
A
Hey, it's the creator of the Epstein Files. Before we get into today's episode, I need to tell you about my brand new podcast, Wardesk. If you value how we fact check the narrative and follow the raw data on this show, Wardesk is built for you. It's a massive ongoing investigation into the rapidly escalating developments happening in the Middle East right now. It is completely post partisan and follows the facts. Instead of cable news talking points, we go straight to the source to explain the reality of global conflict. Search for Wardesk on Apple Podcasts or Spotify right now. Or check this episode's description for the links and hit follow. Alright, let's get into the episode. Three million pages of evidence. Thousands of unsealed flight logs. Millions of data points, names, themes and timelines connected. You are listening to the Epstein Files, the world's first AI native investigation into the case that traditional journalism simply could not handle.
B
Welcome back to the Epstein Files. Last time we covered our last breaking news update and today breaking news has emerged about the FBI was hacked. On Super Bowl Sunday, 100 terabytes of Epstein evidence vanished. As always, every document we reference is at epsteinfiles.fm. So the place to start is the EFTA documents. Because the DOJ release contains hundreds of emails that show exactly how this relationship functions.
C
The primary document you need to look at is the sworn declaration of Special Agent Aaron E. Spivak.
B
Right.
C
That is cataloged as EFTA0001-73569 PDF.
B
We have that in front of us.
C
To understand the sheer scale of this data loss, you have to understand the architecture of the FBI C20 computer lab. The declaration outlines this clearly.
B
It's not a standard office environment exactly.
C
It's a dedicated forensic space built to process massive volumes of highly sensitive digital evidence. You are looking at isolated systems, air gap. Air gapped? Yes. Network attached storage or NAS, and sprawling RAID tower storage arrays. The documented function of this lab was processing child sexual abuse material. CSAM related to ongoing exploitation investigations. The legal and psychological weight of this material requires it to be completely isolated from external networks.
B
Standard operating procedure.
C
It prevents accidental dissemination and targeted external compromise.
B
But the sworn statement provides a minute by minute forensic accounting of an intrusion on Super Bowl Sunday, Feb. 12, 2023. Spivak provided a physical outline to the interviewing supervisory special agents. We have the chronological baseline right here. Starting the morning after Monday, February 13th, at 7:30am, Agent Spivak arrives at the C20 lab.
C
The first indicator is documented as a seemingly mundane anomaly. Spivak's Tolino forensic computer had restarted overnight.
B
For those reviewing the files with us, a Tolino system is not a desktop computer.
C
It's a heavy duty workstation built specifically for digital forensics. They have massive amounts of RAM, specialized hardware write blockers.
B
Their function is ingesting terabytes of data
C
from seized hard drives, mobile devices. The hardware write blockers ensure the system reads the data without altering a single byte of the original evidence.
B
Because altering a byte breaks the chain of custody exactly.
C
And processes like hashing or indexing, these drives run continuously, often for weeks.
B
So a spontaneous overnight restart is a critical anomaly.
C
It indicates an interruption of the operating system that the user did not initiate.
B
Ten minutes later, the severity of the restart is documented.
C
7:40am he logs into the Tolino system
B
and a text file automatically executes from the Windows startup folder.
C
The text file explicitly states the network has been compromised. It provides an email address for contact.
B
Concurrently, the antivirus software identifies a potential threat.
C
The documents show the classic digital footprint of a ransomware executable.
B
The threat actor drops a payload designed
C
to execute upon system boot. Putting it in the startup folder guarantees it is the first thing the user sees. Upon logging in.
B
The antivirus was active.
C
It was up to date. It flagged the anomalous activity.
B
But the documents show flagging a threat and neutralizing it are different things, especially
C
when the system hierarchy is compromised.
B
Which brings us to the next documented failure point.
C
Agent Spivak attempts to quarantine the threat.
B
He discovers his administrative privileges have been revoked.
C
Completely removed. He is locked out of the forensic machine's root controls.
B
Root access is foundational.
C
It gives you authority to install software, modify security configurations, delete system files.
B
So the loss of those privileges confirms
C
the system is compromised at the highest possible level. The intruder didn't just drop a text file. They rewrote the local user permissions.
B
They demoted the federal agent to a
C
standard user and elevated themselves to the administrator.
