The Outlets That Drove the “NXIVM Cult” Narrative Were Tied to the Hacking of NXIVM Servers

Individuals operating from the corporate networks of three major media organizations — Dow Jones (publisher of The Wall Street Journal), Advance Publications (Vanity Fair), and the Albany Times Union (owned by Hearst) — were logged inside the private, password-protected servers of NXIVM, the organization at the center of this case. This is not a claim that every company sanctioned it from the top; it is that the intrusions were traced to their networks — conduct for which an employer can bear legal responsibility. The access was unauthorized, it was tied to a New York State Police investigation, and several of those who assisted were criminally charged — one pleaded guilty.

These are the same media conglomerates now in legal conflict with President Trump — he is currently suing one of them, Dow Jones, for $10 billion. And the overlap runs far deeper than the outlets: many of the same actors who participated in this case, defended it, or blocked scrutiny of it later appeared in major lawfare actions against President Trump.

The backstory, briefly

NXIVM (pronounced “nex-ee-um”) was a personal-development company that served more than 17,000 clients across 33 countries over roughly two decades. Its leadership included the adult children — in their 30s, 40s, and older — of political and media dynasties. Among them were the son of a former Mexican president and the daughter of one of Latin America’s largest media moguls. Reportedly, they remained involved for years against the wishes of these powerful patriarchs — individuals with substantial media and political influence.

Early in its life, key media outlets framed the company as a “cult,” building public hostility against Mr. Raniere and NXIVM years before the EDNY prosecution in Brooklyn (the Eastern District of New York) — making the allegations easier to accept and contrary evidence easier to overlook.

And there is clear evidence that the very outlets that shaped that narrative were themselves implicated in the criminal server intrusions — raising serious doubts about whether the story that drove this case was ever trustworthy to begin with.

Timeline: from media-linked break-ins, to the narrative they built, to a federal conviction

Follow the story as it actually unfolded — from the first logged break-ins to the federal sentencing. Where a step has a primary-source document behind it, open it and read it yourself.

  1. From ~2006

    The break-ins begin — and trace back to media networks.

    Beginning around 2006, computers were logged entering NXIVM’s password-protected database without authorization. Years later, the New York State Police forensically traced those intrusions to the corporate networks of three major media companies — the publishers of the Wall Street Journal (Dow Jones), Vanity Fair (Advance Publications), and the Albany Times Union.

    NYSP-confirmed IP log showing the Dow Jones-Telerate and Times Union corporate networks accessing the NXIVM database
    IP access log filed as Exhibit 86-6 (Case 1:14-cv-01375) — the Dow Jones-Telerate and Times Union corporate networks on the NXIVM database; part of the matter the New York State Police investigated.
  2. November 2010

    Vanity Fair launches the national “cult” narrative.

    Vanity Fair publishes Suzanna Andrews’s “The Heiresses and the Cult,” the first major national story casting NXIVM as a cult that had captured the Bronfman fortune. It shaped how the public saw the group nearly a decade before any criminal charge — and Andrews’s own IP address matches the intrusion log.

  3. February 2012

    The Times Union escalates with “Secrets of NXIVM.”

    The Albany Times Union runs reporter James Odato’s four-part series “Secrets of NXIVM” — the most detailed reporting yet, and the first to publish the most explosive allegations against Raniere. The Times Union’s own corporate IP also sits inside the intrusion logs.

  4. 2014–2016

    The helpers are charged — but not the outlets.

    In November 2014, anti-NXIVM blogger John Tighe pleads guilty to felony computer trespass, admitting under oath that he entered NXIVM’s server 50 to 60 times using another person’s login. In February 2015, an Albany County grand jury indicts three more civilians — Toni Natalie, Barbara Bouchey, and Joseph O’Hara — on felony computer-trespass counts, later resolved in 2016 through adjournments in contemplation of dismissal (a deal that wipes the charge if no new offense follows). The media companies whose corporate networks appear in the same logs are never charged.

  5. March 2018

    The federal case begins.

    Keith Raniere is charged in the Eastern District of New York.

  6. June 12, 2018

    The trial judge says what he knew came from two newspapers — one of them in the hacking logs.

    At a pre-trial conference, Judge Nicholas Garaufis — who would preside over the entire trial — states on the record where his knowledge of the case came from:

    “That’s all I know about this case is what I read in The New York Times magazine and the Albany Times Union. Okay?” — Judge Nicholas G. Garaufis, pre-trial transcript, June 12, 2018, p. 24

    He named two outlets — the New York Times Magazine and the Times Union. One of them, the Albany Times Union, is among the outlets whose corporate IP sits inside the criminal hacking logs.

