Suspected Accomplice in Berlin Tiergarten Murder Identified as FSB/Vympel Officer

  • Exactly one year ago this week, Zelimkhan Khangoshvili, a 40-year-old Georgian citizen and former Chechen rebel commander, was shot dead in Berlin’s Kleiner Tiergarten. The killer – traveling under the guise of a tourist and using a Russian passport in the name of Vadim Sokolov – was arrested by Berlin police following a tip-off from two teenagers who had seen him dispose of evidence into a river.
  • In a series of investigations, Bellingcat, together with Der Spiegel and The Insider, identified the assassin as Vadim Krasikov, a former Russian security officer previously linked to at least two contract murders in Russia.
  • Using telephone metadata, we established immediately prior to the trip to Berlin, Vadim Krasikov had interacted extensively with current and former FSB Spetsnaz officers, and had spent extended periods of time on an FSB training base outside Moscow. We also established that his most frequent contacts in the eve of the assassination had been with members of the Vympel Group of companies: a security services holding employing predominantly former Spetsnaz officers from the FSB’s elite Department “V”.
  • We subsequently disclosed that two weeks before the assassination, another person traveled by car from Russia to Poland – and possibly on to Germany on a fake passport issued on the same date, and having the same number range as that used by “Vadim Sokolov”. This second person – who is listed in German indictment documents as a person of interest and possibly an accomplice to the murder – traveled under the name “Roman Davydov”, having a birth date of 9 October 1981. Both “Davydov” and the suspected assassin had listed the same employer in their visa applications – the St. Petersburg company ZAO RUST.
  • While no person with these exact personal data exists in Russian national databases, we also discovered that a person with the same face and a different last name (“Roman Nikolaev”) and birth-date, traveled to Czechia in 2015. Using visa application documents and booking data, we linked “Roman Nikolaev” to six other fake identities who obtained visas to Czechia for the same period of time. We were able to link at least three of those people to at least one assassination of another Chechen former commander in Istanbul. At least one of these three co-travelers was linked to the Vympel group of companies.
  • Based on these findings, we hypothesized that the Vympel Group of companies – and an affiliated “Regional Association of Vympel Spetsnaz Veterans” – are used as a front organization for Russia’s security services in order to pursue a program of targeted assassinations of perceived Russian enemies abroad. While most of the known targets have been ethnic Chechens who had fought against Russia in the Chechen wars, at least one target was a Uzbeki cleric living in Turkey with no known association with the Chechen war.

We have now been able to positively identify the second person of interest in the Kleiner Tiergarten murder case previously known under the aliases “Roman Davydov” and “Roman Nikolaev”. This person is in fact Roman Yuryevich Demyanchenko, a former FSB Spetsnaz officer and current undercover FSB asset working under the cover of the Vympel Group of companies.

This is a joint investigation with The Insider (Russia) and Der Spiegel (Germany).

Who is Roman Demyanchenko?

Facial comparison of “Roman Davydov”, based on a photograph from his visa application documents, and Roman Yuryevich Demyanchenko, a photograph from a personal identity document. The comparison was performed using Microsoft’s Azure Face Verification Tool.

Roman Demyanchenko — the true identity of “Roman Davydov” and “Roman Nikolaev” — was born in Moscow on 4 December 1980. While he has almost no online footprint, data breadcrumbs from previously leaked residential databases and phone listings lead to the conclusion that he was a decorated FSB officer who, until 2011, served in the FSB’s Department V (Vympel).

Moscow residential data show he was a pensioner as early as in 2011, at age 31, suggesting early retirement (Spetsnaz officers of rank up to captain retire at age of 45; while higher ranks may serve up to 55 years.) This early retirement can possibly be explained either with a service related trauma or wound or with accelerated accumulation of service time, for example due to deployment in a war zone.  Both of these hypothesis are corroborated by the fact that as of 2008, he has been listed in Moscow residential databases as a person entitled to state benefits – a status usually given to people who have received a state award. According to former officers of Russia’s special service, an early retirement would not necessarily entitle a termination of the relationship with FSB; it can in fact be used as a legend for providing a valuable asset cover through the alibi of “civil employment”.