B
The threat actor holds root access, which
C
means they have the authority to override the antivirus software entirely. The quarantine protocols are useless.
B
The timeline shows the internal Response initiating
C
by 8:30am Spivak reaches out to Kristian
B
Idzila at the Computer Analysis Response Team
C
CART, asking for immediate assistance.
B
By 9:00am they reach out to external Tolino support.
C
The documents show Tolino support advised running the antivirus directly against the operating system hard drive.
B
To bypass the user interface lockouts.
C
Yes, and this process identifies the specific vector of the attack.
B
The threat is attributed to a program called Axiom Magnet.
C
Axiom A premier digital investigation platform used
B
globally by law enforcement.
C
Standard tool for recovering evidence from smartphones and cloud services. It is ubiquitous in a lab like C20.
B
The documents show the intrusion was a highly specific booby trap left by the hacker. The malware was dormant, designed to execute only when the Axiom forensic program was launched.
C
Which indicates the intruder possessed advanced knowledge of the specific software environment utilized by federal forensic examiners.
B
They tailored the attack to the exact tools the FBI uses to analyze digital evidence.
C
Yes.
B
Looking at the sworn statement, there is a specific technical root cause identified for this breach.
C
The documents show the hack resulted from an improperly configured remote desktop protocol port. RDP is a proprietary protocol developed by Microsoft. It lets a user take over a
B
computer from miles away, viewing the screen, controlling the mouse.
C
It's convenient for remote administration. But standard network security dictates RDP ports, specifically Port 3389, must never be exposed directly to the public Internet.
B
In a secure environment, RDP is shielded
C
behind virtual private networks, strict firewalls, multifactor authentication.
B
Exposing it directly to the Internet is a massive vulnerability.
C
Automated scanners constantly crawl the Internet looking for open RDP ports. They brute force the login credentials until they gain entry.
B
Agent Spivak explicitly notes the circumstances surrounding this configuration in his declaration.
C
He was attempting to set up remote
B
access to increase efficiency during the COVID-19 pandemic lockdowns.
C
The documented intention was allowing agents to monitor long running forensic processing on the Tolino machines without physically traveling into the New York City field office.
B
We have to measure this against the institutional guidance documented in the file.
C
Spivak states he operated under guidance from
B
his direct supervisor, Supervisory Special Agent Heath Graves.
C
SSA Graves advised him to follow instructions available on the public Microsoft website for
B
setting up the RDP.
C
Yes. The declaration explicitly notes Spivak lacked formal training in network architecture.
B
He was not a credentialed system administrator.
C
He attempted to configure the port based on public web tutorials. He documented his belief that the FBI building's overarching security protocols would automatically prevent unauthorized access.
B
He had no idea he had opened the C20 lab's local area network directly to the outside Internet.
C
This is inconsistent with the baseline security protocols required at a premier law enforcement agency.
B
The documents show the C20 lab completely lacked dedicated network administrators.
C
You are looking at digital forensic examiners,
B
experts in analyzing seized hard drives, tasked
C
with designing and securing their own local area network from scratch. Without the requisite training or institutional oversight,
B
the documented data loss resulting from this is severe.
C
The sworn declaration states 500 terabytes of data vanished as a direct result of the intrusion.
B
500 terabytes.
C
A single terabyte holds roughly 250,000 high resolution photographs or 500 hours of high definition video.
B
500 terabytes is an astronomical volume of
C
digital evidence in a lab processing CSAM and exploitation networks. This represents millions of individual evidentiary files.
B
Spivak documented the subsequent recovery efforts in detail.
C
The squad was eventually able to recover approximately 400 terabytes of the compromised data.
B
The documents show this recovery relied entirely on the forensic practice of hashing.
C
A hash is a unique digital fingerprint
B
for a file generated by an algorithm.
C
Yes. Like an MD5 or SHA256 hash. A fixed length string of text and numbers.
B
If a single pixel in an image is altered, the entire hash value changes.
C
Law enforcement agencies maintain massive centralized databases of known hash values corresponding to illegal images.
B
So by running known hash values against the compromised storage arrays, the Tolino system
C
identifies and reconstitutes the files based on
B
their mathematical fingerprint, avoiding the need for agents to visually review 400 terabytes of exploitation material.
