Post-Mortem of a Triple Poisoning: New Details Emerge in GRU's Failed Murder Attempts in Bulgaria

  • In a series of previous investigations, we identified eight officers from the GRU’s clandestine overseas operations unit (an elite sub-unit of Military Unit 29155) who traveled under fake identities to Bulgaria in late 2014 and early 2015 in batches of two or three people each time. The timing of the last two trips of these groups of spies coincided with two severe poisoning incidents in April and May of that year involving a Bulgarian arms manufacturer, his son, and the production chief of his group of plants. In 2015, the poisonings had remained unresolved. A privately-commissioned analysis study at a OPCW-certified lab in Finland had found traces of an unknown substance from the organophoshate family.
  • One of the GRU spies present in Bulgaria during both poisonings was “Sergey Fedotov”, the cover identity of Denis Sergeev, a GRU Major General who was also in the UK during the 2018 attempt on the lives of Sergey Skripal and his daughter.
  • Following our disclosures and a request by the victim, in 2019 Bulgarian investigative authorities re-opened the cold case from 2015. They subsequently indicted three of the GRU officers and placed them on the Interpol Red Notice list. These three indicted men were Maj. Gen. Denis Sergeev (“Sergey Fedotov”), Lt. Col. Sergey Lyutenko (“Sergey Pavlov”), and Col. Egor Gordienko (“Georgy Gorshkov”).
  • We discovered that following the failed assassination attempt, Egor Gordienko had been deployed to Geneva as a senior Russian diplomat where he served until the end of 2018.
  • Bulgarian authorities also released surveillance footage showing one of the three – presumably Denis Sergeev – wearing a disguise and approaching several cars in an underground garage where the poison victims’ cars had been parked.
  • On 26 August 2020, Bulgaria’s prosecution office suspended the criminal proceedings against the three indicted suspects. The reasons given in the decision were the impossibility to proceed with fact-finding in the absence of detained suspects, and long delays in obtaining international legal assistance from third countries. While this step doesn’t imply a termination of the criminal proceedings, it means that the case will remain “frozen” for the foreseeable future.

Our investigative team, including Bellingcat and The Insider Russia, has obtained a copy of the suspension decision which contains a summary of Bulgarian investigators’ findings, many of which are previously unknown to the public. These shed more light on whom exactly the GRU targeted for assassination, as well as on the course of events surrounding the poisoning attempts including the time between exposure to the poison and the onset of the first symptoms. Paired with new booking and travel data obtained by our investigative team, these findings shed more light on the modus operandi of the GRU’s elite kill team.

These new findings may be particularly relevant in the context of the disclosure that the poisoning of Russian opposition leader Alexey Navalny was also caused by exposure to a substance from the Novichok family. The findings also showcase the extreme recklessness of this assassination method which exposes random people to the deadly substance – as seen both in the case with Gebrev’s son and in the death of Dawn Sturgess in 2018.

We have also obtained new data on the interaction of Bulgarian investigators with international bodies like the OPCW, the Finnish laboratory, and Finnish investigative authorities, which suggest that not all all avenues for fact-finding have been explored in full, and some efforts may have been blocked by third parties for unclear reasons. In addition, we note that the role of at least one accessory to the crime has not been investigated despite credible evidence of his involvement.

Anatomy of a Murder Attempt: The Long Stakeout

The three GRU undercover officers indicted by Bulgarian authorities

The prosecution’s document lays out the chronology of events that led to the intentional organoposphate poisoning of three Bulgarian citizens in April 2015, with a repeat attempt on their lives a month later. The facts presented in the case – which broadly align with the timeline previously identified by us, complemented by our additional findings, point to a well-prepared, long-running operation that involved a preparatory phase with multiple trips and different teams.

The first planning trip identified in the prosecution’s document was on 15 February 2015. The three indicted GRU officers arrived on the same date to Bulgaria’s capital of Sofia, but using three different flights and arrival countries: “Gorshkov” (Gordienko) arrived first at 12:23 on Aeroflot flight SU2060 from Moscow, “Fedotov” (Sergeev) flew in from Belgrade at 15:58 on Air Serbia flight JU122, and “Pavlov” (Lyutenko) arrived at 18:08 from Athens, Greece.

According to the indictment documents, “Sergey Pavlov” booked Hotel Hill for the week starting 15 February 2015, and requested a room on the third floor with a view to the parking area. Hotel Hill is adjacent to Emilian Gebrev’s main corporate office at Emco Ltd, and a view to the parking area in front of the hotel would also ensure a view to the complete walkway from Emco’s entrance to the underground garage where Gebrev and his employees park their cars.

