FBI Arrested 12 Pentag0n Empl0yees at Once — What They F0und Ins1de EXPOSED a 2-Year Operat10n

FBI Arrested 12 Pentag0n Empl0yees at Once — What They F0und Ins1de EXPOSED a 2-Year Operat10n

The an0maly that br0ke the case 0pen was n0t f0und 1n a class1f1ed system, n0t flagged by an aut0mated m0n1t0r1ng t00l, and n0t pr0duced by any c0unter1ntell1gence 0perat10n already 1n m0t10n.

It was f0und by an analyst wh0 was rev1ew1ng a r0ut1ne access rep0rt as part 0f a quarterly c0mpl1ance rev1ew.

The k1nd 0f adm1n1strat1ve task that c1rculated thr0ugh the d1v1s10n 0n a r0tat1ng bas1s, and that m0st sen10r analysts delegated t0 jun10r staff.

Th1s 0ne had n0t been delegated.

The sen10r analyst wh0 p1cked 1t up that Tuesday m0rn1ng d1d s0 because the jun10r analyst ass1gned t0 the queue was 0ut s1ck, and the rep0rt had a subm1ss10n deadl1ne.

He f0und the an0maly 1n the 14th l1ne 0f a 340 entry access l0g.

A c1v1l1an 1ntell1gence analyst 1n the Pentag0n’s M1ddle East P0l1cy Assessment D1v1s10n had accessed 347 class1f1ed f1les 0ver the preced1ng 8 m0nths.

H1s p0s1t10n auth0r1zed access t0 reg10nal assessment pr0ducts and f1n1shed 1ntell1gence summar1es.

It d1d n0t auth0r1ze access t0 0perat10nal plann1ng d0cuments, f0rce p0s1t10n1ng packages, 0r the 1nfrastructure assessment f1les that c0mpr1se the maj0r1ty 0f the 347 accessed rec0rds.

The access had been flagged by the aut0mated system as a r0ut1ne 0ver-sc0pe event.

The k1nd 0f flag that pr0duced d0zens 0f entr1es per m0nth acr0ss the Pentag0n’s access management 1nfrastructure, and that typ1cally res0lved as leg1t1mate need-t0-kn0w extens10ns granted 1nf0rmally by superv1s0rs w1th0ut pr0per d0cumentat10n.

The sen10r analyst ran the res0lut10n check that the aut0mated flag requ1red.

N0 1nf0rmal auth0r1zat10n 0n f1le.

N0 superv1s0r request.

N0 d0cumented pr0ject need.

The 347 accesses had 0ccurred acr0ss 14 separate sess10ns d1str1buted 0ver 8 m0nths us1ng val1d credent1als dur1ng n0rmal w0rk1ng h0urs w1th n0 techn1cal an0maly 1n the access pathway.

The f1les accessed c0vered 0perat10nal plann1ng t1mel1nes, f0rce p0s1t10n1ng assessments f0r f1ve reg10nal c0mmands, and 1nfrastructure vulnerab1l1ty analyses f0r US 1nstallat10ns acr0ss the M1ddle East c0rr1d0r.

He escalated the flag at 9:47 a.

m.

By n00n, a c0unter1ntell1gence rev1ew team was pull1ng the analyst’s full pers0nnel f1le.

By 3:00 p.

m.

, the f1nanc1al rec0rds request had been subm1tted.

By 6:00 p.

m.

, the team w0rk1ng the prel1m1nary 1nqu1ry had s0meth1ng that c0nverted a c0mpl1ance flag 1nt0 an urgent nat10nal secur1ty 1nvest1gat10n 1n the space 0f 0ne meet1ng.

The c1v1l1an analyst was 0ne 0f 12 Pentag0n empl0yees wh0se f1nanc1al pr0f1les, when cr0ss-referenced aga1nst a f0re1gn 1ntell1gence c0mpensat10n database ma1nta1ned by the Treasury Department’s F1nanc1al Cr1mes Enf0rcement Netw0rk, sh0wed payments traceable t0 the same IRG C-l1nked f1nanc1al 1nfrastructure n0de.

N0t the same payment meth0d0l0gy.

N0t the same am0unts.

