Tracking the Kraken crew’s lies about the “German server”

Jonathan Karl’s book Betrayal recounts one of the strangest episodes of the post-2020 election season. Sometime after Thanksgiving, Trump “Kraken” lawyer Sidney Powell cold called a Pentagon official to demand that he launch a special operation to rescue CIA head Gina Haspel from Germany. According to Powell, millions of votes had been stolen from Trump at a Frankfurt server that belonged to Scytl, an election technology firm. Haspel had rushed there and gotten injured in the battle that followed.

Needless to say, none of this was true. But it wasn’t just an invention of Powell’s fevered imagination. The theory that “votes were stolen on Scytl’s German server” was very much in the Trump Zeitgeist during the November and December that followed the election. Elected officials, ex-military officials, and grassroots alike shared wild stories on social media: that Gina Haspel had confessed and been sent to Gitmo; that DoD and the CIA were involved in a firefight (with each other!) in Frankfurt; and that five Delta Force soldiers were killed as they raided the Scytl servers for evidence.

But—Scytl voting machines are not used in US elections. How, then, did this Spanish firm become such a lightning rod?

Election night reporting

The stories that centered Scytl as the site of vote tampering never made sense.

Many states do use a Scytl product: Clarity election night reporting. On election night, unofficial tallies flow from county offices into Clarity’s service. These are then published for media outlets to base their projections on. The company that sells Clarity is SOE Software, a Tampa-based firm that was bought by Scytl in 2012.

Two key words in the description above: unofficial and tallies.

The results received by Clarity are not the official results—those are still reported out of county offices. There is no flow backwards: Clarity only receives data, and there is no mechanism for that data to flow upstream to county offices and affect the data there. Also, they are tallies. Clarity does not receive individual ballots or votes, only summary-level information.

Thus, even a massive hack that changes election night totals would be insulated from the totals held at county offices, which are the ones that are eventually certified (though it would cause consternation among cable news viewers).

Clarity’s servers do not live in Frankfurt; rather, they are hosted by Amazon’s content delivery network, CloudFront. With such systems, the question of where a server is located is unanswerable with any specificity, much like Schrödinger’s cat; it depends on who is asking and when. The servers themselves are often virtual: nothing but a slice of computation time allocated by Amazon, rather than a physical box. The geolocation reported for the server changes depending on where Amazon wants to direct your traffic—it can conjure up your server into existence at any one of its data centers in 63 cities across the world at any given time.

The theory just never made any sense.

Gohmert’s role

A couple of weeks before Powell’s panicked call to the Pentagon, the theory of ballot theft in Germany had debuted through the mouth of Texas Congressman Louie Gohmert. On November 12th, he went on Newsmax and said that election fraud was proven because they had affidavits. It was a company called Scytl, he said, carefully spelling out S-C-Y-T-L, where the votes had “cycled through though they were not supposed to”. It was the Scytl servers, he claimed, that the US army had gone to Germany to seize.

For evidence he cited a tweet from an anonymous German account (archived by Lead Stories) posted a few days earlier. Translated, it reads: “Something big is coming. The Spanish software company Scytl, which offers election manipulation software used in the USA worldwide, is in the crosshairs. The server for the manipulation was located in Germany (Frankfurt). …. Last night the US ARMY seized the surfers with a huge contingent.”

One might think it odd that a Congressman relied on an unverified tweet for his fact witness, but he had heard this news from a more credible source as well. While he didn’t mention this in his interview, on the same day, Gohmert had also attended a private online prayer meeting, where he mentioned that some “former intel people” had told him “on Sunday” that Scytl servers had been involved in ballot theft.

In other words, on November 8th, barely a day after the networks had announced the election for Biden, some former intelligence officials were already dropping election fraud narratives regarding Scytl servers in Germany into a US Congressperson’s ear.

We now know who the former intelligence official was. But first, a brief digression.

Patrick Byrne’s role

Patrick Byrne, ex-Overstock CEO, former lover of a Russian spy, spent the months after the election heavily pushing election denialism.

In his book, Deep Rig, he describes the central role he played. He claims that at a friend’s funeral in August 2020 he was introduced to some experts who had had roles in government, who were already worried that the upcoming elections would be riddled with fraud. One of these was a “retired army colonel with a background in military intelligence (including psyops)”. Once it became clear Trump lost, they were convinced that their fears had been realized.

So Byrne and his unnamed experts began gathering evidence. Pretty soon, he claims, they had a “tsunami” of evidence from around the country. Byrne rented a block of rooms at the Trump hotel. Using this as his office, he organized a posse of cyber-experts to whom he gives endearing nicknames such as “dolphin-speakers”, “bad news bears”, “propeller hatters”, and so on, to fly around the country examining evidence.

In the week after the election, he got introduced to Trump’s team: Sidney Powell, Gen. Flynn, and Rudy Giuliani. He began handing over the remarkable set of facts he had found that he claimed “proved” fraud.

What was this evidence? Much of it ended up as affidavits in Sidney Powell’s Kraken lawsuits. However, one particular affidavit draft did not, and was instead pasted into Byrne’s book in its entirety. It is from one of the “dolphin-speakers”, one that claims to have a background in the army, in intelligence and aviation related fields, and psyops. From the biography, it is clearly the expert Byrne met in August 2020.

In the affidavit, the expert points to the fact that some servers belonging to Scytl were located in Frankfurt, Germany.

That city again! We will examine his claims in a bit, but first, the expert with the Scytl/Frankfurt theory in Byrne’s book sounds a lot like the expert who dropped the worm into Gohmert’s ear. Could they be the same person?

Col. Phil Waldron’s role

Indeed, it is the same person. We now know that retired Army colonel Phil Waldron, an old associate of Gen. Flynn’s, was the one who called Gohmert on November 8th to tell him he thought votes were being routed through servers in Frankfurt. From the bio quoted in Byrne’s book, the psyops expert who wrote the affidavit is also clearly Col. Phil Waldron (compare his introductory factoids to his LinkedIn profile: Bachelor of Science, management, aviation, Texas, influence operations).

Col. Waldron claims that he was drafted into the fight to overturn the election in August 2020 by none other than Gen. Flynn. This is around the same time that Patrick Byrne claims to have gotten involved. In fact, Byrne and Waldron coordinated their efforts as they fed election fraud theories to Trump’s outside legal teams headed by Sidney Powell and Rudy Giuliani.

Waldron became a key figure in the attempted autogolpe—he met Trump’s COS Mark Meadows in the White House 8 to 10 times, had contact with DHS figures, and later, was found to have distributed a 38-page PowerPoint among White House staff that laid out a plan to perform a coup.

He was also an attendee at an Oval Office meeting on December 18th that several reporters have described as “wild”. It was at this meeting that Patrick Byrne, Gen. Flynn, Sidney Powell, and Col. Waldron met with Trump, and hatched a plan to institute a national emergency and seize voting machines. By all accounts, it was a frenzied meeting where Byrne nearly came to blows with White House Counsel, while the Counsel’s office threatened to quit en masse if these radical plans were carried out.

Waldron’s affidavit and EO 13848

As radical as these plans were, the Kraken crew came in waving a legal justification for them. The justification was to be provided by Executive Order 13848.

This EO permits the President to invoke emergency powers if an election is found to be marred with foreign intervention. Thus, Col. Waldron set out to prove foreign intervention.

His affidavit in Byrne’s book addresses EO 13848 straightforwardly. “This is a preliminary report on the various aspects of FOREIGN INTERFERENCE as defined by Executive Order 13848 issued on September 12, 2018,” it says.

Surprise—the affidavit finds that indeed, yes, such foreign intervention did occur. He even calls the evidence “definitive”. It is obvious that this is merely a fig leaf to unlock the powers of EO 13848. Because, as evidence, per se, it is so extraordinarily weak that it is absurd to call it evidence at all.

First, Waldron points to the foreign corporate ownership of two companies: Dominion and Scytl, as a scandal (“owned and controlled by foreign entities”).

To draw the German connection, Waldron digs into the geographical locations of the servers that belong to these companies. Among them, he finds one located in Frankfurt, Germany.

So…is that the definitive evidence we were looking for? No. Let’s look at the flaws in his logic.

The so-called “Frankfurt” server he geolocates is http://www.scytl.com—which is Scytl’s corporate website. Whether it is in Germany or not, it says nothing about where election night reports go. To make an analogy: even if, say, a corporate website such as “http://www.boeing.com” were to be hacked, this would not impact the software that pilots use to fly Boeing planes. He conflates corporate websites with balloting software all over the place.

Second, here’s a key fact he does not mention: this, too, is a virtual server on the Amazon AWS cloud. The Frankfurt address is that of an Amazon data center. Amazon controls security in their cloud, no matter where in the world their data centers are located; it is absurd to think of offshore use of the Amazon cloud as definitive evidence of foreign intervention (“we lose control of the data when it goes to a foreign country”).

Five Year Graph from DE CIX Frankfurt Internet Traffic, mentioned in affidavit

One last claim he makes is that he noted a 30% spike in internet traffic to Frankfurt on election night.

But here’s the thing about the spike: I checked, and it never happened (I’ve marked the approximate time of election night on the graph image on the left). He entirely made it up.

Ramsland’s affidavit

Another affidavit that centered Scytl came from Russell Ramsland Jr, founder of cybersecurity firm Allied Security Operations Group (ASOG). This one is a masterclass in deception.

He claims that a particular Scytl server, staging.scytl.us, is infected with malware called QSnatch, which can grievously compromise a system, allowing an attacker to steal passwords and data and to access the machine remotely. Sounds bad! Let’s look at his evidence.

To understand how wild and unsupported this claim is, read Twitter user Trapezoid of Discovery’s thread; but I’ll summarize the main takeaway here. QSnatch is malware that infects network-attached storage (NAS) devices of a particular Taiwanese make, QNAP. These are external hard disks that can be directly hooked into a network—therefore, they get a network address, called an IP address, that looks like four numbers separated with dots, like this: “13.32.202.112”.

That network address above is the one that Ramsland quotes in his affidavit. It is a snippet from a threat report about a particular NAS that was infected by QSnatch at the end of 2020.

Now, Ramsland claims that a server belonging to Scytl called “staging.scytl.us” was also sitting at that network address 13.32.202.112. Therefore, it is infected by QSnatch.

Wait, wait, wait. To analogize to real life for a bit. An address can belong to a single-family home. If you tell me you are meeting someone at such an address, one can make a good educated guess about who that might be.

But an address can also belong to a hotel or a café. Thousands of people cycle in and out of such places every hour. If you say you are meeting someone at such a place, one has no real way to determine which of the multitudes of people you meant.

The address Ramsland identified is of the latter kind. It is an Amazon CloudFront host, like the one I described above for the Clarity server. I mentioned above that Amazon can conjure up your server at any of its data centers around the world—but the reverse is also true, in that Amazon treats CloudFront hosts like hotels, cycling thousands of servers in and out of an address at a time.

The address that Ramsland identified has housed a wide variety of websites, from an Australian government server, to a couple’s baby registry, a University of Michigan website, some online surveys, and so on. Thus, the fact that QSnatch infected a NAS sitting at that IP address is by no means evidence that Scytl’s server was infected by QSnatch.
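The hotel-versus-house distinction above can be checked mechanically before an IP-only indicator is pinned on a hostname. The following is an added example, not part of the original article or of any affidavit: the function names, the CDN prefix entry, the passive-DNS rows and the sighting dates are all constructed assumptions; only the IP address and `staging.scytl.us` come from the text.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the shape of AWS's published ip-ranges.json; the
# prefix/service pairing is an assumption made for this example.
CDN_PREFIXES = [{"ip_prefix": "13.32.0.0/15", "service": "CLOUDFRONT"}]

# Constructed passive-DNS rows: (hostname, ip, first_seen, last_seen).
# Only staging.scytl.us and 13.32.202.112 come from the article.
PDNS = [
    ("staging.scytl.us",  "13.32.202.112", "2020-10-01", "2020-10-03"),
    ("registry.example",  "13.32.202.112", "2020-10-02", "2020-10-20"),
    ("survey.example",    "13.32.202.112", "2020-11-28", "2020-12-05"),
    ("nas-owner.example", "13.32.202.112", "2020-12-01", "2020-12-02"),
    ("intranet.example",  "198.51.100.7",  "2020-01-01", "2020-12-31"),
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def shared_service(ip, prefixes=CDN_PREFIXES):
    """Return the CDN service name if ip falls in a shared range, else None."""
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        if addr in ipaddress.ip_network(p["ip_prefix"]):
            return p["service"]
    return None

def tenants_at(ip, when, pdns=PDNS, slack_days=1):
    """Hostnames observed resolving to ip within slack_days of the sighting."""
    t, slack = _day(when), timedelta(days=slack_days)
    return sorted({h for h, addr, first, last in pdns
                   if addr == ip and _day(first) - slack <= t <= _day(last) + slack})

def assess(ip, hostname, sighting, pdns=PDNS):
    """Decide whether an IP-only indicator can be pinned on one hostname."""
    service = shared_service(ip)
    tenants = tenants_at(ip, sighting, pdns)
    if hostname not in tenants:
        verdict = "unsupported: hostname not on this IP at sighting time"
    elif service or len(tenants) > 1:
        verdict = "inconclusive: shared address, need host-level evidence"
    else:
        verdict = "plausible: sole tenant of a dedicated address"
    return {"service": service, "tenants": tenants, "verdict": verdict}
```

Even when the hostname and the malware sighting overlap in time on a shared address, the best the check can return is "inconclusive"; attribution then needs evidence from the host itself, not from the address.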

At the same time, the entire issue is moot. As I said before, stipulate an election night reporting system that has been entirely corrupted and compromised by malware. Since official county totals are insulated from these unofficial tallies, even that cannot affect official results (though news consumers might feel jerked around).

ASOG’s role

Russell Ramsland and his firm ASOG have a longer history promoting conspiracy theories about voting infrastructure. This excellent deep dive by the Washington Post is worth reading in full. Starting around the time that Republicans faced massive losses in the 2018 Blue Wave election, Ramsland’s cybersecurity firm ASOG began pushing the idea that what they were seeing were not legitimate Democratic victories, but rather election theft on a massive scale. Cybersecurity experts have called their theories nonsensical. Nevertheless, Ramsland found a pliant audience among some Republican elected officials. Among them, prominently, was Louie Gohmert.

ASOG constructed labyrinthine theories about vulnerabilities in all major election technology used in the US, from Dominion, ES&S, and Edison Research machines, to Tenex electronic poll books. Ramsland promoted his theories through his appearance on Kevin Freeman’s Economic War Room show on BlazeTV. This is where he first introduced theories that we later came to identify with Sidney Powell and Kraken: the tie-in of Venezuela’s Hugo Chavez with Dominion machines, George Soros, and so on.

Republican Matt Bevin’s loss in the Kentucky governor’s race became a lightning rod for wild theorizing.

It so happens that Kentucky uses the Clarity reporting platform. This is where Kentuckians first saw Bevin’s defeat writ large: on CNN screens, fed by Clarity. Thus, Clarity became the center of ASOG’s fraud narrative.

In the clip above, watch how Ramsland and Freeman make a scandal out of unofficial results changing during the evening; putting great stress on the fact that if you ask a question differently, you get different results (this is a common feature of reporting systems). Left unsaid is that none of it matters for the purpose of the official tabulations at county offices.

As we know, Clarity’s corporate owner is Scytl, “the Spanish company”. Therefore, Ramsland was soon presenting charts like these to Kevin Freeman in an episode on election fraud from January 2020, showing that Scytl had become part of his confabulation. These charts were neither factual nor coherent. For example, Clarity and Scytl are not separate systems, while SGO Smartmatic is in no way the “parent” of US election infrastructure.

Developing a coherent theory

However, by the time the 2020 election rolled around, Waldron and Ramsland, clearly workshopping together, had managed to come up with a coherent theory around Scytl that went like this:

  • Although election night reporting totals are supposed to be unofficial,
  • The Scytl server where they “go” is vulnerable to hacking due to QSnatch malware;
  • It is in Frankfurt, Germany;
  • And this is where votes are changed and fed back into the “official” totals on Dominion and other machines (blue arrow below).

As we have seen above, each link of reasoning in this chain is incorrect. However, this is the theory they had workshopped by November 7th, the very day of the Four Seasons Total Landscaping press conference of blessed memory; the day cable news called the election for Biden.

Then, they went on a propaganda blitz.

Gohmert instantly called Trump. According to Betrayal, Trump was also watching Powell on TV give voice to the proto-Kraken. The rest, as they say, is history.

A chart that Ramsland showed during that interview is almost identical to the chart Waldron passed around as part of his 38-page PowerPoint, seen below.

By the end of November, just as the Kraken lawsuits were being unleashed, Waldron’s story had become even sharper. At an Arizona hearing with Rudy Giuliani, the “30% traffic spike into Frankfurt”—that as we saw earlier, never happened—had turned into a confident claim about having observed packet traffic going to a specific server in Frankfurt—that as we saw earlier, is merely Amazon’s data center, which hosts thousands of customers. “Your vote is not as secure as your Venmo,” he ended with a flourish.

They had to find foreign intervention, so Amazon’s Frankfurt data center was pressed into service. Then they had to somehow explain how unofficial tallies could affect official votes, and here, a random threat report they had found about unconnected malware sufficed. None of it made sense.


Amazingly, there was yet another conspiracy theory about Scytl in the Kraken lawsuit—and this one’s a doozy. I will cover that one in the next piece.

