Exclusive: An intel analyst tried to prevent the Jan. 6 attack — but DHS failed to act

  • Oops!
    Something went wrong.
    Please try again later.
Throngs of Trump supporters gather outside the Capitol in Washington, D.C., on Jan. 6, 2021.
Trump supporters outside the U.S. Capitol on Jan. 6, 2021. (Tayfun Coskun/Anadolu Agency via Getty Images)

On Dec. 20, 2020, a 21-year-old intelligence analyst went online to search for local Washington, D.C., fishing holes and stumbled upon the blueprint of a plot to storm the Capitol and execute members of Congress and law enforcement officers to prevent the certification of electoral votes to make Joe Biden the next president.

The domestic terrorism analyst with the Department of Homeland Security saw a link to a website where people “actively at that moment were discussing the commission of acts of terroristic violence and the violent overthrow of the government of the United States,” according to the analyst’s written account later provided to investigators.

There the analyst “witnessed upwards of 500 pages worth of potential threats to national security,” including people urging others — and discussing how — to smuggle illegal weapons into the nation’s capital and avoid detection by law enforcement. The DHS intelligence analyst also saw “discussion references of overthrowing the US Government by force/sparking a second civil war, and veiled credible threats of violence toward other US persons who were perceived enemies, specifically Members of Congress and other federal employees.”

“Like so many Americans l watched the events of January 6th, 2021 transpire — shocked, scared, and horrified; but for me there was a deeper connection to the event, I was one of the DHS intelligence officials charged with trying to prevent that day’s violence,” the intelligence analyst wrote in a four-page letter provided to inspector general investigators. Yahoo News obtained a copy of this letter and the unredacted version of the final inspector general investigative report documenting this analyst’s efforts and dozens of credible threats that DHS saw, but did not act on, at the time.

What started as a literal fishing expedition turned into a failed 16-day effort to sound the alarm and push the various parts of the DHS intelligence apparatus into action. The office created in the wake of 9/11 to share intelligence more broadly and prevent another catastrophic attack failed to share its intelligence ahead of the Jan. 6 U.S. Capitol riot.

Over those 16 days, this analyst and others inside DHS’s Office of Intelligence and Analysis saw the plot unfold in excruciating detail. They watched as maps of the Capitol access tunnels were circulated online, along with tactical information about how to smuggle illegal weapons into D.C. and which radio frequencies to use for communication during the attack. They saw threats to members of Congress and local D.C. and Capitol police, and operational plans for the attack. They saw online posts by people who said they had put their last will and testament in order and told their children they were going to Washington, D.C., to defend the country and were willing, and expecting, to die for their cause.

On Jan. 6, 2021, a mob of President Donald Trump’s supporters as well as white supremacists, Proud Boys, Oath Keepers, militia and other violent extremists stormed the Capitol in an attempt to stop Congress from certifying Biden’s win in the presidential election. The attack left more than 100 police officers injured and is tied to at least nine deaths, including suicides, and over 880 indictments have been issued, according to a recent Senate report on DHS and FBI domestic counterterrorism failures.

Yahoo News obtained the unredacted copy of a March 2022 DHS Office of Inspector General report and underlying materials, including the four-page letter written by the intelligence analyst who did everything possible to warn of the impending attack.

Yahoo News is withholding the name of the analyst after DHS expressed concerns about the analyst’s personal safety.

It’s unclear how many, or if any, of the people DHS tracked but did not report were directly involved in the attack, but the methods and tactics discussed online match up with those used on Jan. 6. For example, the inspector general report says that in a Dec. 29 post “on a forum with over 5,000 likes and over 250 comments,” one user suggests bringing “hooks and ropes for taking down fencing” and breaching the Capitol complex.

Either way, the threats clearly fell under DHS’s obligation to alert other law enforcement agencies.

DHS’s duty to warn

A Capitol Police officer standing in a doorway on the Senate side of the Capitol building.
A Capitol Police officer on the Senate side of the Capitol building in June. (Tom Williams/CQ-Roll Call, Inc via Getty Images)

DHS’s Office of Intelligence and Analysis is the sole intelligence agency in the U.S. government charged by law with sharing emerging threat information with its vast network of federal, state, local and tribal partners across the country. This is referred to as its duty to warn.

