Lessons From a Nuclear Spy Case
By TorchStone VP, Scott Stewart
Jonathan Toebbe walked carefully along the hiking path, watching for the signals that led to the dead drop device that his handlers had placed, while also being vigilant for the presence of other people on the trail.
Seeing that he had reached the spot and that the coast was clear, he stepped off the path to service the dead drop while his wife, Diane, watched his back. Finding the dead drop container, he carefully removed the note his handler had left and placed a secure digital memory card (SD card) inside the container.
As he and his wife returned to their car in the parking lot, they were swarmed by FBI agents who had witnessed Toebbe’s dead drop. Indeed, the “handler” Toebbe had been communicating with since December of 2020 was really an FBI agent. Toebbe and Diane have since been charged with attempting to sell restricted nuclear submarine secrets to a foreign government.
The path to Toebbe’s arrest began in April 2020 when he mailed a package to an unidentified foreign government from a dummy address in Pittsburgh. The package contained a sample of the technical materials in his possession and requested that the materials be passed to the country’s military intelligence agency.
In the note, Toebbe, using the pseudonym “Alice,” apologized for the poor translation into that country’s language, indicating it was not an English-speaking country. The package also contained instructions for establishing contact with Alice using encrypted ProtonMail email accounts.
Unfortunately for Toebbe, in December 2020, the intelligence service of the country the package had been sent to handed the package over to the FBI legal attaché at the U.S. Embassy in that country’s capital.
After confirming that the sensitive materials were authentic, the FBI quickly launched an investigation and sent a message to Alice’s ProtonMail account to see if the as-yet-unidentified spy would respond.
That response finally came in April 2021, when Alice replied, “Thank you for contacting me. I am still here. The covid disease has made it more difficult to find chances to check this email. Let us discuss how to proceed.”
The FBI proposed an in-person meeting, but Alice resisted and instead suggested using an encrypted cloud storage account, which was to be paid for using the Monero cryptocurrency. This posed a quandary for the FBI, which had still not been able to identify Alice.
The FBI proposed using a physical dead drop to receive the information from Alice because it would provide them the opportunity to observe and record the transaction—and hopefully identify Alice.
Alice initially resisted using the physical dead drop, replying “I am concerned that using a dead drop location your friend prepares makes me very vulnerable. If other interested parties are observing the location, I will be unable to detect them. I am not a professional, and do not have a team supporting me.”
However, the FBI was eventually able to convince Alice that the physical dead drop would be more secure than using an encrypted file-sharing account, which is essentially an electronic dead drop, because it would “leave no electronic signature.”
After more than a month of wrangling back and forth over the use of a physical dead drop, Alice requested that a signal be left at the unidentified country’s embassy in Washington, DC over the Memorial Day weekend, one that would be observable from the street. After the signal was left and received, and a good-faith payment of $10,000 in Monero was made, Alice agreed to use the physical dead drop.
The FBI’s gambit worked.
On June 26, 2021, the FBI observed as Toebbe and his wife arrived at the predetermined location in Jefferson County, West Virginia, and serviced the dead drop. From the description in the criminal complaint, it appears to have been located near one of the trails at Harper’s Ferry.
After visiting the site, the couple walked through a more populated section of the area and appeared to the watching eyes of the FBI to be attempting to conduct surveillance detection.
But those countersurveillance attempts were in vain, as the FBI successfully identified the Toebbes and their vehicle. This permitted them to quickly determine that Toebbe was the Alice they had been searching for over the preceding months.
Records checks quickly determined Toebbe was a civilian nuclear engineer with the U.S. Navy who had previously served on active duty and in the Navy Reserves. His duties provided him access to the sensitive and restricted nuclear secrets he was attempting to pass to the foreign country’s intelligence service.
Nuclear propulsion systems are one of the critical components that help a nuclear submarine to run quietly, and it has proved difficult for other nations to match the U.S. government developed technology that permits its vessels, such as the Virginia Class nuclear attack submarine, to operate so quietly.
The U.S. government thus protects and restricts access to this information. This is also why the information is so highly coveted by other countries, and may be why it took that country’s government eight months to pass Toebbe’s package to the Americans.
However, the third country did ultimately decide to alert the Americans, and now the FBI’s investigative efforts had identified Toebbe as the nuclear spy they had been hunting. After four additional months of contacts, dead drops, and payments, the FBI was able to determine that Toebbe was working alone and that there were no other spies connected to his efforts.
Armed with this knowledge, they decided to lead the case to a conclusion and arrested Toebbe after catching him in flagrante delicto at the Oct. 9 dead drop location.
The Toebbe case is worthy of further study, as it has several significant implications for insider threat programs in both the government and private sectors.
Toebbe was an “entrepreneurial” or self-initiated spy motivated by money. He was not targeted and recruited as an agent by the foreign intelligence agency. Instead, he decided himself that he wanted to become a spy, which country he wanted to spy for, and how much he demanded as compensation for his espionage. He approached them.
