WASHINGTON — Federal agents descended on the suburban Maryland house with the flash and bang of a stun grenade, blocked off the street and spent hours questioning the homeowner about a theft of government documents that prosecutors would later describe as “breathtaking” in its scale.
The suspect, Harold Martin, was a contractor for the National Security Agency. His arrest followed news of a devastating disclosure of government hacking tools by a mysterious internet group calling itself the Shadow Brokers. It seemed to some that the United States might have found another Edward Snowden, who also had been a contractor for the agency.
“You’re a bad man. There’s no way around that,” one law enforcement official conducting the raid told Martin, court papers say. “You’re a bad man.”
Later this month, about three years after that raid, the case against Martin is scheduled to be resolved in Baltimore’s federal court. But the identity of the Shadow Brokers, and whoever was responsible for a leak with extraordinary national security implications, will remain a public mystery even as the case concludes.
Authorities have established that Martin walked off with thousands of pages of secret documents over a two-decade career in national security, most recently with the NSA, whose headquarters is about 15 miles from his home in Glen Burnie, Maryland. He pleaded guilty to a single count of willful retention of national defense information and faces a nine-year prison sentence under a plea deal.
Investigators found in his home and car detailed description of computer infrastructure and classified technical operations in a raid that took place two weeks after the Shadow Brokers surfaced online to advertise the sale of some of the NSA’s closely guarded hacking tools. Yet authorities have never publicly linked Martin or anyone else to the Shadow Brokers and the U.S. has not announced whether it suspects government insiders, Russian intelligence or someone else entirely.
The question is important because the U.S. believes North Korea and Russia relied on the stolen tools, which provide the means to exploit software vulnerabilities in critical infrastructure, in unleashing punishing global cyberattacks on businesses, hospitals and cities. The release, which occurred while the NSA was already under scrutiny because of Snowden’s 2013 disclosures, raised questions about the government’s ability to maintain secrets.
“It was extraordinarily damaging, probably more damaging than Snowden,” cybersecurity expert Bruce Schneier said of the Shadow Brokers leaks. “Those tools were a lot of money to design and create.”
Yet none of that is likely to be mentioned at Martin’s July 17 sentencing. The hearing instead will turn on dramatically different depictions of the enigmatic Martin, a Navy veteran, longtime government contractor — most recently at Booz Allen Hamilton — and doctoral candidate at the time of his arrest.
Prosecutors allege Martin jeopardized national security by bringing home reams of classified information even as, they say, he once castigated colleagues as “clowns” for lax security measures. Soon after his arrest, they cast aspersions on his character and motives, citing a binge-drinking habit, his arsenal of unregistered weapons and online communication in Russian and other languages.
The agents who searched his house that August 2016 afternoon found a trove of documents in his car, home and a dusty, unlocked shed. The 50 terabytes of information from 1996 to 2016 included personal details of government employees and “Top Secret” email chains, handwritten notes describing the NSA’s classified computer infrastructure, and descriptions of classified technical operations.
Defense lawyers paint him as a compulsive hoarder whose quirky tendencies may have led him astray but who never betrayed his country.
It’s unclear how Martin came to the FBI’s attention, but a redacted court order from a judge suggests agents may have been looking for a Shadow Brokers link when they obtained search warrants for his Twitter account and property before the raid.
The December 2018 ruling from U.S. District Judge Richard Bennett notes that the FBI was investigating the online disclosure of stolen government property.
It cites a Twitter message from an account allegedly belonging to Martin — @HAL_999999999 — that requested a meeting with someone whose name is blacked out and stated “shelf life, three weeks.”
The recipient of the message is redacted, although Politico reported it went to the Moscow-based cybersecurity firm Kaspersky Lab, which in turn notified the U.S. Kaspersky declined to discuss the Martin case.
Martin was never charged with disclosing information and was accused only of unlawfully retaining defense information. The Shadow Brokers, which two weeks before Martin’s arrest surfaced on Twitter with the warning that it would auction off NSA hacking tools online, continued trickling out disclosures after Martin was in custody, a seeming indication that someone else may have been responsible.
As for the mystery of who or what is behind the Shadow Brokers, there’s little certainty that the government will ever publicly resolve that lingering question, especially given the classified nature of the theft and the embarrassment it caused the U.S.