They are words that could strike fear into the heart of a CISO, Chief Risk Officer, or corporate counsel.
Not to mention military leadership.
A Nuclear Engineer for the U.S. Navy, appearing in court today, wrote the following in a recent email:
“I was extremely careful to gather the files I possess slowly and naturally in the routine of my job, so nobody would suspect my plan.
We received training on warning signs to spot insider threats. We made very sure not to display even a single one.
I do not believe any of my former colleagues would suspect me, if there is a future investigation.”
What he did not know is that an investigation was already underway and he was the focus of it.
Navy insider threat case revealed in court documents
SecureWorld News just analyzed dozens of pages of court documents to understand this story of the Naval Engineer—an insider—who is accused of going rogue in a high-tech and high-stakes operation.
The tools involved digital media, encrypted communication, cryptocurrency, and secret data handoffs.
According to emails we have viewed, the suspect in this case was selling a variety of restricted military intelligence with the goal of making $5 million in cryptocurrency.
Could your organization have an insider threat attempting to use these same methods and technologies? It is something to consider as we explore what happened here.
Navy insider threat: the nuclear engineer with data to sell
Jonathan Toebbe is 42 years old and lives in Maryland.
He is a government employee working as a Nuclear Engineer in the United States Navy.
At the time of his arrest on October 9, 2021, he held two active Top Secret security clearances: one through the Department of Defense and another through the United States Department of Energy (DOE).
This is to say, he knows things most of us do not.
In particular, he knows details of what powers the Virginia-class of submarines. These are expensive and technologically advanced nuclear-powered cruise-missile, fast-attack subs, on which the U.S. military relies.
Court documents accuse Toebbe of stealing data on these subs and nuclear propulsion programs, then attempting to sell thousands of documents, schematics, and charts to a foreign government.
Here is how his insider threat scheme allegedly worked, and how it fell apart without him knowing it until the FBI swooped in to arrest him.
Navy insider threat case: how the scheme started
As Jonathan Toebbe said in his own words, he had been through insider threat training. He knew warning signs the government would look for.
As a result, he was both strategic and cautious. So how did he get caught?
He had to take a risky first step to get his data-for-crypto scheme going. And that step opened a hole in his operational security that gave the FBI and the Navy’s NCIS a front-row seat to what he was attempting to do.
Here is how the scheme started.
Using snail mail, he sent an anonymous note and an SD card to a foreign government address. According to investigators, he wrote the following in April 2020 as he tried to connect with a foreign nation:
“I apologize for this poor translation into your language. Please forward this letter to your military intelligence agency. I believe this information will be of great value to your nation. This is not a hoax.”
Court documents do not reveal which country he was trying to sell to.
However, the documents do explain that a contact at that foreign government turned the SD card over to the U.S. Government. By the end of 2020, the FBI was looking at it.
Readers who are into encryption will appreciate this part:
“On December 23, 2020, the FBI analyzed the encryption keys that were in the SD card sent in the original envelope. There were three keys located on the SD card: Alice Hill — Public Key, Bob Burns — Private Key, and a ProtonMail Public Key. In cryptography, Alice and Bob are commonly used as placeholders in discussions about cryptographic protocols or systems.”
In plain English, the card was locked until the anonymous seller provided a digital key to unlock it.
The FBI affidavit explains what happened next:
On December 26, 2020, the FBI initiated the first of several emails to “ALICE” on ProtonMail. The FBI utilized a ProtonMail account utilizing the pseudonym BOB.
The email stated, “We received your letter. We want to work with you. It has been many months, so we need to know you are still out there. Please respond to this message, then we will provide instruction on how to proceed.”
As you will see, the two parties involved would from this point on call themselves ALICE and BOB, based on the encryption placeholders on the very first SD card.
For several months, ALICE (really, Jonathan Toebbe) was silent. And then suddenly, this response on February 10, 2021:
“Thank you for contacting me. I am still here. The covid disease has made it more difficult to find chances to check this email. Let us discuss how to proceed.”
