Episode 16



Vanessa Kirby gets Christo Grozev, a modern Sherlock Holmes, to share the secrets of how he solved one of the most notorious assassination attempts of the 21st century - the poisoning of retired Russian double-agent Sergei Skripal, hospitalized by a mysterious nerve agent on British soil.
Read the transcript →

True Spies Episode 16: N is for Novichok

Welcome to True Spies. Week by week, mission by mission, you’ll hear the true stories behind the world’s greatest espionage operations. You’ll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position? 

This is True Spies Episode 16: N is for Novichok.

CHRISTO GROZEV: An assassination operation takes no less than four to five people. Usually, it’s five to six people.

NARRATOR: Meet Christo Grozev. Not a spy but a spy hunter. Not the trilby hat and turned-up collar sort. No long evenings on lonely street corners, but rather days and nights in the depths of the internet. You might call Christo a data detective. In 2018, two men appeared on his radar. They looked innocent enough. To the casual eye, they were simply tourists in jeans, trainers, and padded jackets waiting at the ticket barrier of a provincial British railway station. But the British police had just revealed them to be Russian agents and prime suspects in an audacious assassination attempt.

CHRISTO GROZEV: Committing a crime like this in the United Kingdom is probably the worst idea on Earth because it’s completely dotted and littered with security cameras.

NARRATOR: Christo and his colleagues wanted to know who they really were.

CHRISTO GROZEV: We had the advantage of having spent several years following exactly the type of people that were behind this operation.

NARRATOR: This is the story of how Christo revealed the true identities of the two hapless tourists and so much more. It all begins in Salisbury. Salisbury is a small city in the south of England. It’s best known for its Medieval cathedral. Perhaps you know the pictures by the landscape artist John Constable with that tall, slender spire in the background. The cathedral holds one of only four surviving copies of the Magna Carta, a document of great historical importance. So there are plenty of tourists. But, one Sunday afternoon in March 2018, passers-by noticed two people: a man in his 60s and a younger woman slumped on a bench in the city center, clearly in some distress. The emergency services were called and they were ferried to a hospital. It didn’t take long for disturbing facts to emerge. The man was identified as Sergei Skripal. Mr Skripal, it seemed, was a former Russian spy. The younger woman was his daughter. They had both been poisoned. And by poisoned I don’t mean something cozy and Agatha Christie. The poison they found in Salisbury was a nerve agent, the kind of thing governments develop in chemical weapons labs. The British prime minister, Theresa May, knew exactly where to look for the culprits.

BRITISH PM THERESA MAY: It is now clear that Mr Skripal and his daughter were poisoned with a military-grade nerve agent of a type developed by Russia.

NARRATOR: Speaking in parliament a little more than a week after the attack, she had no hesitation in pointing the finger.

BRITISH PM THERESA MAY: Either this was a direct act by the Russian state against our country, or the Russian government lost control of its potentially catastrophically damaging nerve agent and allowed it to get into the hands of others.

NARRATOR: And the nerve agent had a name: Novichok. Identified, the prime minister said, by experts at Britain’s Defense Science and Technology Laboratory at Porton Down. Mrs May added something else, the full significance of which emerged only later.

BRITISH PM THERESA MAY: It was an indiscriminate and reckless act against the United Kingdom, putting the lives of innocent civilians at risk.

NARRATOR: It took time for the extent of the risk to emerge - nearly four months. And then another disturbing report from the small town of Amesbury, a few miles north of Salisbury. A couple in their 40s had been found unconscious in their flat. And a chilling announcement from counterterrorism police. This couple, too, had been exposed to Novichok, probably by accident. In the case of the Skripals, the Novichok appeared to have been applied to the handle of their front door. Miraculously, both of them survived. In this case, Charlie Rowley, a 45-year-old, had picked up a discarded perfume bottle that seems to have contained the deadly substance. Charlie Rowley, too, survived. His 44-year-old partner, Dawn Sturgess, did not. She died on July the 8th. The police were now conducting a murder inquiry. Two months later, on September the 5th, the prime minister was back on her feet in parliament.

BRITISH PM THERESA MAY: I would like to update the House on the investigation into the attempted murder of Sergei and Yulia Skripal, and the subsequent poisoning of Dawn Sturgess and Charlie Rowley earlier this year.

NARRATOR: The police had identified two suspects, two Russian nationals traveling on Russian passports. They had tracked their arrival at Gatwick Airport on the afternoon of Friday, March the 2nd, and followed their trail to a hotel in east London. They discovered that the two men had made two return trips to Salisbury by train, the first on Saturday, the second the following day. They were in Salisbury for roughly two hours on Sunday the 4th of March and left in the early afternoon. The Skripals were found collapsed on their park bench at around 4.15 pm that same day.

And there were images captured from CCTV: two men, perhaps in their early 40s, round faces and short hair, one with a goatee beard. Here they are arriving at Gatwick Airport and then standing at the ticket barrier at Salisbury station; the same men walking through the city in waterproof jackets, one in a woolly hat, the other a baseball cap; and then going back through passport control at Heathrow Airport for an evening flight to Moscow. 

