|Type of site||Document archive and disclosure|
|Available in||English, but the source documents are in their original language|
|Key people||Emma Best|
|Launched||3 December 2018|
Distributed Denial of Secrets, abbreviated DDoSecrets, is a non-profit whistleblower site for news leaks founded in 2018. Sometimes referred to as a successor to WikiLeaks, it is best known for its June 2020 publication of a large collection of internal police documents, known as BlueLeaks. The group has also published data on Russian oligarchs, fascist groups, shell companies, tax havens and banking in the Caymans, as well as hosting data scraped from Parler in January 2021 and from the February 2021 Gab leak. The group is also known for publishing emails from military officials, City Hall in Chicago and the Washington D.C. Metropolitan Police Department. As of January 2021, the site hosts dozens of terabytes of data.
The site is a frequent source for other news outlets, preferring to provide information and leads rather than present finished analysis to avoid centering any biases. The site's leaks have resulted in or contributed to multiple government investigations, including the second impeachment of President Donald J. Trump.
Distributed Denial of Secrets was founded by Emma Best, an American national security reporter known for filing prolific freedom of information requests, and another member of the group known as The Architect. According to Best, The Architect, who they already knew, approached them and expressed their desire to see a new platform for leaked and hacked materials, along with other relevant datasets. The Architect provided the initial technical expertise for the project. At its public launch in December 2018, the site held more than 1 terabyte of data from many of the highest-profile leaks. The site originally considered making all of the data public, but after feedback made some of it available only to journalists and researchers.
Best has served as a public face of the group, which lists its members. In February 2019, they told Columbia Journalism Review there were fewer than 20 people working on the project. In April 2021, their website listed 10 members and advisors.
In December 2019, Distributed Denial of Secrets announced their collaboration with the Organized Crime and Corruption Reporting Project. In May 2020, DDoSecrets partnered with European Investigative Collaborations and the Henri-Nannen-Journalistenschule journalism school. In June 2020, the DDoSecrets Twitter account was suspended in response to BlueLeaks, citing a breach of their policies against "distribution of hacked material" in a move that was criticized as setting a "dangerous precedent."
In December 2020, the group announced their affiliation with Harvard University's Institute for Quantitative Social Science.
DDoSecrets and the people behind the project have been described by Wired as a "transparency collective of data activists" and a successor to WikiLeaks; by the Congressional Research Service, Organized Crime and Corruption Reporting Project, Human Rights Watch and The Nation as a "transparency collective"; by The Hill as a "leaktivist collective"; by Columbia Journalism Review as a "journalist collective"; by Brookings Institution as "a WikiLeaks-style journalist collective"; by the New York Times as a "watchdog group"; by Business Insider as a "freedom-of-information advocacy group"; by Columbia Journalism Review, Krebs On Security, ZDNet, and Forbes as an "alternative to WikiLeaks"; and by VICE News as "the most influential leaking organization on the internet."
In 2019, the Congressional Research Service recognized Distributed Denial of Secrets as a transparency collective. In 2020, the U.S. counterintelligence strategy described leaktivists and public disclosure organizations like Distributed Denial of Secrets as “significant threats,” alongside five countries, three terrorist groups, and “transnational criminal organizations.” A June 2020 bulletin created by the Department of Homeland Security's Office of Intelligence and Analysis described them as a "criminal hacker group". Elements of the report were challenged as inaccurate by media such as The Verge.
The next month, the IRS recognized the group as a 501(c)(3) non-profit.
In December 2019, DDoSecrets listed a leak from Russia's Ministry of Internal Affairs, portions of which detailed the deployment of Russian troops to Ukraine at a time when the Kremlin was denying a military presence there. Some material from that leak was published in 2014, but about half of it was not. WikiLeaks reportedly rejected a request to host the files two years later, at a time when Julian Assange was focused on exposing Democratic Party documents passed to WikiLeaks by Kremlin hackers.
In January 2019, DDoSecrets published hundreds of gigabytes of hacked Russian documents and emails from pro-Kremlin journalists, oligarchs, and militias. The New York Times called the release "a symbolic counterstrike against Russia's dissemination of hacked emails to influence the American presidential election in 2016." According to the Times, the documents shed light on the Russian invasion of Ukraine as well as ties between the Kremlin and the Russian Orthodox Church, the business dealings of oligarchs and much more. According to an internal bulletin issued by the Department of Homeland Security, the "hack-and-leak activity" was conducted by DDoSecrets, though reporting by The Daily Beast identified several independent hacktivists responsible for the hacks.
