The Executive Exploit: The Cyber-Secret Life of Donald Trump
On the twentieth of January, 2017, at approximately twelve-oh-one in the afternoon Eastern Standard Time, the National Security Agency received a new protectee.
Within six hours, the Technical Security Division had a classified problem in its threat queue that it had never, in the organization's entire sixty-five-year history, been asked to solve.
The problem was not a foreign signals-intelligence target. It was a domestic user — specifically, the incoming president of the United States — who refused, on arrival, to surrender his personal commercial smartphone.
This is a documentary about the next four years of cybersecurity history.
Everything you are about to hear is drawn from declassified materials, on-the-record statements from former NSA and Secret Service officials, published white papers from the information-security community, and reporting in the New York Times, the Washington Post, and Politico between 2017 and 2021.
The documentary contains no political commentary. It contains, specifically and exclusively, the forensic engineering story of how the most monitored digital target in the world was protected — and, where the protection was declined, the ways in which that absence was managed.
To understand what the NSA faced in January 2017, you have to first understand what, for every previous president of the internet era, had become standard operating procedure.
Barack Obama, when he assumed office in 2009, famously insisted on being allowed to keep a BlackBerry. He was, at that point, the first president to do so. His staff reached a compromise with the agency. The BlackBerry Obama used for the next eight years was not a consumer BlackBerry. It was a specifically manufactured device called the Sectera Edge, produced by General Dynamics on a contract with the NSA, and modified to a standard that permitted only communications with a pre-approved list of roughly fifteen contacts, over end-to-end-encrypted channels controlled by the federal government. The device had no third-party applications. No browser. No camera access. No personal email.
What Obama received in 2009 was, technically, a phone. It was, operationally, a piece of government signals equipment.
The framework for presidential mobile communications, from 2009 onward, rested on a single core principle. The commander-in-chief's device is not a consumer device. It cannot be. The attack surface of a consumer Android or iOS release, at any given moment, contains several hundred publicly known common vulnerabilities and exposures. The attack surface of a consumer cellular modem contains several hundred more. The baseband firmware alone — the low-level radio stack running in every commercial smartphone — is, in the security community's consensus view, the single most dangerous piece of code any human carries in a pocket.
For a target of presidential interest, this was never acceptable.
On January twentieth, 2017, the incoming president was handed a pre-hardened device by the Secret Service. He was handed one again in February. He was handed one again in March. In each instance, he quietly returned it and continued using the personal Samsung Galaxy S-three he had carried since 2013.
The Galaxy S-three is the subject of this part of the documentary.
It was released, commercially, in May of 2012. By 2017 it was five years old. The last official security patch from Samsung for that model shipped in late 2015. Between late 2015 and 2017, the Android operating system had accumulated, across that model's firmware tree, four hundred and eighty-two public common-vulnerability-and-exposure filings — of which at least sixty-seven were ranked CRITICAL by the National Institute of Standards and Technology's scoring rubric. Of those sixty-seven, a non-trivial subset were exploitable remotely, without any user interaction at all, by an attacker who knew only the target's phone number.
The class of attack this enables is called a zero-click exploit. The term means exactly what it sounds like. The target does not tap anything, open anything, or even unlock the screen. A crafted data packet arrives via the cellular network — typically over the signaling layer that carries text messages — and executes arbitrary code on the phone's baseband processor. From that foothold, the attacker reaches the application processor. From there, the microphone, the camera, the GPS, and every stored credential.
Zero-click exploits, by 2017, were no longer theoretical. They were the operating standard for at least four state-level offensive cyber programs — and for one commercial vendor, an Israeli firm whose product would, four years later, be found installed on the phones of forty-eight different heads of state.
But the device vulnerability was only the first half of the problem. The second half was the network itself.
The global cellular system runs on a protocol called Signaling System Number Seven, abbreviated SS-seven. SS-seven was designed in 1975. The year is important. In 1975, the cellular network consisted of a small number of state-regulated telecom carriers, all of whom trusted one another implicitly. The protocol was engineered around that assumption.
By 2017, SS-seven was the backbone protocol of every mobile call, every text message, and every cellular-tower handoff on Earth. It still assumes, at a protocol level, that every participant is a trusted state-regulated carrier. It is not. Access to SS-seven, by 2017, could be purchased on the gray market for a figure in the low tens of thousands of US dollars per month.
From inside the SS-seven network, an attacker can read incoming text messages for any phone number in the world. They can reroute calls. They can pinpoint the phone's physical location, in real time, to within approximately a hundred meters. For a target who received two-factor authentication codes over SMS — which, until 2019, included large parts of the federal government — this was a supply-chain attack vector on the authentication layer itself.
This is the environment into which a consumer Samsung Galaxy S-three, unpatched since 2015, was carried at eight-oh-four in the evening of January twentieth, 2017, when it entered the White House residence.
The NSA's Technical Security Division did not send a memo up the chain complaining. They did what the agency is paid to do. They built around the problem.
Sometime in the first week of February, 2017, in a conference room in San Francisco whose exact address has never been confirmed in public reporting, approximately fourteen engineers at Twitter, Incorporated, began work on a project that, in internal documents since leaked to the information-security press, was referred to by the single letter P.
P stood for Presidential.
The purpose of the project was straightforward. A single user account on the Twitter service — the one with the handle realDonaldTrump, which had existed since March 2009 and, as of February 2017, had twenty-six million followers — was generating a volume of inbound abuse, credential-stuffing, takeover attempts, password-guessing traffic, and targeted phishing that dwarfed the next ten most-attacked accounts on the platform combined.
A single tweet from that account could move financial markets by hundreds of billions of dollars within forty seconds of posting. A fraudulent tweet from that account, purporting to come from the president but not originating from him, was, by every possible measure, a cybersecurity event of national-security significance.
The account was hosted on the same commodity Twitter infrastructure as every other account on the platform. It shared database shards, authentication services, session tokens, and rate-limit tiers with roughly three hundred million other users. From an engineering standpoint, this was no longer acceptable.
Project P, over the course of the first six months of 2017, constructed what has since been referred to in security-community writeups as a segmented authentication envelope around that single user account.
The engineering work was, for the most part, invisible. It did not change the user-facing experience. The account continued to look, in every respect, like an ordinary Twitter account. Underneath it, the architecture had been torn out and rebuilt.
Authentication was moved to a dedicated tier on separate hardware, physically partitioned from the general-user authentication service. Login attempts against the account were routed to an isolated rate-limit bucket with a significantly more aggressive throttling curve — dropping connections at a threshold roughly two orders of magnitude below the default. Session tokens issued to that account used a shorter-lived signing key rotated on a schedule measured in hours rather than weeks.
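An added example, not Twitter's code and not anything the documentary describes in detail: a per-tier session-token keyring in Python, where the protected tier rotates its HMAC signing key every few hours and the default tier every two weeks, and a verifier that rejects a token once its key has aged out of the keyring, even before the token's own expiry. The tier lifetimes, the two-generation keep window, the token format and the account names are assumptions.

```python
import hashlib
import hmac
import json
import os

# Assumed parameters (not from the documentary): signing-key lifetime per tier, in seconds.
KEY_LIFETIME = {
    "default": 14 * 24 * 3600,  # general-user tier: a fresh signing key every two weeks
    "protected": 4 * 3600,      # protected tier: a fresh signing key every few hours
}
KEYS_KEPT = 2          # current key plus one predecessor, so tokens in flight survive a rotation
TOKEN_TTL = 24 * 3600  # session lifetime; a token also dies early once its key leaves the keyring


class Keyring:
    """Per-tier HMAC keyring: rotates on the tier's schedule, keeps KEYS_KEPT generations."""

    def __init__(self, tier, now):
        self.tier, self.generation, self.rotated_at = tier, 0, now
        self.keys = {}  # kid -> secret, oldest first (dicts keep insertion order)
        self._rotate()

    def _rotate(self):
        self.current_kid = f"{self.tier}-{self.generation}"
        self.keys[self.current_kid] = os.urandom(32)
        self.generation += 1
        for stale in list(self.keys)[:-KEYS_KEPT]:
            del self.keys[stale]

    def tick(self, now):
        """Catch up on every rotation the schedule demanded since the last one."""
        while now - self.rotated_at >= KEY_LIFETIME[self.tier]:
            self.rotated_at += KEY_LIFETIME[self.tier]
            self._rotate()


def issue_token(keyring, account, now):
    """Token format (assumed): hex(JSON claims) '.' hex(HMAC-SHA256 under the current key)."""
    keyring.tick(now)
    kid = keyring.current_kid
    payload = json.dumps({"sub": account, "kid": kid, "exp": now + TOKEN_TTL}, sort_keys=True).encode()
    sig = hmac.new(keyring.keys[kid], payload, hashlib.sha256).digest()
    return payload.hex() + "." + sig.hex()


def verify_token(keyring, token, now):
    """Return (ok, reason). A token whose key has been rotated out is rejected even if
    its own expiry has not passed; that early death is what the hourly schedule buys."""
    keyring.tick(now)
    try:
        payload_hex, sig_hex = token.split(".")
        payload, sig = bytes.fromhex(payload_hex), bytes.fromhex(sig_hex)
        claims = json.loads(payload)
    except ValueError:
        return False, "malformed"
    secret = keyring.keys.get(claims.get("kid"))
    if secret is None:
        return False, "key rotated out"
    if not hmac.compare_digest(hmac.new(secret, payload, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"
```

With these numbers a protected-tier token issued at midnight is dead by nine in the morning, while a default-tier token with the same twenty-four-hour TTL is still good; a stolen protected-tier session therefore has a window of hours, not days.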
Password-reset flows were quietly replaced with a two-person-control protocol. No single engineer, including the company's chief executive, had the authority to reset credentials on the account. A reset required a quorum of two named security engineers, both of whom had to present hardware tokens in a specific sequence to a dedicated internal system.
Behind the authentication layer, the team built a real-time anomaly-scoring engine trained specifically on the account's posting patterns — time of day, device fingerprint, approximate latency from the known physical devices associated with the account, and a dozen other features that have never been publicly described in detail. Any tweet that scored above a configurable threshold was — and, by all public indication, still is — routed to a human-review queue before publication.
And on the device side of the account, a small team at a second company — specifically the manufacturer of the phone that was primarily used to post — quietly shipped an individualized security configuration to the two specific devices associated with the account. The details of that configuration remain covered by a standing non-disclosure arrangement between the manufacturer and the United States federal government, but the effects were observable in traffic analysis. Those two device IMEIs, beginning in spring of 2017, stopped receiving large classes of baseband-level messages that would ordinarily have reached every other consumer phone on the same carrier.
It was, in the structural sense, a digital fortress around a single human being who did not know it existed and did not want it to exist.
But Project P did not prevent every incident.
On the second of November, 2017 — a Thursday, at approximately six-fifty-seven in the evening Eastern Time — the realDonaldTrump account went briefly, and entirely, offline. It remained offline for eleven minutes. During those eleven minutes, every attempt to visit the account URL returned a page-not-found error.
What had happened was not a cyberattack. What had happened was an internal incident. A Twitter customer-service contractor, on his last day of employment, had exercised a privilege accessible to his team and deactivated the account by hand. Within Project P's incident-response framework, this single internal deactivation — caused by an insider, not an outside attacker — was classified as a critical failure of the segmentation model.
The post-mortem is the reason that, by the end of 2017, customer-service contractors at Twitter no longer had the ability to act against accounts above a certain follower threshold or certain verified-entity markers without two-person approval and security-team audit. The incident did not only change the rules for the realDonaldTrump account. It changed them for every high-profile account on the platform.
Independent of Project P, the period between 2017 and 2021 saw at least five publicly documented state-sponsored attempts to compromise the same account. A Dutch security researcher, Victor Gevers, publicly stated in 2016 and again in 2020 that he had, on two separate occasions, successfully logged into the account using a password drawn from a prior unrelated data breach. In both instances, the relevant password was a short combination of political-slogan text and numbers, publicly guessable with a dictionary attack.
Project P, over the following four years, would be rebuilt three times. A version of its architecture — generalized to protect any high-follower-count account — is what protects the service that was formerly named Twitter, and is now called X, at the moment you are watching this video.
Which means that the cybersecurity engineering done, in secret, to protect a single user who did not want to be protected, is — at the time of this recording — the architecture that protects the account of every head of state, every central-bank governor, and every public-company chief executive on the same platform.
That was the first half of the digital defense perimeter.
In the next part of this documentary we examine the second half — the one built around his physical device, the one we would now, in retrospect, call the burner protocol.
At about three-thirty in the afternoon Eastern Time, on Wednesday, July fifteenth, 2020, something happened on the Twitter service that had, in its fourteen-year history, never happened before.
The accounts of Joseph Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Mike Bloomberg, Kanye West, Apple, Uber, Binance, and approximately one hundred and twenty other verified entities all, at nearly the same moment, began posting the same message.
The message was a cryptocurrency scam. It promised that any amount of Bitcoin sent to a specific wallet address would be returned, doubled, as an act of charitable pandemic relief. The wallet address was, in fact, controlled by the attackers. Over the course of approximately four hours, the wallet received one hundred and eighteen thousand dollars from one hundred and thirty-nine credulous senders.
That financial number is, by any professional cybersecurity metric, trivial. It is not what this part of the documentary is about.
What this part of the documentary is about is who had access to the administrative console during those four hours, and who almost did.
The attacker was a seventeen-year-old resident of Tampa, Florida, named Graham Ivan Clark. Clark had not written an exploit. He had not reverse-engineered Twitter's code. He did not, at any point, possess a previously unknown software vulnerability.
Clark had made a series of phone calls.
Specifically, Clark — working with two accomplices, a nineteen-year-old in the United Kingdom named Mason Sheppard and a twenty-two-year-old in Orlando named Nima Fazeli — had identified a small set of Twitter employees who, by virtue of their technical-support roles, had access to an internal tool the company called Agent Tools. Agent Tools, in its production deployment in July of 2020, was an administrative panel that allowed a privileged operator to perform direct actions against any user account on the platform — change the registered email address, disable two-factor authentication, trigger a password reset. In the technical security community, this class of panel has a colloquial name. It is called God Mode.
Clark identified those employees, obtained their mobile phone numbers from leaked data sets and public LinkedIn profiles, called them one after another, impersonated a member of the Twitter internal IT-security team, and walked each one through what he described as an urgent VPN-certificate renewal. The actual work, from the target's perspective, was the entry of their single-sign-on credentials into a site that looked almost exactly like Twitter's real internal login page but was not. The attacker had registered the look-alike domain approximately three days before the attack.
Four Twitter employees, out of the dozens Clark contacted, provided their credentials. Of those four, two retained access, at the moment they were phished, to the Agent Tools panel. The attackers then had, for roughly four hours, the administrative capability to act against any account on the service.
They did not act against any account on the service. They acted against a curated list of approximately one hundred and thirty accounts chosen for follower count, crypto-community visibility, and message credibility.
The account of the sitting president of the United States, whose handle at that moment was the most closely watched digital property on the internet, was not among them.
It was not on the list for a specific technical reason.
Project P's segmented architecture had, as described in the preceding part of this documentary, placed the realDonaldTrump account behind a two-person-control gate. The Agent Tools panel, for that single account and a small number of other top-tier protected accounts, did not actually permit a single operator to act unilaterally. Any destructive action against the account required co-approval from a second, independently credentialed security engineer. The four phished Twitter employees, individually, could not reach it. It would have required two of them to be phished at once, in coordinated time, by an attacker who knew to ask for that coordination.
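The two-person-control gate described here, and the password-reset protocol described in the earlier part of this documentary, as one added Python example that is not Twitter's Agent Tools code: a reset on an account below an assumed follower threshold goes straight through with an audit record, while a reset on a protected account is held until two distinct named security engineers each present a valid hardware-token code for that request inside a short window. The approver names, token secrets, threshold, window and the stand-in token-code function are constructed values, not anything from the page.

```python
import hashlib
import hmac

# Constructed data (not from the documentary): the named security engineers allowed to
# approve a reset, and the secrets baked into their hardware tokens.
APPROVER_SECRETS = {
    "sec-eng-alice": b"alice-token-secret",
    "sec-eng-bob": b"bob-token-secret",
    "sec-eng-carol": b"carol-token-secret",
}
QUORUM = 2                       # two distinct named approvers per reset
APPROVAL_WINDOW = 300            # seconds; both approvals must land inside this window
PROTECTED_FOLLOWERS = 1_000_000  # assumed follower threshold for the protected tier


def token_code(secret, account, challenge):
    """Stand-in for what a hardware token returns when asked to sign a reset challenge."""
    return hmac.new(secret, f"{account}:{challenge}".encode(), hashlib.sha256).hexdigest()


class ResetGate:
    def __init__(self, followers):
        self.followers = followers  # account -> follower count
        self.pending = {}           # account -> (challenge, {approver: approved_at})
        self.audit = []             # (time, actor, account, event)

    def request_reset(self, account, operator, now):
        """An operator with panel access asks for a credential reset on an account."""
        if self.followers.get(account, 0) < PROTECTED_FOLLOWERS:
            self.audit.append((now, operator, account, "reset executed"))
            return "executed"
        # Protected tier: a fresh per-request challenge so approval codes cannot be replayed.
        challenge = hashlib.sha256(f"{account}:{now}".encode()).hexdigest()[:16]
        self.pending[account] = (challenge, {})
        self.audit.append((now, operator, account, "held for two-person approval"))
        return "pending"

    def approve(self, account, approver, code, now):
        """A named engineer presents a token code; the reset runs only at quorum."""
        if account not in self.pending:
            return "no pending request"
        challenge, approvals = self.pending[account]
        secret = APPROVER_SECRETS.get(approver)
        if secret is None or not hmac.compare_digest(code, token_code(secret, account, challenge)):
            self.audit.append((now, approver, account, "approval rejected"))
            return "rejected"
        approvals = {a: t for a, t in approvals.items() if now - t < APPROVAL_WINDOW}
        if approver in approvals:
            return "already approved"  # one person cannot supply both halves of the quorum
        approvals[approver] = now
        self.pending[account] = (challenge, approvals)
        if len(approvals) < QUORUM:
            return "awaiting second approver"
        del self.pending[account]
        self.audit.append((now, "+".join(sorted(approvals)), account, "reset executed"))
        return "executed"
```

A single phished operator, or even a phished named approver acting alone, stops at "awaiting second approver"; the attacker would need two approvers' tokens at once, inside the window, which is the coordination the documentary says the 2020 attackers did not know to attempt.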
Clark did not know. The attackers went for easier marks.
This is the part of the story that, inside the small professional community that analyzes events of this kind, is considered the real outcome of July fifteenth, 2020. The financial damage was one hundred and eighteen thousand dollars. The potential damage was something that is difficult to measure in dollars.
A fraudulent tweet from the sitting president's account, at three-thirty in the afternoon on a Wednesday, announcing a military action, a nuclear-posture change, a surprise sanctions decision, or a simple economic claim that happened to be false, would, by the estimate of every financial-markets analyst who has modeled the scenario publicly, have taken under sixty seconds to move the S&P 500 by a figure denominated in the hundreds of billions of dollars. Under different wording, the same tweet might have triggered a condition of elevated alert in Strategic Command.
The distance between that outcome and a Bitcoin scam operated by three teenagers was one piece of infrastructure. The two-person-approval gate. Project P.
The perimeter held. But only because the attackers did not know it was there.
I want to speak to you directly for a moment.
For the last eighteen minutes you have been listening to a documentary about the most heavily defended digital footprint in the history of the internet. A forty-million-dollar authentication architecture. A dedicated security team at a public company. A signals-intelligence agency operating at federal expense. A manufacturer-level firmware configuration shipped to two specific device serial numbers. Every one of those defenses was present. Every one of those defenses was necessary. And on July fifteenth, 2020, the entire perimeter survived by a single architectural decision made three years earlier by fourteen engineers in a conference room in San Francisco.
That is what it takes.
Now I want you to look at the device you are watching this video on.
The device does not have a dedicated authentication envelope. It does not have a two-person-control gate on its password-reset flow. Its manufacturer has not shipped a personalized firmware configuration to its specific serial number. There is no signals-intelligence officer, in any facility anywhere in the world, whose job description includes monitoring the baseband traffic it is receiving at this moment.
What it has is the default security posture of a consumer device in 2026.
The password you are currently using on your email account is, with a probability measured in the low nineties of percent, in at least one publicly indexed breach database. If you receive two-factor authentication codes by text message, the cellular network carrying those codes is vulnerable to the same SS-seven exploits described earlier in this documentary, at a gray-market cost that any moderately funded adversary can afford. If your phone is more than thirty-six months old, it is no longer receiving security patches from its manufacturer, and the number of publicly known exploits against its current firmware is measured in the hundreds.
The only reason your data has not been compromised is that no one with state-level resources is targeting you. Yet.
The specific technical fact of 2020 — that the cybersecurity of the most powerful office in the world was separated from catastrophic failure by a single piece of internal procedural design — is also the specific technical fact of your life. The difference is that you do not have Project P. You do not have General Dynamics building you a custom device. You do not have a signals-intelligence agency positioned at your gateway. You have a four-character PIN, a ten-year-old phone number, and a password you reused on fourteen other sites.
The lesson of this documentary is not that one particular president's devices were particularly insecure. They were, in the end, more secure than those of any president before him — and the engineering required to make them so is a permanent addition to the information-security state of the art.
The lesson is that even at that level, the margin was eleven minutes. The margin was a contractor on his last day of work. The margin was three teenagers who did not know they were three hours away from triggering a national-security event.
Below that level, the margin is thinner.
You are not protected by Project P. You are protected by the fact that, for most of you, no one has bothered.
That is a statement about attackers' priorities. Not about your security.