There were also images of a perfume bottle Charlie Rowley had found in Salisbury. It, the police said, had contained the fatal dose of Novichok that killed Dawn Sturgess. And there were names for the two Russians: Ruslan Boshirov and Alexander Petrov. But no one thought that these were their real names. The police and the prime minister had little doubt who they worked for.

BRITISH PM THERESA MAY: I can today tell the House that, based on a body of intelligence, the government has concluded that the two individuals named by the police and CPS are officers from the Russian military intelligence service, also known as the GRU.

NARRATOR: Sergei Skripal had himself worked for the GRU. He’d been recruited by military intelligence after serving as a paratrooper in Afghanistan. By the mid-1990s he’d been posted to Spain and it is there that he’s said to have been recruited by British intelligence as a double agent. He carried on working for the British after he’d gone back to Moscow, where eventually his cover was blown and he was arrested, very publicly, in December 2004. You’ll find footage of this online. He’s held in what is apparently some kind of headlock before being led in handcuffs to a van. Filming this was a deliberate humiliation. Although he received a 13-year prison sentence, he was released as part of a spy swap in 2010. But perhaps Russia never forgives and never forgets. There’s been much speculation that Skripal’s treachery was the motive for the attack and a warning to others tempted to follow a similar path. The family moved to Britain but Skripal’s wife died of cancer in 2012 and Yulia, his daughter, moved back to Russia in 2014. And then Sasha, Sergei’s son, died suddenly on a weekend visit to St Petersburg. There have been rumors of alcoholism but there is much about his death that isn’t known. By 2017, Sergei Skripal was alone in Salisbury. Not a name on Christo Grozev’s radar, but once the British prime minister had denounced the suspects as members of the GRU he got to work.

CHRISTO GROZEV: Fortunately, we had experience with investigating Russian military intelligence.

NARRATOR: Let me tell you a bit more about Christo, our spy hunter, and the organization he works for because the story I’m telling you today is really their story. The story of how a group of dedicated digital detectives uncovered the real identities of Ruslan Boshirov and Alexander Petrov; how they revealed that a third Russian agent had traveled to London the same weekend; and how they exposed a much wider circle of secret agents connected to the Salisbury case.

CHRISTO GROZEV: We're not linked to any intelligence service. We don't get tips. We don't get clues. We're not even an old-fashioned journalist organization, media organization, that has its network of sources that leak. So all we can do is wait for some sort of shred of evidence to appear publicly and then we take it from there.

NARRATOR: Perhaps you’ve heard of Bellingcat. It describes itself as an independent international collective of researchers, investigators, and citizen journalists. Registered in the Netherlands, but with staff and contributors in more than 20 countries, it relies on publicly available sources - what’s known in the trade as open-source intelligence - to reveal hidden truths. In short, Bellingcat’s researchers crunch a lot of data. And Christo Grozev, you might say, is data-cruncher-in-chief. Well, certainly when it comes to Russia.

CHRISTO GROZEV: Russia is a very online society and it's a very corrupt society as well. The two of these things together result in a lot of data being traded, people working for the FSB or for law enforcement.

NARRATOR: The FSB is another of Russia’s security agencies.

CHRISTO GROZEV: They tend to download copies of their passport databases there on their office computers and then trade them for money with heads of securities of private companies, for example, or with detective agencies. Sooner or later, such databases leak onto the open market. So we had started gathering such databases and, by 2018, by the time we started looking at the Skripal case, we had already a collection of more than 500 regional databases containing passport data, residential data, car ownership data, telephone number data. All of these allowed us to quite quickly figure out a plan on how to look for these two gentlemen and to figure out whether they're real or not.

NARRATOR: And one other thing you need to know about Bellingcat. They like working with other people.

CHRISTO GROZEV: We typically work with a Russian partner, The Insider. But in this particular case, the interest in the topic was so great that a lot of other international and Russian organizations were focussing on it at the same time. So it became almost like a global collaboration, journalistic collaboration. A very active partner in this collaboration was Fontanka, a St Petersburg media outlet, which is also quite independent. But they were not the only ones. Novaya Gazeta was another Russian media organization that also contributed.

NARRATOR: So, imagine the situation. You’ve been presented with a couple of names and some fuzzy CCTV images, and now you’re going to work out: a) whether these people are who they say they are, and; b) if they’re not, who they really are. And you’re pretty sure they’re Russian spies. What would you do? Where do you start?

CHRISTO GROZEV: We already had a pretty good idea that these are fake personalities. But in order to confirm that for sure, we needed to have more than just the first and last name. We needed their birthdate and we needed the patronymic.

NARRATOR: The patronymic is the middle name that every Russian has. It derives from your father’s name. If you’re a man your patronymic ends in -vich. So, if your father’s name was Ivan your patronymic would be Ivanovich.

CHRISTO GROZEV: In order for a person to be positively identified, you need the three names, the first, middle, and last name. So we needed to get that before we could move our investigation further.

NARRATOR: If you know about these things you will know that passenger manifests from international flights are full of useful data. So, step one for the Bellingcat detectives was to get hold of the manifest from the flight that had brought the two men from Moscow to London. How on earth do you do that?

