Hunter Biden emails that Trump allies shared contain signs of possible ‘tampering,’ analysis suggests

Researchers shared the data to provide a more complete context about the data and questions surrounding it, they said.
President Joe Biden embraces his son Hunter Biden after addressing the nation from the Chase Center November 7, 2020 in Wilmington, Delaware. (Photo by Andrew Harnik-Pool/Getty Images)

Several emails within a cache of more than 128,700 emails allegedly associated with a Hunter Biden laptop that allies of and former staff of President Donald Trump are circulating show “signs of tampering,” according to a recent analysis.

Distributed Denial of Secrets, a nonprofit transparency journalism outlet focused on bringing newsworthy documents and data to light, published the findings Saturday.

“There are considerable issues with this dataset including signs of tampering, as well as misconceptions about its contents,” a write-up of the organization’s findings reads. “More than one altered or implanted emails was detected in a version of the dataset distributed by Trump allies and former staffers.”

Distributed Denial of Secrets, also known as DDoSecrets, published the 3.6 gigabyte dataset in full alongside the analysis “to counteract possible deceptions by persons with an agenda who are currently distributing the dataset without the relevant context or warnings,” it wrote.


Emma Best, a co-founder of DDoSecrets, tweeted May 21 that the “known altered emails have low impact,” but added that “their presence is significant. So is the inability to rule out others.” The altered emails were ones Best “found quickly” and “were relatively sloppy,” they said.

Garrett Ziegler, a former Trump administration staffer, posted the emails in a searchable database May 15, according to his Telegram channel. Links to download the full cache are included on the site. The page hosting the database refers to it as “a modern Rosetta Stone of white and blue collar crime under the patina of ‘the Delaware Way.'”

DDoSecrets did not accuse Ziegler of modifying the files or speculate as to who may have done it.

“They provided literally no evidence for their claims,” Ziegler told CyberScoop in an email Monday. “To my knowledge, not one of the 128,755 emails we put up were altered.” Ziegler later clarified that he’d posted 128,775 emails.

The signs


The emails, dating from between 2009 and 2019, have been the source of intrigue and accusations since they surfaced as an “October Surprise” just weeks ahead of the 2020 election. Trump allies and some Republicans claim they highlight Biden’s corrupt business dealings, while others, including former intelligence officials and some Democrats, say they’re the product of dirty tricks.

The data collection shows 145 distinct “last modified” dates ranging from Jan. 4, 2018 to May 8, 2022, according to the DDoSecrets analysis. That could “reflect many things, including the dates the files were exported or recovered, and do not necessarily indicate tampering,” the group wrote.

The possible “tampering” refers to emails created between Aug. 31, 2020 and Sept. 2, 2020, dates which fall more than a year after Biden had possession of the laptop.

In one case, on Aug. 31, 2020 — nearly a year and a half after the laptop left Biden’s possession — two blank email replies were created replying to an email from 2014. In another case, on Sept. 1, 2020, two draft emails were created and added to the email cache as a reply to an email from 2014. The next day, a variation of a Burisma email from 2016 was created and added to the cache.

Burisma — the Ukrainian natural gas company that paid Biden up to $50,000 per month to sit on its board when his father was the U.S. vice president — became central to the Trump campaign’s efforts to paint the Biden family as corrupt.


Russian military intelligence hackers targeted the company with phishing attacks starting in November 2019, cybersecurity company Area 1 reported in January 2020. The report’s authors noted that while neither Russian military phishing attempts nor the targeting of a Ukrainian company were novel, the campaign came at a time when Burisma was “publically (sic) entangled in U.S. foreign and domestic politics.”

Questions around the provenance and legitimacy of the emails led Facebook and Twitter to suppress links to the original stories about the emails. Subsequent reporting has confirmed that at least some of the material from the laptop is genuine.

John Paul Mac Isaac, the owner of a computer repair service who originally passed at least one Biden laptop to Trump attorney Rudy Giuliani, told a right-wing news outlet in April 2022 that “there have been multiple attempts over the past year-and-a-half to insert questionable material into the laptop as in, not physically, but passing off this misinformation or disinformation as coming from the laptop,” according to The Washington Post.

He said it was “a major concern of mine because I have fought tooth and nail to protect the integrity of this drive and to jeopardize that is going to mean that everything that I sacrificed will be for nothing.”

This is “exactly the worry many had at the time Giuliani et al claimed to have access to the emails, and something we’ve seen with email dumps in the past,” Matt Tait, a cybersecurity expert and former information security specialist for the U.K.’s Government Communications Headquarters, told CyberScoop in an online chat.

Journalists and experts wanted to see the emails when they came out to perform an analysis “precisely because a surgical addition into an otherwise genuine email dump could be used to pretend that the fake email was genuine,” Tait said. “After all, it is hard for the target of such a leak to credibly argue that the emails are genuine *except for* one damning email or paragraph buried in the dump.”

Tait noted that the chain of custody of the emails “is relatively long since when they left Biden’s possession, which makes it also difficult to assess with any confidence exactly who did the alterations or that person/organization’s specific motive. But it is clear the cache isn’t in its original form.”

The 128,775 emails are available for download via Ziegler’s site along with other material allegedly associated with the Biden family, such as a purported transcribed copy of Ashley Biden’s diary. Other Biden-related materials have also been posted to his Telegram channel, including voicemails, browser history and photos.

Ziegler’s Telegram channel has been used to publish other Biden materials from the laptops available for review, such as PDFs, PowerPoint presentations and audio files.


Ziegler’s site links to a “Research Board” that’s hosted on 8kun, the rebranded version of 8chan, the site of the most fervent QAnon conspiracy activity over the last few years.

Hunter Biden’s emails surfaced less than three weeks before the 2020 election after Trump associate and private attorney Rudy Giuliani provided data taken from Biden’s laptop, which had been dropped off for repairs in Delaware and never picked up, to the New York Post.

Another view

On March 30, 2022, The Washington Post published an analysis of “a small fraction” of data provided to the Post on a hard drive by a Republican activist. While “the vast majority of the data” on the drive could not be verified by two experts the Post contracted, roughly 22,000 emails “carried cryptographic signatures that could be verified using technology that would be difficult for even the most sophisticated hackers to fake,” the Post wrote.

The experts — Johns Hopkins University cryptography expert Matt Green and former National Security Agency operative Jake Williams — both agreed that the overall integrity of the data was inconclusive, the Post reported, due to the “sloppy handling of the data,” which had “been repeatedly accessed and copied by people other than Hunter Biden over nearly three years.”


The Post analysis noted that several files and folders were created on the hard drive in early September 2020, months after Biden’s laptop had been taken into FBI custody and nearly a year and a half after the laptop was dropped off for repairs. The modifications to the files flagged by the DDoSecrets analysis “coincide with dates where emails have been inserted into the cache,” DDoSecrets wrote.

“It’s unknown if the intent was to highlight these for research use, or if it was part of a failed attempt to edit and implant emails,” Saturday’s analysis reads. “It is possible they were deliberately sloppy attempts, and that more sophisticated attempts to modify the contents of the dataset remain.”

Green told CyberScoop in an email Monday that he did not “manually analyze all of the thousands of emails to look for discrepancies,” and that it’s “possible that this collection of email is different than what we looked at, and I can’t easily verify that either.”

Green added that the drive he examined was “bootable,” meaning it could boot a Mac using the drive image as the operating system.

Green said from “a forensic perspective this is not standard,” and that a risk with this is that “a Mac booted from such a copy would behave like the original Mac it was cloned from: the Mail app might attempt to reach out and download new mail from the source server, assuming the server passwords had not changed in the interim.”


If that happened, it would “result in changes to the mail repository stored on the drive.” Green said he had “no idea if this happened, but if it did it could explain some of the observations” in the DDoSecrets analysis.

Best told CyberScoop Tuesday that Green’s hypothesis likely doesn’t account for what they observed.

“In each of the altered/implanted emails detected so far, they are created as blank replies sent in response to years old emails relevant to GOP attacks on Hunter Biden,” Best told CyberScoop in an online chat Tuesday. “The email metadata show them as having been ‘sent’ long after the Hunter Biden laptops were allegedly dropped off, and dates which are matched by the file metadata. There are multiple versions of one email, all but one of which share a unique typo. I don’t see a way for sync attempts to explain that.”

Williams declined to comment on the DDoSecrets analysis.
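
The indicators described above (a sent date after the device left its owner's custody, a blank reply to a years-old message, and a file timestamp that matches the sent date) can be turned into a first-pass triage check. The following is an added example, not code from DDoSecrets or the article; the custody cutoff, thresholds, helper names and sample messages are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

UTC = timezone.utc
# Assumption for this example only: the moment the owner last held the device.
CUSTODY_END = datetime(2019, 6, 1, tzinfo=UTC)
STALE_REPLY = timedelta(days=365)   # a reply this late to its parent is unusual
MTIME_SLACK = timedelta(days=1)     # file mtime "matches" the Date header

def raw(msg_id, date, body, parent=None):
    """Build a minimal RFC 5322 message (constructed sample data)."""
    headers = [f"Message-ID: {msg_id}", f"Date: {date}", "Subject: Re: draft"]
    if parent:
        headers.append(f"In-Reply-To: {parent}")
    return "\n".join(headers) + "\n\n" + body

# (raw message, file last-modified time) pairs, all constructed.
SAMPLES = [
    (raw("<a1@example.com>", "12 May 2014 10:00:00 +0000", "Please review.\n"),
     datetime(2018, 1, 4, tzinfo=UTC)),
    (raw("<a2@example.com>", "13 May 2014 09:00:00 +0000", "Looks fine.\n",
         "<a1@example.com>"), datetime(2018, 1, 4, tzinfo=UTC)),
    (raw("<b1@example.com>", "31 Aug 2020 15:30:00 +0000", "",
         "<a1@example.com>"), datetime(2020, 8, 31, 15, 31, tzinfo=UTC)),
]

def triage(samples, custody_end=CUSTODY_END):
    """Return {Message-ID: [flags]} for messages worth a manual look."""
    parsed = [(m, parsedate_to_datetime(m["Date"]), mtime)
              for m, mtime in ((message_from_string(r), t) for r, t in samples)]
    sent_by_id = {m["Message-ID"]: sent for m, sent, _ in parsed}
    findings = {}
    for msg, sent, mtime in parsed:
        flags = []
        if sent > custody_end:
            flags.append("sent-after-custody")
            if abs(mtime - sent) <= MTIME_SLACK:
                flags.append("mtime-matches-date")
        parent_sent = sent_by_id.get(msg["In-Reply-To"])
        if parent_sent and sent - parent_sent > STALE_REPLY:
            flags.append("reply-to-stale-thread")
        if not msg.get_payload().strip():
            flags.append("blank-body")
        if flags:
            findings[msg["Message-ID"]] = flags
    return findings

if __name__ == "__main__":
    for msg_id, flags in triage(SAMPLES).items():
        print(msg_id, ", ".join(flags))
```

The flags are leads for manual review rather than proof of alteration: header dates and file timestamps can both be set by whoever handles the files, and late file timestamps alone can come from an export or recovery.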

This story was featured in CyberScoop Special Report: War in Ukraine