Saved web pages

New Details on Intelligence Leak Show It Circulated for Weeks Before Raising Alarm


Sometime in January, seemingly unnoticed by the outside world, an anonymous member of a group numbering just over a dozen began to post files—many labeled as top secret—providing details about the war in Ukraine, intercepted communications about U.S. allies, such as Israel and South Korea, and details of American penetration of Russian military plans, among other topics.

The documents, which appear to have numbered in the hundreds, stayed among the members of the tiny group on the Discord messaging platform until early March, when another user reposted several dozen of them to another group with a larger audience. From there, at least 10 files migrated to a much bigger community focused on the Minecraft computer game.

On Wednesday, with the U.S. government apparently still unaware, a Russian propaganda account on Telegram posted a crudely doctored version of one of the documents, alongside a few unedited ones.

The Federal Bureau of Investigation and the Justice Department are now on a sprawling hunt for answers on how the dozens of images that purport to show secret documents surfaced online. A government probe, launched Friday at the request of the Defense Department, is searching for the source of the leak.

A Justice Department spokeswoman declined to comment Sunday on the status of the investigation.

The leak is shaping up to be one of the most damaging intelligence breaches in decades, officials said. The disclosure complicates Ukraine’s spring offensive. It will likely inhibit the readiness of foreign allies to share sensitive information with the U.S. government. And it potentially exposes America’s intelligence sources within Russia and other hostile nations.

Photo: Roman Pilipey/Getty Images

A decade after National Security Agency contractor Edward Snowden leaked a giant cache of top-secret documents about surveillance and other intelligence activities, the U.S. government is still unable to protect against such breaches.

“How the heck are we back here again?” said Brett Bruen, president of Global Situation Room, a national security consulting firm, and a former White House official in the Obama administration. “These kinds of large scale security breaches were supposed to be a thing of the past. New controls and checks were put in place. Yet, clearly it wasn’t enough and we need a major rethink [and] revision to the classified protection process.”

Who had access

The Wall Street Journal wasn’t able to independently authenticate the documents, but they contain enough detail to give them credibility. Defense officials have said they believe some of the documents could be authentic.


In total, just over 50 documents with Secret and Top Secret classification markings have surfaced so far, and have been viewed by the Journal and a variety of independent intelligence analysts. A critical question is who had access, and when, to the hundreds of others that were posted in the original group between January and March, and how significant are the secrets that these files contain.

The U.S. intelligence community is expected to take measures to protect the sources and methods used in the collection of data in that material. “You have to assume it is compromised,” said Thomas Rid, professor of strategic studies at Johns Hopkins University. “But assuming that the adversary has it is one thing, knowing it is another.”

The probe into the leak will be among the FBI’s top priorities as investigators search for who had access to the information, and who would have motive to make it public, said Joshua Skule, a former FBI senior executive who is now the president of the government contracting firm Bow Wave.

“They are going to be looking to get to the bottom of who did it as expeditiously as possible, they are going to be sparing no resource,” Mr. Skule said. “The FBI is approaching this as if someone has committed a treasonous act.”

The leaked documents are photographs of presentations and files that had been printed out on A4 paper. They appear to have been folded twice, perhaps to be smuggled out of a secure facility. A variety of items can be seen in the margins of the photos, including Gorilla glue, shoes and instructions for a GlassHawk HD spotting scope, details that could facilitate the search for the leaker.

Mykhailo Podolyak, an adviser to Ukrainian President Volodymyr Zelensky, said in a Telegram post that it was unlikely that Russia was behind the original intelligence breach.

Photo: oleg petrasyuk/EPA/Shutterstock

“If you have an operating channel to obtain intelligence from the Pentagon, you don’t burn it for a one-day publicity drive,” he wrote. By publicizing the leak, he added, Russia aimed to distract attention from Ukraine’s preparations for the offensive, and to “sow certain doubts and mutual suspicions” between Kyiv and its partners.

Mr. Zelensky reacted to the leak by ordering new measures to clamp down on unauthorized disclosures of military information. The U.S. has also changed how military personnel access such documents, defense officials said last week.

The most damaging files, security analysts say, are the roundups of vetted intelligence material compiled in the Central Intelligence Agency’s operations center intelligence update. They include information on conversations that the U.S. had intercepted within allied governments, such as communications of the leaders of Israel’s Mossad intelligence service and discussions among members of South Korea’s national security council on whether to sell ammunition that could end up in Ukraine.

Even more sensitive is the information that appears derived from the U.S. penetration of the Russian government, such as details on how a Russian hacker shared screenshots with the FSB security service on accessing Canada’s natural-gas infrastructure, internal Russian ministry of defense deliberations on supplying ammunition to the Wagner paramilitary group, and plans by Russian military intelligence to foment an anti-Western and anti-Ukrainian campaign in Africa.

Aric Toler, head of research and training at the Bellingcat investigative consortium, which has carried out several probes of Russian intelligence operations, said that he has been in touch with three original members of the Discord group.