Investigators also determined that during the same period, “Gorshkov” stayed at Hotel Marinella, which is a short walk from the Hill Hotel and the Emco offices. He requested a room on the 15th floor, with a direct view to the entrance to the underground garage. While Bulgarian investigators say they did not uncover records showing “Fedotov” stayed at the same hotel, Bellingcat has found records showing he stayed there together with “Gorshkov”.

 

 

Both “Gorshkov” and “Pavlov” rented cars upon arrival. It is unclear what their itinerary during the week was, but shopping records from “Gorshkov”‘s VISA credit card (issued in the name of his cover identity) show that at least he stayed within the limits of the capital Sofia during this period. However, his total mileage during the week was 128 km, which suggests he may have taken short trips outside Sofia. “Pavlov”‘s mileage was even lower, at 87 km. Investigators believe that this whole week was dedicated to tailing their main target – Emilian Gebrev – and identifying patterns of his daily routine.

Gorshkov’s car rental reservation, obtained by our investigative team

Curiously, “Gorshkov”‘s credit card records show multiple souvenir purchases from Sofia, including boutique cosmetics, sports goods and children toys. It appears personal shopping on a tax-payers’ funded credit card is not frowned upon within the GRU – possibly justified as alibi-ensuring behavior.

At the end of this preparatory visit, the three officers departed back to Russia – with “Fedotov” and “Pavlov” sharing an Aeroflot flight to Moscow on 22 February 2015, and “Gorshkov” leaving on a different Aeroflot flight that same day.

Repeat Tourists

The same trio of seeming independently traveling tourists returned to Bulgaria just two months later, On 22 April 2015, “Pavlov” flew from Moscow to Sofia. Two days later, on 24 April 2015, “Gorshkov” and “Fedotov” flew into the seaside resort city of Bourgas, apparently for increased operational security. Pavlov had initially rented an apartment approximately 50 meters from the Emco offices, and two days later – on the day the other two members arrived – moved in to the same Hill Hotel as during his first trip, requesting specifically the same room with a view on the third floor.

The other two chose a more circuitous arrival to the crime scene. Upon landing in Bourgas, “Fedotov” and “Gorshkov” rented a car in Gorshkov’s name and drove 140 km north in the direction of Varna, Bulgaria’s other large seaside city. There, they both checked in at the Best Western Park hotel just for one night. They drove on to Sofia the next day, but stayed at different locations there. Gorshkov booked a three-room apartment in downtown Sofia, about 3 km away from the Emco office. The reservation was made until 30 April – and both he and “Fedotov” had bought returning tickets to Moscow for that day. During the same period “Fedotov” had rented an apartment located approximately 300 meters from the offices of Emco.

None of the three would stay until the end of their prepaid period, or use their purchased return tickets. They bought new, earlier return tickets – and flew back to Moscow via Istanbul in the evening of 28 April 2015 – as soon as they (thought) they had completed their mission.

The Fruit of the Poisonous Three

Emilian Gebrev fell seriously ill and subsided into a coma on the evening of 28 April 2015, during a business dinner with Polish partners he was hosting in a restaurant at the Marinella Hotel – the same place where “Gorshkov” and “Fedotov” had stayed at in February. His company’s production manager – Valentin Tahchiev – fell seriously ill two days later, and Emilian’s adult son Hristo Gebrev showed milder symptoms of poisoning on 4 May 2015. The staggered timing of the poisoning of the three – as well as the choice of targets – had remained a source of mystery to observers. However, video footage from an underground garage used by the Gebrev’s company may hold answers to these puzzling questions.

Bulgarian businessman Emilian Gebrev. Photo (c) Capital.bg, used with permission

Bulgarian investigative authorities believe that a yet-unidentified type of organophosphate nerve agent was applied to the door handles of the victims’ cars while they were parked in a public garage just behind the Hill Hotel. The garage is open to the public on a subscription basis, and is the main parking area used by employees of Emco, the holding company for Gebrev’s arms manufacturing and trading business. An analysis of the the footage from the garage’s security cameras lays out a convincing case for this hypothesis.

On the day on which Emilian Gebrev first fell ill, 28 April 2015, he drove into the garage and parked his Nissan GTR at 11:07 am, promptly leaving on foot towards his office. In the following two hours his company’s production manager, Valentin Tahchiev, and his personal driver, Oleg Lazarov, parked their own cars – a Toyota Land Cruiser and a Mercedes S Class respectively, in the same garage.

