the home of online investigations

You can support the work of Bellingcat by donating through the following link:

The Dreadful Eight: GRU’s Unit 29155 and the 2015 Poisoning of Emilian Gebrev

November 23, 2019

By Bellingcat Investigation Team

  • In a previous investigation, Bellingcat and its investigative partner The Insider reported on the presence of a senior GRU officer, Denis Sergeev aka “Sergey Fedotov”, in Bulgaria at the time when a Bulgarian arms manufacturer collapsed into a coma following what was identified as poisoning by an unknown neuroparalytic substance. At that same time, the entrepreneur’s son and the production manager of his factory were also poisoned. A possible second poisoning may have been attempted a month later, days after Gebrev and his son were released from hospital.
  • We have previously identified Denis Sergeev as a Maj. General from Russia’s military intelligence elite overseas clandestine-operations unit, a sub-unit of military unit 29155. He traveled to the UK to coordinate the operation of Col. Chepiga and Col. Mishkin (aka “Boshirov” and “Petrov”) in Salisbury in March 2018. 
  • The clandestine sub-unit of GRU’s military unit 29155 is a top-secret intelligence squad comprising of approximately 20 undercover officers with hands-on combat experience and hailing from a broad array of backgrounds, ranging from signals intelligence to medicine.
  • We have previously identified members of this sub-unit as being involved in the destabilization and annexation of Crimea (2014), destabilization campaigns in Moldova (2014), a failed coup in Montenegro (2016), WADA-linked operations in Switzerland (2016-2017).
  • Currently unit 29155 is also under investigations in Spain – after disclosures by Bellingcat – over trips to Barcelona before and during the Catalonia independence referendum in 2017.

In a new joint investigation with Der Spiegel and The Insider, Bellingcat can now reveal that at the heart of the Bulgarian poisoning operation was a team of as many as eight GRU officers – all members of the same unit – who traveled to Bulgaria in the weeks surrounding the poisoning attempt. Crucially, constellations of teams of three – including Maj. General Denis Sergeev – were present in Bulgaria during both suspected poisonings.

The preparations for the attempt on Gebrev’s life may have been months in the making. The first member of the GRU sub-unit to visit frequently Bulgaria was “Vladimir Popov” – one of the two GRU officers indicted by Montenegro for orchestrating the country’s destabilization in late 2016 ahead of its accession to NATO. We previously identified “Vladimir Popov” as GRU officer Vladimir Moiseev.

GRU officer Vladimir Moiseev, cover name Vladimir Popov. Photo from now defunct social media profile under the fake identity of “Popov”, geo-located to Warsaw, Poland

Approximately one year before Gebrev’s poisoning, Moiseev visited the country in March 2014 (16-18.3), followed by trips in September (12-16.9), November (18-21.11) and December (5-16.12) 2014. His visits were made under his cover persona, which has its own fake backstory as a photographer and journalist for a now-defunct Russian marine insurance journal.

Several months after Popov’s initial trip, several other members of the same GRU unit began regular visits to Bulgaria. “Fedotov” was accompanied by “Pavlov” in late February 2015 (15-22), a week later agents “Kononikhin” and “Lebedev” came on a joint “tourism” trip on 26 February and stayed until 8 March. During the same period, another team member – “Nikitin” also made a short visit to the country. “Popov” came back to Bulgaria during the last three days of their stay – from 6 March to 11 March 2015.

Nikolay Ezhov, aka “Nikolay Kononikhin”. Left, Ezhov photo from his driving permit. Right, “Kononikhin”‘s photo from a visa application document

 

Danil Kapralov, aka “Danil Stepanov”. Left, photo from social media profile of Kapralov’s family member, right, photo from “Stepanov’s” travel passport.

