14 The Hunt
In April 2024 the threat-intelligence firm Mandiant published a report that read, in places, like a dossier on a person. Its subject was a Russian military hacking group the company had tracked for more than a decade, and the document announced a kind of promotion. “Given the active and persistent threat to governments and critical infrastructure operators globally,” it stated, “Mandiant has decided to graduate the group into APT44” (Roncone et al. 2024, 1). The new label resolved to an institution with an address. APT44, “commonly known as Sandworm,” was “a Russian Federation backed threat group attributed by multiple governments to Unit 74455, the Main Centre for Special Technologies (GTsST) within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), commonly known as the Main Intelligence Directorate (GRU),” and Mandiant fixed the unit’s founding in 2009 from “publicly available images of the unit’s anniversary insignia” (Roncone et al. 2024, 2). APT is the security industry’s shorthand for an advanced persistent threat: a well-resourced intruder that picks a target, gets inside, and stays hidden for years. The GRU is Russia’s military-intelligence service. The report is what attribution looks like when it works, a sprawling cluster of activity converted, by a deliberate and gated institutional act, into a numbered unit of a named state, down to the insignia on the wall.
Attribution does not always arrive at the moment of disclosure; more often it accretes. When the SolarWinds compromise became public in December 2020, the firm then called FireEye could say only that “we are tracking the actors behind this campaign as UNC2452” (FireEye 2020), a placeholder for an actor it could not yet name. Sixteen months later the placeholder resolved. Mandiant had “gathered sufficient evidence to assess that the activity tracked as UNC2452 . . . is attributable to APT29” (Mandiant 2022), and its finding “matches attribution statements previously made by the U.S. Government that the SolarWinds supply chain compromise was conducted by APT29, a Russia-based espionage group assessed to be sponsored by the Russian Foreign Intelligence Service (SVR)” (Mandiant 2022), Russia’s civilian foreign-intelligence service. The machinery that turns an artifact into a name demonstrably exists, and it works on exactly the kind of patient, supply-chain-minded adversary the xz operation resembled. It produced no name for xz. No public attribution links APT44, Sandworm, APT29, the SVR, or any other named actor to the backdoor in xz: the groups above are a measure of what successful attribution can do, not a claim about who did this. Two years on, the operator is known only by the name on the commits, “Jia Tan,” which is not a name so much as the absence of one.
What makes the blank strange is that the record is not thin. The XZ Utils incident is among the most exhaustively documented intrusions in the history of open-source software. Every change the operator made sits in a public version history; every message survives in mailing-list archives; the late moves are timestamped to the minute. A real-time chat channel logged the operator’s connection, a network lookup captured a connecting address, the release archives carry cryptographic signatures, and the backdoor’s trigger mechanism has since been published and dissected line by line. By any ordinary intuition, that much evidence ought to converge on a person. It does not. The sharpest way to feel why is to set it beside a case that ran the other way.
For most of Bitcoin’s first decade its users believed the currency was anonymous, and they were wrong, and the demonstration of how wrong became its own genre of investigation. Andy Greenberg’s account of that work, Tracers in the Dark, describes investigators “tracing a cryptocurrency that had once seemed untraceable” (Greenberg 2022) to crack one criminal case after another. The property they exploited had been hiding in plain sight. As the computer scientist Sarah Meiklejohn put it in the 2013 paper that opened the field, “Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible” (Meiklejohn et al. 2013, 127). The public ledger recorded every transaction permanently; in Greenberg’s phrase, “everyone was a witness to every payment” (Greenberg 2022). Substitute “code” for “money” and the sentence describes the operator with unsettling precision. The flow of the work, every commit, every email, every signing event, was globally visible. The ownership behind it was not. So why does one fully public record name people and the other does not?
