A work-in-progress timeline surrounding Feb 2017 Daniel Jones meeting, including the ‘Trump’s insurance broker’ angle

A speaking timeline.

With a great deal happening, it’s important to move some things out there before they are fully developed and analyzed, largely because some of the event dates are remarkably coincident with known events from the Spygate timeline. 

The anchor point for this rough-condition timeline is early February 2017, when on successive days Michael Sussmann met with officials at the CIA to urge on them his trove of purported Alfa Bank-Trump data (9 February 2017), and John Podesta met with Peter Fritsch and Glenn Simpson of Fusion GPS, along with former Dianne Feinstein staffer Daniel Jones (on 10 February 2017), who in the same timeframe started a non-profit that hired Fusion to continue its anti-Trump work from 2016.

These dates are of particular interest, and not only because John Durham has discussed the Sussmann-CIA meeting in his court filings in the Sussmann false-statement case.  Durham has also, of course, filed a considerable amount of information indicating the extent to which Fusion GPS was in contact with Sussmann and Rodney Joffe, the axis through which the DNS lookup data assembled to make the “Alfa Bank-Trump” case was passed on to the FBI, CIA, and media outlets.

Michael Sussmann in an online forum in 2020. YouTube, Docket Media video

But the catalyst for this particular timeline is a discussion about a set of wickr chat logs from Georgia Tech, which were filed in an Alfa Bank “John Doe” civil suit in the Washington, D.C. Superior Court on 12 October 2021.  The logs were an exhibit – one of a lengthy number of exhibits – appended to testimony by Jones, which came from an Alfa Bank-John Doe case in Palm Beach County.  The Jones testimony in Palm Beach was dated 18 August 2021.*

The wickr chat logs, involving Alfa Bank researcher David Dagon (“tinadoug”) and a user identified as Daniel Jones, start out with a chat exchange referencing the date 8 February 2017.  (This begins on p. 376 of the Jones Exhibits document, and on the page itself is numbered “1 of 34” in Exhibit 20, per the exhibit stamp at the bottom of the page.  For orientation, this is the page you should be on if you’re accessing the Jones Exhibits documents.)

Screen cap from Exhibits attachment to Jones testimony cited in text.

(I’m going through all this so it’s clear where the information comes from.  It’s easy to lose the thread on that in the morass of documents surrounding the Alfa Bank cases and the filings in Durham’s Sussmann case.  See the first footnote below for ways to access the original Exhibits document.) 

What appears to be the same chat sequence continues through the following day, although after the opening chat entry referenced to 8 February 2017, there are no date entries.

An extensive discussion at Twitter has debated when this chat sequence occurred.  It references a study produced by cyber-risk consultants Stroz-Friedberg in July 2017, which has led most online researchers to conclude that the 8 February 2017 date at the beginning doesn’t mean the exchange took place starting 8 February.

The series of chat entries appears to have been retrieved for printing (or at least collation in a file) on 25 August 2017.  The date-referenced event – publication of the Stroz-Friedberg study in July – thus occurred before that time hack.

The content of the Stroz-Friedberg study (starting on p. 5 at this link) is an evaluation of the flurry of DNS lookups purportedly involving Alfa Bank and Trump-related servers in February and March 2017.  (The study is one of the exhibits for the Jones testimony filed in the D.C. Court in October 2021.)

Alfa Bank hired Stroz-Friedberg on 14 March 2017 to perform this evaluation after the blizzard of lookups erupted in the preceding weeks.  Just before the hiring date, there was a blast of DNS lookups purporting to involve the Alfa Bank and Trump-connected servers between 11 and 13 March 2017.  Earlier, another high-tempo period of lookups started on 18 February.

Obviously, given the connections of the Georgia Tech researchers to the Alfa Bank narrative, the Sussmann-CIA meeting, and Sussmann’s and Fusion GPS’s previous shopping of the narrative to media and the FBI, the coincidence of the 8 February chat date with the 9 February Sussmann-CIA meeting and the 10 February meeting of Fritsch, Simpson, Podesta, and Jones is arresting.

The timing is particularly of interest because the chat participants have an intriguing exchange about the need to revive interest in the purported Alfa Bank data (p. 390/“15 of 34”).

From the wickr chat log in the Exhibits document appended to Jones testimony cited in text.

