Russian Hackers Breached the DNC and Used Guccifer 2.0 and WikiLeaks to Spread Stolen Emails
Russian government-linked hackers penetrated the Democratic National Committee, stole opposition research on Donald Trump and thousands of internal emails, and triggered a wider investigation after leaked material exposed not only politically damaging correspondence but also sensitive donor and personal data. Security firms including CrowdStrike, Mandiant, Fidelis, SecureWorks, and ThreatConnect tied the intrusion to Russian groups tracked as APT28/Fancy Bear and APT29, with later reporting pointing specifically to Russia’s military intelligence service, the GRU, based on malware and infrastructure overlaps. Researchers and investigators said the operation combined network intrusion, theft, and staged disclosure in a manner consistent with a coordinated influence campaign targeting the 2016 U.S. election.
After the breach became public, the online persona Guccifer 2.0 surfaced to claim responsibility and deny Russian involvement, but reporting and forensic analysis described the persona as a likely cutout used to distribute stolen documents and muddy attribution. WikiLeaks then published large batches of DNC emails while later reports said it had direct outreach to Donald Trump Jr. during the campaign and declined to publish a separate cache of Russian government documents in the same period, intensifying scrutiny of its role in the broader information operation. Subsequent congressional and special-counsel-era reporting found sharp partisan disagreement over whether Trump associates coordinated with Russia, but broad agreement that Moscow conducted an interference campaign that used hacked Democratic materials to damage Hillary Clinton and influence the election.

How this story unfolded
28 events from the most recent confirmed update back to the earliest known activity.
Federal judge dismisses DNC lawsuit over hacked document dissemination
U.S. District Judge John Koeltl dismissed with prejudice the DNC's lawsuit against the Trump campaign, WikiLeaks, and others over the publication of hacked DNC materials. He ruled the complaint did not plausibly allege that defendants other than Russia participated in or agreed to the theft, and said publication of stolen materials can be protected when the publisher did not help commit the hacking.
Mueller indicts 12 GRU officers over DNC hacking operation
Special Counsel Robert Mueller indicted 12 officers of Russia's GRU for hacking the DNC, DCCC, and Clinton campaign, stealing data, and staging releases through DCLeaks, Guccifer 2.0, and WikiLeaks. The indictment also described related targeting of a state election board and provided detailed allegations about how stolen Democratic emails were transferred for publication.
House Intelligence Republicans issue Russia investigation report
Republicans on the House Intelligence Committee released a report concluding there was no evidence the Trump campaign assisted Russia's 2016 interference operation. Democrats issued a dissent, but both sides agreed Russia had conducted an election interference campaign that remained an ongoing threat.
DNC sues Russia, Trump campaign, and WikiLeaks over 2016 hack
The Democratic National Committee filed a civil lawsuit alleging that Russia, the Trump campaign, WikiLeaks, and others conspired to damage Democrats during the 2016 election through the hacking and dissemination of stolen materials. The suit sought to frame the cyberintrusion and release operation as part of a broader coordinated effort.
Congress receives Trump Jr.-WikiLeaks message records
The Atlantic reported that Donald Trump Jr.'s lawyers had provided his private Twitter messages with WikiLeaks to congressional investigators. The disclosure added documentary evidence to ongoing probes into Russian election interference and dissemination of hacked materials.
Report says WikiLeaks rejected Russian government leak cache
Foreign Policy reported that WikiLeaks declined to publish a large cache of Russian government documents during the 2016 campaign while it was publishing hacked Democratic materials. WikiLeaks denied rejecting the material because it was Russian.
Mueller examines outreach to suspected Russian-linked hackers
Reporting said Special Counsel Robert Mueller was looking into a 2016 effort by GOP operative Peter Smith to obtain Hillary Clinton emails from hacker groups, including some he believed were tied to Russia. The inquiry raised further questions about attempted contacts with actors linked to the Democratic email hacks.
Guccifer 2.0 reappears after months of silence
The Guccifer 2.0 persona resurfaced publicly in January 2017 after a long quiet period. The return renewed attention on the role of the persona in distributing material stolen from Democratic targets.
FBI says DNC denied direct access to hacked servers
U.S. officials said the FBI was not given direct access to the DNC's hacked computer servers during its investigation and instead relied on forensic images and analysis provided by CrowdStrike. The disclosure became a notable point in public debate over the handling of the DNC intrusion and the government's evidence collection.
U.S. expels Russian diplomats and sanctions Moscow over election hacking
The Obama administration imposed its strongest response yet to the 2016 election interference campaign, expelling 35 Russian diplomats, sanctioning Russian intelligence services and GRU officers, and closing two Russian compounds in the United States. The measures were announced as punishment for Russia's hacking and influence operations targeting U.S. political organizations.
CrowdStrike links DNC hack to Russian military intelligence
CrowdStrike reported evidence tying the group behind the DNC intrusion to a Russian military intelligence unit, citing malware overlap with operations targeting a Ukrainian artillery app. The finding strengthened public attribution of the hack to the GRU.
Obama says he warned Putin to stop election-related hacking
President Barack Obama said he confronted Russian President Vladimir Putin over U.S. intelligence findings on election-related cyberactivity, telling him to 'cut it out.' The public statement marked a notable official White House response to the hacking campaign and signaled direct diplomatic pressure on Russia.