The answer is not in the records but at their ends. Crypto investigators could trace value through the ledger, but the ledger alone never produced a person. Greenberg describes the realization that broke the cases open: the chains of transactions “eventually” led “to exchanges like Mt. Gox and Bitstamp, where they seemed to be cashed out for traditional currency. For an academic researcher, this was a dead end. But anyone with the subpoena power of law enforcement, Meiklejohn realized, could very likely force those exchanges to hand over information about the accounts behind those transactions” (Greenberg 2022). Meiklejohn’s own paper had stated the point dryly: “an agency with subpoena power would be well placed to identify who is paying money to whom” (Meiklejohn et al. 2013, 128). De-anonymization rode on a chokepoint in the real world. Sooner or later, value had to convert into ordinary money, and that conversion happened at a regulated exchange that collected identities, where a subpoena could force a name. The operator never had to cash out. The currency of the operation was trust, and it was spent in place: there was no exchange at the end of the trail, no account to subpoena, no real-world gate where the pseudonym had to anchor itself to a person.
Even fully exploited, the public record yields an actor, not an identity. Meiklejohn’s method could collapse a scatter of separate keys into a single node by “transitively” tainting an entire cluster once one member was labeled, producing “a condensed graph, in which nodes represent entire users and services rather than individual public keys” (Meiklejohn et al. 2013, 128). The same logic lets the XZ Utils record be read as coordinated activity: the helpful contributor “Jia Tan,” the impatient strangers who pressed for a faster handover, the account that later pushed the poisoned release downstream, all clustering into a single operational node. But a node is not a name. Clustering can show coordinated personas; it cannot tell you whether they were one person, several people, or a contributor later co-opted. That last step needs a label from outside the record, and against this operator no outside label ever came. Tigran Gambaryan, the federal investigator at the center of Greenberg’s biggest cases, drew the line as a working rule: against an adversary a state protects, “you might get a name-and-shame out of it,” but “you’re not going to get a body” (Greenberg 2022). The crypto criminals were reachable because the money chain ended at an identity. State-shielded actors are not: “the real problem remains rogue countries like Russia and North Korea,” Greenberg writes, “countries whose governments allow their citizens to defy global law enforcement action even when their activities are fully visible on the blockchain” (Greenberg 2022). Brian Krebs, the security journalist, made the same point about XZ Utils from the other end. His own investigative tools, he wrote, “can’t hold a candle to the tools available to our government and three-letter agencies. And when even they can’t see much of a trail with all their spy tools and off-books access, that’s telling. Thing is, those 3-letters probably are not going to tell us what they find (or don’t find)” (Krebs 2024, post 112198143331078347). Three cases sit on one spectrum: in crypto, a name and a body; with APT44, a name and no body; with xz, neither.
What the open record offered, then, was not identity but behavior, what Meiklejohn called “idioms of use,” the habitual tells that gradually erode a pseudonym (Meiklejohn et al. 2013, 128). The discipline of the hunt is to read those tells for exactly what they establish and no more. The most striking of them is an absence. Krebs, who spent hours on the question, found that the email addresses “used for a couple of years at least by the parties involved have absolutely zero trace in any kind data breach or database beyond Github/Gitlab, and maybe Tukaani and Debian and a few mailing lists” (Krebs 2024, post 112197305365490518). Ordinary identities leak: over years of use, an address turns up in some breach corpus, the haul of stolen data that circulates after a hack. These did not. The explanation Krebs reached for was the discipline of a professional. “Very few people do opsec well,” he wrote, using the security world’s shorthand for operational security, the practice of leaving no linkable trace, “and for every year you’re operating under the same name, nick, number, email, etc you dramatically increase the risk of screwing up that opsec. And almost everyone does, eventually” (Krebs 2024, post 112197305365490518). The operator did not. From the clean absence Krebs drew an inference, and he marked it as one: “to find it multiple times suggests we’re dealing with an operation that was set up carefully from the beginning. And that almost certainly means a group project (state-sponsored)” (Krebs 2024, post 112197305365490518). The reasoning is sound and the conclusion is hedged, and the hedge is the point. “Almost certainly” is a probability, not a verdict, and it names no one.
