WikiLeaks Vault 7: 5 Fast Facts You Need to Know

The photo hidden behind WikiLeaks’ Vault 7 tweet. (Flickr/David) (License)

WikiLeaks released access to its hugely hyped Vault 7 on Tuesday morning, an hour earlier than anticipated. The passphrase was supposed to be released at 9 a.m. Eastern, but WikiLeaks released it an hour early at 8 a.m. instead, when it was originally scheduled to have a press conference about the release. It turns out that Vault 7 is about a global hacking program being covertly operated by the CIA. Today’s release was just the first in a series of releases about Vault 7.

WikiLeaks tweeted a series of six cryptic tweets about Vault 7 in February, causing speculation ranging from Vault 7 being related to 9/11 to Hillary Clinton to a shadow government of some sort. WikiLeaks even dropped another Vault 7 clue in its tweet, with a photo hidden in what looked to just be a plain black background. Now we know that Vault 7 is about CIA’s “global hacking force”:

One of the biggest issues that WikiLeaks sought to bring to light in its release was that the CIA’s secret hacking division had produced malware and other means of hacking iPhones, Android phones, Samsung Smart TVs, and even bypassing encrypted apps like WhatsApp, Signal, and Telegram — and then lost control of the malware. According to WikiLeaks, an archive with the malware and other exploits was being circulated and some of it was given over to WikiLeaks by an unnamed source. But because the CIA didn’t tell the companies about its capabilities, they weren’t able to close the holes. According to WikiLeaks, the CIA even found ways to access phones that had used Presidential Twitter accounts and were looking into hacking into cars and trucks.

Here’s everything we know about Vault 7 so far. We will add to this as more information is available.

1. Vault 7 Is a Series of Leaks about the CIA that WikiLeaks Is Releasing, Starting With Year Zero


Julian Assange (Getty)

Vault 7 isn’t just one release, it’s a series of leaks that WikiLeaks is releasing starting March 7, all about a covert global hacking program being run by the CIA. (Interestingly, WikiLeaks may have named the leaks “Vault 7” because they are releasing it on the 7th. Or they may have picked this date to correspond with the Vault 7 release.)

The tweet announcing Vault 7’s release contained a photo hidden in what a casual viewer might have thought was just a plain black background. That photo read Prefecture 353. Find out more about the photo in this story below:

2. WikiLeaks Released the Year Zero Documents Via a Torrent File and a Passphrase

WikiLeaks provided instructions to the public on its Twitter page on how to access the Vault 7 file.

Note that if you simply click the file in the link above, it will automatically download a torrent file to your computer, so don’t click the link unless you are wanting to download a file. According to WikiLeaks, you will then need the 7zip program to unpack the file. At this point you will be asked for a passphrase, which WikiLeaks will released at 9 a.m. Eastern.

WikiLeaks is recommending TransmissionBT as a torrent downloader, according to its latest tweet:

WikiLeaks then released the passphrase to access the file:

Since originally posting the files in the form of a torrent file, WikiLeaks has now also made the file available online. They apparently released it both ways so the files are still accessible in case the website were to go down. You can view the files on WikiLeaks’ website here.

Meanwhile, WikiLeaks had scheduled a press conference about Vault 7, which was ultimately delayed due to the Facebook/Periscope video that Julian Assange was going to use being “under attack.” A livestream was posted to WikiLeaks’ Facebook page, but the press conference never actually went live. WikiLeaks has not yet stated when the new press conference will be.

Read more about what happened with the press conference in the story below:

3. Vault 7 Is About the CIA’s ‘Global Hacking Force’ and is the ‘Largest Ever Publication of Confidential Documents’ on the CIA

It will take a while to comb through everything in WikiLeaks’ Vault 7 release. WikiLeaks summarized some important points in a press release about Vault 7. These are a new series of leaks on the CIA and “the largest ever publication of confidential documents on the agency,” WikiLeaks explained. This first part in the series has 8,761 documents and files from a high-security network at Langley. WikiLeaks explained that it didn’t hack the CIA. Somehow, the CIA lost control of most of its hacking arsenal (malware, viruses, trojans, etc.) — amounting to several hundred million lines of code — in an archive that was circulated among former U.S. government hackers and contractors. WikiLeaks was given “portions” of the archive.

According to WikiLeaks’ press release, “Year Zero” exposes the CIA’s covert hacking program, including exploits against products like iPhone, Android, Windows, and Samsung TVs. The CIA has an extensive hacking division, WikiLeaks said, which is composed over over 5,000 registered users and more than a thousand hacking systems and malware. WikiLeaks’ press release adds that its source is questioning the scope of the CIA’s hacking and if it exceeds mandated powers. The leak, WikiLeaks said, was meant to “initiate public debate about the security, creation, use, proliferation, and democratic control of cyberweapons.”