BOB (really, the FBI) wrote back a couple of weeks later.
“We understand the delay and hope you are well. Our experts reviewed the information you provided. We would like a sample of your [U.S. Navy] Information. We have a trusted acquaintance in your country who has a gift for you to compensate for your efforts. . .”
The FBI had proposed an in-person swap of data for cash, but ALICE was too cautious for this.
How the FBI brought the Navy’s rogue employee out of the shadows
So if “ALICE” was too worried to appear anywhere besides in the digital world, how did the FBI change his mind?
This happened through social engineering, which included a secret signal for him in Washington D.C.
But this took time. On March 5, 2021, ALICE wrote the following to BOB:
“I am uncomfortable with this arrangement. Face to face meetings are very risky for me, as I am sure you understand. I propose exchanging gifts electronically, for mutual safety. I can upload documents to a secure cloud storage account, encrypted with the key I have provided you.
You can send me a suitable gift in Monero cryptocurrency to an address I will provide. 100,000 USD should be enough to prove to me that you are not an unwelcome third party looking to make trouble for me.
When I have confirmed receipt of your gift, I will provide you the download link. We are both protected. I understand this is a large request. However, please remember I am risking my life for your benefit and I have taken the first step. Please help me trust you fully.”
Although the Navy’s Nuclear Engineer thought he was talking to a foreign government, he wanted to make sure this was not a trick. He wanted to continue doing things digitally.
He was using public WiFi at a location away from his home, along with a TOR .onion connection, to hide his real IP address. This is how he connected to ProtonMail, which provides end-to-end encryption. He felt confident continuing in this way.
This led to a series of back-and-forth emails regarding encryption, exchange logistics, and cryptocurrency. All in the name of covering up as many digital tracks as possible.
The FBI, posing as BOB, wrote:
“We understand a face to face meeting would be uncomfortable. We suggest a neutral drop location. When you visit the location alone, you retrieve a gift and leave behind the sample we request.
We hope to have a very long friendship that benefits mutually.”
On March 22, 2021, ALICE replied. He was concerned about his operational security.
“I understand your proposal to start a dead drop. I am concerned that using a dead drop location your acquaintance prepares makes me very vulnerable. If other interested parties are observing the location, I will be unable to detect them. I am not a professional and do not have a team supporting me.
I am also concerned that a physical gift would be very difficult to explain if I am questioned. For now, I must consider the possibility that you are not the person I hope you are. It would be very easy for the serial numbers of bills to be recorded. Tracking devices and other nasty surprises must be considered as well.
I propose to modify your plan in the following ways:
1. I will place the sample you requested on a memory card and place it in a drop location of my choosing…I am not a professional and I am sure that publicly available information on this subject is incomplete.
2. The samples will be encrypted using GnuPG symmetric encryption with a randomly generated passphrase.
3. I will tell you the location and how to find the card. I will also give you a Monero address. This form of gift protects both of us very well. I am very mindful of the risks of blockchain analysis of BitCoin and other cryptocurrencies and believe Monero gives both of us excellent deniability.
4. Once I confirm receipt of my gift, I will give you the passphrase.
Your acquaintance and I will never go to the same drop location twice. I will give you a new Monero address each time. The decryption key will be different each time. No patterns for third parties to observe. The only electronic footprints will be Proton to Proton, so there is less risk of encrypted traffic being collected for future analysis by third parties.”
Ironically, as he explained his hesitancy, he was laying out his insider threat best practices directly to the Federal Bureau of Investigation.
Meanwhile, the FBI was still using social engineering tactics to get the Naval Nuclear Engineer to make an in-person data drop. This took several months of convincing and trickery.
On April Fools Day 2021, the undercover FBI agent wrote:
“We understand your concern and appreciate the thoughtful plan… as a sign of good faith and trust, we hope to pay you the equivalent of 10,000 USD immediately in Monero to the address you provide.