The other artifacts behave the same way: each is a real lead, and each stops short of a person. An independent study of the commit timestamps concluded, as Evan Boehs summarized it, that “the perpetrator worked ‘Office Hours’ in a UTC+02/03 timezone,” and noted that “they worked through the Lunar New Year, and did not work on some notable Eastern European holidays, including Christmas and New Year” (Boehs 2024). That pattern points toward a place and away from another, but it is a pattern in metadata, not a location. The single piece of geographic data was thinner still. The only public geolocation for “Jia Tan,” Kaspersky found, was “a Singaporean VPN exit node,” the server through which the operator’s traffic emerged, masking wherever it actually began, and the vendor immediately cautioned that the choice of exit could itself be staging: “if constructing a fictitious identity, using that particular exit node would definitely be a selected resource,” and “our pDNS confirms this IP as a Witopia VPN exit” (Kaspersky GReAT 2024), a commercial service identified through passive DNS, the historical record of which addresses have served which domains. A lead that confirms the operator used a VPN is a lead that confirms there is no location to read. Even the backdoor’s cryptography, the most legible artifact of all, names no author. Reverse-engineering the payload, the security researcher Anthony Weems found that “the backdoor uses a hardcoded ED448 public key for signature validation and decrypting the payload,” and that to make it run at all “we can replace this key with our own” (Weems 2024). Ed448 is a public-key signature scheme: a secret key signs, and a matching public key verifies. The backdoor carried only the public half, which meant it would accept commands from one party alone, the holder of the matching private key; that proved control of the backdoor, not a name. The encryption around the payload reused the public key’s bytes, so any onlooker could “decrypt any exploit attempt” (Weems 2024) and watch the door from outside, but watching is not opening. The operation built itself a private door with exactly one keyholder, left the door in plain view, and the key names no one.
The permanence that undid the crypto criminals was present here too, and produced nothing, because what the permanent record preserves are constructed artifacts that anchor to nothing real. It also turns the attribution problem inward, onto the code itself. The release the world initially fell back to, version 5.4.5, “seems to be still signed by the adversary,” one responder noted on disclosure day (Hess 2024, msg #72): the operator’s signature, the very mechanism meant to vouch for a release, sat on the safe harbor. Nearly a year later the cleaned and trusted line still carried hundreds of the operator’s commits, because excising every contribution would have meant rewriting the project’s history (Hess 2024, msg #200).
The deepest version of the problem is that a deliberately planted flaw can be indistinguishable from an honest mistake. The developer Joey Hess raised it within hours of the disclosure, arguing that the operator was “well placed to insert a buffer overflow” a crafted file could turn into “arbitrary code execution,” and that “the impact of such a security hole could be much more stealthy and bad than the known backdoor” because it could be denied as a bug (Hess 2024, msg #5). Lasse Collin’s later line-by-line review found no such second payload (Collin 2024b), and Hess’s worst case stayed a worst case; but the structural point holds, that a sufficiently subtle bug escapes attribution entirely by being deniable. The forensic responders ran into the same wall from the integrity side. The released archives matched their manifests, with “no evidence of tarballs being modified post-upload,” Sam James reported, and yet that proof of integrity bought no confidence, because the question was no longer whether the files were altered but whether the person who signed them could be trusted: “I am still considering whether we should bring back the last release signed by Lasse Collin, rather than Jia Tan, to be safe” (James 2024a, comment 8). A signature can prove provenance. It cannot certify intent.