C
Exactly. But the forensic math here is unforgiving.
B
The documents show exactly 100 terabytes of
C
data remain permanently lost, completely unaccounted for following the intrusion.
B
A permanent loss of 100 terabytes of evidence introduces catastrophic legal implications for any ongoing investigations tied to that data.
C
Chain of custody is paramount. In federal prosecutions, defense attorneys meticulously scrutinize data handling to ensure it hasn't been altered or accessed by unauthorized individuals.
B
When an unknown threat actor infiltrates a federal lab, gains root access, booby traps
C
forensic software, and permanently deletes or encrypts 100 terabytes of data, that chain of
B
custody is irrevocably broken.
C
Any prosecution relying on that compromised hardware faces severe admissibility challenges in court.
B
The documented institutional response to this data loss reveals a severe breakdown in operational support.
C
When Spivak realized the extent of the intrusion, he recognized the urgent need to network the standalone computers securely.
B
He escalated the issue. The declaration states, networking is explicitly not a digital extraction technician function.
C
Not a Dixie function. Correct.
B
He followed standard bureaucratic procedures.
C
He formally asked the Computer Analysis Response Team, the Operational Technology Division, and the Office of the Chief Information Officer asking for assistance in securing the lab.
B
The documents show the exact verbatim response from OTD.
C
Agent Spivak was told to Google it.
B
The file states plainly, no one else tried to help us.
C
This is a squad inside the premier federal law enforcement agency dealing with a catastrophic breach of exploitation Evidence and the
B
official directive from the Operational Technology Division was to use a commercial search engine to solve the problem.
C
The desperation within the Squad is documented clearly.
B
The standard IT units handling FBI networks refused to assist with misattributed networks.
C
So the Squad was forced to operate outside of standard channels. The documents show they put out a canvass for a confidential human source. A CHS is typically an informant recruited for intelligence on criminal organizations.
B
But in this instance, the Squad was explicitly searching for an informant with a
C
background in networking or system administration simply to assist them in routing a local area network within their secure facility.
B
That doesn't add up.
C
The documented reality shows highly trained agents utilizing off the shelf commercial switch boxes,
B
relying on public Google searches for enterprise
C
network security protocols, and canvassing for human informants simply to cable a forensic lab.
B
It reveals severe systemic siloing within federal agencies.
C
Specialized units handling compartmentalized data are isolated from the broader institutional infrastructure.
B
When a crisis occurs, that isolation is
C
a critical vulnerability, leading agents to function as amateur tech support while handling terabytes of volatile evidence.
B
The correlation between this network vulnerability and the specific investigation files targeted is documented in the timeline.
C
Agent Spivak's log. From 4:30pm on the day of discovery,
B
the Squad analyzed the strange IP activity interacting with their network.
C
The log explicitly documents that the external activity included combing through certain files pertaining to the Epstein investigation.
B
The documents show a direct intersection of events.
C
The improperly configured RDP port, the Axiom booby trap, the permanent loss of 100
B
terabytes of data, and the specific unauthorized accessing of the Epstein investigation files.
C
You must measure this physical compromise of evidence against the authorized administrative withholding of files currently documented in the Congressional Record.
B
This brings us to the February 25, 2026 letter from House Oversight Chairman James Comer to Attorney General Pamela Bondi.
C
We are strictly conveying the contents of this primary source material impartially without endorsing any of its viewpoints. The letter documents specific allegations that the Department of Justice is withholding Epstein related
B
materials pursuant to the Epstein Files Transparency
C
Act, EFTA and a previously issued congressional subpoena.
B
The document details allegations that the DOJ is suppressing files relating to the alleged sexual abuse of a minor by Donald Trump.
C
The letter references a documented response from the DOJ regarding these withheld materials.
B
The DOJ stated it is legally withholding materials that fall into three specific categories.
C
Duplicates, Privileged information.
B
Yeah.
C
Or files that are part of an ongoing federal investigation.
B
You have to analyze those legal justifications. Withholding duplicates is a standard administrative procedure to prevent volume redundancy.
C
Claiming privilege typically refers to executive privilege or attorney client protections.
B
Citing an ongoing federal investigation is the most substantial justification.
