Who Is Downloading Hunter Biden’s iCloud Files?

Chaos Actors have yet again rigged up a fresh scandal. Who’s interested?

Screenshot of a forum full of losers who have nothing better to do with their lives than this.

Chaos Actors have yet again rigged up a fresh scandal by claiming new data belonging to the President’s son has leaked via 4chan. Who’s interested?

Dear Reader,

Mass surveillance of BitTorrent downloads has been around for a long time.

Recently, some of the world’s political chaos actors decided to try and generate a new scandal around Hunter Biden with the alleged release of several hundred gigabytes of data, supposedly from his iCloud account this time. I have not analyzed the particulars of this case as a priority because these distractions don’t seem intended to hold up to real forensic scrutiny, and, as usual, there is no “smoking gun” — just a morass of moral complaints about how a private citizen who is neither campaigning for, nor serving in, any elected or appointed office lives his life.

It’s all been a big ‘nothing-burger’ with the ultimate purpose of sowing the impression that the President of the United States is unfit for office because he has a family member who made bad choices with drugs and girls, despite the reality of our previous presidential administration and its deep, deliberate, and indefatigable corruption going far beyond the conduct of a single person who is not in office nor holding any appointed role in public service.

Now I’m no expert, but when performing analysis on influence operations, I usually find it more effective to look away from what these actors are aggressively waving in our faces and seek to examine the context and metadata surrounding their efforts.

Whether the files contain bunk/fake data is irrelevant here (in fact, some “leaks” are just elaborate honeypots); I am interested in potentially deducing the interest and even motivations of some interested parties via the simple act of geolocating the downloaders.

Time is of the essence when downloading leaks, and using one or more anonymizing hops can hamper the speed of a surreptitious transfer. That means those downloading files (especially huge ones) using the BitTorrent protocol sometimes do so “naked,” without any layer of identity protection, enabling most would-be surveillers to more accurately identify them over the wire.

However, although many downloaders use public or private VPNs, it is likely that speed is often more important than proper anonymization, and most downloaders would like to keep their VPN exit node within a reasonable network distance of their actual location.

The BitTorrent protocol’s transparency allows us to review a snapshot of the IP addresses around the world I observed downloading, sharing, or simply watching the purported leak (the larger of the two).

Partial screenshot for visual purposes showing the info window of the Transmission BitTorrent client for OS X.

Here is an incomplete list of the locations seen engaging with the data:

  • McLean, Virginia, USA
  • Ontario, Canada
  • Focșani, Romania
  • Veszprém, Hungary
  • Rio De Janeiro, Brasil
  • Guangzhou, China
  • Tehran, Iran
  • Irkutsk, Russia
  • Taichung, Taiwan
  • Paris, France
  • Haarlem, Netherlands
  • Mexico City, Mexico
  • Athens, Greece

What I think will be interesting is looking at differences between basic “peers,” or sharers, and “seeders”: sharers who now have a complete copy of the file, who have very helpfully continued to share it past the point of completion, ensuring further dissemination.
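As an added example (not code from the original post), the Python below shows the protocol transparency described above: it decodes a bencoded tracker announce reply, extracts the compact peer list (IP and port) that every client in a swarm receives, and splits those peers into seeders and basic peers by completion. The tracker reply, peer addresses (RFC 5737 documentation ranges) and progress figures are constructed sample data, and the helper names are my own.

```python
import struct

def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder (BEP 3); returns (value, index just past it)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            result[key], i = bdecode(data, i)
        return result, i + 1
    colon = data.index(b":", i)                     # byte string: <len>:<bytes>
    start, length = colon + 1, int(data[i:colon])
    return data[start:start + length], start + length

def parse_compact_peers(blob: bytes) -> list[tuple[str, int]]:
    """BEP 23 compact peers: 6 bytes each, IPv4 address then big-endian port."""
    assert len(blob) % 6 == 0, "compact peer list is not a multiple of 6 bytes"
    return [(".".join(str(b) for b in blob[o:o + 4]), struct.unpack(">H", blob[o + 4:o + 6])[0])
            for o in range(0, len(blob), 6)]

def classify_swarm(progress: dict[str, float]) -> dict[str, list[str]]:
    """A peer at 100% is a seeder; anything less is a basic peer still downloading."""
    return {"seeders": sorted(ip for ip, p in progress.items() if p >= 100.0),
            "leechers": sorted(ip for ip, p in progress.items() if p < 100.0)}

# Constructed sample data (RFC 5737 documentation addresses), not a real swarm.
SAMPLE_PEERS = [("192.0.2.10", 6881), ("198.51.100.7", 51413), ("203.0.113.5", 6881)]
SAMPLE_PROGRESS = {"192.0.2.10": 100.0, "198.51.100.7": 100.0, "203.0.113.5": 42.5}

def build_sample_response() -> bytes:
    """Bencode a tracker announce reply carrying SAMPLE_PEERS in compact form."""
    peers = b"".join(bytes(map(int, ip.split("."))) + struct.pack(">H", port) for ip, port in SAMPLE_PEERS)
    return (b"d8:completei2e10:incompletei1e8:intervali1800e5:peers"
            + str(len(peers)).encode() + b":" + peers + b"e")

def swarm_report(response: bytes, progress: dict[str, float]) -> dict:
    """Decode the reply, pull peer IPs out, and label each as seeder or leecher."""
    tracker, _ = bdecode(response)
    peers = parse_compact_peers(tracker[b"peers"])
    report = classify_swarm({ip: progress.get(ip, 0.0) for ip, _ in peers})
    report["tracker_counts"] = (tracker[b"complete"], tracker[b"incomplete"])
    return report
```

Feeding the extracted addresses to a geolocation database is the one step left out here, since that needs a local dataset.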

👏👏👏 Leave claps below if you’re interested in a “Part 2”: Dataset(s), deeper dive analysis, code samples, maybe even a visual dashboard?