The GRU's MH17 Disinformation Operations Part 1: The Bonanza Media Project

An investigation by Bellingcat and its investigative partners has discovered evidence that Bonanza Media, a self-styled independent investigative platform, is in fact a special disinformation project working in coordination with Russia’s military intelligence.

While we have not yet established conclusively whether the Russia’s military intelligence agency, best known as the GRU, was behind the initial launch and funding of the Bonanza Media project, we have established that shortly after it was launched, senior members of the GRU entered into direct and regular communication with the project leader. The GRU received advance copies of Bonanza’s publications, provided its employees illegal cross-border access into eastern Ukraine, furnished the project with confidential internal documents of the official Dutch-led MH17 Joint Investigation Team conducting the official criminal investigation into the deaths of 298 passengers and crew members that were hacked by GRU’s cyber warfare division, and likely instructed Bonanza Media to leak them.

The findings of this investigation are of particular relevance due to the potential role of Bonanza Media as a source of evidence in the ongoing criminal trial over the downing of flight MH17 in 2014. The defense team of Oleg Pulatov – the only legally represented suspect in the ongoing criminal trial – has already introduced in court evidence provided by Bonanza Media, and has requested witness testimony by a key member of the project. The findings are also relevant because in the past few months Bonanza Media has pivoted away from purely MH17-linked topics towards Covid-19 disinformation.

This two-part investigation is based on emails from the mailboxes of two senior GRU officers obtained by a Russian hacktivist group and independently authenticated by us, and on phone call logs of these two GRU officers independently obtained by us from whistle-blowers with access to Russian telecoms data. Our findings present one of the most detailed chronicles of an actual disinformation project run by the GRU.

What is Bonanza Media?

Bonanza Media, a special-purpose media project dedicated to publicizing alternative narratives about the causes of the crash of MH17, was founded in early 2019 by former RT journalist Yana Yerlashova with the help of Dutch blogger Max van der Werff, who managed to receive Dutch press credentials in May 2019.

Yana Yerlashova, and even more so Max van der Werff were well-known names among conspiracy-minded netizens prone to distrusting the findings of the official MH17 investigation conducted by the Joint Investigation Team (JIT). Working for Russia’s state-run outlet RT, Yana Yerlashova had authored documentaries critical of the Dutch-led investigation, and in one case had been accused of planting wreckage from the plane at the crash site. Max van der Werff, routinely critical of Ukrainian authorities and sympathetic to the Russia-supported separatists in the Donbas Region of eastern Ukraine, already had been a fixture on Russian state media as well as on separatist media in 2015 casting doubt on evidence implicating Russia and the separatists in the downing.

Given this history of Van der Werff and Yerlashova, their announcement of a Kickstarter drive to raise funds for a new “independent” MH17 documentary – one that promised to present the “real truth” behind the downing – hardly came as a surprise to anyone following the MH17 investigation. To the relatively small, but tight-knit community of MH17 doubters, who are skeptical of any evidence pointing to Russia’s involvement in the downing of the airliner, the project appeared to be a commendable initiative of truly independent journalists immune to the trappings of the deep state. To others who follow the MH17 case, Bonanza Media seemed like a predictable extension in the Kremlin’s hybrid war on the five-country JIT, timed to sow confusion just before the start of the criminal trial at the Hague District Court in early 2020.

Yerlashova and Van der Werff, photo from their promotional page on Kickstarter.com

The project raised just over $23,000 in 18 days from 67 anonymous donors, with most of the funding coming – according to Van der Werff and Yerlashova – from Dutch donors. The Bonanza Media Twitter account even posted a jab at would-be Russian donors – complaining halfway through the campaign that no Russian money had been pledged.

Over the following year, Bonanza Media managed to put this modest budget (augmented, in the founders’ own words, by personal financial contributions that made up 70% of the total budget) to a surprisingly elastic use: the team crisscrossed between Malaysia (including an interview with then Malaysian Prime Minister Mahathir Mohamad), Russia, Russian-occupied eastern Ukraine, and the Netherlands; produced a series of documentaries showcasing alleged witnesses of a Ukrainian fighter jet near MH17; hosted and attended several press conferences and events in the Netherlands, the U.K. and Malaysia; and commissioned a study from a Malaysian cybersecurity expert alleging manipulation of some of the audio intercepts used as evidence in the MH17 investigation.

Yet, Bonanza’s impact outside its in-crowd and Kremlin-controlled media remained limited, with their press events attended by small groups of truthers and traditionally snubbed by both mainstream media and next-of-kin of the victims. Outside of its interview with Malaysian Prime Minister Mahathir Mohamad, Bonanza had little penetration into the mainstream information space.

