Suspect’s Twitter messages played role in NSA hacking-tools leak probe

NSA computer security specialist Hal Martin worked for what was known as the agency’s Tailored Access Operations unit. | Patrick Semansky, File/AP Photo

Hours before a 2016 leak of some of the National Security Agency’s most closely guarded hacking tools, a former NSA contractor sent a cryptic Twitter message that prompted alarm on the part of federal investigators, a federal judge has revealed.

Messages that the former NSA computer security specialist, Hal Martin, sent via Twitter appear to have led to an FBI raid on his Maryland home and to his arrest on charges of retaining a vast trove of classified information there without permission, according to a newly released court ruling.


Passages in the decision from U.S. District Court Judge Richard Bennett were deleted from a version made public by the court, but the remaining details suggest that investigators believed Martin was offering sensitive information to someone online shortly before a nebulous internet-based entity, the Shadow Brokers, released NSA hacking tools in August 2016 through the attention-grabbing technique of an online auction.

“In these messages, @HAL_999999999 asked for a meeting with the [redacted] and stated ‘shelf life, three weeks,’” Bennett wrote, describing the government’s assertions in court filings still under seal. “The Defendant’s Twitter messages … were sent just hours before what was purported to be stolen government property was advertised and posted on multiple online content-sharing sites, including Twitter.”

The judge said the FBI maintained that Martin, who had worked for what was known as the NSA’s Tailored Access Operations unit, had access to the information advertised online that summer. Bennett said the combination of factors made him a logical suspect.

“Although the Defendant’s Twitter messages could have had any number of innocuous meanings in another setting,” Bennett added, “these allegations regarding the context of Defendant’s messages provide a substantial basis for the Magistrate’s conclusion that there was a ‘fair probability’ that evidence of the crime of Theft of Government Property … would be found in information associated with the Defendant’s Twitter account.”

The newly disclosed legal opinion leaves little doubt that Martin, 54, was once one of the prime suspects in the Shadow Brokers leak two years ago. However, whether he ever actually leaked anything classified to anyone or even inadvertently disclosed anything that eventually appeared online remains unclear.

In addition, it is not clear from the documents whether Martin was ever directly or indirectly in contact with the elusive group.

Investigators have also zeroed in on other potential suspects. In addition, the leak of other sensitive U.S. government files to the Shadow Brokers has raised doubts about whether any one of the suspects could account for the entirety of the set of U.S. secrets the nebulous group has managed to assemble and make public.

In September, a federal judge sentenced another Maryland man who formerly worked for the same NSA hacking team, Nghia Pho, 68, to five years and six months in prison for taking a large amount of top-secret information home from 2010 to 2015. Pho appears to have been first charged secretly in March 2015, well before the Shadow Brokers’ announcement the next year that it had the hacking tools and was seeking to auction them.

At least some of Pho’s files are believed to have reached the Shadow Brokers and others through Kaspersky anti-virus software that Pho had on his home computer. The company has said its systems flagged some of the hacking tools as malware and scooped them up for further analysis. Russian government operatives allegedly used that feature of the Kaspersky software to scoop up classified files from Pho and others.

Pho said he took the classified files and records home for a rather pedestrian reason: to try to improve his performance review and boost his salary before retiring. However, NSA officials took the unusual step of telling the judge in that case that Pho’s actions had a severe impact, resulting in the spy agency’s having to abandon a number of techniques it previously relied on.

Martin’s attorneys have acknowledged that his home contained a huge volume of records from his government work, an estimated 50 terabytes of information — millions of documents. However, they contend that he suffered from a “hoarding” compulsion that led to highly disorganized mounds of papers in his home and car.

Martin, who has been jailed without bail since his arrest more than two years ago, faces 20 felony counts of retaining national defense information without permission. The charges carry a maximum possible sentence of 200 years in prison, although defendants are typically sentenced to shorter terms in accordance with federal sentencing guidelines.

Investigators have not tied Martin to any intentional disclosure, a source close to the case told POLITICO earlier this year. It’s unclear whether they have evidence that any part of the massive trove of documents at his home escaped his custody.

A Justice Department spokesman and an attorney for Martin declined to comment on the ruling.

Late last year, Martin sought to plead guilty to one of the 20 felony charges against him, in what appeared to be an unorthodox attempt to persuade the government to drop the remaining 19 charges. However, the plea was never accepted by the court. His trial is set for June 2019, nearly three years after his arrest.

The new, if scant, details about what brought Martin under suspicion emerged in response to a defense challenge to the validity of search warrants used to authorize a search of what appeared to be Martin’s Twitter account and, two days later, a search of Martin’s home in Glen Burnie, Md.

Bennett ruled that those search warrants were legally sufficient based on the Twitter messages and Martin’s access to the classified information being posted or offered publicly at the time.

While Martin’s lawyers from the Maryland federal defenders’ office failed to persuade the judge to knock out the evidence seized in the raid on their client’s home, they scored a notable win when Bennett held that Martin’s statements made to FBI agents that day could not be used against him at trial.

Citing testimony at a closed-door court hearing last month, the judge said the use of a SWAT team and a flash-bang grenade to carry out the search could reasonably have led Martin to believe he was not free to leave even though agents insisted he had not been arrested at that time. Martin was handcuffed for about 30 minutes at the outset of the raid, although he was not in cuffs when agents interviewed him.

Bennett said the FBI’s failure to read Martin his Miranda rights rendered his statements inadmissible given the circumstances.

“The Defendant was initially approached by nine SWAT agents dressed in protective gear, some of whom had their guns drawn at the Defendant. Multiple other officers were also on the scene,” wrote the judge, an appointee of President George W. Bush. “A reasonable person in the Defendant’s position would have felt that he was not free to leave.”

During a daylong hearing in Baltimore federal court last month, Bennett heard live testimony from FBI agents as well as two defense witnesses: Martin’s romantic partner, Deb Shaw, and Anthony Contrini, a neighbor who was told by law enforcement to stay indoors as the raid was carried out.

The judge said the fact that Shaw was kept from Martin during the four-hour interrogation was a significant factor in rendering Martin’s statements inadmissible. The conditions amounted to “a police dominated atmosphere before and during the interrogation,” Bennett wrote.

A POLITICO reporter and other would-be onlookers were barred from the November hearing. Bennett said the closure was necessary because classified information might be discussed. He said a transcript would eventually be made public after it was reviewed for such details.

The government’s inability to use Martin’s statements at trial could pose obstacles for the prosecution, since it will have to show that Martin had some degree of knowledge about the classified files and records in his home. However, prosecutors seem likely to argue that the volume of information he’d gathered was so great that it could not have been an accident and that he knew he wasn’t permitted to take any records from the NSA without explicit permission.

If the judge had ruled that all the evidence seized from Martin in the August 2016 raid was inadmissible, that would have been a much more severe, perhaps fatal, blow to the prosecution.

While Bennett excluded Martin’s statements from being used against him, the judge offered no criticism of the aggressive tactics used by the FBI during the raid. By all accounts, Martin put up no resistance and was cooperative with the agents. However, he had nine or 10 weapons at his home, including assault rifles, as well as a history of binge drinking and threats of suicide.

