United States v. Keith Raniere et al.EDNY · 18-cr-204
The Outlets That Drove the “NXIVM Cult” Narrative Were Tied to the Hacking of NXIVM Servers
Individuals operating from the corporate networks of three major media
organizations — Dow Jones (publisher of
The Wall Street Journal), Advance Publications
(Vanity Fair), and the Albany Times Union (owned by
Hearst) — were logged inside the private,
password-protected servers of NXIVM, the organization at the center of this
case. This is not a claim that every company sanctioned it from the top;
it is that the intrusions were traced to their networks —
conduct for which an employer can bear legal responsibility. The access was
unauthorized, it was tied to a New York State Police
investigation, and several of those who assisted were criminally
charged — one pleaded guilty.
These are the same media conglomerates now in legal conflict with President
Trump — he is currently suing one of them, Dow Jones,
for $10 billion. And the overlap runs far deeper than the
outlets: many of the same actors who participated in this case, defended it,
or blocked scrutiny of it later
appeared in major lawfare actions against President Trump.
The backstory, briefly
NXIVM (pronounced “nex-ee-um”) was a personal-development
company that served more than 17,000 clients across 33 countries
over roughly two decades. Its leadership included the adult children — in
their 30s, 40s, and older — of political and media dynasties. Among them
were the son of a former Mexican president and the daughter of one of Latin
America’s largest media moguls. Reportedly, they remained involved for
years
against the wishes of these powerful patriarchs
— individuals with substantial media and political influence.
Early in its life, key media outlets framed the company as a “cult,”
building public hostility against Mr. Raniere and NXIVM
years before the EDNY prosecution in Brooklyn (the Eastern District of New
York) — making the allegations easier to accept and contrary evidence
easier to overlook.
And there is clear evidence that the very outlets that shaped that narrative
were themselves implicated in the criminal server intrusions — raising
serious doubts about whether the story that drove this case was ever
trustworthy to begin with.
Timeline: from media-linked break-ins, to the narrative they built, to a federal conviction
Follow the story as it actually unfolded — from the first logged
break-ins to the federal sentencing. Where a step has a primary-source
document behind it, open it and read it yourself.
From ~2006
The break-ins begin — and trace back to media networks.
Beginning around 2006, computers were logged entering
NXIVM’s password-protected database without authorization. Years
later, the
New York State Police forensically traced those
intrusions to the corporate networks of three major media companies
— the publishers of the Wall Street Journal (Dow Jones),
Vanity Fair (Advance Publications), and the Albany
Times Union.
IP access log filed as Exhibit 86-6 (Case 1:14-cv-01375) — the Dow Jones-Telerate and Times Union corporate networks on the NXIVM database; part of the matter the New York State Police investigated.
November 2010
Vanity Fair launches the national “cult” narrative.
Vanity Fair publishes Suzanna Andrews’s
“The Heiresses and the Cult,” the first
major national story casting NXIVM as a cult that had captured the
Bronfman fortune. It shaped how the public saw the group nearly a
decade before any criminal charge — and Andrews’s own IP
address matches the intrusion log.
February 2012
The Times Union escalates with “Secrets of NXIVM.”
The Albany Times Union runs reporter James Odato’s
four-part series “Secrets of NXIVM” —
the most detailed reporting yet, and the first to publish the most
explosive allegations against Raniere. The Times Union’s
own corporate IP also sits inside the intrusion logs.
2014–2016
The helpers are charged — but not the outlets.
In November 2014, anti-NXIVM blogger John Tighe pleads
guilty to felony computer trespass, admitting under oath
that he entered NXIVM’s server 50 to 60 times using
another person’s login. In February 2015, an Albany County grand
jury indicts three more civilians — Toni Natalie, Barbara Bouchey,
and Joseph O’Hara — on felony computer-trespass counts, later
resolved in 2016 through adjournments in contemplation of dismissal (a
deal that wipes the charge if no new offense follows). The media
companies whose corporate networks appear in the same logs are
never charged.
