the home of online investigations

You can support the work of Bellingcat by donating through the following link:

New Evidence Links Russian State to Berlin Assassination

September 27, 2019

By Bellingcat Investigation Team

Translations: Русский

Joint investigation by Bellingcat, Der Spiegel, the Insider and the Dossier Center.

  • In the first part of this joint investigation, we disclosed that the assassin of Zelimkhan Khangoshvili detained by German police traveled on a valid Russian passport issued under the fake identity of “Vadim Sokolov”. We concluded that the usage of a validly issued passport in the name of a non-existent person indicated a link between the assassin and the Russian state.
  • Interim reporting by Der Spiegel and other media has disclosed that the suspect initially traveled from Moscow to Paris and then on to Warsaw, where he rented a hotel room for five days during which he traveled on to Berlin – suggesting he initially intended to return to Warsaw following the Berlin operation.
  • In the interim, we have obtained information that a Russian-issued SIM card was found at “Sokolov”’s hotel room in Warsaw. German and Polish investigators are reportedly analyzing the data linked to that SIM card.
  • In a report from 26 September 2019, the New York Times (NYT) reported that German investigators received a tip from an anonymous source claiming the suspect’s real identity is that of Vladimir Stepanov, a former police officer from St. Petersburg who in 2006 was convicted and sentenced to 24 years in jail for being part of an organized crime group that murdered two people at the orders of a business rival. The NYT quotes a Western intelligence agency as giving credence to the tip, and the NYT partially corroborates this hypothesis by referring to a facial recognition analysis that compared media photographs of Stepanov from the time of his court proceedings to the German police-issued killer’s photograph. German police are cited as yet-undetermined whether Vladimir Stepanov is in fact the person behind the Vadim Sokolov persona. The NYT report did not put its weight behind the hypothesis that Stepanov is Sokolov, but did introduce the mysterious, anonymous tip to the public.

Contrary to the findings of the unnamed Western agency, Bellingcat and its investigative partners Der Spiegel, The Insider and The Dossier Center have concluded that the suspect held by German police is unlikely to be Vladimir Stepanov. This conclusion is based on a weeks-long investigation that analyzed – and ultimately rejected – the hypothesis that the killer and the former police major serving a 24-year sentence are the same person. The same finding was reached independently by the Petersburg-based outlet Fontanka, who claim in September 26 report that Vladimir Stepanov remains in a Russian prison.

In the process of this investigation, Bellingcat and its partners have obtained conclusive evidence that the suspect – whose real identity is still being sought by our team – traveled to Berlin under a cover identity with the active support of the Russian state that created a comprehensive, back-dated paper-trail for this fictitious persona in order to help him obtain the necessary travel and insurance documents, and – crucially – a Schengen visa. These findings preclude the hypothesis that this was an organized crime operation, or even a semi-official operation that received only limited support from individual corrupt officials.

A false lead

Within hours of our initial report that included the first published photograph of the detained hitman, Bellingcat was contacted by an anonymous source who – based on the NYT’s description – appears to be the same source who provided the tip to the German law enforcement, and possibly to Western intelligence agencies. The source believed they had visually identified the suspect as Vladimir Stepanov, the convicted former policeman, and provided information on the place where Stepanov was supposed to be serving the last decade of his long prison sentence. This was the 11th Penal Colony (or IK-11), located in the Russian town of Bor in the Nizhny Novgorod District, about 300 kilometers east of Moscow. This prison’s population includes convicted former law enforcement or intelligence officers, and its walls have seen the likes of both dirty cops and killers and high-profile spies, such as at least 2 former intelligence officers who were exchanged during the notorious 2010 spy-swap case involving ten Russian illegals working in deep cover in the United States.

Over the following weeks, Bellingcat and its investigative partners comprehensively assessed the veracity of this mysterious tip. Despite some early corroborating evidence, for example Stepanov’s similar age, a full match of initials, and a number of striking facial similarities, we ultimately concluded that Sokolov and Stepanov are not the same person.

To reach this conclusion, we initially scoured through hundreds of pages and hours of open source data for a photograph or video clip showing Stepanov. Despite the significant coverage of the high-profile court case in 2005 and 2016 (one of the assassinated businessman was the CEO of Almaz-Antey, Russia’s state-owned monopolist in the production of the Buk anti-aircraft defense system that shot down MH17, and who was reportedly a close personal friend of Vladimir Putin), we were unsuccessful in finding a high-quality photograph of Stepanov allowing forensic comparison.