Those visits were likely a preparation for the main operation. The immediate arrangements for the operation however appear to have begun on 24 April 2015, when two GRU officers traveling undercover as the tourists “Georgy Gorshkov” and “Sergey Fedotov”, arrived to Bulgaria’s Black Sea resort city of Bourgas. (Gebrev believes he recognized “Gorshkov”’s face when we showed him a photograph, however given the long time after the incident he said he could not be sure).

“Georgy Gorshkov”, one of the GRU team members who traveled to Bulgaria twice around Gebrev’s poisoning. Photo from a passport scan.

“Sergey Pavlov” arrived on the same day directly to the capital Sofia where Gebrev was at the time. Ticketing data shows that both “Fedotov” and “Gorshkov” were supposed to fly back from Sofia to Moscow on 30 April 2015. However, neither of them waited for their return flights. Instead, late on the evening of 28 April 2015, they both flew to Istanbul and then onward from Istanbul’s Ataturk airport for Moscow. The next morning, 29 April 2015, “Pavlov” flew directly to Moscow from Sofia on a Bulgaria Air flight.

Sergey Lyutenkov, aka “Sergey Pavlov”. Left, Lyutenkov’s passport photo. Right, “Pavlov”‘s visa application photo.

About 20 hours before the tourists’ premature departure, late in the evening of 27 April 2015, Emilian Gebrev felt the first symptoms of what would soon turn out to be a near-fatal poisoning. Initially he felt a burning sensation in one of his eyes, then the uncomfortable feeling progressed to both of them. Later that night he says he felt dizzy, and had flashes and blurred vision.

He did not read too much into these early symptoms, and attributed them to tiredness or early signs of flu. However, the following day his symptoms progressed, and during dinner with business partners on the evening of 28 April, Emilian Gebrev felt that he was going to collapse. Having a good contact at Sofia’s military hospital, he was rushed there just in time before falling into a coma.

In the next several hours, both his son and his production director – neither of whom attended the dinner – also felt weak and fell down with inexplicable, albeit somewhat less severe symptoms. They all ended up in hospital during the next day.

The medical examination of all three showed symptoms of severe poisoning, with Gebrev’s condition deteriorating the fastest. The medical team treating him was unable to identify the poison, but – partly thanks to experience while deployed in peace-keeping operations in war-zones – the lead doctor was able to mitigate the symptoms sufficiently to maintain Gebrev’s vital signs while keeping him in a medically induced coma.

Denis Sergeev, aka Sergey Fedotov. Left, still from a 1997 documentary showcasing Sergeev’s role in hostilities in Dagestan. Right, “Fedotov’s photo from a visa application document.

Approximately 20 days after initially being admitted to hospital, Emilian Gebrev’s status improved substantially and he was released. The doctors – still in the dark about the actual cause of his sudden illness – advised Gebrev and his son to spend some time away from the polluted city air, and so they drove to the beach resort of Sinemorets. 

It was while the Gebrevs were at their seaside house that a revamped GRU team returned to Bulgaria.

First “Danil Stepanov” arrived on 23 May 2015. The next day he was joined by senior officer “Fedotov” who flew to Sofia on a direct flight from Moscow. “Fedotov” had booked a return ticket on May 28, 2015, however, once again, he did not show up for the flight. Instead, two days later, on 30 May 2015, he took a flight from neighbouring Serbia to Moscow. Notably, on 28 May 2015 the two were joined in Bulgaria by “Gorshkov”, who accompanied “Fedotov” in his detour via Belgrad to Moscow on 30 May. “Danil Stepanov” left Bulgaria on 29 May on a direct flight to Moscow.

On 26 May 2015 – during the stay of “Fedotov” and “Stepanov” in Bulgaria – Gebrev and his son once again felt early symptoms similar to what they had experienced a month prior, and went for examination into Sofia’s military hospital that same evening.

As we reported earlier, Gebrevs diagnosis remained inconclusive with doctors unable to determine the source or type of poisoning. At Gebrev’s own initiative, the Finnish research institute Verifin was asked to analyse serum and urine samples. The analysis performed was not examining the actual poison, but its biological descendants (metabolites) that had remained in the human body. Verifin found traces of two organophosphates that could be linked to pesticides, and a third one that the laboratory was unfamiliar with and could not identify.