The Bankers Boxes are a series of releases from DDoSecrets related to banking, finance and corporate ownership.
In September 2019, DDoSecrets published the investigation file for the death of David Rossi, an executive of the world's oldest bank Banca Monte dei Paschi di Siena, who died under suspicious circumstances while the bank was embroiled in a scandal.
In November 2019, DDoSecrets published over 2 terabytes of data from the Cayman Island National Bank and Trust, dubbed the Sherwood files. The files were provided by the hacktivist known as Phineas Fisher, who was previously responsible for the hack and subsequent release of Gamma Group and Hacking Team documents and emails. The files included lists of the bank's politically exposed clients and were used for studies of how elites use offshore banking. The leak led to at least one government investigation.
In December 2019, DDoSecrets published #29 Leaks in partnership with the Organized Crime and Corruption Reporting Project. The hundreds of gigabytes of data in #29 Leaks included emails, documents, faxes, and recordings of phone calls. The leak was compared to the Panama Papers and the Paradise Papers and came from Formations House, which registered and operated companies for clients who included organized crime, state-owned oil companies, and fraudulent banks. The leak led to at least one government investigation.
In 2019 and 2020, DDoSecrets published corporate registries for the Cook Islands and the Bahamas. DDoSecrets partnered with European Investigative Collaborations and the German Henri-Nannen-Journalistenschule journalism school in an unprecedented project named Tax Evader Radar to review and research a dataset containing almost one million documents from the Bahamas company registry. The project exposed the offshore holdings of prominent Germans, the activities of ExxonMobil, as well as the DeVos and Prince families. The leak included files which ICIJ reviewed as part of Bahamas Leaks but did not make available to the public.
In December 2019, DDoSecrets re-published the first tranche of PacoLeaks, data from Chilean police hacked by Anonymous as part of ongoing protests, after it was censored before publishing the second tranche. Soon after, they published emails hacked from the Chilean military, dubbed MilicoLeaks. MilicoLeaks included details on Chilean army intelligence, including operations, finance and international relations.
In April 2020, DDoSecrets published millions of neo-Nazi and far-right chat messages in a searchable database called Whispers. The leaked chats showed threats of violence and attempts to sway the 2018 United States midterm elections.
On June 19, 2020, DDoSecrets released BlueLeaks, which consisted of 269 gigabytes of internal U.S. law enforcement data obtained from fusion centers by the hacker collective Anonymous. DDoSecrets called it the "largest published hack of American law enforcement agencies." The editor for The Intercept described BlueLeaks as the law enforcement equivalent to the Pentagon Papers.
Some of the group's servers were located in Germany, and German authorities seized those servers at the request of the United States.
Twitter and other social media companies cooperated with police by suspending the group's accounts and making their past posts inaccessible. Twitter cited its terms of service, which explicitly bar the distribution of "content obtained through hacking that contains private information, may put people in harm or danger, or contains trade secrets." However, Emma Best, one of the group's founders, called Twitter's actions "heavy-handed", as they suspended not only users whose tweets had linked to archives where leaked material could be found, but also users whose tweets merely mentioned the leak.
On July 9, Reddit banned /r/BlueLeaks, a community created to discuss BlueLeaks, claiming they had posted personal information.
There is a federal investigation relating to BlueLeaks. Various Freedom of Information Act requests filed about BlueLeaks and DDoSecrets were rejected due to an ongoing federal investigation. Homeland Security Investigations has questioned at least one person, seeking information about BlueLeaks and DDoSecrets.
As a result of BlueLeaks, there were calls in 2020 to defund fusion centers, and in 2021 Maine began holding legislative hearings about it.
During the George Floyd protests, law enforcement agencies monitored protesters' communications over social media and messaging apps. Leaked reports found that the police were aware of the potential for their surveillance to violate the Constitution. They distributed documents to police filled with rumors and warnings that the protests would become violent, sparking fear among police officers.
The documents also show a much broader trend of surveillance. They show details about the data that police can obtain from social media sites including Facebook, Twitter, TikTok, Reddit and Tumblr, among others. Fusion centers also collect and distribute detailed data from automatic license plate readers.
Surveys from law enforcement training programs reveal that some instructors were prejudiced and unprofessional. Classes taught biased, outdated, and incorrect content. Some contain sexual content unrelated to the class, and there was one report of an instructor admitting to lying in court frequently.
In Maine, legislators took interest in BlueLeaks thanks to details about the Maine Information and Analysis Center, which is under investigation. The leaks showed the fusion center was spying on and keeping records on people who had been legally protesting or had been "suspicious" but committed no crime.