We then obtained a copy of Vladimir Stepanov’s passport file from a source with access to Russia’s central passport database. It contained two photographs – one taken when Stepanov was 20, and the latter taken around the time he turned 45 (in 2016), as at that age Russian citizens must obtain a new passport.

While visually there are certain similarities between Stepanov’s passport photos and that of “Sokolov”, we could not establish an unequivocal match. Bellingcat then referred the photographs for comparison to Dr. Hassan Ugail, professor of Visual Computing at the School of Engineering Bradford University. Prof. Ugail specializes in facial recognition and age progression simulation techniques.  Prof. Ugail’s determination was that Stepanov and “Sokolov” were two different persons.

“Vadim Sokolov” can be seen on the left and right portions of this matrix (color photographs 1 and 3), and Vladimir Stepanov is on the top and bottom (black and white photographs 2 and 4). Results matrix provided by Prof. Ugail of Bradfort University

In order to further validate this finding, we sought other sources who were familiar with Vladimir Stepanov. We identified and contacted two former police officers from St. Petersburg who served jail time at the same prison outside of Nizhny Novogrod until recently, and whom we assumed might know Stepanov. Both confirmed that they knew Stepanov well – one said Stepanov had been his suborinate – and recognized him on the black & white passport photographs seen above, but not on the photograph of the bearded/mustachioed assassin. Both of these acquaintances of Stepanov also told us that according to the latest information they have, Stepanov was still serving his sentence at the Bor correctional facility. One of the two sources also told us that Vladimir Stepanov never had any tattoos – contrary to the information from German law enforcement sources that “Sokolov” has tattoos on both arms.

Seeking an additional source of validation, our investigative team then established contact with an officer working at the Bor prison facility. This source confirmed to us that Stepanov – as of mid-September 2019 – was still serving time there. This information has been corroborated by a Fontanka report. At our request, the source even took a photograph of Stepanov walking in the prison’s courtyard. Based on comparison to public videos and documentaries about this prison, we were able to geolocate the courtyard as belonging to the IK-11 facility. The images’ metadata also are consistent with the reported timestamp of capturing the photograph in the middle of September.

Based on all of this objective and subjective evidence, we have concluded that it is unlikely that Stepanov is the real person behind the fictitious “Sokolov” persona.

Our assumption for the false-positive match provided by the facial comparison commissioned by NYT is that the source photo of Stepanov used by the researcher is only of a part of a face, and is not facing the camera. A partial face compared to a full (frontal) face is much more likely to produce a false positive than full-face comparison. In addition, individual feature comparison suggests that the 2006 photograph discovered by NYT (middle) bears more similarity with Stepanov’s passport photo (on the left) than with that of “Sokolov” (on the right)

Left: Vladimir Stepanov in an old passport photograph. Middle: Vladimir Stepanov in court. Right: “Vadim Sokolov” shortly after his arrest in Berlin.

To preclude a false negative assessment, our team obtained Stepanov’s criminal record which includes a unique fingerprint formula. This record would arguably make it possible for German law enforcement to compare the formula to the fingerprint data from the actual suspect.

An honest mistake or a red herring?

We are not able to assess if the mysterious tip by the anonymous source was earnest confusion or part of a ruse to sidetrack the investigation and/or discredit investigative media, such as Bellingcat, or intelligence services by coaxing them to publish demonstrably false conclusions. If Bellingcat or another media outlet were to accuse Stepanov of being Sokolov, Russian authorities could easily produce Stepanov — something they have not done with any of the other GRU officers we have unmasked, including Oleg Ivannikov, Anatoliy Chepiga, and Aleksandr Mishkin. We are unable to determine how and why a Western intelligence agency may have concluded that the hypothesis provided by the anonymous source is credible, given our own findings within a relatively short period of time.

Evidence of a state-endorsed operation

In our previous report we based our assessment that “Sokolov”’s operation was highly likely state-sponsored on the fact that he was issued a valid, fully registered international travel passport in the name of a non-existing actual person, and was able to cross the Russian border, suggesting his fake identity was also entered into the central passport database. Further, following the arrest his data was removed from the passport database, which – as well as the issuance of the passport – could not have happened without state involvement.