Bonanza Media’s unexpected rise from inconsequential conspiracy project to relevance came in January 2020, when it announced it had obtained “credible information relevant for the MH17 dossier that has not been shared with the public yet.”

In the following two months – just prior to the start of the MH17 court case – Bonanza Media published a streak of what it said were “leaks” from internal documents of the JIT. In fact, an analysis of the content and cut-off-date of these leaks shows they were likely to be obtained from a hack of one of the JIT member countries’ offices, Malaysia. The trickle of internal documents leaked by Bonanza Media contained no compromising material on the work of the JIT – if anything, they showed it to be a professionally-run international investigative operation. However, Russian state media and Kremlin officials made full use of out-of-context quotes from the leaks to impute failures of the investigative process.`

Asked about the origin of the documents by a Dutch NRC journalist, Van der Werff answered:

Bonanza Media only makes statements on the content of the leaked documents. All questions that directly or indirectly relate to the source(s) are ignored by us. As you know perfectly well, this is normal conduct for professional journalists and of vital importance for the source(s) and the journalists. See the case of Julian Assange, WikiLeaks.

When asked the same question on another occasion, he repeated this answer.

Recently, Bonanza Media has pivoted to include disinformation around Covid-19 through a video series “REALITYcheck” in which people from around the world describe how they are living through the pandemic and government lockdowns. While many of the video testimonials are fairly generic, there are some clear indications of conspiratorial thinking, with stories of government overreach in carrying out lockdown orders, supposedly empty hospitals amidst media reports of a public health crisis, and the unreliability of mainstream media reports on coronavirus.

Previous Cooperation with Pro-Russian Forces in the Donbas

Before Bonanza Media was created, Max van der Werff had already contacted the Russian-backed separatist authorities in eastern Ukraine trying to help craft a narrative of their lack of culpability in the downing of MH17. In 2016, a leak appeared online from Tatyana Egorova, a staff member of the so-called Donetsk People’s Republic’s (DNR’s) Ministry of Information.

The Egorova Leaks include the entire inbox of the DNR official’s Mail.ru account, through which she conducted official “government” business (as is typical through Russia and its separatist “republics”). The leaked emails include a number of correspondences with Max van der Werff in which he volunteers advice on public messaging around the MH17 downing, and requests direct access to materials to help him with his work. Eventually, Van der Werff requests (and receives) access to visit and work in the “DNR”, after which he sends a scan of his passport to Egorova.

A selection of these emails can be seen below, with personal information redacted:

Despite his willingness, it is unclear whether Max van Der Werff played a significant role in shaping Russian-backed separatist authorities narratives around the downing of MH17. However, several years later his enthusiasm appeared to be put to more efficient use during his collaboration with Yana Yerlashova, who, our investigation has disclosed, directly coordinated their work with Russia’s military intelligence.

Evidence of Coordination with the GRU

No later than the summer of 2019, when Bonanza Media had completed its documentary and began showcasing it at public events, Yana Yerlashova was already coordinating the project’s activity with senior officers from the GRU. Emails and phone records obtained by us indicate that by August 2019, Col. Sergey Chebanov – a graduate of Russia’s Military Intelligence Academy with a roster of international diplomatic postings under his belt – was receiving regular updates about Bonanza’s plans and upcoming events. During most of the phone calls with Yerlashova, cell-tower data shows, he was based at the GRU headquarters at Khoroshevskoe Shosse 76B in Moscow. For his clandestine communication with the Bonanza Media founder and CEO, he had bought a burner phone which he registered in the name of a non-existent elderly Georgian woman – standard trade-craft for GRU spies who did not want their calls to be traceable to them.

The GRU headquarters in Moscow, via Wikimedia Commons.

Defeating the purpose of such operational security measures, he also used his normal phone – registered in his own name – from the same mobile cells as his burner, including at the GRU’s headquarters, or made calls from it in quick succession before or after the use of the burner. It was this Opsec oversight that enabled us to link the burner number to his real identity. Using his burner phone, Col. Chebanov spoke or texted with Yana Yerlashova an average of twice per day in the period from September 2019 to mid-2020, with more than 10 exchanges on certain days. While we can’t know what the two discussed by phone, their occasional exchange of emails showed a consistent pattern of coordination between Bonanza Media’s activities and the GRU.

