A bimonthly magazine on international affairs, edited in Germany's capital

Lessons of #MacronLeaks


The attempt to meddle with the French presidential election of 2017 failed. Still, it’s vital to learn the right lessons. Future disinformation campaigns will be ever more sophisticated.

© REUTERS/Pascal Rossignol

Amongst a flurry of election interference attempts in recent years, one case stands out: the 2017 French presidential election—most notably because it failed. The coordinated attempt to undermine Emmanuel Macron’s candidacy involved a disinformation campaign consisting of rumors and fake news, hacking the accounts of his campaign staff, and finally a leak two days before the final round of the presidential election. With the benefit of hindsight, it’s possible not only to examine how the campaign was thwarted but also what lessons can be learned to fight future disinformation campaigns.

The launch of the disinformation campaign against Macron coincided with his rise in the polls in January 2017. As Macron emerged as the front-runner, he became the target of more frequent, organized, and aggressive attacks from the American alt-right, the French far-right and Kremlin-linked accounts. The attempts to discredit him followed common themes, painting him as a globalist, a rich banker, a supporter of Islam and uncontrolled immigration, along with malicious comments about the age difference between him and his wife, and rumors about his sexuality.

Then came the hack. Macron’s campaign staff was targeted with a series of phishing attacks as early as December 2016. Other techniques included tabnabbing or email spoofing. In total, the professional and personal email accounts of at least five of Macron’s close colleagues were hacked. The emails and files obtained reached from March 2009 to April 24, 2017, only two weeks before the second and final round of voting in the presidential election.

The subsequent leaking of the hacked documents came on May 5, just hours before the start of a media blackout ahead of the election on May 7. The timing was deliberate as it prohibited Macron and his team from making any public statements or media appearances to address the leak. It also prevented any coverage or analysis of the documents by the traditional media.

As a result, social media, especially Twitter, became the primary arena for discussion of the leaked content. The documents were initially available on a number of file-sharing websites and first shared on Twitter by the American alt-right, which launched the hashtag #MacronLeaks. WikiLeaks then shared a link to the files. With the help of some of the same bot accounts used prior to the 2016 US presidential election, the hashtag #MacronLeaks appeared in half a million tweets within 24 hours.

No Single Actor

The leaked documents were mostly drawn from the hacked email accounts, but also included two additional folders of computer files. Because nothing incriminating was found in the original files, the hackers altered some of them. The “Macron leaks” therefore fall into the category of “tainted leaks,” where at least some of the documents are manipulated before being released. The fake messages insinuated that Macron used cocaine (“don’t forget to buy c. for the boss”) and was on the mailing list of “Vestiaire Gay,” a gay underwear brand.

Although these different elements seemed coordinated, it is actually unlikely that one single actor was behind them. Attributing the disinformation campaign is the easiest part as it was conducted overtly, mostly by the Russian state media and the American alt-right.

However, it is much more difficult to determine responsibility for the hack itself, which resulted in the theft of gigabytes of data. France has never officially pointed a finger. Many cybersecurity firms and researchers, however, identified it as a Russian intelligence operation, most probably executed by APT28, a Russian cyber espionage group often associated with the military intelligence agency GRU.

Meanwhile, the #MacronGate hashtag can be linked to an American neo-Nazi named Andrew Auernheimer. Meanwhile, William Craddick, founder of Disobedient Media and notorious for his contribution to the Pizzagate conspiracy theory that targeted the US Democratic Party during the 2016 American presidential campaign, seems to be the 4chan poster of the leaks. Thus, the most plausible scenario is a combination of Russian intelligence and American alt-right activity; however, it’s not clear to what extent they actually collaborated or if they simply worked in parallel toward the same goal.

Why It Failed

The failure of the “Macron Leaks” was due to a combination of factors. For a start, France’ political and media environment is less vulnerable than that of other countries.

First, the length of the French presidential campaign is regulated, and the election has two rounds, so it’s not always possible to predict which candidates will be in the second round. The election media environment is also more regulated in France than in the US. Paid political advertising is forbidden, while official political ads of equal duration are aired for free on national TV and radio stations during the official campaign period. The airtime allocated to politicians in broadcast media is also regulated.

The law requires media that publish opinion polls to explain how they were conducted. Publication of or commentary on any pre-election opinion poll is banned as part of a media blackout starting at midnight the day before the election until the polls close.

Second, in 2017, the French media environment was relatively robust. The Internet penetration rate was lower in France than in the US, Germany, Canada, or the United Kingdom, and social media penetration was particularly low. Furthermore, the French voters didn’t trust social networks as news source and tended to share better quality information than US voters. It must be said, however, that what was true in 2017 may no longer be true, as the yellow vests movement both revealed and boosted the growing role of “alternative” and conspiratorial media in France.

Third, the 2015 TV5Monde cyberattack had served as a wake-up call for most of the French media. And online jihadist propaganda, especially after France suffered regular terrorist attacks on its soil, contributed toward a distrust of digital platforms.

Not French Enough

There was also an element of luck involved. The attackers were poorly prepared, largely because they hadn’t anticipated Macron being in the second round. Not only was there not enough time to find dirt on him, but his relative youth meant made him unlikely to have many dark secrets or scandals to hide.

