Was There a Connection Between a Russian Bank and the Trump Campaign?

A team of computer scientists sifted through records of unusual Web traffic in search of answers.


In June, 2016, after news broke that the Democratic National Committee had been hacked, a group of prominent computer scientists went on alert. Reports said that the infiltrators were probably Russian, which suggested to most members of the group that one of the country’s intelligence agencies had been involved. They speculated that if the Russians were hacking the Democrats they must be hacking the Republicans, too. “We thought there was no way in the world the Russians would just attack the Democrats,” one of the computer scientists, who asked to be identified only as Max, told me.

The group was small—a handful of scientists, scattered across the country—and politically diverse. (Max described himself as “a John McCain Republican.”) Its members sometimes worked with law enforcement or for private clients, but mostly they acted as self-appointed guardians of the Internet, trying to thwart hackers and to keep the system clean of malware—software that hackers use to control a computer remotely, or to extract data. “People think the Internet runs on its own,” Max told me. “It doesn’t. We do this to keep the Internet safe.” The hack of the D.N.C. seemed like a pernicious attack on the integrity of the Web, as well as on the American political system. The scientists decided to investigate whether any Republicans had been hacked, too. “We were trying to protect them,” Max said.

Max’s group began combing the Domain Name System, a worldwide network that acts as a sort of phone book for the Internet, translating easy-to-remember domain names into I.P. addresses, the strings of numbers that computers use to identify one another. Whenever someone goes online—to send an e-mail, to visit a Web site—her device contacts the Domain Name System to locate the computer that it is trying to connect with. Each query, known as a D.N.S. lookup, can be logged, leaving records in a constellation of servers that extends through private companies, public institutions, and universities. Max and his group are part of a community that has unusual access to these records, which are especially useful to cybersecurity experts who work to protect clients from attacks.

Max and the other computer scientists asked me to withhold their names, out of concern for their privacy and their security. I met with Max and his lawyer repeatedly, and interviewed other prominent computer experts. (Among them were Jean Camp, of Indiana University; Steven Bellovin, of Columbia University; Daniel Kahn Gillmor, of the A.C.L.U.; Richard Clayton, of the University of Cambridge; Matt Blaze, of the University of Pennsylvania; and Paul Vixie, of Farsight Security.) Several of them independently reviewed the records that Max’s group had discovered and confirmed that they would be difficult to fake. A senior aide on Capitol Hill, who works in national security, said that Max’s research is widely respected among experts in computer science and cybersecurity.

As Max and his colleagues searched D.N.S. logs for domains associated with Republican candidates, they were perplexed by what they encountered. “We went looking for fingerprints similar to what was on the D.N.C. computers, but we didn’t find what we were looking for,” Max told me. “We found something totally different—something unique.” In the small town of Lititz, Pennsylvania, a domain linked to the Trump Organization (mail1.trump-email.com) seemed to be behaving in a peculiar way.

The server that housed the domain belonged to a company called Listrak, which mostly helped deliver mass-marketing e-mails: blasts of messages advertising spa treatments, Las Vegas weekends, and other enticements. Some Trump Organization domains sent mass e-mail blasts, but the one that Max and his colleagues spotted appeared not to be sending anything. At the same time, though, a very small group of companies seemed to be trying to communicate with it.

Examining records for the Trump domain, Max’s group discovered D.N.S. lookups from a pair of servers owned by Alfa Bank, one of the largest banks in Russia. Alfa Bank’s computers were looking up the address of the Trump server nearly every day. There were dozens of lookups on some days and far fewer on others, but the total number was notable: between May and September, Alfa Bank looked up the Trump Organization’s domain more than two thousand times. “We were watching this happen in real time—it was like watching an airplane fly by,” Max said. “And we thought, Why the hell is a Russian bank communicating with a server that belongs to the Trump Organization, and at such a rate?”

Only one other entity seemed to be reaching out to the Trump Organization’s domain with any frequency: Spectrum Health, of Grand Rapids, Michigan. Spectrum Health is closely linked to the DeVos family; Richard DeVos, Jr., is the chairman of the board, and one of its hospitals is named after his mother. His wife, Betsy DeVos, was appointed Secretary of Education by Donald Trump. Her brother, Erik Prince, is a Trump associate who has attracted the scrutiny of Robert Mueller, the special counsel investigating Trump’s ties to Russia. Mueller has been looking into Prince’s meeting, following the election, with a Russian official in the Seychelles, at which he reportedly discussed setting up a back channel between Trump and the Russian President, Vladimir Putin. (Prince maintains that the meeting was “incidental.”) In the summer of 2016, Max and the others weren’t aware of any of this. “We didn’t know who DeVos was,” Max said.

The D.N.S. records raised vexing questions. Why was the Trump Organization’s domain, set up to send mass-marketing e-mails, conducting such meagre activity? And why were computers at Alfa Bank and Spectrum Health trying to reach a server that didn’t seem to be doing anything? After analyzing the data, Max said, “We decided this was a covert communication channel.”

The Trump Organization, Alfa Bank, and Spectrum Health have repeatedly denied any contact. But the question of whether Max’s conclusion was correct remains enormously consequential. Was this evidence of an illicit connection between Russia and the Trump campaign? Or was it merely a coincidence, cyber trash, that fed suspicions in a dark time?

In August, 2016, Max decided to reveal the data that he and his colleagues had assembled. “If the covert communications were real, this potential threat to our country needed to be known before the election,” he said. After some discussion, he and his lawyer decided to hand over the findings to Eric Lichtblau, of the Times. Lichtblau met with Max, and began to look at the data.

Lichtblau had done breakthrough reporting on National Security Agency surveillance, and he knew that Max’s findings would require sophisticated analysis. D.N.S. lookups are metadata—records that indicate computer interactions but don’t necessarily demonstrate human communication. Lichtblau shared the data with three leading computer scientists, and, like Max, they were struck by the unusual traffic on the server. As Lichtblau talked to experts, he became increasingly convinced that the data suggested a substantive connection. “Not only is there clearly something there but there’s clearly something that someone has gone to great lengths to conceal,” he told me. Jean Camp, of Indiana University, had also vetted some of the data. “These people who should not be communicating are clearly communicating,” she said. In order to encourage discussion among analysts, Camp posted a portion of the raw data on her Web site.

As Lichtblau wrote a draft of an article for the Times, Max’s lawyer contacted the F.B.I. to alert agents that a story about Trump would be running in a national publication, and to pass along the data. A few days later, an F.B.I. official called Lichtblau and asked him to come to the Bureau’s headquarters, in Washington, D.C.

At the meeting, in late September, 2016, a roomful of officials told Lichtblau that they were looking into potential Russian interference in the election. According to a source who was briefed on the investigation, the Bureau had intelligence from informants suggesting a possible connection between the Trump Organization and Russian banks, but no data. The information from Max’s group could be a significant advance. “The F.B.I. was looking for people in the United States who were helping Russia to influence the election,” the source said. “It was very important to the Bureau. It was urgent.”

The F.B.I. officials asked Lichtblau to delay publishing his story, saying that releasing the news could jeopardize their investigation. As the story sat, Dean Baquet, the Times’ executive editor, decided that it would not suffice to report the existence of computer contacts without knowing their purpose.

Lichtblau disagreed, arguing that his story contained important news: that the F.B.I. had opened a counterintelligence investigation into Russian contacts with Trump’s aides. “It was a really tense debate,” Baquet told me. “If I were the reporter, I would have wanted to run it, too. It felt like there was something there.” But, with the election looming, Baquet thought that he could not publish the story without being more confident in its conclusions.

Over time, the F.B.I.’s interest in the possibility of an Alfa Bank connection seemed to wane. An agency official told Lichtblau that there could be an innocuous explanation for the computer traffic. Then, on October 30th, Senate Minority Leader Harry Reid wrote a letter to James Comey, the director of the F.B.I., charging that the Bureau was withholding information about “close ties and coordination” between the Trump campaign and Russia. “We had a window,” Lichtblau said. His story about Alfa Bank ran the next day. But it bore only a modest resemblance to what he had filed. The headline—“Investigating Donald Trump, F.B.I. Sees No Clear Link to Russia”—seemed to exonerate the Trump campaign. And, though the article mentioned the server, it omitted any reference to the computer scientists who had told Lichtblau that the Trump Organization and Alfa Bank might have been communicating. “We were saying that the investigation was basically over—and it was just beginning,” Lichtblau told me.

That same day, Slate ran a story, by Franklin Foer, that made a detailed case for the possibility of a covert link between Alfa Bank and Trump. Foer’s report was based largely on information from a colleague of Max’s who called himself Tea Leaves. Foer quoted several outside experts; most said that there appeared to be no other plausible explanation for the data.

One remarkable aspect of Foer’s story involved the way that the Trump domain had stopped working. On September 21st, he wrote, the Times had delivered potential evidence of communications to B.G.R., a Washington lobbying firm that worked for Alfa Bank. Two days later, the Trump domain vanished from the Internet. (Technically, its “A record,” which translates the domain name to an I.P. address, was deleted. If the D.N.S. is a phone book, the domain name was effectively decoupled from its number.) For four days, the servers at Alfa Bank kept trying to look up the Trump domain. Then, ten minutes after the last attempt, one of them looked up another domain, which had been configured to lead.

Max’s group was surprised. The Trump domain had been shut down after the Times contacted Alfa Bank’s representatives—but before the newspaper contacted Trump. “That shows a human interaction,” Max concluded. “Certain actions leave fingerprints.” He reasoned that someone representing Alfa Bank had alerted the Trump Organization, which shut down the domain, set up another one, and then informed Alfa Bank of the new address.

A week after the Times story appeared, Trump won the election. On Inauguration Day, Liz Spayd, the Times’ ombudsman, published a column criticizing the paper’s handling of stories related to Trump and Russia, including the Alfa Bank connection. “The Times was too timid in its decisions not to publish the material it had,” she wrote. Spayd’s article did not sit well with Baquet. “It was a bad column,” he told the Washington Post. Spayd argued that Slate had acted correctly by publishing a more aggressive story, which Baquet dismissed as a “fairly ridiculous conclusion.” That June, Spayd’s job was eliminated, as the paper’s publisher said that the position of ombudsman had become outdated in the digital age. When I talked to Baquet recently, he still felt that he had been right to resist discussing the server in greater depth, but he acknowledged that the Times had been too quick to disclaim the possibility of Trump’s connections to Russia. “The story was written too knowingly,” he said. “The headline was flawed. We didn’t know then what we know now.”

In April, 2017, Lichtblau left the Times, after fifteen years—in part, he said, because of the way that the Alfa Bank story was handled. He went to work for CNN, but resigned less than two months later, amid controversy over another story that he had worked on, about the Trump aide Anthony Scaramucci. This April, Lichtblau returned to the Times newsroom for a celebration: he had been part of a team of Times reporters that was awarded a Pulitzer Prize for its work on other aspects of the Trump campaign. “It was quite a year,” he said.

Meanwhile, the Trump-Alfa Bank story seemed to fade. The Trump campaign dismissed any connection, saying, “The only covert server is the one Hillary Clinton recklessly established in her basement.” Bloggers and tech journalists assailed the Slate piece online. The cybersecurity researcher Robert Graham called the analysis “nonsense,” and complained, “This is why we can’t have nice things on the Internet.” He pointed out several problems. For instance, Foer’s sources had found that the Trump domain was blocking incoming e-mail, and argued that this was evidence that Trump and Alfa Bank were maintaining a private communications network; in fact, Listrak routinely configured its marketing servers to send e-mail but not to receive it. Graham also noted that the domain was administered not by Trump but by Cendyn, a company in Boca Raton that handled his company’s marketing e-mail.

Alfa Bank hired two cybersecurity firms, Mandiant and Stroz Friedberg, to review the data. Both firms reported that they had found no evidence of communications with the Trump Organization. The bank also began trying to uncover the anonymous sources in the Slate piece. Attorneys representing Alfa contacted Jean Camp, telling her that they were considering legal action and asking her to identify the researchers who had assembled the data. She declined to reveal their names. “This is what tenure is for,” she told me.

Alfa Bank was founded by Mikhail Fridman, in the last years of the Soviet Union. Fridman was born in western Ukraine and studied metallurgy in college. Like many others of his generation, he was introduced to the market economy through hustle. He sold theatre tickets, washed windows, and ran a student discothèque. After the Soviet Union collapsed, in 1991, Fridman joined the scramble to befriend members of the new government and amass a fortune with help from the state. Along with an economist named Petr Aven, who had previously served as the country’s minister for foreign economic relations, Fridman built Alfa Bank into one of the most successful businesses in the new Russia. Its parent company, Alfa Group, now controls the country’s largest private bank, along with financial institutions in several European nations.

Fridman and Aven acquired reputations as brilliant, relentless businessmen. Describing the lawless post-Soviet years to the journalist Chrystia Freeland, who is now the foreign minister of Canada, Fridman said, “We were absolute savages.” In a notorious episode in 2008, a group of Russian companies, including Alfa Group, tried to gain control of a joint venture they’d formed with British Petroleum. The power struggle was so fierce that the C.E.O. of the joint venture, Robert Dudley, felt compelled to leave Russia. The oligarchs kept pushing for control of the BP venture until it was sold to a state-owned petroleum company, for fifty-five billion dollars; Alfa Group’s cut was almost fourteen billion.

Alfa Bank prospered during the Yeltsin years and has continued to do so under Putin. Though Fridman and Aven are not part of Putin’s innermost circle, they have managed to avoid the fate of some other oligarchs, who have had assets seized and, in a few cases, been imprisoned, after falling out of favor. Michael McFaul, a former U.S. Ambassador to Russia, told me he was impressed that Fridman and Aven had “navigated the very difficult world of maintaining their private business interests and not crossing the Kremlin.”

One reason the server story alarmed Alfa Bank was that it threatened the bank’s standing in Washington. Members of Russia’s government and many of its businessmen have been under American economic sanctions since 2014, when Russia annexed Crimea, but Alfa’s principals and representatives have enjoyed access to U.S. politicians at the highest levels. Fridman and Aven met several times with officials at the Obama White House, discussing such issues as Russia’s effort to gain entrance to the World Trade Organization. (Alfa Bank maintains that it has “never advocated for political or trade issues on behalf of the Russian government.”) “Fridman and Aven were seen as people that Washington could talk to about U.S.-Russia, because they checked two boxes—they were ‘polite company’ oligarchs, and they could shed light on Putin’s intentions and perspective,” a senior official in the Obama Administration told me. “They got meetings at State and on the Hill and at the White House. And they were understood to be operating with the consent and guidance of Vladimir Putin.”

Alfa is still closely tied to the Russian system, but Fridman and Aven live much of the time in the United Kingdom. If there was a communications link with the Trump Organization, it might have been created without their knowledge. According to experts I spoke to, large Russian companies typically have a member of the intelligence services, either active or retired, working at a senior level. If a company’s services are required in some way, the officer—called a kurator—coördinates them. “A company couldn’t say no,” a Washington-based Russia expert told me. (When asked about this, an Alfa Bank spokesperson said, “To our knowledge there are no senior intelligence officials at senior levels at Alfa Bank.”)

This past May, I saw Petr Aven in New York, at the Four Seasons Hotel. He had just come from a dinner in Washington, at which he had met a group of prominent Americans, including officials from the White House, to discuss Russia’s economic situation. Aven seemed worried about surveillance; before we sat down, he brought his phone to the other side of the lobby and hid it behind a plant. He wouldn’t say much for the record, but he told me that his bank didn’t have “any connection at all with Trump—nothing.”

Aven and Fridman have visited Washington less often since Trump took office. But Trump’s victory appeared to elevate Alfa Bank’s connections there—at least by association. Don McGahn, the White House counsel, came from Jones Day, one of the law firms that represent Alfa Bank in the United States. McGahn brought five Jones Day lawyers with him into the White House; six more were appointed to senior posts in the Administration. Jones Day has done work for businesses belonging to a long list of Russian oligarchs, including Oleg Deripaska, Viktor Vekselberg, and Alexander Mashkevich. The firm has also represented the Trump campaign in its dealings with Robert Mueller. For this reason, McGahn secured an ethics waiver that allows him to talk to his old firm when its clients have business before the U.S. government.

In June, 2017, Trump nominated Brian Benczkowski, a lawyer who had overseen the Stroz Friedberg report for Alfa Bank, to lead the criminal division of the Justice Department. At his confirmation hearing, Benczkowski said emphatically that Stroz Friedberg, like Mandiant, had rejected the possibility of complicity. The investigation, he said, found that “there was no communications link between the Trump Organization and Alfa Bank.”

Democratic senators expressed concern that Benczkowski had taken on work for Alfa Bank; he had been a senior member of Trump’s transition team and had good reason to expect that he would be appointed to a job in the Administration. “The client was a Russian bank that is under suspicion of having a direct connection with the Trump campaign,” Senator Richard Durbin said, during the hearing.

He and the other Democratic senators were especially troubled that Benczkowski would not commit to recusing himself from dealing with Mueller’s investigation, even though he had worked for two of Russia’s leading oligarchs. “Why did you refuse to recuse yourself?” Senator Dianne Feinstein asked.

“I don’t know what’s in Special Prosecutor Mueller’s investigation,” Benczkowski said. “I’m a lawyer in private practice. I have no idea what he’s up to, other than what I read in the papers.”

Despite these questions, the Republican-led committee approved Benczkowski. This past July, the Senate confirmed him.

While Republicans in Congress have rejected the possibility of collusion, with some joining Trump in calling the Mueller inquiry a politically motivated “witch hunt,” a few Democrats have continued to pursue the matter. After Trump’s Inauguration, two Democratic senators who had reviewed the data assembled by Max’s group—Mark Warner and a colleague who requested anonymity—asked the F.B.I. for an assessment of any potential contacts between Alfa Bank and the Trump Organization. The material was also brought to the attention of the C.I.A., which found it substantial enough to suggest that the F.B.I. investigate. In March, 2017, a Pennsylvania news outlet called Lancaster Online reported that F.B.I. agents had visited the offices of Listrak, the company that housed the Trump server. Ross Kramer, Listrak’s C.E.O., told me, “I gave them everything they asked for.”

Around the same time, the second Democratic senator approached a former Senate staffer named Daniel Jones and asked him to give the data a closer look. Jones had served as a counterterrorism investigator for the F.B.I. and then spent ten years working for the Senate Intelligence Committee, where he led the inquiry into the use of torture under the George W. Bush Administration. Now he was running an investigations firm, the Penn Quarter Group, and a nonprofit initiative called the Democracy Integrity Project, which was intended to help keep elections free from foreign interference.

To assess the Alfa Bank data, Jones assembled a team of computer scientists, divided into two groups, one on each coast. (They also consulted with Jean Camp, who agreed to coöperate despite the possibility that Alfa Bank might take legal action.) All these experts have national reputations in the field. Some have held senior cybersecurity jobs in the Pentagon, the White House, and the intelligence services, as well as in leading American technology companies. In order to encourage an unbiased outcome, Jones never introduced the East Coast group to the West Coast group.

I met several times with the two members of the East Coast group and spoke with them repeatedly. They used pseudonyms, Paul and Leto, in part because they had been alarmed by encounters with Russia while they were working at high levels of government. Leto said that, in 2016, as he was investigating cyber intrusions that seemed to originate in Russia, he became convinced that he was being followed. Both he and Paul believed that their phones had been hacked. These incursions coincided with a period of intense Russian activity in the U.S., including the hacking of the D.N.C., a pro-Trump social-media blitz, and the arrival of Maria Butina, who is accused of being a Russian agent sent to ingratiate herself with American conservative leaders. (Butina has denied the accusations.)

As Paul and Leto began working, they needed to verify that Max’s data presented an accurate picture of the traffic. After the Slate story appeared, skeptics pointed out that no one has a comprehensive view of the Domain Name System. They speculated that other entities, besides Alfa Bank and Spectrum Health, had looked up the Trump domain, and that Max had failed to see them. The D.N.S. company Dyn told a reporter that it had seen lookups from other computers around the world. But Dyn turned out to have registered only two additional lookups, both from the same address in the Netherlands.

Max and his colleagues maintain that they are able to see nearly all the D.N.S. lookups on a given domain; the senior Capitol Hill aide I spoke to affirmed that Max’s group is widely understood to have this capability. Paul Vixie, one of the original architects of the D.N.S. network, examined the data and told me, “If this is a forgery, it’s better than any forgery I’ve seen.” Jones’s team also ran analyses and real-time tests to check Max’s access to D.N.S. records. “It’s completely implausible that he could have fooled us,” Paul said.

Max had provided the Jones team with thirty-seven million D.N.S. records, enough to fill thousands of screens with time stamps and I.P. addresses—long strings of numbers and letters in green type. Over the course of several months, Paul and Leto examined the data for patterns and anomalies. “We stared at a lot of green screens,” Paul said. They regarded their inquiry as a statistical enterprise, capturing each Alfa Bank D.N.S. query from the ocean of data that they had been given and plotting it over a four-month period. Both said that they began their work as skeptics. “I started from an assumption that this is a bunch of nonsense,” Leto told me.

Much of the information that was publicly available might well have supported that assumption. Foer’s article in Slate had prompted online discussions, in which commentators offered explanations ranging from the benign to the sinister. The timing of the lookups, which came in the summer just before the election, invited speculation. Foer claimed that the biggest flurries of traffic coincided with major campaign events, including the party conventions. Paul and Leto were dubious. If anything, the traffic coincided with Paul Manafort’s time as Trump’s campaign manager—but the D.N.S. queries continued after Manafort stepped down. “A lot of people are seeing faces in clouds,” Leto said.

The Trump Organization had done little to clarify the matter. In October, 2016, it released a statement denying interactions with Alfa Bank “or any Russian entity.” Instead, it offered a peculiar explanation for the D.N.S. traffic: it had been triggered when “an existing banking customer of Cendyn”—the marketing firm—had used the company’s systems to send communications to Alfa Bank. Such a scenario would be highly irregular; it was as if Gmail had allowed a user to send e-mail from another user’s account. “It makes no sense,” Paul told me.

Trump’s advocates claimed that the investigations sponsored by Alfa Bank had proved that Alfa and the Trump Organization were not communicating. In fact, they sidestepped the question. Mandiant, one of the cybersecurity firms, said that it was unable to inspect the bank’s D.N.S. logs from 2016, because Alfa retained such records for only twenty-four hours. The other firm, Stroz Friedberg, gave the same explanation for why it, too, was “unable to verify” the data.

As Jones’s team vetted the data, they examined various possible explanations. One was malware, which had played a role in the hack of the D.N.C.’s computers. Most malware has “distinctive patterns of behavior,” Camp told me. It is typically sent out in a blast, aimed simultaneously at multiple domains. There is a “payload”—a mechanism that activates the malicious activity—and a “recruitment mechanism,” which enables the malware to take over parts of a vulnerable computer. None of the experts whom Jones assembled found any evidence of this behavior on the Trump server. “Malware doesn’t keep banging on the door like that,” Paul said.

A second possibility was marketing e-mail. After the Slate article appeared, some commentators suggested that Trump’s server had innocently sent promotional e-mails to Alfa Bank, and that a computer there had responded with queries designed to verify the identity of the sender. This became a catchall answer for anyone who couldn’t explain what had happened. “Either this is something innocuous, like spam,” Rachel Cohen, a press secretary for Senator Warner, told me, “or it’s completely nefarious.”

Alfa Bank had received Trump marketing e-mails in the past. But Cendyn had told CNN that it stopped sending e-mails for the Trump Organization in March, 2016, before the peculiar activity began; Trump had transferred his online marketing to another company, called Serenata. Jones’s team investigated, and found additional evidence that the server wasn’t sending marketing e-mails at the time. One indicator was the unusually limited traffic. Kramer, of Listrak, told me that a typical client sends “tens of thousands of e-mails a day” to huge numbers of recipients. If the Trump server was following that pattern, it would have generated significant D.N.S. traffic. To establish a kind of control group, Jones’s team asked Max to capture the D.N.S. logs for the Denihan Hospitality Group—a hotel chain, similar in size to Trump’s, which was using Cendyn and Listrak to send marketing e-mails. In a sample spanning August and September, 2016, a Denihan domain received more than twenty thousand D.N.S. queries, from more than a thousand I.P. addresses. In the same period, the Trump domain had twenty-five hundred lookups, nearly all of them from Alfa Bank and Spectrum Health.

The timing and the frequency of the D.N.S. lookups also did not suggest spam, Paul and Leto believed. Mass-marketing e-mails are typically sent by an automated process, one after another, in an unbroken rhythm. The Alfa queries seemed to fall into two categories. Some came in a steady pulse, while others arrived irregularly—sometimes many in a day, sometimes a few. “The timing of the communication was not random, and it wasn’t regular-periodic,” Paul said. “It was a better match for human activity.”
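
The control-group comparison and the timing argument in the two paragraphs above can be expressed as a small passive-D.N.S. triage script. This is an added example, not the analysts' code or data: the record format, the thresholds, and the `.example` names and documentation-range addresses are constructed assumptions.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def timing_class(times, min_gaps=5, periodic_cv=0.3, bursty_cv=1.5):
    """Classify sorted query times by the coefficient of variation (CV)
    of the gaps between them. Thresholds are illustrative assumptions."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < min_gaps:
        return "insufficient"
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    if cv < periodic_cv:
        return "periodic"      # steady pulse, e.g. a scheduled job
    if cv > bursty_cv:
        return "bursty"        # clusters separated by long silences
    return "random-like"       # roughly Poisson arrivals (CV near 1)


def profile(records):
    """records: iterable of (timestamp, source_ip, queried_name).
    Returns per-domain volume, source diversity, the share of queries
    from the two busiest sources, and a timing class for each of them."""
    by_domain = defaultdict(list)
    for ts, src, qname in records:
        # DNS names are case-insensitive and may carry a trailing dot.
        by_domain[qname.lower().rstrip(".")].append((ts, src))
    result = {}
    for qname, rows in by_domain.items():
        rows.sort()
        sources = Counter(src for _, src in rows)
        top2 = sources.most_common(2)
        result[qname] = {
            "queries": len(rows),
            "sources": len(sources),
            "top2_share": sum(n for _, n in top2) / len(rows),
            "timing": {
                src: timing_class([t for t, s in rows if s == src])
                for src, _ in top2
            },
        }
    return result


def concentrated(profiles, min_queries=100, share=0.9):
    """Domains whose lookups come almost entirely from two sources."""
    return sorted(
        q for q, p in profiles.items()
        if p["queries"] >= min_queries and p["top2_share"] >= share
    )


def sample_records():
    """Constructed data: one bulk-mail domain looked up by many
    resolvers, one quiet domain looked up mostly by two."""
    start = datetime(2024, 1, 1)
    recs = []
    nets = ("198.51.100", "203.0.113")
    for i in range(2000):                      # 400 distinct resolvers
        src = f"{nets[i % 2]}.{(i // 2) % 200 + 1}"
        recs.append((start + timedelta(seconds=30 * i), src,
                     "mail.bulk.example"))
    for i in range(200):                       # hourly pulse
        recs.append((start + timedelta(hours=i), "192.0.2.10",
                     "mail.quiet.example"))
    for day in range(0, 60, 6):                # bursts every six days
        for j in range(10):
            recs.append((start + timedelta(days=day, seconds=20 * j),
                         "192.0.2.20", "mail.quiet.example"))
    for i in range(2):                         # two stray lookups
        recs.append((start + timedelta(days=30, minutes=i),
                     "192.0.2.99", "MAIL.QUIET.EXAMPLE."))
    return recs


if __name__ == "__main__":
    profiles = profile(sample_records())
    for name, p in sorted(profiles.items()):
        print(name, p)
    print("concentrated:", concentrated(profiles))
```

Concentration and gap statistics only describe the shape of the traffic; as the article notes, D.N.S. lookups are metadata and do not by themselves show what, if anything, was exchanged.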

But, if the Trump server wasn’t sending or receiving e-mail, what could explain the traffic? There was the possibility of “spoofing”—essentially, faking an identity. Did someone try to make it appear, falsely, that Alfa Bank was reaching out to the Trump Organization? Jones’s team concluded that such an attack would have been unlikely to produce thousands of D.N.S. lookups, over such a long time.

“Maybe for a few days, but not four months,” Leto said. There was also a question of motive. In the spring of 2016, very few people knew that Max and his colleagues were able to monitor D.N.S. traffic so comprehensively, so any spoofers would have been impersonating Alfa Bank with little expectation of being detected. News stories investigating the links between Trump and Russia were months away. “Why would someone do that?” Steven Bellovin, of Columbia, said. “And why would they pick those organizations?”

When I saw Petr Aven at the Four Seasons, he argued that the connections with the Trump Organization had been fabricated in order to frame his company. “This is a conspiracy against us,” he told me. “It is really much bigger than the computers.” Aven did not elaborate, but Jeffrey Birnbaum, a spokesperson for Alfa Bank, supplied more detail. The bank, he said, suspected that “we are victims of classic Russian kompromat—a well-known scam in which Russian competitors pay analysts to write false reports to damage reputations.” Birnbaum described the press inquiries into the matter as an extended affliction. “This has been a terrible ordeal for Alfa Bank, like living through a Kafka novel,” he said. (Max rejected the idea that his group had fabricated data. “If we were going to lie, then we would have made up a much better story than this!” he said.)

Because Alfa Bank did not retain its D.N.S. logs (many large companies don’t), its assessments of what produced the lookups in early 2016 are necessarily speculative. “We are as mystified as anybody about these false allegations,” Birnbaum told me this September. In a series of exchanges over three weeks, he offered a range of possibilities. He suggested that the data had been faked, but also that they had been stolen from the bank’s logs. He attributed the traffic to kompromat, but also expounded a scenario in which it had been caused by a technical glitch: Trump e-mails “hidden” in the system were intermittently processed by the bank’s security software, an application called Trend Micro Deep Discovery Inspector. In this explanation, Trump marketing e-mails from before March, 2016, had made it through the spam filter and been stored in a permanent archive, where the bank backs up all its e-mail. Periodically, the bank re-scanned that archive, as updates to the security software provided new information about which senders might be unsafe. During scans, the system performed D.N.S. lookups for every domain name contained in every e-mail. In the course of several months, the bank said, this could account for the traffic.

The experts I spoke to confirmed that this was a technically plausible, if highly inefficient, way to configure security software. But the explanation raised questions of its own. Alfa Bank said that its scans ran for two days after each update. But Max’s data don’t show a consistent pattern of two-day spikes. Another concern lay in the chronology. The bank had received e-mails from the Trump domain in late 2015 and early 2016, which should have triggered lookups. But, according to the data, the lookups didn’t begin until May, 2016. In response to a question about this discrepancy, Birnbaum said that the Trend Micro software had not been “fully integrated” until March—but that wouldn’t account for the time between March and May.

A third problem was that, if Alfa Bank wasn’t receiving new e-mails from the Trump Organization after March, 2016, then the number of Trump e-mails in the archive—and thus the number of lookups—should have remained steady through the summer. But Max’s data showed a different pattern: no lookups in the spring, a small number in May, and then a slow increase starting in June, with spikes that lasted until the system went offline. When asked about the increase, Birnbaum offered another refinement of the explanation. The bank had previously said that the software had performed checks of old e-mails “multiple times over the six-month period.” Now he said that a security update “around August” had caused old e-mails to be re-scanned.

In any case, for an explanation of this kind to work, it would require the servers at Spectrum Health to be simultaneously experiencing the same glitch, or another one with similar effects. (Spectrum declined to answer questions about its computer systems.) Trend Micro has thousands of users, most of them businesses, but in the sample that Max and his colleagues could see, only Alfa Bank and Spectrum Health exhibited this peculiar behavior.

For some, the most baffling part of the puzzle was the way that the lookups stopped. The Trump domain vanished from the Web on the morning of Friday, September 23rd, two days after the Times presented its data to B.G.R., Alfa Bank’s lobbyists in Washington, but before it called Trump or Cendyn. In Max’s view, this was evidence of direct contact between Alfa Bank and Trump. One researcher whom Foer interviewed put it vividly: “The knee was hit in Moscow, the leg kicked in New York.” There is, however, at least one possibility that doesn’t involve Moscow: the lobbyists in Washington could have passed along a warning to Trump, as a courtesy. But B.G.R. denies doing this, calling the idea “ridiculous on its face.”

Whatever the reason that the Trump domain vanished, Alfa Bank’s servers continued trying to look it up: Max’s group observed fifteen failed attempts that Friday, twenty-eight on Saturday, none on Sunday, ninety on Monday, twenty on Tuesday. Spectrum Health’s machine kept trying, too, in a weeklong spasm of activity that entailed thousands of seemingly automated lookups. Spectrum never succeeded in relocating the Trump server—but Alfa did. On the night of Tuesday, September 27th, ten minutes after the bank made its last failed attempt, it looked up the domain name trump1.contact-client.com—which was, it turned out, another route to the same Trump server.

The alternative domain name does not appear to have been previously active; no one has produced an e-mail sent from it. So how did Alfa find it? The easiest method would have been by consulting a PTR record, which shows what domain names are associated with a given I.P. address. But the PTR record for the Trump address did not include the alternative name.

Birnbaum said that Alfa Bank’s researchers, investigating the traffic, found the new name in other public records and then performed a test lookup. Vixie said that such a lookup would be unusual, and questioned why the bank would feel that it was necessary: “Why did Alfa look up either name? And especially the second name?”

According to Max’s data, Alfa Bank looked up the new domain name only once. In the following months, he and his group stopped collecting data on the Trump Organization domains. After the Slate story came out, curious readers looked up the address thousands of times, and the D.N.S. traffic devolved into statistical noise. The Trump Organization now controls the original domain; in March, 2017, Cendyn told CNN that it had been “transferred back.” Records show that Cendyn handed over the domain only a few days before the CNN story ran—a year after the last e-mail was sent from it. Jones’s team believed that Cendyn had continued its relationship with the Trump Organization in 2016. “There were thousands of e-mails between Trump and Cendyn through the entire period that Alfa Bank was looking up the Trump server,” Max told me. Cendyn said that this was “regular business correspondence,” related to transferring back the domain. When I called the company’s C.E.O., Richard Deyo, to ask more broadly about the situation, he said, “This is old news—that’s just Internet traffic,” and then hung up. A spokesperson for Serenata, which took over Trump’s hotel marketing, told me that the company had nothing to say. “Don’t call again,” she said.

As Jones’s team sifted through explanations for the traffic, they began constructing their own theory. “What you have here is a minimally viable technical footprint of a small number of people who are using what I suspect is an ad-hoc system to communicate,” Paul said. “Anytime the F.B.I. or anyone else pulls apart a cyber-crime organization, there is always some communication structure that’s used for command and control. That’s where the high-value communications happen.” (Max and his colleagues did not see any D.N.S. evidence that the Trump Organization was attempting to access the server; they speculated that the organization was using a virtual private network, or V.P.N., a common security measure that obscures users’ digital footprints.)

If this was a communications mechanism, it appeared to have been relatively simple, suggesting that it had been set up spontaneously and refined over time. Because the Trump Organization did not have administrative control of the server, Paul and Leto theorized that any such system would have incorporated software that one of the parties was already using. “The likely scenario is not that the people using the server were incredibly sophisticated networking geniuses doing something obscure and special,” Max said. “The likely scenario is that they adapted a server and vender already available to them, which they felt was away from prying eyes.” Leto told me that he envisioned “something like a bulletin-board system.” Or it could have been an instant-messaging system that was part of software already in use on the server.

Kramer, of Listrak, insisted that his company’s servers were used exclusively for mass marketing. “We only do one thing here,” he told me. But Listrak’s services can be integrated with numerous Cendyn software packages, some of which allow instant messaging. One possibility is Metron, used to manage events at hotels. In fact, the Trump Organization’s October, 2016, statement, blaming the unusual traffic on a “banking customer” of Cendyn, suggested that the communications had gone through Metron, which supports both messaging and e-mail.

The parties might also have been using Webmail—e-mail that leaves few digital traces, other than D.N.S. lookups. Or, Paul and Leto said, they could have been communicating through software used to compose marketing e-mails. They might have used a method called foldering, in which messages are written but not sent; instead, they are saved in a drafts folder, where an accomplice who also has access to the account can read them. “This is a very common way for people to communicate with each other who don’t want to be detected,” Leto told me. David Petraeus, when he was the director of the C.I.A., used this method to exchange intimacies—and to share classified information—with his lover, Paula Broadwell. In June, an attorney for the Mueller investigation accused Paul Manafort of using foldering to facilitate secret communications.

Given the limitations of D.N.S. data, none of the independent experts I spoke to could be certain of what Alfa Bank and the Trump Organization were doing. Some of them cautioned that it was impossible even to guess at every way that an e-mail system might malfunction. A senior analyst at a D.N.S.-service provider said, “Things can get messed up in unexpected ways.” But Paul and Leto maintained that they had considered and rejected every scenario that they had encountered in decades of cybersecurity work. “Is it possible there is an innocuous explanation for all this?” Paul said. “Yes, of course. And it’s also possible that space aliens did this. It’s possible—just not very likely.”

Paul and Leto periodically went back to Max in the course of their research, interrogating his assumptions and asking for more information. In one tranche of data that he gave them, they noticed that a third entity, in addition to Alfa Bank and Spectrum Health, had been looking up the Trump domain: Heartland Payment Systems, a payments processor based in Princeton. Of the thirty-five hundred D.N.S. queries seen for the Trump domain, Heartland made only seventy-six—but no other visible entity made more than two. Heartland had a link to Alfa Bank, but a tenuous one. It had recently been acquired by Global Payments, which, in 2009, had paid seventy-five million dollars for United Card Services, Russia’s leading credit-card-processing company; two years later, United Card Services bought Alfa Bank’s credit-card-processing unit. (A spokesperson for Global Payments said that her company had never had any relationship with the Trump Organization or with Alfa Bank, and that its U.S. and Russia operations functioned entirely independently.)

Spectrum Health has a similarly indirect business tie to Alfa Bank. Richard DeVos’ father co-founded Amway, and his brother, Doug, has served as the company’s president since 2002. In 2014, Amway joined with Alfa Bank to create an “Alfa-Amway” loyalty-card program in Russia. But such connections are circumstantial at best; the DeVos family seems far more clearly linked to Trump than to Russia.

If Trump and Alfa Bank—as well as Spectrum Health and Heartland Payment Systems—were communicating, what might they have been talking about? Max and some of the other scientists I spoke to theorized that they may have been using the system to signal one another about events or tasks that had to be performed: money to be transferred, for instance, or data to be copied. “My guess is that, whenever someone wanted to talk, they would do a D.N.S. lookup and then route the traffic somewhere else,” Richard Clayton, of the University of Cambridge, said. Camp also speculated that the system may have been used to coördinate the movement of data. She noted that Cambridge Analytica, which was working for the Trump campaign, took millions of personal records from Facebook. In Camp’s scenario, these could have been transferred to the Russian government, to help guide its targeting of American voters before the election.

The researchers I spoke with were careful to point out that the limits of D.N.S. data prevent them from going beyond speculation. If employees of the companies were talking, the traffic reveals nothing about who they were or what they were saying; it is difficult to rule out something as banal as a protracted game of video poker. “If I’m a cop, I’m not going to take this to the D.A. and say we’re ready to prosecute,” Leto said. “I’m going to say we have enough to ask for a search warrant.” More complete information could be difficult to obtain. This March, after Republicans on the House Intelligence Committee announced that it had found no evidence of collusion between the Trump campaign and Russia, the committee’s Democrats filed a dissent, arguing that there were many matters still to be investigated, including the Trump Organization’s connections to Alfa Bank. The Democrats implored the majority to force Cendyn to turn over computer data that would help determine what had happened. Those records could show who in the Trump Organization used the server. There would probably also be a record of who shut down the Trump domain after the Times contacted Alfa Bank. Cendyn might have records of any outgoing communications sent by the Trump Organization. But the request for further investigation is unlikely to proceed as long as Republicans hold the majority. “We’ve all looked at the data, and it doesn’t look right,” a congressional staffer told me. “But how do you get to the truth?”

The enigma, for now, remains an enigma. The only people likely to finally resolve the question of Alfa Bank and the Trump Organization are federal investigators. Max told me that no one in his group had been contacted. But, he said, it wasn’t necessary for anyone in the F.B.I. to talk to him, if the agents gathered the right information from other sources, like Listrak and Cendyn. “I hope Mueller has all of it,” he said.

cont. Trump Engaged in Suspect Tax Schemes as He Reaped Riches From His Father: A Family Reckoning

Fred Trump had given careful thought to what would become of his empire after he died, and had hired one of the nation’s top estate lawyers to draft his will. But in December 1990, Donald Trump sent his father a document, drafted by one of his own lawyers, that sought to make significant changes to that will.
Fred Trump, then 85, had never before set eyes on the document, 12 pages of dense legalese. Nor had he authorized its preparation. Nor had he met the lawyer who drafted it.
Yet his son sent instructions that he needed to sign it immediately.
What happened next was described years later in sworn depositions by members of the Trump family during a dispute, later settled, over the inheritance Fred Trump left to Fred Jr.’s children. These depositions, obtained by The Times, reveal something startling: Fred Trump believed that the document potentially put his life’s work at risk.
The document, known as a codicil, did many things. It protected Donald Trump’s portion of the inheritance from his creditors and from his impending divorce settlement with his first wife, Ivana Trump. It strengthened provisions in the existing will making him the sole executor of his father’s estate. But more than any of the particulars, it was the entirety of the codicil and its presentation as a fait accompli that alarmed Fred Trump, the depositions show. He confided to family members that he viewed the codicil as an attempt to go behind his back and give his son total control over his affairs. He said he feared that it could let Donald Trump denude his empire, even using it as collateral to rescue his failing businesses. (It was, in fact, the very month of the $3.5 million casino rescue.)
As close as they were — or perhaps because they were so close — Fred Trump did not immediately confront his son. Instead he turned to his daughter Maryanne Trump Barry, then a federal judge whom he often consulted on legal matters. “This doesn’t pass the smell test,” he told her, she recalled during her deposition. When Judge Barry read the codicil, she reached the same conclusion. “Donald was in precarious financial straits by his own admission,” she said, “and Dad was very concerned as a man who worked hard for his money and never wanted any of it to leave the family.” (In a brief telephone interview, Judge Barry declined to comment.)
Fred Trump took prompt action to thwart his son. He dispatched his daughter to find new estate lawyers. One of them took notes on the instructions she passed on from her father: “Protect assets from DJT, Donald’s creditors.” The lawyers quickly drafted a new codicil stripping Donald Trump of sole control over his father’s estate. Fred Trump signed it immediately.
Clumsy as it was, Donald Trump’s failed attempt to change his father’s will brought a family reckoning about two related issues: Fred Trump’s declining health and his reluctance to relinquish ownership of his empire. Surgeons had removed a neck tumor a few years earlier, and he would soon endure hip replacement surgery and be found to have mild senile dementia. Yet for all the financial support he had lavished on his children, for all his abhorrence of taxes, Fred Trump had stubbornly resisted his advisers’ recommendations to transfer ownership of his empire to the children to minimize estate taxes.
With every passing year, the actuarial odds increased that Fred Trump would die owning apartment buildings worth many hundreds of millions of dollars, all of it exposed to the 55 percent estate tax. Just as exposed was the mountain of cash he was sitting on. His buildings, well maintained and carrying little debt, consistently produced millions of dollars a year in profits. Even after he paid himself $109.7 million from 1988 through 1993, his companies were holding $50 million in cash and investments, financial records show. Tens of millions of dollars more passed each month through a maze of personal accounts at Chase Manhattan Bank, Chemical Bank, Manufacturers Hanover Trust, UBS, Bowery Savings and United Mizrahi, an Israeli bank.
Simply put, without immediate action, Fred Trump’s heirs faced the prospect of losing hundreds of millions of dollars to estate taxes.
Whatever their differences, the Trumps formulated a plan to avoid this fate. How they did it is a story never before told.
It is also a story in which Donald Trump played a central role. He took the lead in strategy sessions where the plan was devised with the consent and participation of his father and his father’s closest advisers, people who attended the meetings told The Times. Robert Trump, the youngest sibling and the beta to Donald’s alpha, was given the task of overseeing day-to-day details. After years of working for his brother, Robert Trump went to work for his father in late 1991.
The Trumps’ plan, executed over the next decade, blended traditional techniques — such as rewriting Fred Trump’s will to maximize tax avoidance — with unorthodox strategies that tax experts told The Times were legally dubious and, in some cases, appeared to be fraudulent. As a result, the Trump children would gain ownership of virtually all of their father’s buildings without having to pay a penny of their own. They would turn the mountain of cash into a molehill of cash. And hundreds of millions of dollars that otherwise would have gone to the United States Treasury would instead go to Fred Trump’s children.

‘A Disguised Gift’

A family company let Fred Trump funnel money to his children by effectively overcharging himself for repairs and improvements on his properties. 

One of the first steps came on Aug. 13, 1992, when the Trumps incorporated a company named All County Building Supply & Maintenance.
All County had no corporate offices. Its address was the Manhasset, N.Y., home of John Walter, a favorite nephew of Fred Trump’s. Mr. Walter, who died in January, spent decades working for Fred Trump, primarily helping computerize his payroll and billing systems. He also was the unofficial keeper of Fred Trump’s personal and business papers, his basement crowded with boxes of old Trump financial records. John Walter and the four Trump children each owned 20 percent of All County, records show.
All County’s main purpose, The Times found, was to enable Fred Trump to make large cash gifts to his children and disguise them as legitimate business transactions, thus evading the 55 percent tax.
The way it worked was remarkably simple.
Each year Fred Trump spent millions of dollars maintaining and improving his properties. Some of the vendors who supplied his building superintendents and maintenance crews had been cashing Fred Trump’s checks for decades. Starting in August 1992, though, a different name began to appear on their checks — All County Building Supply & Maintenance.
Mr. Walter’s computer systems, meanwhile, churned out All County invoices that billed Fred Trump’s empire for those same services and supplies, with one difference: All County’s invoices were padded, marked up by 20 percent, or 50 percent, or even more, records show.
The Trump siblings split the markup, along with Mr. Walter.
The self-dealing at the heart of this arrangement was best illustrated by Robert Trump, whose father paid him a $500,000 annual salary. He approved many of the payments Fred Trump’s empire made to All County; he was also All County’s chief executive, as well as a co-owner. As for the work of All County — generating invoices — that fell to Mr. Walter, also on Fred Trump’s payroll, along with a personal assistant Mr. Walter paid to work on his side businesses.
Years later, in his deposition during the dispute over Fred Trump’s estate, Robert Trump would say that All County actually saved Fred Trump money by negotiating better deals. Given Fred Trump’s long experience expertly squeezing better prices out of contractors, it was a surprising claim. It was also not true.
The Times’s examination of thousands of pages of financial documents from Fred Trump’s buildings shows that his costs shot up once All County entered the picture.

Beach Haven Apartments illustrates how this happened: In 1991 and 1992, Fred Trump bought 78 refrigerator-stove combinations for Beach Haven from Long Island Appliance Wholesalers. The average price was $642.69. But in 1993, when he began paying All County for refrigerator-stove combinations, the price jumped by 46 percent. Likewise, the price he paid for trash-compacting services at Beach Haven increased 64 percent. Janitorial supplies went up more than 100 percent. Plumbing repairs and supplies rose 122 percent. And on it went in building after building. The more Fred Trump paid, the more All County made, which was precisely the plan.
While All County systematically overcharged Fred Trump for thousands of items, the job of negotiating with vendors fell, as it always had, to Fred Trump and his staff.
Leon Eastmond can attest to this.
Mr. Eastmond is the owner of A. L. Eastmond & Sons, a Bronx company that makes industrial boilers. In 1993, he and Fred Trump met at Gargiulo’s, an old-school Italian restaurant in Coney Island that was one of Fred Trump’s favorites, to hash out the price of 60 boilers. Fred Trump, accompanied by his secretary and Robert Trump, drove a hard bargain. After negotiating a 10 percent discount, he made one last demand: “I had to pay the tab,” Mr. Eastmond recalled with a chuckle.
There was no mention of All County. Mr. Eastmond first heard of the company when its checks started rolling in. “I remember opening my mail one day and out came a check for $100,000,” he recalled. “I didn’t recognize the company. I didn’t know who the hell they were.”
But as All County paid Mr. Eastmond the price negotiated by Fred Trump, its invoices to Fred Trump were padded by 20 to 25 percent, records obtained by The Times show. This added hundreds of thousands of dollars to the cost of the 60 boilers, money that then flowed through All County to Fred Trump’s children without incurring any gift tax.
All County’s owners devised another ruse to profit off Mr. Eastmond’s boilers. To win Fred Trump’s business, Mr. Eastmond had also agreed to provide mobile boilers for Fred Trump’s buildings free of charge while new boilers were being installed. Yet All County charged Fred Trump rent on the same mobile boilers Mr. Eastmond was providing free, along with hookup fees, disconnection fees, transportation fees and operating and maintenance fees, records show. These charges siphoned hundreds of thousands of dollars more from Fred Trump’s empire.
Mr. Walter, asked during a deposition why Fred Trump chose not to make himself one of All County’s owners, replied, “He said because he would have to pay a death tax on it.”
After being briefed on All County by The Times, Mr. Tritt, the University of Florida law professor, said the Trumps’ use of the company was “highly suspicious” and could constitute criminal tax fraud. “It certainly looks like a disguised gift,” he said.
While All County was all upside for Donald Trump and his siblings, it had an insidious downside for Fred Trump’s tenants.
As an owner of rent-stabilized buildings in New York, Fred Trump needed state approval to raise rents beyond the annual increases set by a government board. One way to justify a rent increase was to make a major capital improvement. It did not take much to get approval; an invoice or canceled check would do if the expense seemed reasonable.
The Trumps used the padded All County invoices to justify higher rent increases in Fred Trump’s rent-regulated buildings. Fred Trump, according to Mr. Walter, saw All County as a way to have his cake and eat it, too. If he used his “expert negotiating ability” to buy a $350 refrigerator for $200, he could raise the rent based only on that $200, not on the $350 sticker price “a normal person” would pay, Mr. Walter explained. All County was the way around this problem. “You have to understand the thinking that went behind this,” he said.
As Robert Trump acknowledged in his deposition, “The higher the markup would be, the higher the rent that might be charged.”
State records show that after All County’s creation, the Trumps got approval to raise rents on thousands of apartments by claiming more than $30 million in major capital improvements. Tenants repeatedly protested the increases, almost always to no avail, the records show.
One of the improvements most often cited by the Trumps: new boilers.
“All of this smells like a crime,” said Adam S. Kaufmann, a former chief of investigations for the Manhattan district attorney’s office who is now a partner at the law firm Lewis Baach Kaufmann Middlemiss. While the statute of limitations has long since lapsed, Mr. Kaufmann said the Trumps’ use of All County would have warranted investigation for defrauding tenants, tax fraud and filing false documents.
Mr. Harder, the president’s lawyer, disputed The Times’s reporting: “Should The Times state or imply that President Trump participated in fraud, tax evasion or any other crime, it will be exposing itself to substantial liability and damages for defamation.”
All County was not the only company the Trumps set up to drain cash from Fred Trump’s empire. A lucrative income source for Fred Trump was the management fees he charged his buildings. His primary management company, Trump Management, earned $6.8 million in 1993 alone. The Trumps found a way to redirect those fees to the children, too.
On Jan. 21, 1994, they created a company called Apartment Management Associates Inc., with a mailing address at Mr. Walter’s Manhasset home. Two months later, records show, Apartment Management started collecting fees that had previously gone to Trump Management.
The only difference was that Donald Trump and his siblings owned Apartment Management.
Between All County and Apartment Management, Fred Trump’s mountain of cash was rapidly dwindling. By 1998, records show, All County and Apartment Management were generating today’s equivalent of $2.2 million a year for each of the Trump children. Whatever income tax they owed on this money, it was considerably less than the 55 percent tax Fred Trump would have owed had he simply given each of them $2.2 million a year.
But these savings were trivial compared with those that would come when Fred Trump transferred his empire — the actual bricks and mortar — to his children.


The Alchemy of Value

The transfer of most of Fred Trump’s empire to his children began with a ‘friendly’ appraisal and an incredible shrinking act.

In his 90th year, Fred Trump still showed up at work a few days a week, ever dapper in suit and tie. But he had trouble remembering names — his dementia was getting worse — and he could get confused. In May 1995, with an unsteady hand, he signed documents granting Robert Trump power of attorney to act “in my name, place and stead.”
Six months later, on Nov. 22, the Trumps began transferring ownership of most of Fred Trump’s empire. (A few properties were excluded.) The instrument they used to do this was a special type of trust with a clunky acronym only a tax lawyer could love: GRAT, short for grantor-retained annuity trust.
GRATs are one of the tax code’s great gifts to the ultrawealthy. They let dynastic families like the Trumps pass wealth from one generation to the next — be it stocks, real estate, even art collections — without paying a dime of estate taxes.
The details are numbingly complex, but the mechanics are straightforward. For the Trumps, it meant putting half the properties to be transferred into a GRAT in Fred Trump’s name and the other half into a GRAT in his wife’s name. Then Fred and Mary Trump gave their children roughly two-thirds of the assets in their GRATs. The children bought the remaining third by making annuity payments to their parents over the next two years. By Nov. 22, 1997, it was done; the Trump children owned nearly all of Fred Trump’s empire free and clear of estate taxes.
As for gift taxes, the Trumps found a way around those, too.
The entire transaction turned on one number: the market value of Fred Trump’s empire. This determined the amount of gift taxes Fred and Mary Trump owed for the portion of the empire they gave to their children. It also determined the amount of annuity payments their children owed for the rest.
The I.R.S. recognizes that GRATs create powerful incentives to greatly undervalue assets, especially when those assets are not publicly traded stocks with transparent prices. Indeed, every $10 million reduction in the valuation of Fred Trump’s empire would save the Trumps either $10 million in annuity payments or $5.5 million in gift taxes. This is why the I.R.S. requires families taking advantage of GRATs to submit independent appraisals and threatens penalties for those who lowball valuations.
In practice, though, gift tax returns get little scrutiny from the I.R.S. It is an open secret among tax practitioners that evasion of gift taxes is rampant and rarely prosecuted. Punishment, such as it is, usually consists of an auditor’s requiring a tax payment closer to what should have been paid in the first place. “GRATs are typically structured so that no tax is due, which means the I.R.S. has reduced incentive to audit them,” said Mitchell Gans, a professor of tax law at Hofstra University. “So if a gift is in fact undervalued, it may very well go unnoticed.”
This appears to be precisely what the Trumps were counting on. The Times found evidence that the Trumps dodged hundreds of millions of dollars in gift taxes by submitting tax returns that grossly undervalued the real estate assets they placed in Fred and Mary Trump’s GRATs.
According to Fred Trump’s 1995 gift tax return, obtained by The Times, the Trumps claimed that properties including 25 apartment complexes with 6,988 apartments — and twice the floor space of the Empire State Building — were worth just $41.4 million. The implausibility of this claim would be made plain in 2004, when banks put a valuation of nearly $900 million on that same real estate.
The methods the Trumps used to pull off this incredible shrinking act were hatched in the strategy sessions Donald Trump participated in during the early 1990s, documents and interviews show. Their basic strategy had two components: Get what is widely known as a “friendly” appraisal of the empire’s worth, then drive that number even lower by changing the ownership structure to make the empire look less valuable to the I.R.S.
A crucial step was finding a property appraiser attuned to their needs. As anyone who has ever bought or sold a home knows, appraisers can arrive at sharply different valuations depending on their methods and assumptions. And like stock analysts, property appraisers have been known to massage those methods and assumptions in ways that coincide with their clients’ interests.
The Trumps used Robert Von Ancken, a favorite of New York City’s big real estate families. Over a 45-year career, Mr. Von Ancken has appraised many of the city’s landmarks, including Rockefeller Center, the World Trade Center, the Chrysler Building and the Empire State Building. Donald Trump recruited him after Fred Trump Jr. died and the family needed friendly appraisals to help shield the estate from taxes.
Mr. Von Ancken appraised the 25 apartment complexes and other properties in the Trumps’ GRATs and concluded that their total value was $93.9 million, tax records show.
To assess the accuracy of those valuations, The Times examined the prices paid for comparable apartment buildings that sold within a year of Mr. Von Ancken’s appraisals. A pattern quickly emerged. Again and again, buildings in the same neighborhood as Trump buildings sold for two to four times as much per square foot as Mr. Von Ancken’s appraisals, even when the buildings were decades older, had fewer amenities and smaller apartments, and were deemed less valuable by city property tax appraisers.
Mr. Von Ancken valued Argyle Hall, a six-story brick Trump building in Brooklyn, at $9.04 per square foot. Six blocks away, another six-story brick building, two decades older, had sold a few months earlier for nearly $30 per square foot. He valued Belcrest Hall, a Trump building in Queens, at $8.57 per square foot. A few blocks away, another six-story brick building, four decades older with apartments a third smaller, sold for $25.18 per square foot.

The pattern persisted with Fred Trump’s higher-end buildings. Mr. Von Ancken appraised Lawrence Towers, a Trump building in Brooklyn with spacious balcony apartments, at $24.54 per square foot. A few months earlier, an apartment building abutting car repair shops a mile away, with units 20 percent smaller, had sold for $48.23 per square foot.

The Times found even starker discrepancies when comparing the GRAT appraisals against appraisals commissioned by the Trumps when they had an incentive to show the highest possible valuations.
Such was the case with Patio Gardens, a complex of nearly 500 apartments in Brooklyn.
Of all Fred Trump’s properties, Patio Gardens was one of the least profitable, which may be why he decided to use it as a tax deduction. In 1992, he donated Patio Gardens to the National Kidney Foundation of New York/New Jersey, one of the largest charitable donations he ever made. The greater the value of Patio Gardens, the bigger his deduction. The appraisal cited in Fred Trump’s 1992 tax return valued Patio Gardens at $34 million, or $61.90 a square foot.
By contrast, Mr. Von Ancken’s GRAT appraisals found that the crown jewels of Fred Trump’s empire, Beach Haven and Shore Haven, with five times as many apartments as Patio Gardens, were together worth just $23 million, or $11.01 per square foot.
In an interview, Mr. Von Ancken said that because neither he nor The Times had the working papers that described how he arrived at his valuations, there was simply no way to evaluate the methodologies behind his numbers. “There would be explanations within the appraisals to justify all the values,” he said, adding, “Basically, when we prepare these things, we feel that these are going to be presented to the Internal Revenue Service for their review, and they better be right.”
Of all the GRAT appraisals Mr. Von Ancken did for the Trumps, the most startling was for 886 rental apartments in two buildings at Trump Village, a complex in Coney Island. Mr. Von Ancken claimed that they were worth less than nothing — negative $5.9 million, to be exact. These were the same 886 units that city tax assessors valued that same year at $38.1 million, and that a bank would value at $106.6 million in 2004.

It appears Mr. Von Ancken arrived at his negative valuation by departing from the methodology that he has repeatedly testified is most appropriate for properties like Trump Village, where past years’ profits are a poor gauge of future value.
In 1992, the Trumps had removed the two Trump Village buildings from an affordable housing program so they could raise rents and increase their profits. But doing so cost them a property tax exemption, which temporarily put the buildings in the red. The methodology described by Mr. Von Ancken would have disregarded this blip into the red and valued the buildings based on the higher rents the Trumps would be charging. Mr. Von Ancken, however, appears to have based his valuation on the blip, producing an appraisal that, taken at face value, meant Fred Trump would have had to pay someone millions of dollars to take the property off his hands.
Mr. Von Ancken told The Times that he did not recall which appraisal method he used on the two Trump Village buildings. “I can only say that we value the properties based on market information, and based on the expected income and expenses of the building and what they would sell for,” he said. As for the enormous gaps between his valuation and the 1995 city property tax appraisal and the 2004 bank valuation, he argued that such comparisons were pointless. “I can’t say what happened afterwards,” he said. “Maybe they increased the income tremendously.”

The Minority Owner

To further whittle the empire’s valuation, the family created the appearance that Fred Trump held only 49.8 percent.

Armed with Mr. Von Ancken’s $93.9 million appraisal, the Trumps focused on slashing even this valuation by changing the ownership structure of Fred Trump’s empire.
The I.R.S. has long accepted the idea that ownership with control is more valuable than ownership without control. Someone with a controlling interest in a building can decide if and when the building is sold, how it is marketed and what price to accept. However, since someone who owns, say, 10 percent of a $100 million building lacks control over any of those decisions, the I.R.S. will let him claim that his stake should be taxed as if it were worth only $7 million or $8 million.
But Fred Trump had exercised total control over his empire for more than seven decades. With rare exceptions, he owned 100 percent of his buildings. So the Trumps set out to create the fiction that Fred Trump was a minority owner. All it took was splitting the ownership structure of his empire. Fred and Mary Trump each ended up with 49.8 percent of the corporate entities that owned his buildings. The other 0.4 percent was split among their four children.
Splitting ownership into minority interests is a widely used method of tax avoidance. There is one circumstance, however, where it has at times been found to be illegal. It involves what is known in tax law as the step transaction doctrine — where it can be shown that the corporate restructuring was part of a rapid sequence of seemingly separate maneuvers actually conceived and executed to dodge taxes. A key issue, according to tax experts, is timing — in the Trumps’ case, whether they split up Fred Trump’s empire just before they set up the GRATs.
In all, the Trumps broke up 12 corporate entities to create the appearance of minority ownership. The Times could not determine when five of the 12 companies were divided. But records reveal that the other seven were split up just before the GRATs were established.
The pattern was clear. For decades, the companies had been owned solely by Fred Trump, each operating a different apartment complex or shopping center. In September 1995, the Trumps formed seven new limited liability companies. Between Oct. 31 and Nov. 8, they transferred the deeds to the seven properties into their respective L.L.C.’s. On Nov. 21, they recorded six of the deed transfers in public property records. (The seventh was recorded on Nov. 24.) And on Nov. 22, 49.8 percent of the shares in these seven L.L.C.’s was transferred into Fred Trump’s GRAT and 49.8 percent into Mary Trump’s GRAT.
That enabled the Trumps to slash Mr. Von Ancken’s valuation in a way that was legally dubious. They claimed that Fred and Mary Trump’s status as minority owners, plus the fact that a building couldn’t be sold as easily as a share of stock, entitled them to lop 45 percent off Mr. Von Ancken’s $93.9 million valuation. This claim, combined with $18.3 million more in standard deductions, completed the alchemy of turning real estate that would soon be valued at nearly $900 million into $41.4 million.
According to tax experts, claiming a 45 percent discount was questionable even back then, and far higher than the 20 to 30 percent discount the I.R.S. would allow today.
As it happened, the Trumps’ GRATs did not completely elude I.R.S. scrutiny. Documents obtained by The Times reveal that the I.R.S. audited Fred Trump’s 1995 gift tax return and concluded that Fred Trump and his wife had significantly undervalued the assets being transferred through their GRATs.
The I.R.S. determined that the Trumps’ assets were worth $57.1 million, 38 percent more than the couple had claimed. From the perspective of an I.R.S. auditor, pulling in nearly $5 million in additional revenue could be considered a good day’s work. For the Trumps, getting the I.R.S. to agree that Fred Trump’s properties were worth only $57.1 million was a triumph.
“All estate matters were handled by licensed attorneys, licensed C.P.A.s and licensed real estate appraisers who followed all laws and rules strictly,” Mr. Harder, the president’s lawyer, said in his statement.
In the end, the transfer of the Trump empire cost Fred and Mary Trump $20.5 million in gift taxes and their children $21 million in annuity payments. That is hundreds of millions of dollars less than they would have paid based on the empire’s market value, The Times found.
Better still for the Trump children, they did not have to pay out a penny of their own. They simply used their father’s empire as collateral to secure a line of credit from M&T Bank. They used the line of credit to make the $21 million in annuity payments, then used the revenue from their father’s empire to repay the money they had borrowed.
On the day the Trump children finally took ownership of Fred Trump’s empire, Donald Trump’s net worth instantly increased by many tens of millions of dollars. And from then on, the profits from his father’s empire would flow directly to him and his siblings. The next year, 1998, Donald Trump’s share amounted to today’s equivalent of $9.6 million, The Times found.
This sudden influx of wealth came only weeks after he had published “The Art of the Comeback.”
“I learned a lot about myself during these hard times,” he wrote. “I learned about handling pressure. I was able to home in, buckle down, get back to the basics, and make things work. I worked much harder, I focused, and I got myself out of a box.”
Over 244 pages he did not mention that he was being handed nearly 25 percent of his father’s empire.

Remnants of Empire

After Fred Trump’s death, his children used familiar methods to devalue what little of his life’s work was still in his name.

During Fred Trump’s final years, dementia stole most of his memories. When family visited, there was one name he could reliably put to a face.

Donald.

On June 7, 1999, Fred Trump was admitted to Long Island Jewish Medical Center, not far from the house in Jamaica Estates, for treatment of pneumonia. He died there on June 25, at the age of 93.
Fifteen months later, Fred Trump’s executors — Donald, Maryanne and Robert — filed his estate tax return. The return, obtained by The Times, vividly illustrates the effectiveness of the tax strategies devised by the Trumps in the early 1990s.
Fred Trump, one of the most prolific New York developers of his time, owned just five apartment complexes, two small strip malls and a scattering of co-ops in the city upon his death. The man who paid himself $50 million in 1990 died with just $1.9 million in the bank. He owned not a single stock, bond or Treasury bill. According to his estate tax return, his most valuable asset was a $10.3 million I.O.U. from Donald Trump, money his son appears to have borrowed the year before Fred Trump died.
The bulk of Fred Trump’s empire was nowhere to be found on his estate tax return. And yet Donald Trump and his siblings were not done. Recycling the legally dubious techniques they had mastered with the GRATs, they dodged tens of millions of dollars in estate taxes on the remnants of empire that Fred Trump still owned when he died, The Times found.
As with the GRATs, they obtained appraisals from Mr. Von Ancken that grossly understated the actual market value of those remnants. And as with the GRATs, they aggressively discounted Mr. Von Ancken’s appraisals. The result: They claimed that the five apartment complexes and two strip malls were worth $15 million. In 2004, records show, bankers would put a value of $176.2 million on the exact same properties.
The most improbable of these valuations was for Tysens Park Apartments, a complex of eight buildings with 1,019 units on Staten Island. On the portion of the estate tax return where they were required to list Tysens Park’s value, the Trumps simply left a blank space and claimed they owed no estate taxes on it at all.
As with the Trump Village appraisal, the Trumps appear to have hidden key facts from the I.R.S. Tysens Park, like Trump Village, had operated for years under an affordable housing program that by law capped Fred Trump’s profits. This cap drastically reduced the property’s market value.

Except for one thing: The Trumps had removed Tysens Park from the affordable housing program the year before Fred Trump died, The Times found. When Donald Trump and his siblings filed Fred Trump’s estate tax return, there were no limits on their profits. In fact, they had already begun raising rents.
As their father’s executors, Donald, Maryanne and Robert were legally responsible for the accuracy of his estate tax return. They were obligated not only to give the I.R.S. a complete accounting of the value of his estate’s assets, but also to disclose all the taxable gifts he made during his lifetime, including, for example, the $15.5 million Trump Palace gift to Donald Trump and the millions of dollars he gave his children via All County’s padded invoices.
“If they knew anything was wrong they could be in violation of tax law,” Mr. Tritt, the University of Florida law professor, said. “They can’t just stick their heads in the sand.”
In addition to drastically understating the value of apartment complexes and shopping centers, Fred Trump’s estate tax return made no mention of either Trump Palace or All County.
It wasn’t until after Fred Trump’s wife, Mary, died at 88 on Aug. 7, 2000, that the I.R.S. completed its audit of their combined estates. The audit concluded that their estates were worth $51.8 million, 23 percent more than Donald Trump and his siblings had claimed.
That meant an additional $5.2 million in estate taxes. Even so, the Trumps’ tax bill was a fraction of what they would have owed had they reported the market value of what Fred and Mary Trump owned at the time of their deaths.
Mr. Harder, the president’s lawyer, defended the tax returns filed by the Trumps. “The returns and tax positions that The Times now attacks were examined in real time by the relevant taxing authorities,” he said. “The taxing authorities requested a few minor adjustments, which were made, and then fully approved all of the tax filings. These matters have now been closed for more than a decade.”

A Good Time to Sell

Donald Trump, in financial trouble again, pitched the idea of selling the still-profitable empire that his father had wanted to keep in the family.
In 2003, the Trump siblings gathered at Trump Tower for one of their periodic updates on their inherited empire.
As always, Robert Trump drove into Manhattan with several of his lieutenants. Donald Trump appeared with Allen H. Weisselberg, who had worked for Fred Trump for two decades before becoming his son’s chief financial officer. The sisters, Maryanne Trump Barry and Elizabeth Trump Grau, were there as well.
The meeting followed the usual routine: a financial report, a rundown of operational issues and then the real business — distributing profits to each Trump. The task of handing out the checks fell to Steve Gurien, the empire’s finance chief.
A moment later, Donald Trump abruptly changed the course of his family’s history: He said it was a good time to sell.
Fred Trump’s empire, in fact, was continuing to produce healthy profits, and selling contradicted his stated wish to keep his legacy in the family. But Donald Trump insisted that the real estate market had peaked and that the time was right, according to a person familiar with the meeting.
He was also, once again, in financial trouble. His Atlantic City casinos were veering toward another bankruptcy. His creditors would soon threaten to oust him unless he committed to invest $55 million of his own money.
Yet if Donald Trump’s sudden push to sell stunned the room, it met with no apparent resistance from his siblings. He directed his brother to solicit private bids, saying he wanted the sale handled quickly and quietly. Donald Trump’s signature skill — drumming up publicity for the Trump brand — would sit this one out.

Three potential bidders were given access to the finances of Fred Trump’s empire — 37 apartment complexes and several shopping centers. Ruby Schron, a major New York City landlord, quickly emerged as the favorite. In December 2003, Mr. Schron called Donald Trump and they came to an agreement; Mr. Schron paid $705.6 million for most of the empire, which included paying off the Trumps’ mortgages. A few remaining properties were sold to other buyers, bringing the total sales price to $737.9 million.
On May 4, 2004, the Trump children spent most of the day signing away ownership of what their father had doggedly built over 70 years. The sale received little news coverage, and an article in The Staten Island Advance included the rarest of phrases: “Trump did not return a phone call seeking comment.”
Even more extraordinary was this unreported fact: The banks financing Mr. Schron’s purchase valued Fred Trump’s empire at nearly $1 billion. In other words, Donald Trump, master dealmaker, sold his father’s empire for hundreds of millions less than it was worth.
Within a year of the sale, Mr. Trump spent $149 million in cash on a rapid series of transactions that bolstered his billionaire bona fides. In June 2004 he agreed to pay $73 million to buy out his partner in the planned Trump International Hotel & Tower in Chicago. (“I’m just buying it with my own cash,” he told reporters.) He paid $55 million in cash to make peace with his casino creditors. Then he put up $21 million more in cash to help finance his purchase of Maison de l’Amitié, a waterfront mansion in Palm Beach, Fla., that he later sold to a Russian oligarch.
*****
The first season of “The Apprentice” was broadcast in 2004, just as Donald Trump was wrapping up the sale of his father’s empire. The show’s opening montage — quick cuts of a glittering Trump casino, then Trump Tower, then a Trump helicopter mid-flight, then a limousine depositing the man himself at the steps of his jet, all set to the song “For the Love of Money” — is a reminder that the story of Donald Trump is fundamentally a story of money.
Money is at the core of the brand Mr. Trump has so successfully sold to the world. Yet essential to that mythmaking has been keeping the truth of his money — how much of it he actually has, where and whom it came from — hidden or obscured. Across the decades, aided and abetted by less-than-aggressive journalism, Mr. Trump has made sure his financial history would be sensationalized far more than seen.

Just this year, in a confessional essay for The Washington Post, Jonathan Greenberg, a former reporter for Forbes, described how Mr. Trump, identifying himself as John Barron, a spokesman for Donald Trump, repeatedly and flagrantly lied to get himself on the magazine’s first-ever list of wealthiest Americans in 1982. Because of Mr. Trump’s refusal to release his tax returns, the public has been left to interpret contradictory glimpses of his income offered up by anonymous leaks. A few pages from one tax return, mailed to The Times in September 2016, showed that he declared a staggering loss of $916 million in 1995. A couple of pages from another return, disclosed on Rachel Maddow’s program, showed that he earned an impressive $150 million in 2005.
In a statement to The Times, the president’s spokeswoman, Sarah Huckabee Sanders, reiterated what Mr. Trump has always claimed about the evolution of his fortune: “The president’s father gave him an initial $1 million loan, which he paid back. President Trump used this money to build an incredibly successful company as well as net worth of over $10 billion, including owning some of the world’s greatest real estate.”
Today, the chasm between that claim of being worth more than $10 billion and a Bloomberg estimate of $2.8 billion reflects the depth of uncertainty that remains about one of the most chronicled public figures in American history. Questions about newer money sources are rapidly accumulating because of the Russia investigation and lawsuits alleging that Mr. Trump is violating the Constitution by continuing to do business with foreign governments.
But the more than 100,000 pages of records obtained during this investigation make it possible to sweep away decades of misinformation and arrive at a clear understanding about the original source of Mr. Trump’s wealth — his father.
Here is what can be said with certainty: Had Mr. Trump done nothing but invest the money his father gave him in an index fund that tracks the Standard & Poor’s 500, he would be worth $1.96 billion today. As for that $1 million loan, Fred Trump actually lent him at least $60.7 million, or $140 million in today’s dollars, The Times found.
And there is one more Fred Trump windfall coming Donald Trump’s way. Starrett City, the Brooklyn housing complex that the Trumps invested in back in the 1970s, sold this year for $905 million. Donald Trump’s share of the proceeds is expected to exceed $16 million, records show.
It was an investment made with Fred Trump’s money and connections. But in Donald Trump’s version of his life, Starrett City is always and forever “one of the best investments I ever made.”