March 2018
The federal case begins.
Keith Raniere is charged in the Eastern District
of New York.
June 12, 2018
The trial judge says what he knew came from two newspapers — one of them in the hacking logs.
At a pre-trial conference, Judge Nicholas Garaufis
— who would preside over the entire trial — states on the
record where his knowledge of the case came from:
“That’s all I know about this case is what I read in The New
York Times magazine and the Albany Times Union. Okay?”
— Judge Nicholas G. Garaufis, pre-trial transcript, June 12, 2018, p. 24
He named two outlets — the New York Times Magazine and
the Times Union. One of them, the Albany Times Union,
is among the outlets whose corporate IP sits inside the criminal
hacking logs.
June 19, 2019
Conviction.
A Brooklyn jury convicts Raniere on all counts, including racketeering
and sex trafficking. He is later sentenced to 120 years.
2020
The accused hackers become the “victims.”
HBO’s The Vow and Starz’s Seduced air to
mass audiences. At the October 2020 sentencing, two of the very
civilians indicted in 2015 — Natalie and Bouchey —
deliver victim-impact statements against Raniere.
And the rot was not confined to the newsroom. The same prosecution that
grew from that decade of coverage was itself later examined by some of the
most senior law-enforcement figures in the country — and what they put
on the record, under their own names, is blunt. Click either statement to
see exactly who signed it:
Why this isn’t necessarily over
The media companies were never charged — but that does not mean they
are beyond reach. The server intrusions did not happen in isolation; they
overlap with the same network of individuals who assisted the years-long
campaign against Mr. Raniere documented throughout this site — a
campaign whose misconduct has been verified or vetted by
three former U.S. Attorneys, multiple retired FBI agents and
forensic examiners, and other senior legal figures — former
FBI and DOJ officials who, in a 2025 letter to FBI Director Kash Patel,
called it
“clear evidence of indictable government crime.”
That kind of coordinated, ongoing conduct is precisely what can give rise
to liability under federal racketeering (RICO) law
— meaning these outlets arguably remain prosecutable.
This page is independent of whether Keith Raniere is innocent or
guilty. What the record shows is narrower, and harder to dismiss:
the public story of this case was not built by neutral observers.
Over more than a decade it was shaped by outlets whose own corporate
networks appear in criminal intrusion logs the New York State Police
confirmed — and amplified by individuals who were themselves
criminally charged before being recast as “victims.”
Even the trial judge said, in open court, that what he knew of the case
came from one of those same outlets.
Every link in that chain is documented above — open any of it and
read it for yourself.
Walking through the proof
Dow Jones / Wall Street Journal corporate IPs were logged accessing the defendants’ servers.
In plain terms: computers on the corporate network of Dow Jones — the company that publishes the Wall Street Journal — were recorded entering NXIVM’s private, password-protected database without permission. The New York State Police confirmed it.
IP addresses from the Dow Jones–Telerate corporate network
(New York, NY) were logged accessing NXIVM’s password-protected
database without authorization, on specific dates and times captured in
the server logs, and forensically confirmed by the New York
State Police.
Provenance: these records were produced under a sworn
business-records certification (custodian Benjamin Myers) tied to
New York State Police Investigation No. 4582273, and
were filed in court as Exhibit 86-6 in Case 1:14-cv-01375 — not a
document assembled for this website. The civil suit that placed these logs
on the docket was later dismissed on procedural grounds — but
neither the records nor the parallel State Police investigation was ever
found to be false.
IP log — Dow Jones-Telerate and Times Union networks accessing the NXIVM database.
Sources
Case 1:14-cv-01375, Doc. 86-6 — server access log.
A Vanity Fair writer’s IP matched the intrusion log — then she wrote the foundational “cult” story.
In plain terms: every device on the internet has an address (an “IP”). The break-in records contain the IP of Vanity Fair’s parent company and, separately, the personal IP of the writer who then published the original “cult” exposé. The writer who shaped how the public saw the group was herself tied to the break-in.
