEV and his co-conspirators also deleted records from accounts used in their operations targeting state boards of elections and similar election-related entities. (page 26)
August 15, 2016 - the Conspirators, posing as Guccifer 2.0, received a request for stolen documents from a candidate for the U.S. Congress. The Conspirators responded using the Guccifer 2.0 persona and sent the candidate stolen documents related to the candidate”s opponent. (page 15)
August 15, 2016 - the Conspirators, posing as Guccifer 2.0, wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, “thank for writing back . . . do u find anyt[h]ing interesting in the docs i posted” (page 16)
August 17, 2016 - the Conspirators added, “please tell me if i can help anyhow . . . it would be a great pleasure to me.” (page 16)
August 22, 2016 - the Conspirators, posing as Guccifer 2.0, transferred approximately 2.5 gigabytes of data stolen from the to a then-registered state lobbyist and online source of political news. The stolen data included donor records and personal identifying information for more than 2,000 Democratic donors. (page 16)
August 22, 2016 - the Conspirators, posing as Guccifer 2.0, sent a reporter stolen documents pertaining to the Black Lives Matter movement. The reporter responded by discussing when to release the documents and offering to write an article about their release. (page 16)
September 2016 - the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service. These computers contained test applications related to the analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or “snapshots,” of the cloud-based systems using the cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based accounts they had registered with the same service, thereby stealing the data from the DNC. (page 13)
September 9, 2016 - the Conspirators, again posing as Guccifer 2.0, referred to a stolen document posted online and asked the person, “what do think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.” (page 16)
October 2016 - KOVALEV and his co-conspirators further targeted state and county offices responsible for administering the 2016 U.S. elections. (page 26)
October 7, 2016 - Organization 1 released the first set of emails from the chairman of the Clinton Campaign that had been stolen by LUKASHEV and his co-conspirators. (page 18)
October 28, 2016 - KOVALEV and his co-conspirators visited the websites of certain counties in Georgia, Iowa, and Florida to identify vulnerabilities. (page 26)
October 7, 2016 and November 7, 2016 - Organization 1 released approximately thirty-three tranches of documents that had been stolen from the chairman of the Clinton Campaign. In total, over 50,000 stolen documents were released. (page 26)
November 2016 and prior to the 2016 U.S. presidential election - KOVALEV
and his co-conspirators used an email account designed to look like a Vendor 1 email address to send over 100 spearphishing emails to organizations and personnel involved in administering elections in numerous Florida counties. The spearphishing emails contained malware that the Conspirators embedded into Word documents bearing Vendor 1’s logo. (page 26)
January 12, 2017 - the Conspirators published a statement on the Guccifer 2.0 WordPress blog, falsely claiming that the intrusions and release of stolen documents had “totally no relation to the Russian government.” (page 17)