If the dates of their exchange were Wednesday and Thursday, 8 and 9 February 2017, that would comport with references to the days of that specific week found in the chat entries.  It would also line up nicely with the suspected purpose of the 9 and 10 February meetings for which we have separate evidence.

The sudden eruption of DNS lookups on 18 February would then appear to be related at the very least to the 9 and 10 February meetings (i.e., to afford additional data background for further development of the DNS lookups theme).  Such a connection can certainly be postulated between the 9 and 10 February meetings and the DNS lookups explosion that started just over a week later.

It remains to be determined when the Georgia Tech chat sequence actually occurred.  Obviously, if the 8 February 2017 date is an indicator, the chat log could suggest wholesale complicity on the part of all the known actors in ginning up another round of supposed Alfa-gate data over the next five weeks.

But if we accept the chat log at face value, with its references by tinadoug to the Stroz-Friedberg study (several times in the chat log pages “1 through 34,” or 376-409 of the PDF), then the chat couldn’t have taken place before the data flurry Stroz-Friedberg was later hired to analyze.  The flurry was in February and March; the study was eventually published in July 2017.

All of that is prelude.  What follows here is the extremely interesting timeline that began to emerge from pulling the string on Stroz-Friedberg.

A dip into the mists

Among many other things, this arcane corner of the Russiagate/Spygate saga takes us back at the outset to information from a few years ago about the consulting firm McKinsey & Co.  McKinsey is a company with very long and extensive ties to the “permanent state” or “deep state,” and in the period 2011-2015, it was hired to consult on operations and streamlining for the U.S. intelligence community – including the eye-opening purpose of assisting in a reorganization of the CIA’s clandestine service.

That’s our first timeline entry.  We’ll see why shortly.  Meanwhile, recall that James Clapper was the DNI during that time period.  His was the deciding vote for engaging McKinsey on this task.  John Brennan became CIA director in 2013, just after Obama’s second inauguration.

The brain trust, briefing Congress in 2014. (Image: Defense Intelligence Agency)

For a flavor of how embedded McKinsey is with permanent staters (mostly Democrats, but some Republicans as well), note that in March 2019, McKinsey sponsored a visit by John Podesta to Australia and New Zealand to discuss the economic implications of automation.  While in Australia, Podesta conducted media interviews “[s]itting in the Curtin Room at McKinsey Offices in Sydney.”

The CIA and its clandestine service were not the only elements of the IC that got the McKinsey treatment in the Obama years.  And it’s pertinent to recall that in the middle of the period – 2013 – Amazon Web Services got its groundbreaking contract to operate the entire intelligence community’s Top Secret cloud service.  A number of big-ticket, big-name things were going on at the time; in hindsight, they look increasingly like self-incurred vulnerabilities.

There is obviously a vast list of events to choose from in 2015 and 2016.  Keeping in mind the McKinsey connection to a very sensitive agency reorganization in the Obama years, let’s move forward to other territory involving IT and “trust groups” associated directly or indirectly with Alfa-gate.


2013-2015:  During this period, the online payments service Heartland Payment Systems, Inc., partners with Neustar’s UltraDNS to improve IT transaction security.  This will matter later.

The backstory on Heartland is of interest, moreover.  Heartland was famously targeted by multiple hacks in the 2005-2010 timeframe, involving an Albert Gonzalez who was reportedly an undercover asset for the U.S. Secret Service at the time (2005-2008), and a group of Russian and Ukrainian hackers operating in 2009-2010.  These attacks produced the biggest cyber-theft of personal and financial information ever seen up to that point.

Coming off these untoward incidents, Heartland CEO Robert Carr was appointed to President Obama’s National Infrastructure Advisory Council (NIAC).

Although the exact date of Heartland’s partnership with UltraDNS isn’t readily available in online resources, the Heartland company executive quoted in Neustar’s PR release on the partnership was in his cited role with Heartland between 2013 and 2015, according to his LinkedIn profile.

2 June 2015:  Trump Hotels announces the IT breach of its customer payments system spanning dates between May 2014 and June 2015.

5 June 2015:  Neustar sells its entire “Legal Compliance Services” division to rival company Subsentio.  See the 2 June 2015 link above.  The Legal Compliance Services division afforded Neustar privileged access to the comms data telecom providers are legally required to make available to NSA.  Further discussion at the link.