Following the news of the Skripals poisoning with Novichok in 2018, and recognizing some of the symptoms described in their case, Gebrev approached Bulgarian authorities with a request to reopen the cold-case investigation and probe for the possible use of Novichok or a similar substance on him. He also urged Bulgarian authorities to request a new chemical analysis of the samples submitted to Verifin in 2015, with the hindsight awareness of the possible use of Novichok, and accumulated knowledge of its residual manifestations in blood and urine. While the Bulgarian government has reopened the investigation and is known to be cooperating with UK law enforcement, Gebrev’s requests for a repeat chemical analysis – in cooperation with the OPCW – have not yet been acted upon.

Possible motivation behind the attack

The precise motivation for the apparent poisoning attempts is still not determined by the Bulgarian investigation, nor is it clear even to the victim. Gebrev’s arms business was not a major factor in arms sales to countries or militant groups that Russia’s Defense Ministry considers adversaries. While Gebrev did export weapons to Georgia during the Russia-Georgian war in 2008 and ended up in a Russian Ministry of Defense blacklist, he tells us his business accounted for no more than 10% of Bulgaria’s total arms sales to Georgia during the war. He is adamant that he did not export arms to Ukraine, directly or indirectly, after Russia annexed Crimea in February 2014.

One possible hypothesis for Gebrev becoming a target was the internal power struggle of oligarchs in Bulgaria, on whom Russia exerted significant influence during the period 2014-2015.

Russia did consider the arms industry in Bulgaria hostile to its interests, since by early 2015, a number of Bulgarian arms manufacturing and exporting companies were scrambling for a clandestine US budget allocation for supplying weapons to the Syrian rebels. The demand for Eastern-type light/medium weapons and munitions had grown exponentially and Bulgarian exporters were eager to get a cut of the allocation. The exported weapons, naturally, were not going directly to the Syrian insurgents armies, but were initially sold to proxies, such as Azerbaijan and Saudi Arabia.

Gebrev insists now that his company, Emco, did not bid for any arms sales under this clandestine program. He says his main export markets – India and Northern Africa – required high volumes and he was fully focused on fulfilling those export commitments. However, an export license application for a shipment to Azerbaijan – that was allegedly intended for Syria – was filed with Bulgarian foreign ministry, coincidentally, on April 27 – hours before Gebrev felt the initial symptoms of poisoning.

Gebrev’s main hypothesis is that this was a forgery by a competitor, who wanted to eliminate his business from the market by turning the Russians against him. We have reviewed correspondence between the Bulgarian Ministry of Foreign Affairs and the Embassy of Azerbaijan from April 2015 which does show that Emco’s name was fraudulently – or erroneously – included in the export request.

MFA letter to Azerbaijani correcting the name of the actual export applicant initially listed as Emco

While the timing of this erroneous inclusion of Gebrev’s company into a transaction seen by Russia as hostile, and his initial poisoning, is a remarkable coincidence, it is unlikely that there is a direct causal relationship between the two, as there would not have been sufficient time between the “set-up” and the poisoning operation. At the same time, it is beyond doubt that during 2015, 2016 and 2017 there were attempts to discredit Emco internationally, including through an English-language article in a Bulgarian newspaper that used the false export license application to implicate Emco in arms exports to ISIS-linked militants.