CHRISTO GROZEV: We had developed a network of trusted whistleblowers in different travel agencies, in different airlines in Russia, who would, late at night after their working hours, agree to - sometimes, on limited occasions and once they were convinced that we were looking for a solution to a crime and not just poking around people's data - they would agree to share limited data on these persons. I think on that particular day there were six flights and we had to make an educated guess as to which flights we should try to get hold of because each attempt to get hold of passenger manifests in Russia would involve a whistleblower working for one of the travel agencies with access to booking data or at one of the airline companies, risking their job and probably their freedom to help us. And it seems that we made a pretty good guess because the first flight manifest we got for one of the morning flights on the 2nd of March ended up with two familiar names, Boshirov and Petrov.

NARRATOR: As I said, passenger manifests are full of useful data. They show, for example, a passenger’s date of birth. And they also show their passport number. Innocent enough, you might think. But Boshirov and Petrov’s passport numbers were very revealing.

CHRISTO GROZEV: Lo and behold, we saw that the two passport numbers were so close to each other that when you count them, you see that only two passports had been issued between the one and the other - which means that they were issued literally on the same day, but more like the same second or the same minute.

NARRATOR: Two people on the same flight with almost identical passport numbers. That’s pretty suspicious and surprisingly amateurish, but Christo wanted to be sure. So, he dug back through his files from a previous investigation. A coup attempt in 2016 in the former Yugoslav republic of Montenegro organized, Bellingcat believed, by agents from Russian military intelligence, the GRU. And there he found the fake identities of two GRU officers along with their passport details. And guess what?

CHRISTO GROZEV: And we looked at the passport numbers in those fake identities and they were literally different by five or six numbers from the two numbers of Boshirov and Petrov. At that point I was absolutely sure - we were all absolutely sure - that we're talking about the same unit from the same intelligence service, which must be the GRU.

NARRATOR: To be clear: what Christo is saying is that not only did this remove any doubt he may have had that Boshirov and Petrov were members of the GRU, this grouping of passport numbers also showed him that the two men were members of a much smaller, clandestine group within the GRU. You’ll be hearing more about them. It is at this point in the story that none other than the Russian president, Vladimir Putin - himself a former intelligence officer, don’t forget - steps in. In a television interview, he dismisses out of hand the suggestion that Boshirov and Petrov were spies: ‘We know who they are,’ he says. ‘They are civilians.’ And he suggests that it would be a good idea for the two men to make themselves available to the media.

CHRISTO GROZEV: Then, literally the next day, I was flying back to my hometown and I saw that there was an interview scheduled with the two suspects that was just about to launch. So I broke all the rules of airline flying and I switched on, well, I started listening and watching the interview on my phone with headphones. I just couldn't believe my ears. I had to actually ask the stewardess to wait a little bit more before the boarding because I wanted to listen to the end of it.

NARRATOR: Perhaps you’ve seen this interview. Go online and check it out if you haven’t. Two very subdued individuals protesting their innocence: ‘Yes, it’s us you can see on those pictures published by the British police. Yes, those are our real names, Boshirov and Petrov. No, we’d never heard of the Skripals. Why did we go to Salisbury? Because our friends had been telling us about this wonderful city and the cathedral with its famous 123-meter spire. Why did we go twice? Well, the weather was so bad on the first day that it was impossible to see the sights, so we had to go back to London. We did a bit of shopping on Oxford Street. And no, no, no, we don’t work for the GRU.’ The interview led Christo, briefly, to doubt all his instincts.

CHRISTO GROZEV: I thought maybe we're wrong. This cannot be people who are secret services who would agree to show up on television and talk lies that can be double-checked and validated relatively easily. So actually, this was the moment where it became almost a full-time job for me because I thought this is either a big mistake by the Brits, by us, or it's the most blatant lie of any government that I've seen. And we need to find out one way or the other.

NARRATOR: But, at the same time, he was confident that Bellingcat could find objective open-source data that would contradict the two men’s assertions.

CHRISTO GROZEV: For example, they spent an inordinate amount of effort and time in the short trip in trying to get to Salisbury and back twice. They explained that by saying that the first day when they went there, it was very slushy, and they were essentially scared of the snow and they couldn't make it a proper trip. So, we looked at the weather forecast, we looked at videos and Twitter posts from the time they were in Salisbury, and we saw that, yeah, there was a little bit of snow, a little bit of slush. But nothing that a Russian can't handle. Russia is permafrost half of the year. This probably was the most implausible statement they made in the whole interview.

NARRATOR: The interview had been screened by RT, Russia Today, a channel notable for its faithful reflection of the view from the Kremlin. Ironically, the interview made Bellingcat’s search for the suspects’ real identities significantly easier.

CHRISTO GROZEV: In the beginning, we were starting our investigation based on two blurry photographs from the British press release and also from scans of passport photos we got from the passenger manifest. This gave us the opportunity to get really high quality - Russia Today's a very well-funded television station, so it has the best cameras and it streams in super high, usually, quality - so we were able to get dozens and dozens high-definition facial shots that gave us the opportunity to later do reverse face search and comparison to other photographs we found in passport databases.

NARRATOR: Okay, passport databases. These form a crucial part of the investigation. So, let’s just take a minute to understand exactly what they are and what information they contain.