Documents also contain reports about other countries from the Department of Homeland Security, U.S. Department of State and other agencies. Officials discussed cyber attacks from Iran and concerns about further attacks in early 2020. Another report discusses possible Chinese espionage at natural gas facilities. Homeland Security also discussed Russian interference with American elections, attempts to hack the 2020 census, and manipulation of social media discussion.
On August 21, The Guardian revealed, based on the leaked documents, the existence of Google's "CyberCrime Investigation Group" (CIG). The group focused on voluntarily forwarding detailed information of Google, YouTube and Gmail users, among other products, to members of the Northern California Regional Intelligence, a counter-terrorist fusion center, for content threatening violence or otherwise expressing extremist views, often associated with the far right. The company has also been said to report users who appeared to be in mental distress, indicating suicidal thoughts or intent to commit self-harm.
One way Google identified its users in order to report them to law enforcement was by cross-referencing different Gmail accounts that eventually led them to a single Android phone. In some cases the company did not ban the users they reported to the authorities, and some were said to still have accounts on YouTube, Gmail and other services.
In early 2020, Gab, a social network known for its far-right userbase, launched encrypted text messaging service Gab Chat in beta.
In late June 2020, hackers leaked a May 26 law enforcement bulletin that was distributed by DDoSecrets as part of BlueLeaks. The bulletin was created by the Central Florida Intelligence Exchange Fusion Center, which speculated that Gab Chat's encryption and privacy features for private chatting, such as the service automatically deleting text messages 30 days after they are sent, could entice white supremacists to use the platform instead of Discord, a platform on which white supremacist groups have been frequently infiltrated by anti-fascists.
In July 2020, DDoSecrets released secret files on the United States' case against Julian Assange.
In January 2021, DDoSecrets began making data published by ransomware hackers available to journalists. The initial release contained over 750,000 files from industries including pharmaceuticals, manufacturing, finance, software, retail, real estate, and oil and gas.
In June 2021, DDoSecrets released 73,500 emails, accounting files, contracts, and around 19 GB of other business documents from the pipeline firm LineStar Integrity Services. The same month, 200 gigabytes from Presque Isle Police Department were posted online, including 15,000 emails and police reports and witness statements from the 1970s to the present. DDoSecrets mirrored the files and gave them to journalists, but did not repost them publicly, citing privacy concerns.
The group pointed to their earlier publication of the Perceptics breach as an example of the importance of ransomware leaks. The breach revealed that the security firm had lobbied Congress to downplay privacy and security concerns, provided extensive favors to politicians, and crafted some of the Republican Party's demands on border security.
In April 2021, DDoSecrets published a cache of emails from Chicago City Hall, which Mayor Lightfoot refused to answer questions about. The emails revealed that the city's handling of fatal shootings by police officers violates state law and a federal consent decree. The emails also exposed the Mayor's secret lobbying for qualified immunity, a secret drone program funded with off-the-books cash, and the city's problems with police chases and the George Floyd protests. The emails also revealed that the Mayor's office was blindsided by CPD's use of facial recognition and Clearview AI.
In May 2021, DDoSecrets republished the leak of Washington D.C.'s Metropolitan Police Department, including over 90,000 emails. According to DDoSecrets co-founder Emma Best, the documents gave "a unique opportunity to examine how these systems of policing are built, how they’re deployed, and an opportunity to perform an authoritative study on how, when and why the system is deployed differently against different groups." Among other things, the files revealed details of surveillance of right-wing extremists and the response to the January 6th insurrection attempt.
In January 2021, DDoSecrets made the scraped Parler videos available to journalists. Videos scraped from Parler were used as evidence during the second impeachment trial of Donald Trump.
In February 2021, DDoSecrets gave journalists financial documents from the Directorate of Investment and Company Administration (DICA) showing Google was indirectly supporting the Myanmar coup by allowing Gmail addresses and Google-run blogs to be used to run companies owned and operated by Myanmar's military and coup leaders. After the public release of the 330 gigabyte leak, Google disabled the blog. A Google spokesperson told Insider, "In this case, we have terminated accounts as a result of President Biden's Executive Order of 11 February 2021 concerning Myanmar." Justice For Myanmar called the release the "biggest leak in Myanmar history."
In March 2020, DDoSecrets published an additional 156 GB of data which had been hacked from the Myanmar Investment Commission. The release included entries of the Investments Management System, proposals and permits, many of which are labelled “secret” or “confidential”. As a result, Justice For Myanmar added 26 companies to its list of business associates of the Myanmar military.
