The Dreadful Eight: GRU’s Unit 29155 and the 2015 Poisoning of Emilian Gebrev
In a previous investigation, Bellingcat and its investigative partner The Insider reported on the presence of a senior GRU officer, Denis Sergeev aka “Sergey Fedotov”, in Bulgaria at the time when a Bulgarian arms manufacturer collapsed into a coma following what was identified as poisoning by an unknown neuroparalytic substance.
At that same time, the entrepreneur’s son and the production manager of his factory were also poisoned. A possible second poisoning may have been attempted a month later, days after Gebrev and his son were released from hospital.We have previously identified Denis Sergeev as a Maj. General from Russia’s military intelligence elite overseas clandestine-operations unit, a sub-unit of military unit 29155. He traveled to the UK to coordinate the operation of Col. Chepiga and Col. Mishkin (aka “Boshirov” and “Petrov”) in Salisbury in March 2018. The clandestine sub-unit of GRU’s military unit 29155 is a top-secret intelligence squad comprising of approximately 20 undercover officers with hands-on combat experience and hailing from a broad array of backgrounds, ranging from signals intelligence to medicine.We have previously identified members of this sub-unit as being involved in the destabilization and annexation of Crimea (2014), destabilization campaigns in Moldova (2014), a failed coup in Montenegro (2016), WADA-linked operations in Switzerland (2016-2017).Currently unit 29155 is also under investigations in Spain – after disclosures by Bellingcat – over trips to Barcelona before and during the Catalonia independence referendum in 2017.
In a new joint investigation with Der Spiegel and The Insider, Bellingcat can now reveal that at the heart of the Bulgarian poisoning operation was a team of as many as eight GRU officers – all members of the same unit – who traveled to Bulgaria in the weeks surrounding the poisoning attempt. Crucially, constellations of teams of three – including Maj. General Denis Sergeev – were present in Bulgaria during both suspected poisonings.
The preparations for the attempt on Gebrev’s life may have been months in the making. The first member of the GRU sub-unit to visit frequently Bulgaria was “Vladimir Popov” – one of the two GRU officers indicted by Montenegro for orchestrating the country’s destabilization in late 2016 ahead of its accession to NATO. We previously identified “Vladimir Popov” as GRU officer Vladimir Moiseev.
https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/popov-warsaw-282x300.png 282w" sizes="(max-width: 563px) 100vw, 563px">
GRU officer Vladimir Moiseev, cover name Vladimir Popov. Photo from now defunct social media profile under the fake identity of “Popov”, geo-located to Warsaw, Poland
Approximately one year before Gebrev’s poisoning, Moiseev visited the country in March 2014 (16-18.3), followed by trips in September (12-16.9), November (18-21.11) and December (5-16.12) 2014. His visits were made under his cover persona, which has its own fake backstory as a photographer and journalist for a now-defunct Russian marine insurance journal.
Several months after Popov’s initial trip, several other members of the same GRU unit began regular visits to Bulgaria. “Fedotov” was accompanied by “Pavlov” in late February 2015 (15-22), a week later agents “Kononikhin” and “Lebedev” came on a joint “tourism” trip on 26 February and stayed until 8 March. During the same period, another team member – “Nikitin” also made a short visit to the country. “Popov” came back to Bulgaria during the last three days of their stay – from 6 March to 11 March 2015.
https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_2-300x155.png 300w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_2-768x396.png 768w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_2-1200x619.png 1200w" sizes="(max-width: 1340px) 100vw, 1340px">
Nikolay Ezhov, aka “Nikolay Kononikhin”. Left, Ezhov photo from his driving permit. Right, “Kononikhin”‘s photo from a visa application document
https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_kapr-300x170.jpg 300w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_kapr-768x435.jpg 768w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_kapr-1200x679.jpg 1200w" sizes="(max-width: 1240px) 100vw, 1240px">
Danil Kapralov, aka “Danil Stepanov”. Left, photo from social media profile of Kapralov’s family member, right, photo from “Stepanov’s” travel passport.
Those visits were likely a preparation for the main operation. The immediate arrangements for the operation however appear to have begun on 24 April 2015, when two GRU officers traveling undercover as the tourists “Georgy Gorshkov” and “Sergey Fedotov”, arrived to Bulgaria’s Black Sea resort city of Bourgas. (Gebrev believes he recognized “Gorshkov”’s face when we showed him a photograph, however given the long time after the incident he said he could not be sure).
https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/gorshkov_sharp-236x300.png 236w" sizes="(max-width: 388px) 100vw, 388px">
“Georgy Gorshkov”, one of the GRU team members who traveled to Bulgaria twice around Gebrev’s poisoning. Photo from a passport scan.
