ProPublica

Inside the infrastructure of one of the largest fraud waves in history

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

A Bronx man allegedly received $1.5 million in just ten months. A California real estate broker raked in more than $500,000 within half a year. A Nigerian government official is accused of pocketing over $350,000 in less than six weeks.

What they all had in common, according to federal prosecutors, was participation in what may turn out to be the biggest fraud wave in U.S. history: filing bogus claims for unemployment insurance benefits during the COVID-19 pandemic. (The broker has pleaded guilty, while the Bronx man and Nigerian official have pleaded not guilty.)

Fraudsters have filed in high volumes, sometimes obtaining payments from multiple states, despite the fact that a jobless person is barred from getting assistance in more than one state. One person, according to the U.S. Department of Labor, used a single Social Security number to file unemployment insurance claims in 40 states. Twenty-nine states paid up, sending $222,532.

But the problem extends far beyond a plague of solo scammers. A ProPublica investigation reveals that much of the fraud has been organized — both in the U.S. and abroad. Fraudsters have used bots to file online claims in bulk. And others, located as far away as China and West Africa, have organized low-wage teams to file phony claims.

In addition, the fraud has been enabled by a burgeoning online infrastructure, whose existence has not previously been reported in the mainstream press. Much of it is geared toward exploiting aging or obsolete state unemployment systems whose weaknesses have drawn warnings for decades. Communities have sprouted on messaging apps such as Telegram, where fraudsters trade tips on how to cash in. Hustlers advertise their techniques — or “sauces" (apparently short for “secret sauce") — for filing bogus claims, along with state-specific instructions on how to get around security checks, according to a ProPublica review of messages on more than 25 such chat forums.

Some of the forums have thousands of participants and regularly offer stolen identities for sale, alongside tech tips, screenshots that ostensibly prove the methods work and advice on which states are easiest to game and which are “lit" — that is, still paying out fake claims. Users have created two Telegram channels in which they trade tips for filing claims in Maryland, whose labor department recently said it detected some 508,000 potentially fraudulent jobless claims between the start of May and mid-June. Participants in those forums have been talking about turning their efforts to Pennsylvania, where officials recently said they have “noticed an uptick" in fraudulent claims.

Telegram did not respond to requests for comment. But after ProPublica's inquiry, 10 of the channels we asked about suddenly went dark, marked with this notice: “This channel can't be displayed because it violated Telegram's Terms of Service."

Nobody has yet come close to putting a definitive number on the dollar value of fraud relating to pandemic-era unemployment benefits. But ProPublica performed a data analysis that hints at the massive scope. In state after state, the volume of initial jobless claims has far exceeded the number of estimated job losses. Across the U.S. from March to December 2020, the number of initial claims equated to 68% of the country's labor force, which stood at around 164 million before the pandemic. In five states — Arizona, Georgia, Hawaii, Nevada and Rhode Island — the initial claims outnumbered the entire pool of civilian workers. By contrast, about 23% of American workers were out of a job or underemployed at the peak of the pandemic, according to the Bureau of Labor Statistics; in the most recent report that figure is just under 10%. (There are innocent explanations for at least some of the disparity: If a person loses a job more than once during a given year, they can legitimately file for benefits more than once during that time.)

The fraud estimates provided by states so far range from high to jaw-dropping. In Vermont, as many as 90% of claims in some months were determined to be fraudulent, state officials said in June. Rhode Island's labor agency said in March that it suspected fraud in 43% of the claims it had received. The equivalent agency in California has confirmed fraud in about 10% of its payments and said it's investigating a further 17%. The numbers have tailed off in Texas, whose agency says it now suspects fraud in about 14% of its claims.

“The system was the victim of what is one of the largest internet crimes in history, perpetrated against all 50 states at extraordinary levels," said James Bernsen, a spokesperson for the Texas Workforce Commission. (Bernsen and officials for other states say the damage could've been even worse: They say they've been able to stop billions of dollars' worth of bogus claims before they got paid.)

The U.S. Department of Labor's inspector general estimates that at least $87 billion in fraudulent and improper payments will have made their way through the system by the time pandemic-linked jobless aid programs expire in September. That estimate is based on a historic assumption that fraud and waste eat up about 10% of unemployment insurance aid. The inspector general acknowledges that figure is likely too conservative in an environment where unemployment insurance fraud has “exploded" to “unprecedented" levels.

Other experts anticipate a dramatically higher tally. “From my experience, when this is all said and done, we are going to be counting in the hundreds of billions of dollars, not the tens of billions," said Jon Coss, who heads a unit within Thomson Reuters that is helping states detect fake unemployment insurance claims.

Coss bases that assessment on the widespread fraudulent activity he's seen. He said one U.S. state, which he declined to name, received fake claims — all purportedly from state residents — that originated from IP addresses in nearly 170 countries. They included countries historically linked to fraud, such as China, Nigeria and Russia, as well as more surprising ones, such as Cuba, Eritrea, Fiji and Monaco. Overall, Coss said, between 40% and 50% of the claims his group has analyzed seem highly suspect. He added, “It's mind-boggling the level of fraud that we're seeing."

Defrauding unemployment insurance, or UI, programs, which pay out weekly benefits to workers who've lost jobs through no fault of their own, is likely as old as the programs themselves. But the rise of internet-based crime over the past 25 years or so, particularly the use of stolen identities to file fake claims on someone else's behalf, opened the way to fraud on an epic scale.

The problem was already described as ongoing as early as 1998, when the Labor Department's inspector general warned about the “continued proliferation of UI fraud schemes." Four years later, a report by the inspector general said, “We are particularly concerned with identity theft or imposter schemes, which occur when individual identities are stolen and then used to apply for UI benefits." The report noted that “individuals have the opportunity to defraud multiple states from a single location."

In 2015, the agency detailed the “systemic weaknesses" that make UI programs vulnerable to fraud. (More on those later.) At least twice during the Obama administration, the Labor Department proposed reforms to Congress to address some of these inadequacies, primarily by boosting information sharing among states and federal agencies. Both times these efforts went nowhere. President Donald Trump included similar reforms in each of his four budget proposals to Congress. They, too, were never enacted.

Meanwhile, states' funding for unemployment insurance administration was falling, largely because the economy strengthened and unemployment fell. At the start of the pandemic, funding for states' unemployment insurance administration stood at a 30-year low, according to the National Association of State Workforce Agencies.

The funding squeeze led to some predictable results. California, which had hired Coss's firm to help detect fraud, canceled that contract in 2016 to save money. Budget cuts also trimmed the ranks of the federal Labor Department's inspector general's office, which lost 28% of its criminal investigators between 2012 and 2020, according to figures provided in response to a Freedom of Information Act request.

At the same time, online criminals were expanding their targets. Years ago, Agari Data, a cybersecurity firm that helps catch email scams, began tracking a Nigerian cybercrime group it dubbed “Scattered Canary." Agari produced a timeline of the group's evolution that looks like an ever-branching tree: It grew out of Craigslist scams (2009) into phishing (2015) and then tax return fraud and credit card fraud (2016). Scattered Canary started targeting unemployment aid, too. “Similar to how the group pivoted from individual victims to business targets during the previous three-year period," Agari wrote in a 2019 report, “Scattered Canary again set their sights on a new type of target in 2017 — government agencies."

A steady procession of large-scale hacks of corporations and governments over the past decade provided the raw material needed to defraud government benefit programs. What scammers call “fullz" — a suite of data ranging from a person's name and address to their Social Security number, date of birth and more — was increasingly easy to obtain. The Privacy Rights Clearinghouse, which tracks data breaches, tallied 2,229 hacks from 2010 to 2019, according to a database of such incidents. Those hacks exposed nearly 6.9 billion records.

When the pandemic seemed to threaten the foundations of the economy in March 2020, Congress responded quickly, launching the biggest expansion of unemployment insurance since the system was created amid the Great Depression. Lawmakers created three massive programs that workers could tap as states shut down to halt the spread of the deadly virus.

One program provided workers 13 additional weeks of aid once they exhausted their regular unemployment benefits. Another gave laid-off workers an extra $600 per week on top of existing benefits. A third, known as Pandemic Unemployment Assistance, funded 39 weeks of jobless benefits for workers traditionally excluded from unemployment insurance, such as self-employed “gig economy" contractors.

As of July 17, 2021, the three programs have collectively paid out about $604 billion, a total projected to reach up to $873 billion by the time the programs expire in September. That's on top of states' regular unemployment insurance plans, which paid out another $166 billion in jobless benefits between March 2020 and June 2021. That means total payments to the jobless could add up to about $1 trillion over 18 months.

Augmenting UI payments was not an unusual move for Congress — but the scale and speed were vastly different. For example, in the aftermath of the 2008 financial crisis, Congress funded an extra $25 a week on top of regular state unemployment benefits, then averaging around $300 a week. This time, Congress authorized a weekly $600 payment that was automatically added to regular UI payments, which require verification of prior income and employment.

But in its urgency to get cash to people with no work, Congress chose not to require such verification in the PUA program. It requested only self-certification of eligibility and no proof of income or identity. And successful applicants could get the extra $600 weekly payment, too.

With its loose application requirements, PUA instantly drew throngs of scammers. California state authorities have said that 95% of its confirmed fraudulent UI payments originated in PUA claims. Pennsylvania's agency estimated that nearly 84% of its PUA claims were phony.

A scroll through the thousands of messages exchanged in Telegram chat forums provides a vivid illustration of what state unemployment agencies have been up against. The forums are easy to find: Simply searching for the acronym “PUA" can lead any Telegram user to a bunch of them (even after Telegram shut 10 of them in the wake of our questions). They have proliferated since the start of the pandemic, providing bustling marketplaces for criminals looking to obtain stolen IDs, methods for filing fake jobless claims or other advice. The most common products sold on the forums — state-specific sauces for filing claims — are hawked with daily frequency.

A Telegram user who posts under the handle “VerifiedFraud" recently offered his 1,300 chat room participants a new sauce for Pennsylvania's system that he said would pay $700 a week. (VerifiedFraud also posted an earnest “new month prayer" on July 1, asking God to help his customers: “My prayer is all your sleepless night & day coming to this forum working & praying to God shall come through and Success will locate u.")

Pennsylvania said it's unable to speak to the validity of the guide. When ProPublica asked about the guide, VerifiedFraud responded with two emojis: 🙄🙄. Fifteen minutes later, he posted a message in his channel that seemed to rationalize fraud: “Virtually all these wealthy entrepreneurs you see around 90% of them started with something illegal to make enough money to run their business."

The guides available on Telegram include lengthy step-by-step directions and screenshots detailing where to input stolen information. They offer advice on how to avoid triggering anti-fraud software, such as not to fill out part of the application on one device or from one IP address, then switch to another. One guide for filing claims in New York state warns users, “Don't Copy and Paste in the text box. Type in the details while filling the text boxes. A script monitors activities like Copy&Paste to raise red flags."

When such guides outlive their usefulness, new ones quickly pop up. “New CALI SAUCE WAVE," read one of several messages posted in late June alongside a screenshot of what purported to be a successful unemployment aid application for California. The ad, offered by someone who calls himself the “King of Cali," touted a video guide and a PDF walk-through. California's Employment Development Department declined to comment.

Many of the pitches are blunt. One ad features the 2021 edition of a “Fraud Bible" for sale alongside 19 other sauces, including a guide for obtaining loans under the government's Paycheck Protection Program, another frequent fraud target. The PPP loan program ended on May 31, underscoring the risk that the people selling the Fraud Bible may not be on the up and up. (When ProPublica requested comment, the seller or sellers of the Fraud Bible responded with variations of “fuck you." The “King of Cali" responded by asking, “Are you ready to pay? I'll give you everything you need." Hours later, his profile was deleted and replaced with a warning: “Many users reported this account as a scam or a fake account. Please be careful, especially if it asks you for money.")

Concerns about fraud are rampant inside the forums — but only insofar as the users fear they could become victims of it rather than perpetrators, say, by paying for a fraud strategy that no longer works. One Telegram forum called “$CAM C3NT£R" promises a “trusted" escrow service that clears sales of sauces, stolen identities and other services to make sure participants don't rip each other off while preparing to rip the government off. (The administrator of $CAM C3NT£R told ProPublica he's just trying to stop fraud inside his channel: “lot of fake people around and I'm doing escrow to protect my people.")

To convey the success of their methods, sellers frequently post photos of wads of cash or screenshots of unemployment payments seemingly landing in their bank accounts or mobile payment apps. One user who recently advertised a Michigan sauce elegantly arranged $20 bills in the shape of the words “tap in" to encourage users to pay $200 via Bitcoin for his method, along with a screenshot of Michigan's jobless aid website and the claim that “Michigan still hittin and is payin good money." (A spokesperson for Michigan's Unemployment Insurance Agency said the state is having success stopping fraudulent payments before they're made and that “these type of messages amount to false advertising in order to elicit money from those who would steal identities.")

Social Security numbers, names and dates of birth are frequently exposed in the forums by sellers wishing to give buyers a taste of what they've got. Sometimes users post links to files of data purportedly stolen via corporate hacks. In another dark web forum called White House Market, some participants offer to create identity profiles tailored to specific states where buyers want to file jobless claims. “No guarantee in success, but all pros would be made just for you," read one such ad. The asking price was $70 per profile.

Such forums have attracted users from around the world, but user messages suggest that one country in particular appears to provide a significant set of followers: Nigeria.

That's where Abidemi Rufai was bound on the evening of May 14 when he was getting ready to board the first-class cabin of a flight at John F. Kennedy International Airport after visiting his brother in New York. Instead, he was arrested by FBI agents and charged with stealing more than $350,000 in unemployment benefits from Washington state.

Details of that indictment shed light on how federal prosecutors believe such schemes are carried out, and the sheer variety of participants they have attracted: Rufai serves as a senior special assistant to the governor of a Nigerian state.

He allegedly used stolen identities to file fake unemployment benefits in 11 states, including over 100 applications in Washington, where state auditors have tallied a total of $1.1 billion in possible imposter fraud from nearly 250,000 potentially bogus claims.

Prosecutors say Rufai filed his claims using variations on the same email, sandytangy58@gmail.com, which he modified by inserting periods in different places, like san.dyta.ngy58@gmail.com or sa.ndyt.a.ngy58@gmail.com. Servers for state unemployment agencies treat those as different email addresses, but Google disregards periods when routing messages to a gmail account. That allowed Rufai and his co-conspirators the convenience of filing in multiple states while handling all of their correspondence from one email account. It's a popular strategy: Another Nigerian national allegedly used it to claim more than $489,000 of unemployment payouts from 15 states, according to an affidavit filed in a similar case.
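The dot-variant pattern described above can be caught at intake by comparing the mailbox an address delivers to rather than the string the applicant typed. The Python below is an added example, not code from ProPublica, prosecutors or any state agency. The claim fields (claim_id, state, email) and the sample addresses are constructed, and it goes slightly beyond the article by also folding Gmail "+tag" suffixes and the googlemail.com alias.

```python
from collections import defaultdict

# Consumer Gmail domains, where periods in the local part are ignored on delivery.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address):
    """Return the mailbox an address is delivered to, for comparison only."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Drop any "+tag" suffix, then the periods Gmail disregards.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty mailbox after normalization: {address!r}")
    return f"{local}@{domain}"


def find_shared_mailboxes(claims, min_claims=2):
    """Group claims by canonical mailbox; report mailboxes reused across claims.

    `claims` is an iterable of dicts with the hypothetical keys
    claim_id, state and email. Returns (findings, rejected_claim_ids).
    """
    groups = defaultdict(list)
    rejected = []
    for claim in claims:
        try:
            groups[canonical_email(claim["email"])].append(claim)
        except ValueError:
            # Unparseable addresses are set aside for manual review, not dropped.
            rejected.append(claim["claim_id"])

    findings = []
    for mailbox, members in groups.items():
        if len(members) < min_claims:
            continue
        findings.append({
            "mailbox": mailbox,
            "claim_ids": [c["claim_id"] for c in members],
            "states": sorted({c["state"] for c in members}),
            "spellings": sorted({c["email"].strip().lower() for c in members}),
        })
    # Largest clusters first, so reviewers see the busiest mailboxes at the top.
    findings.sort(key=lambda f: (-len(f["claim_ids"]), f["mailbox"]))
    return findings, rejected


# Constructed sample records; none of these values come from a real case.
SAMPLE_CLAIMS = [
    {"claim_id": "C-1001", "state": "WA", "email": "example.claimant58@gmail.com"},
    {"claim_id": "C-1002", "state": "NY", "email": "exam.plecl.aimant58@gmail.com"},
    {"claim_id": "C-1003", "state": "PA", "email": "ExampleClaimant58+pa@googlemail.com"},
    # Periods are left alone outside Gmail, so these two stay distinct.
    {"claim_id": "C-1004", "state": "WA", "email": "other.person@example.org"},
    {"claim_id": "C-1005", "state": "TX", "email": "otherperson@example.org"},
    {"claim_id": "C-1006", "state": "MD", "email": "not-an-address"},
]

if __name__ == "__main__":
    found, bad = find_shared_mailboxes(SAMPLE_CLAIMS)
    for f in found:
        print(f["mailbox"], f["states"], f["claim_ids"])
    print("needs manual review:", bad)
```

A shared mailbox is a signal for review rather than proof of fraud, and the check only works across states if the canonical form, not the typed address, is what gets compared or shared.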

When completing unemployment benefit applications, Rufai and his co-conspirators directed states to pay benefits into Green Dot online banking accounts, one of several fintech platforms favored by criminals for their ability to quickly link debit cards with checking accounts that can be used to receive government benefit payments. In other cases, they directed payments into bank accounts controlled by “money mules," people who would receive funds and then transfer them to Rufai and his co-conspirators in exchange for a fee. (Green Dot Chief Risk Officer Philip Lerma said the company has been working with state agencies to combat fraudulent activity. “This is an ongoing process of learning and refinement across the industry," he said in a statement.)

Prosecutors said Rufai's email account contained a “staggering" amount of stolen information, including passwords to people's email accounts, security questions and answers, driver's license numbers, and bank account and routing numbers, as well as more than 1,000 stolen tax returns.

Rufai had also used his gmail account to submit claims for Federal Emergency Management Agency disaster relief in 2017, according to prosecutors, followed by fraudulent submissions to the Small Business Administration and the Internal Revenue Service. After Rufai was charged, investigators at the IRS disclosed they had been investigating the sandytangy58@gmail.com account for several years. They told prosecutors that the agency had received 652 applications for fraudulent tax refunds from “dot variants" of that email, totaling $1.6 million. Of that, about $900,000 was approved for payment.

Rufai has pleaded not guilty. His lawyer, Michael Barrows, did not respond to repeated requests for comment. Barrows wrote in a bail filing in late June that Rufai has no criminal record and that prosecutors are offering “intentionally false and/or misleading information in an effort to exaggerate the crimes alleged while tarnishing the reputation of a well-respected Nigerian government official."

Some scammers employ similar techniques on a mass scale by writing computer scripts, or bots, to automatically populate stolen identities into states' application portals. New York suffered an attack from one such bot, which was able to repeatedly navigate and complete its application process, according to a person familiar with the episode. New York's labor commissioner has said that the state is “aggressively deploying advanced resources" to fight fraud, including computer algorithms of its own.

Other fraudsters outsource such activity to human labor farms in low-wage countries, according to cybersecurity firm F5. Patterns of UI applications indicate workers in China, Brazil, Bolivia, Mexico and West African nations have been hired to input data into U.S. unemployment portals, according to Carlos Asuncion, F5's director of solutions engineering. Asuncion said job ads to do that kind of work often pop up on websites catering to “microworkers" — people who earn pennies per task for such actions as creating gmail accounts, inputting email addresses or zip codes and solving captchas (the latter for as little as five hundredths of a cent per captcha). The labor can be even cheaper, according to Asuncion, than developing and updating a computer algorithm. As he put it, “It's kind of an arms race."

State unemployment agencies, burdened by aging technologies and siloed databases that don't effectively communicate with each other, have been unable to keep up with any sort of arms race.

Federal rules require states to cross-check applicants' information against a handful of databases when determining eligibility for jobless benefits. These include a national directory of new hires, quarterly wage records submitted by employers, and an immigration database that allows states to verify applicants' citizenship status. The Labor Department also recommends that states check a database aimed at preventing claims in multiple states, as well as the Social Security Administration, prisoner records and an interstate data hub meant to help flag foreign IP addresses, suspicious email domains and applicants, according to a May 2020 compliance bulletin.

But performing all those checks requires modern technology. Many states are running their UI systems on software so obsolete that it's hard to even find anyone able to service it. North Dakota had to recruit programmers from Latvia to prop up its systems last year, since the tiny Eastern European nation is one of the few places that still teaches the software used by the state's unemployment insurance system. The clunky mainframe was “miraculously patched together, at considerable cost, to get us through the pandemic surge," the state's governor said in his December 2020 budget proposal, which sought to replace the system.

Amid the surge in claims, databases frequently froze up or slowed to a crawl, according to the Labor Department's inspector general. States also reported not having the mainframe capacity to perform cross-matches for the large volumes of claims they were getting.

The result was that many cross-checks simply didn't happen. Twenty states did not perform all the required database cross-matches, and 44 states did not perform all recommended ones, the inspector general found.

Even when states perform the checks, they can still be fooled. After all, the extent of identity theft means that criminals often input the information of a real person. Validating that the data is accurate doesn't necessarily verify whether the claim was filed by the person whose data was used. “Verification and validation are two different things," said John Pallasch, an assistant secretary of labor during the Trump administration. “That was the inherent flaw in all of this."

Violinist Philip Payton got caught on the wrong end of this after he lost his job playing in Disney's “Frozen" musical. When the pandemic shut down all Broadway performances in March 2020, word got around the orchestra that musicians could apply for unemployment insurance. By early April, Payton was receiving $504 a week plus the extra $600 authorized by Congress, his account shows. “This just helped me stay normal," he said. “I could pay my bills and pay my half of the rent."

But things changed in mid-September when the weekly payments suddenly stopped. He called New York's Department of Labor and was told, he said, that he had a claim in another state. The agent didn't tell him which state. A follow-up conversation in October ended the same way.

Many have shared Payton's plight. In 2020, consumers filed nearly 400,000 complaints claiming their identities were stolen and used to claim government benefits. That was up more than 2,900% from about 13,000 such complaints in 2019, according to Federal Trade Commission data.

Unsure what to do, Payton kept calling until he finally got through to someone who told him the other claim was in Texas. Payton called the Texas Workforce Commission's fraud line, but couldn't get through to anyone.

By then, it was January and Payton was beginning to run low on cash. He kept calling and leaving messages but couldn't get a call back. Eventually, through a chain of contacts, Payton reached an agent at the Texas commission, who told him he was listed as having filed claims in multiple states. The agent told him to call New York's labor department to get his benefits restarted.

That prompted yet another round of phone calls. It was now early April. Payton had drained his savings and was falling behind on rent. Sometimes he'd spend three to four hours a day on hold while practicing violin or browsing job ads on the internet. He also started contacting organizations he thought might be able to help. Eventually, he connected with a paralegal at the Legal Aid Society, who sent an email to two New York labor department officials asking to expedite his case.

A day later, after eight months of missed payments and little work, Payton's unemployment benefits finally restarted (and covered the earlier missed payments). But the experience shook his faith in the program. “There just has to be a better system," Payton said.

The state unemployment agencies in New York and Texas both declined to comment on Payton's situation, citing privacy restrictions. But Bernsen, the spokesperson for the Texas Workforce Commission, said in a statement that the state generally blocks suspicious claims by placing a “fraud block" on them. “This becomes a problem when the legitimate person needs to access those funds." He added, “Fundamentally, the system is trying to do two things simultaneously that are at odds with one another: ensure quick payments to individuals and prevent fraud."

Of the two issues, fraud prevention is now much more on the minds of officials in Washington. Gene Sperling, President Biden's top official in charge of the pandemic response, said the issue goes beyond just unemployment insurance. The deluge of fraudulent claims has slowed as the surge in federal aid draws to a close, but he sees the proliferation of identity theft for government benefits as the larger threat. “It's always a bad thing when somebody cheats and gets a few thousand dollars by doing this or that," Sperling told ProPublica. “But we seem to be seeing something much larger and systemic."

Sperling said the White House asked federal agencies to provide preliminary recommendations by mid-July on what the government can do to prevent criminal syndicates from using stolen identities to access government aid, whether unemployment benefits, small business loans or disaster aid given out by FEMA.

One idea that's already being implemented is improving the Labor Department inspector general's access to states' unemployment compensation data, so that federal watchdogs can analyze claims for fraud in real time instead of individually subpoenaing states for the data.

The administration is also planning to spend $2 billion to modernize states' unemployment insurance programs and strengthen them against fraud. The Labor Department is still figuring out how to allocate the funds, which were appropriated under the $1.9 trillion coronavirus stimulus bill enacted in March. One approach under consideration involves having the federal government develop centralized technology to help the 53 states and territories manage their jobless aid programs, instead of having them all fend for themselves and scramble to implement changes during crises.

Recent increases in funding to bolster fraud detection have also been a boon for ID.me, a company that has been hired by 27 states since mid-2020 and recently won a $1 billion federal contract to provide its services to more states. ID.me verifies that claimants are who they say they are by having them take selfies or asking them to appear on video and checking to make sure their faces match the photos on identity documents used to apply for benefits.

ID.me's chief executive, Blake Hall, made headlines last month when he told Axios that he thinks taxpayers' losses from UI fraud will top $400 billion. Hall defends that estimate, which some commentators criticized as wildly inflated. Hall based the figure on the precipitous drop-offs in new claim applications that states have experienced after implementing ID.me verification. In New York, for instance, state data confirms that new claims for PUA fell by 89% after ID.me went live in late March. And more than 50% of people who have already filed for UI benefits don't even try to confirm their identities when asked to do so, according to Hall, who cited data from five states the company has worked with.

Fraudsters are trying to adapt. Telegram forums have lit up with offers of sauces and software that sellers claim can bypass ID.me. Hall said his firm monitors such ads and maintained that he has yet to find any that work. “There is no bypass," he asserted.

That may be true today. But, as one recent post on a dark web marketplace noted, “The fraud business is an ever-changing type of business, meaning methods are constantly being updated because of new security implementations on the market."

'Don't you work with old people?' Many elder-care workers still refuse to get COVID-19 vaccine


They are two sisters in two states. Both are dedicated health care professionals who watched in horror as COVID-19 swept through the nation's nursing homes, killing a staggering number of residents and staff alike.

One sister is now vaccinated. The other is not.

“Dude. Get vaccinated!" Heidi Lucas texted her sister Ashley in May from her home in Jefferson City, Missouri.

“Nope lol," Ashley Lucas texted back from Orbisonia, Pennsylvania.

“Don't you work with old people?"

“Yeah"

“What if you killed one of them? Get vaccinated," Heidi wrote.

Neither sister is budging as the Delta variant brings a new spike in coronavirus numbers across the nation.

Their divide mirrors America's larger one, where the vaccine to combat COVID-19 is eagerly embraced by some, yet eyed with suspicion and rejected by others.

It is the refusal group, including a significant percentage who work in the nation's nursing homes, that has confounded and alarmed health care officials who are at a loss as to how to sway them.

Nursing homes faced a shocking mortality rate during the pandemic. In the U.S., COVID-19 killed more than 133,000 residents and nearly 2,000 staff members between May 31, 2020 and this July 4, according to Centers for Medicare & Medicaid Services reports. The true toll is thought to be even higher as data gathering lagged in the early months of the crisis, health experts say.

Working in a nursing home became one of the “most dangerous jobs" in America in 2020, according to an analysis of work-related deaths by Scientific American.

Yet seven months after the first vaccines became available to medical professionals, only 59% of staff at the nation's nursing homes and other long-term care facilities are fully or partially vaccinated — with eight states reporting an average rate of less than half, according to CMS data updated last week.

Twenty-three individual facilities had vaccination rates of under 1%, the data showed.

Staff vaccinations have lagged even as the overall rate for residents climbed to 83%, according to the CMS data.

The strong vaccination percentage among nursing home residents is credited, in part, to an early campaign to bring the vaccine directly to facilities. That suggests availability is not necessarily the issue behind staff going without.

So, what is?

The question defies easy answers. Vaccine refusal is regional and often aligns not only with individuals' political alignment but also with their preferred news sources and which social media they follow.

Last week, President Joe Biden took aim at Facebook and other social media giants for failing to police vaccine misinformation that amplifies conspiracy theories and discourages people from getting vaccinated. “They're killing people," he said, directly blaming the platforms. On Monday, he recast the accusation to say it was specific individuals posting dangerous information who are culpable.

On Tuesday, U.S. Sen. Mitch McConnell, R-Ky., pleaded to “anyone out there willing to listen: Get vaccinated." While not mentioning skeptics specifically — including those in his own party — the Republican leader urged the unvaccinated to ignore “demonstrably bad advice."

COVID-19 cases are now surging in every state, with new hospitalizations and deaths almost entirely occurring among the unvaccinated. “This is becoming a pandemic of the unvaccinated," Centers for Disease Control and Prevention Director Rochelle Walensky warned last week during a White House briefing.

In May, CMS began requiring weekly reports on vaccinations of residents and staff at nursing homes and other long-term care facilities. The emerging data confirms many health care experts' worst fears, especially for Southern states.

Louisiana has the lowest statewide average: Just 44.5% of the staff at its long-term care facilities have been at least partially vaccinated, according to CMS data released last week.

Florida, the second lowest-vaccinated state, had a rate of just under 46% among its nursing home and long-term care staff, with Missouri, Oklahoma, Tennessee, Georgia, Mississippi and Wyoming all showing rates of less than 50 percent, according to the data.

Vaccination rates in assisted living facilities are not included in the data.

A separate American Association of Retired Persons analysis, released last week, showed that only one in five of the nation's more than 15,000 nursing homes were able to hit a goal, set by two industry trade groups, of vaccinating 75% of their staff by the end of June.

While cases in nursing homes have recently slowed, and most of the new COVID-19 infections are among younger people, some experts still worry about a return to darker days.

The CDC recently launched an investigation into deaths of residents at several western Colorado senior facilities possibly linked to unvaccinated staff, the Associated Press reported Wednesday.

“We need to sound the alarm," said Susan Reinhard, senior vice president of AARP and director of its Public Policy Institute. “Nursing homes were devastated by COVID-19, and many residents remain highly vulnerable to the virus."

Nationally, more than 89% of people 65 or older have received at least partial vaccination, the CDC reported this week. Still, public health experts have warned that even if fully vaccinated, the elderly may be vulnerable to “breakthrough" coronavirus infection because of compromised immune systems and other underlying health problems.

In Missouri's southern region, the overall rate of full vaccination in some rural counties is less than 20%, according to state health department and CDC tracking. The latest surge of the delta variant has turned the area into a “tinderbox," Steven Edwards, CEO of the CoxHealth hospital system in Springfield, recently told reporters.

On Thursday, 160 patients were being treated for COVID-19 at CoxHealth, a spokesperson told ProPublica. On May 14, there were 18.

Heidi Lucas directs the Missouri Nurses Association. She is pro-vaccine and has been pushing hard for nurses to get vaccinated, especially those on the front lines of patient care.

Lucas said it is impossible to separate the lack of vaccination among staff from the lack of vaccinations in individual communities. “Nurses are people too," she said. “They are on social media and are inundated with false information. How do you fight it?"

Her sister, Ashley Lucas, lives 900 miles away in Orbisonia, a small town of around 500 people about an hour south of State College. She's a traveling certified nursing assistant at area nursing homes and chose to skip the vaccine.

Her fiance and her children, ages 12 and 13, are also unvaccinated. “I don't consider myself an anti-vaxxer," she told ProPublica, bristling that some might see her as reckless or ill-informed.

Instead, she said her decision was carefully considered. It never made sense to her, she said, that the virus seemed to strike randomly, with some residents getting sick while others did not. She said she is not convinced the vaccine would change the odds.

She's also concerned after hearing that the vaccine could interfere with fertility — a contention that has been deemed false by the Centers for Disease Control and Prevention and the World Health Organization. It all leads her to believe more research is needed into the vaccines' long-term effects.

“This is just a personal choice and I feel it should be a free choice," she said. “I think it's been forced on us way too much."

Certified nursing assistants make up the largest group of employees working in nursing homes and other long-term care facilities, providing roughly 90 percent of direct patient care. They are typically overworked and underpaid, most earning about $13 per hour and receiving no paid sick leave or other benefits, said Lori Porter, co-founder and CEO of the National Association of Health Care Assistants.

Porter said she is not completely surprised by the low vaccination rate. It comes down to trust, she said, both of the vaccines and of facility administrators who now say staff must get vaccinated. Refusal may feel like empowerment. “It's the first time ever they have had the ball in their court," Porter said.

On March 31, Houston Methodist Hospital mandated that all of its 26,000 employees be vaccinated by June 7 or lose their jobs. Jennifer Bridges, a nurse, sued along with 116 other employees, claiming the health care system had overstepped its rights and that she and the others refused to be “human guinea pigs," evoking the Nuremberg Code, a set of ethical standards established in response to Nazi medical experimentation in concentration camps.

On June 12, U.S. District Judge Lynn N. Hughes dismissed the closely watched case, taking offense to likening the vaccine to the Holocaust, which he called “reprehensible." Ten days later, 153 Houston Methodist employees either were fired or quit after refusing the vaccine. The judge's ruling has been appealed.

A handful of long-term care chains have similarly sought to mandate worker vaccines, but such action is far from widespread in the industry. One sticking point has been whether vaccination can legally be required, since all three available vaccines have only emergency use authorization, not full approval from the U.S. Food and Drug Administration.

The thornier issue, though, is whether the facilities can risk losing staff when they're already short-handed. Many workers have vowed to quit rather than be forced into vaccinations.

Aegis Living, a long-term senior care provider in three Western states, made vaccines mandatory for its roughly 2,600 employees on July 1. Dwayne Clark, founder and CEO, said initially 400 employees refused but when the deadline arrived, only about 100 left rather than be vaccinated.

“We lost some staff that we didn't want to lose," Clark told ProPublica, “but it felt like the right moral protocol to impose."

Recently the U.S. Equal Employment Opportunity Commission issued guidelines stating that employers can require workers to be vaccinated as long as medical or religious exemptions are permitted.

“Nursing home workers certainly have the right to make decisions about their own health and welfare, but they don't have the right to place vulnerable residents at risk," said Lawrence Gostin, a health law professor at Georgetown University. “Nursing homes don't just have the power to require vaccinations, they have the duty."

Still, the issue is far from resolved.

“America is a highly litigious country," Gostin said, “I expect the courts to consistently uphold nursing home mandates, because they are entirely lawful and justified. But there will likely be lawsuits at least until it is quite clear they are futile."

Diane Peters is a registered nurse in the Chicago suburbs who last year worked at a nursing home and is now working at a senior rehabilitation center. She does not trust the science behind the vaccine and is unvaccinated. So is her fiance.

Everything about the rollout felt like propaganda, she said. Development was too rushed. Clinical trials typically take years, she said, not months. “I don't think it's safe right now, it needs more time," she said she tells patients if they ask.

Most don't, she said. Neither do her co-workers. She has only been asked once by her employer if she was vaccinated, she said, declining to name the company.

Peters guesses about 40 percent of her colleagues are also unvaccinated, but said no one likes to talk about it because the divide surrounding the vaccine is “surreal." Staff members are tested regularly and are required to wear masks, she said.

She is doubtful mandates would stick. “They can threaten," she said, “but a lot of nurses would walk."

She trusts her instincts and her own research for now. When asked what would change her mind, she had one word: “Nothing."

State Rep. Bill Kidd joked that he didn't get a vaccine because he’s a Republican — now he has COVID

This story was originally published by ProPublica, a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

Amid the current surge in COVID-19 cases in Missouri, a recent Facebook conversation between two Republican state lawmakers is telling.

Around Independence Day, State Rep. Bill Kidd, from the Kansas City suburbs, revealed that he has been infected by the coronavirus.

“And no, we didn't get the vaccine," he wrote in a post that has since been deleted. “We're Republicans 😆"

State Rep. Brian Seitz, a Republican from Taney County, home to the tourist destination of Branson, commented on the post by falsely claiming that the virus had been developed by top government scientist Anthony Fauci and billionaire Microsoft founder Bill Gates. They “knew what was coming," Seitz wrote.

“The jury is still out on the 'vaccine' (who knows what's in that)," he wrote.

As the number of coronavirus infections rises around the country, lawmakers like Kidd and Seitz have adopted responses that trouble many health officials. In Tennessee, Republican legislators threatened to shut down the state health department, saying it was targeting minors for mass vaccinations without the consent of parents. In Ohio, lawmakers allowed a doctor to testify at a legislative hearing last month that coronavirus vaccines could leave people magnetized (they can't). During a hearing in the Montana Senate, a senator said he had read articles about “putting a chip in the vaccine." (There are no chips in vaccines.)

Just as with his insistence that he won the election, former president Donald Trump's attitudes about COVID-19 hold great sway with his supporters. Trump routinely bashed Fauci and infectious disease experts throughout the pandemic and questioned the severity of the coronavirus.

He also strongly carried Missouri's southwest corner in the November election. While Trump beat Joe Biden by 15.4 percentage points statewide, in rural Taney County, the margin was 57.8 points.

Those supporters now tend to oppose efforts to get everyone vaccinated, believing they are being led by Democrats, said Ken Warren, a professor of political science at Saint Louis University who tracks state and local politics. “It's a sad reality," he said. “We can't get together on anything, even fighting COVID."

Such attitudes are accelerating an anti-vaccine sentiment that has run strong in the state legislature for years, particularly with lawmakers from the area of Missouri now facing increased infection rates. In 2018, Republican state Rep. Lynn Morris, a pharmacist from southwest Missouri, pushed a proposal to prohibit discrimination against unvaccinated children. Public school children are required to be vaccinated against several diseases, but families can claim a medical or religious exemption. The Legislature took up a similar proposal in 2019. Each failed.

Late last year, state Rep. Suzie Pollock, a Republican from south-central Missouri, proposed a bill to prohibit discrimination against people who choose not to be vaccinated against the coronavirus. She claimed the vaccine against the virus had “been rushed" and that its efficacy was “in question," myths that have been relentlessly amplified by right-wing media.

The bill did not advance, but Gov. Mike Parson signed into law a related bill blocking local governments from requiring proof of coronavirus vaccination for people seeking to access transportation systems or other public services.

It's not enough for some. “Now people are pushing back even against the idea of private employers like hospitals and health care providers telling their employees you have to be vaccinated," said state Rep. Shamed Dogan, a Republican from the St. Louis suburbs. “I think that some of the legitimate concerns of government overreach have turned into this broader resistance to any vaccination, which is something I don't agree with."

Late in this year's legislative session, Pollock pushed a proposal that would allow more parents to opt out of vaccinating their children against diseases including polio, measles and mumps. Pollock insisted she was not against vaccines, but said that people should have the freedom to choose. The House Elementary and Secondary Education Committee voted 10-6 in favor of the bill.

The full House defeated it on April 28 in a 79-67 vote.

“There is a tremendous skepticism about the good that government can do," said Dan Ponder, a political science professor at Drury University in Springfield and director of the Meador Center for Politics & Citizenship there.

Ponder said many residents of southwest Missouri question the motives behind the policies that governments are pushing and show “a tremendous skepticism about information." He added, “People don't believe the vaccines are working. People don't believe the federal government isn't going to come down here and … basically strong-arm them into taking a vaccine."

Indeed, when the Centers for Disease Control and Prevention deployed a two-person “surge response" team to southwest Missouri this month to combat an outbreak attributed to the dangerous delta variant, both Parson and U.S. Rep. Jason Smith, from south-central Missouri, tweeted opposition to federal agents going door to door to compel vaccines, something President Joe Biden's administration said it never had any intent to do.

On Sunday, Springfield Mayor Ken McClure told CBS' Face the Nation that his community was “being hurt" by rampant vaccine misinformation. He said people were sharing “health-related fears, what it might do to them later on in their lives, what might be contained in the vaccinations. And that information is just incorrect."

Taney County is near the heart of the surge of the delta variant, which health officials say spreads more easily than earlier versions of the virus. The county is leading the state with the highest rate of coronavirus cases over the past seven days, according to Missouri health department data. Surrounding counties have similarly high rates, raising alarms for federal health officials.

Despite the spike, just 28% of Taney County's residents are fully vaccinated, below the state average of 40%.

Seitz, who once owned a newspaper that promoted Branson's entertainment industry, boasted in an interview that the Ozark tourist town was doing gangbuster business after a year of being mostly shut down.

“There were 27,000 people at our July 3 celebration," he said, noting that he attended with U.S. Rep. Billy Long and “he said something like, 'I'm so glad to see there are very few chin diapers in the crowd.' The roar was huge … we're so happy not to be forced by government to either wear a mask or take a vaccine."

Seitz said he had no business telling his constituents how to live. The media has shifted its focus from deaths to the raw numbers of cases, he said, glossing over that most people who catch the virus don't die. While 600,000 American deaths have been attributed to COVID-19, Seitz questioned whether people were dying from the disease or from existing health problems: “If a person is grossly overweight and caught a very virulent virus, did they die because they were in very ill health or did they die because of the virus?"

Seitz falsely claimed that COVID vaccines have not been tested and are unsafe. He backed down on his comment about Fauci on Kidd's Facebook post, acknowledging that the virology expert did not create the coronavirus but asserting that he had been engaged for years in experiments to make viruses more dangerous or transmissible. Fauci has insisted the U.S. government did not participate in experiments that could have caused the pandemic.

Seitz said he had nothing against people who take the vaccine or wear masks. It's their choice, he said. He said it wasn't his job to keep people safe, but to keep people free.

“I haven't had the flu even since 1994," he said. “Why would I take a vaccine? ... My life was normal for the past year, very few instances of wearing a mask, and so forth, and I'm just fine."

Betsy Fogle, who recently completed her first session as a Democratic state representative from Springfield, said it was “fascinating kind of watching the narrative and the rhetoric" in the state capital of Jefferson City surrounding COVID-19, “and then watching it all get politicized and polarized. And then seeing that real-life impact that has on our neighbors back in Springfield when our hospitals are full and our hospital CEOs are begging people to get vaccinated and people just aren't doing it."

She said there was a mentality among Republican leaders “that COVID is a hoax, or that vaccines are a hoax, and that trickles down."

She said she has several constituents who didn't get vaccinated “because they think that this is a joke, and then these people reach out a month later to say, 'I'm sorry I didn't listen.'"

Kidd, the Republican from the Kansas City area, posted almost two weeks after his initial Facebook post that he was seeking prayers because he was “having a difficult time with COVID" and “really sick." Kidd posted again on Thursday that he was “doing better" after the virus “kicked my butt." He did not respond to a message from a reporter.

Fogle said she hoped Kidd recovered, “but that's the frustrating part about it, is that our hospitals, our doctors, our people who are in charge of making these decisions are telling us how severe it is, and we refuse to accept that severity."

She said she makes daily calls to everyone she knows who isn't vaccinated “and what I hear is, 'No, it's my right, it's my body, it's my choice, like, stop bringing this up.' And it's hard to win those arguments."

Campaign to rein in mega IRA tax shelters gains steam in Congress


Series: The Secret IRS Files

Inside the Tax Records of the .001%

Two members of Congress who have long been responsible for shaping federal laws on retirement savings are considering major reforms after ProPublica exposed how the ultrawealthy are turning retirement accounts into gargantuan tax shelters.

Rep. Richard Neal, the Massachusetts Democrat who chairs the powerful House Ways and Means Committee, told ProPublica that he has directed the committee to draft a bill that “will stop IRAs from being exploited."

The committee is considering “limiting the total amount of money that can be saved in tax-preferred retirement accounts," Neal said in a written statement.

“Incentives in our tax code that help Americans save for retirement were never intended to enable a tax shelter for the ultra-wealthy," Neal said. “We must shut down these practices."

In addition, Sen. Ben Cardin, a Maryland Democrat who has co-authored a series of changes to retirement savings laws in the past decade, is also in favor of reforms that his spokesperson said would “prevent the type of massive abuses exemplified by the ultra-wealthy."

But provisions lurking deep in unrelated legislation currently wending its way through Congress could undermine those efforts.

In its June 24 story, ProPublica detailed that one technique investors have used to sock hundreds of millions of dollars — even billions — away in their IRAs is to fill the accounts with bargain-basement shares in companies that are not publicly traded, so they have no clear valuation. Then, when the companies go public or are sold, their accounts explode in value — with all of the gains tax-free.

Cardin's spokesperson told ProPublica that the senator now supports banning such transactions, which would be one of the biggest reforms in decades to the rules governing the accounts. The Internal Revenue Service recommended a similar change more than a decade ago. Congressional investigators wrote that an IRS team in 2009 had suggested “limiting the types of investments IRAs can make to publicly traded or otherwise marketable securities with a readily ascertainable fair market value."

Cardin is “considering reforms, such as banning the use of IRAs to purchase nonpublic investments," calling it “a good starting point while protecting IRAs for every day Americans to save for their retirement," his spokesperson wrote in an email.

The growing interest in changing the system gives momentum to the plans of Oregon Sen. Ron Wyden, chair of the Senate Finance Committee, who last month declared that he was eyeing a similar crackdown on giant IRAs.

Wyden's move came after ProPublica detailed how the Roth IRA, a ho-hum retirement account designed to help the middle class save for retirement, had been hijacked by the ultrawealthy, who used it to create gigantic onshore tax shelters. Tax records obtained by ProPublica revealed that Peter Thiel, a co-founder of PayPal and an early investor in Facebook, had a Roth IRA worth $5 billion as of 2019. As long as Thiel waits until he is six months shy of his 60th birthday, he will be able to withdraw his fortune tax-free.

Thiel made an end run around the strict limit on what can be put into a Roth IRA by purchasing so-called founders' shares of PayPal in 1999 when he was chairman and CEO of that company, according to tax records and a financial statement Thiel included in his application for citizenship in New Zealand. Securities and Exchange Commission records show Thiel bought 1.7 million shares for $1,700 — a price of a tenth of a penny per share. PayPal later told the SEC that the shares were among those sold at “below fair value."

When PayPal took off and Thiel's shares ballooned in value, he sold them and used the proceeds — still within his Roth — to invest in other startups, including Facebook, long before they went public, according to court records and Thiel's financial statement filed in New Zealand. He never had to make another contribution to his Roth again. The account's stratospheric growth all stemmed from a private stock deal available only to a handful of people.

This is the type of nonpublic IRA investment that Cardin is considering banning. A spokesperson for Thiel did not respond to requests for comment.

But this new appetite for reining in the accounts may be too late to slow contrary bipartisan legislation already rolling through Congress. Buried deep inside two complex and sweeping bills — each more than 140 pages long — are provisions that could make it harder for the IRS to crack down on the ultrawealthy who dodge tax rules.

Those bills, paradoxically, are co-sponsored by Cardin and Neal, two of the lawmakers who are now calling for reining in giant retirement accounts.

The House and Senate bills were introduced before ProPublica launched its ongoing series last month exposing how the country's richest citizens sidestep the nation's income tax system. ProPublica has obtained IRS tax return data on thousands of the wealthiest people in the U.S., covering more than 15 years, allowing it to conduct an unprecedented examination of how the ultrawealthy employ tricks to avoid taxes in ways that most Americans cannot.

The bills are being pitched as helping ordinary Americans save for retirement, including automatic enrollment of workers in employer-sponsored retirement plans. But they also include perks for retirement and financial industries, such as relaxing certain rules in ways that are seen as a boon for insurers.

Deciphering the handouts is nearly impossible without a background in the intricacies of retirement plan tax laws and the help of experts. The bills hide critical changes in language most laypeople would never understand. For instance, a key piece of the Senate bill reads, “Paragraph (2) of subsection (e) of section 408 is repealed." But the scope of that change only makes sense when layered with this: “Section 4975(c)(3) is amended by striking 'the account ceases to be an individual retirement account by reason of the application of section 408(e)(2)(A) or if'."

ProPublica had to reverse-engineer the meaning of that series of numbers and letters to determine that it would take away one of the most potent weapons in the IRS' arsenal: the ability to strip an entire IRA of its tax-favored status.

Complicated IRS and Department of Labor rules prohibit IRA investments that involve conflicts of interest or self-dealing. That can be a particular concern with nontraditional IRA investments, such as purchases of real estate or of shares of companies that are not publicly traded. Under the current law, if the IRS determines that a retirement account has engaged in a prohibited transaction, the agency can blow up the entire account — an event that Warren Baker, a tax attorney whose practice focuses on IRAs, likens to “Armageddon." The whole account then ceases to be an IRA, and the owner has to pay income taxes on it.

The two bills propose defusing that bomb. In the House bill, the tax benefits would only be stripped from the part of the account involved in the forbidden transaction. The Senate bill would loosen the rules even more, applying a 15% excise tax on the part of the account involved in the prohibited transaction without blowing up the account. A spokesperson for Cardin said, “The penalty jumps to 100% if not corrected in a timely manner."

Still, someone who violates the rules suddenly would have a “massive long-term upside benefit" of tax-free growth, Baker said, while “your downside risk is a penalty that is smaller than the capital gains rates," the federal tax on the income that's generated when stocks or other assets are sold.

Bob Lord, a tax attorney and tax counsel to Americans for Tax Fairness, said he has represented clients who settled Roth IRA cases because the threat of losing the tax benefits of their entire accounts was “leverage the IRS had." He was stunned when he read the bills and saw that power stripped from the IRS.

“These changes will lead to more aggressive transactions that lodge greater wealth in Roth IRAs, with less risk if the IRS audits," Lord said.

The proposed Senate bill, experts say, makes another concession to IRA owners who might be tempted to dodge the rules. Under current law, an IRA account holder who violates rules is never totally in the clear. That's because the current statute of limitations for violations is a bit of a gray area, experts say. The IRS “could virtually go back indefinitely," said Jeffrey Levine, a CPA and chief planning officer at Buckingham Wealth Partners.

The Senate bill proposes stopping the clock at three years. Yet, it can take more than three years for some nontraditional investments to balloon. If the IRS were to discover something amiss, under the bill's proposed statute of limitations it would be too late to act.

“For the little guy this makes all the sense in the world," Levine said. But for the ultrawealthy with huge accounts and squadrons of lawyers, he said, the changes could incentivize bad behavior. “Someone with all the resources in the world could say, 'I'll do this now that my risk-reward calculation is different and I'm looking at getting through three years and then I'm kind of home free.' That, you know, is a real boon for those who want to take advantage of the system."

The House bill is co-sponsored by Neal and Rep. Kevin Brady, a Texas Republican, and the Senate bill is co-sponsored by Cardin and Sen. Rob Portman, an Ohio Republican.

A spokesperson for Portman defended the legislation, which she said was “borne out of contact from our constituents — including innocent middle class savers who had their retirements wrecked by innocent and minor errors." ProPublica asked aides to Portman and Cardin for examples, but neither provided any. A Cardin spokesperson wrote in an email that “there usually is not litigation when this happens, and non-public examples are confidential taxpayer information."

In a joint statement, the offices of Portman and Cardin defended the Senate bill, saying it would help small businesses offer 401(k) retirement plans, expand access to savings for low-income Americans and “allow people who have saved too little to set more aside for retirement." The new legislation, they added, included measures to prevent Americans from inadvertently losing their IRAs while “implementing safeguards to prevent abuse."

Brady's communications director asked for questions in writing, then did not respond.

A staffer with Neal's Ways and Means Committee said the House bill had broad support and touted many provisions, including the automatic enrollment of employees in retirement plans, a national lost-and-found to locate retirement plans from prior jobs and a requirement that employers let certain long-term, part-time workers enroll in 401(k) plans.

The House bill, she noted, doesn't repeal the prohibited transaction rules; it limits the impact to the inappropriate purchase. She described Neal as “very committed to maintaining these important rules and believes that full sanctions should apply when violated."

How China spreads its propaganda version of life for Uyghurs

by Jeff Kao, ProPublica, and Raymond Zhong, Paul Mozur and Aaron Krolik, The New York Times
Recently, the owner of a small store in western China came across some remarks by Mike Pompeo, the former U.S. secretary of state. What he heard made him angry.

A worker in a textile company had the same reaction. So did a retiree in her 80s. And a taxi driver.

Pompeo had routinely accused China of committing human rights abuses in the Xinjiang region, and these four people made videos to express their outrage. They did so in oddly similar ways.

“Pompeo said that we Uyghurs are locked up and have no freedom," the store owner said.

“There's nothing like that at all in our Xinjiang," said the taxi driver.

“We are very free," the retiree said.

“We are very free now," the store owner said.

“We are very, very free here," the taxi driver said.

“Our lives are very happy and very free now," the textile company worker said.

These and thousands of other videos are meant to look like unfiltered glimpses of life in Xinjiang, the western Chinese region where the Communist Party has carried out repressive policies against Uyghurs and other predominantly Muslim ethnic minorities.

Most of the clips carry no logos or other signs that they are official propaganda.

But taken together, the videos begin to reveal clues of broader coordination — such as the English subtitles in clips posted to YouTube and other Western platforms.

A monthslong analysis of more than 3,000 of the videos by ProPublica and The New York Times found evidence of an influence campaign orchestrated by the Chinese government.

The operation has produced and spread thousands of videos in which Chinese citizens deny abuses against their own communities and scold foreign officials and multinational corporations who dare question the Chinese government's human rights record in Xinjiang.

It all amounts to one of China's most elaborate efforts to shape global opinion.

Beijing is trying to use savvier and more forceful methods to broadcast its political messages to a worldwide audience. And Western internet platforms like Twitter and YouTube are playing a key part.

Many of these videos of people in Xinjiang first appeared on a regional Communist Party news app. Then they showed up on YouTube and other global sites, with English subtitles added. (The excerpts of dialogue in this article are translated from the original spoken Chinese or Uyghur by ProPublica and The Times. They are not taken from the English subtitles in the original videos.)

On Twitter, a network of connected accounts shared the videos in ways that seemed designed to avoid the platform's systems for detecting influence campaigns.

China's increasingly social-media-fluent diplomats and state-run news outlets have since spread the testimonials to audiences of millions worldwide.

Western platforms like Twitter and YouTube are banned in China out of fear they might be used to spread political messaging — which is exactly how Chinese officials are using these platforms in the rest of the world.

They are, in essence, high-speed propaganda pipelines for Beijing. In just a few days, videos establishing the Communist Party's version of reality can be shot, edited and amplified across the global internet.

How the Videos Work

The dialogue in hundreds of the Xinjiang videos contains strikingly similar, and often identical, phrases and structures.

Most videos are in Chinese or Uyghur and follow the same basic script. The subject introduces themselves, then explains how their own happy, prosperous life means there couldn't possibly be repressive policies in Xinjiang.

Here's a typical clip, shot as a selfie.

A four-character Chinese phrase meaning “born and raised" appears in more than 280 of the more than 2,000 videos attacking Pompeo that ProPublica and the Times found on YouTube and Twitter.

The people in more than 1,000 of the videos say they have recently come across Pompeo's remarks, most of them “on the internet" or on specific platforms such as Douyin, the Chinese version of TikTok.

An expression meaning “complete nonsense" and close variations of it appear in more than 600 of the videos.

Establishing that government officials had a hand in making these testimonials is sometimes just a matter of asking.

In one clip, the owner of a used car dealership in Xinjiang says: “Pompeo, shut your mouth."

When reached by phone, the man said local propaganda authorities had produced the clip. When asked for details, he gave the number of an official he called Mr. He, saying, “Why don't you ask the head of the propaganda department?"

Multiple calls to Mr. He's number were not answered. Seven other people in the videos whose contact information could be found either declined to be interviewed or couldn't be reached. (The name of the car dealership's owner is being withheld to protect him from retribution by Chinese officials.)

In another sign of government coordination, language in the videos echoes written denunciations of Pompeo that Chinese state agencies issued around the same time.

Beginning in late January, government workers across Xinjiang held meetings to “speak out and show the sword" against “Pompeo's anti-China lies," according to statements on official websites.

The clips' effectiveness as propaganda comes in part because they will probably be most people's only glimpse into Xinjiang, a remote desert region closer to Kabul than to Beijing.

The Chinese authorities have thwarted efforts by journalists and others to gain unfettered access to the indoctrination camps where hundreds of thousands of Muslims have been sent for reeducation.

On government-led tours of the region, foreign diplomats and reporters have been allowed to speak with locals only under Chinese officials' watchful eyes, often in settings that seem staged and scripted.

For Western platforms hosting the Xinjiang testimonials, the fact that they are not immediately obvious as state propaganda poses a challenge.

To promote transparency, sites like YouTube and Twitter label accounts and posts that are associated with governments. The Xinjiang videos, however, carry no such tags.

YouTube said the clips did not violate its community guidelines. Twitter declined to comment on the videos, adding that it routinely releases data on campaigns that it can “reliably attribute to state-linked activity."

How the Videos Spread

The video campaign started this year after the State Department declared on Jan. 19, the final full day of the Trump presidency, that China was committing genocide in Xinjiang.

“I've referred to this over time as the stain of the century — it is truly that," Pompeo said.

Within days, videos criticizing Pompeo began appearing on an app called Pomegranate Cloud, which is owned by the regional arm of the official Communist Party newspaper, People's Daily. The name of the app is a reference to a propaganda slogan that calls on people of all ethnic groups in China to be as closely united as pomegranate seeds.

From there, the videos often jumped onto other Chinese platforms before making their way onto global social media sites like Twitter and YouTube.

On Twitter, ProPublica and The Times found, the clips were shared by more than 300 accounts whose posts strongly suggested they were no ordinary users. The accounts often posted messages that were identical but for a random string of characters at the end with no obvious meaning, either four Roman letters, five Chinese characters or three symbols such as percentage signs or parentheses.

Such strings were found in about three-quarters of the accounts' tweets. They caused the text of the posts to vary slightly, in an apparent attempt to bypass Twitter's automated anti-spam filters.

There were other signs that the Twitter accounts were part of a coordinated operation.

All of the accounts had been registered only in recent months. Many of them followed zero other users. Nearly all had fewer than five followers. The bulk of their tweeting took place between 10 a.m. and 8 p.m. Beijing time.

The text of several of the accounts' tweets contained traces of computer code, indicating that they had been posted, sloppily, by software.

Twitter suspended many of these accounts in March and April, before ProPublica and The Times inquired about them. Twitter said the accounts had violated its policies against platform manipulation and spam.

The accounts did not upload Xinjiang clips directly to Twitter. Rather, they tweeted links to videos on YouTube or retweeted videos that had been originally posted by other Twitter accounts.

Those YouTube and Twitter accounts often posted copies of the same Xinjiang videos at roughly the same time, according to analysis by ProPublica and The Times. Nearly three-quarters of the copied clips were posted by different accounts within 30 minutes of one another. This suggests the posts were coordinated, even though the accounts had no obvious connection.

Most of these accounts — seven on Twitter and nearly two dozen on YouTube — posted dozens of videos that originally appeared on Pomegranate Cloud. The accounts seem to have served solely as warehouses to store the clips, making it easier for other accounts in the network to share them.
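The two signals described above, posts that are identical except for a short trailing string and copies posted by different accounts within 30 minutes of one another, can be checked mechanically. The following is an added example, not code from the ProPublica and Times analysis; the sample posts, account names, the whitespace-separated suffix format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Trailing filler as described in the article: four Roman letters, five Chinese
# characters, or three symbols. Assumption: it is separated from the message
# body by whitespace.
SUFFIX_RE = re.compile(r"\s+([A-Za-z]{4}|[\u4e00-\u9fff]{5}|[^\w\s]{3})\s*$")
WINDOW = timedelta(minutes=30)


def split_suffix(text):
    """Return (body, suffix). The suffix is '' when no filler pattern matches."""
    m = SUFFIX_RE.search(text)
    if not m:
        return text.strip(), ""
    return text[:m.start()].strip(), m.group(1)


def find_clusters(posts, min_accounts=3):
    """Group posts by body text and report groups that look coordinated.

    A group is reported only when several distinct accounts posted the same
    body AND the trailing strings differ. The second condition matters because
    the suffix pattern also strips ordinary four-letter last words; organic
    copies of one sentence all end in the same word, so they are not reported.
    """
    groups = defaultdict(list)
    for account, ts, text in posts:
        body, suffix = split_suffix(text)
        groups[body].append((ts, account, suffix))

    findings = []
    for body, items in groups.items():
        accounts = sorted({acct for _, acct, _ in items})
        suffixes = {sfx for _, _, sfx in items if sfx}
        if len(accounts) < min_accounts or len(suffixes) < 2:
            continue
        # Count posts that have a copy from a different account within WINDOW.
        near = 0
        for i, (ts, acct, _) in enumerate(items):
            if any(j != i and other != acct and abs(other_ts - ts) <= WINDOW
                   for j, (other_ts, other, _) in enumerate(items)):
                near += 1
        findings.append({
            "body": body,
            "accounts": accounts,
            "distinct_suffixes": len(suffixes),
            "near_share": near / len(items),
        })
    return findings


def _t(hhmm):
    return datetime.strptime("2021-01-27 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample data: four copies with varying filler, plus organic posts.
BODY = "Everyone should see this video https://video.example/v/1"
SAMPLE_POSTS = [
    ("acct_a", _t("10:02"), BODY + " qKzT"),
    ("acct_b", _t("10:11"), BODY + " %)("),
    ("acct_c", _t("10:25"), BODY + " 天地人和风"),
    ("acct_d", _t("15:40"), BODY + " wPmx"),
    ("user_1", _t("10:05"), "Great weather for a long bike ride today"),
    ("user_2", _t("10:06"), "Happy new year"),
    ("user_3", _t("10:07"), "Happy new year"),
    ("user_4", _t("10:09"), "Happy new year"),
]

if __name__ == "__main__":
    for finding in find_clusters(SAMPLE_POSTS):
        print(finding)
```

On real data the suffix pattern will strip some legitimate last words, so the cluster conditions rather than the regex alone should drive any flagging decision.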

How the Campaign Is Evolving

The effort continues to evolve. In some cases, state media and government officials have begun to openly spread the clips attacking Pompeo. Other videos have found new issues and people to target.

In one clip, a woman denies accusations of forced labor. “I have five greenhouses, and no one forces me to work," she says.

She turns the camera toward several other women behind her.

“Friends, is anyone forcing you to work?" she asks. “No!" they cry in unison.

The clip was posted by Global Times, a state-controlled newspaper, on the Chinese platform Kuaishou on Jan. 25. Two days later, the video was posted on Twitter and YouTube by the warehouse accounts within 30 minutes of one another. Just over a week later, two representatives for China's Ministry of Foreign Affairs posted the clip on Twitter as well.

The ministry did not respond to a faxed request for comment, nor did the Xinjiang offices of the Communist Party propaganda department.

Two months later, another wave of videos, shot in the same style and distributed in a similar way, raged against H&M and other international clothing brands that have expressed concern about possible labor abuses in Xinjiang's cotton and textile industries.

In one video, a Uyghur woman sits on a couch with her husband and young son.

“Mom, what's H&M?" the boy asks.

“H&M is a foreign company that uses our Xinjiang cotton and speaks ill of our Xinjiang," she says. “Tell me, is H&M bad or what?"

“Very bad," the boy says stiffly.

The clip was posted on Pomegranate Cloud on March 29. Six days later, it was posted on Twitter and YouTube, 20 minutes apart, by two warehouse accounts. As with all of the other clips that appeared on those platforms, English subtitles were added somewhere along the way, seemingly for the benefit of international audiences.

The anti-H&M campaign continues. By June 21, more than 800 cotton-related videos had been posted to Pomegranate Cloud, a large share of which were later reposted on YouTube or Twitter.

New videos are being uploaded to Pomegranate Cloud nearly every day. That means the campaign, which has already enlisted thousands of people in Xinjiang — teachers, shopkeepers, farmhands — could keep growing.

The audience outside China for the videos could also keep expanding.

The warehouse accounts on YouTube have attracted more than 480,000 views in total. People on YouTube, TikTok and other platforms have cited the testimonials to argue that all is well in Xinjiang — and received hundreds of thousands of additional views.

In a phone interview, Pompeo said friends, and occasionally his son, had come across the Xinjiang testimonials online and sent them to him.

As clumsy as the videos seem, he said, their influence should not be dismissed: “In places that don't have access to a great deal of media, that repetition, those storylines have an ability to take hold."

China's propaganda efforts will keep getting better, Pompeo added. “They'll continue to revise and become quicker, more authentic in their capacity to deliver this message," he said.

How the Videos Divided a Family

For one Uyghur activist living in exile in the United States since 2005, the videos have had a more personal impact.

Several of the Xinjiang videos feature family members of Rebiya Kadeer, 74, whom the Chinese government has accused of abetting terrorism. In one clip, two of Kadeer's granddaughters lash out at Pompeo while out shopping for a wedding.

“Grandma, I recently saw online that Pompeo's making reckless claims and talking nonsense about our Xinjiang," one granddaughter says. “I hope you won't be fooled again by those bad foreigners."

Kadeer said the videos were the first time she had heard her relatives' voices in years.

“I have been crying in my heart about my children," she said in a phone interview.

Kadeer said the videos had given her a chance to see what had become of her granddaughters. The last time she saw them, they were infants.

“Some people will believe these videos and believe Uyghurs are living a happy life," she said. “We can't say they have locked up everyone. But what they're saying in these videos — it's not true. They know they're not speaking the truth. But they have to say what the Chinese government wants them to say."

Few cops who used force on George Floyd protesters faced discipline: analysis


Last summer, ProPublica compiled 68 videos that appeared to show police officers using disproportionate force against protesters during the nationwide events following George Floyd's death in police custody.

We had culled the videos from hundreds circulating on social media in the wake of the protests and highlighted the cases that seemed to clearly show officers using disproportionate force. We then reached out to dozens of law enforcement agencies whose officers are in the videos and asked some straightforward questions: Have the officers' police departments investigated the incidents? And what consequences, if any, have the officers in the videos faced?

As time passed, we've been checking in with the departments to get their answers.

After a year, we wanted to give a final update on what we know: Departments have disclosed discipline for 10 officers.

A Seattle Police Department officer received a written reprimand for striking a protester with “six to eight punches over six seconds." In Grand Rapids, Michigan, an officer shot a man in the shoulder at close range with a long-range tear gas round. He received two days without pay. In Salt Lake City, an officer received “coaching and counseling" for using a shield to push an elderly man.

Six officers were initially fired, though two got their jobs back after a review. Criminal charges are also pending against 11 officers, including some who have already faced internal discipline.

In 17 cases that we followed, the departments have decided not to discipline the officers or could not identify them.

Investigations are still ongoing in 25 of the cases. This includes a high-profile case in Buffalo, New York, where two officers pushed a man backward, causing him to hit his head on the pavement. A grand jury dismissed felony assault charges against the officers, but a decision on departmental discipline is still pending.

Finally, in 18 instances, ProPublica could not determine the disciplinary outcome — either because the department did not respond or the department said it could not share the information.

The weaving journey of accountability has played out starkly around one of the cases in Atlanta.

In May 2020, the mayor announced the firing of two officers just a day after they were involved in the violent arrest of two college students who were pulled from a car.

But the officers quickly sued to get their jobs back, citing a lack of due process. In February, Atlanta's Civil Service Board agreed. The two officers are once again employed by the department but remain on administrative leave. The incident remains under investigation. Criminal charges have also been filed against the officers, including assault, though the district attorney who brought them has since been voted out of office.

One reason departments have declined to comment on the status of cases is that the incidents have been subject to litigation. But the back and forth on such suits can be illuminating.

Responding to a lawsuit by a protester who was hit by a Los Angeles Police Department vehicle, the city wrote that the “force used against plaintiff, if any, was caused and necessitated by the actions of plaintiff, and was reasonable and necessary for self-defense."

In about half of the cases we reviewed, including one resulting in discipline, the officer or officers involved have not been publicly identified. Sometimes, it's not even clear which law enforcement agency they worked for.

In Minneapolis, where Floyd's death occurred, sparking outrage across the world, a video captured the moment in May when officers patrolling a neighborhood fired paint rounds at a woman's home while enforcing a curfew.

A Minnesota National Guard spokesperson told ProPublica the agency was “not involved" in the incident. The Minneapolis Police Department said the incident was “not our agency." The Minnesota State Patrol said that it reviewed the video of the incident, and that “the officer who fired the marking round was not a State Patrol trooper." When asked which agency the officers who fired the paint round were from, the spokesperson said it was “unclear."

The Colonial Pipeline ransomware hackers had a secret weapon


Series: The Extortion Economy

U.S. Companies and Ransomware

On Jan. 11, antivirus company Bitdefender said it was “happy to announce" a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the U.S. and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

But Bitdefender wasn't the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for."

“Special thanks to BitDefender for helping fix our issues," DarkSide said. “This will make us even better."

DarkSide soon proved it wasn't bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast, quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast and closures of thousands of gas stations. Absent Bitdefender's announcement, it's possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie's decryption tool.

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn't comfortable seeing money go out the door to people like this," CEO Joseph Blount told The Wall Street Journal.

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyber-warfare: Don't let your opponents know what you've figured out. During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn't allowed to warn him for fear of cluing in the enemy that its cipher had been cracked. Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers' ignorance, even at the cost of contacting fewer victims. Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.

Whether to tout a decryption tool is a “calculated decision," said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire. From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim's data. And then the security researcher angle says, 'Don't disclose any information here. Keep the ransomware bugs that we've found that allow us to decode the data secret, so as not to notify the threat actors.'"

Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn't determine how their code was broken unless the flaw was specifically pointed out to them.

Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable," he said. “That's how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse engineer it and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better."

It wasn't the first time that Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.

“People are desperate for a news mention, and big security companies don't care about victims," Wosar said.

Bogdan Botezatu, director of threat research at Bucharest, Romania-based Bitdefender, said the company wasn't aware of the earlier success in unlocking files infected by DarkSide. Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won't know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search."

Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention," Botezatu said. Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.

Bitdefender recognized that DarkSide might correct the flaw, Botezatu said. “We are well aware that attackers are agile and adapt to our decryptors." But DarkSide might have “spotted the issue" anyway. “We don't believe in ransomware decryptors made silently available. Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free."

The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant. President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks. DarkSide said it was shutting down under U.S. pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.

“As sophisticated as they are, these guys will pop up again, and they'll be that much smarter," said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide. “They'll come back with a vengeance."

At least until now, private researchers and companies have often been more effective than the government in fighting ransomware. Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications. That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.

Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the U.S. DarkSide, for instance, is believed to operate out of Russia. Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.

The U.S. Secret Service also investigates ransomware, which falls under its purview of combating financial crimes. But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting presidents, vice presidents, major party candidates and their families. European law enforcement, especially the Dutch National Police, has been more successful than the U.S. in arresting attackers and seizing servers.

Similarly, the U.S. government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses. Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination. The Department of Homeland Security conducts “vulnerability assessments" for critical infrastructure, which includes pipelines.

It reviewed Colonial Pipeline in around 2013 as part of a study of places where a cyberattack might cause a catastrophe. The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official. The department did not respond to questions about any subsequent reviews.

Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them. Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial. The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.

Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments. The criminals' tactics have evolved from indiscriminate “spray and pray" campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.

Attacks on energy businesses in particular have increased during the pandemic — not just in the U.S. but in Canada, Latin America and Europe. As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.

Since 2019, numerous gangs have ratcheted up pressure with a technique known as “double extortion." Upon entering a system, they steal sensitive data before launching ransomware that encodes the files and makes it impossible for hospitals, universities and cities to do their daily work. If the loss of computer access is not sufficiently intimidating, they threaten to reveal confidential information, often posting samples as leverage. For instance, when the Washington, D.C., police department didn't pay the $4 million ransom demanded by a gang called Babuk last month, Babuk published intelligence briefings, names of criminal suspects and witnesses, and personnel files, from medical information to polygraph test results, of officers and job candidates.

DarkSide, which emerged last August, epitomized this new breed. It chose targets based on a careful financial analysis or information gleaned from corporate emails. For instance, it attacked one of Tantleff's clients during a week when the hackers knew the company would be vulnerable because it was transitioning its files to the cloud and didn't have clean backups.

To infiltrate target networks, the gang used advanced methods such as “zero-day exploits" that immediately take advantage of software vulnerabilities before they can be patched. Once inside, it moved swiftly, looking not only for sensitive data but also for the victim's cyber insurance policy, so it could peg its demands to the amount of coverage. After two to three days of poking around, DarkSide encrypted the files.

“They have a faster attack window," said Christopher Ballod, associate managing director for cyber risk at Kroll, the business investigations firm, who has advised half a dozen DarkSide victims. “The longer you dwell in the system, the more likely you are to be caught."

Typically, DarkSide's demands were “on the high end of the scale," $5 million and up, Ballod said. One scary tactic: If publicly traded companies didn't pay the ransom, DarkSide threatened to share information stolen from them with short-sellers who would profit if the share price dropped upon publication.

DarkSide's site on the dark web identified dozens of victims and described the confidential data it claimed to have filched from them. One was New Orleans law firm Stone Pigman Walther Wittmann. “A big annoyance is what it was," attorney Phil Wittmann said, referring to the DarkSide attack in February. “We paid them nothing," said Michael Walshe Jr., chair of the firm's management committee, declining to comment further.

Last November, DarkSide adopted what is known as a “ransomware-as-a-service" model. Under this model, it partnered with affiliates who launched the attacks. The affiliates received 75% to 90% of the ransom, with DarkSide keeping the remainder. As this partnership suggests, the ransomware ecosystem is a distorted mirror of corporate culture, with everything from job interviews to procedures for handling disputes. After DarkSide shut down, several people who identified themselves as its affiliates complained on a dispute resolution forum that it had stiffed them. “The target paid, but I did not receive my share," one wrote.

Together, DarkSide and its affiliates reportedly grossed at least $90 million. Seven of Tantleff's clients, including two companies in the energy industry, paid ransoms ranging from $1.25 million to $6 million, reflecting negotiated discounts from initial demands of $7.5 million to $30 million. His other three clients hit by DarkSide did not pay. In one of those cases, the hackers demanded $50 million. Negotiations grew acrimonious, and the two sides couldn't agree on a price.

DarkSide's representatives were shrewd bargainers, Tantleff said. If a victim said it couldn't afford the ransom because of the pandemic, DarkSide was ready with data showing that the company's revenue was up, or that COVID-19's impact was factored into the price.

DarkSide's grasp of geopolitics was less advanced than its approach to ransomware. Around the same time that it adopted the affiliate model, it posted that it was planning to safeguard information stolen from victims by storing it in servers in Iran. DarkSide apparently didn't realize that an Iranian connection would complicate its collection of ransoms from victims in the U.S., which has economic sanctions restricting financial transactions with Iran. Although DarkSide later walked back this statement, saying that it had only considered Iran as a possible location, numerous cyber insurers had concerns about covering payments to the group. Coveware, a Connecticut firm that negotiates with attackers on behalf of victims, stopped dealing with DarkSide.

Ballod said that, with their insurers unwilling to reimburse the ransom, none of his clients paid DarkSide, despite concerns about exposure of their data. Even if they had caved in to DarkSide, and received assurances from the hackers in return that the data would be shredded, the information might still leak, he said.

During DarkSide's changeover to the affiliate model, a flaw was introduced into its ransomware. The vulnerability caught the attention of members of the Ransomware Hunting Team. Established in 2016, the invitation-only team consists of about a dozen volunteers in the U.S., Spain, Italy, Germany, Hungary and the U.K. They work in cybersecurity or related fields. In their spare time, they collaborate in finding and decrypting new ransomware strains.

Several members, including Wosar, have little formal education but an aptitude for coding. A high school dropout, Wosar grew up in a working-class family near the German port city of Rostock. In 1992, at the age of 8, he saw a computer for the first time and was entranced. By 16, he was developing his own antivirus software and making money from it. Now 37, he has worked for antivirus firm Emsisoft since its inception almost two decades ago and is its chief technology officer. He moved to the U.K. from Germany in 2018 and lives near London.

He has been battling ransomware hackers since 2012, when he cracked a strain called ACCDFISA, which stood for “Anti Cyber Crime Department of Federal Internet Security Agency." This fictional agency was notifying people that child pornography had infected their computers, and so it was blocking access to their files unless they paid $100 to remove the virus.

The ACCDFISA hacker eventually noticed that the strain had been decrypted and released a revised version. Many of Wosar's subsequent triumphs were also fleeting. He and his teammates tried to keep criminals blissfully unaware for as long as possible that their strain was vulnerable. They left cryptic messages on forums inviting victims to contact them for assistance or sent direct messages to people who posted that they had been attacked.

In the course of protecting against computer intrusions, analysts at antivirus firms sometimes detected ransomware flaws and built decryption tools, though it wasn't their main focus. Sometimes they collided with Wosar.

In 2014, Wosar discovered that a ransomware strain called CryptoDefense copied and pasted from Microsoft Windows some of the code it used to lock and unlock files, not realizing that the same code was preserved in a folder on the victim's own computer. The strain was missing the signal, or “flag," that ransomware creators usually include in their programs to instruct Windows not to save a copy of the key.

Wosar quickly developed a decryption tool to retrieve the key. “We faced an interesting conundrum," Sarah White, another Hunting Team member, wrote on Emsisoft's blog. “How to get our tool out to the most victims possible without alerting the malware developer of his mistake?"

Wosar discreetly sought out CryptoDefense victims through support forums, volunteer networks and announcements of where to contact for help. He avoided describing how the tool worked or the blunder it exploited. When victims came forward, he supplied the fix, scrubbing the ransomware from at least 350 computers. CryptoDefense eventually “caught on to us ... but he still did not have access to the decrypter we used and had no idea how we were unlocking his victims' files," White wrote.

But then an antivirus company, Symantec, uncovered the same problem and bragged about the discovery on a blog post that “contained enough information to help the CryptoDefense developer find and correct the flaw," White wrote. Within 24 hours the attackers began spreading a revised version. They changed its name to CryptoWall and made $325 million.

Symantec “chose quick publicity over helping CryptoDefense victims recover their files," White wrote. “Sometimes there are things that are better left unsaid."

A spokeswoman for Broadcom, which acquired Symantec's enterprise security business in 2019, declined to comment, saying that “the team members who worked on the tool are no longer with the company."

Like Wosar, the 29-year-old Gillespie comes from poverty and never went to college. When he was growing up in central Illinois, his family struggled so much financially that they sometimes had to move in with friends or relatives. After high school, he worked full time for 10 years at a computer repair chain called Nerds on Call. Last year, he became a malware and cybersecurity researcher at Coveware.

Last December, he messaged Wosar for help. Gillespie had been working with a DarkSide victim who had paid a ransom and received a tool to recover the data. But DarkSide's decryptor had a reputation for being slow, and the victim hoped that Gillespie could speed up the process.

Gillespie analyzed the software, which contained a key to release the files. He wanted to extract the key, but because it was stored in an unusually complex way, he couldn't. He turned to Wosar, who was able to isolate it.

The teammates then began testing the key on other files infected by DarkSide. Gillespie checked files uploaded by victims to the website he operates, ID Ransomware, while Wosar used VirusTotal, an online database of suspected malware.

That night, they shared a discovery.

“I have confirmation DarkSide is re-using their RSA keys," Gillespie wrote to the Hunting Team on its Slack channel. A type of cryptography, RSA generates two keys: a public key to encode data and a private key to decipher it. RSA is used legitimately to safeguard many aspects of e-commerce, such as protecting credit card numbers. But it's also been co-opted by ransomware hackers.

“I noticed the same as I was able to decrypt newly encrypted files using their decrypter," Wosar replied less than an hour later, at 2:45 a.m. London time.

Their analysis showed that, before adopting the affiliate model, DarkSide had used a different public and private key for each victim. Wosar suspected that, during this transition, DarkSide introduced a mistake into its affiliate portal used to generate the ransomware for each target. Wosar and Gillespie could now use the key that Wosar had extracted to retrieve files from Windows machines seized by DarkSide. The cryptographic blunder didn't affect Linux operating systems.

“We were scratching our heads," Wosar said. “Could they really have fucked up this badly? DarkSide was one of the more professional ransomware-as-a-service schemes out there. For them to make such a huge mistake is very, very rare."

The Hunting Team celebrated quietly, without seeking publicity. White, who is a computer science student at Royal Holloway, part of the University of London, began looking for DarkSide victims. She contacted firms that handle digital forensics and incident response.

“We told them, 'Hey listen, if you have any DarkSide victims, tell them to reach out to us, we can help them. We can recover their files and they don't have to pay a huge ransom,'" Wosar said.

The DarkSide hackers mostly took the Christmas season off. Gillespie and Wosar expected that, when the attacks resumed in the new year, their discovery would help dozens of victims. But then Bitdefender published its post, under the headline “Darkside Ransomware Decryption Tool."

In a messaging channel with the ransomware response community, someone asked why Bitdefender would tip off the hackers. “Publicity," White responded. “Looks good. I can guarantee they'll fix it much faster now though."

She was right. The next day, DarkSide acknowledged the error that Wosar and Gillespie had found before Bitdefender. “Due to the problem with key generation, some companies have the same keys," the hackers wrote, adding that up to 40% of keys were affected.

DarkSide mocked Bitdefender for releasing the decryptor at “the wrong time…., as the activity of us and our partners during the New Year holidays is the lowest."

Adding to the team's frustrations, Wosar discovered that the Bitdefender tool had its own drawbacks. Using the company's decryptor, he tried to unlock samples infected by DarkSide and found that they were damaged in the process. “They actually implemented the decryption wrong," Wosar said. “That means if victims did use the Bitdefender tool, there's a good chance that they damaged the data."

Asked about Wosar's criticism, Botezatu said that data recovery is difficult, and that Bitdefender has “taken all precautions to make sure that we're not compromising user data" including exhaustive testing and “code that evaluates whether the resulting decrypted file is valid."

Even without Bitdefender, DarkSide might have soon realized its mistake anyway, Wosar and Gillespie said. For example, as they sifted through compromised networks, the hackers might have come across emails in which victims helped by the Hunting Team discussed the flaw.

“They might figure it out that way — that is always a possibility," Wosar said. “But it's especially painful if a vulnerability is being burned through something stupid like this."

The incident led the Hunting Team to coin a term for the premature exposure of a weakness in a ransomware strain. “Internally, we often joke, 'Yeah, they are probably going to pull a Bitdefender,'" Wosar said.

Trump officials used secret terrorism unit to question lawyers at the border: documents

Taylor Levy couldn't understand why she'd been held for hours by Customs and Border Protection officials when crossing back into El Paso, Texas, after getting dinner with friends in Ciudad Juarez, Mexico, in January 2019. And she didn't know why she was being questioned by an agent who'd introduced himself as a counterterrorism specialist.

Levy was part of the legal team representing the father of a girl who'd died the previous month in the custody of the Border Patrol, which is part of CBP. “There was so much hate for immigration lawyers at that time," she recalled. “I thought that somebody had put in an anonymous tip that I was a terrorist."

The truth was more troubling. Newly released records show that Levy was swept up as part of a broader than previously known push by the administration of President Donald Trump to use the federal government's expansive powers at the border to stop and question journalists, lawyers and activists.

The records reveal that Levy and attorney Héctor Ruiz were interrogated by members of CBP's secretive Tactical Terrorism Response Team. The lawyers were suspected of “providing assistance" to the migrant caravan that was then the focus of significant attention by the administration and right-wing media. Officials speculated in later reports that immigration lawyers were seeking to profit by moving migrants through Mexico, and that “Antifa" may have been involved.

The records were provided to ProPublica by the Santa Fe Dreamers Project, a public interest law firm and advocacy group that received them after filing a Freedom of Information Act lawsuit about the stops of Levy and Ruiz at the border in El Paso.

Following revelations two years ago by NBC 7 San Diego that some journalists and others were targeted for questioning when crossing from Tijuana, Mexico, the Trump administration maintained that the incidents were limited to San Diego and a handful of U.S. citizens. But the new documents prove the operation went further — and raise questions about how many others were targeted.

While the records are heavily redacted, they provide a window into exactly how the targeting worked. They also show that the push was based in part on claims that were simply wrong — for example, that Levy met with members of the caravan in Mexico while they were traveling towards the border.

“This whole thing is COINTELPRO for dummies," said Mohammad Tajsar, an attorney at the American Civil Liberties Union, referring to a notorious domestic spying program from decades ago. Tajsar is representing some of the San Diego activists who were stopped. An “intel-gathering apparatus was shared and deployed through a number of different agencies and resulted in a dragnet that ensnared a whole bunch of people."

Responding to questions from ProPublica, a CBP spokesperson said in a statement: “In response to incidents in November 2018 and January 2019, which included assaults against Border Patrol Agents, CBP identified individuals who may have information relating to the instigators and/or organizers of these attacks. Efforts to gather this type of information are a standard law enforcement practice." The statement does not address the targeting of Levy and Ruiz or what role investigators suspected two lawyers in El Paso of playing in attacks on federal agents that were in San Diego.

The administration of President Joe Biden is continuing to fight several lawsuits filed against the Trump administration over the operation. The Department of Homeland Security's inspector general promised to investigate the allegations in 2019, as the CBP spokesperson noted to ProPublica, but it has not published its findings. The current head of U.S. Border Patrol is a career agent who was in charge of the San Diego sector when agents there were helping lead the surveillance effort.

Neither Levy nor Ruiz was told why they were being questioned. What they were asked about didn't give them many clues. Both were questioned about their activities in Mexico — specifically, if they had been to Tijuana recently. They were questioned about their jobs and educational backgrounds; Ruiz was asked about the funding of the Santa Fe Dreamers Project, where they work as an attorney.

Both lawyers also recall being asked about their beliefs. Levy remembers an agent asking her why she worked for a Catholic aid organization if she didn't believe in God, while Ruiz told ProPublica they were asked about their opinions of the Trump administration and the economy. Government notes of their interviews provided as part of the suit don't reference those questions, but they do cite comments from both Levy and Ruiz criticizing Trump's border policies.

Ruiz ultimately agreed to a phone search, despite their concerns about agents reading privileged attorney-client communications, which is exactly what the agents did. The records note the use of WhatsApp to communicate with people described as “foreign national" — Ruiz's clients.

Ruiz didn't tell anyone about their late-night interrogation for weeks after it happened. When they learned the same thing had happened to Levy, and when the NBC 7 story appeared two months later showing that similar episodes in San Diego had been part of a deliberate targeting effort, the El Paso lawyers sought to find out if they had been on the same watchlist. So Ruiz's then-colleague Allegra Love filed a Freedom of Information Act request followed by a lawsuit.

This spring, they finally got a complete-enough set of documents to piece the truth together.

In late November 2018, writing up an interview with a migrant who'd traveled with the “caravan," San Diego-area border agents identified Levy and Ruiz as two of “three attorneys/legal assistants that most likely traveled to meet with the caravan." The redacted notes leave it unclear whether the migrant identified the two by name, or whether agents made the connection on their own. Either way, by the time that email was forwarded to San Diego's Border Intelligence Center, the two were identified as “ASSOCIATED TO THE MIGRANT CARAVAN DEC 2018."

In fact, not only had Levy never met with people in the caravan, but colleagues recall she'd vocally criticized the caravan at the time. Ruiz had conducted some legal workshops for caravan migrants weeks before their arrival in Tijuana, when they'd been staying in a soccer stadium in Mexico City. Ruiz and Love told ProPublica they had encouraged migrants with tenuous asylum claims not to attempt to come to the U.S. and didn't have any further involvement with the group.

According to emails obtained in the lawsuit, agents were instructed to flag Levy and Ruiz (as well as three others whose information is redacted) in the system for screening people coming through U.S. ports of entry.

When Ruiz came back to El Paso after a night out in Ciudad Juarez in December, and when Levy returned from that January dinner, the port officer checking their passports saw an alert that they should be interrogated by a member of CBP's Tactical Terrorism Response Team.

The team's stated mission is to stop suspected foreign terrorists from entering the country. But the government has expanded powers at the border that allow it to stop and question civilians entering the U.S. Records produced in an ongoing ACLU Freedom of Information Act lawsuit about the unit have shown that its members frequently question American citizens. (CBP did not respond to questions about the role of the terrorism teams.)

What exactly the interrogations of Levy and Ruiz were trying to uncover still isn't clear. Levy and Ruiz both got the impression that they were being accused of “coaching" asylum-seekers to lie to border agents. The newly disclosed records don't include anything about that, at least not in the unredacted text, but they do say that Ruiz “admitted to facilitating the migrant caravan by providing legal guidance free of charge and educate the migrant's with the Asylum process."

The accusation that telling asylum-seekers about how U.S. law works is “facilitating" their entry reflected a broader suspicion that asylum-seekers were trying to subvert U.S. law rather than accessing a legal right. One Border Patrol email from the San Diego side of the targeting operation, obtained in a Freedom of Information Act lawsuit by NBC 7 and the Reporters Committee for Freedom of the Press and shared with ProPublica, referred to crossing the border to claim asylum as exploiting “a loophole."

A Border Patrol intelligence report from El Paso, written several months after Levy and Ruiz were interrogated and included in the newly released documents, cast further aspersions on asylum lawyers. The report states, “Mass migration from South America into the United States is said to be coordinated at some level by non profit organizations who wish to line their pockets with proceeds deriving from migrants transportation fees up to the U.S Mexico border, and ultimately proceeds deriving from the migrants paying for their asylum case lawyers once they have arrived to the United States." It goes on to associate this effort with “other groups such as Antifa."

The report also asserts, inaccurately, that Levy and Ruiz were “seen in Tijuana assisting with the migrant caravan."

Now that the lawyers know more about why they were stopped — and by whom — they are all the more concerned it could happen again. Levy has since moved to California but told ProPublica she fears retaliation for this article.

Ruiz still crosses the border multiple times a week for work. “I'm still super fearful," they told ProPublica. “I don't know if this is the day they're going to detain me again." The caravans and Trump are both gone, but “I'm still doing this work. And I don't know what sort of false accusations they can throw going forward."

An unhinged jailhouse letter from a Capitol rioter sheds light on the radicalization of Trump supporters

Series: The Insurrection

The Effort to Overturn the Election

In a letter sent from behind bars, a key defendant in the Jan. 6 riot at the U.S. Capitol said he and fellow inmates have bonded in jail, and boasted that those attacking the building could have overthrown the government if they had wanted.

The letter is signed “the 1/6ers" and expresses no remorse for the assault on the Capitol, in which five people died. While no names appeared on it, ProPublica was able to determine, through interviews with his family and a review of his correspondence from jail, that it was penned by Guy Reffitt, a member of the Three Percenter right-wing militant group accused of participating in the riot. The letter said the inmates arrested for their role in the attack regularly recite the Pledge of Allegiance inside the Washington, D.C. jail and sing the national anthem “all in unison, loud and proud most everyday."

“January 6th was nothing short of a satirical way to overthrow a government," said the letter, written by hand on yellow lined paper. “If overthrow was the quest, it would have no doubt been overthrown."

The letter sent to ProPublica is believed to be one of the first public statements from a Jan. 6 rioter currently in detention. ProPublica also obtained text messages with Reffitt's family and was able to ask a few questions of him via text from the D.C. Jail, with his wife, Nicole Reffitt, acting as a relay. Guy Reffitt declined to participate in a fuller interview on the advice of his lawyer, his wife said.

Reffitt faces a variety of charges, including obstructing an official proceeding, which carries a maximum sentence of 20 years. He is awaiting trial and has pleaded not guilty. In text messages he sent last month to his wife, Reffitt said he was resigning from the Texas Three Percenters.

Last week, Reffitt told ProPublica via his wife that more than 30 people arrested in connection with the Jan. 6 attack had discussed the letter while in custody. He said that the “1/6ers" are “not organized" and that there are “no leaders," just “people chatting about things" because they are “stuck here together."

Reffitt said that the suspects communicate with one another with what are known as “kites," jailhouse slang for messages passed from cell to cell. They are also able to socialize during the two hours a day they're let out of their cells. The Department of Justice declined to comment.

Those detained in connection with the Capitol siege have been treated by D.C. officials as “maximum security" prisoners and kept in restrictive housing, according to media reports. Three defendants that Nicole Reffitt said she understood to be parties to the letter denied any knowledge of it when contacted by ProPublica. One of them said he became friends with Guy Reffitt inside the D.C. Jail, but had been moved to another unit by the time the letter was penned.

Nicole Reffitt said she helped her husband write the letter and solicit support through phone calls and a jailhouse messaging app inmates are allowed to use periodically to communicate with the outside world. The D.C. Jail has held dozens of defendants in connection with the riot, on charges ranging from obstructing an official proceeding to assaulting a police officer with a dangerous weapon.

The letter counters the notion that there was a “plan" or “conspiracy" to take down Congress on Jan. 6, blaming much of the violence on “isolated overly emotional individuals." It suggests that their actions were meant to put the country on notice: “The people clearly are not happy," Guy Reffitt said in response to questions sent through his wife.

“Ask the Capitol Police for [their] opinion of how it could have been," the letter says. “They are grateful it wasn't a real insurrection complete with mind, body and soul."

Reffitt had a moment of notoriety in late January when it became public that his son had contacted the FBI to report him roughly two weeks before the riot. In text messages reviewed by ProPublica, Reffitt asked his wife for a list of presidents so that the group could use it to create cell names. Reffitt now resides in a cell he has dubbed “the Garfield suite," named after the 20th U.S. president, James A. Garfield.

ProPublica reporters visited Reffitt's family in Wylie, Texas, a Dallas suburb, and interviewed Nicole Reffitt and their two daughters. The reporters also met with the Reffitts' son, Jackson Reffitt, who had reported concerns about his father's activities to the FBI. Jackson Reffitt said the bureau did not follow up until the Capitol was under siege. The FBI did not immediately respond to questions from ProPublica.

The family shared group text message chats from the past year and some of their correspondence with Guy Reffitt during his more than three months in jail.

The material sheds light on the radicalization of Reffitt, whom federal prosecutors characterized in a court filing as a “serious danger ... not only to his family and Congress, but to the entire system of justice."

Reffitt, 48, worked most of his adult life on oil rigs, an occupation that took him and sometimes his family around the world, including three years in Malaysia. But when the coronavirus hit in 2020, work dried up and he intensified his political activity, focusing on the Black Lives Matter movement, which he viewed as destructive.

Reffitt saw his actions on Jan. 6 as a critical step in protecting his wife and kids from what he viewed as a decades-long American slide toward “tyranny," according to his text messages.

“We watch the people of other countries rise up against authoritarianism and think, how sad they must be to want freedom and liberty so much," the letter said. “Here, the more you try to divide, bend or even break America. The more The Republic of The People will stand indivisible and resolute."

Reffitt's son covertly recorded conversations with his father that have shown up in court filings as evidence that Reffitt came to the Capitol armed and with violent intentions.

“You'll find out that I had every constitutional right to carry a weapon and take over the Congress, as we tried to do," he said in one recording, according to a transcript in court files. Jackson Reffitt, 18, has since moved out of the family home and is raising money to support himself and his schooling.

In another excerpt in court files, Guy Reffitt was blunt: “I did bring a weapon on property that we own. Federal grounds or not. The law is written, but it doesn't mean it's right law. The people that were around me were all carrying too."

Reffitt's wife and daughters said his statements were more benign than they sound — that Reffitt is notorious for his hyperbole and left the Capitol when he learned rioters had made it inside. Nicole Reffitt said she has long referred to her husband teasingly as “Queenie" because of his flair for the dramatic. Prosecutors have not accused him of entering the Capitol building or hurting anyone.

In their most recent filing, prosecutors added new evidence to their case against Guy Reffitt. They obtained a recording of a Jan. 10 Zoom meeting involving Reffitt and two other Three Percenters. In it, Reffitt allegedly said he helped lead the charge on the Capitol with a .40-caliber pistol at his side, at one point telling a U.S. Capitol Police officer who was firing nonlethal rounds at him, “Sorry, darling. You better get a bigger damn gun."

Reffitt went on to describe how the group might be able to disable a social media company's servers by using a sniper rifle to disable the generators at a nearby Texas facility. According to court records, he said attacking the servers would “make them feel it back" in Washington, D.C. He added: “Then they won't know we're coming next time."

In court filings, his lawyer said that prosecutors have “relied on bragging" and that none of the government's video or photographs from the Capitol show Reffitt to be armed. Reffitt has not been charged with a gun crime.

The letter expressed hope that the events of Jan. 6 wouldn't need to be repeated: “I hope that was the only day in American history we would without doubt, feel the need to notify our government, they have transgressed much too far."

Several experts on extremism reviewed the letter for ProPublica and had differing views of its implications.

“I tend to look at this letter as a person puffing themself up," said Jason Blazakis, a former senior counterterrorism official at the Department of State.

Peter Simi, an associate professor at Chapman University in Southern California, found the language in the letter more alarming, especially in how it characterizes the Jan. 6 riot as inevitable.

“I would interpret it as a threat. You can say it's thinly veiled, but I don't think it's that thinly veiled," Simi said. “This is the preamble — what you saw on the 6th. More is coming ... If you thought the 6th was bad, just wait and see."

The Meet and Greet

As Reffitt struggled to find work in the spring of 2020, he spent hours watching Fox News and getting angry over the Black Lives Matter protests, his family said. His teenage children supported the movement; Reffitt viewed it as “bullshit," according to his texts. One argument with his son ended with Reffitt throwing a coffee mug across the room. About a week later, Jackson Reffitt went to march in a BLM rally in Wylie. His father went armed, the family said, standing guard outside the suburb's Olde City Park.

Around that time, Guy Reffitt was introduced to the Three Percenters, a decentralized anti-government movement. The group, which takes its name from the myth that only three percent of the population fought the British in the American Revolution, is credited with popularizing the militia movement by framing it in more palatable, patriotic terms.

Nicole Reffitt recalled a “meet and greet" in June, with about 20 members coming to the Reffitt home for a barbecue.

After some awkward small talk, the conversation turned to “what everyone could do," she said. Who had military experience? Who had a license to carry? Who knew how to stop a bleed? Someone took notes to be sent up the chain of command.

Guy Reffitt was enthralled. Afterwards, he began doing what he called “intel," doing background checks on new recruits. His wife was relieved he seemed to have a sense of purpose.

In August, Reffitt drove to a BLM demonstration in Mississippi, hoping to surveil a particular activist. The family said that Reffitt intended to place a GPS tracking device on the man's car. He abandoned the plan when he wasn't sure he had the right vehicle.

Nicole Reffitt said she was alarmed when she found multiple license plates in the bed of her husband's pickup truck. She said her husband told her he used them to make sure he wasn't being tracked. “I was like, 'What the fuck? What are we doing?'" she said. “He told me to go to work and keep my business to myself."

After then-President Donald Trump lost his bid for reelection, Guy Reffitt began to sequester himself in the front room of his suburban brick home, glued to Newsmax as it reported theories of how the vote was rigged.

On Dec. 19, Reffitt found a new obsession, his family said, when Trump tweeted: “Big protest in D.C. on January 6th. Be there, will be wild!"

From then on, Reffitt's texts bounced between plans for shopping and cooking prime rib for Christmas and talk of going to D.C. to “shock the world."

“It's the government that is going to be destroyed in this fight," Reffitt texted his family on Dec. 21. “Congress has made fatal mistakes this time."

Feeling “paranoid" about his father, Jackson Reffitt sent in a tip via the FBI website. He said he wrote that his father was a militia member who made threatening statements about public officials and kept talking about doing “something big."

Full Battle Rattle

After Christmas, Guy Reffitt firmed up plans to travel to Washington for the Jan. 6 rally. His family said he planned to bring weapons, which was unsurprising; they said he went most everywhere armed. Nicole Reffitt told ProPublica her husband promised to disassemble the weapons to comply with Washington, D.C., laws. His defense attorney has argued that there is no evidence that he “carried a loaded firearm."

But according to court records, on Dec. 28, Guy messaged an unnamed individual. “I don't think unarmed will be the case this time," he said. “I will be in full battle rattle. If that's a law I break, so be it, but I won't do it alone."

When he left to drive to Washington, he told his family, “If everything works out, I'll see you again," in what Nicole said was a typically melodramatic goodbye.

“I love ALL of you with ALL of my heart and soul," he texted on the morning of Jan. 6. “This is for our country and for ALL OF YOU and your kids."

Jackson Reffitt came home to find his mother and sister transfixed by the television as protestors pushed past police lines. “What the hell?" he recalled asking. “Is dad there?" The screen showed police in the Senate chambers, guns drawn.

“Your father is there," his mother responded.

Finally acting on Jackson Reffitt's earlier tip, an FBI agent called him to set up a meeting.

Two days later, Guy Reffitt came home, eager to boast. His son decided to record him. Jackson Reffitt met with the FBI agent the following week.

In the pre-dawn hours of Jan. 16, a squad of more than a dozen officers rolled up to the Reffitt home, armed for a SWAT raid, according to his family and footage from their neighbor's security camera. A mobile battering ram idled in front of their house as the officers tossed flash-bang grenades. The family clambered out, some still in their underwear.

Guy Reffitt went without resistance, assuring the kids that the federal agents were only doing their jobs. He was expecting to be arrested by then, his family said, and even laughed with an officer who accompanied him to the bathroom after he'd been handcuffed.

As he was being carted off in the back of a police vehicle, he yelled out the window: “I didn't ask for this!"

He has been behind bars since.

On April 22, Reffitt messaged his wife a note of encouragement.

“You are superstars to more than half the country," he wrote. “There's no going back now."
