Comey, Durham and the Yahoo Leak

The Leak Investigations #2: Tropic Vortex

Aug 23, 2025

During the 2016-2017 transition, the incoming Trump administration was notoriously plagued with leaks of classified information. The most notorious early leaks were arguably the disclosure that the Steele dossier had been referenced approvingly in the highly classified version of ICA (CNN, January 10, 2017) and the disclosure of Flynn’s conversation with ambassador Kislyak on December 29, 2016 (Ignatius, Washington Post, January 12, 2017).

But the list of classified leaks was very long, with a new leak seemingly every few days. Recall the leak about Trump’s telephone call with Australian prime minister (February 2, 2017); the (incorrect) leak that Flynn had talked to Kislyak about sanctions (WaPo, February 10, 2017); the leak that CIA had briefed that "Putin aspired” to help Trump (WaPo, December 9, 2016; NBC, December 15, 2016) ; the leak that classified intelligence showed that Trump campaign aides had “repeated contacts with Russian intelligence” (NYT, February 14, 2017). Or even the in-campaign leak from congressional staff indirectly referring to the alleged meeting between Carter Page and top Russian officials (Isikoff, Sept 21, 2016).

Recently, Sean Davis of the Federalist (August 13, 2025 link; pdf) released documents on seven codename leak investigations. A week later (August 21, 2025), John Solomon (link; pdf) released a slightly less redacted version of one of the investigations (“Tropic Vortex”). The additional details in the less redacted version were critical and shed important new light on events that remain hard to understand.

Boente Opens Investigation (US Postal Inspection Service)

The investigation codenamed Tropic Vortex wasn’t opened until January 31, 2019, but its opening memorandum referred back to a leak investigation opened on March 22, 2017 by then A/Deputy Attorney General Dana Boente as follows:

It was then only three weeks since Sessions had recused himself from oversight of Russia collusion investigation (Comey’s role in which remains uninvestigated), thus placing A/DAG Boente as the senior oversight official. It was then only two weeks since Comey had obtained Boente’s consent to make a public announcement of the Russia collusion investigation, notwithstanding standard FBI policy to neither confirm nor deny an investigation (a policy that Comey had relied on in his discussions with Trump) - a briefing in which Comey withheld the exculpatory information from Igor Danchenko about the anonymous phone call. It was then only one week since Comey had briefed congressional leadership about the Russia collusion investigation, once again leaving out the exculpatory and refuting information. It was then only two days since Comey’s announcement of the Russia collusion investigation at a public hearing of the House Intelligence Committee, a public announcement that dramatically ratcheted up the public demand for a special counsel investigation.

It was at a time when the incoming Trump administration had been beset by classified leaks, with both Trump and Sessions demanding that the leaks stop.

So which leak did Boente open on March 22, 2017? The Steele dossier? The Flynn phone call? Putin “aspired”? The Australian ambassador call?

None of the above. Boente opened on an October 2016 article in New York Times following a criminal referral from REDACTED, putting John Durham and the US Postal Inspection Service in charge of the investigation. The most plausible infill of for redacted complainant who had made the criminal referral (30 characters) is National Security Agency (NSA).

walkafyre almost immediately figured out (correctly) that the “October 2016 NYT article” was an October 5, 2016 article by Charlie Savage and Nicole Perlroth entitled “Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter” (archive). The article began as follows:

A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization, several people familiar with the matter said on Wednesday.
Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.
To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.
With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. The collection is no longer taking place, those two people said.
The order was unusual because it involved the systematic scanning of all Yahoo users’ emails rather than individual accounts; several other tech companies said they had not encountered such a demand.

Two days earlier, Joseph Menn of Reuters had broken a similar story (link):

The criminal referral from the [NSA] pertained to the “two government officials” who confirmed the story to the New York Times. Boente referred to the investigation outside because one of the suspected leakers was James Baker, then general counsel to the FBI. By coincidence (or not), this was the exact period in which the FBI was confronted with the Alfa Bank hoax, which had been brought to Baker by Marc Elias of Perkins Coie. On October 5, 2016, FBI counterintelligence officials at headquarters were corresponding with the same FBI agents in San Francisco about the Yahoo story almost concurrently with the Alfa Bank hoax.

This suspicion proved correct. Baker was firmly identified by the US Postal Inspection Service as one of the two government sources for the leaked information in the October 2016 NYT article. The Postal Service investigation also revealed that FBI Chief of Staff Rybicki had “instructed [Baker] to disclose the information to the NYT” and that Baker “understood that Rybicki was conveying this information and authorization from Comey”:

The information on when Durham’s report was filed is inconsistent. In the FBI Opening EC for Tropic Vortex (January 31, 2019), it was dated to December 22, 2017 as a report to AG Sessions.

But in the Closing Concurrence (February 25, 2020]), it was dated to December 11, 2018 as a report to A/AG Matthew Whitaker.

Thus far, neither of these important reports has been declassified or released.

In any event, Durham recommended “NO prosecution of Baker or anyone else” in response to the NSA criminal referral.

Tropic Vortex, January 2019

In January 2019, the US Attorney for DC submitted a memorandum to FBI Counterintelligence advising them that the case file from the Postal Service investigation “may contain information relevant” to several codenamed leak investigations (Echos Fate, Foggy Falls, Genetic Christmas and Sirens Lure.