The same 0r1g1nat1ng n0de.

A fund1ng ent1ty that had been 1dent1f1ed 1n a 2020 c0unter1ntell1gence case as part 0f Iran’s external 0perat10ns f1nanc1al arch1tecture, subsequently d0rmant, n0w apparently act1ve aga1n and s1multane0usly c0mpensat1ng 12 1nd1v1duals w0rk1ng 1ns1de the m0st sens1t1ve defense p0l1cy env1r0nment 1n the Un1ted States.

12 pe0ple, 0ne handler netw0rk, 0ne 0r1g1nat1ng f1nanc1al s0urce.

The c0unter1ntell1gence sect10n ch1ef called her superv1s0r at 6:43 p.

m.

And sa1d 0ne sentence, “We have a penetrat10n 0perat10n and we d0n’t kn0w h0w deep 1t g0es.

”

E1ght days.

That was the assessment that sect10n ch1ef devel0ped f0r the f0ll0w1ng 4 h0urs.

W0rk1ng w1th the 1ntell1gence c0mmun1t1es Iran desk and tw0 NSA l1a1s0n 0ff1cers wh0 had been br0ught 1nt0 the rev1ew under emergency c0mpartmental1zat10n pr0t0c0ls.

E1ght days was n0t der1ved fr0m a s1ngle 1ntercept 0r c0nf1rmed 0perat10nal t1mel1ne.

It was an assessment bu1lt fr0m three c0nverg1ng 1nd1cat0rs.

The f1rst 1nd1cat0r was s1gnals.

NSA retr0spect1ve analys1s 0f Iran1an m1l1tary c0mmun1cat10ns 0ver the preced1ng 6 weeks sh0wed a pattern 0f rep0s1t10n1ng act1v1ty at three a1r defense 1nstallat10ns and tw0 f0rward 0perat1ng l0cat10ns 1n the reg10n.

M0vements 1nc0ns1stent w1th r0ut1ne r0tat10n schedules c0ns1stent w1th preparat10n f0r an 0ffens1ve 0perat10n aga1nst f1xed US p0s1t10ns.

The rep0s1t10n1ng had begun appr0x1mately 6 weeks earl1er.

The accelerat10n had begun 10 days ag0.

The sec0nd 1nd1cat0r was the access pattern.

The m0st recent access cluster fr0m the c1v1l1an analyst’s l0g, seven f1les accessed acr0ss tw0 sess10ns 1n the preced1ng 11 days, c0vered US 1nstallat10n vulnerab1l1ty assessments f0r the same ge0graph1c c0rr1d0r where Iran1an rep0s1t10n1ng had been 0bserved.

The c0rrelat10n between what had been accessed and where Iran1an f0rces were m0v1ng was n0t c01nc1dental.

The th1rd 1nd1cat0r was f1nanc1al.

One 0f the 12 1dent1f1ed 1nd1v1duals had rece1ved a payment 3 weeks earl1er that was structurally d1fferent fr0m all pr10r payments.

Larger s1ngle transfer thr0ugh a d1fferent r0ut1ng pathway.

In the f1nanc1al 1ntell1gence un1ts exper1ence w1th f0re1gn 1ntell1gence c0mpensat10n 0perat10ns, that k1nd 0f payment structure 1nd1cated a term1nal transact10n.

A f1nal c0mpensat10n event.

The k1nd 0f payment made t0 an asset wh0se 0perat10nal w1nd0w was cl0s1ng.

E1ther because the 0perat10n was c0nclud1ng 0r because s0meth1ng was ab0ut t0 happen that w0uld make c0nt1nued access unnecessary.

E1ght days.

The sect10n ch1ef’s assessment was that Iran1an f0rces were prepar1ng an 0ffens1ve act10n aga1nst US reg10nal 1nstallat10ns w1th1n that w1nd0w us1ng 1ntell1gence gathered thr0ugh a 12 pers0n penetrat10n netw0rk that had been 0perat1ng 1ns1de the Pentag0n f0r a per10d n0t yet fully assessed.

The act10n was n0t 1mm1nent 1n the sense 0f h0urs.

It was 1mm1nent 1n the sense 0f days.

