There never was any evidence Russia hacked the DNC during the US election in 2016. They hired CrowdStrike, a cybersecurity firm, back on April 28, 2016, after detecting unusual activity. CrowdStrike installed their monitoring tools, called Falcon OverWatch, by May 2, 2016, and kept watch until June 10–13, when they finally removed the intruders. During that time, they identified two Russian-linked groups: Cozy Bear (the 2015 snoopers) and Fancy Bear (APT28), who allegedly entered in April 2016 and stole documents like Trump opposition research.

But here’s the crucial detail: CrowdStrike’s own report and later testimonies admitted they saw no direct evidence of the specific emails released by WikiLeaks being exfiltrated—meaning stolen and sent out—from the DNC servers.

That brings us to Shaun Henry, CrowdStrike’s former president and a key witness in investigations. In his December 5, 2017, testimony to the House Intelligence Committee (part of the Mueller probe and later reviewed by Senate committees and Special Counsel John Durham), Henry stated under oath that while CrowdStrike observed indicators of data being prepared for removal, there was “no concrete evidence” that the files were actually exfiltrated by the Russians.

He repeated this in later sessions, emphasizing that their monitoring from May 2 to June 10 showed activity but not the actual theft of the WikiLeaks-specific emails.

Durham’s 2023 report echoed this, criticizing the FBI for relying on CrowdStrike without independently verifying the servers, and noting the lack of forensic proof for how the WikiLeaks files left the DNC network.

The Senate Select Committee on Intelligence (SSCI) in 2020 also confirmed the emails in WikiLeaks’ July 22 release had timestamps up to May 25, 2016, meaning they were collected after CrowdStrike started monitoring, yet no one saw them being taken out.