FYI.

This story is over 5 years old.

Tech

Feds Raid Apartment of Suspected CIA Leaker, Find 10,000 Images of Child Porn

Former CIA and NSA agent Joshua Schulte is being prosecuted on child porn-related charges, but not on charges related to allegedly leaking the "Vault 7" hacking tools to Wikileaks.
Image: Saul Loeb/AFP/ via Getty Images

In March 2017, the FBI agents raided the Manhattan apartment of former NSA and CIA operative Joshua Schulte looking for top secret documents and hacking tools that the defendant allegedly leaked to WikiLeaks. We don’t know if they found what they were looking for, but according to court transcripts and documents reviewed by Motherboard, the feds did find at least 10,000 images of child porn on his personal computer, and an IRC-focused file-sharing server that had at least 5 terabytes of data on it.

Advertisement

Roughly two weeks before the raid, on March 7, 2017, WikiLeaks started releasing top secret documents allegedly stolen from a CIA hacking group. Julian Assange’s organization called the leaks ‘Vault 7' and said it’d be an ongoing series. Its most recent release, in November of 2017, was source code of alleged CIA hacking operations, which it dubbed “Vault 8.” Until today, when The Washington Post revealed that the government had identified Schulte as the potential source of the leak, there was no suspect.

Court transcripts reviewed by Motherboard confirm that Schulte, who is 29 years old, is a suspect in the case, but thus far he has been hit with child porn charges, and there’s no specific public evidence tying Schulte to Vault 7 beyond the government saying he is a suspect in court proceedings. Schulte does not appear to have been charged with crimes stemming from leaking classified information.

Transcripts from Schulte’s bail hearings show that the case is quite complex. Publicly available transcripts from late 2017 and early 2018 show that the US government originally got a search warrant to raid his apartment in connection with a national security case, but the vast majority of incriminating material discovered by federal agents was child porn.

“While most of the national security stuff does not involve … the actual charges against Mr. Schulte, the basis for the search warrants in this case involve national security,” Jacob Kaplan, one of Schulte’s attorneys, argued in a court proceeding in December of last year.

Advertisement

But it’s not clear that the government discovered anything to tie him to the Vault 7 leaks. Instead, the government seized Schulte’s personal computer and found more than 10,000 images and videos of child pornography in an encrypted folder stored on a virtual machine on the device, according to a federal complaint that has been unsealed. The federal government was able to decrypt the folder. According to a court transcript, the passwords Schulte used to encrypt child porn on his computer were the same as the ones he used to login to his bank account online; the criminal complaint says that it was “able to defeat the encryption by entering passwords recovered from a cellular telephone” belonging to Schulte. Schulte consented to a search of his phone, according to the complaint.

An archived image of The Crypt's homepage

According to the complaint, Schulte ran a filesharing server called "The Crypt" (Cryptm.org), which, according to archived versions of the site, appears on the surface to have been an open directory associated with the “IRC Knights.” On The Crypt, Schulte allegedly went by the name “Josh.” An archived version of his page there shows that he had files related to chess, an episode of South Park, a copy of The 40 Year Old Virgin, textbooks, C Programming textbooks, and a folder called “Facebook Convos.” According to the archived version of the server viewed by Motherboard, the IRC Knights had at least 10 members.

Advertisement

A screengrab of an archived look at Schulte's folder on the server.

The server was live as of February 2017, according to the Internet Archive. The domain is still active, according to public records.

“The Crypt” may have nothing to do with Vault 7—and it may have nothing to do with the child porn case against him, either—but both the government and his lawyers have spent a lot of time talking about it. His defense has argued that, because many different people had access to it, it’s difficult to prove that Schulte has anything to do with anything incriminating that the government may find on it. Meanwhile, the government has used chat logs associated with The Crypt and the IRC Knights—which date between 2006 and 2009—to suggest that, at least at one point, The Crypt was where Schulte stored his child porn and invited other people to view it.

Schulte’s lawyers argued that he and his friends—who were teens at the time—were simply joking around. But the feds did indeed find child porn on his personal computers; reading through court transcripts and indictments, it is not totally clear whether any child porn was found on The Crypt.

Regardless, for the last year, the government has been prosecuting a child porn case—not a national security case—against Schulte, while Schulte’s lawyers have argued that the government got its warrants under false pretenses. In a January hearing, Kaplan argued that “the FBI believed that Mr. Schulte was involved in [the Vault 7] leak … we believe that many of the facts relied on to get the search warrants were just flat inaccurate and not true.”

Advertisement

“The government had full access to his computers and his phone, and they found the child pornography in this case, but what they didn’t find was any connection to the WikiLeaks investigation,” Kaplan argued at a hearing in January.

Lawyers for the government said that’s not the case. At that hearing, Matthew LaRoche, an assistant US attorney for the southern district of New York, said that the Vault 7 material was taken while Schulte was working for the CIA, and that “the government immediately had enough evidence to establish that he was a target of that investigation.”

“I would disagree with defense counsel’s characterization that those search warrants haven’t yielded anything that is consistent with his involvement in the disclosure,” LaRoche said. “In fact, our investigation is ongoing. He remains a target of that investigation. And part of that investigation is analyzing whether and to what extent TOR was used in transmitting classified information.”

Taken together, this is one of the more bizarre cases we’ve seen, and we don’t know whether the government will attempt to pursue additional charges associated with the Vault 7 leaks or not.

Schulte worked at the CIA for more than six years, between 2010 and 2016 as a developer, working on Windows and Linux tools “to support clandestine operations.” Before that, he had a brief 5-month stint as an NSA systems engineer, where he “administered and maintained high-speed passive signals intelligence (SIGINT) collection systems on Linux (Red Hat Enterprise) servers,” according to his Linkedin profile. At the time of his arrest, he was working for Bloomberg.

Schulte is currently held at a jail in Manhattan, New York, according to the Federal Bureau of Prisons.

The US Department of Justice declined to comment on the case. Reached on her phone on Tuesday afternoon, Schulte’s attorney Sabrina Shroff declined to comment as well.