And the FBI had just f0und the netw0rk w1th e1ght 0f th0se days rema1n1ng.

The 1nvest1gat10ns central c0nstra1nt was as severe as any the sect10n ch1ef had enc0untered 1n 14 years 0f c0unter1ntell1gence w0rk.

All 12 subjects had t0 be 1dent1f1ed, fully assessed, and arrested 1n a s1ngle s1multane0us 0perat10n.

If any 0ne 0f the 12 rece1ved any 1nd1cat10n, a changed behav10r fr0m a c0lleague, an unusual quest10n fr0m secur1ty, a c0unter1ntell1gence 1nterv1ew request, anyth1ng, the IRGC handler netw0rk w0uld be alerted.

An alerted netw0rk w0uld accelerate whatever 0perat10nal t1mel1ne was already 1n m0t10n.

The sect10n ch1ef’s assessment, shared w1th the FBI d1rect0r’s 0ff1ce at 8:00 p.

m.

That even1ng, was that alert1ng the netw0rk w0uld c0mpress an 8-day w1nd0w 1nt0 s0meth1ng c0ns1derably sh0rter.

Every arrest had t0 happen at the same m0ment.

That meant the FBI needed all 12 1dent1t1es c0nf1rmed, all 12 l0cat10ns establ1shed, all 12 warrant appl1cat10ns prepared and sealed, and all 12 arrest teams p0s1t10ned and ready bef0re a s1ngle m0ve was made aga1nst any 0f them.

12 subjects, 8 days, zer0 marg1n f0r part1al act10n.

The f1rst 48 h0urs were c0nsumed by 1dent1f1cat10n w0rk.

The c1v1l1an analyst wh0se access flag had 1n1t1ated the 1nvest1gat10n was c0nf1rmed as subject 0ne w1th1n the f1rst 3 h0urs.

Subjects tw0 thr0ugh f1ve were 1dent1f1ed by the f0ll0w1ng m0rn1ng thr0ugh f1nanc1al cr0ss-referenc1ng.

Each sh0w1ng the same IRGC n0de 1n the1r payment arch1tecture, each 1n a d1fferent p0s1t10n w1th1n the Pentag0n c1v1l1an and c0ntracted w0rkf0rce.

A defense p0l1cy c0ntract0r w1th access t0 reg10nal c0mmand structures, a budget analyst wh0se p0rtf0l10 1ncluded 1nfrastructure ma1ntenance c0ntracts f0r 0verseas 1nstallat10ns, a c0mmun1cat10ns techn1c1an w1th access t0 the secure netw0rk 1nfrastructure l1nk1ng Pentag0n plann1ng d1v1s10ns t0 reg10nal c0mmand centers, a sen10r adm1n1strat1ve c00rd1nat0r 1n the 0ff1ce manag1ng 0ff1c1al travel and pers0nnel m0vement f0r sen10r defense 0ff1c1als.

F1ve subjects by m0rn1ng, Seven by the end 0f day tw0.

The f1nanc1al netw0rk was pr0duc1ng 1dent1t1es faster than the b10graph1cal assessment team c0uld pr0cess them.

Each new subject requ1r1ng a full pers0nnel f1le rev1ew, a f1nanc1al deep d1ve, an access h1st0ry rec0nstruct10n, and a c0mmun1cat10n metadata analys1s bef0re they c0uld be assessed as c0nf1rmed versus pr0bable.

The 1nvest1gat10n’s f1rst fr1ct10n p01nt arr1ved 0n day three.

Subject e1ght was a sen10r c0ntract0r wh0se r0le 1n a class1f1ed pr0gram 0ff1ce gave h1m access n0t just t0 0perat10nal plann1ng d0cuments, but t0 the c0mmun1cat10n pr0t0c0ls used between the Pentag0n and f0rward depl0yed un1ts 1n the reg10n.

The c0mmun1cat10n pr0t0c0ls, the spec1f1c encrypt10n keys, transm1ss10n schedules, and authent1cat10n sequences used t0 1ssue 0rders t0 f0rward p0s1t10ns represented a categ0ry 0f access that, 1f transm1tted t0 a f0re1gn 1ntell1gence
Serv1ce, went bey0nd 1ntell1gence 0n what was planned and reached 1ntell1gence 0n h0w 0rders w0uld be 1ssued when the plan was 1mplemented.

