New Evidence Links Russian State to Berlin Assassination

Translations:

Joint investigation by Bellingcat, Der Spiegel, the Insider and the Dossier Center.

  • In the first part of this joint investigation, we disclosed that the assassin of Zelimkhan Khangoshvili detained by German police traveled on a valid Russian passport issued under the fake identity of “Vadim Sokolov”. We concluded that the usage of a validly issued passport in the name of a non-existent person indicated a link between the assassin and the Russian state.
  • Interim reporting by Der Spiegel and other media has disclosed that the suspect initially traveled from Moscow to Paris and then on to Warsaw, where he rented a hotel room for five days during which he traveled on to Berlin – suggesting he initially intended to return to Warsaw following the Berlin operation.
  • In the interim, we have obtained information that a Russian-issued SIM card was found at “Sokolov”’s hotel room in Warsaw. German and Polish investigators are reportedly analyzing the data linked to that SIM card.
  • In a report from 26 September 2019, the New York Times (NYT) reported that German investigators received a tip from an anonymous source claiming the suspect’s real identity is that of Vladimir Stepanov, a former police officer from St. Petersburg who in 2006 was convicted and sentenced to 24 years in jail for being part of an organized crime group that murdered two people at the orders of a business rival. The NYT quotes a Western intelligence agency as giving credence to the tip, and the NYT partially corroborates this hypothesis by referring to a facial recognition analysis that compared media photographs of Stepanov from the time of his court proceedings to the German police-issued killer’s photograph. German police are cited as yet-undetermined whether Vladimir Stepanov is in fact the person behind the Vadim Sokolov persona. The NYT report did not put its weight behind the hypothesis that Stepanov is Sokolov, but did introduce the mysterious, anonymous tip to the public.

Contrary to the findings of the unnamed Western agency, Bellingcat and its investigative partners Der Spiegel, The Insider and The Dossier Center have concluded that the suspect held by German police is unlikely to be Vladimir Stepanov. This conclusion is based on a weeks-long investigation that analyzed – and ultimately rejected – the hypothesis that the killer and the former police major serving a 24-year sentence are the same person. The same finding was reached independently by the Petersburg-based outlet Fontanka, who claim in September 26 report that Vladimir Stepanov remains in a Russian prison.

In the process of this investigation, Bellingcat and its partners have obtained conclusive evidence that the suspect – whose real identity is still being sought by our team – traveled to Berlin under a cover identity with the active support of the Russian state that created a comprehensive, back-dated paper-trail for this fictitious persona in order to help him obtain the necessary travel and insurance documents, and – crucially – a Schengen visa. These findings preclude the hypothesis that this was an organized crime operation, or even a semi-official operation that received only limited support from individual corrupt officials.

A false lead

Within hours of our initial report that included the first published photograph of the detained hitman, Bellingcat was contacted by an anonymous source who – based on the NYT’s description – appears to be the same source who provided the tip to the German law enforcement, and possibly to Western intelligence agencies. The source believed they had visually identified the suspect as Vladimir Stepanov, the convicted former policeman, and provided information on the place where Stepanov was supposed to be serving the last decade of his long prison sentence. This was the 11th Penal Colony (or IK-11), located in the Russian town of Bor in the Nizhny Novgorod District, about 300 kilometers east of Moscow. This prison’s population includes convicted former law enforcement or intelligence officers, and its walls have seen the likes of both dirty cops and killers and high-profile spies, such as at least 2 former intelligence officers who were exchanged during the notorious 2010 spy-swap case involving ten Russian illegals working in deep cover in the United States.

Over the following weeks, Bellingcat and its investigative partners comprehensively assessed the veracity of this mysterious tip. Despite some early corroborating evidence, for example Stepanov’s similar age, a full match of initials, and a number of striking facial similarities, we ultimately concluded that Sokolov and Stepanov are not the same person.

To reach this conclusion, we initially scoured through hundreds of pages and hours of open source data for a photograph or video clip showing Stepanov. Despite the significant coverage of the high-profile court case in 2005 and 2016 (one of the assassinated businessman was the CEO of Almaz-Antey, Russia’s state-owned monopolist in the production of the Buk anti-aircraft defense system that shot down MH17, and who was reportedly a close personal friend of Vladimir Putin), we were unsuccessful in finding a high-quality photograph of Stepanov allowing forensic comparison.

We then obtained a copy of Vladimir Stepanov’s passport file from a source with access to Russia’s central passport database. It contained two photographs – one taken when Stepanov was 20, and the latter taken around the time he turned 45 (in 2016), as at that age Russian citizens must obtain a new passport.

While visually there are certain similarities between Stepanov’s passport photos and that of “Sokolov”, we could not establish an unequivocal match. Bellingcat then referred the photographs for comparison to Dr. Hassan Ugail, professor of Visual Computing at the School of Engineering Bradford University. Prof. Ugail specializes in facial recognition and age progression simulation techniques.  Prof. Ugail’s determination was that Stepanov and “Sokolov” were two different persons.