The journalist who authored the article incorrectly implicating Emco cited documents allegedly leaked to it from a little-known organization calling itself “Anonymous Bulgaria”.  The only evidence of this organization’s existence is a Twitter account which has posted almost exclusively Kremlin-aligned (dis)information, including an hacked email dump relating to an Azerbaijani company’s alleged involvement in arms trading with ISIS-linked groups, as well as promoting a conspiracy theory that Azerbaijan used diplomatic mail to ship white phosphorus to Armenia for a false-flag attack. After being dismissed from the Bulgarian newspaper over the incorrect reporting, the journalist launched an English-language website called Armswatch.com which publishes information and unverifiable claims focusing on the arms trade usually aligned with Russia’s military-industrial complex. A recent publication alleging illicit Serbian arms exports to Ukraine (and citing 4-years-old data) appeared within hours of the escalation between the Serbian government and Russia following the publication of a surveillance video showing a GRU officer exchanging bags with a Serbian military officer in December 2018.

The long-term campaign against Emco –including by sources aligned and seem to be acting in sync with the Russian military – make it plausible that attempts may have started before the erroneous export application from April 27.

In the absence of logical alternative explanations, Gebrev’s own hypothesis that he may have been targeted based on false information fed by competitors to the Kremlin, stands out as the most plausible scenario.

Identification Methodology

As we have reported earlier, GRU officers from Unit 21955 traveling undercover are issued passport in batches, and their passports are renewed approximately every two years. Each batch contains sequentially numbered passports, most of which are reserved to GRU officers. This has allowed us to identify all members of this GRU sub-unit by using as seed the cover identities – and associated passport numbers – of the trio of the Skripal-poisoning suspects.

The validation of a suspected officer from this unit can be done by searching for such suspect’s domestic passport number, usually available from a number of leaked car registration or residential databases. Once the number is obtained, we can typically verify if a real person with that identity exists, by searching for that “persons”‘s tax ID number on a Russian government-run website. Cover identities do not have a tax ID number, since they were removed the the tax database following our initial investigations into the Skripal suspects in 2018.

Identifying the real identity – the longest and most cumbersome process – requires trying various permutations of initial, patronyimic and family names, and using the cover persona’s birth date, to locate a candidate with a residential address (current or historic) at one of several known addresses of GRU-linked dormitories.

A final step requires the photographic match between a photo of the cover identity with one of the suspected real identity. A number of different sources are used to locate photographs in each case, including social media (usually of family members), passport dossier files accessed via whistle-blowers, or Schengen visa application documents.

Bellingcat Investigation Team

The Bellingcat Investigation Team is an award winning group of volunteers and full time investigators who make up the core of the Bellingcat's investigative efforts.

Join the Bellingcat Mailing List:

Enter your email address to receive a weekly digest of Bellingcat posts, links to open source research articles, and more.

32 Comments

  1. Tom Wonacott

    “………While the Bulgarian government has reopened the investigation and is known to be cooperating with UK law enforcement, Gebrev’s requests for a repeat chemical analysis – in cooperation with the OPCW – have not yet been acted upon……..”

    Unit 29155 keeps popping up throughout Europe. While Russia seems to be making some headway with their Middle East policies (except for possibly Wagner in Libya), their policies in their near abroad and throughout Europe seem to be in disarray. Their clear risky interference in the US election just seems to be a part of a political strategy to influence outcomes in the west which benefit Russia – all at great risk of exposure. It would by no means be out of the ordinary if Russia interfered in the Catalonia referendum.

    Why use OPCW? Any results published by OPCW will be suspect based on their Douma fiasco. Chemical analysis should be conducted by a credible lab.

    Reply
    • Gerhard

      See latest OPCW article — this is hot off the Kremlin’s presses via their foreign media arm WikiLeaks. Must have been a mole or someone Russia placed inside OPCW to discredit findings. Russian disinformation campaign to undermine broader credibility of OPCW after Postol operation failed.

      Reply
  2. kraaii

    Gebrev does no believe in GRU link ”Viafot” “They are trying to destroy me physically, economically and legally.”

