A 30-year-old former National Security Agency (NSA) employee arrested for allegedly trying to sell classified information was tied the crime by FBI investigators who claim they linked him to the printing of secret documents after communicating with someone offering them for sale online.
The FBI alleges it then followed the money as it moved from a cryptocurrency exchange to the NSA staffer’s personal bank account.
Jareh Sebastian Dalke, who was employed at the NSA as an information security systems designer from June 6 to July 1, allegedly began communicating with what he believed to be a foreign agent on July 29, according to a statement from the Department of Justice (DoJ) announcing his arrest in Denver on September 28.
According to an FBI affidavit, however, the suspect was communicating with an undercover FBI agent via an encrypted foreign email service, that, while legitimate, is also used by cybercriminals.
“Dalke told that individual [the FBI agent] that he had taken highly sensitive information relating to foreign targeting of US systems, and information on US cyber operations, among other topics,” the DoJ alleged in a statement. “Dalke represented to the undercover FBI agent that he was still employed by the US government but said he was on a temporary assignment at a field location.”
The person the FBI spoke to said they needed money – telling the undercover agent they were $237,000 in debt – and wanted to be paid in a specific type of cryptocurrency in exchange for the National Defense Information (NDI), the statement said. The type of cryptocurrency was not specified in the statement or the related FBI affidavit.
To prove their bona fides, the individual sent excerpts of three classified documents and one full classified document that were related to three unidentified US government agencies. Dalke was tied to the email account used to communicate with the FBI agent and to send the documents after investigators scouring historical user activity on NSA systems claim they found that his user account had printed all four of the classified documents.
“Dalke was the only NSA employee to have printed all of these documents,” according to the affidavit.
After supplying the documents, the FBI says it sent the requested cryptocurrency to an address on August 9. That’s when investigators began tracking the money.
That same day, someone opened an account under Dalke’s real name on the Kraken crypto exchange and, it is alleged, after receiving the payment from the undercover agent, deposited a similar amount of the same cryptocurrency into Dalke’s exchange account.
The agency claims that Dalke – a resident of Colorado Springs – converted the crypto into dollars, and withdrew the dollars ($4,559.81) from the exchange on August 9, and three days later deposited the same amount of money into a bank account in Colorado, according to the FBI affidavit.
On September 18, an individual contacted the undercover agent asking that the agent set up a way for them to digitally transfer more sensitive information in Denver. Up to that point, they had only told the agent that they weren’t currently in the Washington DC area – the NSA is headquartered in Fort Meade, Maryland, through Dalke was assigned to an NSA facility in the Washington DC metro area – and said they were willing to travel to Denver to complete the transaction.
According to the DoJ, the person asked for $85,000 in return for the new information and added that more information would be available when they returned to the Washington DC area. Dalke reapplied to the NSA in August, according to the statement.
The person proposed that to receive the second batch of sensitive information, the undercover agent use a secure connection that was set up by the FBI in a public location in Denver. They told the agent they would transfer the data on September 28 or 29. Dalke then showed up at the Denver site on September 28, say the Feds, who arrested him.
He was charged with three violations of the Espionage Act.
It’s unclear what foreign nation the person the FBI communicated with wanted to give the information to, although the affidavit suggests it’s Russia. The affidavit said Dalke claims to have elementary proficiency in both Russian and Spanish and said the person they corresponded with told the undercover agent that their heritage “ties back to your country, which is part of why I have come to you as opposed to others.”
In addition, the person, asking for verification that the agent they were communicating with was a member of a foreign government, said they had reached through a number of channels to get a response, including a submission to the SVR Tor site.
The SVR is Russia’s foreign intelligence service. Tor is open-source software used to hide an internet user’s location and use by sending internet traffic through a relay network.
The FBI says the person they communicated with had criticized the United States for its actions around the world and said the “country it is not as great as it thinks it once was. It is all about the businesses and their money, not anything about the people or those that serve it to include the military.”
According to the affidavit, Dalke was in the army from 2015 to 2018, received a bachelor’s degree in cybersecurity and information assurance from Western Governors University a year later and apparently has a master’s degree from Norwich University, where he studied cyber policy and technical vulnerability analysis. The FBI said he was also pursuing a doctorate at the American Military University, studying cyber affairs and advanced persistent threats.
Dalke submitted his resignation to the NSA on June 28 this year, and was debriefed on July 1. According to the FBI, he told the NSA in the exit interview that the reason he was resigning was that he couldn’t get the nine months off he needed from the job to deal with a family illness. ®