How to Identify an Insurrectionist
Some of the rioters who attacked the Capitol last Wednesday made identifying themselves easy. Maybe they streamed the whole thing, or perhaps mugged for news photographers with their feet on Nancy Pelosi’s desk. Others have proved harder to ID. Just who was responsible for that grainy flash of violence in the corner of a video? How about that masked dude with a bunch of zip ties?
This weekend, an impromptu gathering of dedicated Twitter sleuths came together to identify several of the more-difficult instigators. At the center was John Scott-Railton. A senior researcher at the University of Toronto’s Citizen Lab, Scott-Railton professionally hunts bad guys on the Internet. He doesn’t exclusively focus on the American right—he’s studied Mexican cartels and Chinese propaganda—but he began studying the “Stop the Steal” movement after the election. And just two days ago, he was able to use some savvy internet sleuthing to positively identify two of the more nefarious Capitol stormers: Lieutenant Colonel Larry Rendall Brock, Jr. and the “Zip Tie Guy,” Eric Munchel. He’s also referring information to the media and bigger online sleuthing organizations like Bellingcat.
It turns out that good detective work is much the same online as it is in real life: You have to follow the clues and build a timeline. Scott-Railton also broke down the different types of Capitol rioters and explained why we all need to think more about our veterans’ mental health.
GQ: Could you start off by explaining exactly what it is you do?
John Scott-Railton: My work focuses on tracking digital threats to civil society, understanding the bad actors that are hacking journalists and human rights defenders around the world.
And how did that involve you in the events that happened at the Capitol last week?
A couple of months ago I began looking into the “Stop the Steal” movement because I felt like it was an ideological disinformation cannon pointed at the population. You can imagine my sense of horror but gnawing lack of surprise when things descended into chaos on the 6th. Watching, I really felt like maybe there was something I could do.
A single photograph caught my attention, of a man holding a clutch of temporary restraints, which some people call zip-tie handcuffs, vaulting a railing in the Senate gallery. The guy was wearing military gear, he had covered every inch of his body. I thought, “Man, I have to figure out who this man is, this is a public safety issue.”
So I logged into my Twitter account and started a process of careful open source investigation. You try to surface details and use them to identify a person. That process very quickly attracted the support of tens of thousands of people surfacing images and suggestions. By riding that incredible wave of citizen public surface, we were able to get an identification. The same thing happened for the retired Lieutenant Colonel from Texas, Lawrence R. Brock. The identification of those two men was a really interesting example of what can happen when a lot of people put their minds together and really try to solve an urgent problem.
How do you even start to identify a person by what they’re wearing when they’re completely covered?
It’s an interesting challenge. There are two things that happen. The first is, when you look at someone’s clothes, sometimes you get clues. What brand is this? How many people would have this? What military patches are these? But something else happens, which is you find other footage of the person. You can scrutinize details so you can find other shots, maybe of a shoulder or a backpack. That’s exactly what happened here. By focusing on the minutiae we could find other footage of these people in other situations and metaphorically walk back with them out of the Capitol, and with the guy colloquially known as Zip Tie Guy, walk with him right back to the lobby of his hotel, the Grand Hyatt in DC. He had lost his body armor and was sitting with a woman who appears to be his mother.
Can you break down how you actually found him? Was there an article of clothing that unlocked everything or something?
So the process began with an appeal. Can we find more pictures of this person? In the case of Zip Tie Guy, he had some clues. He was wearing a baseball cap from Black Rifle Coffee Company. They’re a company that sells militaristic AR-branded coffee, and his hat had an AR-15 superimposed onto an American flag, which to me will have to go down as one of the more nauseating pieces of iconography from the last few years—their swag was also worn by Kyle Rittenhouse. (Much later we found postings online by the guy supporting Kyle Rittenhouse.)
He also had a patch that had a thin blue flag superimposed onto the outline of the state of Tennessee. This was like one orbit of interrogation. We ultimately identified the brand of his gloves and his camouflage and got close on his shoes. People made good guesses about his phone and his sunglasses.