Here are direct quotes from WikiLeaks describing Vault 7.

By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its ‘own NSA’ with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified. In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”


These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

WikiLeaks continued.

The U.S. government’s commitment to the Vulnerabilities Equities Process came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis. ‘Year Zero’ documents show that the CIA breached the Obama administration’s commitments. Many of the vulnerabilities used in the CIA’s cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.”

WikiLeaks redacted and anonymized some of the information before releasing it, including CIA targets throughout the U.S. and the world.

4. Vault 7 Revealed Vulnerabilities in iPhone, Smart TVs, and Android — Even Apps That Were Supposed To Be Encrypted

One thing revealed through the first Vault 7 release is that even apps that are supposed to be encrypted, like WhatsApp, Telegram, and Signal, are vulnerable to the CIA’s global hacking program, according to WikiLeaks’ releases. Here are just some highlights about how the hacks worked, according to WikiLeaks:

  • Samsung Smart TVs are vulnerable due to a Weeping Angel hack that puts the TV in a “Fake-Off” mode. The owner believes the TV is off when it’s actually on, allowing the CIA to record conversations in the room and send them through the internet to a covert CIA server.
  • Vehicle Control Systems of Cars and Trucks: It’s not known if these were hacked, but in 2014 the CIA was looking into infecting vehicle control systems used by modern cars and trucks. Motivation was unknown.
  • Remotely Hack Smart Phones: Infected phones would send the user’s geolocation, audio, and texts. It could covertly activate the camera and mic of the phone. A special division was devoted to hacking iOS products, like iPhones and iPads. Android phone were also targeted.
  • Bypassing Encrypted Apps: The CIA used techniques to bypass encrypted apps. WikiLeaks listed the following:  WhatsApp, Signal, Telegram, Wiebo, Confide, and Clockman. The smart phones would be hacked first, and then audio and message traffic was collected before encryption was applied through the apps.
  • Targeting Microsoft, Linux, and OSx with Malware: The CIA’s efforts also focused on infecting Microsoft Windows users with malware. Microsoft was targeted via viruses injected through CDs/DVDs, USBs, data hidden in images, covert disk areas, and other types of malware. Malware attacks were also aimed at Mac OS X, Solaris, Linus, and more.
  • Phones Running Presidential Twitter Accounts: Interestingly, WikiLeaks wrote that “specific CIA malware revealed in Year Zero is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts.” As WikiLeaks mentioned, if the CIA can hack these phones, so can anyone else who obtained or discovered the vulnerability. When WikiLeaks obtained the hack, it had been distributed to others too.
  • Router Exploitations: Hundreds of router exploitations are listed in the document.
  • The CIA Can Misdirect Their Cyber Attacks to Look Like Someone Else: According to WikiLeaks, the CIA collects attack techniques ‘stolen’ from malware produced in other states including Russia via a project called UMBRAGE. The CIA does this for many reasons, but one use they can do is leave behind fingerprints that misdirect attribution, making it look like their cyber attack was done by someone else. (Note: It’s unclear at this time if the misdirection is WikiLeaks’ interpretation of one thing the CIA could do, or if there’s a specific place in the document where the CIA mentions this use of UMBRAGE.)

Because the CIA kept the vulnerabilities hidden, even after they were exposed, WikiLeaks said this put the population at large at risk, including members of the U.S. government, Congress, top CEOs, and engineers. Without letting Apple and Google know about their vulnerabilities, the companies had no means to fix the hacks after they leaked.

iPhone & Android Hack Details

Here are more details about the iPhone and Android phone hacks:

Samsung SmartTV Hack Details

Interestingly enough, the Samsung SmartTV hack isn’t a big surprise. In fact, before Smart TVs became popular, it was known that the CIA wanted to spy on people through their appliances, according to this article by Network World. Then-CIA Director David Petraeus spoke at a CIA’s venture capital firm in 2012 and said the CIA was interested in monitoring items connected to the Internet. Back in 2015, Samsung’s SmartTV privacy policy warned people not to share private information in front of their TV:

Antivirus Hack Details

So what are some of the takeways from this? There are many. But essentially, because the CIA was targeting Android devices, iOS devices, Smart TVs, and even Microsoft and Mac OSX and Linus systems, it seems that almost anything is vulnerable — especially any device that is microphone- and camera-equipped and connects to the Internet. These seem to be the biggest targets.