Our additional investigation has found that the involvement of the Russian state in creating a documentary footprint for the non-existent identity of “Vadim Andreevich Sokolov” is more wide-spread and comprehensive than previously thought. Based on this additional evidence, the concept that this operation may have been set up without the full endorsement of the state apparatus is implausible.

Our investigative team followed the chain of steps that “Sokolov” needed to go through before obtaining the coveted Schengen visa that would allow him to travel initially to Paris, and then onward via Warsaw to his ultimate destination in Berlin. Then, we made an inventory list of documents and paperwork he would have needed at each step.

As reported in our first publication, “Sokolov” received an international non-biometric passport issued on 18 July 2019, and applied for a Schengen visa on 29 July 2019. In order for him to apply for a visa, this fictitious person would have needed to have the following:

  • A domestic passport and an entry in the Russia passport database. The domestic passport is needed as a precondition for obtaining the international travel passport. It is also a necessary requirement for creating a job “footprint” (see below)
  • Proof of employment, typically in the form of a certificate of employment
  • Bank statement showing sufficiency of funds
  • Travel insurance

A tax identification number for a non-existent man

As we reported previously, two sources with access to the Russia passport database had found no entry for Vadim Sokolov as of early September – after the murder and the arrest of the suspect. We assumed that the Russia passport database had been purged of his data following the murder. However, we also hypothesized that “Sokolov”s passport data may have remained intact in other government databases that may not have (yet) been purged by the Russian authorities. We decided that a good candidate for a database with a forgotten digital footprint would be the tax database. In order for “Sokolov” to show proof of employment to the French consulate, he would have had to be formally (fictionally) employed, most likely by a cutout company used by Russia’s secret services. However, any employment, fictional or not, would lead to mandatory tax registration.

From a source with access to tax records, we were able to obtain a copy of “Vadim Sokolov”’s tax file. As expected, it had not been purged, and contained strong evidence of a freshly-created fictitious persona.

“Vadim Sokolov” was first entered into the Russian tax system on 16 June 2019, and received a tax identification number (INN in Russian) the first time on 23 July 2019 – just five days after the issuance of his international travel passport, and six days before he applied for a visa. Notably, Sokolov received a tax ID number for the first time at age 49. While receiving a tax ID number is not technically mandatory in Russia, a tax registration is automatically triggered by any employment, thus implying that “Sokolov” was first gainfully employed at age 49.

The tax registration, as predicted, also included a domestic passport number for “Sokolov”. This passport was allegedly issued in 2015. Using the passport data in this tax report, we were able to validate its authenticity by entering “Sokolov”’s passport data into the Russian state-run online tax ID validation tool. Based on the passport number, name and date of birth, the tool reported a valid INN number which was the same as the one on the report we had obtained. Thus, effectively “Sokolov” appeared as a valid Russian citizen in one government-run database (the tax registry), while missing completely in another (the passport database).

Our attempts to find any trace of the 2015 passport number listed in the tax record in dozens of Russian databases – including in 2016 and 2018 editions of a comprehensive database of Moscow residents – returned empty results. As the passport number was (allegedly) issued in Moscow, if it had existed as of 2015 it would have shown up in both of these databases. We also tested for the possibility that “Sokolov” may have obtained a passport in Moscow while not being resident there. To this end we searched for his name and birthdate – with any passport number – in several thousands of regional databases leaked over the past 20 years. None of them had an entry for this parrticular “Sokolov”, Notably, these leaked offline databases, which cannot be modified by Russian authorities, include even the fake identities of Skripal poisoning suspects, GRU officers Col. Chepiga and Mishkin. This fact suggests the passport was created in 2019 and “retrofitted” to appear as if issued in 2015.

Having obtained this passport number, we asked one of the sources with access to the real-time Russia passport system to search for it in the database. The source reported that this passport entry was marked with a disclaimer “A person protected by law…To obtain this file, contact an administrator”.

As we have previously reported, several persons who have long worked with the Russia passport database have informed us that such “firewalling” of certain sensitive passport dossiers was introduced for the first time after Bellingcat’s explosive reports identifying the Skripal suspects. Indeed, during our early investigations into the identities of the three GRU officers implicated in the Skripal poisoning, no such firewalls existed, while in later periods our sources were no longer able to access these same passport files, with similar disclaimers appearing in their place.