“Sergey Pavlov” arrived on the same day directly to the capital Sofia where Gebrev was at the time. Ticketing data shows that both “Fedotov” and “Gorshkov” were supposed to fly back from Sofia to Moscow on 30 April 2015. However, neither of them waited for their return flights. Instead, late on the evening of 28 April 2015, they both flew to Istanbul and then onward from Istanbul’s Ataturk airport for Moscow. The next morning, 29 April 2015, “Pavlov” flew directly to Moscow from Sofia on a Bulgaria Air flight.
https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_pavlov-300x154.png 300w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_pavlov-768x395.png 768w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_pavlov-1200x618.png 1200w" sizes="(max-width: 1387px) 100vw, 1387px">
Sergey Lyutenkov, aka “Sergey Pavlov”. Left, Lyutenkov’s passport photo. Right, “Pavlov”‘s visa application photo.
About 20 hours before the tourists’ premature departure, late in the evening of 27 April 2015, Emilian Gebrev felt the first symptoms of what would soon turn out to be a near-fatal poisoning. Initially he felt a burning sensation in one of his eyes, then the uncomfortable feeling progressed to both of them. Later that night he says he felt dizzy, and had flashes and blurred vision.
He did not read too much into these early symptoms, and attributed them to tiredness or early signs of flu. However, the following day his symptoms progressed, and during dinner with business partners on the evening of 28 April, Emilian Gebrev felt that he was going to collapse. Having a good contact at Sofia’s military hospital, he was rushed there just in time before falling into a coma.
In the next several hours, both his son and his production director – neither of whom attended the dinner – also felt weak and fell down with inexplicable, albeit somewhat less severe symptoms. They all ended up in hospital during the next day.
The medical examination of all three showed symptoms of severe poisoning, with Gebrev’s condition deteriorating the fastest. The medical team treating him was unable to identify the poison, but – partly thanks to experience while deployed in peace-keeping operations in war-zones – the lead doctor was able to mitigate the symptoms sufficiently to maintain Gebrev’s vital signs while keeping him in a medically induced coma.
https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_fed-300x155.png 300w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_fed-768x397.png 768w, https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/comp_fed-1200x621.png 1200w" sizes="(max-width: 1384px) 100vw, 1384px">
Denis Sergeev, aka Sergey Fedotov. Left, still from a 1997 documentary showcasing Sergeev’s role in hostilities in Dagestan. Right, “Fedotov’s photo from a visa application document.
Approximately 20 days after initially being admitted to hospital, Emilian Gebrev’s status improved substantially and he was released. The doctors – still in the dark about the actual cause of his sudden illness – advised Gebrev and his son to spend some time away from the polluted city air, and so they drove to the beach resort of Sinemorets.
It was while the Gebrevs were at their seaside house that a revamped GRU team returned to Bulgaria.
First “Danil Stepanov” arrived on 23 May 2015. The next day he was joined by senior officer “Fedotov” who flew to Sofia on a direct flight from Moscow. “Fedotov” had booked a return ticket on May 28, 2015, however, once again, he did not show up for the flight. Instead, two days later, on 30 May 2015, he took a flight from neighbouring Serbia to Moscow. Notably, on 28 May 2015 the two were joined in Bulgaria by “Gorshkov”, who accompanied “Fedotov” in his detour via Belgrad to Moscow on 30 May. “Danil Stepanov” left Bulgaria on 29 May on a direct flight to Moscow.
On 26 May 2015 – during the stay of “Fedotov” and “Stepanov” in Bulgaria – Gebrev and his son once again felt early symptoms similar to what they had experienced a month prior, and went for examination into Sofia’s military hospital that same evening.
As we reported earlier, Gebrevs diagnosis remained inconclusive with doctors unable to determine the source or type of poisoning. At Gebrev’s own initiative, the Finnish research institute Verifin was asked to analyse serum and urine samples. The analysis performed was not examining the actual poison, but its biological descendants (metabolites) that had remained in the human body. Verifin found traces of two organophosphates that could be linked to pesticides, and a third one that the laboratory was unfamiliar with and could not identify.
Following the news of the Skripals poisoning with Novichok in 2018, and recognizing some of the symptoms described in their case, Gebrev approached Bulgarian authorities with a request to reopen the cold-case investigation and probe for the possible use of Novichok or a similar substance on him. He also urged Bulgarian authorities to request a new chemical analysis of the samples submitted to Verifin in 2015, with the hindsight awareness of the possible use of Novichok, and accumulated knowledge of its residual manifestations in blood and urine. While the Bulgarian government has reopened the investigation and is known to be cooperating with UK law enforcement, Gebrev’s requests for a repeat chemical analysis – in cooperation with the OPCW – have not yet been acted upon.
Possible motivation behind the attack
The precise motivation for the apparent poisoning attempts is still not determined by the Bulgarian investigation, nor is it clear even to the victim. Gebrev’s arms business was not a major factor in arms sales to countries or militant groups that Russia’s Defense Ministry considers adversaries. While Gebrev did export weapons to Georgia during the Russia-Georgian war in 2008 and ended up in a Russian Ministry of Defense blacklist, he tells us his business accounted for no more than 10% of Bulgaria’s total arms sales to Georgia during the war. He is adamant that he did not export arms to Ukraine, directly or indirectly, after Russia annexed Crimea in February 2014.