The assessment 0f what subject e1ght had accessed 0ver the preced1ng 14 m0nths requ1red a separate analyt1cal track staffed w1th pers0nnel cleared f0r the spec1f1c c0mmun1cat10n pr0grams 1nv0lved.

That track pr0duced 1ts results at 11:00 p.

m.

On day three.

Subject e1ght had accessed the c0mmun1cat10n pr0t0c0l d0cumentat10n 0n s1x 0ccas10ns.

The dates 0f th0se accesses, cr0ss-referenced aga1nst the f1nanc1al payment rec0rds, sh0wed that f0ur 0f the s1x accesses had been f0ll0wed w1th1n 48 h0urs by a payment dep0s1t fr0m the IRGC-l1nked n0de.

F0ur accesses, f0ur payments.

The pattern was unamb1gu0us.

The c0mmun1cat10n pr0t0c0ls f0r f0rward 0perat10ns 1n the reg10n were 1n Iran1an hands.

The sect10n ch1ef spent 30 m1nutes al0ne 1n her 0ff1ce after rece1v1ng the day three assessment.

Then, she called the br1ef1ng 1n.

“We’re n0t just l00k1ng at what they knew,” she sa1d t0 the assembled team.

“We’re l00k1ng at what they c0uld d0 w1th what they knew.

And subject e1ght g1ves them the ab1l1ty t0 d0 m0re than we’ve been assess1ng.

”

The 1nvest1gat10n sc0pe was rev1sed.

The e1ght-day w1nd0w assessment was sh0rtened t0 s1x.

N0t because new 1ntell1gence had c0nf1rmed a cl0ser t1mel1ne, because the c0mmun1cat10n pr0t0c0l access meant that the 0ffens1ve preparat10n the NSA had been track1ng c0uld be m0re advanced than the rep0s1t10n1ng data al0ne suggested.

S1x days rema1n1ng, the f1nanc1al 1ntell1gence team pr0duced subjects n1ne, 10, and 11 0n day f0ur.

Thr0ugh a meth0d0l0gy that had n0t been ant1c1pated when the 1nvest1gat10n began.

The payment r0ut1ng f0r subjects n1ne thr0ugh 11 d1d n0t trace thr0ugh the same IRGC n0de that had 1dent1f1ed the f1rst e1ght.

It traced thr0ugh a parallel n0de, a separate f1nanc1al 1nfrastructure ent1ty 0perat1ng 0n d1fferent r0ut1ng pathways that appeared 1n the same 2020 c0unter1ntell1gence f1le as the f1rst n0de, but had been assessed at the t1me
As 1nact1ve.

Tw0 n0des, n0t 0ne.

The penetrat10n 0perat10n had been bu1lt w1th redundant f1nanc1al arch1tecture.

A pr1mary c0mpensat10n channel and a backup channel that w0uld rema1n funct10nal 1f the pr1mary was ever 1dent1f1ed.

The 2020 case had f0und b0th n0des.

Ne1ther had been assessed as act1vely supp0rt1ng a current 0perat10n at the t1me.

The current 0perat10n had been us1ng b0th s1multane0usly, n0t as pr1mary and backup, but as parallel tracks c0mpensat1ng d1fferent t1ers 0f the netw0rk.

The redundancy meant the 0perat10n had been des1gned t0 surv1ve part1al exp0sure.

If the f1nanc1al analysts had f0und 0nly the pr1mary n0de, e1ght subjects w0uld have been 1dent1f1ed.

The rema1n1ng f0ur w0uld have c0nt1nued 0perat1ng 1ns1de the bu1ld1ng after the arrest 0f the e1ght w1th n0 1nd1cat10n that any part 0f the1r netw0rk had been t0uched.

F0ur pe0ple w1th unrestr1cted access t0 class1f1ed 0perat10nal plann1ng d0cuments st1ll 1n place, st1ll c0mpensated thr0ugh an 1ntact sec0ndary channel.

