Millions of US military emails have been misdirected to Mali through a “typo leak” that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers.

Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses.

The problem was first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali’s country domain.

Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages — almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: “This risk is real and could be exploited by adversaries of the US.”

One misdirected email included the travel itinerary of General James McConville, the US army’s chief of staff, and his delegation as they prepared for a trip to Indonesia earlier this year

Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to gather the misdirected emails. The Malian government did not respond to requests for comment.

Zuurbier, managing director of Amsterdam-based Mali Dili, has approached US officials repeatedly, including through a defence attaché in Mali, a senior adviser to the US national cyber security service, and even White House officials.

Much of the email flow is spam and none is marked as classified. But some messages contain highly sensitive data on serving US military personnel, contractors and their families.

Their contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.

Mike Rogers, a retired American admiral who used to run the National Security Agency and the US Army’s Cyber Command, said: “If you have this kind of sustained access, you can generate intelligence even just from unclassified information.”

“This is not uncommon,” he added. “It’s not out of the norm that people make mistakes but the question is the scale, the duration and the sensitivity of the information.”

One misdirected email this year included the travel plans for General James McConville, the chief of staff of the US army, and his delegation for a then-forthcoming visit to Indonesia in May.

The email included a full list of room numbers, the itinerary for McConville and 20 others, as well as details of the collection of McConville’s room key at the Grand Hyatt Jakarta, where he received a VIP upgrade to a grand suite.

Rogers warned the transfer of control to Mali posed a significant problem. “It’s one thing when you are dealing with a domain administrator who is trying, even unsuccessfully, to articulate the concern,” said Rogers. “It’s another when it’s a foreign government that . . . sees it as an advantage that they can use.”

Lt. Cmdr Tim Gorman, a spokesman for the Pentagon, said the Department of Defense “is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously”.

He said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.

When Zuurbier — who has managed similar operations for Tokelau, the Central African Republic, Gabon and Equatorial Guinea — took on the Mali country code in 2013, he rapidly noticed requests for domains such as and, which did not exist. Suspecting this was actually email, he set up a system to catch any such correspondence, which was rapidly overwhelmed and stopped collecting messages.

Zuurbier says that, after realising what was happening and taking legal advice, he made repeated attempts to alert the US authorities. He told the Financial Times that he gave his wife a copy of the legal advice “just in case the black helicopters landed in my backyard”.

His efforts to raise the alarm included joining a trade mission from the Netherlands in 2014 to enlist the help of Dutch diplomats. In 2015, he made a further effort to alert the US authorities, to no avail. Zuurbier began collecting misaddressed email once again this year in a final bid to alert the Pentagon.

The flow of data shows some systematic sources of leakage. Travel agents working for the military routinely misspell emails. Staff sending emails between their own accounts are also a problem.

One FBI agent with a naval role sought to forward six messages to their military email — and accidentally dispatched them to Mali. One included an urgent Turkish diplomatic letter to the US state department about possible operations by the militant Kurdistan Workers’ party (PKK) against Turkish interests in the US.

Visual of email with header stating that it’s from Turkish embassy and quote about PKK planning to ‘block, disturb and occupy’ branches of Turkish Airlines in the US
One FBI agent regularly mistyped their own email when forwarding notes, including an alert from the Turkish embassy in Washington on potential activities by a designated terrorist group

The same person also forwarded a series of briefings on domestic US terrorism marked “For Official Use Only” and a global counter-terrorism assessment headlined “Not Releasable to the Public or Foreign Governments”. A “sensitive” briefing on efforts by Iran’s Islamic Revolutionary Guards Corps to use Iranian students and the Telegram messaging app to conduct espionage in the US was also included.

Gorman told the FT: “While it is not possible to implement technical controls preventing the use of personal email accounts for government business, the department continues to provide direction and training to DoD personnel.”

About a dozen people mistakenly requested recovery passwords for an intelligence community system to be sent to Mali. Others sent the passwords needed to access documents hosted on the Department of Defence’s secure access file exchange. The FT did not attempt to use the passwords.

Many emails are from private contractors working with the US military. Twenty routine updates from defence contractor General Dynamics related to the production of grenade training cartridges to the army.

Some emails contain passport numbers sent by the state department’s special issuances agency, an entity that issues documents to diplomats and others travelling on official business for the US.

The Dutch army uses the domain, a keystroke away from There are more than a dozen emails from serving Dutch personnel that included discussions with Italian counterparts about an ammunition pick-up in Italy and detailed exchanges on Dutch Apache helicopters crews in the US.

Others included discussions of future military procurement options and a complaint about a Dutch Apache unit’s potential vulnerability to cyber attack.

The Dutch ministry of defence did not respond to a request for comment.

Eight emails from the Australian Department of Defence, intended for US recipients, went astray. Those included a presentation about corrosion problems affecting Australian F-35s and an artillery manual “carried by command post officers for each battery”.

The Australian defence ministry said it does “not comment on security matters”.


To Get The Latest News Update

Sign up to Our Subscription.

We don’t spam! Read our privacy policy for more info.

To Get The Latest News Update

Sign up to Our Subscription.

We don’t spam! Read our privacy policy for more info.

Leave a Reply

Your email address will not be published. Required fields are marked *