CHRISTO GROZEV: Russia, which is a country that came out of the Soviet Union, which was an extremely centralized and bureaucratic society, has kept a lot of that bureaucracy. There's a lot of documentary file data on every person who was born there. One such mandatory piece of data is the passport file.

NARRATOR: Which is very handy if you’re a data detective. Every Russian over the age of 14 has to have an ID document, known as an internal passport. That means there’s an official file on every Russian adult that contains details of every passport ever issued, both internal and external.

CHRISTO GROZEV: And it would include data of issue, passport number, and a screenshot or a face shot of the photograph that was used in that passport, along with a form that you filled in to get that passport from the authorities. In addition, the file would contain a listing of all travel passports, international passports that have been issued to that person.

NARRATOR: A Soviet legacy that’s a digital-era goldmine for people like Christo. So, how to get their hands on the passport files of Ruslan Boshirov and Alexander Petrov?

CHRISTO GROZEV: In both cases, we were able to use the help of a whistleblower who had a relative working in one of the agencies in Russia that has access to the central computerized system that has electronic versions of these passport files. And we had found somebody who was willing to access it for us and give us the passport file for the two of them.

NARRATOR: The first one they got hold of was Alexander Petrov’s. They recognized the face straight away; this was the right man. But there was also a lot missing.

CHRISTO GROZEV: His first passport entry was in the year 2009. And that makes no sense. I mean, everything preceding that was blank. There was a reference to a preceding passport that had been used as a reason to give the new passport. And that passport number was issued apparently in St Petersburg. But when we looked in offline data from St Petersburg, we found that this passport number didn't exist. So, we knew that something was wrong, that this is a file

most likely created from scratch in 2009 based on a newly invented identity.

NARRATOR: Because, remember, every Russian citizen has to have an internal passport from the age of 14. So, if Petrov’s first passport had been issued only in 2009 that would make him 23 in 2018. One look at his TV interview was enough to know this clearly wasn’t the case.

CHRISTO GROZEV: There were other clues that we found in the second page of the second section of this passport file, which contains the applications for a passport that I mentioned earlier. In this particular case, the application, which typically should be filled in by the passport holder, was blank, completely blank. And at the top, there was a stamp with the letters, CC, or SS in Russian, which can be deciphered as ‘top secret’ - sovershenno sekretno - and a handwritten note which said: Do not yield information. Now, all of this already then gave us the strong, strong conviction, indication that this is a Secret Service operative. This is a nonexistent person and somebody had written the note: If anybody looks for information for this person to not provide any information.

NARRATOR: Okay, so what have you got? A passport file for a man probably in his 40s with no official record before 2009. A blank passport application form. A stamp that appears to mean top secret. And a handwritten note saying: Don’t give out any information about this person. And a gaping hole - no reference to the passport which Petrov used to fly to London on March the 2nd. Oh, and you’ve got something else. On a stamp at the top of the blank application form, there is a seven-digit number which had Christo scratching his head. But remember, Bellingcat weren’t the only people digging into the shady background of Alexander Petrov.

CHRISTO GROZEV: Several other media outlets, including Novaya Gazeta, figured out that might actually be a telephone number, and they just picked up a telephone and dialed it, and somebody answered from the Ministry of Defense. And the person said: ‘Who gave you this number?’ And he hung up when he figured out it was a journalist calling.

NARRATOR: So, the seven-digit number on Petrov’s blank application form led straight to the heart of the beast. Although the beast then tried to cover its tracks.

CHRISTO GROZEV: Other journalists called. They got the answer from a male voice that: ‘Oh, no, you're wrong. This is the flea market.’ And then, when by the time we started calling the number, then it was disconnected. Nobody answered the phone anymore.

NARRATOR: So, there was little doubt in Christo’s mind that Alexander Petrov, or a man who went by that name, was GRU. He was a Russian military intelligence agent. But what about the second man, Ruslan Boshirov?

CHRISTO GROZEV: The moment we disclosed our method in this initial publication on Petrov, the next day, before we could even do the same exercise for Boshirov, the Russian media, including Fontanka, did exactly, they replicated our approach, and they published screenshots of Boshirov's passport file which contained exactly the same gaps and exactly the same number and exactly the same stamp: Do not yield information. So, at this point, we already knew for sure that both of them are fake identities. Both of them have a linkage to the GRU, and the big question remained: who are they really?

NARRATOR: So, you’ve got two names which you are sure are fake. You’ve got photos to match faces to the names. And you know that they work in military intelligence. Now you’ve got to find out how they really are. What would you do next? What Christo did next was that he got creative. Where, he wondered, would Russians send people to learn how to be spies.

CHRISTO GROZEV: And we got a consistent answer from the two sources we approached, which was, well, by the end of the ‘90s, the whole system of training spies had kind of collapsed in Russia, and we didn't really have a good training operation, training ground, but there were a couple of schools or institutes, as they call them, that prepared elite spies with good training of foreign languages and the grasp of understanding how the West works. And one of them was the Far Eastern Military Institute in Khabarovsk.

NARRATOR: Khabarovsk, by the way, is about as far east as you can go in Russia. Thousands of miles from Moscow. An eight-hour flight. And this is where Christo started looking. Digitally, of course.