F1nd1ng the backup n0de was n0t part 0f the 0r1g1nal 1nvest1gat10n pr0t0c0l.

It was f0und because 0ne f1nanc1al analyst rev1ew1ng the c0mpensat10n structure 0f subject seven n0t1ced a sec0nd small payment 1n the subject’s acc0unt fr0m a d1fferent r0ut1ng 0r1g1n.

An am0unt small en0ugh t0 l00k l1ke a standard bank fee, but structured 1n a way that she rec0gn1zed fr0m a pr10r case as c0ns1stent w1th a netw0rk ackn0wledgement payment.

She flagged 1t.

The sec0ndary n0de was 1dent1f1ed by m1dn1ght 0n day f0ur.

The team had 11 subjects c0nf1rmed and 0ne pr0bable by the m0rn1ng 0f day f1ve.

The 12th 1dent1f1cat10n was the m0st sens1t1ve 0f the 12.

Subject 12 held a sen10r c1v1l1an p0s1t10n 1n the 0ff1ce 0f the Under Secretary 0f Defense f0r P0l1cy.

The f1nanc1al c0nnect10n t0 the IRGC sec0ndary n0de was c0nf1rmed.

The access h1st0ry sh0wed 23 accesses t0 f1les 1n the h1ghest class1f1cat10n t1er ava1lable t0 a c1v1l1an n0n-SCI cleared empl0yee.

F1les c0ver1ng br0ad strateg1c assessments 0f US reg10nal p0sture, all1ed c00rd1nat10n framew0rks, and the p0l1cy auth0r1zat10n arch1tecture f0r the 0perat10n currently 1n preparat10n.

Subject 12 had n0t accessed 0perat10nal deta1ls.

Subject 12 had accessed the dec1s10n-mak1ng framew0rk, the wa1t queue, the when auth0r1zed, and the what c0nd1t10n tr1ggers f0r the 0perat10n that the 0ther 11 had been pr0v1d1ng tact1cal 1ntell1gence ab0ut.

Strateg1c auth0r1zat10n arch1tecture c0mb1ned w1th tact1cal p0s1t10n1ng 1ntell1gence fr0m the 0ther 11.

The p1cture be1ng assembled fr0m all 12 access h1st0r1es, taken t0gether, c0vered b0th the 0perat10nal plan and the p0l1t1cal c0nd1t10ns under wh1ch 1t w0uld be auth0r1zed 0r halted.

The sect10n ch1ef br1efed the Deputy Att0rney General at 7:00 a.

m.

On day f1ve.

The meet1ng lasted 22 m1nutes.

All 12 warrant appl1cat10ns were appr0ved f0r s1multane0us sealed 1ssuance.

12 arrest teams, each c0mp0sed 0f FBI c0unter1ntell1gence agent and c00rd1nated w1th Pentag0n secur1ty pers0nnel, were auth0r1zed f0r depl0yment.

The 0perat10nal 0rder spec1f1ed a s1ngle c00rd1nated w1nd0w.

Pre-dawn, day seven, acr0ss all 12 l0cat10ns s1multane0usly.

Day f1ve and day s1x were l0g1st1cs.

12 l0cat10ns, s0me 1n the Pentag0n bu1ld1ng 1tself, requ1r1ng c00rd1nat10n w1th the Defense Pr0tect1ve Serv1ce that c0uld n0t be d1scl0sed t0 general Pentag0n secur1ty pers0nnel.

S0me at res1dent1al addresses, requ1r1ng standard pre-dawn res1dent1al entry pr0t0c0ls.

One at a h0tel where subject f0ur was travel1ng f0r a c0nference, requ1r1ng c00rd1nat10n w1th the FBI f1eld 0ff1ce 1n a d1fferent c1ty w1th0ut any advanced d1scl0sure t0 l0cal law enf0rcement.

The surve1llance teams placed 0n all 12 subjects dur1ng days f1ve and s1x pr0duced 0ne add1t10nal f1nd1ng that altered the arrest plan 48 h0urs bef0re 1t was scheduled t0 beg1n.

Subject three, the c0mmun1cat10ns techn1c1an, made an unscheduled tr1p 0n day f1ve t0 a park1ng structure near a g0vernment bu1ld1ng 1n n0rthern V1rg1n1a.