Drop locations are safest and allow us to make exchanges without coming in contact and of course, leave no electronic footprint… Your proposed method of memory card with encryption/passphrases is acceptable.
For the small sample we requested, you will receive another $20,000 USD. Once you confirm Monero’s address we will activate payment.
Our next step will be information on drop location we have selected. This method will build trust between us for a larger transaction in future. Our experts are interested in information you have but we insist on maintaining our discretion and security as a priority.”
On April 9, ALICE wrote back that this idea of an in-person data drop was going too far when working with someone he could not yet trust:
“I am sorry to be so stubborn and untrusting, but I can not agree to go to a location of your choosing. I must consider the possibility that I am communicating with an adversary who has intercepted my first message and is attempting to expose me. Would not such an adversary want me to go to a place of his choosing, knowing that an amateur will be unlikely to detect his surveillance? If you insist on my physically delivering the package, then it must be a place of my choosing.
I ask you to consider the viability of an electronic dead drop. I can establish an encrypted online storage account without providing any identifying information and without provoking any suspicion…
Another possibility occurs to me: is there some physical signal you can make that proves your identity to me? I could plan to visit Washington D.C. over the Memorial Day weekend. I would just be another tourist in the crowd.
Perhaps you could fly a signal flag on your roof? Something easily observable from the street, but nothing to arouse an adversary’s suspicion?… “
Amazingly, the suspect in this case asked the FBI to do something he believed only the foreign country he wanted to sell to could make happen: a secret sign.
The undercover FBI agent then responded that it could accomplish this. As it turned out, this was the social engineering trick that this Navy insider threat would finally fall for. And he had asked for it himself.
“This relationship requires mutual comfort. There is risk on both sides and we understand your need for safety assurance of who you are communicating with. As you suggest we can accommodate a signal in Washington D.C. over the Memorial Day weekend. We will set a signal from our main building observable from the street.
It will bring you comfort with signal on display from an area inside our property that we control and not a [sic] adversary. If you agree please acknowledge. We will then provide more instructions about the signal. We hope this plan will continue to build necessary trust and comfort of our personal identity.”
So Naval Engineer Jonathan Toebbe visited Washington D.C. during the 2021 Memorial Day weekend, watching another nation’s property, likely an embassy, for a sign that it was eager to buy his U.S. military secrets.
This likely means the U.S. had further cooperation from the foreign government that received the SD card in the first place. However, court documents do not reveal the secret signal or how it was accomplished.
But we do know that Navy Nuclear Engineer Jonathan Toebbe saw it, fell for it, and suddenly changed his mind about an in-person data drop.
On May 31, 2021, the insider threat also started to spill more details:
“Now I am comfortable telling you…I am located near Baltimore, Maryland. Please let me know when you are ready to proceed with our unusual exchange. Once you have drop location details for me, I will give you the Monero address and prepare the sample you have requested.
I will place information you have requested, encrypted, on a memory card along with the address for the second payment you offered in a plain text file. After I confirm the second payment I will provide you with the decryption passphrase using the new communication method. I am also excited to continue our relationship.”
Navy insider threat case: how the data drops worked
Now the stage was set. The FBI had primed the anonymous insider threat to finally come out of the digital shadows. To seal the deal, on June 10, 2021, the FBI paid ALICE (Toebbe’s pseudonym) approximately $10,000 USD in Monero cryptocurrency.
Then in late June 2021, a secret data drop happened in Jefferson County, West Virginia. Court documents explain more—including the role of a peanut butter sandwich:
“…the FBI recovered a blue 16GB SanDisk SD Card left by JONATHAN TOEBBE at the dead drop location. The SD card was wrapped in plastic and placed between two slices of bread on a half of a peanut butter sandwich. The half sandwich was housed inside of a plastic bag. The FBI electronically paid “ALICE” approximately $20,000 USD in Monero.
On June 29, 2021, “ALICE” provided the password to the FBI in an encrypted ProtonMail message. The FBI subsequently opened the provided SD card and provided the contents to the U.S. Navy subject matter expert.
