In 2009, the publication of emails stolen from the UK’s University of East Anglia made headlines across the world. It sparked a scandal dubbed “Climategate” by global warming skeptics. To this day, some critics see the emails as evidence of a conspiracy to dupe the public into believing in human-caused climate change.

Multiple investigations cleared the scientists of wrongdoing, but the false allegations proved enduring. Donald Trump publicly called on world leaders to tackle global warming just prior to the “Climategate” affair, but became skeptical of climate change after the story broke.

The identity of the hackers has remained a mystery despite the efforts of law enforcement and journalists. It can be revealed for the first time that evidence points to the Russian city of Ekaterinburg.

Clues had been inadvertently hidden within the scientists’ emails all along. Whoever released the hacked messages put each message in a text file and used a peculiar system to name each of these files. The names were generated through Unix Time — a system that counts seconds elapsed since the first of January 1970 in UTC.

This meant that each individual file in the email bundle had a name consisting of a number: the more recent the email, the higher the figure. This ordering system was likely used out of convenience, as it allows the emails to be sorted in chronological order, making the messages easier to follow.

What the hackers failed to realize is that, along with the sender, recipient and subject line, every email they published contained the time and date it was sent, true to the UK time zone.

This image shows one example — a hacked email sent at 14:17:44. The file containing this email is named “1258053464”, which decodes to 19:17:44. It means the system clock of the hacker’s computer is 5 hours ahead of the UK.

Crucially, when Unix Time file names are decoded there is a mismatch — the system clock of the computer used to handle the hacked files was five hours ahead of the UK. This places the computer in a time zone that spans countries including Pakistan and Uzbekistan, and a strip of Russia that includes the city of Ekaterinburg. Other evidence uncovered as part of this investigation homes in on the capital of Russia’s Ural region.
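The comparison described above can be run across a whole bundle rather than a single file. The following is an added example, not code from the investigation: it parses each message's Date header, subtracts it from the Unix time in the file name, and tallies the resulting offsets. The sample messages are constructed, the `.txt` extension is assumed, and a header without a zone is assumed to be UK winter time (GMT).

```python
from collections import Counter
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages keyed by file name (".txt" extension assumed).
# Only the first file name and its 14:17:44 send time come from the article;
# the date is what that name decodes to, and every other entry is made up.
SAMPLES = {
    "1258053464.txt": "From: a@example.org\nDate: Thu, 12 Nov 2009 14:17:44 +0000\n\nbody\n",
    "1258038000.txt": "From: b@example.org\nDate: Thu, 12 Nov 2009 10:00:00 +0000\n\nbody\n",
    "1257946200.txt": "From: c@example.org\nDate: Wed, 11 Nov 2009 08:30:00\n\nbody\n",
    "1257950000.txt": "From: d@example.org\nSubject: no date header\n\nbody\n",
    "README.txt": "not an email\n",
}


def header_epoch(raw):
    """Return the Date header of a raw message as Unix seconds."""
    sent = parsedate_to_datetime(message_from_string(raw)["Date"])
    if sent.tzinfo is None:
        # Assumption: a header with no zone is UK winter time (GMT = UTC).
        sent = sent.replace(tzinfo=timezone.utc)
    return int(sent.timestamp())


def filename_offsets(samples):
    """Map each usable file to (file name as epoch - Date header) in hours."""
    offsets = {}
    for name, raw in samples.items():
        stem = name.rsplit(".", 1)[0]
        if not stem.isdigit():
            continue  # name is not a Unix timestamp
        try:
            offsets[name] = (int(stem) - header_epoch(raw)) / 3600
        except (TypeError, ValueError):
            continue  # missing or unparseable Date header
    return offsets


def dominant_offset(samples):
    """Most common offset and how many files share it, or None."""
    tally = Counter(filename_offsets(samples).values())
    return tally.most_common(1)[0] if tally else None


if __name__ == "__main__":
    print(filename_offsets(SAMPLES))
    print(dominant_offset(SAMPLES))
```

A single consistent offset across many files is what points to a clock setting; scattered offsets would instead suggest the file names were derived some other way.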

The stolen emails were released to the public in 2009 and 2011, each timed around a major climate summit. Both times, the “Climategate” hackers uploaded their findings to what were ostensibly public file sharing services that could have been used by anyone. In reality, they were obscure Russian websites with public file sharing functions.

The registration records show that the website used to release the second batch of emails in 2011 was originally registered to an employee of the Ural region Federal University in Ekaterinburg.

Left: web registration from the “climategate” site sinwt.ru. Right: web registration details of a personal website. The phone number matches and the registration also features the name of an individual associated with the Ural Federal University.

The website’s registration record was made anonymous shortly before it was used to upload the stolen emails, but it has been possible to unearth the original domain details. These include phone and email details matching an individual who has a longstanding affiliation with the Institute of Radioelectronics and Information Technology at Ural Federal University.

An internal document discovered on the Ural Federal University network confirms this connection and reveals that another individual — an academic with expertise on CO2 emissions — was issued with an email address at this suspect website.

The trove of emails contains complex academic discussion of climate science, and it is possible a scientist with a good knowledge of the subject was enlisted to select the most explosive messages for release.

A document from the Ural Federal University. It shows that a scientist with emissions expertise has used an email address provided by a suspect Climategate website.

I am not releasing the name of any individual looked at in this investigation to the public, but have shared all relevant evidence with the UK’s National Crime Agency.

Revelations that Russia carried out the theft and release of emails of the Democratic National Convention in 2016 have increased concerns over foreign influence in Western democratic processes.

This investigation highlights the scale of influence operations linked to Russia, believed by experts to use computer hacking and propaganda to bolster campaigns it sees as favorable to its national interests.

Such campaigns clearly have an effect on public opinion. Shortly before the 2009 climate summit Donald Trump signed an open letter in the New York Times calling for world leaders to take serious action on climate change. Just months later, Trump appeared to have reversed his position in the wake of the cyber-theft and publication of scientists’ emails.

He told a Fox News presenter: “the memorandum or whatever it was that they found a few months ago was devastating, by the leaders of the movement of global warming. I think that was devastating because that basically said you people are a bunch of jerks to follow us and we’re just kidding. And I really think that was the beginning.”