Investigating Data Breach, Bulgarian Officials Target Journalist

As part of its investigation into the largest data breach in the country’s history, Bulgaria’s Special Prosecutor's Office has put out an investigative order to question Atanas Tchobanov, the editor-in-chief of Bivol, a journalism outlet that has a history of uncovering corruption and misuse of funds in the government.

Bivol-hack-story copy copyAmong the 13 photos posted as evidence is a picture of the suspected hacker allegedly texting someone saved under the name “Bivol” (Prosecutor’s Office of the Republic of Bulgaria) Bivol was also responsible for this year’s “ApartmentGate” scandal that saw support for the ruling GERB party drop.  

Prosecutors issued a European Investigative Order (EIO) on Friday to France, where Tchobanov has a permanent address. The EIO concerns alleged connections between Bivol and the TAD Group, an American cybersecurity company suspected of being behind the data breach in June that affected the financial information of over 5 million Bulgarians—some 70% of the population. 

Nearly a month after the initial hack, an individual claiming to be a Russian hacker sent several gigabytes of the stolen data to local newsrooms, including to Bivol, condemning the Bulgarian government for being corrupt and for having weak cybersecurity. The hacker also offered local journalists some “critically confidential” information about the government.

Officials arrested Kristian Boykov, 20, an employee of the Sofia-based TAD Group, on July 16 under suspicion of being the mastermind behind the hack, and with another colleague has since been officially charged with terrorism. A few days later, owner Ivan Todorov was arrested as he got off a plane from Istanbul, according to Bulgarian local media. 

 In an interview on Wednesday, the Counter-Terrorism Unit publicly linked the TAD Group employees with Bivol for the first time.  

Prosecutor Evghenia Stankova, who leads the unit, said that in searching through Boykov’s files, investigators noticed that “certain data” was provided to Bivol two weeks before it was sent to other news agencies, and that there had been a “secret” communication between Boykov and Bivol. 

“Analyzed evidence shows that the attack aimed at creating social instability against the current political system," she said.

On Thursday, the Prosecutor’s Office released images that it stated would be entered into evidence in the case against TAD Group, including a photo of the Telegram messaging app on Boykov’s phone that shows he was communicating with an entity under the name of “Bivol.”

Screen Shot 2019-08-05 at 6.25.39 PM(Prosecutor’s Office of the Republic of Bulgaria)

Tchobanov, who handles direct communication with sources for Bivol, told OCCRP he doesn’t know Boykov or anyone else from the TAD group, however. 

He added that in speaking with all sources, the organization uses the more secure Signal messaging app, as well as pseudonyms to obscure one another’s identities, as a security measure should authorities seize its telephones and computers.  

The EIO states only that Tchobanov is wanted for questioning “regarding facts relevant to the subject matter of the case,” but the journalist suspects that authorities will use the TAD Group investigation as an excuse to gain access to Bivol’s computers and servers—an action they have threatened before. 

“The intimidation tactics pattern is the same, and we experience a similar smearing and shit fan attack after each big investigation,” Tchobanov told OCCRP, “ApartmentGate hurts, but so does our investigation about the guesthouses built with EU money for private use, because Brussels is observing the case. And, of course, the exposure of the Attorney General [Sotir] Tsatsarov himself as tax dogger in a real estate transaction is hurting a lot.”

In June, the Bulgaria’s governing party appeared to be retaliating against the journalists for their ApartmentGate investigations when stories smearing both Tchobanov and Bivol's founder and publisher Assen Yordanov appeared in a pro-government newspaper. Yordanov was later subjected to a three hour interrogation with a prosecutor in what appeared to be a circumvention of Article 209 of Bulgaria’s Criminal Procedure Code.

In the past several days, some press groups have released statements condemning the Bulgarian government for putting out the EIO, with the International Press Institute describing it as a “pretext to silence Bivol." 

“We have been targeted by the prosecution office many times and we know their Stalinian methods,” Tchobanov said, “The prosecution in Bulgaria is not prosecuting the mafia and corruption, but the journalists who reveal them.”