U.S. Spies, Seeking to Retrieve Cyberweapons, Paid Russian Peddling Dirt on Trump

BERLIN — After months of secret negotiations, a shadowy Russian bilked American spies out of $100,000 last year, promising to deliver stolen National Security Agency cyberweapons in a deal that he insisted would also include compromising material on President Donald Trump, according to U.S. and European intelligence officials.

The cash, delivered in a suitcase to a Berlin hotel room in September, was intended as the first installment of a $1 million payout, according to U.S. officials, the Russian and communications reviewed by The New York Times. The theft of the secret hacking tools had been devastating to the NSA, and the agency was struggling to get a full inventory of what was missing.

Several U.S. intelligence officials said they made clear that they did not want the Trump material from the Russian, who was suspected of having murky ties to Russian intelligence and to Eastern European cybercriminals. He claimed the information would link the president and his associates to Russia. Instead of providing the hacking tools, the Russian produced unverified and possibly fabricated information involving Trump and others, including bank records, emails and purported Russian intelligence data.

The U.S. intelligence officials said they cut off the deal because they were wary of being entangled in a Russian operation to create discord inside the U.S. government. They were also fearful of political fallout in Washington if they were seen to be buying scurrilous information on the president.

The Central Intelligence Agency declined to comment on the negotiations with the Russian seller. The NSA, which produced the bulk of the hacking tools that the Americans sought to recover, said only that “all NSA employees have a lifetime obligation to protect classified information.”

The negotiations in Europe last year were described by U.S. and European intelligence officials, who spoke on the condition of anonymity to discuss a clandestine operation, and the Russian. The U.S. officials worked through an intermediary — an American businessman based in Germany — to preserve deniability. There were meetings in provincial German towns where John le Carré set his early spy novels, and data handoffs in five-star Berlin hotels. U.S. intelligence agencies spent months tracking the Russian’s flights to Berlin, his rendezvous with a mistress in Vienna and his trips home to St. Petersburg, the officials said.

The NSA even used its official Twitter account to send coded messages to the Russian nearly a dozen times. The episode ended with U.S. spies chasing the Russian out of Western Europe, warning him not to return if he valued his freedom, the American businessman said. The Trump material was left with the American, who has secured it in Europe.

The Russian claimed to have access to a staggering collection of secrets that included everything from the computer code for the cyberweapons stolen from the NSA and CIA to what he said was a video of Trump consorting with prostitutes in a Moscow hotel room in 2013, according to U.S. and European officials and the Russian, who agreed to be interviewed in Germany on the condition of anonymity. There remains no evidence that such a video exists.

The Russian was known to U.S. and European officials for his ties to Russian intelligence and cybercriminals — two groups suspected in the theft of the NSA and CIA hacking tools.

But his apparent eagerness to sell the Trump “kompromat” — a Russian term for information used to gain leverage over someone — to U.S. spies raised suspicions among officials that he was part of an operation to feed the information into U.S. intelligence agencies and pit them against Trump. Early in the negotiations, for instance, he dropped his asking price from about $10 million to just over $1 million. Then, a few months later, he showed the American businessman a 15-second clip of a video showing a man in a room talking to two women.

No audio could be heard on the video, and there was no way to verify if the man was Trump, as the Russian claimed. But the choice of venue for showing the clip heightened U.S. suspicions of a Russian operation: The viewing took place at the Russian Embassy in Berlin, the businessman said.

There were other questions about the Russian’s reliability. He had a history of money laundering and a thin legitimate cover business — a nearly bankrupt company that sold portable grills for streetside sausage salesmen, according to British incorporation papers.

“The distinction between an organized criminal and a Russian intelligence officer and a Russian who knows some Russian intel guys — it all blurs together,” said Steven L. Hall, former chief of Russia operations at the CIA. “This is the difficulty of trying to understand how Russia and Russians operate from the Western viewpoint.”

U.S. intelligence officials were also wary of the purported kompromat the Russian wanted to sell. They saw the information, especially the video, as the stuff of tabloid gossip pages, not intelligence collection, U.S. officials said.

But the Americans desperately wanted the hacking tools. The cyberweapons had been built to break into the computer networks of Russia, China and other rival powers. Instead, they ended up in the hands of a mysterious group calling itself the Shadow Brokers, which has since provided hackers with tools that infected millions of computers around the world, crippling hospitals, factories and businesses.

No officials wanted to refuse information they thought might help determine what had happened.

“That’s one of the bedeviling things about counterintelligence and the wilderness that it is — nobody wants to be caught in a position of saying we wrote that off and then five years later saying, ‘Holy cow, it was actually a real guy,'” Hall said.