27 July 2015:  According to a DNC lawsuit, Cozy Bear (APT28) first intruded into the DNC IT system.

1-3 August 2015:  Always worth the reminder, this was the weekend when Bill Clinton and John Brennan were both in Jackson Hole, Wyoming attending a medical conference sponsored by Dr. Patrick Soon-Shiong, a pharma billionaire who at the time was working a partnership with then-Vice President Joe Biden for Biden’s “Cancer Moonshot.”  Brennan had the use of an Air Force C-40B, which sat idle at the local airport the entire time, in spite of the conference clearly being an extracurricular excursion for the CIA director.

Of note, Soon-Shiong – who was briefly but vigorously touted by the East Coast media for a Trump advisory position after the 2016 election – later bought the Los Angeles Times in June 2018.

To this day, we have yet to learn what Clinton and Brennan may have discussed that weekend.  It is extremely unlikely that the presence of either was unrelated to the presence of the other.

In the fall of 2015, we have the following:

15 September 2015:  Trump Hotels announces it will shift from Cendyn to Serenata for online customer relations and marketing services.  The timing is of some interest:  Trump Hotels and Cendyn had been partnered since 2007.   The previewed switch was announced just as the GOP pre-primary events were heating up for Donald Trump.  This was also the month an obscure Russian development company, I.C. Expert Investment Company, joined forces with Felix Sater to craft a plan for a Trump hotel in Moscow (see here as well).

It’s of more than passing interest that the decision to move from Cendyn to Serenata (a firm based in Germany, which had just opened a U.S. branch in San Francisco in 2015) came three months after the significant breach of Trump Hotels’ automated payment system.

16 September 2015:  Oddly enough, a Russian hacker involved in the identity thefts at Heartland Payments (as well as a string of other mass processors of financial information) pleaded guilty to U.S. federal charges on this date.  See also the 15 December entry on Heartland and Global.

16 September 2015:  Formation of a high-profile cybersecurity trust group – a non-profit called Global Cyber Alliance – is announced by Cyrus Vance, Jr., the Manhattan DA at the time.  GCA quickly adds a number of former Obama advisors and appointees to its boards and staff.

Cyrus Vance, Jr. explains why he didn’t prosecute Harvey Weinstein in 2015. PBS video, YouTube

In a peculiar coincidence, for his GCA startup money Vance uses funds obtained by his office in a massive sanctions-violation settlement with French banking giant BNP Paribas.  The settlement was finalized earlier in 2015, after BNP had blown a whistle in the UK in 2014 on the financial shenanigans of Burisma owner Mykola Zlochevsky.

As with McKinsey, keep Cyrus Vance, Jr. in mind.  He reappears later.

October 2015:  CrowdStrike executive and former DOJ official Shawn Henry joins the board of Global Cyber Alliance.

November 2015:  Obama creates the new Defense Digital Service, to be headed by a veteran of the emergency response to the botched Healthcare.gov rollout, Chris Lynch.  (Lynch also has extensive links in the Chicago crony network.)

It’s the Defense Digital Service that eventually gives the public a story about what’s happening with the “Pentagon IP addresses” during their strange excursion in 2021 (see link).  But the DDS would also set up a single “satellite” location at – wouldn’t you know it – the Georgia Cyber Center in Augusta.

DDS’s “Tatooine” satellite location in Augusta, Georgia. Image: Georgia Cyber Center

November 2015:  Georgia Tech becomes a member of tech industry trust group Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).  M3AAWG touts Georgia Tech as the group’s first university member.  Interestingly, M3AAWG’s membership also features Listrak, of all companies, as one of a small number of sponsor-level and/or board participants at Listrak’s punching weight in the industry.  (Most commercial companies at that level with M3AAWG are the larger and more widely-known ones).

(Of more than passing interest, these same entities – the DDS satellite location and Georgia Tech – are later called on by Georgia Secretary of State Brad Raffensperger to help with cybersecurity for the 2020 elections.)

15 December 2015:  Global Payments, Inc, and Heartland Payment Systems, Inc (the latter being the UltraDNS client; i.e., Neustar/Joffe), announce an impending merger which will make them one of the biggest payments companies in the United States.

As part of the Alfa-gate saga, journalist Dexter Filkins (for The New Yorker) and others would later emphasize that Global, which became Heartland’s parent company, had purchased an Alfa Bank-linked company in 2011.