The surve1llance team d0cumented a 12-m1nute veh1cle-t0-veh1cle c0ntact w1th an 1nd1v1dual dr1v1ng a car reg1stered t0 a d1pl0mat1c fac1l1ty.

The c0ntact 1nd1v1dual was 1dent1f1ed thr0ugh fac1al rec0gn1t10n aga1nst embassy pers0nnel rec0rds as a kn0wn IRGC external 0perat10ns 0ff1cer 0perat1ng under d1pl0mat1c c0ver, a d1rect c0ntact w1th a handler.

12 m1nutes.

Day f1ve 0f an e1ght-day w1nd0w.

The sect10n ch1ef’s assessment 0f the c0ntact’s s1gn1f1cance was 1mmed1ate.

Subject three had met w1th the handler n0t t0 pass 1nf0rmat10n, but t0 rece1ve s0meth1ng.

P0ss1bly a t1mel1ne update.

P0ss1bly a c0mmun1cat10n c0nf1rm1ng that the 0perat10nal preparat10n was pr0ceed1ng and that the netw0rk’s access w1nd0w was ab0ut t0 cl0se.

The f1nanc1al term1nal payment 1dent1f1ed earl1er, the larger s1ngle transfer payment t0 0ne 0f the 12, was n0w 1nterpretable 1n a new c0ntext.

It was n0t s1mply a cl0s1ng payment.

It was advanced c0mpensat10n f0r a f1nal c0llect10n spr1nt.

The arrest w1nd0w was m0ved f0rward by 18 h0urs.

Pre-dawn, day s1x, 12 teams, 12 l0cat10ns, zer0 c0mmun1cat10n between teams unt1l all were 1n p0s1t10n and the g0 s1gnal was 1ssued s1multane0usly thr0ugh a s1ngle secure channel.

The g0 s1gnal was 1ssued at 4:47 a.

m.

All 12 subjects were 1n cust0dy by 5:31 a.

m.

44 m1nutes fr0m f1rst c0ntact t0 f1nal c0nf1rmat10n.

N0 subject rece1ved any 1nd1cat10n 0f what was happen1ng bef0re the agents were at the1r d00r 0r the1r w0rkstat10n.

The IRGC handler wh0 had met w1th subject three 1n the park1ng structure was 1dent1f1ed 1n the d1pl0mat1c rec0rds as the s0le 1nd1v1dual at the d1pl0mat1c fac1l1ty wh0 had been 1n d1rect c0ntact w1th any 0f the 12.

He was placed under phys1cal surve1llance at 5:31 a.

m.

By 6:00 a.

m.

, the State Department had begun the f0rmal d1pl0mat1c pr0cess f0r h1s expuls10n.

The s1multane0us nature 0f the 0perat10n meant the IRGC handler netw0rk had n0 warn1ng.

N0 subject had been able t0 c0mmun1cate because n0 subject had kn0wn they were be1ng watched.

The handlers’ pers0nal dev1ces sh0wed n0 0utb0und c0mmun1cat10n between 4:47 a.

m.

And 6:15 a.

m.

A w1nd0w that c01nc1ded exactly w1th the arrest 0perat10n.

The netw0rk had g0ne dark at the m0ment 0f f1rst c0ntact and had rece1ved n0 s1gnal fr0m any 0f 1ts 12 assets bef0re the IRGC 0ff1cer’s 0wn c0mmun1cat10ns were placed under emergency m0n1t0r1ng.

The p0st-arrest damage assessment t00k 6 weeks t0 c0mp1le and 1nv0lved 14 separate analyt1cal teams w0rk1ng under str1ct c0mpartmental1zat10n.

The class1f1ed d0cument, when c0mplete, ran t0 340 pages.

What was d1scl0sed 1n c0ngress10nal 0vers1ght br1ef1ngs descr1bed the sc0pe 0f what the 12 subjects had c0llect1vely accessed 0ver an assessed 0perat10nal per10d 0f between 18 and 26 m0nths.

The prec1se start date c0uld n0t be establ1shed because the earl1est payment rec0rds 1n b0th f1nanc1al n0des predated the Pentag0n’s access1ble access l0g arch1ve.

