“Hi,” the email from Google began, before turning more ominous. “Someone just used your password to try to sign in to your Google Account.” Change your password immediately, it urged, by clicking here. But the email wasn’t actually from Google, and it wasn’t sent randomly. It was from hackers connected to Russia who were targeting Hillary Clinton’s presidential campaign.

What eventually emerged from the successful hack – thousands of embarrassing emails from campaign chairman John Podesta and others – was widely reported in the summer and fall of 2016. But the anatomy of how that hack occurred had never been revealed, until now. That investigative story, by Raphael Satter, Justin Myers, Jeff Donn and Chad Day, and a companion piece about wider Russian efforts targeting an array of Kremlin opponents, is this week’s Beat of the Week.

A portion of a phishing email sent to a Hillary Clinton campaign official on March 19, 2016. The email address of the recipient has been redacted to protect the user's privacy.

AP Photo

The AP determined that the phishing attempts began on March 10, 2016 and were initially aimed at former Clinton staffers whose old addresses were still kicking around the web. All but one hit a defunct email address and bounced back to the senders. But the one that made it through got a click, and that opened the door just enough for the digital thieves to get to work. They eventually found the email address of Podesta. And when an authentic-looking phishing email came his way, he clicked – and exposed a gold mine of 50,000 emails to the Russians.

A two-month investigation by a team of AP reporters across the globe, led by International Investigations Editor Trish Wilson, reconstructed how and when the digital break-ins occurred. The reporting began with basic source work by Paris-based investigative reporter Raphael Satter. A source on his cybersecurity beat pointed him to a firm called Secureworks, which was holding a list of some 19,000 malicious links created by a group called Fancy Bear that U.S. intelligence says has ties to the Russian government. Among the revelations: Almost without exception, the phishing emails were sent during the work day – Moscow time.

Satter reached out and asked if the company would share the list, invoking the AP’s reputation for fairness and sensitivity. He forwarded the company a story he and another reporter had written previously to show Secureworks how responsible the AP is about protecting personal data. The company was persuaded, and soon after, Satter had the list.

But then what? What Satter showed Wilson, his editor, was a mess of thousands of unknown email addresses. Wilson recruited other reporters to harness the full reach of the AP’s investigative resources. The reporters and data journalists mapped out a strategy for organizing and verifying the email addresses, eventually identifying roughly 2,300 people. They then spent weeks trying to verify the emails and contacting their owners. What emerged were two distinctive stories: one about the forensics of the attack on Clinton’s inner circle, and one about the broader attack on opponents of the Russian government. Targets included opposition leaders, top U.S. diplomats and military leaders, even members of the Moscow-based punk band Pussy Riot.

“It was a classic investigation,” Wilson said. Satter had obtained the list in August. Aware that other journalists had peeked at the email list, the AP team pushed hard, finishing the background analysis, reporting, writing and detailed, line-by-line fact-checking in a little over two months. U.S.-based investigative reporters Jeff Donn and Chad Day conducted interviews with Democrats while data journalist Justin Myers in Chicago crunched the numbers to show who was targeted where and when. The final package included an animation that laid out how Podesta had been hacked and a video that took viewers to an obscure Romanian hosting company where one of the hackers’ leak sites was based.

All major media outlets have been reporting on Russia’s attempt to sway voters via social media and the investigation into whether it colluded with the Trump campaign. But only one – the AP – traced the digital footprints that led from the Clinton campaign email accounts back to Moscow. For their work, Raphael Satter, Justin Myers, Jeff Donn and Chad Day share this week’s $500 Beat of the Week prize.