However, given the timing of the Global-Heartland merger and Heartland’s minor but notable role in the notorious DNS lookups, Heartland’s status as a long-time UltraDNS customer looks a lot more interesting than the older, more-tenuous Alfa Bank link.

Side note:  Global Payment Systems was also one of the major targets in the 2009-2010 hacking spree by the Russian/Ukrainian group.

The crunch period of 2016 begins

Fast-forward to March 2016:

9 March 2016:  The last date on which the “A record,” or address record, for the Cendyn-registered domain name “mail1.trump-email.com” pointed to the Listrak server in Pennsylvania.  (Ankura report, p. 5.)

Town center, Lititz, PA. YouTube video

This was the case, however, in spite of the apparent fact that the trump-email.com domain, previously set up by Cendyn, remained registered and operational, according to contemporary records, through July 2016.  In other words, Cendyn didn’t dissolve the domain, although March 2016 was the month in which Serenata reportedly began providing services to the Trump Hotels.  See the graphics below from the Ankura study done for the Alfa Bank “John Doe” lawsuits.  The passage in the report is found on pp. 10-11.

(As we’ll see below, Serenata had its own domain and set of addresses for its Trump clients.  Note that a German business press article, which appears to date to December 2016, confirms that Serenata was providing services for the Trump Hotels that year.  The article’s tone and phrasing indicate this was an established relationship at the time of publication.)

Sometime before 29 June 2016, meanwhile, the trump-email.com domain was extended for another year under Cendyn ownership, to July 2017.

Screen cap from Ankura report on DNS lookups commissioned by Alfa Bank. p. 10; link in text

There is no record of Cendyn-prompted activity with the address mail1.trump-email.com in that period.  (That address is implicated in the purported DNS lookups in 2016, which the Joffe team wove the Alfa Bank-Trump story around.)

From the forensic analyses done for Alfa Bank by Mandiant (starting on p. 12 at this link) and Ankura, which both looked at this 2016 period (May through September 2016), I can’t discern that either Cendyn or Serenata was using the address in question for Trump-related comms.  So that’s very interesting.

18 April 2016:  Fancy Bear (APT29) achieves intrusion into the DNC IT system.  Reportedly, the DNC didn’t notice this until 28 April 2016.

22 April 2016:  DARPA puts out the Broad Agency Announcement for its Enhanced Attribution project, addressing exactly the form of “attribution” research effort touted by CrowdStrike as a company specialty, and later developed in Georgia Tech’s research as a project awardee. 

(If you still think it was mere coincidence that DARPA announced this particular project in April 2016 in the middle of Perkins Coie hiring Fusion GPS and the DNC discovering the Fancy Bear intrusion, I’m not sure what to do for you.)

25 April 2016:  Global Payment Systems and Heartland Payments conclude their merger, originally announced in December 2015.  The UltraDNS client, Heartland, is now part of Global Payment Systems.

Another side note on these events:  Heartland CEO Robert Carr was later accused by the SEC of insider trading on the Global Payments deal.  He eventually paid a fine under a settlement agreement in 2020 and left his CEO post as well as his position on the President’s NIAC.

4 May 2016:  Shawn Henry, CrowdStrike senior executive and director with the Global Cyber Alliance (Vance Jr.’s baby), was called in by Perkins Coie to investigate the DNC intrusion by Fancy Bear.

4 May 2016:  Date of the first supposed DNS lookups between the Alfa Bank server and the Listrak server hosting the mail1.trump-email.com address.  The domain, again, was still owned by Cendyn, but neither Cendyn nor Serenata was apparently using the mail1.trump-email.com address.

4 May 2016:  Trust group M3AAWG – the one that added Georgia Tech as its first university member in November 2015, and had little Listrak as a sponsor-level member and sometime board member – announces a partnership with the Global Cyber Alliance to encourage development of measures combating online threats.  The announcement speaks specifically of concerns about phishing and email security; i.e., the intrusion method into the DNC system for which Shawn Henry is called in the same day.

6 May 2016:  Emails from the Sussmann filings collated by Judicial Watch show communication at Georgia Tech about an impending meeting regarding DARPA-BAA-16-34, the project announcement on Enhanced Attribution from 22 April 2016.  (First email on p. 1 of the PDF.)

Fast-forward again, to the end of July 2016.

28 July 2016:  The FBI floats a little-remarked announcement that it seeks to hire, for the first time ever, a “senior-level data scientist” as a top advisor to the Bureau’s Cyber Division.  (The Bureau’s own announcement is here, but it’s noteworthy that it was obviously shopped to Politico, which carried it the next day.)