CHRISTO GROZEV: We actually spend a few nights looking at, sort of, Facebook photographs of its graduates, looking for a glimpse of a younger version of Boshirov, to hopefully see him there. And we did that with our friends from The Insider. We had allocated the sort of yearbook photos by year. So we spent a good three nights going through thousands of different photographs, also photographs posted on the social media groups of the school graduates and alumni.

NARRATOR: This painstaking digital legwork eventually bore fruit: a picture of a man, bearing a resemblance to Boshirov, obviously on military assignment in a war zone.

CHRISTO GROZEV: It was against the background of a mountain in a place that looked like the Caucasus. And it was a group of five or six people in military attire. And we were told that this is most likely Chechnya, one of the mountains in Chechnya where there had been two long-running wars. And the time of the photograph was given to us as somewhere between 2001 and 2004.

NARRATOR: It was a start. They could narrow their search - someone who’d graduated from the military academy in Khabarovsk and who had then served in Chechnya. 

CHRISTO GROZEV: And we found, by sheer luck, a reference in a military magazine, a reference to a ‘Hero of Russia’ who had graduated the Far Eastern Military Institute, who had fought on three assignments at three different times in Chechnya, was wounded there and was one of the, sort of, one of the graduates that the institute was most proud of.

NARRATOR: Being a Hero of Russia is a big deal. It’s the highest award available to any Russian citizen, conferred by the president himself. Most importantly for Bellingcat, this particular Hero of Russia had a name: Anatoliy Chepiga. Could this be their man?

CHRISTO GROZEV: The hardest evidence we were hoping to get was a copy of a passport file under the name of Anatoliy Chepiga that would have the identical photograph that we had seen in the passport file of Boshirov.

NARRATOR: So back to the whistleblower, back to the person who had given them the file of the fake identity, Ruslan Boshirov. But no. So near and yet so far. The whistleblower didn’t want to play ball.

CHRISTO GROZEV: By this time, the story had become central news all over the world, including in Russia. So this whistleblower actually felt threatened and we agreed that it was not a good idea for him or her to do this. So we had to find somebody else.

NARRATOR: It took a few more days to find that someone. It was worth the wait. This was the moment when all that trawling through thousands of pictures finally paid off.

CHRISTO GROZEV: We got a file in the name of Anatoliy Chepiga, and it had a photograph of a younger version of the person we had seen in the Russia Today interview.

NARRATOR: There he was - the man so keen to see the famous Salisbury Cathedral spire, but who’d been defeated by the snow. There was further confirmation of Chepiga’s identity, if any were now needed, in the form of a video someone had shot inside the Khabarovsk academy, where a wall of photographs celebrates graduates who later become Heroes of Russia.

CHRISTO GROZEV: In the last column, we saw a face that we enhanced a little bit to get a better picture. And it looked definitively like a current version, a very fresh version of the same person that we had seen on Russia Today. So we had two faces, two photographs, one from the passport file, one from the video of the Wall of Fame. And both of them gave us a match.

NARRATOR: It was a big moment. 

CHRISTO GROZEV: Obviously, there was huge euphoria with us having identified a really secret, deep covert Russian officer of the military intelligence.

NARRATOR: But now, they had to identify the second man and that turned out to be harder than they thought. For one thing, there are an awful lot of Alexander Petrovs in Russia, tens of thousands. So how to narrow it down? Well, do you remember Montenegro? That failed attempt to topple the government in 2016 was organized by agents of the GRU. Christo suddenly had a brainwave - one of the agents Bellingcat had unmasked had had a fake identity that wasn’t very different from his real name. 

CHRISTO GROZEV: So they would use, in those cases, the first name and the patronymic of the real person. They would maintain the birthdate and they would only change typically the last name.

NARRATOR: And remember they already had the passport file in the name of Alexander Yevgenyevich Petrov, the one that was missing so much information. But it did contain a date of birth, not necessarily an accurate one, but a starting point, nonetheless. And, crucially, there was a reference to a previous passport having been issued in St Petersburg. So why not start there?

CHRISTO GROZEV: When we looked in the St Petersburg residential database, the historical database of people residing in St Petersburg, we looked for a combination of the name Alexander, the middle name Yevgenyevich, which belonged to Petrov, and the birth date that belonged to Petrov, but having lived in St Petersburg and we found only one person that matched these criteria. And that person was named Alexander Yevgenevich Mishkin.

NARRATOR: So could Alexander Yevgenyevich Petrov actually be Alexander Yevgenyevich Mishkin? There were further clues that made that look likely.

CHRISTO GROZEV: Then we looked at the address that he was registered at and we found out to be an address that was just across the street from the Military Medical Academy of Russia, the premier military academy, which is based in St Petersburg, for medical doctors. And we found that this address was essentially a dorm that was used by students in that military academy. So, at that point, we had a pretty good hypothesis that this may be our guy. Moreover, that it is - if it is our guy - then we have a new breaking story: one of the two people who had gone out to try to poison Skripal and his daughter was not only a GRU officer, he was a medical doctor who was part of the team. That, on one hand, would have been shocking but, on the other hand, would actually make sense.

NARRATOR: So now they have to prove the hypothesis. More digital shoe leather.

