On Thursday, reporters from The New York Times were already gathered near the Dighton home of Airman First Class Jack Teixeira’s mother when a half-dozen FBI agents, some of them heavily armed, pushed their way inside. A twin-engine government surveillance plane circled overhead to keep watch.
Not long after, the 21-year-old who served in the Massachusetts Air National Guard was arrested and taken into custody. On Friday, Teixeira was charged in US District Court in Boston with leaking classified documents, allegedly posting batches of sensitive intelligence to an online chat group called Thug Shaker Central.
Advertisement
But Times reporters had arrived at the family’s home before federal authorities and questioned Teixeira’s mother, Dawn, outside her home. She confirmed that her son was a member of the Air National Guard; that he had been working overnight at a base on Cape Cod; and that he had recently changed his phone number.
When Teixeira appeared to drive onto the property in a red pickup truck, Times reporters approached the house again, as his mother and stepfather stood in the driveway.
“He needs to get an attorney if things are flowing the way they are going right now. The feds will be around soon, I’m sure,” said Thomas P. Dufault, Teixeira’s stepfather, told reporters.
His prediction quickly proved correct.
So how did Times journalists identify Teixeira, the suspect in a massive intelligence leak that has drawn worldwide attention? And how did the paper seem to be ahead of the government in doing so?
According to an affidavit filed in court on Friday, the FBI had been zeroing in on Teixeira for several days, following its own investigative clues and information that the Times and The Washington Post had uncovered about the Discord chat group where Teixeira allegedly shared the documents. Law enforcement officials were forced to speed up their investigation as reporters kept finding new information, the Times reported.
Advertisement
Although other members of the chat group did not identify Teixeira as the person who posted the intelligence files, a trail of digital evidence compiled by the Times ultimately led reporters to Teixeira.
On an episode of the Times podcast, Hard Fork, released Friday, hosts Kevin Roose and Casey Newton spoke with Aric Toler, who helped track down Teixeira. Toler is the director of training and research at Bellingcat, an investigative journalism group that specializes in open-source research, and he teamed up with the visual investigations team at the Times to help identify the source of the leak.
There are many platforms involved in the leak of the documents, Toler said.
“The whole thing came to a head,” he said, when the Times published a story about the Pentagon investigating the leak. At the time, journalists noted how there were posts on the messaging app Telegram, but Toler was not convinced it was the original source of the leak.
“I found three photos and two other ones that weren’t in the Telegram cache on 4Chan, but some other ones on Telegram weren’t on 4Chan, so clearly they got it from the same place,” Toler said. He then received a private message where someone alerted him that they thought they had seen the posts on Discord, a social media and messaging platform, and pointed him to a Minecraft map server. On that server, 10 photos had been posted, including three that “no one had seen before.”
Advertisement
Toler talked to the “Minecraft guy,” a 17-year-old who insisted he was not the leaker and said he had gotten the documents from another “kid” who had posted them on a different server. That individual had pulled the documents from another server, called Thug Shaker Central, where “hundreds and hundreds” were posted, Toler said in the podcast. Transcripts and photos had been posted on that server since October at the latest, Toler said.
Toler then had to narrow down the small pool of active members in that server — the online gaming chat group — to figure out the leaker. He spoke with a teenager who told him that the leader of Thug Shaker Central was called “O.G.,” short for “the original guy or original gangster,” Toler said.
The teenager said he and “O.G.” played games such as Halo together on Steam, a gaming platform, and that “O.G.” had shared the leaked documents among the members of the Discord group, Thug Shaker Central, Toler said.
Most of the members deleted their accounts after the story broke, Toler said.
After scraping data, one person stood out. A colleague of Toler’s at Bellingcat looked into that individual and found that he had used a website under one of his Steam usernames to sell items such as scopes and body armor. Toler said all the games the teenager mentioned playing with “O.G.” showed up on this person’s Steam list.
Advertisement
“The very first username he had was ... like Jack something something Tex,” Toler said. He googled the name and was led to a Flickr album from 2007 showing a man and his kid. The name of the album, he said, was “Jack and Jackie.” The team then looked into the mom and other family members, eventually finding “photos of a new Air Force Reserve Person, whose name was Jack, who had just recently entered the Air Force National Guard.”
As they continued investigating, Toler said that one of the usernames Teixeira used for his Instagram and Facebook also linked back to his Steam account. They determined that at some point Teixeira had taken over his dad’s Steam account, renamed it, and started using it himself.
But the sites “retain the historic name info,” Toler said.
“The dad’s Flickr account and the Steam account were the same, which led to ... photos of him, and linked back to the username [Teixeira] used for Instagram and Facebook,” Toler said. “From there, [we] realized, ‘Oh, he’s actually with the intelligence wing of this Air National Guard,’ and then everything kind of pulled together.”
The online gaming profile in Teixeira’s name connected him to photographs of locations where the leaked documents were photographed, including a kitchen countertop inside his childhood home, the Times reported. The countertop and floor tiles seen in the margins of the papers were also visible in photographs of the family home posted online by some of his immediate relatives.
Advertisement
Teixeira recently deleted the Thug Shaker Central group off Discord and made his Steam profile private, Toler said.
Toler said he wasn’t surprised about where the leak came from online and that others are likely sharing documents as well, just being more covert about it.
“Most people don’t have a 17-year-old friend who will then post [classified documents shared with them] onto Discord,” he said. “Maybe the people who are doing this right now have better friends, or at least maybe, frankly, better filters or sense of judgment.”
Shannon Larson can be reached at shannon.larson@globe.com. Follow her @shannonlarson98.