Editor and fact-checker Ilya Behr analyzed in detail the situation surrounding whether Pentagon chief Pete Hegseth really has a Russian email.
Behr shared his findings on his Facebook page.
The fact checker stated that they found sources online that included this address not only alone, but with a password that "in terms of content" matches Hegset. And several people wrote to Ber that there was a mistake in that.
"And then the analysis of "Medusa" was also published, in which nothing is strictly stated, but the author makes it clear that he considers the email phegseth@mail ru to be the real email address that was once created by the then-ordinary American junior officer Hegseth. I am publishing part 3 of the analysis "Verified", in which we analyze, in particular, the arguments of "Medusa", and also conduct some experiments," said Behr.
But he noticed that the sources have several emails on different domains with the username phegseth and the same password. The Gmail account is definitely real, says Behr. So why might there be doubts about Mail ru?
"Users X are publishing screenshots from databases with various sources, where the same password (mls71881) is tied to five email addresses: phegseth@alumni pphegseth@alumni princeton edu, [email protected], phegseth@gmail com, phegseth@mail ru and phegseth@yahoo co uk. The first of them is the mailbox of a Princeton University graduate (Gegseth graduated from it in 2003), the second is apparently a "broken" version of the first, with a missing dot in front of the edu domain name, the third is an email that clearly belongs to Gegseth, he indicated it in his articles for the National Review. The fourth first appeared in the 2016 Exploit In leak, the fifth in the 2019 Collection #1 leak.
At the same time, there is a huge difference between the Gmail address and the addresses on Mail ru and Yahoo. Judging by the results of their analysis using OSINT Industries and other tools, the current Pentagon chief's profiles in various social networks and services - from Google Maps to running applications - are linked to the address phegseth@gmail com. As we wrote earlier, only a record on the Warrior Forum is linked to the address phegseth@mail ru, and phegseth@yahoo co uk is completely "naked", it is mentioned only in the source itself," the editor argues.
And then he gives a field of probability estimates. Behr claims that most likely the password mls71881 was actually used at some point for the mailbox phegseth@alumni princeton edu and/or phegseth@gmail com and it was in connection with one of them (or both) that it was leaked at one time. However, along with the real data, experts suggest that non-existent pairs of addresses and passwords can be added to such databases.
"The compilers of such databases are guided by two observations: firstly, the same person often registers the same mailboxes on different email services, and secondly, they use the same password. Due to the generation of additional pairs, on the one hand, the volume of the leak (and, accordingly, its price on the black market) increases manifold, on the other hand, the cracked password can really fit some of the "hypothetical" addresses. This is exactly what the compilers of the Exploit In leak could have done - they assumed the existence of the mailbox phegseth@mail ru and substituted it with a password that was previously used for phegseth@alumni princeton edu and/or phegseth@gmail com," the fact-checker states.
At the same time, it also speaks of the opposite situation: the attacker entered the real email address into the database, but did not gain access to the password and falsified it. For example, the same Exploit In leak revealed the personal emails of two "Verified" employees, but the passwords to these mailboxes listed in the compilation were never used by their owners.
"So there was no such address on Mail ru? On March 27, pro-Kremlin blogger Timofey Vi, who calls himself an "expert in combating disinformation," said on the social network X that he had managed to register the mailbox phegseth@mail ru. And he emphasized that "you cannot create a mailbox on Mail ru with a user nickname that has already been deleted." On this basis, Vi criticizes those who believed that the account he registered belonged to Hegseth, and publishes screenshots of the letters that come there," Ber adds.
Along with that, he says that it is theoretically possible that Vi was able to register the address [email protected] not because it was always free, but because Gegseth started it and deleted it no later than 2010. However, such a scenario, the editor suggests, seems unlikely.
"How is it possible that there are traces of an email, but it itself might not have existed? From 2019 to 2025, the address phegseth@mail ru was included in at least nine more compilations with leaks. Although, most likely, this is just the result of copying, if the email is available in several databases at once, it would be logical to assume that it was used and that some noticeable trace of it should remain. As we wrote above, the real account of Hegseth on Gmail has a huge one, and the probable one on Mail ru has a tiny one, this is a registration on the Warrior Forum," explains Behr.
Meanwhile, of the five addresses with the username phegseth found in the leaks, three are registered accounts on the Warrior Forum (including the "hacked" phegseth@alumni princetonedu). The exceptions are a real Gmail account and a Yahoo account, which is not in the Exploit In leak.
"And yet passwords. One password for five emails with the nickname phegseth, isn't that proof? Together with other facts, it's pretty weak. Internet users suggest that the password mls71881 is the initials of Hegseth's first wife, Meredith Lee Schwartz, and her date of birth (written in the American tradition, where the month comes before the day). Schwartz filed for divorce in 2008 after the future Secretary of Defense admitted to infidelity. Of course, we can assume that Hegseth had opened Gmail, Mail ru, and Yahoo accounts before that and used the same password in all three cases, but it's much more likely that it (to the exact real and probable addresses) was already substituted by the compilers of the Exploit In leak. And they got this password, perhaps by hacking Hegseth's mail on the Princeton University server, where he entered after graduating from the same school as his future wife Schwartz. As we and "We warned above, in this case we operate on probabilities," Ber commented.
And also summarized his analysis. So, in real life, one of two scenarios is possible:
1) An American officer named Hegset, who had no known ties to Russia, had an email account with a Russian provider by 2010 (there would be nothing wrong with him if he had, but why??), never used it anywhere except for one website, and then for some reason deleted it by 2010. Have you ever deleted your personal (non-work) mailbox yourself? I think few people here would answer in the affirmative. This is obviously a fairly rare user scenario, but it is entirely possible.
The only site on the Internet where Gegset used phegseth@mail ru to register was a little-known Internet forum dedicated to marketing. At the same time, Gegset registered not one account there, but 3 at once, one of them at the address [email protected], which in principle could not exist, because there is no dot in front of the edu domain. Needless to say, there is no message from at least one of these three accounts on the forum?
2. Some anonymous hackers who once hacked the Princeton University website obtained a real pair of Hegset's mailbox name and password. Then, in order to artificially inflate the leak for the sake of sale, they "supplemented" it with automatically generated pairs consisting of the same name and password in conjunction with popular email services. The fact that mail ru was substituted indicates, most likely, that this was done by Russian-speaking hackers who were going to sell the database mainly to Russian-speaking customers.
"At some point, these same or other hackers raided the Warrior forum, making hundreds of thousands of automatic registrations there, taking advantage of a security hole in the site, namely the lack of email address verification (proven!) for some of their own hacker goals. Theoretically, both scenarios are possible. But practically, I am sure that the first scenario in real life is so unlikely that it is not worth considering it seriously," the fact-checker summarized.
As a reminder, journalists found personal contact details of some US national security officials online. Among other things, a "Russian tail" was noticed behind Pentagon chief Pete Hegseth in the form of mail from the mail.ru domain.