CHRISTO GROZEV: Then we approached a lot of the known graduates of the University of the Medical Academy on social media. This was done by our friends from The Insider. We sent more than 100 direct messages to people to ask them if they knew this face. We showed them a photograph of Petrov. Most of them very quickly responded: ‘No, we don't know. We've never seen this person.’

NARRATOR: But then, bingo.

CHRISTO GROZEV: I got an anonymous email a couple of days later saying: ‘I know I couldn't say anything when I was approached on social media because VK and OKAY are monitored by the FSB. But I want to tell you that, yes, I know this guy. He was one class above me. His name is Mishkin. And yes, he is the same guy that we saw on television.’

NARRATOR: Petrov is definitely Mishkin. So what’s the next step? Well, you should be getting used to the routine by now. A photograph, a photograph that matches Petrov to Mishkin. So it’s back to those passport files, the ones that contain data on every Russian citizen going back to the age of 14. But there’s a problem now. Bellingcat has already exposed Anatoliy Chepiga and it’s becoming too risky for whistleblowers to go into online databases. They might trigger an alert. So Christo needs to find a database that has already been downloaded.

CHRISTO GROZEV: One such source was a car insurance officer with access to an offline database of car sales, car registrations, car insurance. He was kind enough to share with us a copy of the driver's license and of the actual passport scan that had been left by Mishkin when he had been buying a car. And that passport showed his face. That was exactly the same face that we had seen on the Russia Today interview and on the Petrov file. So that's how we confirmed for sure that it's the same person that Mishkin [was a] doctor, medical doctor, and GRU officer Alexander Mishkin is, in fact, the second suspect in the Salisbury case.

NARRATOR: When Bellingcat had identified the first man as Anatoliy Chepiga they had sent a local reporter to the place he grew up to find out if anyone there remembered him. They did the same in the case of Alexander Mishkin. He came from a small village in Siberia.

CHRISTO GROZEV: At about 11:30 pm, we got a message from our guy saying: ‘You won't believe it. I can't send you more data now. So you'll hear from me when I'm out of here. But I was able to talk to his neighbors. He's a Hero of Russia as well.’ And that was a bombshell.

NARRATOR: The next day Christo heard the whole story.

CHRISTO GROZEV: Apparently, his grandmother had been a local medical worker. And she always said to his neighbors that: ‘I want my grandson to become a doctor.’ And she took care of him because his parents had lived in a nearby town toiling away at some factory. So he was very close to his grandmother, and she had shared with the neighbors a photograph of him handshaking with the Russian president and getting the Hero of Russia award sometime in late 2014, early 2015. She would never let any of the neighbors touch that photograph. So she would only show from her hands. Unfortunately, by the time our reporter was there, the grandmother had been whisked away by security services because they knew that we were coming. They had seen that reporters came to Chepiga's birthplace and they knew that we would be coming to Mishkin's place soon. So, she was out of there. But this story confirmed once again that we have two Heroes of Russia, highly decorated people, who had been entrusted with this mission to go in, try to poison Sergei Skripal.

NARRATOR: It’s a good story, right? Well, it’s about to get even better. Back in September 2018, the British counterterrorism police had published pictures of two men. But Bellingcat had now established that there was a third GRU man in London at the same time. So let’s just rewind briefly. We’ve already heard about the failed coup attempt mounted by GRU officers in Montenegro in 2016. And we’ve heard that the agents who took part in that had passports whose numbers were very close to those of the fake passports held by the Salisbury suspects. This had led Christo and his colleagues to the idea that there was a small, elite unit of such men who traveled under false identities to carry out murky operations on behalf of the GRU. And remember, the flight that brought Anatoliy Chepiga and Alexander Petrov to London on March the 2nd was only one of several. So, was there someone else with a similar passport number aboard one of the others? Well, yes there was. A man with a passport in the name of Sergey Vyacheslavovich Fedotov. A bit of digging and Bellingcat got hold of a Russian telephone number issued in this name.

CHRISTO GROZEV: We had managed to get the metadata for that telephone number and we had noticed that it was not typically turned on all the time in Russia. It was only turned on a couple of days or a week before an international trip, that was used during the trip, and was turned off a couple of days after returning back to Russia. This would be consistent with the operation of the second identity, which is only activated when needed, and on international trips.

NARRATOR: The digital sleuths were able to track the movement of this phone not only in Russia in the week before Fedotov traveled, but also during the two days he spent in London. They’d got hold of the phone’s metadata records from a whistleblower at one of Russia’s mobile phone operators. They were then able to follow his movements based on the phone’s connection to various cell towers.

CHRISTO GROZEV: And that gave us a very interesting pattern. He had traveled directly from the airport to a hotel in downtown London near Paddington Station. On the way, he had lingered by the Russian embassy for about a couple of minutes. He may have stopped up there or he may have just been in the vicinity. We couldn't verify that for sure. And he left half a day before the others around 3:00 p.m. on the 4th.

NARRATOR: So Sergey Fedotov, the third man, arrived in London on Friday the 2nd of March and left on Sunday the 4th, exactly as the other two did, albeit on different flights. But Fedotov didn’t go to Salisbury.