One possible hypothesis for Gebrev becoming a target was the internal power struggle of oligarchs in Bulgaria, on whom Russia exerted significant influence during the period 2014-2015.
Russia did consider the arms industry in Bulgaria hostile to its interests, since by early 2015, a number of Bulgarian arms manufacturing and exporting companies were scrambling for a clandestine US budget allocation for supplying weapons to the Syrian rebels. The demand for Eastern-type light/medium weapons and munitions had grown exponentially and Bulgarian exporters were eager to get a cut of the allocation. The exported weapons, naturally, were not going directly to the Syrian insurgents armies, but were initially sold to proxies, such as Azerbaijan and Saudi Arabia.
Gebrev insists now that his company, Emco, did not bid for any arms sales under this clandestine program. He says his main export markets – India and Northern Africa – required high volumes and he was fully focused on fulfilling those export commitments. However, an export license application for a shipment to Azerbaijan – that was allegedly intended for Syria – was filed with Bulgarian foreign ministry, coincidentally, on April 27 – hours before Gebrev felt the initial symptoms of poisoning.
Gebrev’s main hypothesis is that this was a forgery by a competitor, who wanted to eliminate his business from the market by turning the Russians against him. We have reviewed correspondence between the Bulgarian Ministry of Foreign Affairs and the Embassy of Azerbaijan from April 2015 which does show that Emco’s name was fraudulently – or erroneously – included in the export request.
https://017qndpynh-flywheel.netdna-ssl.com/wp-content/uploads/2019/11/mfa_bg-235x300.png 235w" sizes="(max-width: 650px) 100vw, 650px">
MFA letter to Azerbaijani correcting the name of the actual export applicant initially listed as Emco
While the timing of this erroneous inclusion of Gebrev’s company into a transaction seen by Russia as hostile, and his initial poisoning, is a remarkable coincidence, it is unlikely that there is a direct causal relationship between the two, as there would not have been sufficient time between the “set-up” and the poisoning operation. At the same time, it is beyond doubt that during 2015, 2016 and 2017 there were attempts to discredit Emco internationally, including through an English-language article in a Bulgarian newspaper that used the false export license application to implicate Emco in arms exports to ISIS-linked militants.
The journalist who authored the article incorrectly implicating Emco cited documents allegedly leaked to it from a little-known organization calling itself “Anonymous Bulgaria”. The only evidence of this organization’s existence is a Twitter account which has posted almost exclusively Kremlin-aligned (dis)information, including an hacked email dump relating to an Azerbaijani company’s alleged involvement in arms trading with ISIS-linked groups, as well as promoting a conspiracy theory that Azerbaijan used diplomatic mail to ship white phosphorus to Armenia for a false-flag attack. After being dismissed from the Bulgarian newspaper over the incorrect reporting, the journalist launched an English-language website called Armswatch.com which publishes information and unverifiable claims focusing on the arms trade usually aligned with Russia’s military-industrial complex. A recent publication alleging illicit Serbian arms exports to Ukraine (and citing 4-years-old data) appeared within hours of the escalation between the Serbian government and Russia following the publication of a surveillance video showing a GRU officer exchanging bags with a Serbian military officer in December 2018.
The long-term campaign against Emco –including by sources aligned and seem to be acting in sync with the Russian military – make it plausible that attempts may have started before the erroneous export application from April 27.
In the absence of logical alternative explanations, Gebrev’s own hypothesis that he may have been targeted based on false information fed by competitors to the Kremlin, stands out as the most plausible scenario.
As we have reported earlier, GRU officers from Unit 21955 traveling undercover are issued passport in batches, and their passports are renewed approximately every two years. Each batch contains sequentially numbered passports, most of which are reserved to GRU officers. This has allowed us to identify all members of this GRU sub-unit by using as seed the cover identities – and associated passport numbers – of the trio of the Skripal-poisoning suspects.
The validation of a suspected officer from this unit can be done by searching for such suspect’s domestic passport number, usually available from a number of leaked car registration or residential databases. Once the number is obtained, we can typically verify if a real person with that identity exists, by searching for that “persons”‘s tax ID number on a Russian government-run website. Cover identities do not have a tax ID number, since they were removed the the tax database following our initial investigations into the Skripal suspects in 2018.
Identifying the real identity – the longest and most cumbersome process – requires trying various permutations of initial, patronyimic and family names, and using the cover persona’s birth date, to locate a candidate with a residential address (current or historic) at one of several known addresses of GRU-linked dormitories.
A final step requires the photographic match between a photo of the cover identity with one of the suspected real identity. A number of different sources are used to locate photographs in each case, including social media (usually of family members), passport dossier files accessed via whistle-blowers, or Schengen visa application documents.