“Vadim Sokolov” can be seen on the left and right portions of this matrix (color photographs 1 and 3), and Vladimir Stepanov is on the top and bottom (black and white photographs 2 and 4). Results matrix provided by Prof. Ugail of Bradfort University

In order to further validate this finding, we sought other sources who were familiar with Vladimir Stepanov. We identified and contacted two former police officers from St. Petersburg who served jail time at the same prison outside of Nizhny Novogrod until recently, and whom we assumed might know Stepanov. Both confirmed that they knew Stepanov well – one said Stepanov had been his suborinate – and recognized him on the black & white passport photographs seen above, but not on the photograph of the bearded/mustachioed assassin. Both of these acquaintances of Stepanov also told us that according to the latest information they have, Stepanov was still serving his sentence at the Bor correctional facility. One of the two sources also told us that Vladimir Stepanov never had any tattoos – contrary to the information from German law enforcement sources that “Sokolov” has tattoos on both arms.

Seeking an additional source of validation, our investigative team then established contact with an officer working at the Bor prison facility. This source confirmed to us that Stepanov – as of mid-September 2019 – was still serving time there. This information has been corroborated by a Fontanka report. At our request, the source even took a photograph of Stepanov walking in the prison’s courtyard. Based on comparison to public videos and documentaries about this prison, we were able to geolocate the courtyard as belonging to the IK-11 facility. The images’ metadata also are consistent with the reported timestamp of capturing the photograph in the middle of September.

Based on all of this objective and subjective evidence, we have concluded that it is unlikely that Stepanov is the real person behind the fictitious “Sokolov” persona.

Our assumption for the false-positive match provided by the facial comparison commissioned by NYT is that the source photo of Stepanov used by the researcher is only of a part of a face, and is not facing the camera. A partial face compared to a full (frontal) face is much more likely to produce a false positive than full-face comparison. In addition, individual feature comparison suggests that the 2006 photograph discovered by NYT (middle) bears more similarity with Stepanov’s passport photo (on the left) than with that of “Sokolov” (on the right)

Left: Vladimir Stepanov in an old passport photograph. Middle: Vladimir Stepanov in court. Right: “Vadim Sokolov” shortly after his arrest in Berlin.

To preclude a false negative assessment, our team obtained Stepanov’s criminal record which includes a unique fingerprint formula. This record would arguably make it possible for German law enforcement to compare the formula to the fingerprint data from the actual suspect.

An honest mistake or a red herring?

We are not able to assess if the mysterious tip by the anonymous source was earnest confusion or part of a ruse to sidetrack the investigation and/or discredit investigative media, such as Bellingcat, or intelligence services by coaxing them to publish demonstrably false conclusions. If Bellingcat or another media outlet were to accuse Stepanov of being Sokolov, Russian authorities could easily produce Stepanov — something they have not done with any of the other GRU officers we have unmasked, including Oleg Ivannikov, Anatoliy Chepiga, and Aleksandr Mishkin. We are unable to determine how and why a Western intelligence agency may have concluded that the hypothesis provided by the anonymous source is credible, given our own findings within a relatively short period of time.

Evidence of a state-endorsed operation

In our previous report we based our assessment that “Sokolov”’s operation was highly likely state-sponsored on the fact that he was issued a valid, fully registered international travel passport in the name of a non-existing actual person, and was able to cross the Russian border, suggesting his fake identity was also entered into the central passport database. Further, following the arrest his data was removed from the passport database, which – as well as the issuance of the passport – could not have happened without state involvement.

Our additional investigation has found that the involvement of the Russian state in creating a documentary footprint for the non-existent identity of “Vadim Andreevich Sokolov” is more wide-spread and comprehensive than previously thought. Based on this additional evidence, the concept that this operation may have been set up without the full endorsement of the state apparatus is implausible.

Our investigative team followed the chain of steps that “Sokolov” needed to go through before obtaining the coveted Schengen visa that would allow him to travel initially to Paris, and then onward via Warsaw to his ultimate destination in Berlin. Then, we made an inventory list of documents and paperwork he would have needed at each step.

As reported in our first publication, “Sokolov” received an international non-biometric passport issued on 18 July 2019, and applied for a Schengen visa on 29 July 2019. In order for him to apply for a visa, this fictitious person would have needed to have the following:

  • A domestic passport and an entry in the Russia passport database. The domestic passport is needed as a precondition for obtaining the international travel passport. It is also a necessary requirement for creating a job “footprint” (see below)
  • Proof of employment, typically in the form of a certificate of employment
  • Bank statement showing sufficiency of funds
  • Travel insurance

A tax identification number for a non-existent man

As we reported previously, two sources with access to the Russia passport database had found no entry for Vadim Sokolov as of early September – after the murder and the arrest of the suspect. We assumed that the Russia passport database had been purged of his data following the murder. However, we also hypothesized that “Sokolov”s passport data may have remained intact in other government databases that may not have (yet) been purged by the Russian authorities. We decided that a good candidate for a database with a forgotten digital footprint would be the tax database. In order for “Sokolov” to show proof of employment to the French consulate, he would have had to be formally (fictionally) employed, most likely by a cutout company used by Russia’s secret services. However, any employment, fictional or not, would lead to mandatory tax registration.