The group’s members saw hundreds of classified files before the channel was wiped clean, he said. Most members are based in the U.S. The identity of the original poster remains unknown.

Baffling pattern

Document leaks have emerged as a common tactic during the war in Ukraine, but the posting of the apparent U.S. intelligence files on Discord, an online chat service favored by videogame players, follows a different, somewhat baffling pattern, according to analysts.

Once global attention was drawn to the leak, members of the Discord groups scurried to delete their accounts and to purge their servers, fearing retribution by the U.S. government and unwelcome attention from foreign intelligence agencies.

“I left that server and I really hope that I am safe,” one of the users, who had uploaded some of the leaked files to the Minecraft community, posted on Friday, adding a crying emoji.

Founded eight years ago in San Francisco, Discord first gained popularity as software that gamers could use to talk to each other in a group. The majority of these chat servers are private—shared by friends—but they can be public, too. Discord also hosts communities supporting Ukraine’s cause.

On Sunday, Discord’s website listed more than 20,000 public servers, the majority of them concern gaming. “It’s a very reliable service when the games are acting glitchy,” said Levi Gundert, chief security officer with the intelligence firm Recorded Future.

Photo: Tiffany Hagler-Geard/Bloomberg News

Researchers at Mr. Gundert’s firm have also found unsavory content on the platform, such as terrorist propaganda and tools for hackers. “It really looks more like a kind of free-for-all in terms of the content that’s available,” he said.

Discord would likely have information about the users of the original group’s server that would be of use to law enforcement investigators, Mr. Gundert said.

A Discord spokeswoman declined to comment.

The latest leak isn’t the first time sensitive documents have shown up on a gaming-related server. Last year, a player of the WarThunder military vehicle combat game posted real classified information on the British Challenger 2 tanks, while a year earlier another user posted a classified manual for the French Leclerc tanks.

The new disclosures are far more significant. They include information about the types of heavy weapons and equipment of the nine Ukrainian brigades that the U.S. and allies are preparing for the coming spring offensive; precise details on the quickly dwindling ammunition of the Ukrainian air defense systems; the level of protection of critical infrastructure sites; and details on how many tanks, artillery pieces and military aircraft Ukraine operates.

The slide initially publicized on Wednesday and Thursday by Russian propaganda Telegram accounts had been doctored to inflate Ukrainian battlefield casualties and to minimize Russian ones. The crude nature of the alteration suggests this wasn’t a high-level intelligence operation, security analysts said.

Another purported Pentagon document that emerged on Friday contained the same estimate of Ukrainian and Russian battlefield fatalities as the unaltered slide: up to 43,000 Russian troops and up to 17,500 Ukrainian troops, in addition to as many as 41,000 Ukrainian civilians.

Photo: Evgeniy Maloletka/Associated Press

Separately from the war, one of the items in the CIA update said that Mossad leaders “advocated for Mossad officials and Israeli citizens to protest against the new Israeli government’s proposed judicial reform, including several explicit calls to action that decried the Israeli government.” The update cited signals intelligence, an indication that conversations among the Mossad leadership have been intercepted by the U.S. government.

Mossad Sunday took the rare step of publicly denying the report, calling these allegations “mendacious and without any foundation whatsoever.”

Changes in security

U.S. national security entities have taken steps to prevent a repeat of the 2013 breach, when Mr. Snowden, then a contractor to the National Security Agency, left the country with a large number of classified documents, and provided them to journalists.

Mr. Snowden, who became a Russian citizen, has said his leak was meant to shine light on what he described as abuses of U.S. surveillance, and chose to provide them to journalists so that they would vet the documents.

There has been no explanation so far of the motives behind the latest leak.

In the current case, the U.S. is considering a range of possibilities over how it occurred, including that someone with a top-secret security clearance leaked the information or that U.S. intelligence systems were hacked, U.S. officials said Saturday.

Leak probes usually begin by determining who had access to the documents, current and former officials said. Potentially hundreds of government employees have security clearances that would give them the ability to view the documents.

Marc Raimondi, a former Justice Department official, said that the pool of people who have access to some of the highest levels of classified information expanded in the years after the 9/11 terrorist attacks. A congressional commission that investigated the attacks pointed to the lack of intelligence sharing as one of the reasons the U.S. government didn’t uncover the plot.

Since then, efforts have focused on sharing intelligence more widely, “but with having that wider pool of people having access, obviously, you run the risk that one of those people may not take their oath as seriously as they should, and you have an improper release of national defense information,” said Mr. Raimondi, chief of staff at the Silverado Policy Accelerator, a Washington, D.C., based think tank focused on security and trade issues.

Mr. Raimondi said sharing intelligence remains critical for protecting the U.S. and its allies, even if it comes with risks.

“An extraordinarily small number of clearance holders violate their obligation,” he said. “But when it does occur, it can be devastating.”

—Vivian Salama, Sadie Gurman, Gordon Lubold and Dov Lieber
contributed to this article.

Write to Yaroslav Trofimov at and Robert McMillan at

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8