In an unusual sequence – well, there was no evident sequence.  I have yet to identify information posted online about who got this job.  James Comey referred to the new position in a speech he gave in August 2016, but if the lucky candidate has been identified publicly, I can’t find it.

James Trainor, assistant director of the FBI’s Cyber Division, issued a statement (see links) on the new position posting: “The addition of a senior-level position acknowledges the growing cyber threat, which is a top priority threat for the FBI, and reflects equitable distribution of sophisticated senior talent across the FBI.”

You may guess that James Trainor is mentioned by name here because he crops up again.  Timing is obviously interesting, given everything else that was happening in the period 26-31 July 2016 – some of it, as we now know, relating to Alfa-gate. 

23 September 2016:  The last DNS lookup supposedly implicating Alfa Bank and a Trump computer is recorded by the Joffe Team.  As described above, while Cendyn still had the mail1.trump-email.com address registered throughout the period 4 May to 23 September 2016, the Ankura analysis for Alfa Bank indicated the activity could not be explained by the “A” record for the address still resolving to the Cendyn-contracted Listrak server.  That resolution had ceased on 9 March 2016.

This is the timeframe when the DNS flurry included 76 lookups involving Heartland Payments.

Screen cap via Krebs on Security post 23 Sep 2021; link in text

Heartland-related domains are hosted by UltraDNS.  Some examples:

Screen cap by author 2 May 2022

Note that the Spectrum Health server, mentioned as the third of the most active organizational servers (besides Alfa Bank’s and Heartland’s), was supposedly involved in a total of 702 lookups.  Spectrum later acknowledged that DNS lookups had occurred with “an independent marketing firm that owns and administers servers for companies in the hospitality industry” (apparently a reference to Listrak; see Jones Exhibits wickr chat log p. 399/“24 of 34”).  Spectrum also stated, however, that “None of this traffic was email or other communications.”  It was all automated server-to-server activity.

Worth a comment that the second-order connection of Spectrum Health with Erik Prince may have been a reason to manufacture data involving the health care company.

Heartland’s close connection with UltraDNS, meanwhile, may have made it a convenient target for the Joffe Team.  Oddly, as noted in the wickr chat log, the series of Heartland DNS lookups, supposedly in 2016, had not been identified at the time, and only showed up later (p. 400/“25 of 34”).

Passage in wickr chat log from Jones Exhibits appendage; p. 400/“25 of 34”

Daniel Jones, with whom tinadoug (Dagon) has the chat, seems skeptical and worried about that aspect of the data.  That’s understandable.  The timeline of the Global Payments-Heartland acquisition and the purported Heartland involvement in the lookups doesn’t serve to dispel concern.

And fast-forward once again, to the fall of 2016.

11 October 2016:  Global insurance giant Aon PLC announces it is acquiring Stroz-Friedberg.  These things just seem to have kept happening at the darnedest times.  I won’t keep you in suspense:  Stroz-Friedberg, of course, went on to be hired by Alfa Bank five months later to assess the DNS lookups flurries.

The CEO of Aon PLC is a long-time executive of McKinsey named Gregory Case.

The CEO of Stroz-Friedberg at the time was a 28-year veteran of McKinsey named Michael Patsalos-Fox.  Patsalos-Fox had joined Stroz-Friedberg in 2013.

Oh – and, most importantly, given that this happened in October 2016, Aon was the long-time insurance broker for the Trump organization.  That relationship went back decades.

24 October 2016:  FBI veteran James Trainor, the aforementioned assistant director for the FBI’s Cyber Division, departed his FBI job to accept an executive position with Aon.  Trainor was hired as senior vice president in the cyber solutions group of Aon’s Risk Solutions unit, which would place him working with new Aon subsidiary Stroz-Friedberg.

Yes, it sure looks like something here.  We’ll get to that.

After the 2016 election

November 2016:  Georgia Tech and DARPA finalized the terms of GT’s Enhanced Attribution project award, setting off a tremendous chain of emails and chat logs.

Fast-forward to February and March 2017 for the Alfa-gate events described at the beginning of the article, culminating in Alfa Bank hiring Stroz-Friedberg to analyze the DNS lookups flurry from that period.