“No Such Person Here”

The tax file contained another interesting lead: a registered residential address for “Vadim Sokolov”. Unlike the (non-existent) address in St. Petersburg that “Sokolov” claimed in his visa application, the one in his tax record was in Bryansk, a town in western Russia near the border with Belarus.

We obtained an official real estate record for this address, but, unusually, it contained no ownership data. Our collaborative investigative team dispatched a reporter to the stated address and found a run-down house. None of the people at this address knew of a Vadim Sokolov. The person living in the apartment listed in “Sokolov”’s tax file, a man in his eighties, said he does not know of a person by that name, nor if such a person ever lived at that address.

In previous investigations of undercover operatives in Russia, we have come across other “cover” residential addresses that are actually used by elderly people who may or may not be aware of the alternate “on-paper” residents in their apartments.

A missing employee

The employer “Sokolov” listed on his visa application document – and had to provide a certificate of employment with – was a St. Petersburg company called ZAO “RUST”. This is a construction company with a long history, but limited digital footprint. The company’s listed fixed-line phone number is the same as the number listed by a company wholly owned by the Russian Ministry of Defense, but we were not able to establish if the number was used concurrently or at different times.

Our team contacted the CEO of the company, who denied having employed or issued a certificate of employment to Vadim Sokolov. Furthermore he claimed that the company was in reorganization and could not have issued an employment certificate in recent months, as it conducts no economic activity. Still, he promised our reporter to look at the company’s records and inform us if a Vadim Sokolov has ever been employed by RUST. Thereafter, he switched off his phone and has not responded to our repeated attempts to reach him.

While “Sokolov”’s real identity is yet unknown and is the object of our ongoing investigation, our findings so far provide overwhelming evidence that the arrested assassin acted with the full support of the Russian state. The issuance of an array of documents to a fictitious person with no historical evidence of existence – including a last-minute entry into the tax database shortly before his trip to Germany – would not be possible without the direct involvement of a state apparatus. Even less plausible is the ability of a non-state actor to “firewall” the data on a Russian passport behind a disclaimer known to be used to protect personal data relating to undercover special service operatives.

Bellingcat Investigation Team

The Bellingcat Investigation Team is an award winning group of volunteers and full time investigators who make up the core of the Bellingcat's investigative efforts.

Join the Bellingcat Mailing List:

Enter your email address to receive a weekly digest of Bellingcat posts, links to open source research articles, and more.

77 Comments

  1. M

    quote from the minion : Servus – September 28, 2019
    The IP addresses are most likely thouse of ´anonymous proxies’, placed a little bit everywhere in the Internet but …, many are run as ´honey pots’ by the three letter agencies or owners are by law obliged to provide all logs and mappings… and base design was done by US naval research… so as usual, only we the public is knows nothing………..

    reply:):):) get help – a good psychiatrist will help you

    PS
    bellingcat does not allow to reply to uncomfortable messages, does not put a “reply” button

    I am complaining 🙂 🙂 🙂 🙂

    Reply
    • Gerhard

      It seems I touched a nerve with them..very unprofessional for government representatives, but then again they lean so much on insults such as “retard,” etc. that we shouldn’t expect so much. But I am confident that the more they post the more data can be shared regardless of whether their IPs are masked, so post away I say. German BND should also take note that an FSB intelligence asset is apparently operating in Karlsruhe. Happy hunting! NSA and all Western governments are collaborating around the clock to shut you guys down!

      Reply
      • Mr.Bushkin

        Gerhard, you are more stupid than permitted by the police.

        The inland secret service is Germany is BfV and not BND.

        Reply
        • Gerhard

          Russian MO: [Insert uninspired ad hominem, blah blah]

          You are correct, BfV watches Wladimir then, and BND you. So which Russian agency pays you to make counter-Western posts on such boards on sites like Bellingcat?

          Reply
          • Mr.Bushkin

            Thanks for proving that you are more stupid than permitted by the police, dear Servus/Gerhard/Wladimir K, since Bellingat is an MI5 issue due to being located in UK. 😀

          • Mr.Bushkin

            Wait, I just got a call from BND, which claims that you popped up here, because the guest book in your insane asylum to write into has run out of space.

  2. Tracey Thakore

    The point I was trying to make with my earlier comment, is perhaps the “assassin,” is taking on the identity of the deceased.