C
It implies active law enforcement operations that could be compromised by public disclosure.
B
Chairman Comer's letter cites specific independent reporting
C
in its footnotes, referencing a substack article
B
by Roger Sullenberger and detailed reporting from NPR dated February 23 and 24, 2026.
C
These citations document allegations regarding the exposure of the underage accuser's name after she reportedly refused to cooperate against him.
B
The letter demands the immediate production of
C
all withheld files and a full accounting of the precise legal basis for withholding these documents from congressional oversight.
B
We cross reference these documented institutional decisions with the public opinion data provided in the CNN and Ipsos polling source.
C
The data shows 65% of surveyed adults believe the statement that the federal government is hiding information about the death of accused sex trafficker Jeffrey Epstein is true.
B
This belief crosses political affiliations uniformly. 57%
C
of Republicans, 76% of Democrats, 64% of independents, all marking the statement as true.
B
The polling data also addresses the public perception of institutional accountability.
C
When asked how well the statement the Epstein files show that powerful people in the US are rarely held accountable for their actions describes their views, significant majorities align with the statement the documents
B
show a clear statistical consensus regarding a perception of institutional concealment.
C
When you put these realities side by side, the contrast is strictly documented in the source material.
B
On one hand, you have the unauthorized access and permanent loss of 100 terabytes of evidence via the Super Bowl Sunday
C
hack facilitated by systemic negligence in the C20 lab.
B
On the other hand, you have the authorized concealment of specific investigation files by
C
the DOJ, citing privilege and active investigations.
B
Both vectors result in a documented lack of public transparency regarding the totality of the Epstein files.
C
To understand the scope of the specific files being targeted by the hackers and withheld by the DOJ, you must audit the recovered EFTA email correspondence.
B
This establishes the documented day to day footprint of the network.
C
The source material contains a series of communications linked to the primary email address gvacationmail.com. The email ledger provides precise dates, subjects and specific individuals mapping exactly how
B
mundane social planning operated parallel to the criminal enterprise.
C
August 9, 2010 an email from David Grossoff is sent to the GVCATION account.
B
The communication references a Sloan MBA graduate named Jason Sulphin.
C
The email notes Sulphin is moving to Enterprise Software Project Management, focusing on the
B
mansion renovation of ultra high net worth individuals at Vanacker Construction.
C
The document notes the company's specific focus is on 30 to $100 million estates
B
in the San Francisco Bay Area and Napa Valley.
C
The email specifically infers a Pritzker son has been one of the customers taken care of by this firm.
B
This email demonstrates the strategic targeting of real estate and development networks catering strictly
C
to the ultra wealthy. It documents the continuous monitoring of high net worth ecosystems in California, entirely separate
B
from the Florida and New York operations primarily associated with the investigation.
C
The networking extends to the highest levels
B
of media and society. August 24, 2010, the documents show an internal forward from Leslie Grof to the G Vacation account.
C
The subject line is simply FW Lists from Peggy.
B
The email contains the finalized guest list for what is described as William Astor's dinner.
C
Impartially reading the documented list, it includes Dan Abrams, William Aquivella, Christiane Amanpour, Lord
B
and Lady Astor, Andre Balaz, Martin Bashir, Sid Bass.
C
Reviewing that list, you are looking at a precise cross section of global influence gathered at a single dinner.
B
High profile broadcast journalism represented by Amanpour
C
and Bashir, legal and media analysis represented
B
by Abrams, luxury hospitality represented by Balaz,
C
legacy wealth represented by the Astors and Bass.
B
The documents show how these highly curated social engagements function as operational camouflage.
C
The network relied on proximity to legitimate global influence to normalize its operations and insulate itself from scrutiny.
B
This brings us to a critical piece of newly released viral evidence drifting how
C
the operator viewed his own profile within this network.
B
The documents show an email exchange dated
C
December 28, 2018, sent from the gvacationmail.com account to Masha Drakova.
B
To contextualize this communication, Masha Trakova had introduced several female contacts to the network.
C
The email documents introductions to Katya, described
B
as a corporate lawyer, Alezia described as a film director working on a human rights virtual reality project, and Alexandra described as an actress. The introduction of these young women fits the documented pattern of continuous recruitment and networking.