GRU Colonel Sergey Chebanov

Using two different email accounts, Yerlashova sent Col. Chebanov draft articles intended for publication on the Bonanza Media website, as well as draft promotional materials for events involving Bonanza Media. For example, in an email from 21 February 2020, Yana Yerlashova forwarded Col. Chebanov a draft teaser for the public screening of Bonanza Media’s documentary scheduled for 3 March 2020 in London. The teaser, prepared by the event’s UK organizer Theo Russell, was initially sent for Yerlashova’s approval by a Bonanza media collaborator named Elena Plotnikova. Plotnikova is a vocal Netherlands-based Ukrainian pro-Kremlin activist and member of an opaquely funded organization called “Global Rights for Peaceful People” whose main mission, in the organization’s own words, is defending the Russia-supported separatists in eastern Ukraine. Half an hour after Yerlashova received the proposed promotional text, she forwarded it onward for approval to GRU’s Colonel Chebanov.

“Take a look at the text for Theo’s promotion, plz 🙂

If everything’s okay, he’ll send it out and make an event on social media with the same text.”

In another example of coordination with the GRU, on 3 May 2020 Yana Yerlashova emailed Col. Chebanov a draft article written by Bonanza Media’s hired Dutch contributor Eric van de Beek. The article was published the next day on BonanzaMedia.com.

Only three substantive changes had been made to Van de Beek’s article between the copy submitted by Yerlashova to the GRU officer and the published version. All of the edits expanded on the original draft’s attacks on Bellingcat:

Left: Altered text from the published article; Right: The original draft text, with changed text highlighted in red.

It is not clear who requested or suggested these changes. Formerly a journalist working for the Dutch Elsevier magazine, Eric van de Beek has a track record of voicing support for conspiracy theories on the internet such as those relating to 9/11; the White Helmets; the Douma chemical attack; and eventually also MH17. He has also shown a strong contempt towards Bellingcat, describing us as the “PR-firm of the CIA”, and declaring on 14 April 2018 that he refuses to read any Bellingcat articleEric van de Beek declined to answer any of our questions for this research.

However, other emails in Col. Chebanov’s mailbox also suggest that the GRU had a particular interest in Bellingcat. An email from 9 October 2019, sent to Col. Chebanov from an email account belonging to another GRU officer, contained two attachments, one named “Letter to Higgins” and the other “Invitation to Higgins to a conference on 29 October 2019“. The email contained images and texts from an invitation to a public screening of Bonanza’s documentary in the Hague, scheduled for 23 October 2019. The doc file contained a collection of draft texts from the invitation, screenshots from the Facebook page of the “Global Rights for Peaceful People” organization, and, oddly, a link to a tweet by Eliot Higgins, executive director of Bellingcat. Four days earlier Eliot Higgins had received an emailed invitation to this event and had tweeted a question about the provenance of the organization. It’s unclear if the email sent to the GRU officer was a reaction to Eliot’s tweet, had been part of a more sinister, hacking operation, or had some other motivation (over the years Bellingcat members have been the target of repeated phishing attempts which cyber security experts have attributed to the GRU’s hacking department, known as Fancy Bear).

The “Global Rights for Peaceful People” group would continue to organise more screenings thereafter, and on three occasions played Bonanza Media documentaries on a video-screen parked in front of the MH17 court building packed with journalists and relatives of the victims.

An (Un)Orthodox Christmas

On 6 January 2020 – the eve of Russian Christmas Eve and the sleepiest period in a country that traditionally locks down until mid-January – one spot in Moscow was seeing a flurry of busy action. It was the GRU’s headquarters at Khoroshevskoe Shosse 76B where Col. Chebanov was at his desk. At 10:26am, he texted Yana Yerlashova. She texted him back a minute later. The two exchanged more SMS messages until 11:06. At 11:42, Yerlashova emailed the colonel a photo of her passport. After a few more text messages between the two, at 15:37 she also emailed him a photo of the passport of Bonanza Media’s camera man, RT staffer Vitaliy Biryukov, who formerly worked for Zvezda (a TV network run by the Russian Ministry of Defence).

Shortly after receiving the two passports, Col. Chebanov called his colleague – Maj. General Andrey Ilchenko, a trusted associate of GRU’s current chief Igor Kostyukov. Cell phone metadata shows Ilchenko was near a SIGINT military base in the village of Shchelkovo near Moscow, where he would stay for the next two days. The two GRU officers continued their communication throughout the night.