At the same time, there were several other important pieces. I had a conversation that first night, right after I posted that first image of him, with a journalist, William Turton of Bloomberg, who said to me, “I think this guy harassed me at the Grand Hyatt that night.” I filed that away. He sent a video he had tweeted, and there was a single frame that had someone in profile in black camouflage. It was very hard to tell if it was the same person. Ultimately someone surfaced a photo of him walking with a woman the moment he walked into the Capitol. He was walking up the staircase with his hand on the back of a woman. Here’s this guy helping a woman up the stairs in body armor. Is this just some guy being chivalrous? What is that?
That moment led to someone finding an image of those two people walking on the grounds of the Capitol. It was being sold by the AP. So hundreds of dollars later, I had a hi-resolution picture and the rights to tweet it once. So I did. Critically, it showed the face of the woman. That became the open sesame that connected him to footage in the Grand Hyatt.
Once we had that, we had his face and we had him talking. Then the clock was ticking—I’d already been talking with people in Tennessee because of the thin blue line patch. Tennessee people started making connections and messaging me potential people. Boy were they right! I pulled down all this guy’s social media and I called the FBI with my level of confidence, the information that got me there, and the identity based on my best efforts.
How much of this process do you personally direct, and how much was a mass movement on Twitter?
I suspect that several of the people surfacing in my threads were also participating on other threads. We don’t really know all the pieces that went into that investigation, which is what’s so beautiful about it. It was just thousands of people doing their best.
It was important to remind people of the difference between surfacing clues and making statements about identification, which is really the last step in the long yellow brick road of open source intelligence gathering.
What should people be wary of on that long road? Is there anything about open source internet sleuthing that can be dangerous?
As I watched the effort grow bigger, I realized the stakes were growing. The only right move was to get directly in touch with the FBI and explain to them once I had found what I felt to be a strong identification. It was not far from my mind that there have been efforts like these that have gotten wrong, and that can have lasting consequences. You can’t put that genie back. So I urged my followers to be careful and didn’t say anything publicly about it until others had done so.
Were there any common markers—accessories, patches, anything— that kept coming up with other individuals you were trying to identify?
There’s kind of a typology. There were the Instagram tourists with no plan. There were people who came looking for a brawl and they got it; we strongly suspect some of them were Proud Boys. Then there were people who wore military gear, and whether they were having the LARPing time of their life or they were lone wolves, we don’t know. But some of them had a lot of equipment and were up to something.
Then there was a final group—these organized militia types. We see the insignia of the Oath Keepers. [Ed: a far-right anti-government militia organization.] There was a video of a line of men marching their way up towards the Capitol—those men wore Oath Keeper patches and presented themselves as former law enforcement and military. I think we need to understand those groups, as much as we need to understand the individuals who did bad things. Put another way, we need to understand the groups that came there with plan and intent. We need to understand who their leadership was, what they wanted to do inside the Capitol, and whether they have plans around the inauguration.
What are the limits of this crowd-sourced online sleuthing? What are you worried about now?
The pipe bombs don’t have Instagram accounts. There was an obviously organized attack there, and it’s a very hard nut to crack. I’m concerned that our conversations are still missing that a lot of these people came back from the Capitol and drew the conclusion that this was a success. I’m worried about the unidentified people who left pipe bombs.
I’m desperately worried that these armed and organized militia groups have a grievance narrative, which could help groups cement ideology and double down, and I’m very concerned about disturbed young people on the periphery of the militia movement.
What can people do?
If we keep dismissing groups like this, we’ll find ourselves surprised again and again. We have to understand what happened in people’s minds, and what the things are that appeal to veterans. Our nation has an embarrassing history of disservice to our veterans and their mental health. People keep asking if there’s something they can contribute to. People should contribute to organizations that support veterans’ mental health.
This interview has been edited and condensed for clarity.
Culture
“It was not the army I expected it to be.”
Originally Appeared on GQ