At 13:58 the surveillance cameras captured the presence in the garage of a person wearing a felt hat and black gloves, and holding something in hand. He initially approached Valentin Tahchiev’s Land Cruiser and lingered next to it – his hands out of camera view – for a few seconds. Then he turned towards Gebrev’s Nissan GTR – which was parked right next to the Toyota – and also lingered there for a few seconds. Here, too, the camera angle did not allow for his manipulation of the car to be seen. He circled each of the two cars three times in the course of 2 minutes.

Then the figure started walking towards the exit of the garage. A different camera registered him stopping and lingering at the Mercedes usually driven by Gebrev’s driver. Here, the person stayed for a few seconds on the right-hand (passenger) side of the car, before moving on towards the exit. At 14:02 – only four minutes after his first appearance in the garage – the figure took advantage of the garage slide-up door being opened by a new entering car, and exited the parking area in the same way as he had entered four minutes earlier.

Just over ten minutes after the figure exited the garage, at 14:15, Gebrev’s personal driver walked in and drove out with his Mercedes S. He picked up Emilian Gebrev shortly thereafter on the way to a business meeting. Gebrev felt the first symptoms of severe intoxication just before dinner, and collapsed into a coma at approximately 20:30 at the restaurant in the Marinella hotel.

Mr. Tahchiev, Emco’s production manager, didn’t pick up his car until two days later, in the early morning of 30 April. He drove out of the garage and returned the car to it three hours later, at 9:40. Shortly thereafter he also collapsed with symptoms similar to – but milder than – those of Gebrev. He checked into Sofia’s  Tokuda hospital at 6 pm on the same day. His symptoms included slurred speech, blurred vision, effusive perspiration, severely constricted pupils, extremely high blood pressure and continuous vomiting. After three days of sypmotmatic treatment, his status was somewhat improved but he had no memory of the preceding days. After his family discovered the similar symptoms experienced by Emilian Gebrev, he was  moved to a different hospital and was diagnosed with organophosphatic poisoning. The difference in severity between his symptoms and those experienced by Gebrev might be explained by the unexpectedly long time elapsed between the application of the substance to the car door handle and the moment of exposure.

At approximately 10:30 on the same morning, Emilian Gebrev’s son, Hristo Gebrev, entered the garage and approached his father’s car. He opened the trunk, appearing to inspect it; then walked around the car. He could be seen holding something resembling a hand-held measuring device near the driver-side window. He then did the same with the production director’s car parked right next to Gebrev’s one.

While the prosecution document does not propose a hypothesis for Gebrev’s son’s activity – and apparently did not even question him in the course of the investigation – sources close to the victims informed us that Hristo Gebrev was using a borrowed hand-held hazardous substances “sniffer” device in a desperate attempt to identify the cause of his father’s critical intoxication. At that time, doctors were struggling to find the source of the poisoning in order to select the appropriate treatment for Emilian Gebrev.

Hristo Gebrev himself fell ill four days later, on 4 May 2015. His symptoms were significantly milder than those of his father and Valentin Tahchiev, and this may be explained by the minimal exposure the the organoposphate during the two cars inspection.

“Mission Failed. Try Again?”

Both Emilian Gebrev and Valentin Tahchiev were admitted in critical conditions: Gebrev into the hospital of Sofia’s Military-Medical Academy, and Tahchieve into the emergency “Pirogov” clinic –  and were treated for severe poisoning with an unknown substance. As back in 2015 the public awareness of Russia’s revived use of organoposphates of the Novichok type was non-existent, they – and particularly Gebrev, who experienced by far more severe symptoms – survived solely due to aggressive symptomatic treatment by experienced doctors with hands-on war zone medical experience.

The Pirogov hospital diagnosis in the case of Mr. Tahchiev states: “Intoxication with an organoposphatic substance. Cholinomimetic syndrome M and N”

By mid-May both Gebrev and Tahchiev were released from hospital and began their recuperation period at their homes. Just three days later, on 18 May 2015, booking records obtained by our investigative team show the GRU kill team started planning a renewed attempt to complete their failed mission. Hotels were booked and tickets purchased on 18 May, and five days later on 23 May 2015, two of persistent trio of tourists returned to Bulgaria for the third time that year. “Sergey Fedotov” and “Georgy Gorshkov” flew in from Moscow to Sofia on a joint Aeroflot flight SU2060. This time, however, they were not joined by “Sergey Pavlov”.

The indictment document does not mention a third person during the GRU kill team’s remedial, third trip. However, as we reported earlier, based on leaked travel and hotel booking data reviewed by us, we discovered that during this visit the trio was replenished with a new member. He arrived from Moscow to Sofia on the same day as “Fedotov and “Gorshkov”. The new entry was “Danil Stepanov”, the cover identity of another member of the elite GRU kill team whose real name is Danil Kapralov.