    Reply
  3. DecentDiscourse

    Thank you very much for the extensive and detailed roadmap you have published. I will be sure to address all of these techniques at our upcoming department heads meeting and make sure each and every method is blocked. Further, we will be sure to place triggers in our systems to make sure the appropriate security staff are alerted when searches of these databases take place with certain criteria involving our special operatives.
    Again, thank you so very much for telling the world exactly how to stop this from being repeated.

    Yours Truly, fictional Russian governmental bureaucrat.

    Reply
    • Mr.Bushkin

      Does it mean that there will be no identifyable designated special passport issuing instances for Russian state undercover special service operatives in future?

      Reply
    • Mr.Bushkin

      The passage “A second man used the alias Sergei Pavlov.” probably refers to pavlovous dogs, but it remains a mystery, what exactly has stimulated the production of such a lame fake news summary.

      Congratulations to Bellingcat nontheless. 👍

      Reply
      • Gerhard

        Maybe if you could write in English beyond a third-grade level with stupid, unfunny “jokes” your kind could graduate to RT or Sputnik correspondents. Stop posting here, and go get a real job.

        Reply
        • Mr.Bushkin

          A LOL, at the stupid new arrival Servus/Gerhard/Wladimir K, which hallucinates about driving me off from my favorite conspiracy theoretician site.

          Reply
      • M

        The bellingcat version is again not compatible with the NYT version.
        There is a lot of inaccuracy when it comes to the main workplace of the main characters of “Russian globetrotters”. For example Denis Sergiejev known as Sergey Fedotov was supposed to be every day T his workplace in the GRU
        conservatory (a stone’s throw from his place of residence on Richard Sorge Street). It was in “The GRU Globetrotters: Mission London” in detail in Heatmap of Denis Sergeev’s movements in Moscow during 2018 :). This map does show that he did not appear in eastern Moscow in 2018 – and this all-powerful military unit( described by NYT) is in the eastern part of Moscow – Unit 29155 . NYT claims that Fedotov is one of three operatives who traveled to Britain, from that Unit. As indicated by the Google military unit 29155 is on ул. 11-я Парковая 11-Я, д. 38а. ( Park street 38a) in Район Восточное Измайлово ( East Izmailovo Moscow district).
        In the bellingcat masterpiece titled: The GRU Globetrotters: Mission London they wrote:
        “Newly obtained telephone metadata logs from a telephone number registered in the name of the (cover) persona “Sergey Fedotov” has allowed us to analyze Denis Sergeev’s telephone usage – including calls and data connections – in the period of May 2017 – May 2019. The data – and especially the cell-ID metadata that we have been able to convert to geo-locations – allowed us to recreate Sergeev’s movements.” 🙂 – according to bellingcat he was very often in the Schukino district (where he lives and works) also in the town of Khimki and near Sheremetiewo airport. Schukino District of Moscow is located in the WESTERN part of the city. Unit 29155 is in EASTERN part of the city.
        The distance between them is about 25 km :):):):
        who’s lying, who’s fooling around. ???????????????

        Reply
          • Servus

            Thanks Kola, so Russian state media opens a propaganda counter fire, sure sign that German police holds a GRU operative and that investigation makes progress, they already anticipate problems..,.

          • Mr.Bushkin

            Servus/Gerhard/Wladimir K, that’s for sure because you stink. 😀

          • Wladimir K

            This is childish. Do you want to impress me with your geek shit or what.
            Gays like you have in reality no balls. This is a fact. In reality you would never tell me such a bullshit into my face. Because are scary and hidding behind the internet https://www.pinterest.de/pin/452119250066051418/?nic=1
            I would beat your until you are sitting in wheel chair. пидорас, что смелый чтоли. In Russia is a guy called tessak he is viteting people who are taling bullshit on the internet. They thing they are brave, but in reality he was visiting them at home and asking this motherfuckers like to repeat that again. Nobody did it. So at the end you need muscles and not fucking geek skills on the internet. You probably living with your 45 years at home and watching gay porn at the internet and had not up to now your coming out. Schwachmatt

  4. Shalashaska

    Sokolov is just the beginning of the story.

    The real mastermind is GRU Col. Volgin, also known as Thunderbolt. His hardcore nationalist faction is gathering power

    Reply

Leave a Reply

  • (will not be published)

You can support the work of Bellingcat by donating through the following link:

TRUST IN JOURNALISM - IMPRESS