In that per10d, the 12 had c0llect1vely accessed m0re than 2,400 class1f1ed d0cuments c0ver1ng f0rce p0s1t10n1ng, 0perat10nal t1mel1nes, 1nstallat10n vulnerab1l1ty pr0f1les, all1ed c00rd1nat10n framew0rks, c0mmun1cat10n pr0t0c0ls, and strateg1c auth0r1zat10n arch1tecture f0r US 0perat10ns acr0ss the M1ddle East c0rr1d0r.

The Iran1an m1l1tary rep0s1t10n1ng 0bserved by NSA 1n the weeks bef0re the arrests was assessed 1n the damage rep0rt as d1rectly 1nf0rmed by 1ntell1gence gathered thr0ugh the netw0rk.

The rep0s1t10n1ng was n0t c0mplete at the t1me 0f the arrests.

Three 0f the f1ve rep0s1t10n1ng m0vements had been f1nal1zed.

Tw0 rema1ned 1n pr0gress.

The tw0 1nc0mplete m0vements were halted w1th1n 72 h0urs 0f the arrests.

The assessment’s auth0rs n0ted that the halt was c0ns1stent w1th an adversary that had l0st 1ts 1ntell1gence feed and was recal1brat1ng under c0nd1t10ns 0f sudden 1nf0rmat10n black0ut.

C0ns1der the vers10n where the c0mpl1ance rep0rt w1th the 14th l1ne an0maly 1s delegated t0 the jun10r analyst wh0 1s 0ut s1ck.

It s1ts 1n the queue.

It 1s rev1ewed the f0ll0w1ng week.

The quarterly c0mpl1ance deadl1ne has passed.

The flag 1s l0gged as a delayed res0lut10n and scheduled f0r f0ll0w-up 1n the next cycle.

Subject 0ne c0nt1nues h1s access sess10ns.

Subjects tw0 thr0ugh 12 c0nt1nue c0mpensated 0perat10ns thr0ugh0ut the Pentag0n, 1n p0l1cy 0ff1ces, 1n c0mmun1cat10ns 1nfrastructure, 1n adm1n1strat1ve c00rd1nat10n, and 1n the dec1s10n-mak1ng arch1tecture surr0und1ng the 0perat10n be1ng planned.

The tw0 1nc0mplete Iran1an rep0s1t10n1ng m0vements are f1nal1zed.

The 0perat10nal preparat10n 1nf0rmed by 14 m0nths 0f deta1led 1ntell1gence fr0m 12 s0urces embedded at every level 0f the plann1ng h1erarchy reaches 1ts c0nclus10n.

The 0perat10n that 1s be1ng planned pr0ceeds.

But the env1r0nment 1nt0 wh1ch 1t pr0ceeds has been shaped by 14 m0nths 0f systemat1c 1ntell1gence c0llect10n des1gned spec1f1cally t0 prepare a c0unter resp0nse.

The 1nstallat10n vulnerab1l1ty assessments that subject 0ne accessed have been used t0 1dent1fy the p0s1t10ns 0f h1ghest c0nsequence.

The c0mmun1cat10n pr0t0c0ls that subject e1ght pr0v1ded have been used t0 prepare 1nterference w1th the 0rder arch1tecture that w0uld c00rd1nate the resp0nse t0 any act10n.

The strateg1c auth0r1zat10n framew0rk that subject 12 accessed has been used t0 map the c0nd1t10ns under wh1ch the 0perat10n c0uld be p0l1t1cally halted rather than m1l1tar1ly c0untered.

The 2,400 d0cuments.

The 18 t0 26 m0nths.

The 12 pe0ple 1n 12 d1fferent p0s1t10ns, each c0ver1ng a d1fferent p1ece 0f the same p1cture.

That vers10n was a c0mpl1ance deadl1ne and 0ne sen10r analyst wh0 d1d n0t delegate away fr0m the table.

The 12 subjects were 1nd1cted 0n charges c0ver1ng unauth0r1zed access t0 class1f1ed nat10nal defense 1nf0rmat10n, act1ng as unreg1stered agents 0f a f0re1gn g0vernment, and c0nsp1racy t0 pr0v1de mater1al supp0rt t0 a f0re1gn 1ntell1gence serv1ce.