And yet, in the weeks leading up to Jan. 6, this arm of DHS produced no warnings, no bulletins and no alerts or other reports on threats it was seeing, documents obtained by Yahoo News show.

If it had, this could have impacted police posture at the Capitol, or freed up or activated more resources to better prepare for that day. But DHS’s intelligence office shared no information about potential threats, the inspector general report says.

The Capitol Police declined to speak to Yahoo News specifically about what information or warnings it did or did not receive from DHS but said via email: “Our Department has already improved the way we share and receive intelligence with law enforcement and intelligence partners as well as the way we disseminate that information with our own team.”

Inside DHS, the young analyst led the charge to activate the mechanism put in place to share critical intelligence among agencies. That person's attempts to sound the alarm were shut down, delayed or flat-out rejected at every turn, according to the analyst’s written account provided to inspector general investigators and an unredacted version of that final investigative report and other materials obtained by Yahoo News.

These systematic failures in the run-up to Jan. 6, 2021, raise questions about DHS’s ability to fulfill its core mission and about the future of its Office of Intelligence and Analysis, now helmed by Undersecretary Ken Wainstein. He testified Tuesday morning before the House Homeland Security Committee, his first public hearing since being confirmed by the Senate in June. (On Nov. 30, Wainstein testified before the Senate in a classified hearing.)

Wainstein is a longtime national security professional who was brought in to improve workplace morale and to steady and focus an embattled office with a history of manipulating intelligence and abusing its sweeping authorities over the American public.

While the failures of the Capitol Police ahead of Jan. 6 have been widely publicized through the department’s internal probes and the work of the House select committee investigating the Capitol riot, there has been no similar detailed accounting of DHS’s actions.

DHS and its Office of Intelligence and Analysis declined Yahoo News’ repeated requests for comment about the unredacted inspector general report and actions and inactions described in the intelligence analyst’s written account.

“We applaud the public servants at DHS’s Office of Intelligence & Analysis and across the federal government who worked to collect and share information leading up to the January 6 attack. DHS will continue to regularly share information with federal, state, local, tribal, territorial, and private sector partners to ensure the safety and security of all communities across the country,” a DHS spokesman told Yahoo News via email.

“Under the leadership of Secretary [Alejandro] Mayorkas, the Department of Homeland Security (DHS) has renewed its commitment to sharing timely and actionable intelligence and information with the public and our partners across every level of government, in the private sector, and local communities.”

DHS analyst flags plans to attack Capitol

An image of a tweet by former President Donald Trump is displayed during a House select committee hearing on June 9.
An image of a tweet by former President Donald Trump is displayed during a House select committee hearing on June 9. (Andrew Harnik/AP)

The young analyst’s story began on Dec. 20, 2020, with a search on Reddit for local fishing spots that uncovered the blueprints of a plot to overthrow the government. The day before, Trump had tweeted, “Statistically impossible to have lost the 2020 Election. Big protest in D.C. on January 6th. Be there, will be wild!”

This was perceived by some as a call to arms. The analyst soon found links to online forums, including Parler, and saw the beginnings of a plot to violently storm the Capitol on Jan. 6 to stop the electoral votes from being certified and prevent Biden from becoming president.

The next day, on Dec. 21, the analyst showed these findings to a senior member of the Counterterrorism Mission Center. This supervisor called these threats to attack the Capitol “a good find” and expressed interest in getting more information. The analyst was told to send an official Request for Information to the open source collection office, also part of DHS’s Office of Intelligence and Analysis. Do this “as soon as possible” and “mark it URGENT,” the manager said.

This tasking was essentially a way to turn what the analyst saw online into official government reporting that could be sent out to law enforcement partners in raw intelligence reports that could be used to produce broader intelligence assessments to warn local, state and federal agencies about an emerging threat.

The analyst’s Request for Information lists the Capitol Police, the FBI, the ATF, the Secret Service and all local D.C. agencies as the intended recipients of this information. “This matter is time sensitive/urgent as if material is found, federal and state, local partners will need to be informed quickly so contingency plans can be made for any planned events,” the request noted, adding that the information would no longer be useful after Jan. 6.