Obama orders intelligence review of election-related hacking
President Barack Obama directed the U.S. intelligence community to conduct a broad review of foreign efforts to hack and influence U.S. elections, with a report due before he left office. The review was to cover multiple election cycles and inform Congress and state election officials about lessons learned from the interference campaign.
WikiLeaks urges Trump campaign to contest election if defeated
On Election Day, WikiLeaks messaged Donald Trump Jr. encouraging the campaign to publicize claims that the election was rigged if Trump lost. The outreach later became part of congressional scrutiny of election interference.
Report says alleged DNC hackers used six zero-days in prior year
The Register reported that the Russian-linked hackers associated with the DNC intrusion had burned through six zero-day vulnerabilities over the previous year. The report added technical detail about the sophistication and tooling of the operators tied to the broader election interference campaign.
Researchers find fake data in Guccifer 2.0 leak files
Researchers reported that some files released by Guccifer 2.0, including anti-doping and Clinton-related materials, contained fabricated or altered data mixed with authentic stolen content. The finding suggested the leak operation involved manipulation of documents, adding new technical insight into the persona's information operation.
Guccifer 2.0 claims Clinton Foundation hack amid skepticism
Guccifer 2.0 asserted that he had hacked the Clinton Foundation and released material to support the claim. Reporting on October 4, 2016 said the evidence appeared dubious, suggesting the persona was making unsupported or deceptive claims beyond the known DNC intrusion.
WikiLeaks contacts Donald Trump Jr. via Twitter DM
Private messages between WikiLeaks and Donald Trump Jr. began on Twitter, with WikiLeaks sending political tips and requests during the 2016 campaign. These contacts were later turned over to congressional investigators.
DNC opens a new probe after WikiLeaks release
Following the WikiLeaks publication, the DNC launched a fresh investigation into the breach to determine the full scope of exposed data. Reports said leaked material included contributors’ financial information, Social Security numbers, and location data, contradicting earlier assurances.
Report says DNC hack expanded to staffer's personal email
Yahoo News reported that suspected Russian hackers had also compromised the personal email account of a DNC staffer conducting opposition research on Paul Manafort, indicating the intrusion extended beyond the DNC network itself. The report suggested a wider penetration of Democratic targets than previously disclosed.
WikiLeaks begins publishing stolen DNC emails
WikiLeaks released about 19,250 DNC emails, exposing internal communications and intensifying the political fallout from the breach. The publication suggested the compromise was broader than initially understood and included sensitive donor-related information.
Guccifer 2.0 sends second stolen DNC document cache to The Hill
Guccifer 2.0 provided The Hill with another exclusive batch of stolen DNC files, including political strategy notes, convention planning documents, fundraising guidance, and personal information for thousands of donors and volunteers. The release added evidence that sensitive internal Democratic data was being selectively leaked before WikiLeaks began publishing DNC emails.
Fidelis independently confirms Russian-linked malware in DNC intrusion
Fidelis analyzed malware samples and indicators from the DNC intrusion and said they matched CrowdStrike’s descriptions, with strong overlaps to tools previously linked to COZY BEAR and FANCY BEAR. The firm highlighted similarities between SeaDaddy and SeaDuke and X-Tunnel traits tied to FANCY BEAR, providing independent technical support for Russian attribution.
Guccifer 2.0 persona appears after breach disclosure
A persona calling itself Guccifer 2.0 emerged shortly after the DNC hack became public, denied Russian involvement, and began releasing documents claimed to be from the DNC. Later reporting described the persona as likely part of a Russian deception operation.
DNC publicly discloses breach and hires CrowdStrike
The Washington Post reported that Russian government hackers had penetrated the DNC and stolen opposition research on Donald Trump. CrowdStrike said it found two Russian-linked groups on the network, making this the first major public disclosure of the incident.
Russian hackers penetrate the DNC network
The Democratic National Committee was compromised by two separate intruder groups later identified by security firms as APT28/Fancy Bear and APT29/Cozy Bear. Reporting indicates the intrusion predated public disclosure and involved theft of internal party data.
Spear-phishing campaign compromises Podesta and other political email accounts
Russian-linked spear-phishing operations tied to the broader 2016 interference campaign compromised personal Gmail accounts associated with Democratic and political figures, including Clinton campaign chairman John Podesta and former Secretary of State Colin Powell. Stolen emails from these accounts were later disseminated through DC Leaks and WikiLeaks, expanding the operation beyond the DNC network itself.
Obama administration reportedly warned about Russian interference in 2014
Politico reported that the Obama administration received warnings in 2014 about Russian efforts related to election interference. The disclosure pushed the known timeline of U.S. awareness back well before the 2016 DNC hack became public.
Sources
38 references tracked.
Our Work with the DNC: Setting the record straight
web.archive.org
There Was Never a 'Deep State' Conspiracy to Get Trump - The Atlantic
theatlantic.com
Judge dismisses DNC lawsuit against Trump campaign, Russia, WikiLeaks over hacking
web.archive.org
How the Russians hacked the DNC and passed its emails to WikiLeaks - The Washington Post
washingtonpost.com
'Cozy Bear' & 'Fancy Bear' Attack: Russian Hackers Infiltrate DNC Computers | Common Dreams
commondreams.org
Russian government hackers penetrated DNC, stole opposition research on Trump - The Washington Post
washingtonpost.com
Russian Hackers Break Into Democrats' Campaign Arm, Steal Donald Trump Research : NPR
npr.org