U.S. intelligence agencies believe that Russia’s spy services see the deep political divisions in the United States as a fresh opportunity to inflame partisan tensions. Russian hackers are targeting American voting databases ahead of the midterm election this year, they said, and using bot armies to promote partisan causes on social media. The Russians are also particularly eager to cast doubt on the federal and congressional investigations into the Russian meddling, U.S. intelligence officials said.

Part of that effort, the officials said, appears to be trying to spread information that hews closely to unsubstantiated reports about Trump’s dealings in Russia — including the purported video, whose existence Trump has repeatedly dismissed.

Rumors that Russian intelligence possesses the video surfaced more than a year ago in an explosive and unverified dossier compiled by a former British spy, and paid for by Democrats. Since then, at least four Russians with espionage and underworld connections have appeared in Central and Eastern Europe, offering to sell kompromat that would corroborate the dossier to U.S. political operatives, private investigators and spies, U.S. and European intelligence officials said.

U.S. officials suspect that at least some of the sellers are working for Russia’s spy services.

The Times obtained four of the documents that the Russian in Germany tried to pass to U.S. intelligence (The Times did not pay for the material). All are purported to be Russian intelligence reports, and each focuses on associates of Trump. Carter Page, the former campaign adviser who has been the focus of FBI investigators, features in one; Robert and Rebekah Mercer, the billionaire Republican donors, in another.

Yet all four appear to be drawn almost entirely from news reports, not secret intelligence. They all also contain stylistic and grammatical usages not typically seen in Russian intelligence reports, said Yuri Shvets, a former KGB officer who spent years as a spy in Washington before defecting to the United States just before the end of the Cold War. U.S. spies are not the only ones who have dealtwith Russians claiming to have secrets to sell. Cody Shearer, a U.S. political operative with ties to the Democratic Party, has been crisscrossing Eastern Europe for more than six months to secure the purported kompromat from a different Russian, said people familiar with the efforts, speaking on the condition of anonymity to avoid damaging their relationship with him.

Reached by phone late last year, Shearer would say only that his work was “a big deal — you know what it is, and you shouldn’t be asking about it.” He then hung up.

Shearer’s efforts grew out of work he first began during the 2016 campaign, when he compiled a pair of reports that, like the dossier, also included talk of a video and Russian payoffs to Trump associates. It is not clear what, if anything, Shearer has been able to purchase.

Before the Americans were negotiating with the Russian, they were dealing with a hacker in Vienna known only to U.S. intelligence officials as Carlo. In early 2017, he offered to provide them with a full set of hacking tools that were in the hands of the Shadow Brokers and the names of other people in his network, U.S. officials said. In exchange, he wanted immunity from prosecution in the United States.

But the immunity deal fell apart, so intelligence officials decided to do what spies do best: They offered to buy the data. That is when the Russian in Germany emerged, telling the Americans he would handle the sale.

Like Carlo, he had previously dealt with U.S. intelligence operatives, U.S. and European officials said. He served as a fixer, of sorts, brokering deals for Russia’s Federal Security Service, or FSB, which is the successor to the Soviet KGB. U.S. intelligence officials said that he had a direct link to Nikolai Patrushev, a former FSB director, and that they knew of previous work he had done helping move illicit shipments of semiprecious metals for a Russian oligarch.

By April it appeared that a deal was imminent. Several CIA officers even traveled from the agency’s headquarters to help the agency’s Berlin station handle the operation.

At a small bar in the former heart of West Berlin, the Russian handed the U.S. intermediary a thumb drive with a small cache of data that was intended to provide a sample of what was to come, U.S. officials said.

Within days, though, the deal turned sour. U.S. intelligence agencies determined that the data was genuinely from the Shadow Brokers, but was material the group had already made public. As a result, the CIA said it would not pay for it, U.S. officials said

The Russian was furious. But negotiations limped on until September, when the two sides agreed to try again.

Late that month, the American businessman delivered the $100,000 payment. Some officials said it was U.S. government money but routed through an indirect channel.

A few weeks later, the Russian began handing over data. But, in multiple deliveries in October and December, almost all of what he delivered was related to the 2016 election and alleged ties between Trump’s associates and Russia, not the NSA or CIA hacking tools.

In December, the Russian said he told the American intermediary that he was providing the Trump material and holding out on the hacking tools at the orders of senior Russian intelligence officials.

Early this year, the Americans gave him one last chance. The Russian once again showed up with nothing more than excuses.

So the Americans offered him a choice: Start working for them and provide the names of everyone in his network — or go back to Russia and do not return.

The Russian did not give it much thought. He took a sip of the cranberry juice he was nursing, picked up his bag and said, “Thank you.” Then he walked out the door.