Sanitized scan of the passport of GRU senior officer Andrey Ilchenko,

On 8 January and the next day, Yerlashova exchanged 10 calls and text messages with Col. Chebanov and had 3 calls with Gen. Ilchenko. The GRU colonel Chebanov himself alternated calls with Yerlashova – using his burner – with calls to Ilchenko – however, using his normal phone. Yerlashova and Chebanov’s last exchange of texts on 9 January was at late in the evening, at 10:22pm.

The next morning, at 10:16 on 10 January, Col. Chebanov forwarded by email to Gen. Ilchenko the two passport copies Yerlashova had sent him four days earlier. At 12:22, Andrey Ilchenko sent a series of text messages to Anna Soroka, a self-styled deputy minister of foreign affairs of the unrecognized Lugansk People’s Republic in Russian-occupied eastern Ukraine. At 12:23, Ilchenko called Yana Yerlashova, who had unsuccessfully tried to reach him an hour earlier. The two spoke for just under a minute. At 14:20, Gen. Ilchenko forwarded to Anna Soroka the two passport copies he had received from Chebanov earlier that day.

Shortly after his call with Yerlashova, phone metadata shows Ilchenko left the headquarters of the GRU. As he did not make calls or send texts until just before 5pm when he got back to the office, his precise movements cannot be established. However, at 3:53pm local time, he emailed Anna Soroka a photograph of a copy of another passport. This time, he had not received it by email – i.e. he needed to have received it as a digital file to his phone, or taken the photo himself. The passport copy he emailed was that of Bonanza Media’s Max van der Werff.

The unedited photo of Van der Werffs passport copy contained all original metadata, which shows it was taken using an iPhone 6s, on that same day and at a time of 15:49 – 3 minutes before Ilchenko emailed it to his Donbas contact. Other photographs emailed by Ilchenko to others on different dates show that he uses that exact iPhone model, and the same out-of-date iOS version, which makes it highly probable that he himself took the photo of Max van der Werff’s passport copy.

The location at which the photograph was taken is a short drive from the GRU headquarters, pеrhaps indicating that Ilchenko drove to meet with either Van der Werff personally, or with someone whom Van der Werff had trusted to carry a printed copy of his passport.

Contacted repeatedly via Twitter, Max van der Werff refused to answer  our questions about whether he knowingly cooperated with the GRU, as well as about the circumstances of his relationship, if any, with GRU’s Andrey Ilchenko.

We made multiple attempts to reach Yana Yerlashova by telephone; she either did not answer the calls or was unreachable. An email with detailed questions about Bonanza Media’s relationship with the GRU remained unanswered as of press time.

“Who Controls Them?”

The context for Ilchenko’s phone calls to his contact in the Russian-controlled LNR government – and the reason he sent the three passport photos – becomes clear from a response he received from Anna Soroka later that day. At 16:32 (Moscow time), she emailed him back saying:

“I would need to coordinate them. Who are they – from which channel are they – where are they going to show the recorded footage? Who controls them? These are the minimum questions that the FSB guys will ask. I can’t bring journalists here just like that, on my own initiative. If I try it, they’ll be detained right at the border. We must position it all to the FSB and the AP (Russia’s Presidential Administration) in such a way that they should see what’s in it for them”

It appears from this exchange that GRU’s Andrey Ilchenko had requested Anna Soroka – who seems to be his trusted political contact in the LNR – to arrange for the Bonanza Media team to be allowed to enter into and film in the separatist-controlled Donbas region. She replies that she needs clearance from both FSB and the Kremlin. As we have reported earlier, after an initial scuffle between the FSB and GRU for political and economic control over the two Russian-backed separatist territories in eastern Ukraine (LNR and DNR), by the end of 2014 the FSB had gotten the upper hand. This might explain the need for the GRU to use its remaining local “LNR” loyalists – of whom Anna Soroka appears to be a high-ranking one – for assistance in special GRU operations (“LNR” borders Russia and is a transit point into “DNR” where MH17 was shot down, and where the Bonanza Team presumably needed to travel to.)

The fact that the GRU’s Gen. Ilchenko tried to arrange for Bonanza Media’s entry into eastern Ukraine via a local loyalist rather than in direct coordination with the FSB – the agency that controls Russia’s borders – also suggests that the GRU is the preeminent Russian security agency interested in producing disinformation relating to the MH17 shootdown. This can be explained by the fact that the Buk missile launcher that shot down MH17 belonged to, and was possibly also operated by, an active Russian military unit – the 53rd Anti-Aircraft Missile Brigade. A clandestine overseas operation by a Russian military unit is usually supervised by Russia’s military intelligence; which might be a reason that the GRU has a disproportionately vested interest in deflecting from its involvement in causing the tragedy.

