The Paranoia and Betrayal of Jonathan Toebbe
By Shikha Sangwan, Sr. Security Research Engineer

Some insider threats are quiet and compulsive. Others come wrapped in a peanut butter sandwich.
In 2021, U.S. Navy engineer Jonathan Toebbe was arrested for attempting to sell classified submarine technology to a foreign government. He wasn’t forced into it. He wasn’t coerced. He initiated the contact himself, asking for hundreds of thousands of dollars in cryptocurrency in exchange for nuclear secrets.

This wasn’t a data dump or a careless mistake. It was premeditated. He used encrypted emails, steganography, and dead drops to try to mask his activity. He even involved his wife, Diana, as a lookout during the handoffs.
Toebbe didn’t act out of ideology. He acted out of dissatisfaction, greed, and an inflated belief that his “spycraft” was too sophisticated to detect. In reality, his behavior was filled with digital signals and risk patterns that the right platform could have surfaced early.
Here is how this would have played out differently with Securonix Unified Defense SIEM.
A Trusted Insider with a Hidden Plan
One of the most bizarre methods Jonathan Toebbe used was concealing classified data on SD cards hidden inside a peanut butter sandwich. In one dead drop, he wrapped the memory card in plastic and placed it inside a half-eaten sandwich, which he then left at a pre-arranged location for what he believed was a foreign intelligence agent. This low-tech concealment was meant to blend in with everyday litter or lunch and avoid suspicion. Despite its simplicity, it reflected his reliance on traditional spycraft and his confidence that analog methods would escape modern surveillance, an assumption that ultimately failed.
But beneath the spy tricks was something much more familiar. Repeated access to classified documents. Suspicious use of encryption. Behavior that gradually drifted from baseline. A growing gap between his access and his job role.
These are exactly the kinds of behaviors Securonix is designed to detect.
Why It Mattered
The Toebbe case is a chilling reminder that insider threats don’t always come from obvious enemies or ideologues. Sometimes, they come from trusted professionals working quietly within the system. Toebbe didn’t hack networks or use sophisticated malware. He used removable drives, everyday objects, and patience.
His actions exposed vulnerabilities in how classified information is accessed, monitored, and protected, especially within highly sensitive defense programs.
It underscores the urgent need for continuous vetting, behavioral monitoring, and zero-trust enforcement, even for individuals with high-level clearance.
How Securonix Would Have Detected Toebbe
Securonix is not a rule-based system that waits for alerts. It is a behavior-focused, cloud-native platform that understands users, connects the dots across systems, and raises the signal when something changes. Here is how Toebbe’s activity would have stood out in a Securonix AI-powered environment.
Abnormal Access to Sensitive Data
Toebbe accessed restricted files repeatedly over time. These were not documents tied to his active projects or peer group. Securonix uses contextual baselining to detect out-of-scope access and escalating data volume.
What would trigger alerts:
- Accessing sensitive submarine design files not tied to current work
- Repeated downloads from high-security directories
- Peer group deviation in file types and frequency
Use of Removable Media and Encryption
Toebbe used SD cards to exfiltrate data and encrypted them to hide the contents. Securonix tracks removable media usage, monitors high-entropy file creation, and detects abnormal file compression or encryption behavior.
What would trigger alerts:
- Frequent SD card usage by a non-IT user
- Detection of encrypted files created after classified document access
- Unusual file types with steganographic signatures
Unsanctioned Email and Shadow Communications
He used anonymous ProtonMail addresses to communicate with what he believed was a foreign government. Securonix flags use of non-approved communication tools and correlates activity with data movement.
What would trigger alerts:
- Access to personal webmail following document access
- Attempts to obfuscate communication methods
- Unapproved domains associated with encrypted message traffic
Identity Drift and Behavioral Anomalies
Toebbe’s behavior changed gradually. He accessed systems during irregular hours. He displayed signs of increasing isolation. He overstepped his role boundaries. Securonix monitors identity risk scores and flags behavioral shifts over time.
What would trigger alerts:
- Off-hours system activity not associated with project urgency
- Growing divergence from baseline identity risk profile
- Lack of collaboration or shared file access with teammates
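As an added illustration (not Securonix code, and not part of the original post), the correlation described in the preceding sections can be expressed as a small detector over constructed endpoint events: a restricted-file read outside working hours, followed within 30 minutes by a high-entropy write to a mounted removable drive. The sensitive path prefix, the business-hours window, the entropy threshold, and the event format are all assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry, not real logs: (user, UTC timestamp, action, path, payload)
EVENTS = [
    ("user_a", "2020-04-02T23:10:00", "usb_mount",  "E:", b""),
    ("user_a", "2020-04-02T23:12:00", "file_read",  "\\\\share\\restricted\\design.pdf", b""),
    ("user_a", "2020-04-02T23:20:00", "file_write", "E:\\lunch.jpg", bytes(range(256)) * 8),
    ("user_b", "2020-04-03T10:05:00", "file_read",  "\\\\share\\restricted\\design.pdf", b""),
    ("user_b", "2020-04-03T10:30:00", "file_write", "C:\\work\\summary.txt", b"status update " * 50),
]
SENSITIVE_PREFIX = "\\\\share\\restricted\\"  # assumed label for a high-security directory
WORK_HOURS = range(7, 19)                      # assumed 07:00-18:59 business window
WINDOW = timedelta(minutes=30)                 # assumed read-to-write correlation window
ENTROPY_THRESHOLD = 7.5                        # bits/byte; encrypted data sits close to 8.0

def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def analyze(events):
    """Return {user: [reasons]} for users whose event sequence matches the insider pattern."""
    findings = {}
    mounted = {}          # user -> drive letters of currently mounted removable media
    last_sensitive = {}   # user -> timestamp of the most recent restricted-file read
    for user, ts, action, path, payload in events:
        t = datetime.fromisoformat(ts)
        reasons = findings.setdefault(user, [])
        if action == "usb_mount":
            mounted.setdefault(user, set()).add(path[0])
        elif action == "file_read" and path.startswith(SENSITIVE_PREFIX):
            last_sensitive[user] = t
            if t.hour not in WORK_HOURS:
                reasons.append("off-hours restricted file access")
        elif action == "file_write":
            on_removable = path[0] in mounted.get(user, set())
            recent = user in last_sensitive and t - last_sensitive[user] <= WINDOW
            if on_removable and recent and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
                reasons.append("high-entropy write to removable media after restricted access")
    return {u: r for u, r in findings.items() if r}

if __name__ == "__main__":
    for user, reasons in analyze(EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

In this sample only user_a is flagged; user_b reads the same restricted file but during working hours and writes plain text to a local disk, which is the baseline the detector is meant to leave alone.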
Co-Conspirator Behavior and Correlated Physical Movement
Toebbe’s wife was involved in the operation, serving as a lookout during drop-offs. Securonix correlates physical movement and access events across identities. Even if she had no system credentials, her proximity could be flagged.
What would trigger alerts:
- Repeated location overlap between insider and non-employee
- Off-network presence of a second device near sensitive activity
- Badge access pattern anomalies if physical systems were in use
Human Risk Indicators
Toebbe’s psychological profile revealed greed, calculated risk-taking, and a detachment from ethical boundaries. While these traits may not surface through traditional monitoring, Securonix uses identity-centric analytics to flag behaviors like repeated access to sensitive files, staged exfiltration patterns, and collaboration with non-privileged users.
What This Teaches Us
Jonathan Toebbe believed he could outsmart the system. He used encrypted messages, dead drops, and homemade concealment. But none of it changed the underlying behavior. He accessed the wrong files. He moved data in suspicious ways. He drifted from baseline over time. He made mistakes.
Traditional systems look for attacks. Securonix looks for patterns.
And when those patterns break the mold of trusted user behavior, the system responds, even when the user looks clean on paper.
The Securonix Advantage
With Securonix, insider threats are surfaced using a combination of analytics, identity context, and unified telemetry. This allows security teams to see the entire story — not just the alerts.
Out-of-the-box detection capabilities include:
- Behavior-based data exfiltration policies
- USB and removable media monitoring
- File encryption and high-entropy file alerts
- Identity risk scoring and behavioral drift
- Cross-system correlation for communication and access anomalies
No signatures. No manual chasing. Just a platform built to catch what others miss.
Looking Ahead
Our next Insider Threat Profile will examine Gregory Chung, the aerospace engineer who slowly leaked sensitive defense technology to China for over a decade. His method was simple, his access was trusted, and the damage was real.
Because every story has a lesson. And every threat leaves a trace.
Want to see how Securonix helps stop insider threats before they escalate?
Visit our Insider Threat Use Case to learn more or request a demo.