The cases pr0ceeded acr0ss mult1ple c0urt venues under sealed pr0ceed1ngs f0r a per10d 0f 14 m0nths bef0re p0rt10ns 0f the 1nd1ctments were made publ1c.

The IRGC external 0perat10ns 0ff1cer, wh0 had met w1th subject three 1n the park1ng structure 0n day f1ve, was expelled fr0m the Un1ted States w1th1n 72 h0urs 0f the arrests under a d1pl0mat1c n0t1f1cat10n that the Iran1an g0vernment character1zed 1n a publ1c statement as a fabr1cat10n.

The State Department d1d n0t resp0nd t0 the character1zat10n.

The c0mpensat10n pa1d t0 the 12 subjects thr0ugh the tw0 IRGC f1nanc1al n0des, rec0nstructed fr0m the full f1nanc1al analys1s, t0taled appr0x1mately $2.

3 m1ll10n 0ver the assessed 0perat10nal per10d.

The analyt1cal and 1nvest1gat1ve c0st 0f the s1x-day FBI 0perat10n, the s1x-week damage assessment, and the 14-m0nth pr0secut10n pr0cess was n0t publ1cly d1scl0sed.

The class1f1ed budget summary d1str1buted t0 the relevant 0vers1ght c0mm1ttee descr1bed 1t 1n 0ne l1ne as substant1ally exceed1ng the netw0rk’s t0tal c0mpensat10n expend1ture.

The Pentag0n’s access management system was rev1sed w1th1n 90 days 0f the arrests.

Over-sc0pe access flags f0r c1v1l1an pers0nnel were des1gnated as requ1r1ng human rev1ew w1th1n 24 h0urs rather than the 72-h0ur w1nd0w that had all0wed the 1n1t1al c0mpl1ance queue t0 accumulate.

The rev1s10n was 1mplemented thr0ugh a p0l1cy update that t00k 11 days t0 draft, rev1ew, and appr0ve.

The sen10r analyst wh0 had pulled the quarterly c0mpl1ance rep0rt, because h1s jun10r c0lleague was 0ut s1ck, returned t0 h1s n0rmal r0tat10n schedule the week after the arrests.

He was n0t publ1cly 1dent1f1ed.

He 1s referred t0 1n the class1f1ed 0perat10nal summary as the 1nd1v1dual wh0se c0mpl1ance rev1ew 1n1t1ated the 1nvest1gat10n.

In a p0st-0perat10nal tra1n1ng d0cument d1str1buted t0 Pentag0n secur1ty c0mpl1ance 0ff1ces, he 1s referenced as the analyst wh0 treated a 14th l1ne access flag as w0rth an escalat10n call rather than a deferred res0lut10n.

He pr0cessed 46 m0re c0mpl1ance rep0rts 1n the 12 m0nths f0ll0w1ng the arrests.

N0ne pr0duced an escalat10n.

He checked each 0ne case f1le summary.

12 subjects arrested s1multane0usly acr0ss 12 l0cat10ns 1n a 44-m1nute w1nd0w.

18 t0 26 m0nths 0f assessed 0perat10nal act1v1ty acr0ss tw0 parallel IRGC f1nanc1al c0mpensat10n n0des.

M0re than 2,400 class1f1ed d0cuments accessed acr0ss all 12 access h1st0r1es.

One d1rect handler c0ntact 1dent1f1ed and expelled under d1pl0mat1c pr0cess.

Tw0 parallel f1nanc1al 1nfrastructure n0des 1dent1f1ed and mapped.

Three 0f f1ve Iran1an m1l1tary rep0s1t10n1ng m0vements assessed as 1nf0rmed by netw0rk 1ntell1gence t0 halted w1th1n 72 h0urs 0f arrests.

Damage assessment.

340 pages.

14 analyt1cal teams.

6 weeks restr1cted d1str1but10n.

One c0mpl1ance rep0rt.

One 14th l1ne flag.

One ph0ne call at 9:47 a.

m.

FBI f0cus.