After receiving this cautious response from Anna Soroka, phone logs show that Ilchenko made a series of phone calls, including to a high-ranking customs chief and to his brother, a senior official at Russia’s Ministry of Foreign Affairs. Late that night, at 21:40, he consecutively called Yana Yerlashova and Col. Chebanov, apparently with positive news. Whatever concerns FSB and the Kremlin might have had about their own benefit from the planned Bonanza Media trip, appeared to have been allayed – as the events of the next few days would show.

A Road Trip with The GRU

At 6 am Moscow time on 12 January 2020, Max van der Werff posted the following message on Facebook.

Later that same evening, Yerlashova and the van der Werff settled down in what appears to be a makeshift studio in Russia for the promised live stream. In their unscripted and at times chaotic address to their followers, the Bonanza team explained they had received “important new information” which they needed to “verify further” and to that end they needed to travel to eastern Ukraine again. Without disclosing what this new information was, they asked for more donations – via Patreon or directly to Van der Werff’s Dutch bank account number, to be able to pay for this trip.

It is not clear if and how much money Yerlashova and Van der Werff were able to raise in the following several hours, but phone metadata from Ilchenko’s phone (which shows the cell tower location of his calling counterparts, as long as they – like Yana Yerlashova – are on the same mobile network) – indicates that by late afternoon on the next day they were already on the way by car to the Russia–Ukraine border. Between calls to Yana Yerlashova, Ilchenko was making a flurry of calls to various Russian customs officials. The next day – on 14 January 2020 – the Bonanza Team had arrived in Rostov-on-Don. From there, Yana Yerlashova exchanged several calls and messages with Ilchenko, who was on that day still located at the GRU headquarters in Moscow.

On the next morning, 15 January 2020, call metadata shows that Ilchenko went to the GRU office but left around noon. On the way to Sheremetyevo airport, he stopped by a phone store – presumably to buy a new SIM card – and had it registered in the name of a non-existent, elderly Armenian lady whose “passport” he apparently was in possession of (the SIM card is registered on that same day, based on mobile telephone data records we obtained.) Ilchenko departed by plane to Rostov-on-Don, the largest Russian city near the border of eastern Ukraine, just after 2pm, and switched on his phone at Rostov’s Platov airport just after 4 pm. At 4:15 pm Yana Yerlashova called him on his main number. The call was short, and presumably he told her he would call her back from his new secret number. He did call her from the new SIM card 15 minutes later, and the call – again – lasted just half a minute.

The following morning, on 16 January 2020, there was a cross-fire of phone calls among Yana Yerlashova, Gen. Ilchenko, Col. Chebanov, and Bonanza Media’s cameraman; after which the group – judging from phone data from Ilchenko’s phone – moved towards the Ukrainian border. They were geolocated near the border town of Donetsk (Russia), where a major border crossing point between Russia and the Donbas lies, at about 11 am on 16 January.

Over the next three days – during which the Bonanza Media team presumably searched for self-styled witnesses of an air-to-air attack on MH17 in eastern Ukraine – Yana Yerlashova and GRU’s Andrey Ilchenko communicated over 100 times. Due to the way in which mobile operators work in the separatist territories, we could not determine their movements on the Ukrainian side, nor whether they were together at all times – or whether Gen. Ilchenko even crossed with the team into Ukraine, or simply facilitated Bonanza’s work from the Russian side of the border. Notably, on 18 January 2020, his phone was switched off for the entire day – suggesting that they both may have been on Ukrainian territory on that day and did not need to coordinate between one another via telephone.

Ilchenko returned from Rostov-on-Don to Moscow on 19 January, and, based on several calls between him and Yerlashova the next day, the Bonanza Media team made it back by car on 20 January 2020.

The Dawn of #BonanzaLeaks

Just ten days after the Bonanza Media team returned from eastern Ukraine, the calls from their GRU contacts again started pouring in. Just after 3 pm on 31 January 2020, Yana Yerlashova received a text message from Ilchenko, followed by a phone call and an exchange of six other text messages with Col. Chebanov. The two GRU officers communicated with her 29 times over the next 24 hours.

On the next day, after an exchange of one phone call and four text messages between Col. Chebanov and Yana Yerlashova, the Bonanza Media twitter account, using the hashtag #BonanzaLeaks, published its first “leaked” internal JIT document – one of many that would come over the next several months.

In part two of this investigation we examine the origins of BonanzaLeaks, as well as other disinformation projects targeting the MH17 investigation.