And antivirus systems really won’t stop them. According to WikiLeaks, “CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in AV defeats, Personal Security Products, Detecting and defeating PSPs and PSP/Debugger/RE Avoidance.” Some of the antivirus and security programs that they may have found defeats or workaround for included (Note: It’s unclear if these were all bypassed, because some files were redacted by WikiLeaks):

  • Bitdefender
  • Comodo
  • AVG
  • F-Secure
  • Avira
  • Avast
  • Zone Alarm
  • Trend Micro
  • Norton
  • Panda
  • Malwarebytes
  • McAfee
  • Microsoft Security Essentials
  • Kaspersky
  • ESET
  • ClamAV
  • Symantec
  • Rising
  • DART (?)
  • Zemana Antilogger

They even discussed how the NSA got some things wrong and how they could do it better.

Infiltration Via Emoticons on Sites Like Reddit?

Among the weirder pages in the docs are a strange focus on emojis and emoticons. For example, an entire page is devoted to “Japanese Style Faces” here, including the ever-so-popular shrugging emoji. Were they trying to get these faces correct to infiltrate Internet conversations? An entire section is devoted to “Faces of the Internet,” including sideways faces, multiline faces, one line faces, and “weird right to left faces.” The comment on the section is “I would like to put in a request for the reddit ‘implied perverse interpretation’ face.” (Does this mean they were posting on Reddit too? It’s possible, because one user did say they visit Reddit’s NetSec subreddit for ideas.)

There are other aspects to Vault 7 that are still being deciphered. For example, some are concerned that the CIA was infiltrating online games, because of one page’s reference to League of Legends, Hearthstone, and Heroes of the Storm.

5. WikiLeaks Built Hype for Vault 7 By Releasing Six Tweets About It, Asking: ‘Who, What, Where, When, Why and How’

In February, WikiLeaks released six tweets about Vault 7, using journalism’s classic “who, what, where, when, why, and how” method. The first was this:

The photo is of the Svalbard Seed Vault on the Norwegian island of Spitsbergen in a remote Arctic archipelago. The vault was created to preserve plant seeds from around the world, in case of a global or regional crisis. Here’s a video explaining the seed vault in more detail:

Inside the Svalbard Seed VaultA rare look inside the Svalbard Global Seed Vault which is closed ~350 days a year Check out Audible: More info on the seed vault: My trip to Norway was funded by Screen Australia, Film Victoria and Genepool Productions as part of a new project. More information soon. Special thanks to Bente Naeverdal…2016-05-04T14:00:01Z

What you see above the entrance to the vault, in the photo, is an illuminated public artwork. It was made by Dyveke Sanne and is called “Perpetual Repercussion.”

The second tweet was this:

The photo in the tweet shows Nazi gold stored in Merkers Salt Mine (it’s referenced in this Wikipedia article.)  The gold at Merkers was discovered when the U.S. Army took Merkers in 1945 during World War II. Two French women had reported that the Kaiseroda salt mine had gold stored by Germans, which was how the U.S. Army first discovered it. According to the National Archives, the mine contained gold bullion, gold Reichsmarks, British gold pounds, French gold francs, American gold pieces, gold and silver coins, additional foreign currency, silver bars, platinum bars, artwork, and more. Nazi gold was allegedly transferred by Nazi Germany to overseas banks during World War II, and to this day people are trying to guess and discover what happened to that missing Nazi gold. A group of Holocaust survivors brought a civil suit against the Vatican Bank over it in 1999. The case was dismissed in 2003, but then reinstated in part in 2005. Various parts of the case were dismissed again in 2007-2009.

The third tweet was this:



The photo in the tweet was from 2010, taken at Langley Air Force Base in Virginia, while running a jet inspection test on a Pratt and Whitney F119-PW-100 jet engine. The article talks about soundproof hush houses that are used for jet engine testing, sometimes called “vaults.” The engine’s name fed theories that Vault 7 was about 9/11, because F119 is 911 backwards.

Here’s the fourth tweet, which asks Who is #Vault7?

The photos are part of a series of spy posters created by the U.S. government. You can see all of the posters in the series at the Center for Development of Security Excellence’s website. Beneath Snowden’s photo the poster reads: “Spilled the Beans and Ran.” Beneath Assange’s it reads: “The Hack Behind WikiLeaks.” Beneath Manning’s it reads: “Leaked the Largest Cache of Classifieds.” Since Manning is currently still in jail, this likely doesn’t mean that these three people were the source of the Vault 7 leak.

Here’s the fifth tweet, which asks “Why Is #Vault7?”

A reverse image search revealed this photo to be from an article posted by Whiteman Air Force Base. The caption of the photo reads: “Staff Sgt. Adam Boyd, 509th Civil Engineer Squadron structural supervisor, welds a box blade for a snow plow, Feb. 27. Structures Airmen perform jobs such as this one to save the Air Force from having to possibly spend money on parts made by civilian companies.” This photo fed more theories that these tweets are about 9/11, since box cutters were used and there is a theory circulating about welding pillars incorrectly.