 

Danil Kapralov, a.k.a. “Danil Stepanov”. Left, photograph from a social media profile of Kapralov’s family member, right, photograph from “Stepanov’s” travel passport.

Unlike Lyutenko (“Pavlov”), Kapralov had medical education in addition to his Spetsnaz skills. Like “Pavlov”, however, “Stepanov” was a lover of hotel rooms with the view. A reservation from Booking.com he made – obtained by our investigative team – shows him requesting literally “A room with a good view” at the Hill Hotel.

 

Just like during the previous GRU trip in April, only one member – “Stepanov” – was stationed near Gebrev’s office. The planned sojourn at the Hill Hotel was from 23-29 May 2015. “Fedotov” and “Gorshkov” again took residence for the same period at a relatively remote hotel, about 3 km away.

However, upon arrival to Sofia, the GRU trio was confronted with an unexpected development. Emilian Gebrev and his son had decided to drive to the family’s seaside house, where they thought the clean, iodine-filled air would accelerate the recovery process.

The Road Trip

The exact itinerary for the GRU trio for the next five days is not clear. They rented a car for the period 23-30 May – again in the name of “Gorshkov” – which had no in-built GPS system and therefore could not be traced by investigators (notably, in each case the GRU team chose a relatively old and/or inexpensive car model that did not have onboard GPS tracking). Credit card records show that the trio stayed in Sofia at least the first day upon arrival, as purchases from a sports good shop were registered that evening.

What investigators appear convinced about is that by 28 May 2015, the GRU officers had caught up with the Gebrevs’ at the seaside some four hours drive from Sofia. On that day, Emilian Gebrev felt a recurrence of the familiar symptoms and his condition began deteriorating. Upon the onset of symptoms, his son drove him back straight to the Military Medical Hospital in Sofia and checked him again in into the emergency ward.

The next day, 29 May, “Gorshkov” and “Fedotov” crossed the Bulgarian-Serbian border with their rented car and returned it on the following day at Belgrade airport. They flew back to Moscow that same day. “Stepanov” had returned to Moscow on a direct flight from Sofia on 29 May 2015.

Unanswered Questions

The prosecution decision to suspend investigations – which presumably tracks closely the indictment document in its fact-finding part – presents a convincing case for the direct causal relationship between the three named suspects and the near-fatal poisoning of the three Bulgarian citizens. However, the investigations completed thus far leave a number of open questions that need to be addressed.

  • Identity of the man with the hat

Bulgarian investigators do not name the identity of the figure in the underground garage, but conclude that he applied a powerful nerve agent of organophosphate group to the door handles of the cars to be likely used by Emilian Gebrev and his production manager. As we reported previously, Bulgarian authorities have requested assistance from US investigators in enhancing the quality of the surveillance video in order to determine the identity of the person. This has reportedly not yielded results.

Our previous reporting has concluded that the figure most likely is Maj. Gen. Denis Sergeev, a.k.a. “Sergey Fedotov”. He is the senior-most member of the mission who also took stronger operational security measures during both trips (few of the hotel or apartment bookings and none of the car rentals were in his name; also there were no credit card purchases made on his credit card). He was also the only member known to have been part of another similar assassination attempt – as a senior member of the Skripal poisoning mission in 2018. This determination is, however, not conclusive, and it is possible that one of the other two team members was charged with the last-mile task of applying the poisonous substance. An argument against the hypothesis for “Fedotov” would be the fact that in the Skripal case, he had a supervising role, and junior team members – Col. Mishkin and Col. Chepiga – were presumably tasked with crossing the last mile of the operation.

Determining the identity of the person in the garage is important not solely for attribution of culpability in the Bulgarian case but also to better understand the MO of Russian secret services protocols in similar assassination operations – knowledge that is likely to prove useful in deciphering other assassination attempts.

Possible approaches to determining the identity – absent facial data – include further investigation into telecoms data – identifying the number and residual metadata from the phones used by the three members, as well as gait analysis and comparison based on video samples of the three known suspects.

  • Partial list of suspects

The Bulgarian authorities have charged three suspects with the crime. However, evidence exists that ties at least three more members of the same GRU unit to the time and place of the operation. As we previously wrote, at least six of the Unit 21955 undercover officers appeared to have been involved in the planning of the Gebrev operation, based on the timing of their synchronized “staggered” arrivals and departures in the period from February to May 2015. The Bulgarian authorities have charged three of them, and the indictment documents do not include details of investigation of the potential role of any of the others.