The opening paragraph of one of the opening documents was anomalously completely redacted - even the date.

On April 8, 2019, WFO completed their review of the US Postal Service investigation documents, from which they identified one incident of considerable potential interest.

They observed that “multiple DOJ and FBI officials were asked [by US Postal Inspection Service] about their discussions, actions, and responses” to Trump’s March 4, 2017 tweet about phones at Trump Tower being wiretapped and a March 5, 2017 NYT article which reported that “Comey asked the DOJ to publicly reject the assertions” in Trump’s tweets - leaked information that had not then been released by DOJ, The document stated that the “tweets and article occurred shortly after the initiation of the USPIS investigation” - a statement that is seemingly inconsistent with the official opening date of March 22, 2017. However, the US Postal Service investigation had not determined the source of this leak.

WFO investigated this incident further and, on October 21, 2019 (during first impeachment hearings), WFO reported that Rybicki had “forwarded an email containing a proposed statement to the news media regarding the tweets to his (Rybicki’ s) presumed personal email account” and that “the proposed statement originated from Comey”. WFO “assessed Rybicki did so in furtherance of a potentially unauthorized disclosure to the news media, which appeared to be at the impli[ed direction of C]omey”. WFO presented these findings to the “attorneys, agents and” various other concerned parties.

However, USAO-DC [Jesse Liu] “declined to pursue additional legal process as the proposed statement appeared to be UNCLASSIFIED”.

On January 20, 2020, USAO-DC Liu issued a prosecution declination on this issue. Liu resigned soon afterwards.

Reprise

Nearly all of the classified leak investigations came up empty. Nobody was identified in regard to leaks re Flynn (Echo Falls), leaks re Putin “aspired” (Genetic Christmas), leaks re Carter Page FISA (Foggy Falls, Riding Hood), leaks re use of hacked Russian intercepts (Sirens Lure).

Only two of the codenamed leak investigations (so far reported) were able to identify leakers: Baker and Rybicki (both at Comey’s direction) in Tropic Vortex; and Strzok also to New York Times (Arctic Haze, April 22, 2017 article) also at Comey’s direction. None of the leakers operating at Comey’s direction were charged. Ironically, A/DAG Boente’s opening of the leak investigation on March 22, 2017 (eventually implicating senior FBI officials) occurred in the midst of Strzok’s briefings to NYT (later the subject of Arctic Haze) also implicating classified information:

Here’s a question that no one has asked yet.

Under normal circumstances, it’s inconceivable that an Acting Deputy Attorney General would commission a US Attorney from Connecticut and the US Postal Service Inspection Service to investigate a criminal referral from NSA potentially implicating the highest FBI officials without advising and obtaining approval from the Attorney General, who would, in turn, have advised and obtained approval from White House Counsel.

But is this what happened with the US Postal Service Inspection Division investigation?

AG Sessions isn’t mentioned in connection with the opening - only A/DAG Boente. AG Sessions had recused himself from the Russia collusion investigation, but the leak in the October 5, 2016 Yahoo article wasn’t connected to the Russia collusion investigation. It’s possible that A/DAG Boente had fully briefed and fully informed AG Sessions on the NSA criminal referral potentially implicating senior FBI personnel, but, in the febrile atmosphere of March 22, 2017, it’s equally, maybe more possible, that he didn’t. If they had known, it’s hard to believe that Trump and/or White House Counsel wouldn’t have used the information when it came to firing Comey.

Be that as it may, the backstory of how A/DAG Boente appointed Durham and the US Postal Service Inspection Division remains untold and a definite dig-here.

Postscript

Incorporating comments by @walkafyre in prior discussion (see, for example, thread).

On October 4, 2016, Strzok sent an email to Baker, Priestap, Lisa Page and a redacted (NSD)(JMD) that the “article under discussion was out”. This was the Reuters article of October 4, 2016 about the Yahoo backdoor for US intel agencies.

The next day (one day before the NYT article), Strzok sent an email to three SF agents (Elvis Chan et al?), a USACAN agent (Jeffrey Shih?), Trish Anderson and Lisa Page, presumably to respond to Reuters article on Yahoo backdoor.

During the meeting *link), Strzik sent a Lync to Page mentioning “Madsen”, who walkafyre plausibly identified as Chris Madsen, then Yahoo Assistant General Counsel.

xxx

On January 17, 2019, Robert Litt (former DNI official) published article in Lawfare (link) stating that Baker’s lawyer had stated “that Baker could not answer certain questions during his congressional testimony because Baker was the subject of a criminal investigation into leaks being conducted by Durham”. He cited a letter from Republican HPSCI members (link). We now know that this is the Durham-USPIS investigation.

walkafyre also observed that Durham had been trying to interview Peter Strzok on or about May 17, 2017 (link) - just as Mueller investigation was being announced. This can now be interpreted as pertaining to the USPIS leak investigation. (As of September 2020, Strzok still hadn’t been interviewed by Durham - in either iteration (link)

On December 21, 2017 (again h/t walkafyre), Barrett, Nakashima and Leonnig at Washington Post reported that Baker was going to be re-assigned. This was on the eve of the December 22, 2017 date on which, according to xx, Durham submitted his no charge recommendation re Baker. The story gave some details on the subject of the leak.