
The GRU Globetrotters: Mission London

June 28, 2019

By Bellingcat Investigation Team


In a series of previous investigations, Bellingcat and the Insider identified the two key suspects in the Novichok poisoning of Sergey and Yulia Skripal, and the subsequent poisoning death of Dawn Sturgess. We identified the two suspects, who travelled under the fake identities of Alexander Petrov and Ruslan Boshirov, as Russian military intelligence (GU/GRU) officers Anatoliy Chepiga and Dr. Alexander Mishkin, both holding the rank of colonel and both recipients of Russia’s highest military award.

Bellingcat subsequently identified a third GRU officer who travelled to London during the Salisbury poisoning operation under the cover identity of Sergey Fedotov. We established that his real name is Denis Sergeev, and that his rank was no lower than colonel, and possibly Lt. General or Major General. While Sergeev’s exact role in the operation was not known, taking into account his seniority and his pattern of prior international operations, we assessed that he was senior to Chepiga and Mishkin, and was likely in charge of coordinating the Salisbury operation.

In a series of follow-up investigations conducted in cooperation with international media organizations, we have attempted to uncover more details on Sergeev’s role in several international GRU operations.

This first installment is conducted in cooperation with BBC’s Newsnight.

Newly obtained telephone metadata logs from a telephone number registered in the name of the (cover) persona “Sergey Fedotov” have allowed us to analyze Denis Sergeev’s telephone usage – including calls and data connections – in the period of May 2017 – May 2019. The data – and especially the cell-ID metadata that we have been able to convert to geo-locations – allowed us to recreate Sergeev’s movements, both in Russia and abroad, as well as his pattern of communications during his overseas operations. Bellingcat obtained the telephone metadata records from a whistleblower working at a Russian mobile operator, who was convinced s/he was not breaching any data privacy laws, since the person to whom this phone number was registered (“Sergey Fedotov”) does not in fact exist.

  • Based on the analysis of Sergeev’s telephone movements within Moscow, we have established that his daily routine involves trips from his place of residence to several locations housing GRU operations. These include the GRU headquarters at Khoroshevskoe Shosse 67B, and the GRU Academy at Narodnoe Opolchenie 50.
  • Notably, Sergeev’s daily routine shows an unchanged pattern of travel to these GRU locations from 2017 through the end of 2018, validating our hypothesis that he was in the employ of the GRU at the time of the Skripal poisoning.
  • The telephone metadata produced further, unexpected evidence validating our identification of Denis Sergeev as the real person behind the “Sergey Fedotov” cover persona. This extra proof came in the form of a stray phone call from a telephone number registered in the name of Denis Sergeev’s wife to the number registered in the name of “Sergey Fedotov”.
  • Our reporting partner BBC has established via its own sourcing that Denis Sergeev has a rank of Major General. This, along with our prior assessment of his seniority to the Mishkin/Chepiga team and with the objective telephone records from his trip to London, presented below, validates our assumption that he was involved in the Skripal operation in a supervising, coordinating role; communicating back and forth to Moscow, while leaving the suspected Chepiga/Mishkin hit-team to work in an operational “Faraday cage”.

Heatmap of Denis Sergeev’s movements in Moscow during 2018

The Impulsive Traveler

On the morning of Thursday, March 1st 2018, Denis Sergeev was working from his new home, a 7-minute walk from the GRU Academy where he had worked – and lived in a dormitory-style apartment with his family – for almost 10 years. His new apartment was on a street named, somewhat imprudently, after a famous German spy who during World War II had passed on information about Hitler’s plans to the Soviet Union.

At 10:51 Sergeev, using a phone issued in the name of his cover identity, made a call to a number registered in the name of another non-existing person, a fictional Timur Agofonov. Whatever he had to say was short, as he hung up after 9 seconds. The rest of the day Sergeev stayed at home, browsing the internet and waiting.

Just after 6 pm, Denis Sergeev got the confirmation that he was expecting: he had to fly to London for the weekend. Not with his wife, and not under his real name, but as “Sergey Fedotov” – a department manager at a GRU front company offering courier services. Operational security protocol required that he himself book his ticket, lest traces to his employer – the GRU – remain in any of the booking systems.

Sergeev called a couple of travel agencies searching for a last-minute ticket to London for the next morning. For whatever reason – maybe the flight was sold out – it took them a while to confirm a booking. Only at 20:09 did he get a call back from a travel agent situated about 2 kilometers from his home, confirming that he had a ticket for the next morning.

Sergeev dialed *100# on his phone to check his prepaid credit. There was enough cash on the account, but he realized he needed to activate a roaming package plan for his trip, as he knew he would have to receive and send a lot of data files. But he left that chore for the morning – he had an early flight to catch.

The next morning Sergeev arrived at Sheremetyevo airport just before 6 am. His Aeroflot flight was scheduled to depart at 8:15 but he had to be at the airport early as he had luggage to check in. Disappointingly, at about 7:30 he got a text message from Aeroflot informing him that his flight would be delayed by an hour. An hour later, another text would extend the delay to two hours.

Sergeev used the waiting time to send a few messages and download some large files. In the two extra hours he was forced to wait, he exchanged several messages using Telegram, Viber, WhatsApp, and Facebook messenger, and downloaded 3 large files. At 9:15 he got a call from “Amir”, and they spoke for about 3 minutes. 45 minutes later, just before he finally boarded the Airbus A321, he called Amir again to tell him he was finally taking off. He would speak to Amir – and only to him, many times during the next three days.

An Uninterested Tourist

Both airline data and the telephone metadata confirm that Sergeev landed at Heathrow at 10:33 local time. It took him just over an hour to start moving from Heathrow’s Terminal 4 to downtown London. Telephone metadata pinpoints him at Heathrow as late as 11:50, after which it took him 37 minutes to get to the Kensington area and another 15 minutes to reach his final destination, a hotel near Paddington Station.

Timeline of Sergeev’s movement on March 2, based on cell-tower connections. Number in circle signifies sequential connection, number next to circle shows number of connections.

His phone connected a number of times during his trip from the airport, suggesting he did not take the underground, which typically has no phone coverage. The trajectory of the route taken, and the time it took him, implies he most likely traveled by car. He checked in at his hotel at about 12:35 pm. Due to the coverage range of cell towers, it is not possible to establish exactly which hotel he stayed at; however, it is practically certain that the hotel was within a few hundred feet of Paddington.

Over the following 2 days, and until his departure on Sunday morning, Sergeev barely left his hotel room, except for a short trip on Saturday morning.

The Great Communicator

While Sergeev did not show interest in seeing the sights of London, he spent a significant volume of time on the phone and online. Based on the data traffic of his phone, it appears that he did not trust local WiFi connections and instead used his 3G/4G telephone connection. The total data consumption for his 48-hour trip exceeded 1 GB.

Due to the specifics of data logging while roaming, it is not possible to differentiate between different forms of data use – thus we do not know how much of Sergeev’s online time was spent on encrypted messengers vs downloading and uploading files and browsing. However, based on his observed use of messaging apps while in Moscow, we can assume that at least part of the time he was online he communicated via his preferred set of messengers – Telegram, Viber, Whatsapp and FB Messenger.

At least some of Sergeev’s data use can be plausibly identified as large file transfers, based on the size of the data transfer and the time it took to complete. The file size of some transfers matched the typical size of a high-resolution photograph, while other transfers were more commensurate with the expected size for video files.

Sergeev’s data usage persisted throughout his stay in London, suggesting his phone was with him the whole time and he did not take (long) trips that could not be matched via connections to cell-tower locations. For example, during the night of the 2nd to the 3rd of March, we can see non-trivial data volumes at 3 am to 4 am, as well as large file transfers (or video/VOIP calls) between 4:30 and 6 am London time, which would match the start of the working day in Moscow, given the three-hour time difference in March.
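The two techniques described above, collapsing cell-ID connections into a numbered movement timeline and flagging data events whose size suggests a photo- or video-sized transfer, as an added example that is not Bellingcat’s code or data: the cell IDs, place names and log lines are constructed, and the size thresholds and the +3 h Moscow offset are assumptions.

```python
# Added example (not Bellingcat's code or data): cell IDs, place names and
# log lines are constructed to mirror the metadata analysis in the article.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hypothetical cell-ID -> place lookup; real IDs resolve via tower databases.
CELL_SITES = {"C-HTR": "Heathrow Terminal 4", "C-KEN": "Kensington",
              "C-PAD": "Paddington", "C-OXC": "Oxford Circus",
              "C-EMB": "Embankment"}

# Constructed CDR-style lines: UTC time, event type, cell ID, bytes, seconds.
RAW_LOG = """\
2018-03-02T11:50:00Z data C-HTR 120000 20
2018-03-02T12:27:00Z data C-KEN 30000 5
2018-03-02T12:42:00Z data C-PAD 45000 8
2018-03-02T12:50:00Z call C-PAD 0 95
2018-03-03T03:30:00Z data C-PAD 26000000 600
2018-03-03T04:45:00Z data C-PAD 8300000 120
2018-03-03T11:40:00Z data C-OXC 15000 4
2018-03-03T12:10:00Z data C-EMB 60000 10
2018-03-03T12:50:00Z data C-EMB 9000 3
"""

MOSCOW_OFFSET = timedelta(hours=3)  # London was on GMT (UTC+0) in early March 2018


@dataclass
class Record:
    ts: datetime
    kind: str
    cell: str
    nbytes: int
    seconds: int


@dataclass
class Stop:
    place: str
    first: datetime
    last: datetime
    connections: int


def parse_records(text: str) -> List[Record]:
    """Parse whitespace-separated log lines, oldest first; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 5:
            continue
        ts = datetime.strptime(p[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(Record(ts, p[1], p[2], int(p[3]), int(p[4])))
    return sorted(out, key=lambda r: r.ts)


def movement_timeline(records: List[Record], sites: Dict[str, str]) -> List[Stop]:
    """Collapse consecutive connections at one site into numbered stops and count
    the connections per stop (the number next to each circle in the article's maps)."""
    stops: List[Stop] = []
    for r in records:
        place = sites.get(r.cell, f"unknown cell {r.cell}")
        if stops and stops[-1].place == place:
            stops[-1].last, stops[-1].connections = r.ts, stops[-1].connections + 1
        else:
            stops.append(Stop(place, r.ts, r.ts, 1))
    return stops


def classify_transfers(records: List[Record], photo_range=(2_000_000, 15_000_000),
                       video_min=20_000_000) -> List[Tuple[str, str, float]]:
    """Flag data events large enough to be file transfers and tag each with Moscow
    local time, so it can be set against the handler's working day."""
    flagged = []
    for r in records:
        if r.kind != "data":
            continue
        if r.nbytes >= video_min:
            label = "video-sized"
        elif photo_range[0] <= r.nbytes <= photo_range[1]:
            label = "photo-sized"
        else:
            continue
        moscow = (r.ts + MOSCOW_OFFSET).strftime("%H:%M")
        flagged.append((moscow, label, round(r.nbytes / 1_000_000, 1)))
    return flagged
```

Running `movement_timeline(parse_records(RAW_LOG), CELL_SITES)` yields five stops, with four connections at the Paddington stop spanning the overnight transfers, and `classify_transfers` flags those two overnight events as video- and photo-sized at 06:30 and 07:45 Moscow time.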

“Amir from Moscow”

During his trip, Sergeev made and received regular phone calls with only one telephone number. This was the same number he called just before flying from Moscow, and he communicated with this contact a total of 11 times during the London trip.

We have established that as of press time, this number is “unregistered”, i.e. it belongs to a prepaid SIM card without a documented owner. However, given that Russian mobile operators are obliged to activate SIM cards only when linked to individuals (or companies), and since June 2018 must require passport identification of number owners – or else disconnect them – this number appears to be non-standard. In addition, the metadata logs show that this telephone number does not leave the “footprint” of a regular number: there are no cell-tower IDs or IMEI/IMSI logs matching it. It is thus likely a number from a special series used by Russia’s security services, possibly not linked to a hardware telephone but – for instance – to a gateway device.

The number shows up in one telephone-sharing app popular in Russia under the name “Amir – Moscow”.

Screenshot from GetContact, a popular phone-number sharing app

Sergeev first called this number shortly after checking into his hotel near Paddington station on March 2. He had another short call with “Amir” an hour later, and then a longer 9-minute call at 8:49 pm.

Saturday, 3 March

The next morning Sergeev received two phone calls from the same number shortly after 9 am, and two calls again after 15:45.

Between the two calls, Sergeev took at least one trip outside the hotel. Between 11:30 and noon, his phone registered at least once at a cell tower near Oxford Circus. Then, between noon and about 1:30 pm, his phone connected several times near the Embankment, on the Thames west bank.

Notably, according to the timeline of Chepiga and Mishkin’s movements presented by British police, they arrived at Waterloo station from their hotel at approximately 11:45 that day. Their train to Salisbury, however, would have left at 12:50. Waterloo station is approximately a 10-minute walk from the Embankment. Thus, had an in-person meeting been necessary between Sergeev and the Chepiga/Mishkin team – whether to pass on final instructions or a physical object – the area between the Embankment and Waterloo would have been a convenient place, and the one-hour gap between their arrival at the station and their departure would likely have sufficed.

Sergeev’s movements on March 3. He spent most of the day at his hotel (271 connections), with a short trip to Oxford circus and a longer stay at the Thames. The blue line shows the walking distance between the Embankment and Waterloo

Sergeev’s detour to Oxford Circus may or may not be significant. In their infamous RT interview, Chepiga and Mishkin, masquerading as tourists Boshirov and Petrov, claimed that on March 3 they visited a shop on Oxford Street. However, they said they shopped for sneakers on Oxford Street after their return from Salisbury, whereas Sergeev’s connection is from the morning before their trip. It is nonetheless possible that Oxford Street was used as a brush-pass meeting point, or as a fallback to another meeting place.

Timeline of Mishkin/Chepiga movements, per UK police

2018-3-2 15:00 Gatwick arrival
2018-3-2 17:40 Victoria station
2018-3-2 18:00 Waterloo
2018-3-2 19:00 Waterloo
2018-3-2 19:00 CityStay Hotel
2018-3-3 11:45 Waterloo *departing Waterloo 12:50
2018-3-3 14:25 Salisbury Station
2018-3-3 16:10 Salisbury Station
2018-3-3 20:05 CityStay Hotel
2018-3-4 8:05 Waterloo *departing Waterloo 10:20
2018-3-4 11:48 Salisbury Station
2018-3-4 11:58 Skripal house
2018-3-4 13:05 Salisbury Fisherman street
2018-3-4 13:50 Salisbury Station * left at 15:10
2018-3-4 16:45 Waterloo
2018-3-4 18:30 Underground to Heathrow
2018-3-4 19:28 Passport control

Just after 6 pm, Sergeev received two more calls from “Amir”, totaling about 4 minutes. Based on the police timeline, which suggests Chepiga and Mishkin left Salisbury just after 4 pm, by the time of the call the pair would have just returned from their first trip to Salisbury.

Sunday, 4 March. Day of the Poisoning.

On the morning of March 4, Fedotov made several data connections from his Paddington hotel. At 9:03 AM his phone rang, and he spoke with “Amir” for just about a minute. At 10:20 he sent or received a file of 8 MB, commensurate with a photo file. Notably, at that same moment, the Chepiga/Mishkin team left by train from Waterloo to Salisbury.

At 10:40 Sergeev called “Amir” one last time, and spoke with him for about 2 minutes. He continued using the internet until 11, when he checked out of the hotel.  He had a scheduled flight out of Heathrow at 13:30, and he was already running late.

At 11:20 Sergeev went offline and reappeared near Southall, on the way to Heathrow airport, 30 minutes later. This route and timing would be consistent with him taking the 11:25 AM Heathrow Express from Paddington. He arrived at Heathrow’s Terminal 4 just before 12 pm. Fortunately for him, Aeroflot’s flight – once again – was late. He made the flight, and the plane to Moscow took off at 14:15.

As Sergeev’s plane was about to land, “Amir” tried to call him at 8:51 PM, and when he could not reach him, sent him a text message. Sergeev landed at 21:00, checked his online messengers for messages, and left for his home by car. Once at his home, at 22:35 he made a brief 10-second call to “Amir”. He then stayed browsing the internet until 4 in the morning.

Relevance of new findings

The new findings confirm that Sergeev was an active GRU officer at the time of the Salisbury operation, as opposed to a retired officer employed for a private operation. They also shed light on the likely chain of command for this (and other) GRU overseas operations, with one coordinating senior officer communicating with headquarters in Moscow while the team on the ground receives limited to no new instructions. This set-up may be linked to operational security and the need to minimize the operative team’s exposure to traceable data communications. Evidence obtained by us on other international operations involving the same team suggests that this is a stable GRU operational model.

The new telephone metadata also answers a mystery left unresolved in our prior investigation relating to Sergeev: his mysterious check-in and later “de-boarding” entry on the passenger list. Given his late departure from the hotel and delayed arrival at Heathrow, it is plausible that by the time he went through security control, the airline had already removed Sergeev from the passenger list. Assuming he had an electronic boarding pass on his phone, he would have been able to make his way to the gate and – given the delayed flight – “begged” his way back onto the checked-in passenger list. This still leaves open the question of why, upon arriving in Moscow, he declared to border officials that he was landing from Rome rather than London. The latter might have been out of caution given the sensitivity of his operation.

While we cannot validate from objective sources the finding by our reporting partner BBC Newsnight that Denis Sergeev has a rank of Major General, it is consistent with our own assessment, given his prior military achievements and seniority. The involvement of a GRU Major General would indicate the unusually high importance of the operation.

Bellingcat Investigation Team

The Bellingcat Investigation Team is an award winning group of volunteers and full time investigators who make up the core of the Bellingcat's investigative efforts.


49 Comments

  1. Ben

    In paragraph 2 of ‘An Uninterested Tourist’ you write:

    “His phone connected a number of times during his trip from the airport, suggesting he did not take the underground which typically has no phone coverage.”

    If he was travelling on the Underground into London he would have had mobile coverage for the majority of the journey. Most of this stretch of the Piccadilly Line on the Underground is overground.

    If he was travelling on the train he would have got the Heathrow Express (straight to Paddington!). This train has Wi-Fi. https://www.heathrowexpress.com/onboard

      • concerned citizen

        He didn’t trust the locally provided wi-fi so he used locally provided 4g?

        Makes no sense.

        • Servus

          Concerned comrade, why not try to find the answer yourself, ask around maybe your supervisor can assist you, may cost you a beer, and tell the world.

    • D

      Ben: on the Piccadilly line the coverage is spotty at best in my experience for the bits where it’s extant. I’m unfortunate enough to routinely take that route…

      Article also notes he was likely not using WiFi based on the amount of data use he had over 3/4G (which is what the metadata the story is based on can account for).

    • Vladimir

      From the towers marked on the map I would agree, especially as the loop at Hounslow follows the Piccadilly line rather well. His route appears consistent with taking Piccadilly to Earl’s Court then switching to District to Bayswater, especially if I’m interpreting those numbers correctly and the phone didn’t connect at all between those latter two stops. Suggests below ground is plausible.

      • Grubbie

        Obviously flew into the UK to watch a lot of porn. I am struggling to see why one would need a lot of data to organise a poisoning.

      • Rob

        If he did use the tube it looks like he might have gone one stop further to Gloucester Rd (point 40 on the map) and changed on to the Circle Line to Paddington (via Bayswater).

    • Glen

      The western end of the Piccadilly line is overland for a few stops before going underground between Hounslow West and Hatton Cross – the indicative route on the first map is not commensurate with either Piccadilly line or Heathrow express routes hence the conclusion of car travel

      • Vladimir

        In fact it resurfaces between Hatton Cross and Hounslow West stations, then at all points east until Barons Court it is overground and has a good phone signal. The statement made in the above report,

        “His phone connected a number of times during his trip from the airport, suggesting he did not take the underground which typically has no phone coverage.”

        is simply incorrect. He may indeed have taken a car, and detailed information obtained might show this, but as far as I can see the map shown is consistent with tube travel and the article makes a flawed argument.

  2. Greg L

    I think it is unlikely Sergeev was transmitting plain old imagery (photos). I suspect Sergeev was using steganography software to embed encrypted messages in photo files. Sergeev would have a set of photos on his phone and his handler in Moscow would too. The data changes the least-significant bit of pixels in a manner that can’t be discerned from random noise in regular photos (it won’t work with graphics that have perfect colors in areas).

    When properly done (RSA 256, long randomized passwords, and proper photos), the effect is like encrypting with a write-once pad. Western authorities must have both the original photo as well as Sergeev’s and compare them to see if there is even embedded data in Sergeev’s copy. And even with that knowledge, they’d then have to decrypt the difference, which would likely have been done with RSA 256, which is going to make it effectively impossible given that this was professional spy tradecraft where only ultra-strong passwords were used.

    • Servus

      “Steganography” why? It is used to hide the fact that you communicate but he was openly calling the virtual person in Moscow… But who knows, maybe he communicated with the killers with an electronic “dead drop box” using images, but well, encrypted messages would be just fine, don’t see any additional value of steganography. So, most likely hypothesis should be retained, he was bored to death and downloaded pictures of demoiselles and athletes.

      Why wouldn’t he use WiFi. Most likely for security reasons, a WiFi device joins the provider LAN and could be susceptible for Level 2 and L3 (OSI comms model) type attacks, while joining with 3/4G is more controlled and only some L3 can happen. GRU should know something about L2 hacking via hotel WiFi…

      It’s not a criticism of your great and admirable work but it is based on an assumption that Sergeev was where his mobile phone was. One can imagine a phone programmed to do some actions simulating a person’s presence while the real guy was somewhere else. This cannot be determined from the meta data alone but I don’t see a reason why this assumption should not have been valid in this case.
      ….

  3. Iacopo i.

    In a previous part of your investigation you wrote about a flight of “Fedotov” to Rome on March 3-4 (the very day of the crucial Italian general election). So what about this, in this last part of the investigation?

  4. Mischa

    Forgive my ignorance, but he seems to have had no contact with the other two. What was his role? Could they have used burner phones or by other prearranged means? Any chance of the checking Paddington hotel registers? If hotel found it will need to be checked for Novichok.

    • Servus

      Mischa, most likely he would talk with the killers via an electronic dead drop.
      Maybe the whistle blower could provide meta data for the equally fictive persons of Bachirov and Petrov ?

      Then one could find matching “questions”, “answers” and “status reports”…

  5. Serious

    Is it only me that finds it highly unlikely that a Russian telephone employee would hand over all this data of one of their customers to a foreign news service? He would have worked out that there was something fishy, even something that could land him in serious trouble ala treason. Without this data your whole investigation fails.

    • Papa Colombo

      Yeah. That whistleblower story is suspect. I presume the data is authentic but was actually obtained through hacking a database.

      • AlexT

        Seriously ?
        Assuming this is not a complete fabrication (and for one I don’t think it is) it is almost certainly straight from 5-eyes intercepts. Plain and simple.
        As to why they would share with their PR agency (Bellingcat) is probably the most interesting question.

        • Bob

          I’m starting to think Bellingcat is nothing but misinformation, at best.

          They have a serious anti-Russia agenda. Where misinformation refers to inaccuracies that stem from error, disinformation is deliberate falsehood promulgated by design.

    • concerned citizen

      And surely the Russian security services wouldn’t use accounts that were known by ordinary telecoms employees to be fakes used by the GRU. It’s absurd.

      Why don’t we just ask this ‘whistleblower’ to give us the identities of all GRU agents in Europe while we’re at it? Job done.

      • Servus

        Ha ha, but they did. Just like the car registration to the GRU HQ… “surely Russian security services” would not be doing anything stupid like that…

        Start getting concerned with the operational security of your services… the GRU head did not and he is not with us any more….

        • concerned citizen

          Your story about car registration to GRU HQ sounds interesting, do you have any evidence for it? (Claims made by bellingcat not accepted).

          • Servus

            Concerned comrade,
            Please read the report of Chepiga and Mishkin identification. One of the key elements was finding connection between true and false identity via car registration files. The correctness of the identification was confirmed independently by the interviews of their neighbours and relatives.
            As a person in Russia, you could also go to a local bazaar or its electronic counterpart and acquire the car registration or fine files, go for the historic copies and the latest ones. There should be a discrepancy, since GRU must have rushed to clean up the databases.
            GRU has really painted itself in a corner.

          • concerned citizen

            Servus – July 1, 2019
            Concerned comrade,
            Please read the report of Chepiga and Mishkin identification.

            (Claims made by bellingcat not accepted).

  6. Patrick Mahony

    GRU never heard of CEX for unlocked phones or Lycamobile SIM-only PAYG.

  7. VG

    A typo: ‘spend’ used instead of “spent” in the second paragraph under ‘The Great Communicator’.

  8. DavidC

    The timeline has this line for Boshirov and Petrov:
    2018-3-4 11:58 Skripal house

    That claim seems to be from the photo of the pair at the Shell station on Wilton Rd with that timestamp. That location is some 400 meters from Skripal’s house. There is no evidence the men ever got closer to the house than the Shell station.

    • Jeroen

      So how did some of the content of the Nina Ricci Premier Jour bottle with an applicator replacing the usual nozzle travel that last 400 meter?

  9. concerned citizen

    Ultimately what we have here is that a man visited London and used his mobile phone.

      • Servus

        You are absolutely right, good that you finally understood the report.

        Now get to the part about this man’s identity and his communication pattern.

        …two other men ultimately made a special trip to UK to see a famous petrol station 400m from Skripal’s house. Is this your idea of a holiday? This is an honest question, I could have a blind spot for a cultural artefact of the GRU subculture.

        • concerned citizen

          But Skripal wasn’t attacked with a sniper rifle.

          If they were 400 metres away from his house that’s meaningless. If you can’t prove they went to his house there’s no case, just a lot of nonsense.

    • Martin

      I could say the same thing about you, as in ‘Ultimately what we have here is a man commenting on the internet’ but that wouldn’t tell us important details. I’d have to say ‘Ultimately what we have here is a concerned Russian agent trying to push a false narrative for the GRU murderers and discredit Bellingcat’s reporting’
