A former U.S. National Security Agency (NSA) employee has been arrested on charges of attempting to sell classified information to a foreign spy, who was actually an undercover agent working for the Federal Bureau of Investigation (FBI).
Jareh Sebastian Dalke, 30, was employed at the NSA for less than a month from June 6, 2022, to July 1, 2022, serving as an Information Systems Security Designer as part of a temporary assignment in Washington D.C.
According to an affidavit filed by the FBI, Dalke was also a member of the U.S. Army from about 2015 to 2018 and held a Secret security clearance, which he received in 2016. The defendant further held a Top Secret security clearance during his tenure at the NSA.
"Between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government," the Justice Department (DoJ) said in a press release.
Dalke is also alleged to have arranged to transfer additional National Defense Information (NDI) in his hands to the undercover FBI agent at an undisclosed location in the U.S. state of Colorado. He was subsequently arrested on September 28 by the law enforcement agency upon arriving at the agreed-upon location.
Conversations with the individual that Dalke assumed was associated with the foreign government commenced on July 29, 2022. In them, he claimed to have stolen sensitive data pertaining to foreign targeting of U.S. systems and information on U.S. cyber operations.
The first of the document excerpts shared as proof was classified at the Secret level, while the two others were classified at the Top Secret level, with Dalke demanding a cryptocurrency payment in return for passing the information.
Some of the snippets offered relate to the NSA's plans to update an unspecified cryptographic program as well as threat assessments related to sensitive U.S. defense capabilities and the foreign government's offensive capabilities.
"On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession," the DoJ said, stating, "Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver," eventually leading to his capture.
The DoJ is tight-lipped about the name of the foreign government, but there are indications that it could be Russia, given the fact that Dalke claimed to have attempted to establish contact through a "submission to the SVR TOR site."
It's worth pointing out that SVR, Russia's Foreign Intelligence Service, set up a SecureDrop-like whistleblowing platform on the dark web in April 2021, as reported by The Record, to anonymously share information regarding "urgent threats to the security of the Russian Federation."
On top of that, email communications with the agent also show that Dalke was motivated by the fact his "heritage ties back to your country" and that he had "questioned our role in damage to the world in the past."
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
The ex-NSA employee has been charged with three violations of the Espionage Act, an allegation that, if proven guilty, carries a potential sentence of death or any term of years up to life.
Dalke's arrest arrives days after the Russian government granted Russian citizenship to former U.S. intelligence contractor Edward Snowden, who faces espionage charges for disclosing numerous surveillance programs run by members of the UKUSA community.
In a related development, researchers at the Citizen Lab at the University of Toronto disclosed "fatal" security flaws in the websites the U.S. Central Intelligence Agency (CIA) used as a front for covert communications with its informants, culminating in the arrest and execution of dozens of assets in China and Iran.
The now-defunct communication method leveraged hundreds of seemingly legitimate websites, including a soccer news portal called Iraniangoals[.]com, in which entering a password into the search field caused a hidden chat interface to pop up, Reuters reported.
The Citizen Lab said it was able to map the network of 885 sites, which were active between 2004 and 2013, just by using iraniangoals[.]com in conjunction with publicly available material from the Internet Archive's Wayback Machine, a task that could have been accomplished by a "motivated amateur sleuth."