(Note also that the period 8-17 March 2017 was absolutely stuffed with Spygate developments, including the DOJ/FBI responding to Devin Nunes’s demand for the 2016 FISA applications, and Senate staffer James Wolfe’s leak of the one on Carter Page, in unredacted form, to journalist Ali Watkins.  See also here.)

A noteworthy date in February, shortly before the Michael Sussmann visit to the CIA on 9 February 2017:

2 February 2017:  The White House Chief Information Security Officer (CISO), Cory Louie, is abruptly dismissed.  Louie was appointed to his role by Obama during the major overhaul of the White House IT infrastructure and its cyber administration in the period 2013 to 2015.  Rodney Joffe was also a largely informal but insider-level participant in that enterprise.  The incoming Trump team kicked Louie out almost immediately, for which we may reasonably suspect there was a reason.

Two dates of particular note in March 2017:

4 March 2017:  President Trump tweeted that he had been “wiretapped” by the Obama administration.

8 March 2017:  Documentation on the trump-email.com domain showed that between 6 March and 8 March, ownership of the domain was transferred from Cendyn to the Trump Organization.  (See the Ankura study for Alfa Bank, pp. 10-11.)

Screen cap from Ankura report on DNS lookups commissioned by Alfa Bank. pp. 10-11; link in text

Again, this doesn’t look random.  The year before, Cendyn had extended ownership and registration of the domain to July 2017.  But just at the time Trump was tweeting about being wiretapped (and Nunes ordered up the FISA surveillance applications from 2016), the Trump Organization took ownership of a third party’s utility domain with the Trump name on it, even though no Trump entity had set it up, registered it, or ever used it.

Looks to me like the Trump Organization had a reason for wanting to be in control of it.  If so, that concern appears to have been validated by the mighty storm of DNS lookups that ensued from 11 to 13 March 2017.

Now to May 2017.  At this point Stroz-Friedberg, under a double layer of long-time McKinsey executives and former FBI official James Trainor, is working on the purported February-March DNS lookups involving Alfa Bank.

9 May 2017:  James Comey resigns as FBI director, setting off the howling chorus that will produce the appointment of Robert Mueller as special counsel eight days later.

10 May 2017:  Stroz-Friedberg replaces CEO Michael Patsalos-Fox with an interesting character:  Jason Hogg**, an executive with decades of experience in financial instruments and cybersecurity, along with some two years as a “special operations agent” for the FBI from 1998-2000.  Hogg came to Stroz-Friedberg (with a dual-hat role as lead executive for cyber solutions at Aon) from investment fund Tritium Partners.  Besides his two years with the FBI, Hogg had background with the Blackstone Group.  Among other career accomplishments, he developed a secure cash card under the brand Revolution Money in the mid-2000s, an enterprise that was ultimately bought out by American Express.

Jason Hogg is the son of the late Russell Hogg, an interesting character in his own right who is famous now for serving as president and CEO of MasterCard in the 1980s, and was a special agent for the FBI in the years following his service in World War II and graduation from Harvard’s School of Business Administration.

At the time of the CEO replacement in May 2017, Stroz-Friedberg is in the middle of its assessment for Alfa Bank.  It’s an eye-catching decision for a firm that would be well aware of the political freight attaching to the Alfa Bank project it’s working on.

A last single date in 2017:

22 June 2017:  The first date on which data available to the general public in a standard online search shows an Internet transaction with a domain and address set up by Serenata for its Trump Hotels client.

The address in question is trump.serenata-nethotel.com.  We can reasonably suppose the domain had been in use well before the June 2017 date, but that’s the earliest activity date I can discover.

Activity reflected in a standard domain/address search for Serenata’s Trump Hotels address. Screen cap by author 10 May 2022

It all comes together

This is not a comprehensive timeline, but a focused one collating a batch of known, related data points.  So you can fill in what else you think is relevant as we fast forward once again through 2017-2020, when New York State and our cyber alliance maven Cyrus Vance, Jr., from his Manhattan DA perch, turned a wirebrush on the Trump organization looking for something to prosecute.

This is worth hanging in there for.  Several things come together.

One direction New York took was trying to prove Trump’s organization valued its properties fraudulently, potentially as a tax evasion scheme.  This tack brings back our ace insurance behemoth Aon, which as the insurance broker for the properties in question would have a lot of information about how the insured (the Trump Organization) valued them in the relevant time period.