CHRISTO GROZEV: He was holed up for most of the time in his hotel room, making continuous calls and online communication back to numbers in Moscow. Our assumption at that point was that he was getting instructions, feeding back status reports to Moscow, to his superiors, and interacting with the two officers who were taking the trip to Salisbury and back to London. But communicating with them with a secure messenger, whereas some of the phone calls back to Moscow were on a regular phone line, and those were the ones we could track.

NARRATOR: As far as Christo could tell from the telephone data, Fedotov left his hotel only once that weekend, on Saturday morning.

CHRISTO GROZEV: And his phone registered at a cell tower near Oxford Circus but then it moved. And between noon and 1.30 pm, it was connected several times near the Embankment on the west bank of the Thames. So it's interesting that, according to what we know about Chepiga's and Mishkin's movements from British police, they arrived from their hotel to Waterloo Station at approximately 11.45 am. Their train to Salisbury was more than an hour later at 12.50 pm. Waterloo Station is about 10 minutes walk, if I remember, from the Embankment. And therefore, they would have had enough time to meet in person whether to exchange some last-minute instructions or pass on an object from one to the other. But in any case, the area between the Embankment and the Waterloo Station would have been a convenient place for such a brush-off meeting.

NARRATOR: A brush-off is a classic piece of tradecraft, where something is handed over surreptitiously but often in public. Could this have been where the perfume bottle changed hands? Fedotov’s little excursion is an intriguing detail, not least because he appears to have been near Oxford Street. You’ll recall that Chepiga and Petrov had said, in their interview on Russia Today, that they’d been shopping on Oxford Street.

CHRISTO GROZEV: If they had met there and had been captured on camera, they probably wanted to create an alibi for why they were there. And probably that's why they mentioned Oxford Street so visibly in the interview.

NARRATOR: Fedotov, according to the passenger manifest of his flight, had traveled at very short notice. He’d bought his ticket only the night before he flew. Which, incidentally, is also true for Chepiga and Mishkin. A fact that further undermines, you might think, the story of a long-standing desire to observe the wonders of Salisbury Cathedral. Yulia Skripal, as we’ve heard, didn’t live in the UK any longer. She had flown in on March the 3rd to visit her father. Could this provide a clue as to why the attack took place when it did? Did the agents decide to travel when they did on discovering that Yulia was flying to the UK? Was she a target rather than an innocent bystander? Questions, sadly, that we can’t answer here. But back to Fedotov. There were several indications that he wasn’t simply a member of the team but the man in charge. For a start, he was older than the other two.

CHRISTO GROZEV: Other than that, it was significant that he was not tasked with the actual hands-on operation. He was in a coordinating function in a much safer environment, holed up in a hotel. And that, again, is a symptom of either a higher function in the hierarchy or more of a supporting team. But given that he was communicating back and forth all the time and did apparently meet with them, we think at least one senior member is always present in such operations, from our understanding of how they work and our assumption was that [he’s] the senior-most.

NARRATOR: So who was Fedotov? Well, we know the procedure by now. Find the passport file and it will shed its secrets. The problem for Christo by now was the Russian authorities were wise to Bellingcat’s methods.

CHRISTO GROZEV: By the time we started looking for his real identity, the Russian security services had done everything possible to purge all data. Not only were they deleting data of their officers, both from the GRU and the FSB, but in some cases they were modifying data, falsifying data so that we wouldn't find an empty file, but the file that would seem like it belonged to a different person.

NARRATOR: So they became reliant on databases that had already been leaked, ones from which the Russians would not be able to delete information.

CHRISTO GROZEV: We did get a photograph of Sergey Fedotov from a border crossing database of Russia, which had a whistleblower with access to the border crossing data [who] had kept the last passport photo used by this person when he had crossed to go to the UK. So we had a blurry photograph of Fedotov.

NARRATOR: But, try as they might, they couldn’t find a match for this photo. They tried the old trick of finding someone else with the name combination Sergey Vyacheslavovich but that was no good. So then, in desperation, they looked for someone with the middle name only, combined with the date of birth. 

CHRISTO GROZEV: And we found that when we do that exercise, we end up with about 12 people in Moscow who had the middle name, Vyacheslavovich, and the same birthday as Fedotov. And one of them had a family name or a last name, Sergeev, which was the first name of Sergey Fedotov, so we thought: ‘This is interesting. Could this be the guy?’

NARRATOR: So, of course, they now needed his passport file but this was a dead end.

CHRISTO GROZEV: By the time we looked for his passport file we were told by a whistleblower that this passport file does not exist. There is no such person called Denis Vyacheslavovich Sergeev. Well, by this time we knew that this must be him because if they had purged his file, there was no other explanation other than that he's the right guy.

NARRATOR: A case of an absence of information confirming the existence of information. But they still had to track that information down. They got a blurry photo of his driving license from an insurance database, but that wasn’t conclusive. What now?

CHRISTO GROZEV: Then, what really gave us strong, visual evidence that we moved on, there was an old video documentary we found, which had been shot by the Russian military in-house videographer after an operation in 1998 in the Caucasus. And a person, who was by that time a major with the name Denis Vyacheslavovich Sergeev, had been wounded. He had taken on the command after his commander had been killed, and he had essentially taken his unit out of harm's way. We saw this narration in an excerpt from a book that we found.