  7. June 19, 2019

    Conviction.

    A Brooklyn jury convicts Raniere on all counts, including racketeering and sex trafficking. He is later sentenced to 120 years.

  8. 2020

    The accused hackers become the “victims.”

    HBO’s The Vow and Starz’s Seduced air to mass audiences. At the October 2020 sentencing, two of the very civilians indicted in 2015 — Natalie and Bouchey — deliver victim-impact statements against Raniere.

Comprehensive Source Document
Full media-hacking records — IP traces, indictments, and criminal referrals (PDF)

The bigger picture

And the rot was not confined to the newsroom. The same prosecution that grew from that decade of coverage was itself later examined by some of the most senior law-enforcement figures in the country — and what they put on the record, under their own names, is blunt. Click either statement to see exactly who signed it:

Why this isn’t necessarily over

The media companies were never charged — but that does not mean they are beyond reach. The server intrusions did not happen in isolation; they overlap with the same network of individuals who assisted the years-long campaign against Mr. Raniere documented throughout this site — a campaign whose misconduct has been verified or vetted by three former U.S. Attorneys, multiple retired FBI agents and forensic examiners, and other senior legal figures — former FBI and DOJ officials who, in a 2025 letter to FBI Director Kash Patel, called it “clear evidence of indictable government crime.” That kind of coordinated, ongoing conduct is precisely what can give rise to liability under federal racketeering (RICO) law — meaning these outlets arguably remain prosecutable.

The same machine, applied to Trump
See the full overlap — the prosecutors, the judge, and the outlets that reappear in the cases against President Trump
Past the headlines
The charges that gave rise to this case collapse under scrutiny — see the sex-trafficking counts examined, one by one

The takeaway

This page is independent of whether Keith Raniere is innocent or guilty. What the record shows is narrower, and harder to dismiss: the public story of this case was not built by neutral observers.

Over more than a decade it was shaped by outlets whose own corporate networks appear in criminal intrusion logs the New York State Police confirmed — and amplified by individuals who were themselves criminally charged before being recast as “victims.” Even the trial judge said, in open court, that what he knew of the case came from one of those same outlets.

Every link in that chain is documented above — open any of it and read it for yourself.

Walking through the proof

Dow Jones / Wall Street Journal corporate IPs were logged accessing the defendants’ servers.

In plain terms: computers on the corporate network of Dow Jones — the company that publishes the Wall Street Journal — were recorded entering NXIVM’s private, password-protected database without permission. The New York State Police confirmed it.

IP addresses from the Dow Jones–Telerate corporate network (New York, NY) were logged accessing NXIVM’s password-protected database without authorization, on specific dates and times captured in the server logs, and forensically confirmed by the New York State Police.

Provenance: these records were produced under a sworn business-records certification (custodian Benjamin Myers) tied to New York State Police Investigation No. 4582273, and were filed in court as Exhibit 86-6 in Case 1:14-cv-01375 — not a document assembled for this website. The civil suit that placed these logs on the docket was later dismissed on procedural grounds — but neither the records nor the parallel State Police investigation was ever found to be false.

IP log — Dow Jones-Telerate network and Times Union network accessing NXIVM servers
IP log — Dow Jones-Telerate and Times Union networks accessing the NXIVM database.

Sources

Walking through the proof

A Vanity Fair writer’s IP matched the intrusion log — then she wrote the foundational “cult” story.

In plain terms: every device on the internet has an address (an “IP”). The break-in records contain the IP of Vanity Fair’s parent company and, separately, the personal IP of the writer who then published the original “cult” exposé. The writer who shaped how the public saw the group was herself tied to the break-in.

1. The corporate network was on the servers.

IP 69.2.120.11, belonging to Advance Publications (Condé Nast’s parent company, New York, NY), was confirmed by NYSP on NXIVM’s servers.

IP log — Advance Publications accessing NXIVM servers
IP log — Advance Publications corporate IP on the NXIVM database.

2. The writer’s personal IP matched the log.

Vanity Fair writer Suzanna Andrews’s IP address (207.237.232.82) was matched via email header to the intrusion log.

Email-to-IP match — Vanity Fair writer Suzanna Andrews tied to IP 207.237.232.82
Email-to-IP match — Suzanna Andrews tied to the intrusion log.