The strongest corrective to amateur forensics comes from the one person who corresponded with the operator for two years. Collin, the maintainer who had been deceived, went back through the malicious commits and published his findings, and his review repeatedly cools the readings that the public was most eager to make. On the question of forged identity, the foundation of any attribution theory, he was flat: “while the commits weren’t signed, I didn’t spot any signs of committer fraud” (Collin 2024b). The operator had not needed to forge anything, because a trusted co-maintainer’s work is accepted on the strength of the relationship, not the cryptography. On the commit timezones that observers read as leaks of the operator’s real location, Collin noted that “there are mundane explanations for these,” routine git operations that rewrite the recorded time, adding that of the techniques that could produce the anomaly he “never did the last one but I don’t know if Jia did” (Collin 2024b). And on one of the louder theories, that the operator had shortened the project’s SECURITY.md disclosure window as tradecraft, to buy a backdoor more time before any flaw went public, Collin’s account inverts the story. Simplifying the file had been his own initiative, and on the window itself it was Collin who wanted it shorter: “I felt 21–30 days would be appropriate but Jia wanted to keep 90” (Collin 2024b). The artifact read as the operator’s cunning was, in the record, the maintainer’s housekeeping. The one glimpse of the operator’s character cuts the other way and is the more chilling for it. Pressed about a harmless metadata oddity in a release archive, the kind of slip that invites an easy excuse, the operator would not take it. “The simplest explanation would have been that the tarball was created with make dist instead of make mydist,” Collin wrote, naming the project’s ordinary packaging command and the hardened variant it was supposed to use, “however, Jia didn’t admit that it was such a simple error even though it would have been the easiest way to make me stop asking further questions” (Collin 2024b). It was discipline so complete that it refused even the convenient lie.
Set against that discipline, the leading theories are best handled the way the most careful analysts handled them: as a labeled set of possibilities, ordered by the strength of the evidence, never as a conclusion. Kaspersky, after laying out the artifacts, said as much itself: “reflecting on these data points still leads us to shaky ground. Until more details are publicized, we are left with speculation” (Kaspersky GReAT 2024). The vendor then offered not one account but three. The operation might have been a small team that planted a malicious actor in the maintainer’s seat; or a single individual running every persona, the pressure accounts and the helpful contributor alike; or, in the version that most unsettles the tidy narrative, a real contributor named in the record as “Jia Tan” who “legitimately earned access” and was only later manipulated or co-opted, with the harassing strangers possibly a coincidence rather than a coordinated screen (Kaspersky GReAT 2024). A vendor with the full artifact set could not decide between a team and a lone operator, or between a planted agent and a turned volunteer. That irresolution is the finding.
What the artifacts do support, and only at the level of capability, is a register: sophisticated, professional, patient, and probably backed by a state. The reverse-engineering vendors reached for that language while refusing the next step. Akamai called the tradecraft state-grade and stopped: “such long-term operations are usually the realm of state-sponsored threat actors, but specific attribution does not currently exist” (Akamai Security Intelligence Group 2024). The clearest articulation came from the security researcher Michał Zalewski, who argued from the operation’s defining trait, its multi-year patience, that “if this timeline is correct, it’s not the modus operandi of a hobbyist,” since anyone with the skill and the patience to do this “can easily land a job that would set you for life without risking any prison time” (Zalewski 2024). His conclusion was a graded inference: “all signs point to this being a professional, for-pay operation,” he wrote, “and it wouldn’t be surprising if it was paid for by a state actor” (Zalewski 2024). The provenance of that last phrase is itself a small lesson in attribution discipline. Zalewski had first written “foreign government,” then changed it; asked why, he explained in the comments that “given that it’s a pretty weak hunch, and that it’s tangential to the broader point, I stealth-edited the article to just say ‘state actor’” (Zalewski 2024, lcamtuf comment, 2024-03-30). A confident-sounding claim, downgraded in public, with the reasoning shown. It is the same calibration Mandiant performs formally with its tiers of confidence, here done in the open by a single analyst.
