The ambassador’s message had been specific in a way that made the leak undeniable.

A senior State Department official had received the message through a classified diplomatic channel on a Tuesday morning.

The ambassador representing an allied government had expressed concern about information that appeared to have reached a third party, a government with whom the United States was conducting sensitive back channel negotiations on a nuclear program.

The ambassador had described the information with a precision that the State Department official found immediately disturbing.

Three specific details from the previous week’s negotiating session that had not been shared with the allied government, had not been documented in any distributed summary, and had been discussed only in a single closed meeting attended by four American participants.

Three details, one meeting, four people.


The State Department official had forwarded the ambassador’s message to the FBI’s counterintelligence division within 4 hours of receiving it.

The forwarding note was two sentences.

The second sentence read, “We need to know which of the four.”

The field agent assigned to the case had 11 years of counterintelligence experience.

He had worked leak investigations before.

He understood their geometry.

The more precisely the adversary could demonstrate that specific information had been obtained, the more precisely the investigator could identify who had provided it.

The ambassador’s message was, from an investigative standpoint, almost a gift.

Three specific details narrowed to four people.

His job was to eliminate three of them.

He began with access.

All four participants had legitimate access to the meeting’s content.

All four held appropriate clearances.

All four had been attending the negotiating sessions as part of their professional roles.

Two were State Department officials involved in the diplomatic process.

One was a policy analyst from the National Security Council, and one was a legal adviser from a defense-adjacent agency whose portfolio included treaty compliance analysis.

The access analysis produced nothing discriminating.

All four had equal reason to be there and equal opportunity to have been the source.

He moved to behavior.

He requested personal financial disclosures, foreign contact reports and travel records for all four.

The financial disclosures were clean, no obvious anomalies, no unexplained assets, no lifestyle gaps inconsistent with documented income.

The foreign contact reports were clean.

The travel records were where he slowed down.

He had been in this kind of investigation before.

The hardest part was not finding the anomaly.

It was resisting the temptation to stop looking once you found one.

His protocol was to complete the full picture on all four before assigning weight to anything.

He read all four travel records before he read any of them twice.


Three of the four had travel histories that were unremarkable.

Occasional personal vacations to documented destinations, professional travel consistent with their roles, no patterns that warranted extended attention.

The fourth had something different over the preceding 11 months.

The fourth participant had taken a series of weekend trips that were consistent in their structure and sparse in their documentation.

Nine trips in 11 months.

All departing on Thursday evenings and returning on Sunday afternoons.

All departures from Dulles International.

All on flights bound for Toronto.

No hotel registrations in the Canadian travel database the agent could access through a bilateral law enforcement information sharing arrangement.

No credit card transactions at Toronto venues during any of the nine weekends.

No documented activities of any kind between Thursday evening departure and Sunday afternoon return.

Nine trips to Canada.

No record of what he had done when he got there.

The agent submitted a records request to Canadian Border Services for the fourth participant’s entry and exit records.

The response confirmed nine border crossings corresponding to the nine flight departures and nine return flights.

No violations, no flags, no incidents.

The fourth participant had entered Canada on nine Thursday evenings and had left on nine Sunday afternoons.

What he had done between those two events was not documented in any record the agent could access through standard bilateral channels.

He submitted an expanded financial background inquiry on all four participants to the FBI’s financial crimes coordination desk.

The inquiry asked for any existing FinCEN referral or financial investigation associated with the names of any of the four.

The inquiry entered the coordination desk’s processing queue on a Thursday morning.

In a fourth floor office at the Treasury Department’s Financial Crimes Enforcement Network analytical division, a financial crimes analyst had been working a referral for 4 months that she had initially assessed as minor and had subsequently reassessed as something else entirely.

The referral had come from a regional bank in Northern Virginia that had flagged a series of incoming wire transfers to a personal checking account as structurally unusual.

The transfers were small, between $3,800 and $4,600, averaging approximately $4,200, and they arrived at monthly intervals.

12 transfers over 11 months.

Total inflow approximately $47,000.

The flagging criterion was not the amount but the origination.

All 12 transfers had originated from a Canadian financial institution whose name appeared in FinCEN’s international correspondent banking risk registry as associated with accounts used by foreign state-linked entities to conduct financial transactions in North America.

The Canadian institution was not in itself proof of anything.

Legitimate account holders used institutions on the risk registry every day for entirely legitimate reasons.

The registry was a risk indicator, not a determination.

What had elevated this particular SAR from a routine referral to a 4-month investigation was the account holder’s professional status.

The account was held by an individual whose employment verification, run as a standard step in the financial background process, returned a federal government security clearance confirmation.

A cleared federal employee receiving monthly transfers from a Canadian institution associated with foreign state linked activity was a different category of concern than an ordinary account holder receiving the same transfers.

She had spent 4 months building the financial picture around the transfers.

The Canadian institution, traced through the correspondent banking chain, connected through four intermediate hops to an account at a financial institution in a third country whose beneficial ownership structure she had obtained through a classified Treasury intelligence assessment.

The beneficial ownership pointed to a corporate entity that appeared in two prior separate investigations she had reviewed as a financial node used by a foreign intelligence service to compensate recruited assets in North America.

The methodology, small monthly transfers through a Canadian intermediary structured to appear below reportable thresholds and moving through correspondent banking chains designed to create documentation complexity, was consistent with a compensation pattern she had seen documented in classified analytical products.

She had the payment chain.

She had the amount pattern.

She had the account holder’s identity and his federal employment.

She did not yet have his role: what specifically he did for the federal government, what he had access to, what the payments had been for.

She had submitted a request for his personnel records through the appropriate interagency channel 11 days ago and was waiting for a response when the FBI’s financial background inquiry arrived in her coordination inbox on a Thursday afternoon.

She read the inquiry.

Four names.

The fourth name matched the name on her SAR investigation file.

She looked at the name for a moment.

Then she looked at her case file.

Then she called the coordination desk’s processing officer.

“The fourth name on the inquiry that just came in,” she said. “What’s the originating case?”

The processing officer told her: a counterintelligence leak investigation, a State Department matter, an active case filed out of the counterintelligence division’s Washington field office.

She called the Washington field office’s coordination contact at 4:30 p.m.

The coordination contact connected her to the field agent’s supervisor at 5:15 p.m.

The field agent was still in his office when the supervisor walked in and said, “Treasury has a financial investigation on one of your four.”

The field agent looked up.

Which one? The supervisor told him.

The joint briefing convened the following morning, connecting the field agent, the Treasury analyst, a senior counterintelligence supervisor, and a representative from the State Department Security Division who had been added to the call at the supervisor’s request to provide context on the subject’s specific role in the negotiating process.

The Treasury analyst presented first: 11 months of monthly transfers from a Canadian institution connected through four correspondent banking hops to a compensation methodology associated with foreign intelligence payments to recruited North American assets.

Approximately $47,000 in total documented inflow, an account holder who was a cleared federal employee, and a payment pattern that was consistent with a regular compensation arrangement rather than a one-time payment or a casual financial relationship.

The field agent presented second.

Nine weekend trips to Canada over 11 months.

No documented hotel stays.

No documented financial activity during the Canadian visits.

A consistent Thursday departure and Sunday return pattern.

A participant in nine classified negotiating sessions corresponding, in his preliminary calendar analysis, to nine of the 11 months covered by the Treasury investigation.

And a leak: three specific details from a single negotiating session transmitted to an adversary through a channel the ambassador’s message had made impossible to deny.

The State Department representative spoke third.

The subject’s role in the negotiating process had given him access to everything discussed in every session.

He was a legal adviser whose function required him to be present for the complete substance of each meeting, including the most sensitive elements of the American negotiating position.

The negotiations themselves concerned the terms under which a specific country’s nuclear program would be subject to international oversight and constraint.

The American negotiating position, meaning the conditions the US would accept, the thresholds it considered non-negotiable, and the areas where it had flexibility it had not disclosed to the other side, was the information whose protection the entire negotiating strategy depended on.

The supervisory agent asked the question that established the clock.

When was the next session? The next session was scheduled for 5 days from the date of the briefing.

It was, the State Department representative noted, the session at which the American delegation intended to table its final comprehensive proposal, a document that had been in preparation for 3 months and whose contents represented the full extent of the American position.

5 days. The subject had access to the final proposal.

He had 11 months of demonstrated willingness to transmit negotiating details to a foreign party.

He had a pattern of monthly visits to Canada that corresponded to the monthly transfer cycle that was paying him for those transmissions.

The merge had given them both halves of the picture.

The field agent had the behavioral pattern and the leak.

The Treasury analyst had the payment mechanism and the financial trail.

Together, they described an 11-month operation in which a legal adviser with full access to classified nuclear negotiating sessions had been meeting a handler in Canada on a regular schedule and transmitting session content in exchange for monthly payments structured to avoid financial monitoring.

The subject was placed under continuous covert physical surveillance at 8:00 am the morning of the joint briefing.

His personal communications were placed under a court-authorized monitoring order by 11 am. His access to the classified negotiating materials, including the draft final proposal, was maintained without modification.

The supervisor had made that decision deliberately.

Removing or restricting his access would alert him that the investigation existed.

As long as he believed his access was normal, his behavior would remain consistent with his established pattern.

And his established pattern, the field agent had documented, included a behavior that was about to become critical: a trip to Canada.

The next scheduled session was in five days.

The subject’s prior travel pattern showed that his Canada trips occurred approximately 1 week before or after each negotiating session.

Sometimes before to receive tasking, sometimes after to transmit session content.

The most recent session had been 11 days ago.

The most recent trip to Canada had been 14 days ago.

The pattern suggested a post session transmission trip was either overdue or imminent.

On the second day of surveillance, the subject purchased a one-way train ticket to New York on an Amtrak service departing Thursday evening.

He had purchased no return ticket.

He hadn’t used a credit card to purchase the ticket.

He had used a prepaid cash card whose purchase history the financial monitoring could not trace in real time.

The surveillance team documented the ticket purchase and reported it to the field agent at 3:47 p.m.

New York, not Canada, New York.

The pattern had changed.

The supervisor authorized an expanded surveillance package: a team in New York to supplement the Washington surveillance team, monitoring of the subject’s known communications channels, and a request for emergency access to Amtrak’s passenger manifest for the Thursday departure.

The subject boarded the Thursday evening train at Union Station at 7:22 p.m.

The surveillance team boarded two cars behind him.

He arrived at Penn Station at 11:47 p.m. and took a taxi to a hotel in Midtown that he had not pre-booked through any documented reservation system.

He paid for the room with the same prepaid cash card he had used to purchase the train ticket.

He went to his room at 12:14 am.

At 9:47 am on Friday, a man entered the hotel’s lobby and proceeded to the elevator without speaking to the front desk.

The surveillance team photographed him from four positions.

He was not in any database the team could query in real time.

He went to the 11th floor.

He remained on the 11th floor for 37 minutes.

He left the building at 10:24 am without stopping at the front desk.

The subject left his room at 10:31 am, checked out at 10:34 am, and walked to Penn Station.

He was back in Washington by 3:30 p.m.

The Friday visitor was identified through the surveillance photographs within 48 hours.

His visa records showed entry into the United States 6 months ago on a diplomatic passport with a stated purpose of cultural exchange representation.

His assignment, traced through State Department diplomatic registration records, placed him at a consular office in New York, whose parent mission had been the subject of counterintelligence attention in three prior unrelated investigations.

His specific consular function was listed in the registration as science and technology affairs.

The counterintelligence division’s classified case files on his parent mission included a notation, 3 years old, assessing his science and technology affairs function as a possible cover designation for technical intelligence collection.

37 minutes in a Midtown hotel.

The subject had changed his pattern from Canada to New York, not because the Canadian arrangement had become unavailable.

The border was still open.

The Canadian account was still active.

He had changed it because something had changed in the coordination of the meetings: the handler had come to him rather than receiving him in Canada.

The change in pattern was consistent with an elevated operational tempo, a situation in which the handler needed to be closer to the subject because the content the subject was about to provide was too significant for the standard monthly exchange.

The final proposal session was 4 days away.

The expanded monitoring of the subject’s communications produced, on Saturday, a 19-second voice message transmitted through an encrypted application to a phone number that resolved to a device registered in a jurisdiction outside the United States.

The message content was partially recoverable.

The application’s encryption had been partially addressed through a technical process the team’s cyber unit had developed for this category of device.

And what was recovered was consistent with a briefing on the content and timing of an upcoming negotiating document.

He had told the handler that the final proposal was coming.

The court authorization for arrest was obtained at 6 am on Monday, 4 days before the scheduled session.

The subject was arrested at his apartment in Arlington at 7:14 am. He was carrying a laptop and a personal phone.

Both devices were encrypted.

Both were seized under the arrest warrant.

He did not speak when the agents identified themselves.

He looked at his laptop bag in a way that the arresting agent noted in his incident report: a look that the agent described as someone taking inventory of what had been in the bag and what it meant that the bag was no longer going to remain private.

2 days later, through his legal counsel, he requested a meeting with the prosecution team.

The meeting was not immediately granted.

The encrypted devices were still being processed.

The prosecution team preferred to know what was on the devices before entering any cooperation discussion.

The processing took 11 days.

What the decryption produced when the technical unit completed its work was a document archive organized in a folder structure whose naming convention the counterintelligence division’s senior analyst described in a classified written assessment as consistent with a systematic reporting protocol, organized by session date, indexed by subject matter, and formatted in a manner consistent with intelligence product preparation rather than personal note taking.

11 folders, 11 months, 11 sessions.

The Friday visitor in the Midtown Hotel had departed the United States on Saturday evening, one day after the meeting, before the identification process had been completed.

His diplomatic status had given him a window.

The investigation could not close in time.

The State Department was notified through the appropriate channel.

A formal diplomatic communication was pending.

The final proposal session was postponed.

The American negotiating team was briefed on the investigation’s findings in a session that the field agent was not cleared to attend.

The State Department representative who had participated in the joint briefing was present.

The field agent learned, through a written summary he received 2 weeks after the arrest, that the postponement was characterized internally as a procedural delay rather than a security concern, to avoid providing the other side with information about the investigation’s existence or scope.

The Treasury Department’s FinCEN monitoring program had generated the SAR referral 11 months ago.

The referral had been processed through FinCEN’s standard triage system and had been assigned to the analyst queue based on the risk registry flag from the Canadian institution.

The FinCEN monitoring program ran continuous transaction monitoring against a defined set of risk indicators and generated referrals when a combination of indicators exceeded a threshold score.

The Canadian institution’s registry flag was one indicator.

The transfer amount pattern was a second.

The frequency, monthly and consistent for 11 consecutive months, was a third.

No single indicator would have generated a referral.

The combination crossed the threshold.
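The referral logic described here, a scored combination of indicators none of which fires a referral alone, can be shown with a small scorer run over a constructed transfer history. This is an added example and not the FinCEN program’s code or anything from the original account; the weights, the referral threshold, the amount-band tolerance, the reportable-threshold value, the registry contents and the twelve sample wires are all constructed assumptions chosen so that each indicator stays under the threshold on its own while the three together cross it.

```python
"""Multi-indicator referral scoring over a constructed wire-transfer history.

Added illustration, not the FinCEN program's own logic. All weights,
thresholds and sample data below are assumptions for the example.
"""
from datetime import date

# Assumed indicator weights and referral threshold: any single indicator
# (max 35) and any pair (max 65) stay below 80; all three reach 90.
WEIGHTS = {"registry_flag": 35, "amount_band": 30, "monthly_cadence": 25}
REFERRAL_THRESHOLD = 80

REPORTABLE_THRESHOLD = 10_000.0   # assumed reportable-amount threshold
BAND_TOLERANCE = 0.25             # assumed: (max - min) / mean for a "narrow band"
MIN_CONSECUTIVE_MONTHS = 6        # assumed: months of unbroken cadence to fire

# Assumed risk registry: institution identifiers carrying a risk flag.
RISK_REGISTRY = {"CA-BANK-X"}

# Constructed sample: 12 wires over 11 consecutive months (two in March),
# all just below the band ceiling, all from the flagged institution.
SAMPLE_TRANSFERS = [
    {"date": date(2023, 1, 12), "amount": 4100.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 2, 10), "amount": 3900.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 3, 9),  "amount": 4400.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 3, 27), "amount": 4250.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 4, 11), "amount": 3850.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 5, 12), "amount": 4600.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 6, 9),  "amount": 4000.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 7, 13), "amount": 4300.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 8, 10), "amount": 3800.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 9, 12), "amount": 4500.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 10, 11), "amount": 4150.0, "origin": "CA-BANK-X"},
    {"date": date(2023, 11, 9), "amount": 4200.0, "origin": "CA-BANK-X"},
]

# Control set: identical amounts and cadence, but from an unflagged institution.
CONTROL_TRANSFERS = [dict(t, origin="CA-BANK-Y") for t in SAMPLE_TRANSFERS]


def longest_monthly_run(transfers):
    """Longest run of consecutive calendar months that each contain a transfer."""
    months = sorted({(t["date"].year, t["date"].month) for t in transfers})
    best = run = 0
    prev = None
    for year, month in months:
        idx = year * 12 + (month - 1)          # absolute month index
        run = run + 1 if prev is not None and idx == prev + 1 else 1
        best = max(best, run)
        prev = idx
    return best


def evaluate_indicators(transfers, registry=RISK_REGISTRY):
    """Return which of the three indicators fire for this transfer set."""
    amounts = [t["amount"] for t in transfers]
    mean = sum(amounts) / len(amounts)
    spread = (max(amounts) - min(amounts)) / mean
    return {
        # Any originating institution on the risk registry.
        "registry_flag": any(t["origin"] in registry for t in transfers),
        # All amounts below the reportable threshold and tightly clustered.
        "amount_band": max(amounts) < REPORTABLE_THRESHOLD and spread <= BAND_TOLERANCE,
        # Unbroken month-after-month cadence.
        "monthly_cadence": longest_monthly_run(transfers) >= MIN_CONSECUTIVE_MONTHS,
    }


def referral_score(transfers, registry=RISK_REGISTRY):
    """Sum the weights of firing indicators; referral when the sum meets the threshold."""
    fired = evaluate_indicators(transfers, registry)
    total = sum(WEIGHTS[name] for name, hit in fired.items() if hit)
    return total, total >= REFERRAL_THRESHOLD


if __name__ == "__main__":
    for label, batch in (("flagged origin", SAMPLE_TRANSFERS), ("control", CONTROL_TRANSFERS)):
        total, refer = referral_score(batch)
        print(f"{label}: indicators={evaluate_indicators(batch)} score={total} referral={refer}")
```

The control set is the point of the design: the same amounts and the same eleven-month cadence from an unflagged institution score 55 and never reach the analyst queue, while the registry flag alone (35) would not either. Only the combination crosses 80.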

The analyst had been working the referral for 4 months when the FBI’s financial background inquiry landed in her inbox.

The FBI’s financial background inquiry had been submitted by the field agent as a routine investigative step.

Standard procedure in any case involving cleared personnel with potential financial anomalies.

The inquiry had been submitted for all four participants, not specifically for the fourth.

If the fourth participant’s name had not appeared in the FinCEN system, the inquiry would have returned nothing, and the financial investigation that had been running for 4 months would have continued without connection to the leak investigation that had been running for 3 weeks.

The connection was not the result of a designed cross reference.

It was the result of one of four names matching an existing file that had been built through a separate process by a separate analyst in a separate agency for separate reasons.

11 months of payments, nine trips to Canada, one trip to New York, a final proposal 4 days away.

Those are the numbers.

The encrypted devices are still being processed.

The postponed session was rescheduled.

The final proposal was modified before it was tabled.