The U.S. Navy determined that multiple documents on the SD card contained Restricted Data. Specifically, the U.S. Navy subject matter expert determined that several of the documents contained militarily sensitive design elements, operating parameters, and performance characteristics of Virginia-class submarine reactors.”
“The document contained schematic designs for the Virginia-class submarine. Virginia-class submarines are nuclear-powered cruise missile fast-attack submarines, which incorporate the latest in stealth, intelligence gathering, and weapons systems technology. Virginia-class submarines, with a per-unit cost of approximately $3 billion, are currently in service with the United States Navy and are expected to remain in service until at least 2060.”
As it turns out, the Navy’s rogue employee, who had been reluctant to do anything in person, found that he liked this arrangement.
He proposed more of the same, with a keen eye on his operational security and the appearance of innocence. Consider his attention to detail:
“For now, I propose we continue with weekend exchanges at suitable parks and trails, similar to this one. Details of my daily routine may narrow an investigator’s search too much if your organization is infiltrated by an adversary one day.
Hiking and visiting historical sites is easier to explain than unexpected stops during rush hour if they ever take a particular interest in me.
If we are to continue using this method of exchange long term, it is very important that I have as much flexibility in timing my deliveries as possible.
I would like to create a natural legend for my interest in visiting a particular place in the future—reading articles about ten fun things to do in Baltimore this month and “stumbling” across a beautiful hike close to home, for instance. Bad weather on one day might ruin that cover story.
I hope you will forgive my excess caution. I want our relationship to be very successful for us both, and that means that I must be very careful at every step.”
He wanted to create plausible deniability, just in case.
If only he knew that he was building the case against himself, one email at a time.
Through the summer and fall of 2021, ALICE made additional SD card data drops to his ‘customer.’ He thought it was the foreign government, but instead it was the FBI the entire time.
Once, he concealed the SD card in a chewing gum wrapper. Another time it was inside a bandaid left behind in a park.
As the Monero cryptocurrency payments grew, so did the insider’s requests for more. And he even took a shot at U.S. security investigators:
“I propose the same compensation schedule for the remaining files: 100,000 USD Monero each for the 49 packages…in total $5,000,000 USD Monero.
The amount per transaction is, in part, a security measure. As you noted in your letter, U.S. security forces are lazy. They also have limited budgets.
Bait of $10,000 or 20,000 USD to catch an agent is within their normal activities. $100,000 USD and more? They may offer it, but they will not deliver such a large amount. Foreign reports confirm this is a common tactic used by U.S. security forces to expose agents. Please do not be offended by this…”
He was wrong on this point, because the FBI handed over $100,000 worth of Monero during the course of this investigation. Once again he unknowingly told the FBI, ‘this is how you socially engineer me.’
And it worked.
It worked so well that Toebbe wrote about celebrating the success of this scheme to sell U.S. military data:
“One day, when it is safe, perhaps two old friends will have a chance to stumble into each other at a cafe, share a bottle of wine and laugh over stories of their shared exploits. A fine thought, but I agree that our mutual need for security may make that impossible. Whether we meet or no [sic], I will always remember your bravery in serving your country and your commitment to helping me.”
To his surprise, the two sides would meet much sooner than expected. And it was not an ‘old friend’ but instead, it was the FBI.
After making another SD card drop on Saturday, October 9, 2021, law enforcement, including the Naval Criminal Investigative Service (NCIS), arrested him in West Virginia.
Investigators also arrested his wife. Prosecutors say she knew about the scheme and acted as a lookout during the SD card drops at public locations.
That final SD card, by the way, had more Restricted Data related to submarine nuclear reactors, according to the court documents in this case.
You can read the Navy insider threat court documents here.
What would have happened if the foreign government had taken Jonathan Toebbe up on his offer to buy U.S. nuclear propulsion data instead of turning that information over to the FBI?
Is there someone at your agency or your organization who is going rogue right now? Let us know in the comments below.