From a source with access to tax records, we were able to obtain a copy of “Vadim Sokolov”’s tax file. As expected, it had not been purged, and contained strong evidence of a freshly-created fictitious persona.

“Vadim Sokolov” was first entered into the Russian tax system on 16 June 2019, and received a tax identification number (INN in Russian) the first time on 23 July 2019 – just five days after the issuance of his international travel passport, and six days before he applied for a visa. Notably, Sokolov received a tax ID number for the first time at age 49. While receiving a tax ID number is not technically mandatory in Russia, a tax registration is automatically triggered by any employment, thus implying that “Sokolov” was first gainfully employed at age 49.

The tax registration, as predicted, also included a domestic passport number for “Sokolov”. This passport was allegedly issued in 2015. Using the passport data in this tax report, we were able to validate its authenticity by entering “Sokolov”’s passport data into the Russian state-run online tax ID validation tool. Based on the passport number, name and date of birth, the tool reported a valid INN number which was the same as the one on the report we had obtained. Thus, effectively “Sokolov” appeared as a valid Russian citizen in one government-run database (the tax registry), while missing completely in another (the passport database).

Our attempts to find any trace of the 2015 passport number listed in the tax record in dozens of Russian databases – including in 2016 and 2018 editions of a comprehensive database of Moscow residents – returned empty results. As the passport number was (allegedly) issued in Moscow, if it had existed as of 2015 it would have shown up in both of these databases. We also tested for the possibility that “Sokolov” may have obtained a passport in Moscow while not being resident there. To this end we searched for his name and birthdate – with any passport number – in several thousands of regional databases leaked over the past 20 years. None of them had an entry for this parrticular “Sokolov”, Notably, these leaked offline databases, which cannot be modified by Russian authorities, include even the fake identities of Skripal poisoning suspects, GRU officers Col. Chepiga and Mishkin. This fact suggests the passport was created in 2019 and “retrofitted” to appear as if issued in 2015.

Having obtained this passport number, we asked one of the sources with access to the real-time Russia passport system to search for it in the database. The source reported that this passport entry was marked with a disclaimer “A person protected by law…To obtain this file, contact an administrator”.

As we have previously reported, several persons who have long worked with the Russia passport database have informed us that such “firewalling” of certain sensitive passport dossiers was introduced for the first time after Bellingcat’s explosive reports identifying the Skripal suspects. Indeed, during our early investigations into the identities of the three GRU officers implicated in the Skripal poisoning, no such firewalls existed, while in later periods our sources were no longer able to access these same passport files, with similar disclaimers appearing in their place.

“No Such Person Here”

The tax file contained another interesting lead: a registered residential address for “Vadim Sokolov”. Unlike the (non-existent) address in St. Petersburg that “Sokolov” claimed in his visa application, the one in his tax record was in Bryansk, a town in western Russia near the border with Belarus.

We obtained an official real estate record for this address, but, unusually, it contained no ownership data. Our collaborative investigative team dispatched a reporter to the stated address and found a run-down house. None of the people at this address knew of a Vadim Sokolov. The person living in the apartment listed in “Sokolov”’s tax file, a man in his eighties, said he does not know of a person by that name, nor if such a person ever lived at that address.

In previous investigations of undercover operatives in Russia, we have come across other “cover” residential addresses that are actually used by elderly people who may or may not be aware of the alternate “on-paper” residents in their apartments.

A missing employee

The employer “Sokolov” listed on his visa application document – and had to provide a certificate of employment with – was a St. Petersburg company called ZAO “RUST”. This is a construction company with a long history, but limited digital footprint. The company’s listed fixed-line phone number is the same as the number listed by a company wholly owned by the Russian Ministry of Defense, but we were not able to establish if the number was used concurrently or at different times.

Our team contacted the CEO of the company, who denied having employed or issued a certificate of employment to Vadim Sokolov. Furthermore he claimed that the company was in reorganization and could not have issued an employment certificate in recent months, as it conducts no economic activity. Still, he promised our reporter to look at the company’s records and inform us if a Vadim Sokolov has ever been employed by RUST. Thereafter, he switched off his phone and has not responded to our repeated attempts to reach him.

While “Sokolov”’s real identity is yet unknown and is the object of our ongoing investigation, our findings so far provide overwhelming evidence that the arrested assassin acted with the full support of the Russian state. The issuance of an array of documents to a fictitious person with no historical evidence of existence – including a last-minute entry into the tax database shortly before his trip to Germany – would not be possible without the direct involvement of a state apparatus. Even less plausible is the ability of a non-state actor to “firewall” the data on a Russian passport behind a disclaimer known to be used to protect personal data relating to undercover special service operatives.

Related articles

Support Bellingcat

Your donation to Bellingcat is a direct contribution to our research. With your support, we will continue to publish groundbreaking investigations and uncover wrongdoing all around the world.

Donate now

Join the Bellingcat Mailing List

Along with our published content, we will update our readers on events that our staff and contributors are involved with, such as noteworthy interviews and training workshops.