The sixth tweet read: “How did #Vault7 Make Its Way to Wikileaks?” Here it is:

This photo can be found in several locations, including Open Society Foundations’ “Images from the Secret Stasi Archives” here. The caption reads: “When mailboxes were being observed by Stasi agents, every person posting a letter was photographed. Some films found in the Stasi archives also show persons dressed in civilian clothing emptying the mailbox after the conclusion of the surveillance action.” It’s part of a series of photos of people at mailboxes. Stasi is The Ministry for State Security, which was the official state security service of the German Democratic Republic (East Germany.) Wikipedia cites several sources as saying Stasi was often referred to as one of the most effective and repressive intelligence and secret police agencies in history.

George Soros is the founder and chairman of Open Society Foundations, the source of this photo. This tweet confirmed that #Vault7 referred to files that WikiLeaks has, rather than to a specific person, as some had surmised prior to this tweet.

These photos may have also been chosen because of the lack of copyright restrictions on them.

Another possible clue was tweeted by EmbassyCat, a Twitter account “run” by Julian Assange’s cat. (It’s an official Twitter account associated with WikiLeaks.)

EmbassyCat, a Twitter account “run” by Assange’s cat, only posted one thing possibly related to Vault 7.

On Twitter, @gal_deplorable provided a translation of the comic:

It talks about how the Papyrus proved that Caesar was lying and all Gaul was not conquered. The “whole empire will tremble” when the scandal comes out. The year 353 AD was referenced in WikiLeaks’ tweet about Vault 7’s release, which also relates back to Gaul. Ultimately, it appears this clue was simply related to how groundshaking WikiLeaks believed the release would be.

As the clues grew, theories about WikiLeaks abounded, fed in part by a press conference related to Anthony Weiner’s laptop that was delayed on March 7. This ended up not being related to WikiLeaks’ Vault 7 in any way. Here are just a few of the theories that were suggested about Vault 7. In the end, Vault 7 ended up being about something most people weren’t suspecting: CIA hacking.

Clinton’s Missing Emails or the FBI’s Vault on Clinton

Some believed this was about a seventh “vault” of FBI emails, since the FBI had released six sets of Clinton emails and information at the time that the tweets were published. But this was less than likely, since the FBI just released Part 7 of its Clinton vault here. Others believed that it was related to Clinton’s missing 33,000 emails. This theory gained new traction after a federal court hearing about Anthony Weiner and Huma Abedin’s laptop emails, scheduled for Tuesday March 7, was postponed on March 6. However, it’s unclear at this time if the postponement happened before or after WikiLeak’s announcement. Read the press release from Judicial Watch, where they mention the hearing was postponed, here.

Obama Wiretapping

Because of President Donald Trump’s recent tweets claiming President Barack Obama “wiretapped” him, some believe that Vault 7 is about this. However, the wiretapping suspicion so far is unsubstantiated.


Others theorized this was somehow related to a longstanding conspiracy theory about “pizzagate,” which involves the idea that high-ranking politicians are involved in a pedophile ring. So far no conclusive evidence has been found to support this theory. It gained traction after WikiLeaks released John Podesta’s emails.

September 11

Still others believed that Vault 7 was related to September 11, 2001. In the third #Vault7 tweet, the engine was an F119 which is “911” backwards. The fifth tweet featured a photo of someone welding, which some believe is a reference to a conspiracy theory about an angled cut on a World Trade Center beam.

George Soros & Democrats

Others believed that Vault 7 had something to do with George Soros and the Democrats, since his website was the source for one of the photos.

Government Spending or Military Involvement

Another theory was that WikiLeaks would release something related to government spending or military projects. The fifth tweet referenced a photo from Whiteman Air Force Base, the only permanent base for the B-2. B-2 bombers were used in October 2001 in Afghanistan.

Extinction of Animals or Climate Change

In several WikiLeaks Reddit discussions, some said #Vault7 might reference the next mass extinction event following the sixth, which some scientists say we are in the middle of. This theory is connected to the tweet of the seed vault, and proposed #Vault7 had something to do with climate change.

Shadow Government

CNBC reported in October that a new FBI release featured claims of a “shadow government” composed of high-ranking state officials, whom some referred to as “The 7th Floor Group.” So some believed Vault 7 was somehow connected to this.

WikiLeaks supporters and the curious posted many things on social media as they waited to hear about WikiLeaks’ Vault 7.

Now all that remains is to wait for the passphrase to see what Vault 7 really is. Here are some reactions online as people wait to find out what’s next:

Some, however, weren’t so happy about the news:

After Vault 7 was released, Edward Snowden weighed in to say that it looks authentic to him:

Would love your thoughts, please comment.x