The “probably state” reading rests on a recognizable kind of tradecraft, and the recognition has a history. The journalist Nicole Perlroth recorded the taxonomy of the veteran U.S. offensive-cyber figure James Gosler, for whom the apex of the field was occupied by “the Tier V and VI nation-states who spent years and billions of dollars finding mission-critical zero-days, developing them into exploits, and . . . inserting them into the global supply chain” (Perlroth 2021). Supply-chain insertion, in that account, is the signature of the very top tier, and the xz operation is structurally a supply-chain insertion that demanded exactly the years and the patience the tier implies. But the inference must be held at the level it lives on. Gosler was describing his era and never connected the taxonomy to xz; the resemblance is a reading, not a finding. The operation’s footprint was also both vast and slow to map, which is part of why the reading took the shape it did. Surveying the incident days after the disclosure, the security researcher Kevin Beaumont noted that the “changes made by the threat actor on Github span multiple years,” and that “several days in, despite global focus,” he had not “seen anybody who has finished reverse engineering it” (Beaumont 2024). And the discipline against over-reading craft into a culprit is itself a documented lesson. Greenberg, recounting the long hunt for the GRU’s Sandworm, names “the attribution problem” as an ordinary condition of network operations rather than a coyness, a fog of “proxies, misdirection, and sheer overwhelming geographic uncertainty,” and quotes the analyst Rob Lee’s warning that “the people who develop it are not always the same people who use it” (Greenberg 2019). The patient social engineering, the discipline, and the bespoke cryptography license a register, not a name. As Thomas Roccia, who reconstructed the operation for a DEF CON audience, framed it, this was “an undercover operation that lasted almost three years, which is very impressive in terms of technical details, but also the social-engineering aspect is very impressive as well” (Roccia 2024, 1:06). Impressive enough to read as professional; not legible enough to name.
The most basic uncertainty was acknowledged from the first days. As Dan Goodin wrote in the week of the disclosure, “it’s unknown if there was ever a real-world person behind this username or if Jia Tan is a completely fabricated individual” (Goodin 2024), and an Electronic Frontier Foundation (EFF) analyst told The Intercept that there was no “indication yet whether this was state sponsored, a hacking group, a rogue developer, or any combination of the above” (Mazurov 2024). Two further years of work have not closed that sentence.
If any thread invites a verdict, it is the alias that did the most concrete damage. An account presenting as “Hans Jansen,” writing from hansjansen162@outlook.com, did two operation-critical things from a single email address. It had authored the indirect-function commits, a legitimate-looking optimization that lets a program pick the fastest version of a routine at startup, which the payload later used as its way into the build. And in March 2024, four days before the disclosure, the same account asked Debian to ship the backdoored release, calling it “my package”: “I am looking for a sponsor for my package ‘xz-utils’,” it wrote, naming “Version : 5.6.1-0.1” and the project’s own address as the upstream contact (Jansen 2024, msg #5, 2024-03-25). Named observers read the account as part of the operation rather than a coincidence. Russ Cox noted that “Hans Jansen” surfaces in 2024 only to promote the poisoned release and otherwise has essentially no internet presence, “a likely sock puppet” (Cox 2024); Krebs found the address absent from any breach corpus, as with the other personas; The Intercept grouped it among accounts that looked like deliberate persona management (Mazurov 2024). The pattern that links the personas is mechanical. As Krebs put it, accounts betray a shared hand through “multiple accounts that match some kind of naming convention, provider, etc. over the years” (Krebs 2024, post 112197610429038229), and the operation’s personas do: a recurring shape of a word plus digits at a free email provider, across “Jigar Kumar” and “Dennis Ens,” the strangers who pressured Collin to hand over control, and “Hans Jansen.” The reach may have extended past XZ Utils itself: a Linux kernel developer noted that the same actor was listed as a co-maintainer of the kernel’s XZ Embedded implementation (Corbet 2024, sergey.senozhatsky comment, 2024-04-01). That shows access and role, not identity. All of this is documented behavior and attributed judgment, and the discipline is to keep it there. Even the FAQ that became the incident’s reference work marked the limit: yes, “Hans Jansen” introduced the function-resolution mechanism and later pressed Debian to update, “but this is quite a common thing for eager users to do, so it’s not necessarily nefarious” (James 2024b). The clustering shows coordination. It does not show identity, and the relationship between “Hans Jansen” and “Jia Tan,” one person or several, planted or turned, stays exactly as unresolved as Kaspersky’s three hypotheses leave it.