A phone number which we identified as belonging to Roman Demyanchenko is listed in the phone number sharing app GetContact (which harvests data from its users’ phone contact books) as “Roma FSB”. This means at least one person has saved Demyanchenko’s number in their telephone with “Roma FSB” in their contact book.

A leaked database of employment records reviewed by us shows that in 2019, Demyanchenko was employed by Vympel Sodeystvie (Vympel Cooperation), a Moscow-based company officially owned by Eduard Bendersky. Bendersky is the chairman of the Regional Association of former Vympel Spetsnaz officers, and is himself a former Lt. Colonel from the Vympel’s Spetsnaz training unit in Balashikha, just outside Moscow.

In our previous investigations, we disclosed that Eduard Bendersky personally communicated with Vadim Krasikov dozens of times in the weeks and days before his trip to Berlin. Vympel Sodeystvie is one of a cluster of companies bearing the Vympel name that all offer security-related services. All of these companies are registered in the name of Bendersky, and are located at the same address which was visited many times by the Berlin assassin, Vadim Krasikov. Former employees of the Vympel group of companies have described them as a commercial front for high-ranking FSB officials.

Demyanchenko’s declared monthly income for January 2019, based on leaked tax data for that month, was 480,000 rubles (EUR 5,500). It is not clear if this is a regular monthly salary or if it includes an accrued annual bonus. If it refers to a single month’s salary, it would be a very high pay-rate for Moscow standards and would suggest a high rank within the organization.

Metadata from phone records of Demyanchenko show that he frequently visits the headquarters of the Vympel group of companies and communicates with its management – including with its president Eduard Bendersky, as well as with active FSB officers. He also frequently communicates with a person who actively communicated with both the suspected assassin Vadim Krasikov and with his wife in the months after the assassination. This person is an FSB colonel and a Vympel Spetsnaz alumnus, named Evgeny E.

Trips to St. Petersburg

As reported previously, Roman “Davydov” traveled to the Schengen area two weeks before the Kleiner Tiergarten murder using a Slovak visa issued in the St. Petersburg consulate of Slovakia. Since our report on this visa issuance, Slovakia has expelled two Russian diplomats over Russia’s abuse of their visa system. Having determined his real identity, we were able to use a leaked travel database to look up his trip from Moscow to St. Petersburg at the time of obtaining the visa. Roman Demyanchenko traveled by train from Moscow to St. Petersburg on 23 July 2019, and had a return ticket for 26 July 2019. He did not use that return ticket and booked another return trip on 29 July. Based on the visa application documents which we have reviewed, Demyanchenko/”Davydov” applied for his visa on 29 July. This suggest he needed more time than planned to compile the necessary package of (inauthentic) documents, and stayed longer than planned in St. Petersburg. As his visa was issued on 31 July 2019, this means someone else picked up his passport and visa from the consulate. He departed to the EU 2 days later, on 2 August 2019.

Prior Trips and Prior Identities

Roman Demyanchenko has traveled under at least three different identities with three different names and birthdays; under all of these he used a government-issued, valid passport. As we have written before, this is not possible without the direct involvement of the Russian state, and more specifically the FSB, As the FSB controls Russia’s border service, even other special services such as GRU and SVR require FSB’s involvement for the issuance of cover documents, to preclude discovery during border crossings.

Under his real identity, Demyanchenko has traveled only domestically and in former Soviet republics, such as Ukraine, Belarus, and Kazakhstan. Among his frequent destinations in the past five years were Crimea and Krasnodar. Krasnodar is near the base of the Wagner PMC, which, as reported earlier, is supervised by both GRU and FSB.

Under his latest identity – “Roman Davydov” – he took only one trip, from August 3 to August 7 2019, two weeks before the Berlin murder. This identity appears to have been created specifically for the Berlin operation.

Demyanchenko’s travels under his third identity, Roman “Nikolaev”, born 22 December 1980, appear to have been most prolific. These trips also appear to be most sensitive and zealously guarded by the Russian state. Travel logs under this identity have been purged from Russian border crossing databases, as well as from a comprehensive FSB-maintained database tracking all Russian residents’ movements. Partial offline archives, which exist beyond the reach of Russian security services, show a trip to Czechia in 2015 (which was already reported by us), as well as trips to Latakia (Syria). The trips to Syria are likely linked to the presence of Russian Spetsnaz (including FSB Spetsnaz) and mercenary units there.