In the case of at least one additional person (“Stepanov”/Kapralov), the links are hard to explain away with any other hypothesis than direct involvement in the incriminated operation. Bulgarian investigators could relatively easily prove or disprove the hypothesis of involvement of the other members by applying data collection similar to the one implemented on the main three. This does not appear to have been done.

  • Non-attribution

The prosecution document refers to the three indicted suspects by their cover identities only. As previously disclosed by us, these are artificially created identities that do not exist; thus, charging suspects under these identities is little more than an empty gesture. The real identities behind the suspects’ cover names have been publicly disclosed by us and Bulgarian investigators have reportedly issued Interpol warrants under both sets of names, in line with our identifications.

Non-inclusion of the real names, as well as the absence of attribution of the actions of the three indicted persons to Russia’s military intelligence, also leads to inability to determine a motive for the crime. Predictably, therefore, motives are not even discussed in the prosecution’s decision.

Based on information from the victims, the prosecution authorities have not even filed a formal request with Russian authorities in relation to the actual identity of the suspects. While a response from Russia – in keeping with recent precedent – is unlikely to result in usable information, an unconvincing reaction will permit investigative authorities in Bulgaria to use alternative methods, including intelligence, to determine the real identities.

Notably, the prosecution document notes that it has received information from Swedish intelligence that one of the indicted suspects – “Sergey Fedotov” – received a short-term Swedish-issued Schengen visa in early 2014 on the basis of a joint application with “Alexander Petrov”. The birth date for “Petrov” matches that of Alexander Mishkin, one of the main two suspects in the Skripal attempted murder case – which UK authorities have officially been attributed to the GRU. While Bulgarian prosecutors point to this direct link with the Skripal case as corroboration for the guilt of “Fedotov”, they shy away from following through with the logical conclusion that the same group – GRU – must have been behind the Bulgarian operation.

Our Russian investigative partner The Insider has addressed Russian investigative authorities with a question whether they have received a formal request for assistance in determining the identity of the suspects and bringing them to justice.

International Dysfunction

While some of the lack of progress in the investigation of the Gebrev poisoning case can be attributed to the seemingly timid actions of Bulgarian prosecutors, other aspects appear to be caused by deadlocks and inefficiencies in international legal cooperation. A crucial deadlock in this case is the absence of definitive determination of the used poisonous substance.

Bulgarian prosecutors’ timid attempts to engage the OPCW’s expertise in determining the substance ended up in a legal cul-de-sac, as Bulgarian authorities insisted on the application of Bulgarian criminal code of procedure to the OPCW involvement, while the organization declined to comply and referred to existing regulation that necessitates a peer-to-peer (state-party) approach to interactions with the OPCW. While from a legalistic perspective the OPCW position appears to be correct, the (global) public interest in this case would presuppose a higher level of proactive involvement by the only international organization having the ability to harness the available expertise needed to determine the nature and provenance of a particularly dangerous chemical substance.

Bulgarian investigators’ efforts to receive assistance from Verifin – the OPCW-accredited lab in Finland which conducted the initial analysis of blood samples from Emilian Gebrev in 2015 – appear to have stalled as well. While the original report from Verifin contained a commitment that samples will be kept and available for a five year period – until June 2020 – an official 2019 query from Bulgarian investigators to Verifin seen by us yielded a much belated response that no samples are available anymore. No further explanations were provided in the response. In the meantime, the original five-year conservation period has lapsed, leaving Bulgarian investigators with no obvious way forward to determine the exact substance used. A personal attempt by Emilian Gebrev to invoke the assistance of the Finnish lab VERIFIN – for whose analysis he had paid in 2015 – yielded no response. He then asked for help from Finland’s prosecution to establish how and why his own blood samples – to which he had received a commitment of storage for 5 years – had vanished from VERIFIN – this also yielded no results. In a formal response he received, Finnish prosecutors point him to Bulgarian law enforcement as “the crime was committed on Bulgarian territory.”

The lack of proactive international cooperation in this case appears to be systemic and has ramifications well beyond the individual criminal proceedings in Bulgaria. It also possibly pits the victims’ truth-finding interests against opaque and possibly political interests of state parties. The disappearing test samples in Gebrev’s case draw parallels to another recent case in which a Russian opposition figure targeted presumably by Russian security services had his test results withheld and “classified” by the FBI, leaving him uncertain of what really happened to him, and how he can prevent it from happening again.

Given the mounting evidence of state parties such as Russia using chemical weapons and nerve agents for extrajudicial assassinations – both abroad and, as it appears from the Navalny case, at home – little progress can be expected in crime solving or prevention without a vastly more streamlined, technocratic system of international legal cooperation that is impermeable to political interests.