This tasked open source collectors with searching for posts on social media and other public websites for potential threats of violence, calls for attacks by domestic extremist groups and talk of smuggling illegal weapons into and other threats to the Capitol on Jan. 6.

These warnings would then make other agencies aware of the threats, or give more weight to their own intelligence, and would likely prompt an adjustment of posture, impacting what resources and people were deployed where. They could also prompt agencies to ask law enforcement nearby to be on standby to assist.

The analyst checked back on the request the next day with the collections manager, who said no further action should be taken until the open source collectors produced the requested raw intelligence reports. A new process for submitting these requests delayed it an entire week, and during that time the analyst continued to track the threat and sound the alarm.

“We needed one of these reports or other government reporting to produce an accurate and unbiased report of the threat environment that would be used to fulfill our duty to warn and hopefully prevent any potential attack,” the intelligence analyst later explained in a written account.

Every day, multiple times a day between Dec. 29 and Jan. 4, the analyst sounded the alarm on the urgent need for reporting that could be used to warn other agencies.

Among the online posts, which were included in the inspector general report, were calls for people to bring weapons to D.C. on Jan. 6. “Bring your gun,” one post from Jan. 4, 2021, said. “It’s just gonna be another protest if you don’t, and you’ll watch Biden slide into the white house.” The report also included Jan. 2 posts from about 12 people who said they had told their families goodbye because they were willing to “die for the cause.”

By Jan. 5, the open source collection office still had not produced any reports or issued any warning on anything it had found, preventing the counterterrorism analyst and the entire mission center from warning agencies in D.C. of the threats they were seeing online. The analyst was tasked with producing a briefing that could quickly be turned into an intelligence product and sent out to warn Capitol Police and others in D.C.

“The threat assessment l drafted showed that all but one indicator of violence was [present] and there was an exceedingly high likelihood that mass violence would occur,” the analyst wrote in the account.

But the order to produce that intelligence product to send out to partner agencies never came.

“On the morning of January 6th, 2021,” the analyst wrote, “I made one more phone call begging for us to be given the intelligence reporting that we needed desperately which could have been used to inform those on the ground of the full kinetic threat and allow for threat postures of US Capitol Police to be adjusted, I was told they would have reporting for me soon; the reporting did not publish till after the attack on the US Capitol was already well underway and too late to effect tactical law enforcement operations on the ground.”

When approached by Yahoo News, this intelligence analyst could not comment on intelligence activities.

“I am even more appalled at what occurred that fateful day as I was on the tip of the United States Government’s spear attempting to stop the attack by domestic violent extremists,” the analyst wrote. “Unfortunately, despite my best & most valiant efforts in trying to disrupt the attack via strategic intelligence … my actions were not enough.”

The DHS OIG report

The unredacted DHS inspector general report from March 4, 2022, investigating the agency’s actions before Jan. 6 determined that the open source collection office failed to produce a single report in response to the request for information on threats submitted by the intelligence analyst.

The analyst’s letter that was provided to the investigators, and much of that person's account, reveals the extent of the threats the office was seeing online in the week before the attack. But despite seeing these threats, no reports were ever produced. The office brought the entire intelligence-sharing apparatus to a standstill.

Inside the open source collection office, internal communications seemed to show confusion and hesitancy from staffers to produce the reports requested because of a lack of training, ever-shifting guidelines or too high or unclear a reporting threshold — even as those who worked there became increasingly convinced an attack would take place.

The open source collectors found multiple threats when tasked with the counterterrorism analyst’s request for information. They found the posts concerning but for various reasons did not produce the raw intelligence reports the analyst desperately needed in order to send out warnings about the likely attack. In group chats, open source collectors discussed their findings.

A message from Jan. 1, 2021, states: “Also I found a map of all the exits and entrances to the capitol building. I feel like people are actually going to try and hurt politicians. Jan 6 is gonna be crazy.”

Another from Jan. 3, 2021, said, “I mean people are talking about storming Congress, bringing guns, willing to die for the cause, hanging politicians with ropes but still not meeting threshold lol.”