NARRATOR: And the book made reference to a film that had been made about this operation by the Russian Ministry of Defense.

CHRISTO GROZEV: We spent a few days looking for an old copy of this film. Ultimately, we were able to find the author, the director of this film who shared with us a copy. And we found an actual on-screen interview with Denis Sergeyev, which was in much better quality than the blurry photograph we had received from the driver's license for his motorcycle.

NARRATOR: Weeks and weeks of digital digging had finally paid off. They had their man. Sergey Vyacheslavovich Fedotov, who had spent a busy weekend in a Paddington hotel in March 2018, was, without doubt, Denis Vyacheslavovich Sergeev, a major-general in the GRU. And it seems Sergeev, as a policeman might say, ‘had previous’. As we’ve heard, Bellingcat was slowly putting together a database of people they thought belonged to this elite group of Russian secret agents, a database based on the similarity of their passport numbers. And they noted that several of these people had been in Bulgaria all at the same time in early 2015. One of them was Sergeev. He’d been there twice, in April and then again in May.

CHRISTO GROZEV: But he was not the only one. Two members that had been engaged with the Montenegro coup attempt had also visited in days, one day or two days before his trips. Furthermore, four other members that we had not identified or linked to other operations but could link to this unit because of the fake identities and fake numbers that they were traveling on, were also with him.

NARRATOR: So what had happened in Bulgaria in the spring of 2015 that might have required the attention of a group of Russian agents? Christo began to trawl the internet.

CHRISTO GROZEV: And one thing we could find was the unsuccessful attempt to poison a Bulgarian arms manufacturer.

NARRATOR: Yes, you heard that right. An attempt to poison a Bulgarian arms manufacturer. Ring any bells?

CHRISTO GROZEV: It had become a cold case without really anybody finding the real reason why this person and his son and the production manager of his arms manufacturing facility in Bulgaria had ended up in a hospital.

NARRATOR: The victim’s name, in this case, was Emilian Gebrev. He was the hardest hit of the three.

CHRISTO GROZEV: He fell into a coma and they were fighting for his life for more than a week. And it took him about three weeks before he could recover nearly in full. He believes he's not fully recovered until today.

NARRATOR: In early 2019, Bellingcat published the story revealing Fedotov’s true identity and his link to Bulgaria. Mr Gebrev, the arms manufacturer, got in touch. 

He said: ‘I think this may be related to my story. And at the time, nobody knew what Novichok is. But now everybody knows. So maybe we should revisit my case.’ So he immediately approached the Bulgarian prosecution and law enforcement and said: ‘I want my case reopened. I want you to look at the hypothesis of Novichok having been used on me.’

NARRATOR: The Bulgarian authorities obliged.

CHRISTO GROZEV: We shared all the data we had gathered with Bulgarian law enforcement and with Mr Gebrev himself. And further to the original overlap of which we knew based on open-source data, what we didn't know was that the second trip by Sergeev in May, late May, coincided with another relapse of Mr Gebrev, where he felt he was poisoned again and he went back to a hospital. So it appears, it would appear that after the first unsuccessful attempt, they may have come back to try to poison him again because he ended up in a hospital.

NARRATOR: At this point, no one has been able to confirm that Mr Gebrev was poisoned with Novichok. But there is evidence to suggest a modus operandi similar to Salisbury. In this case, it seems whatever the substance was, it was applied to the door handle of Mr Gebrev’s car, which was parked in an underground garage. The Bulgarian prosecutor has released CCTV footage of a man wandering around the garage the day Mr Gebrev fell ill. And Bellingcat’s investigations show Sergeev, traveling under the alias of Fedotov, had stayed with his colleagues in a hotel nearby. They had, Bellingcat says, asked for rooms with a view of the garage entrance. Bulgarian prosecutors have now charged three men with the attempted murder of Mr Gebrev. One of them is Denis Vyacheslavovich Sergeev. And he was charged in that name, the name revealed by Bellingcat. But he has not been charged in connection with the attack on the Skripals. So are there perhaps more people yet to be revealed with a role in the Salisbury case too? Christo Grozev is certain of it. 

CHRISTO GROZEV: We are positive we haven't discovered all of the members of this operation. Why do we think so? An assassination operation takes no less than four to five people. Usually, it's five to six people that travel in a staggered fashion. They travel consecutively in order to provide intelligence that is long-term, that is not just one-day intelligence. They need to know the pattern of the person. They need to know the way of movement. And it doesn't happen with a single trip. So we believe there are at least three others that are out there that we haven't yet identified.

NARRATOR: Christo and Bellingcat have shoved a significant spanner in the works of Russian military intelligence. The agents they’ve identified may never be brought to book. But their globetrotting days, you’d think, are over. They risk arrest, trial, and serious jail time if they ever again set foot outside Russia. The secret unit may have left one fingerprint too many.

I’m Vanessa Kirby. Join us next week for another brush with True Spies. We all have valuable spy skills, and our experts are here to help you discover yours. Get an authentic assessment of your spy skills, created by a former head of training at British intelligence, now at SPYSCAPE.com.

Guest Bio

Bulgarian investigative journalist Christo Grozev is the lead Russia investigator with Bellingcat. He focuses on security threats and the weaponization of information.

No items found.
No items found.