The fact that no incriminating or suspicious information was revealed even with the leak of over 21,000 emails turned to Macron’s advantage. It was in stark contrast to his rival Marine Le Pen, who was facing legal problems without being subject to anywhere near the level of transparency that the leaks brought to Macron’s campaign. Furthermore, the forged emails were so absurd that they threatened to discredit the entire leak.

Another factor was a lack of cultural understanding. Firstly, the attackers tried to spread the rumor that Macron was gay, ignoring that such a revelation was hardly scandalous in France, where the private lives of political leaders are much less of a concern than in the US. Additionally, the operation likely suffered from its overwhelmingly Anglophone nature. This reduced the capacity to spread disinformation to most French voters and may have provoked anti-American sentiments and resentment amongst a nationalist segment of the electorate, which might have been more receptive to such messaging if it had been in French.

Don’t Copy Obama

Learning the lessons of the failure of the “Macron Leaks” may help in the battle against similar disinformation campaigns. For one thing, France benefited from knowing about previous election cyberattacks and disinformation campaigns, most notably the 2016 US presidential campaign. The French authorities were alert to the threat and cooperated with US authorities to learn from their experience.

The Obama administration did not intervene even when it became obvious that a campaign of disinformation and cyberattacks was being conducted because it was afraid of appearing partisan (and because it was confident that Clinton would win anyway). The French example demonstrates that administrative, independent, and non-political authorities can work together to provide expertise aimed at guaranteeing the integrity of the election process. Agencies like the National Cybersecurity Agency (ANSSI) and the National Commission for the Control of the Electoral Campaign for the Presidential Election (CNCCEP) played a key role in alerting political parties to the risk of cyberattacks, and providing tools to monitor and detect suspicious activity.

There was also an important effort from journalists to counter the disinformation campaign through fact-checking initiatives. The French government sought to show resolve throughout the presidential campaign, both publicly and through diplomatic channels, insisting that France would not tolerate any foreign interference in its elections, and that it was willing to respond strongly to any such interference.

Be Vigilant

In terms of technical precautions, the French government announced the end of electronic voting for citizens abroad because of the “extremely high risk” of cyberattacks. Meanwhile, Facebook suspended nearly 70,000 fake accounts in France, responding to public and state pressure.

There was also a concerted effort by Macron’s political movement En Marche! to communicate openly about its susceptibility to hacking and about the hack when it occurred. This transparency helped raise public awareness of the issue, but it also kept Macron’s campaign team on high alert. One reason there was nothing scandalous in the leaks was the team’s vigilance: confidential information was shared on encrypted apps, and any sensitive information was discussed face-to-face, with email reserved for trivial and logistical matters.

Furthermore, the Macron campaign team created false email accounts and documents in anticipation of a hack, helping to damage the leak’s credibility. Macron’s campaign staff remained focused on promoting his political platform, but it also responded quickly to posts and comments that spread disinformation online, in certain situations using humor and irony. Since the leaked documents didn’t reveal anything illegal or even particularly interesting, they only improved Macron’s image as a “clean” and scandal-free candidate.

The legal system was also vigilant. The public prosecutor’s office in Paris opened an investigation into the leaks within hours of their release.

Meanwhile, Macron’s team denied accreditation to RT and Sputnik during the final stages of the campaign. This decision was justified on the basis that they were propaganda outlets and not legitimate media outlets. The rest of the media acted responsibly, they cooperated when the CNCCEP called for the media to refrain from covering the leaks and the disinformation disseminated on social media.

Push Your Own Story

There were also international efforts to quickly analyze and publicize what was happening. Within hours of the initial dump, several analyses, for example from the UK’s Ben Nimmo, helped steer the international media conversation. As a result, the main story wasn’t about the content of the leaks, but about the implication of the American alt-right in some kind of influence operation against the French election. Thus a handful of open-source researchers helped to derail the attackers’ narrative.

The main lesson here, according to Nimmo, is that this is less about information warfare than “narrative warfare.” In Nimmo words, “we have the facts,” but “they have the stories.” To counteract this, it’s important to push other stories and deconstruct theirs.

Furthermore, it’s vital to encourage and develop international civil society initiatives that scan the web on a permanent basis—and not just during election periods—searching for trolls, bots, and disinformation actors, and exposing their identities, methods, and networks.

The Next Campaign Will Be Worse

Despite its success fending off the “Macron Leaks,” France should not rest on its laurels.

First, information manipulation is a daily threat, not one that reemerges every two years or so. The measures taken should certainly not be limited to electoral periods. Recent examples of disinformation campaigns associated with the yellow vests movement are useful reminders that France’s adversaries will use any opportunity, anytime, to divide and spread doubt, confusion and conspiracies.

Second, Macron was facing Le Pen, someone most voters are still not prepared to support. He consistently polled at 20 to 25 percentage points higher than she did, and he logically won by a huge margin. But the French political landscape may evolve. In the 2022 election, if Macron faces a more socially acceptable far-right candidate, the margin could be much smaller, which could make such an operation decisive.

Third, the threat will only grow. France’s adversaries will learn from their mistakes. They will adapt, improve, and professionalize their techniques, tailor their approach, and find new methods and targets. With technological developments and the rise of Artificial intelligence, manipulations will become more sophisticated. Improvements in voice and video editing will make detecting misinformation all but impossible, eroding public trust. It is important to be aware of all these challenges and prepare accordingly.

* This article is based on the report The Macron Leaks Operation: A Post-Mortem (Atlantic Council/IRSEM).