Potential Further Persons of Interest Discovered

During one trip to St. Petersburg in 2017, Demyanchenko traveled with three other men on same train booking. One of them – Andrey Sazontsev – was previously identified by us as a member of the “Magnificent Seven”: an FSB/Vympel team that made repeated trips overseas under fake identities covert operations, including at least two murders in Istanbul in 2015. The other two co-passengers are both employed by the Vympel group of companies, and are former FSB Spetsnaz officers. We are not disclosing their identities at this stage while investigating their possible link to the Berlin assassination or other covert operations.

One of Demyanchenko’s co-passengers – Andrey Sazontsev – is a former senior police officer working at Moscow’s police criminal search department. He traveled to Czechia in 2015 using a cover identity of “Andrey Mitrakov”. He was also in frequent telephone contact with the assassin Vadim Krasikov prior to his trip to Berlin, and called the assassin’s wife immediately after the murder. He also spoke with Demyanchenko repeatedly in the last few months, as shown in telephone records obtained by us. While his link to the Berlin murder is yet uncertain, it is clear from the pattern of communication that he was aware of the operation. Based on the identity change pattern used by Demyanchenko, it can be assumed that if he did indeed play an active role in the Berlin murder – and if he traveled to Germany as part of the kill team – he would likely have used a different, newly issued cover identity than the previously used “Mitrakov”.

Left, Andrey Sazontsev, personal ID document. Right, “Andrey Mitrakov”, photo from 2015 visa application documents

Identification Method

The starting point for the identification of Demyanchenko was his alter ego “Roman Davydov”, born on 9 October 1981, who was originally discovered based on his use of a sequential passport number and identical employer, in the visa application, as those of the suspected assassin .

As always in our investigations, we initially attempted to identify the real person behind the “Davydov” persona using several open-source reverse-face-search tools offering look-ups of people on Russian social media sites based on a photograph. In this case, there was no match for the photograph used by “Davydov” in his visa application, indicating Demyanchenko does not have social media presence. We had to switch to a deductive method.

A basic rule of thumb in identifying Russian spies – both of GRU and FSB provenance – is that they tend to use the same first name and middle name or initial, and sometimes the same birth date, in both their real and fake identities. The latter however is more often true of GRU operatives than of FSB spies who tend to have better operational security and rarely use the exact same birth date. Even so, both sets of operatives typically use a cover identity with a birth year that is either the same or at most one year different than their real one.

Unusually, in this case we had discovered that the person behind “Roman Davydov” had also used a previous cover identity – that of “Roman Nikolaev”, born on 22 December 1980. As this identity had been used earlier – before Bellingcat’s and others’ disclosures of a number of Russian undercover operations, and the possible subsequent improvement of Russian OpSec routines – we assumed that the real identity would have more in common with the “Nikolaev” cover identity than with that of the later created “Davydov”.

Our starting hypothesis was that the real “Roman Davydov” would likely also have a first name “Roman”, and that his birth year would be 1980, or less likely 1981 or 1979. Based on traffic camera logs of the Infiniti car which “Davydov” had used before and after the August 2019 trip to the EU, we could establish also the likely general area of his residence in Moscow. While these characteristics gave us a possible profile, none of them was specific enough to filter the possible candidates to a manageable shortlist.

We initially attempted to identify “Davydov” via obtaining passenger records for the flights which Krasikov took to and from St. Petersburg in late July. We hypothesized that the two may have flown together from Moscow to St. Petersburg, given that “Davydov” had applied for a visa on 29 July 2019, and Krasikov had been in St. Petersburg at that time. However we did not find any co-passenger of Krasikov’s matching the above criteria.

Our next approach was to use as a starting point the telephone logs from Vadim Krasikov’s telephone number. We had obtained his main number’s metadata for the period from February to September 2019, which included periods both before and after the assassination in Berlin. We had discovered that he did not take his phone with him on his mission, but instead used a new, burner phone registered in his cover identity of “Vadim Sokolov”. His main phone, however, remained switched on and connected to the network even after he departed for Berlin. Cell tower connection data showed it stayed at his residence, which suggested that after his departure, calls to and from it were handled by his wife.