C
The reply from the GVCATION account to this introduction is highly specific.
B
Writing in response, the operator states, she almost fainted when I told her that person is me. In reference to someone researching a bad guy who gets children for sex sent to his island.
C
This language requires meticulous forensic analysis. You are looking at documentation from December
B
2018, a period long after the initial 2008 Florida conviction.
C
The operator is actively acknowledging his own public profile as a prolific criminal, openly
B
discussing an individual researching a bad guy who gets children for sex sent to
C
his island and explicitly confirming that person is me.
B
The psychology documented here is profound. He is putting in writing to a third party a direct acknowledgment of the exact criminal behavior under investigation, using it
C
almost as a conversational anecdote, while simultaneously continuing to network with new female contacts like Katya, Alazaiya and Alexandra.
B
It demonstrates a documented belief in complete impunity.
C
The operator is not attempting to conceal his reputation from these new contacts. He is openly weaponizing that notoriety within routine social correspondence.
B
This is the caliber of primary source evidence contained within the EFTA releases, which
C
contextualizes why these specific files were targeted during the Super Bowl Sunday intrusion.
B
Moving forward in the chronology of The Ledger on February 8, 2013, correspondence with Bill Siegel is documented.
C
The subject line references a front page magazine interview titled the Control Factor.
B
Within this exchange, the G Vacation account writes, I became friendly with Shirley MacLaine last year and went to her ranch in Santa Fe. I may go back and remember you own half the ranch land here or something. Do you still like it there?
C
The location is further specified in a previous reply within the thread as Zorro Ranch.
B
This correspondence documents the continuous expansion of geographic and social access.
C
The networking was not limited to New York or Florida. It extended into private ranch lands in
B
New Mexico, leveraging connections with established entertainment figures like Shirley MacLaine to secure access
C
and further normalize the operation's footprint in
B
the American West. Beyond individual communications and private dinners, the documents show the expansive digital architecture required to manage the Enterprise's public facilities.
C
Face document EFT 01534118 provides a sprawling ledger titled Other Internet Account Information.
B
This is not a list of covert servers.
C
It is a spreadsheet listing everyday Internet accounts, websites, blog sites, and public profiles administered by third party reputation management service providers engaged by the network.
B
The list is exhaustive. It documents managed business directory listings on platforms like Facebook, 411, 8 Coupons, Chamber of Commerce.com, citysearch, and Crunchbase.
C
It outlines social network directories on Flickr and Cloud, manage public profiles on Gather
B
and LinkedIn foundation directories on Grantwatch.
C
Maintaining a reputation management profile on a site like 8 Coupons seems entirely disjointed from the profile of an international financier,
B
but it illustrates the mechanics of search
C
engine optimization utilized to flood search results. By paying third party providers to generate and manage hundreds of mundane profiles across business directories and coupon sites, the enterprise ensured that any public Internet search of the name would return pages of benign
B
corporate results, effectively burying critical news coverage or victim testimonies under an avalanche of generated noise.
C
The documents show how this mundane digital networking operated continuously to sanitize the public
B
record. The EFTA communications map the true breadth of the network. The primary source evidence demonstrates high profile dinner lists with global media figures, targeted
C
real estate networking in the San Francisco
B
Bay Area, brazen admissions of criminal profiles
C
in routine emails, and a sprawling digital management strategy occurring parallel to the criminal enterprise.
B
The targeting of these specific investigation files by strange IP addresses during the C20 lab intrusion highlights the extraordinary value of this data to external actors.
C
Summarizing the documented facts versus what remains definitively unknown requires strict adherence to the
B
primary sources provided. The documents prove, via a sworn declaration, that a severe breach of the FBI's C20 forensic lab occurred on February 12, 2023.
C
This breach was facilitated via a misconfigured RDP port.
B
This critical error was made by an agent lacking formal networking training who was
C
attempting to establish remote access during the operational strain of the COVID-19 pandemic,
B
acting on supervisor advice to consult public websites.
C
The documents prove that during this intrusion, the deployed Axiom booby trap allowed strange IP activity to comb directly through the Epstein investigation files.
B
The hack resulted in the total compromise of 500 terabytes of evidence.