The leak also revealed how millions of dollars allegedly flowed from Mytel subscribers into the pockets of Myanmar military generals and how their families profited from the military, the coup itself and the internet blackouts. The leak also led to allegations of profiteering which resulted in policy changes that cost Myanmar generals millions of dollars. The data also revealed that Thai state-owned companies were funding the Myanmar junta.
On February 28, DDoSecrets revealed "GabLeaks", a collection of more than 70 gigabytes of data from Gab, including more than 40 million posts, passwords, private messages, and other leaked information. The data was given to the group by a hacktivist self-identifying as "JaXpArO and My Little Anonymous Revival Project", who retrieved the data from Gab's back-end databases to expose the platform's largely right-wing userbase. DDoSecrets co-founder Emma Best called GabLeaks "another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon and everything surrounding January 6."
The group said that they would not release the data publicly due to the data containing a large amount of private and sensitive information and will instead share the data with select journalists, social scientists, and researchers. Andy Greenberg from Wired confirmed that the data "does appear to contain Gab users' individual and group profiles—their descriptions and privacy settings—public and private posts, and passwords".
In response, Gab CEO Andrew Torba acknowledged the data breach, said that his Gab account had been "compromised", and that "the entire company is all hands investigating what happened and working to trace and patch the problem". Torba also used a transphobic slur to insult the hackers "attacking" Gab and referred to them as "demon hackers." On March 1, he revealed in a post on Gab's blog that the company had received a ransom demand of $500,000 in Bitcoin for the data, and wrote in response that they would not be paying it. Also on March 1, Torba said in a Gab post that "I want to make clear that we have zero tolerance for any threats of violence including against the wicked people who are attacking Gab. We need to pray for these people. I am."
Dan Goodin reported in Ars Technica on March 2 that Gab's chief technology officer (CTO), Fosco Marotto, had in February introduced a SQL vulnerability that may have led to the data breach, and that Gab had subsequently scrubbed the commit from Git history. The company had previously open sourced Gab's source code in a Git repository which included all historical commits; on March 1, they took the repository offline and replaced it with a zipfile.
On March 8, JaXpArO again compromised verified accounts on Gab, posting a message to their feeds addressed to Torba, which said the service had been "fully compromised" the previous week and accused him of lying to Gab's users. Gab briefly went offline again the same day, and the company wrote on Twitter that they had taken their site offline "to investigate a security breach". Torba posted a statement in response to the attack, claiming that "The attacker who stole data from Gab harvested OAuth2 bearer tokens during their initial attack" and that "Though their ability to harvest new tokens was patched, we did not clear all tokens related to the original attack. By reusing these old tokens, the attacker was able to post 177 statuses in an 8-minute period today."
In May 2021, The Intercept used GabLeaks in its coverage and fundraising. Former Intercept reporter Glenn Greenwald criticized the publication for exploiting what he called an invasion of free speech and privacy, which he said contrasted with The Intercept's origins during the Snowden leaks.
In April 2021, Distributed Denial of Secrets made donor information from the Christian crowdfunding site GiveSendGo available to journalists and researchers. The information identified previously anonymous high-dollar donors to far-right actors including members of the Proud Boys, designated as a terrorist group in Canada, many of whose fundraising efforts were directly related to the January 6th attack on the United States Capitol. The platform had previously been criticized for its refusal to restrict use by far right extremists. It was later reported that police officers and public officials in the United States had donated to Kyle Rittenhouse. The executive officer for internal affairs for Norfolk Police Department was fired for the comments he made with his donation to Rittenhouse.
In May 2021, USA Today used the GiveSendGo data to report that nearly $100,000 was raised for the Proud Boys on GiveSendGo from people of Chinese descent in the days before the 2021 Capitol attack. In June 2021, USA Today used the GiveSendGo data to report that a member of the Koch family had anonymously donated to a crowdfunding campaign supporting the election fraud conspiracy theories.
'It's the largest published hack of American law enforcement agencies,' Emma Best, cofounder of DDOSecrets, wrote in a series of text messages. 'It provides the closest inside look at the state, local, and federal agencies tasked with protecting the public, including [the] government response to COVID and the BLM protests.'
The @DDoSecrets account is suspended and inaccessible and a Twitter spokesperson told tech site Gizmodo that the move was done in compliance with the company's policy against the distribution of hacked materials. The policy outlaws distributing "content obtained through hacking that contains private information, may put people in harm or danger, or contains trade secrets."