There were dozens of threats identified but not shared or reported during this time. The inspector general report said inexperienced and poorly trained collectors lacked an understanding of what could be reported under the guidelines in place at the time. The report also cited a lack of understanding about the domestic terrorism landscape and the behavior and language associated with various groups, including the Proud Boys.

In one instance, a collector had drafted a report — in response to the analyst’s initial request — about a person who claimed to be heading to D.C. from North Dakota with enough ammo to win a small war. The post included a phrase associated with the Proud Boys, but open source collectors did not have knowledge of such domestic terrorism groups, so they were unable to determine if posts like this met the guidelines for what they could report. When the same person posted again on Jan. 5, saying they’d arrived in D.C. and were scouting locations for where to smuggle weapons into the city, the collectors were still unsure if it could be reported.

Emails from the DHS intelligence law division overseeing its intelligence operations at the time repeatedly told then-source collectors that they could compile reports on threats associated with the Proud Boys, a known threat actor, and also on discussions to evade detection and smuggle illegal weapons into D.C. for Jan. 6. Still, the report was not published. This delayed a report on Proud Boys associates discussing how to evade law enforcement and smuggle weapons into Washington for the attack. This was finally published on Jan. 8 — two days after the attack.

Trump supporters clash with police and security forces as they storm the Capitol on Jan. 6, 2021.
Trump supporters clash with police and security forces as they storm the Capitol on Jan. 6, 2021. (Roberto Schmidt/AFP via Getty Images)

The inspector general report also found that backlash to the reports this same office had produced on protesters, journalists and others related to the 2020 protests in Portland, Ore., led to hesitancy about what to report, even when told by its lawyers that certain threats fell within the newly changed guidelines on what to collect. In October, citing an internal DHS review, the Associated Press reported that DHS officials in the Trump administration had compiled intelligence dossiers on the people who were arrested during Black Lives Matter protests in Oregon.

When the Trump official leading that manipulation of intelligence for political purposes was removed from his post at DHS’s Office of Intelligence and Analysis, new guidelines were established to prevent that kind of domestic intelligence collection. The new protocol required that something or someone had to be deemed a “true threat.”

The new “true threat” threshold for election-related products in the wake of Portland was nearly impossible to meet — or at least that’s what those looking on social media and other websites for threat information related to Jan. 6 believed at the time.

In other instances, reports were drafted but then held or ultimately killed, according to the inspector general report. Others told investigators they simply did not believe it was possible to “storm the Capitol,” so they dismissed those threats as hyperbole.

The inspector general probe was narrowly focused. It evaluated the Office of Intelligence and Analysis’s responsibility for providing intel to state and local officials in advance of Jan. 6. It also reviewed whether the office warned law enforcement about specific threats prior to the attack.

An intelligence failure

The account of the young intelligence analyst exposes broader institutional failures across the department and reveals the deeply flawed intelligence collection guidelines in place at that time.

It also raises additional questions about whether infrastructure created in the wake of 9/11 is equipped to prevent threats coming from inside the U.S., where intelligence collection is much more complex and more tightly governed, largely because of the First Amendment.

“Our nation’s counterterrorism capabilities were designed to prevent attacks such as that experienced on Sept. 11, 2001,” said John Cohen, former DHS undersecretary at the Office of Intelligence and Analysis. “The problem is that terrorism threat facing the U.S. today has evolved and is very different than the one faced on 9/11. The events at the Capitol on Jan. 6 are an illustration of that fact.”

Cohen, who ran the intelligence office immediately after Jan. 6, told Yahoo News that the lead-up to that day was “not just an intelligence failure, but it also represented a failure to take intelligence and take steps operationally to protect against the threat.”

Cohen said there are two major lessons from Jan. 6. “One, we need to look at intelligence differently,” he said. Critical intelligence about emerging threats may be publicly available and not require sensitive collection. And the second lesson is: We have to be more effective in using that intelligence to inform operational planning. Neither occurred on Jan. 6, and how well we will do that in the future is still unclear."

Steps were taken to improve the training, leadership and legal guidance to analysts and collectors so they could more effectively gather intelligence while at the same time protecting civil rights and civil liberties, Cohen said. “But only time will tell if that work will be institutionalized to a sufficient degree to protect the nation.”