C
Despite hashing recovery efforts, 100 terabytes of this data are permanently lost, effectively destroying
B
the chain of custody for that specific material.
C
Furthermore, the source material proves a current congressional standoff exists over the remaining secured DOJ documents.
B
The House Oversight Committee has documented formal allegations that files relating to Donald Trump are being actively suppressed, while the DOJ
C
has documented its legal stance that the withheld files are duplicates, protected by privilege, or part of an ongoing federal investigation.
B
What remains completely unknown is the exact file by file contents of the hundred terabytes of data, perhaps permanently lost during the Super Bowl Sunday hack.
C
We simply do not have documentation detailing which specific Epstein files vanished into the ether.
B
Additionally, the scope and outcome of the ongoing federal investigations cited by the DOJ as the primary justification for withholding the remaining EFTA files remains entirely unknown to the public and to congressional oversight committees.
C
There is a final analytical question raised directly by the source text regarding broader institutional security.
B
Buried within the pages of the Spivak declaration is a brief reference to the use of an external program called Apostle X.
C
The document states this specific program was installed on a completely standalone computer connected
B
to a misattributed, essentially covert Internet line originating from within the secure FBI facility.
C
Agent Spivak documents the operational protocols for this machine.
B
He states he used his personal cellular telephone to conduct FaceTime and video chats with the external Apostle X engineers while physically
C
standing inside the restricted FBI space.
B
The Declaration notes the squad would meticulously sanitize the physical room so the outside engineers could not see any sensitive material or CSAM over the video calls.
C
Spivak notes he did not have a background in computer coding, so he would manually type in the coding instructions verbally given to him by the outside engineers over his personal phone to update the standalone machine.
B
The Declaration plainly states there was no formalized process set up for updating this standalone computer.
C
This is entirely inconsistent with the baseline requirements of secured forensic environments.
B
You have federal agents using personal iPhones to facilitate manual code injections into a
C
specialized law enforcement network by uncleared external engineers.
B
If a simple documented RDP misconfiguration on a local network resulted in the permanent loss of 100 terabytes of high profile evidence, how many other unmonitored misattributed networks like the Apostle X setup are currently operating outside standard security protocols, quietly exposing other critical investigations to similar vulnerabilities?
C
We don't have documentation for that.
B
We'll be watching this closely. If more documents surface, we'll be back with an update.
A
You have just heard an analysis of the official record. Every claim, name and date mentioned in this episode is backed by primary source documents. You can view the original files for yourself at epsteinfiles.fm. If you value this data first approach to journalism, please leave a 5 star review wherever you're listening right now. It helps keep this investigation visible. We'll see you in the next file.
THE EPSTEIN FILES – Episode Summary
Episode: BREAKING – The FBI Was Hacked on Super Bowl Sunday. 100 Terabytes of Epstein Evidence Vanished.
Date: February 28, 2026
Host: Island Investigation
This episode of The Epstein Files delivers a meticulous, document-driven analysis of a catastrophic loss of digital evidence: on Super Bowl Sunday, the FBI’s dedicated C20 forensic lab was hacked, resulting in the permanent disappearance of 100 terabytes of evidence related to the Jeffrey Epstein investigation. The hosts reconstruct the story using sworn declarations, forensic logs, and congressional correspondence, examining not only the technical specifics of the breach but also its wider legal, investigative, and public trust implications. The episode culminates in a forensic juxtaposition of unauthorized data loss via cyber-intrusion and the formal, legal withholding of information by the Department of Justice (DOJ), contextualized with newly released primary source material.
“She almost fainted when I told her that person is me.” ([19:42 – 19:53]) In reference to someone researching “a bad guy who gets children for sex sent to his island.”
Documented Facts:
Unknowns:
The episode meticulously documents a dual crisis: unauthorized, catastrophic loss of investigation material via technical negligence, and ongoing, legally sanctioned opacity by federal authorities. Primary source evidence reveals both the systemic gaps that enabled the hack and the expansive, deliberate nature of Epstein’s network and its digital self-defense mechanisms. The synthesis is stark: data vanished into the ether, institutional trust continues to erode, and the public remains in the dark on the true scope of both the case and the underlying failures that allowed this breach.
All referenced documents are accessible at epsteinfiles.fm.