Could be much simpler.
The IG report is ready but it can't be released publicly without declassification because so many of the crimes are related to classified FISA activities and evidence.
I dont think Occhienero is as innocent as he says, but it seems clear he was setup.
From trendmicro-
From a purely technical viewpoint, the origins of EyePyramid’s malware and its attribution remain unclear. While the license key registered to Giulio Occhionero’s name can be considered as strong evidence, it is unclear why a malware author would bother using (simple yet not so trivial) mechanisms to cover their traces (e.g., obfuscation, packing, encryption, disabling security tools), and then mistakenly embed the license key under his name in all of the main variants. Moreover, an analysis of the domain-to-IP historical data of the domain names listed in the court order reveals domains named “occhionero.com” and “occhionero.info,” which is again another oddity.
Read the whole thing.
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/
Shills here are trying to discredit the evidence presented by associations with the coalition.
Be smarter than that.
The timing and interplay of Occhionero and Crossfire Hurricane events and people is enough to draw suspicion.
It cant all be coincidental.