1. The corporate network was on the servers.
IP 69.2.120.11, belonging to Advance Publications
(Condé Nast’s parent company, New York, NY), was confirmed
by NYSP on NXIVM’s servers.
IP log — Advance Publications corporate IP on the NXIVM database.
2. The writer’s personal IP matched the log.
Vanity Fair writer Suzanna Andrews’s
IP address (207.237.232.82) was matched via email header to the
intrusion log.
Email-to-IP match — Suzanna Andrews tied to the intrusion log.
3. A former U.S. Attorney’s referral — citing the State Police.
This was not merely an “email match.” In an August 3,
2015 referral letter, former U.S. Attorney
Dennis K. Burke (writing as counsel to Clare Bronfman)
urged the U.S. Attorney for the Northern District of New York to take up
the New York State Special Prosecutor’s referral of Andrews.
The letter states that “the New York State Police have been
conducting an ongoing investigation,” that Andrews
“repeatedly accessed the NXIVM website from her home,” and that
there is “sufficient evidence that was obtained by the New
York State Police… to sustain a conviction.” Andrews,
it notes, admitted she logged in.
Referral letter, Aug. 3, 2015 — former U.S. Attorney Dennis K. Burke to the NDNY U.S. Attorney, citing the New York State Police investigation of Andrews.
4. The article that followed.
In the November 2010 issue, Andrews authored “The Heiresses
and the Cult” in Vanity Fair — one of the
foundational media narratives that shaped public perception of the case
years before any federal charges were filed.
Vanity Fair, November 2010 — the foundational “cult” piece.
The trial judge stated, in open court, that his prior knowledge of the case came from an outlet whose corporate IP sits inside the hacking log.
In plain terms: the Albany Times Union’s network shows up in the break-in records — and the federal judge who presided over the entire trial said, on the record, that what he already knew about the case came from that same newspaper.
1. The Times Union’s corporate IP was on the servers.
IP address 167.166.23.253, belonging to the Albany
Times Union network (Saratoga Springs, NY), was logged
accessing NXIVM’s password-protected database and
forensically confirmed by NYSP.
NYSP-confirmed IP log — the Times Union (Saratoga Springs, NY) row, alongside Dow Jones-Telerate.
2. What the trial judge said on the record.
At a pre-trial conference on June 12, 2018,
Judge Nicholas G. Garaufis — the judge who would preside over
the entire trial — stated on the record that all he knew about
the case was what he had read in the New York Times Magazine
and the Albany Times Union.
Pre-trial conference transcript, June 12, 2018, p. 24.
The federal trial judge thus described, in open court, that his prior
knowledge of the case came from two newspapers — and one of them,
the Albany Times Union, is among the outlets whose corporate IP
address sits inside the criminal hacking logs.
Case 1:14-cv-01375, Doc. 86-6 — server access log (Times Union IP).
Walking through the proof
A 2015 Albany County grand jury indicted three civilian co-conspirators for the same hacking activity.
In plain terms: a grand jury is a panel of citizens that decides whether there is enough evidence to bring criminal charges. In 2015 one did exactly that here — formally charging three people connected to the break-ins with computer trespass, a felony.
On February 27, 2015, an Albany County grand jury
returned indictments against three non-media civilians for Computer
Trespass under NY Penal Law §156.10(2), a Class E Felony — 7
counts in all: Toni F. Natalie (4 counts),
Barbara J. Bouchey (1 count), and
Joseph J. O’Hara (2 counts).
Notably, those charged were the civilians who assisted the
media outlets. The media companies themselves — whose
corporate networks appear in the same break-in logs — were
not prosecuted.
How it resolved: in February 2016 the charges against
Natalie, Bouchey, and O’Hara were resolved through
adjournments in contemplation of dismissal. Separately, Saratoga
blogger John Tighe had already pleaded guilty in
November 2014 to felony computer trespass for accessing
NXIVM’s server 50–60 times without authorization — a
sworn admission that the intrusions occurred.