As part of our investigation into Krasikov’s circle of contacts, using open-source phone number reverse look-up tools (primarily the apps GetContact and NumBuster) we had identified all people with whom he interacted via regular GSM phone calls. There was no match for a person meeting the “Davydov” criteria, implying that they either did not communicate at all, or (more plausibly), did it via untraceable VoIP messengers such as WhatsApp, Signal or Telegram.

Therefore, we had to go one step further and look for a “Davydov” candidate among the larger universe of contacts of Krasikov’s own contacts. In order to limit the scope, we decided to focus only on those contacts of Krasikov who were most likely to have been involved in the planning of the assassination. We had discovered that only two of Krasikov’s contacts continued calling his phone after the murder – likely, communicating with his wife after the arrest, and giving her assistance and/or instructions. These two contacts were Col. Evgeny E., and Andrey Sazontsev.  By this stage we had discovered that Andrey Sazontsev had used a fake identity to travel with “Davydov” on a previous covert overseas operation in 2015, which implied Sazontsev would likely be in long-term contact with “Davydov”.

Based on this hypothesis, we obtained – from a source at a Russian mobile operator – Andrey Sazontsev’s phone records for the last three months.  Using reverse phone search tools, we identified his most frequent contacts, and encountered one person who matched the initial criteria: a Roman Yuryevich Demyanchenko, born on 4 December 1980.

To confirm our hypothesis that Demyanchenko is in fact “Davydov”, we then obtained from a source with access to offline copies of Russian passport data, a copy of Demyanchenko’s ID document, and indeed confirmed that his face closely resembled “Davydov”‘s. A face comparison using Microsoft Azure’s Face Verification tool resulted in a conclusive >0.9 match which positively validated our identification.

Relevance of Findings

These latest findings corroborate our previous conclusion that the assassination of Zelimkhan Khangoshvili in Berlin was organized by the FSB which used the Vympel group of companies (and the affiliated Regional Association of Former FSB Spetsnaz veterans) for the practical implementation and as deniable cover. It is logical to conclude that the Vympel group of companies is a de facto arm of the FSB earmarked, at least partly, for deniable overseas assassinations or other unlawful interventions. The role of the Vympel group for such targeted assassinations is not dissimilar to the use of Wagner PMC for deniable military operations abroad. At the same time, FSB’s use of a proxy for overseas illegal operations is different than the modus operandi of the GRU who only use staff officers for clandestine operations abroad.

As stated in previous reports, our findings also point to a gaping security hole in the European visa issuance system permitting the award of visas to false identities with no credible documentary background, and with relatively easily identifiable doppelgangers working for Russian security services (or for their proxy organizations). Our findings show that the deficiency is systemic and is not restricted to one particular country’s consular service, as we have observed successful abuses of the visa issuance systems deployed against the UK, France, Italy, Slovakia, Czechia and Switzerland.  The abuse is made possible partly due to the continued acceptance of non-biometric passports for Russian travelers.

The case of Demyanchenko/”Nikolaev”/”Davydov” however indicates that a mandatory requirement for biometric passports may not be a sufficient measure to curtail the flow of covert illegal operatives infiltrating the European space under fake identities. Demyanchenko was apparently able to obtain (at least) two Schengen-space visas based on two different identities. In theory, this should not have been possible due to the mandatory collection of biometric data upon visa application, and its entry into a central EU maintained database called the Visa Information Service. A previously collected fingerprint under one identity should have alerted the visa issuance officer when the same fingerprints are used for a new visa application under a different identity.

In response to a question from Der Spiegel in this regard, the European Commission replied that:

“..the Visa Information System central system provides Member States with all necessary tools and that such type of fraudulent application should have been detected in the procedure. Further analysis would be needed to determine whether all relevant checks were conducted in line with the obligations stemming from the Visa Code and the Visa Information System Regulation.  Relevant Member States can check the logs of their national visa systems as well as their internal working procedures, to find out whether the decision resulted from a technical or human error (e.g. non-compliance with the procedures indicated in the respective regulations and handbooks)

….

As regards the quality of fingerprints, each Member State is expected to use tools that ensure compliance with the standards established for the Visa Information System central system, including the associated functionality offered by the central system (check fingerprint quality) to ensure that the enrolment of biometric data complies with the agreed specifications. In case of low quality fingerprints, the visa authority should retry their capture.”