Entrepreneurial spies, who are frequently referred to as “walk-ins” in intelligence parlance, have long proved to be incredibly harmful. Some of the most damaging spies in American espionage history have been self-initiated, entrepreneurial spies; figures like John Walker, Aldrich Ames, Robert Hanssen, Christopher Boyce, and Edward Howard, among others.
But entrepreneurial spies are not just a problem for the government, as a number of cases in recent years attest.
- In 2018, two men were arrested in Germany and charged with stealing commercial secrets from the Cologne-based chemical company Lanxess. They intended to open a rival company in China. The men even attempted to poach Lanxess clients at a chemical trade fair for their new company, a move that appears to have tipped off the company to the pair’s activities.
- In 2017 an employee of chemical company Chemours, the world’s largest producer of sodium cyanide (which is used in mining), was arrested and charged with attempting to steal the company’s trade secrets to sell to investors in a competing company.
- Also in 2017, four executives at the U.S. manufacturer Applied Materials were arrested and charged with stealing proprietary schematics that contained sensitive details and processes related to the company’s semiconductor production, which they intended to use to set up a competing company.
- In 2016, an employee of the pharmaceutical company GlaxoSmithKline was arrested after he stole proprietary information he hoped to use to attract Chinese investors in a bid to set up a rival company.
When employees know the information they have access to is of great value to someone else, greed can often cause them to betray the trust placed in them. In communications with his FBI handler, Toebbe noted that he was attempting to parlay the cache of documents he had stolen into $5 million in Monero.
While Toebbe appears to have been primarily motivated by greed, there may also be a bit of an ideological element to this case. Diane Toebbe’s social media accounts made clear her progressive social and political views and her opposition to Donald Trump. At one point she told a friend that she and her husband had even contemplated moving to Australia after Trump was elected in 2016.
Even if there was no direct ideological motive for Toebbe’s espionage, the opposition to Trump may have helped him justify his treason.
The current heated and polarized U.S. political environment may help motivate or justify the espionage in the minds of the perpetrators or of other government employees or corporate employees who disagree with the policies of their governments or companies. I’ve recently written on the extremist insider threat, and would again emphasize that the damage extremist insiders can cause goes beyond just physical workplace violence attacks.
Patient and Deliberate
While many press accounts of this case have poked fun at Toebbe for things such as placing an SD card inside a half-eaten peanut butter sandwich that he left at a dead drop, after reading the government’s complaint against him, I believe that he was anything but sloppy in his tradecraft—especially for someone with no formal espionage training. It is also important to recognize that hiding the SD card in a peanut butter sandwich was per the FBI’s instructions and not Toebbe’s own plan.
Toebbe appears to be a very intelligent individual, and he put a great deal of thought and planning into his espionage attempt. He literally spent years carefully planning and methodically executing his plot.
Consider the following:
- Although Toebbe resided in Annapolis, MD, he traveled to Pittsburgh, PA to mail his initial package to the foreign government in an effort to obfuscate his true location.
- The fact that the FBI was not able to identify him from this package indicates he made efforts to ensure he did not leave fingerprints or other forensic evidence on the package that could be used to identify him.
- Toebbe refused bulk cash payments, preferring instead to receive payment in cryptocurrency, which is easier to hide and harder to trace.
- He slowly and patiently stole the restricted information. As he told his handler in one email: “This information was slowly and carefully collected over several years in the normal course of my job to avoid attracting attention and smuggled past security checkpoints a few pages at a time.”
- He was able to steal the restricted information despite measures put in place to prevent such thefts.
- The use of ProtonMail accessed through Tor (The Onion Router) over public Wi-Fi was well conceived, and was also planned well in advance. As he told his handler: “My new Proton is actually an old one I established quietly with a cash-only burner phone while on vacation several years ago.”
- He offered his handler a duress code that he would use to indicate that he had been caught and was being forced to communicate.
- He refused a face-to-face meeting and repeatedly resisted using a physical dead drop because he judged it would endanger his operational security.
- When the FBI did finally convince him to use physical dead drops, he insisted they be placed in locations he could create a plausible reason to visit, and that would not raise suspicion if he was seen there. “I would like to create a natural legend for my interest in visiting a particular place in the future.” He added, “Hiking and visiting historical sites is easier to explain than unexpected stops during rush hour if they ever take a special interest in me.”
- He was also very cognizant of indicators that could alert the authorities to his activities and took measures to avoid exhibiting such indicators. He told his handler, “We received training on warning signs to spot insider threats. We made very sure not to display even a single one. I do not believe any of my former colleagues would suspect me if there is a future investigation.”
In fact, given the care Toebbe took in executing this plot, if he had not agreed to visit the physical dead drop location, it would have been far more difficult for the FBI to identify and ultimately arrest him.
In the end, the Toebbe case is a cautionary one for insider threat practitioners.
A patient, methodical and intelligent spy can be very difficult to detect, both while he is stealing sensitive information and while he establishes contact with a foreign intelligence agency. If the government Toebbe approached had not notified the Americans, he might still be operating.