In October 2018, New York state investigators reportedly disclosed an ongoing probe along this line, which stretched back to 2017 and was predicated on real estate transfers in the 2011-2015 timeframe.

In March 2019, CNBC reported that New York’s Department of Financial Services had subpoenaed records from Aon on Trump-related insurance dealings.

In December 2020, Aon confirmed that it had been subpoenaed by Cyrus Vance, Jr. as well.  The subpoena reportedly resulted in Aon interviews with the Manhattan DA’s office.  (See here also.)

Interestingly, reporting on this and other recent probes of Trump in New York has rarely included much calendar-referenced history, except when a figure like Michael Cohen or Stormy Daniels has been involved.  In the latter cases, appearances in court or before legislative committees afford an anchor in time.

The Aon Center in Chicago. Aon was formed in Chicago and headquartered there from 1982 to 2012, when it moved its headquarters to London. Wikipedia: MusikAnimal – Own work

When the reporting is about what the state or Manhattan agencies may be probing, it’s harder to piece together when the probes started.  References in media reporting are vague and coy.  This feature is especially persistent because no indictments or court cases seem to issue from the probes, in which such markers in time would have to be laid down.

At any rate, the sequence of events with Aon buying Stroz-Friedberg in October 2016, Stroz-Friedberg being called in on the allegations about Alfa Bank DNS lookups in February-March 2017, and New York pursuing a tax evasion theory against Trump that resulted in Aon being subpoenaed in 2019 and 2020, has an interesting culmination.

On 12 January 2021 – i.e., six days after the 6 January Capitol episode – Aon dropped the Trump Organization as a client.

Of course, the 6 January event was cited as the reason for that decision.

One may read Aon’s October 2016 purchase of Stroz-Friedberg as mere coincidence, in spite of Stroz-Friedberg’s long-time FBI ties (it was founded by two FBI agents) and McKinsey alumnus CEO.

The same benign construction can perhaps be put on James Trainor’s move from the FBI to Aon, two weeks after the purchase of Stroz-Friedberg was announced.  With the resulting package slated to work together – Trainor as a senior cyber-risk policy executive for Aon and Stroz-Friedberg as a cyber-risk consultancy – we do start to strain credulity a bit.

And it’s a bit more fatuous and less believable to swallow the coincidence of the cyber-risk consultancy owned by Trump’s insurance broker being used to assess the allegations about Alfa Bank and a supposedly Trump-related email address.  (At the very least, we might wonder why Alfa Bank would choose a company with that connection to produce an assessment intended as court-quality evidence.  I wonder if the FBI recommended Stroz-Friedberg when Alfa Bank reported the February-March 2017 flurry of lookups to the Bureau.)

And it’s considerably more fatuous and less believable that Aon dropped the Trump Organization’s business in January 2021 because of virtuous distaste for the 6 January event. The idea is hard to swallow that this was done without political pressure from, say, the New York authorities who’d been subpoenaing Aon over Trump for the last two years.

An alternative construction of those events cannot be dismissed by honest analysts.  That construction would see Aon’s Stroz-Friedberg purchase as a way of getting an investigative firm with deep-state ties into the halls of Trump’s insurance broker – for Trump’s organization, a long-trusted partner.

Trump State of the Union address 2019. Fox News video

Five years ago that might have seemed like a fanciful conspiracy theory even to the honest.  In 2022, after years of revelations about what Trump’s opponents were doing in 2015 and 2016, it cannot have that character.  Sure, it would require forensic pursuit and proof – and I stress that we don’t have the latter – but the suspicion and pursuit don’t require justification at this point.

If the Stroz-Friedberg purchase positioned a “connected” company inside Trump’s insurance broker, it’s easy to see why it would be desirable to leave everything in stasis while Trump was in office.  The last few days of his term then became a natural end date to an Aon-Trump business relationship that may well have involved a deep-state connection from October 2016 onward.

It remains striking to me that Stroz-Friedberg did the DNS lookups evaluation for Alfa Bank in 2017, and perhaps we will see that question resolved at some point.

It might appear that neither side in the Alfa Bank case would really want such a connection attached to expert evidence for a civil suit.

An Alfa Bank opponent in court wouldn’t necessarily want the details about Aon and Stroz-Friedberg coming out for close inspection.  The appearance of a Trump connection to Alfa Bank’s expert would be persuasive only so far.  Then Alfa Bank would have the opportunity to point out the peculiar timing of the Stroz-Friedberg acquisition by Aon, Trump’s insurance company, as it related to the potential that the whole thing was a set-up.

