Citizen Lab: Leaks, Hacking, and Fake News

Image used under CC BY 2.0 from Flickr user Marcie Casas


The terms leaks, hacking, and fake news have been tossed around frequently by reporters, government officials, and activists. What do these terms mean, and how do they impact our digital identities? This May, the University of Toronto’s Citizen Lab released a report that sheds some light on these terms and answers some questions that we often think of but forget to ask.



Who is Citizen Lab?

The University of Toronto’s Citizen Lab is an “interdisciplinary laboratory based at the Munk School of Global Affairs” [1] that focuses on “advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security” [2]. As a self-described “hacktivist hothouse”, the Citizen Lab works toward uncovering information that matters most to digital citizens [3].


The Report

On May 25, 2017, the Citizen Lab released a report, Tainted Leaks: Disinformation and Phishing with a Russian Nexus. They detail what started as a small investigation of a phishing attack against journalist David Satter that exploded into an investigation of nearly 200 related phishing attacks and tainted leaks, which may have ties to Russia. The report includes a summary and four segments: how tainted leaks are made; tiny discovery; connections to publicly reported operations; and a discussion. What concerns the reporters most is not the presence of hacking, phishing and disinformation campaigns, but instead, how these campaigns affect the relationship between reporters and civil societies, as well as the operations of daily life for citizens [4].


Tainted Leaks

The term tainted leaks refers to a specific technique used by hackers to facilitate the spread of false news stories. To create a tainted leak, hackers use phishing attacks to lure victims into entering their email addresses and passwords on false login pages. Once the hacker has access to the victim’s email address and password, they can steal documents found in the victim’s email accounts and selectively release them. While some of the stolen documents are leaked without tampering, others are slightly altered to promote certain ideologies, ideas, or theories. It is this blending of authentic and falsified information that characterizes a tainted leak. Once these leaked documents are released, they are often picked up by sensationalist news organizations and reported as authentically leaked documents. These leaks produce a mill of fake news that is difficult to disprove until the authentic documents are released. The tainted leaks scheme that targeted journalist David Satter is the focal point of the Citizen Lab’s report.


David Satter

David Satter, a prominent American journalist, received an email on the 5th of October 2016 that looked exactly like a Google security warning; however, the email was a cleverly crafted phishing message in disguise. While Satter wasn’t fooled by the first email, he did fall victim to a second email in this campaign that he received on October 7, 2016. The malicious email prompted him to change his Gmail account password by following a shortened URL created with (a URL shortening service). After following the link, Satter input his login information, changed his password, and continued with his business. It wasn’t until Google registered an unauthorized login to Satter’s account that he noticed something was wrong. This unauthorized access was found to have Romanian origins, and is presumed to have been the source behind the theft of Satter’s email documents.

Once stolen, a selection of Satter’s documents were released by CyberBerkut, “a pro-Russian hacktivist collective” [5]. While most documents were released unaltered, “one document showed extensive evidence of tainting” [6]. In the manipulated document, Satter appeared to have been “paying Russian journalists and anti-corruption activists to write stories critical of the Russian Government” [7]. After the release of the authentic document by Satter, these claims were demonstrably disproven.


Related Attacks

Using the Satter investigation as a case study, the Citizen Lab team was able to isolate a series of related attacks using variations of the phishing scheme. These campaigns all relied on URL shortening services, and could be seen targeting 198 email addresses. Targets of the phishing campaign included: “a former Russian Prime Minister, a global list of government ministers, ambassadors, military and government personnel, CEOs of oil companies, and members of civil society” [8]. Though there is no concrete link between this series of attacks and the attacks on the US and French national elections, there are similarities, including the use of URL shortening services, and ties to tainted leaks.



What concerns Citizen Lab most about these reports is their impact on “civil society”, or democratic societies in general. While tainted leaks may seem like an issue exclusive to national governments, they have real impacts for all digital citizens. Considering the Citizen Lab’s report, there are two important takeaways to consider:


  1. Phishing attacks can happen to anyone

While it may seem like government officials are the only targets of these attacks, the Citizen Lab’s report proves that members of civil society, including journalists, can be targets. Ask yourself, are you prepared in the event that you are targeted by a phishing attack? As hackers get better at providing convincing false links, it is more important than ever to pay attention to the links we follow, and to use strategies to protect ourselves from malicious schemes.

  2. Fact Checking is crucial

Tainted leaks can make it very difficult to spot disinformation. When a leak makes headlines, it is important to think critically about its origin. You can help stop the spread of fake news by engaging critically with the information you read, finding corroborative sources, and trusting the journalistic integrity of large news organizations whose professional practices promote the production of authentic news.


To learn more about tainted leaks and the Citizen Lab, visit:

The Report on Tainted Leaks: Disinformation and Phishing With a Russian Nexus, The Citizen Lab’s Website, and Ronald J. Deibert’s TEDx Talk.