    Reply
    • Tom Wonacott

      “……..I guess you were thinking of the Moscow laboratory which handled data of Russian athletes?……”

      You unwittingly give the exact reason why the lab needs to be credible. The OPCW published their final report for the Douma Chemical attack in March of this year (https://www.opcw.org/media-centre/news/2019/03/opcw-issues-fact-finding-mission-report-chemical-weapons-use-allegation). This conclusion essentially blames the Assad regime for the Douma chemical attack (without having the authority to actually blame the Assad regime). A leaked internal document at the OPCW in October i.e., engineering assessment, strongly implied that this was a false flag operation by the “rebels” (https://drive.google.com/file/d/1ayBv-nEOMTtIc-QOvejQBdCnZQXTuJ5z/view).

      First, this calls into question any published results of OPCW in the Syrian conflict. There simply is no place for a supposedly neutral organization that works through the UN – especially one that investigates the use of chemical weapons – to produce a result for political reasons. Second, it is never good when RT provides a more honest version of the Douma chemical attack than the western media (https://www.rt.com/news/474206-opcw-report-leaked-email/). Simply put – a propaganda bananza. Normally, RT is far more notable for what they leave out of their on-line version – like most all references to Wagner (like in Libya, for example).

      The OPCW needs to regain credibility, but that is not going to happen investigating the poisoning of the Bulgarian arms dealer.

      Reply
      • Jeroen

        Well the OPCW has the authority now to blame Assad (or other actors) for chemical attacks, its regime carries out, because the OPCW members voted before gaining such authority.

        Trying to “call into question ANY published results of OPCW in the Syrian conflict”???

        Claiming (Russian state financed) “RT provides a more honest version of the Douma chemical attack than THE western media”???

        Is the Kremlin afraid when the OPCW or British laboratories investigate the poisoning of the Mr Emilian Gebrev?

        Reply
  3. Germann Arlington

    What face recognition/verification software are you using and what is a confidence value needed to claim that two photos are of the same person?

    Reply
    • Jeroen

      Is that you “Germann Arlington” born in “1966” living in “Aberdare, Wales” who twitters pro-Assad???

      Reply
      • HaraldK

        Whatever, it’s a legit question anyway. A number with umpteen decimals declaring similarity isn’t really worth anything unless we can examine the model that provided it.

        Though, based on my own built in same-person-detection software, I don’t doubt any of the claimed identifications.

        The Russians thought this guy armed Syrian rebels, and tried to murder him for it. That much is clear.

        What I do doubt is that they were necessarily wrong. I don’t understand why Bellingcat is so sure the export license was false. Granted I can’t read those documents, but the existence of a later document correcting a former document doesn’t really say anything either way. We’re talking clandestine arms exports here for heaven’s sake – competitive “leaking” of fake documents making themselves look good is within all sides’ capabilites here. Bellingcat needs to make their case for this belief more clear – especially as they’re now for some bizarre reason picking a fight with a Bulgarian investigative journalist over it.

        I really can’t see the point of it. The real news here is the assasination attempt, and Bellingcat HAS documented that sufficiently, with information I can reasonably check.

        Reply
  4. Chris

    I find it disturbing and unfair that this story generates so much attention: “8 guys tried to poison an elderly businessman and failed”. My ex-wife tried to poison me with a slower acting poison. The circumstancial evidence was even more than in this case(poison detected, ER etc) and her motive was much clearer ($2M+lover), but she got away without being investigated. The real scandal is that I was convicted of domestic violence for calling her a ‘psychopath’ over this, albeit being a law abiding tax paying computer programmer, and exemplary citizen. Yet my story doesn’t interest the press….

    Reply
    • Gerhard

      Chris, shame on you for marrying a Russian GRU operative. But as you’re probably one yourself I guess you knew what you were getting yourself into..but bonus points at Glavset for an inventive story anyway..thanks for the entertainment.

      Reply
  5. Amused

    Motivation – unknown. Profit – unknown. Target doubtful. Boys from secret services have nothing better to do for about a year, except for prepering an inept poisoning. You gotta be kidding😉

    Reply

Leave a Reply

  • (will not be published)

You can support the work of Bellingcat by donating through the following link:

TRUST IN JOURNALISM - IMPRESS