
The Fall of Prigozhin (literally)

And how to filter through the media noise

For this week's NL and FR version, let's use some OSINT tools! Go to your add-ons (about:addons for Mozilla users), and add a Google Translate or DeepL extension. Make sure to provide feedback and ask for assistance where needed!

As has been extensively reported by now, one of Prigozhin’s private jets was shot down near Moscow in the afternoon of August 23rd, with claims of both him and Utkin falling to their death as a result. With the dust settling around this case following Prigozhin’s burial on Tuesday, we have now heard just about every wild claim regarding the event. These are often based on untrustworthy claims, and there has been little to no verification of some of the key elements showcased in this case. It’s time to perform OSINT! As you may have understood by now, the aim of today’s newsletter is not to feed into the ongoing speculative mayhem in your newsfeeds (we have plenty of Twitter experts taking care of that already) but to walk you through the process of collecting and analyzing information in order to verify certain claims about the event, and to show a few tips and tricks you can use to reinforce the credibility of your reports. In the case of such high-stakes and overly mediatized events, it is mostly about determining the degree of certainty and credibility of certain pieces of information rather than determining a clear-cut answer. Anyone dealing in absolutes at this point is mostly looking for exposure and media buzz.


Sourcing the Information

To no one’s surprise, there are plenty of sources of information sharing a lot of footage claiming to document the incident and its repercussions throughout Russia. In order to filter through them without using expensive and over-engineered programs, we can usually draw our information from the advanced search service on Twitter (or X, however you prefer to call it), Telegram and other social media from the Runet (VK and OK), and build up from there.


A good way to start is to keep collecting information and footage from more ‘generic’ channels until you find a few sources to tap into and exploit/pivot from further in a second stage of collection. Having a good library of Telegram channels and Twitter sources (which we provide as part of our Advanced Database Access service) is a great way to build your network of information, while always keeping in mind that you should avoid building information bubbles/echo chambers in the process. Consider it as your own network of informants, only in an online setting. After reaching saturation (read: not finding any new footage or pieces of information), we can already sketch a general overview of the current footage and rumors surrounding the event:

  • RA-02795, officially registered under the Wagner Group, crashed north of Moscow (south of Tver, near Kuzhenkino) after only 12 minutes of flight. It is said to have departed from Sheremetyevo International Airport, although the plane’s ADS-B tracker was only turned on north of Moscow.

  • The Federal Air Transport Agency published a list of passengers on its official Telegram Channel, citing the information provided by the operating airline. This includes the following passengers:

    • Sergei ‘Kedr’ Propustin, security guard recruited from Wagner’s second reconnaissance and assault detachment (former company of Kirill ‘chukcha’ Tikhonovich). Member of Wagner since 2015, badge M-0394.

    • Makaryan ‘Makar’ Evgeniy, a former police officer turned veteran Wagner commander. Badge M2300.

    • Totmin ‘Tot’ Aleksandr, who served under Wagner in Sudan. Badge M-5534, he is originally from Altai. VK profile last seen on August 23rd at 4:32 p.m (see below).

    • Chekalov ‘Rover’ Valeriy, one of Prigozhin’s right hands (head of, inter alia, Euro Polis LLC, JSC Neva, etc.). Interestingly, he has very bad OpSec, with his old Odnoklassniki profile leaking pictures of his widow and children, information about where you can find them, etc.

    • Dmitriy ‘Wagner’ Utkin, an SF lieutenant colonel/part time Nazi. More info on Utkin can be found here from the excellent Dossier Center.

    • Matuseev Nikolay (actual name: Nikolai Matusecitch), member of Chvk Wagner since 2017, a gunner in the fourth assault detachment in Syria. Badge M-2559.

    • Prigozhin Evgeniy. The leaked images of his burned corpse (which are too graphic to show here) reveal an inconsistency in his dental structure, but this is not enough to draw any conclusions about the presence of the head of Wagner.

    • Three staff members: Aleksei Levshin (Crew Commander), Rustam Karimov (co-pilot) and Kristina Raspopova (flight attendant).

  • Flightradar posted an official statement regarding the incident. Interestingly, the ADS-B data seems to be unavailable for the beginning of the flight due to jammers present in and around the city (due to recent drone strikes, which we covered in our previous article).

source: Flightradar24

  • Artem Stepanov is the former founder of MNT Aero, which operated the plane which got shot down. He was also considered Prigozhin’s ‘personal pilot’. He left for Kamchatka (allegedly with his wife and her brother), after which he has not been found. It is claimed that he is on a camping trip – not verified.

    • A main partner in this operation is Kirill Shcherbakov.

    • The current owner of MNT Aero, Olga Gubareva, was on holiday according to her Instagram posts. Interestingly, her account has disappeared from social networks since then, even though it did not appear to be a sock puppet when it was online (that’s why you archive your searches whenever you can, better luck next time). Another TikTok account appears to match her description, with the same username as her now deleted Instagram account.

  • There are claims that the aircraft itself was known for breaking down quite regularly; however, nothing verifies this, and it passed the checkup before the summer without issues. Jet Flight Service is the company which ran a full checkup of the plane at the beginning of the summer with no remarks, except for noises when turning on the air conditioning and knocks when braking.

    • A trustworthy source claimed that on August 16, a manager at MNT Aero unexpectedly gave an order to take the plane out of the hangar to the street, claiming that he had an order from Prigozhin about the need to save money, thereby circumventing the hangar fee. Under the same pretext, the company representatives refused the services of Jet Flight Service in finding and installing the parts, claiming that they would buy and install them themselves. As a result, the braking system package on the chassis was purchased from an unknown source. Its representatives, as is already known, lied to the company’s representatives that the spare part would be delivered from the USA, Miami, bypassing sanctions through a "well-established route". And when the time came to hand over the "American part" to the buyer, they said that it had been broken in the warehouse at customs from a quick drop on the floor. The replacement part was bought by a private company from France where it was to be dismantled for parts. And this part (or its double), already repaired, "popped up" on Prigozhin's airplane. The version that the bomb could have been planted in the brake mechanism or turbo-cooler is still under consideration. In general, the market actively discussed that parts were being sought for the plane of the head of PMC Wagner.

      • When we tried to reach out to suppliers of the specific part which is claimed to have been replaced on Prigozhin’s plane, there was absolutely no issue in procuring information about the availability or destination of some of the parts. Now imagine if we were gathering that information for malign intents…

      • Sergey Kitrish, the engineer working on the plane, was immediately questioned after the incident, and his social media were deleted (but we were able to confirm their authenticity by checking out their cached content).

  • We consulted an experienced aeronautical engineer for the cross-analysis of the flight data and specific rumors and facts around the incident, which allowed us to come up with the following elements.

    • Given the way the aircraft broke, it seems that the plane broke apart at the level of the landing gear, with a (left) wing breaking apart during the incident. As the flight pattern indicates, there seems to have been an issue on board, which resulted in two stabilization efforts post-takeoff, followed by the crash after the second stabilization pattern. This also indicates that there was no depressurization of the aircraft as this would have prompted the pilot to dive to lower altitudes.

    • We also managed to find an incident response protocol booklet for the aircraft which corroborates the findings of our research regarding the pilot’s response, stating that this was most likely an engine failure protocol.

    • The ‘turbocooler’ often mentioned by most outlets is most likely badly translated, as there is no turbocooler on a stock Embraer Legacy 600. What is mostly mentioned here is the cabin air pressure control system which is usually controlled through a bleed system or generator in the back of the plane. If there is a turbocooler, however, the spike in altitude before the crash could indicate the engines going into overdrive before collapsing.

    • From the engineer’s point of view, the plane’s oscillation was not great enough for it to be a hydraulic issue. His educated guess was that there must have been a first minor explosion causing the plane to detect an issue (e.g. affecting the engines) followed by a secondary explosion downing the plane. At the given altitude, the plane was outside of MANPAD range, and the plane could have only been shot down by a long-distance missile. These missiles would have left a smoke trail/plume, which was not visible on the available footage, and given the status of the wreckage, it should not be expected that the plane was downed by a ground-to-air missile.

Do you want to learn about incident analysis tools and techniques? We would love to teach you as part of our introductory OSINT training, make sure to have a look!


Verifying the Crash Site

Another element which is often overlooked is that, despite mentions of the plane being downed near a town in the Tver area, little to no effort has been made to geolocate the crashed plane. So, let’s figure that one out as well! For the purpose of this article, we do not need to precisely geolocate the plane crash but to verify that it did indeed happen in the area it is claimed to have happened, mainly in order to add to the credibility of our report.

A first reflex I had when watching the crash footage was to look for wildfire data in the area, hoping that a satellite with publicly available data and a sensitive enough sensor was passing by at that time and would have picked up on the fire caused by the crash. A first tool used in this case is NASA FIRMS (Fire Information for Resource Management System), which unfortunately came up short in identifying any potential spots. A bit more tedious and meticulous is the transformation of data in the Sentinel Playground (now called Copernicus Browser) to expose wildfires, which you can do by adding a custom filter and inserting the ‘Burned Area Visualization’ script to search for any potential burnt areas in a post-crash setting. Unfortunately, the days of overflight did not perfectly line up, and there were only a few false positives on cloud linings, so I had to revert to combing through the sparsely available street view data in the area.

Although there are plenty of angles of the crash, the most useful one to our investigation is the one published here, which offers a view of an odd metal structure/tower, a growhouse and a wooden fence. Based on the town’s positioning and the powerline network in the area obtained through openinframap, we were able to use the F4map demo to scout for some towers in the area, which we were able to find in one of the town’s neighborhoods. It was precisely this little auto-generated tower which gave its position away. Despite the lack of footage from crowdsourced providers such as Mapillary or KartaView, Yandex street view gave us enough resources to determine the exact location matching the two metal structures, growhouse and wooden fence.
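A single-date burn-scar evalscript of the kind you can paste into the Copernicus Browser custom-script box, given here as an added example: it is not the ‘Burned Area Visualization’ script itself nor the author's code. The thresholds, the helper names `normDiff` and `classify`, and the sample values are assumptions; the cloud test is there to suppress the cloud-edge false positives mentioned above.

```javascript
//VERSION=3
// Added example: single-date burn-scar highlighter for Sentinel-2 reflectance.
// Every threshold below is an illustrative assumption, not a calibrated value.
const NBR_BURN_MAX = -0.1;  // NBR at or below this counts as burn-like
const CLOUD_BLUE_MIN = 0.2; // blue (B02) above this counts as cloud or cloud edge
const WATER_NDWI_MIN = 0.0; // NDWI above this counts as open water

function setup() {
  return { input: ["B02", "B03", "B04", "B08", "B12"], output: { bands: 3 } };
}

// Normalized difference (a - b) / (a + b), guarded against a zero denominator.
function normDiff(a, b) {
  const sum = a + b;
  return sum === 0 ? 0 : (a - b) / sum;
}

// Label one pixel. Cloud and water are ruled out before the burn test so that
// a low NBR on those surfaces is not read as a burn scar.
function classify(s) {
  if (s.B02 > CLOUD_BLUE_MIN) return "cloud";
  if (normDiff(s.B03, s.B08) > WATER_NDWI_MIN) return "water"; // NDWI
  if (normDiff(s.B08, s.B12) <= NBR_BURN_MAX) return "burn";   // NBR
  return "other";
}

// Burn-like pixels in red, masked cloud in white, everything else true colour.
function evaluatePixel(sample) {
  const label = classify(sample);
  if (label === "burn") return [1, 0, 0];
  if (label === "cloud") return [1, 1, 1];
  const gain = 2.5;
  return [gain * sample.B04, gain * sample.B03, gain * sample.B02];
}

// Constructed reflectance samples (not real imagery) for an offline check.
const SAMPLES = {
  burnScar:  { B02: 0.04, B03: 0.05, B04: 0.06, B08: 0.10, B12: 0.18 },
  forest:    { B02: 0.03, B03: 0.06, B04: 0.04, B08: 0.40, B12: 0.10 },
  cloudEdge: { B02: 0.30, B03: 0.30, B04: 0.31, B08: 0.30, B12: 0.38 },
  lake:      { B02: 0.06, B03: 0.05, B04: 0.03, B08: 0.02, B12: 0.01 }
};
```

The `cloudEdge` sample has an NBR below the burn threshold, so without the blue-band check it would be painted as a burn scar.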





Here’s a quick bonus for you: for quick changes between mapping/satellite providers, you can use websites such as satellites.pro or extensions such as openswitchmaps.


Verifying the Passenger List

  • The picture of Raspopova’s (the flight attendant) ‘last breakfast’ was posted on her FB page on the morning of the flight, at 9:03 a.m. Due to file compression, the interesting EXIF data has been cleared from the image file. When trying to geolocate the exact place where the picture was taken, it appears that it was not at one of the airport’s cafés. The time of posting is also rather early for the flight itself, so people claiming this was taken at the airport have no proof of this. Given that she was not wearing her uniform and the fact that the cabin tag was most likely an old one given how worn out it is, it is more likely that the image was taken outside of the airport – good luck finding out where. Interestingly, however, her VK account claims that her last interaction on the app occurred on August 23rd – which concurs with the crash data we have amassed so far. This concurs with the times the accounts of the co-pilot and one of Prigozhin’s bodyguards on board were last seen (see below). The ‘last seen’ indication of the bodyguard’s account is interestingly close to the presumed time of the incident. As mentioned in the @vchkogpu channel, bodyguards and other personnel were usually allowed to use their phones when on board Prigozhin’s airplane. Some of the tools used in the finding/linking of these accounts are epieos.com and WhatsMyName.

source: Facebook


source: VKontakte


source: VKontakte

source: VKontakte

A final element of importance is a video with complementary screenshots of alleged text messages which surfaced on the @vchkogpu channel, showing the inside of the plane on the morning of departure as well as the conversation between the management and the head of the visiting company. There are many details to digest here, and given the lack of tangible proof of many of the alleged facts, let us focus on that which can be proven. The conversation between both interlocutors reads as follows:

Alexandra, we can't organize the passes for tomorrow. There's a terrorist alert everywhere. As skippers we will not pass without ID cards. And as passengers we will not pass without 'skipage'. I checked with the owner. The flight will be in Sheremetyevo tentatively until Wednesday. Can we reschedule the flight for Tuesday? And we'll need a second passport for the pass. There's no way to get in there now. I've already knocked and called everyone, they say everything is very strict. Can you give me a second passport for the pass? I need to see who's available Tuesday-Wednesday. I'll be back a little later. Okay, got it.

____________________________________________

Good afternoon! I need to organize tomorrow's schedule. Can you give me a time line? Good afternoon! Let's make it 10:00, as agreed. I'll call the 11:00 flight so we can make it. Okay. Then 10:00 at Terminal A. Will you order passes for the cars? Yeah, send me the license plates. Mercedes K500BT197. Okay.

From the inside footage of the plane, we cannot conclude a lot except that there are portraits of Putin and some interesting books inside of it – to no one’s surprise. The license plate of the car mentioned matches up with the description of a Mercedes Benz GLC 1st gen coupé registered in Moscow, which allegedly belongs to Rusjet’s chairwoman of the board of directors Alexandra Yulina, who was accompanied by her technical director Sergei Klokotov that day.


Ultimately, all of this information was included in an interactive graph on the recently updated osintracker.com tool. It is free, intuitive and allows for quick structuring of easily accessible reports. As much as I don’t really use their transforms, I’d definitely recommend it! Some of the information is not yet in the public sphere, so it has been blurred. There is no need to dox any of them unnecessarily.


Depending on your needs and motivations, it is possible to provide access to the full report.


So What?

In the last few sections, we have managed to cover the main aspects of a thrilling investigation. OSINT has once again proven itself extremely useful in the sourcing of verifiable information as well as in increasing the degree of certainty of certain key elements of the investigation, starting from the wide spectrum of information sources offered by OSINT tools and techniques. Using the official data published by trustworthy flight data providers in combination with statements of official bodies regarding the passenger list and general situation on board before takeoff, we are offered a great starting point from which to pivot onto some of the ‘spicier’ information to be found in the open-source information realm. This information allowed us to pivot through an extensive SOCMINT process, and the data we found on the ‘last seen’ timestamps really enhanced our trust in the published passenger list. Combining this with our ability to verify the general location of the crash site as well as source existing contingency planning manuals for the aircraft, leveraging knowledge within our network of experts could really allow us to reinforce the credibility of our analysis if we were to do more than the superficial analysis presented in this article. In fact, this is exactly where our company likes to thrive, being the connecting link between technicians and executives while providing trustworthy, timely and actionable intelligence!


PS: I would like to thank you for your enthusiasm regarding the previous article and the many subscriptions. If you have not done so yet, feel free to subscribe to our newsletter to be notified of our upcoming insight articles.