This was a big enterprise

A point I’ve been stressing for some time is that a whole lot of what was going on in Spygate was apparently intended to work with the dossier commissioned by Hillary Clinton and the DNC, but was not within the span of control of Hillary and the DNC.  Some of Alfa-gate, which was clearly part of Spygate, was within their control, or at least their sphere of influence.  Those elements of Alfa-gate – Michael Sussmann’s excursions to the FBI and CIA, the intensive shopping of the Alfa Bank narrative to the media – are the most prominent features surrounding John Durham’s indictment of Sussmann.

But there’s a vast array of federal agency activities apart from anything Hillary or the DNC could control, from the use of confidential human source assets to setting up Brennan’s 2016 task force, to running FISA Section 702 queries, making formal unmasking requests at the NSC level, laundering foreign-source “dirt” on Trump to look like legitimate intelligence, and engaging side-gigs at agencies in DOD, Treasury, and ODNI (e.g., the National Counterterrorism Center, NCTC).

Most of Alfa-gate was actually outside Hillary’s and the DNC’s control as well.  The Joffe research team is not something Hillary had the horsepower or scope of influence to make happen.  Certainly the industry resources the team made use of were well beyond her.  There were industry and “civil society” developments that factored into every line of effort in Spygate, and hardly any of them were things Hillary could arrange.

She had no way of engaging DARPA through her own efforts; Obama’s DOD had to do that, especially as regards committing assets and awarding actual project resources to Georgia Tech.  Indeed, if federal cybersecurity monitors were doing their jobs, more than one agency probably had to be aware of what Georgia Tech and the Joffe group were embarking on. Ordering that quiescent cognizance was up to the sitting administration.

Hillary, of course, had no way of scoring a contract for Neustar to provide DNS resolution services for the Executive Office of the President.  That was done by Obama’s cyber fixer-upper crew as it demo’d and remodeled the IT infrastructure of the White House in his second term.  The little YotaPhone caper was cute, but Hillary and the DNC didn’t have the resources to imagine much less execute it.  Who did pay for the various activities of the Alfa-gate actors remains a good question.  All we know for sure is that Sussmann billed the Hillary campaign and the DNC for his time, Fusion was paid by Perkins Coie, and Neustar had a federal contract for the EOP services.

Special Counsel John Durham, Dept of Justice

None of this excuses Hillary and the DNC.  The enduring point is that we cannot prevent this from happening again if we are satisfied with merely finding something to indict Hillary on.  I’m hopeful that Durham has something larger in view, while I understand that to make his Sussmann case – or any other – he has to limit and sharpen his focus.

Large-scale revelations are badly needed, however, because from what we know already, this could not possibly have been a plot so small that it started with Hillary Clinton.  We would do better not to continue trying to make it fit that theory.  It doesn’t.


* In addition to Daniel Jones and The Democracy Integrity Project (TDIP), Alfa Bank has sued “John Does” separately in the venues potentially involved in what Alfa Bank alleges is fraudulent concoction of the “Alfa Bank-Trump” IT data.

The documents filed on 12 October 2021 in the D.C. court can be viewed at Scribd, courtesy of Twitter super-sleuth @walkafyre.  For those without Scribd accounts, I can provide instructions in the comments for retrieving the documents from the D.C. Superior Court.  It’s the very devil to do it, and it doesn’t result in a universally accessible link.  Each retriever must do his or her own search.  The exhibits file is a whopping 24 meg – easily downloadable once you navigate to it, but not email-able.

** At the time of the high school shooting in Parkland, Florida, in February 2018, student activist David Hogg was erroneously identified by some on social media as the son of Jason Hogg.  I stress that that is a misidentification.  David Hogg’s father is retired FBI special agent Kevin Hogg, and there appears to be no connection between the latter Hoggs and Jason Hogg, the executive and entrepreneur.

Feature image: Eisenhower Executive Office Building. Wikipedia


3 thoughts on “A work-in-progress timeline surrounding Feb 2017 Daniel Jones meeting, including the ‘Trump’s insurance broker’ angle”

    1. Interesting, compelling… speculation that 2/3 of US govt is compromised, corrupt and many will be indicted looks more plausible as Durham investigations continue.