That the attribution stays open is not a failure to find an ending. It is the finding. The European Union’s own cybersecurity agency, surveying supply-chain attacks before the XZ Utils backdoor existed, stated the general case plainly: “attribution of attackers is very hard, prone to error, imprecise and politically challenging, but not impossible” (European Union Agency for Cybersecurity (ENISA) 2021, 14). The agency’s own numbers make non-attribution the ordinary outcome rather than the exception. Of twenty-four incidents it analyzed, ten were never attributed to a particular group, roughly 40%, and it attributed even that much resolution mostly to time, since most of the unattributed cases were recent (European Union Agency for Cybersecurity (ENISA) 2021, 25). Engineered ambiguity, in the literature of these operations, is a result and not a reporting gap. Thomas Rid, the historian of disinformation, describes attribution as “underdetermined by observable evidence,” a “judgment call” rather than a deduction (Rid 2020): the evidence does not compel a name, and supplying one anyway would be a different act from reporting one. The serious analyses converge on the same restraint from independent directions. The peer-reviewed software-engineering study of the attack declined to name anyone at all, telling its readers that “since our work focuses on the impact of the attack on software engineering practices rather than specific individuals, we have anonymized the actors involved” (Przymus and Durieux 2025, 92, fn 1). Unnamed is not one writer’s omission. It is the steady state of the field.
There is a reason the medium produces that steady state, and it is older than this operation. Open-source collaboration binds people who never identify one another through any embodied, hard-to-fake channel. Karl Fogel, in the standard manual on running such projects, calls it “psychologically odd, because it involves tight cooperation between human beings who almost never get to identify each other by the most natural, intuitive methods: facial recognition first of all, but also sound of voice, posture, etc.” (Fogel 2020, 98). A consistent screen name is the only face anyone has, and the culture’s own etiquette blesses it: “use your real name for all interactions,” Fogel advises, “or if for some reason you prefer pseudonymity, then make up a name and use it consistently” (Fogel 2020, 99). By that standard a steady, well-behaved alias is not a warning sign. It is good conduct, and “Jia Tan” satisfied the norm exactly. The operator’s pseudonymous consistency was camouflage indistinguishable from the ordinary, which is why no one was positioned to read it as a tell. Clifford Stoll’s hunt through the same kind of network a generation earlier ended, in 1989, with German authorities charging five named people with espionage and a trail that led to the KGB; that era could still walk the wire to a person. Stoll had already imagined a version of this adversary: a spy able to work cheaply from inside his own country, with little personal risk and few diplomatic costs (Stoll 1989). The operator is that figure realized and the courtroom subtracted.
In the end the people closest to the incident did not need a name, and said so. Andres Freund, who caught the backdoor, found that the operator’s identity was beside the point of the response: whether the malicious code came from a compromised account or a long con, he had not looked further, because “it didn’t really play a role for the reaction” (Freund 2024, 50:48). The responders treated attribution as out of scope on principle. “We do not want to speculate on the people behind this project,” the incident FAQ stated; “this is not a productive use of our time, and law enforcement will be able to handle identifying those responsible. They are likely patching their systems too” (James 2024b), a line that assumes, quietly, a competent adversary reading the same disclosure as everyone else. Krebs’s conclusion was that even the agencies with the deepest tools would likely “not tell us what they find (or don’t find)” (Krebs 2024, post 112198143331078347). And the most direct datum of all is the maintainer’s, recorded without speculation in the commit that ripped the backdoor out: “the maintainer who added the backdoor has disappeared” (Collin 2024a). The operator who spent two years earning a place at the center of the world’s software walked away from it and left no one to charge. Roccia, whose job is to attribute, allowed that “I’m not sure if we will have the answer someday” (Freund and Roccia 2024). That an adversary can operate this deep inside critical infrastructure and never be named is not a loose end in the story. It is the trust argument in its sharpest form: the systems that hold up the digital world authenticate work, not people, and a patient operator who never breaks the etiquette can ride that gap as far as it goes. The openness is a finding about the limits of what the public record can know, not a license to fill the silence with a culprit, and the honest reading leaves room for the operations that were never caught at all. As one developer wrote into the disclosure thread on its first day, “it would be hubris to assume this is the first or only attempt to subvert an upstream so far” (Corbet 2024, alex comment, 2024-03-29).