Albany County grand jury indictment of Toni F. Natalie, Feb. 27, 2015 — one of three; the Bouchey and O’Hara indictments are in the records below.
Two of the indicted civilians later delivered “victim” impact statements at the federal sentencing.
In plain terms: a victim-impact statement is a victim’s chance to address the court before a defendant is sentenced. Two of the very people charged over the hacking stood up as “victims” at Raniere’s sentencing — the accused hackers became the case’s victims.
Toni Natalie and Barbara Bouchey
did not disappear after the 2015 indictment. They became central
“victim” voices in the EDNY prosecution: they delivered
impact statements at Raniere’s sentencing, appeared in HBO’s
The Vow and Starz’s Seduced, and served as the
media’s go-to “former NXIVM” voices throughout the
run-up to the federal trial.
The same people indicted for criminally hacking the
defendants’ servers were retrofitted into “victims”
in the federal sex-crime case built off the narrative those hacks
helped seed.
On the record, under their names
Three former U.S. Attorneys & the experts beside them
“In our collective experience, we have never seen a case with this degree of widespread government malfeasance as United States v. Keith Raniere et. al.”
MS
Michael Sullivan
Former U.S. Attorney, District of Massachusetts
BT
Brett Tolman
Former U.S. Attorney, District of Utah
BC
Bud Cummins
Former U.S. Attorney, E.D. Arkansas
RM
Hon. Richard Mays, Sr.
Retired Justice, Arkansas Supreme Court
AE
Alan Ellis
Past President, NACDL
JK
Dr. James R. Kiper
Retired FBI Forensic Examiner · 20 yrs FBI
MB
Mark D. Bowling
Retired FBI Asst. Special Agent in Charge & Forensic Examiner, 20 yrs
KD
Kenneth DeNardo
Former FBI Senior Evidence Technician, 23 yrs
SA
Steven Abrams
Digital Forensics Expert; former U.S. Secret Service
WN
Wayne Norris
Computer Forensic Expert; 36 yrs as expert witness
SB
Stephen Bunting
Former Captain, U-Del Police; author of 5 forensics textbooks
What other voices say
RS
Ronald S. Sullivan Jr.
Harvard Law Professor; has led the exoneration of more than 6,000 wrongfully convicted individuals — more than any attorney in U.S. history.
“Keith Raniere’s case represents one of the most egregious miscarriages of justice I have encountered.”
AD
Alan Dershowitz
Harvard Law Professor Emeritus; constitutional & criminal-defense attorney.
“The scale of government malfeasance uncovered in this case is both remarkable and dangerous.”
Under penalty of perjury
Seven forensic experts
Seven forensic experts — four of them former FBI examiners — concluded under penalty of perjury that the evidence the prosecution called the “heart” of its case was planted on a hard drive and a camera’s memory card, with falsified timestamps.
“The involvement of government personnel in this evidentiary fraud is inescapable — an unprecedented finding in our combined 150+ years of forensic experience.”
JK
Dr. James R. Kiper, Ph.D.
Retired FBI Special Agent & Unit Chief, FBI Academy (20 yrs)
SE
Stacy Eldridge
Former FBI Senior Forensic Examiner (10 yrs)
MB
Mark D. Bowling
Retired FBI Asst. Special Agent in Charge & Forensic Examiner (20 yrs)
WO
William Odom
Former FBI Special Agent & Forensic Examiner (25+ yrs)
SA
Steven Abrams, J.D., M.S.
Digital Forensics Expert; former U.S. Secret Service (25+ yrs)
SB
Stephen Bunting
Former Captain, U-Del Police; author of 5 forensics textbooks
WN
Wayne Norris
Computer Forensic Expert; 36 yrs as expert witness
An independent expert retained by Newsweek verified their findings.
Newsweek’s independent expert reviewed the evidence separately — and agreed.