3. A former U.S. Attorney’s referral — citing the State Police.

This was not merely an “email match.” In an August 3, 2015 referral letter, former U.S. Attorney Dennis K. Burke (writing as counsel to Clare Bronfman) urged the U.S. Attorney for the Northern District of New York to take up the New York State Special Prosecutor’s referral of Andrews. The letter states that “the New York State Police have been conducting an ongoing investigation,” that Andrews “repeatedly accessed the NXIVM website from her home,” and that there is “sufficient evidence that was obtained by the New York State Police… to sustain a conviction.” Andrews, it notes, admitted she logged in.

August 3, 2015 referral letter from former U.S. Attorney Dennis K. Burke to the NDNY U.S. Attorney, referring Suzanna Andrews and citing the New York State Police investigation
Referral letter, Aug. 3, 2015 — former U.S. Attorney Dennis K. Burke to the NDNY U.S. Attorney, citing the New York State Police investigation of Andrews.

4. The article that followed.

In the November 2010 issue, Andrews authored “The Heiresses and the Cult” in Vanity Fair — one of the foundational media narratives that shaped public perception of the case years before any federal charges were filed.

Vanity Fair, November 2010 — 'The Heiresses and the Cult' by Suzanna Andrews
Vanity Fair, November 2010 — the foundational “cult” piece.
Walking through the proof

The trial judge stated, in open court, that his prior knowledge of the case came from an outlet whose corporate IP sits inside the hacking log.

In plain terms: the Albany Times Union’s network shows up in the break-in records — and the federal judge who presided over the entire trial said, on the record, that what he already knew about the case came from that same newspaper.

1. The Times Union’s corporate IP was on the servers.

IP address 167.166.23.253, belonging to the Albany Times Union network (Saratoga Springs, NY), was logged accessing NXIVM’s password-protected database and forensically confirmed by NYSP.

IP log — Times Union network (Saratoga Springs, NY) accessing NXIVM servers, alongside Dow Jones-Telerate
NYSP-confirmed IP log — the Times Union (Saratoga Springs, NY) row, alongside Dow Jones-Telerate.

2. What the trial judge said on the record.

At a pre-trial conference on June 12, 2018, Judge Nicholas G. Garaufis — the judge who would preside over the entire trial — stated on the record that all he knew about the case was what he had read in the New York Times Magazine and the Albany Times Union.

Pre-trial transcript, June 12, 2018, p. 24 — Garaufis: all he knows is from NY Times Magazine and Times Union
Pre-trial conference transcript, June 12, 2018, p. 24.

The federal trial judge thus described, in open court, that his prior knowledge of the case came from two newspapers — and one of them, the Albany Times Union, is among the outlets whose corporate IP address sits inside the criminal hacking logs.

Sources

Walking through the proof

A 2015 Albany County grand jury indicted three civilian co-conspirators for the same hacking activity.

In plain terms: a grand jury is a panel of citizens that decides whether there is enough evidence to bring criminal charges. In 2015 one did exactly that here — formally charging three people connected to the break-ins with computer trespass, a felony.

On February 27, 2015, an Albany County grand jury returned indictments against three non-media civilians for Computer Trespass under NY Penal Law §156.10(2), a Class E Felony — 7 counts in all: Toni F. Natalie (4 counts), Barbara J. Bouchey (1 count), and Joseph J. O’Hara (2 counts).

Notably, those charged were the civilians who assisted the media outlets. The media companies themselves — whose corporate networks appear in the same break-in logs — were not prosecuted.

How it resolved: in February 2016 the charges against Natalie, Bouchey, and O’Hara were resolved through adjournments in contemplation of dismissal. Separately, Saratoga blogger John Tighe had already pleaded guilty in November 2014 to felony computer trespass for accessing NXIVM’s server 50–60 times without authorization — a sworn admission that the intrusions occurred.

Albany County grand jury indictment — 7 counts of Computer Trespass, February 27, 2015
Albany County grand jury indictment of Toni F. Natalie, Feb. 27, 2015 — one of three; the Bouchey and O’Hara indictments are in the records below.
Walking through the proof

Two of the indicted civilians later delivered “victim” impact statements at the federal sentencing.

In plain terms: a victim-impact statement is a victim’s chance to address the court before a defendant is sentenced. Two of the very people charged over the hacking stood up as “victims” at Raniere’s sentencing — the accused hackers became the case’s victims.

Toni Natalie and Barbara Bouchey did not disappear after the 2015 indictment. They became central “victim” voices in the EDNY prosecution: they delivered impact statements at Raniere’s sentencing, appeared in HBO’s The Vow and Starz’s Seduced, and served as the media’s go-to “former NXIVM” voices throughout the run-up to the federal trial.

The same people indicted for criminally hacking the defendants’ servers were retrofitted into “victims” in the federal sex-crime case built off the narrative those hacks helped seed.