
According to the Department of Justice, IT specialist Nathan Vilas Laatsch, who held a Top Secret security clearance working with the DIA’s Insider Threat Division, was arrested after an FBI sting operation revealed his attempts to provide classified information to what he believed was a foreign government official.
The Timeline of Events
The FBI initiated its operation in March 2025 after receiving a tip about an individual offering to share classified information. The FBI states that Laatsch had sent an email to an address associated with a foreign government that was friendly to the United States, offering to leak classified information to them. Attached to that email was a photo of Laatsch’s ID card, which he used to access his secure facility. The FBI says Laatsch wrote that he did not “agree or align with the values of this administration” and was therefore “willing to share classified information,” including “completed intelligence products, some unprocessed intelligence, and other assorted classified documentation.” The affidavit states Laatsch also requested that all future communication be conducted over an encrypted messaging app.
Court documents reveal that following his initial contact with an FBI agent posing as a foreign official, Laatsch copied and exfiltrated a variety of classified information out of his secure facility. Laatsch then attempted a dead drop of the information by depositing a thumb drive in a public park. The device contained multiple typed documents marked up to Secret and Top Secret levels, along with a message indicating he had included “a decent sample size” of classified information to “decently demonstrate the range of types of products” to which he had access.
The affidavit states that when the FBI agent confirmed receipt and expressed interest in additional information, Laatsch revealed his ultimate motivation: seeking “citizenship for your country” because he did not “expect things here to improve in the long term.” While open to other forms of compensation, he stated that he was not seeking “material compensation.”
Between May 15 and May 27, the FBI claims Laatsch continued his espionage activities, repeatedly transcribing classified information on a variety of “information products” while logged into his workstation. His arrest came on May 29, when he attempted to pass additional classified documents at another prearranged location.
Near-Miss at DIA
Laatsch’s arrest should send shockwaves through the intelligence community because of how confident he was in his success. An external FBI tip prevented what could have been a catastrophic breach.
Expert Knowledge Enabled Successful Exfiltration
Laatsch’s position gave him unique insights that he systematically exploited. According to the FBI affidavit, his duties included “enabling user activity monitoring on individuals with access to DIA systems, including individuals who are under investigation” and “assisting external partners, such as law enforcement, on the use of insider threat tools.” This expertise allowed him to operate with remarkable certainty. He gave his FBI handler “a significant amount of detail on the monitoring and audit capabilities of the DIA and other U.S. Government agencies, including the use of specific programs and how those programs work.” Over three days in late April 2025, Laatsch confidently accessed classified information on a broad variety of subjects and classification levels without triggering alerts, and departed his secure facility multiple times with that information. When Laatsch told the agent that the government’s insider threat detection systems “should not be too difficult for me to avoid,” this was an accurate assessment from someone who understood the system’s blind spots.
What Insider Threat Strategies Did Laatsch Know The Government Was Blind To?
What makes this case particularly notable from a security perspective is how Laatsch, as an expert in the insider threat detection systems the government uses, allegedly chose to exfiltrate the data. Court documents reveal that Laatsch deliberately relied on analog methods that did not interact with the network monitoring and digital loss prevention system tools on his government systems. Laatsch would hand-transcribe the classified information products that he claimed weren’t “difficult to copy fully.” However, Laatsch apparently grew quickly tired of the task. After the first round of exfiltration, Laatsch allegedly told the agent, “As anticipated, the process of manually copying by hand will be time-intensive. Many of the provided products took around 40-60 minutes to fully complete, and often two full pages of notebook paper per-product. I did not choose products which were significantly longer.” Had this operation continued longer, or had Laatsch been asked to steal documents that aren’t easy to transcribe by hand like maps, blueprints, or manuals, it seems likely Laatsch would have used the methods that so many other government insider threat cases rely on: taking pictures of the information with a personal smartphone.
A Pattern of Evolving Mobile Device Insider Threats
Laatsch’s case has striking similarities to that of Natalie Mayflower-Sours Edwards, a FinCEN official who used her personal mobile device to record and transmit swaths of confidential financial information on Trump administration associates to a journalist during Trump’s first administration. However, these targeted unauthorized disclosures seem to have accelerated during the second Trump administration. DNI Gabbard’s Director’s Initiative Group (DIG), which was tasked with preventing politicized leaks from within the Intelligence Community, announced it had already been investigating 15 intelligence officials for unauthorized disclosures within the first few months of Trump’s administration. In addition, a troubling number of high-profile cases have plagued government agencies in recent months, in which individuals have allegedly used personal mobile phones to steal government information for sale to China:
- Korbein Schultz (sentenced April 2025): The former Army intelligence analyst used his smartphone to download and transmit 92 sensitive military documents to Chinese contacts, receiving $42,000 in bribes. Attorney General Pamela Bondi emphasized that Schultz “swore an oath to defend the United States — instead, he betrayed it for a payout and put America’s military and service members at risk.”
- Jian Zhao (indicted March 2025): The Army Sergeant allegedly photographed classified military documents using his smartphone and transmitted sensitive data to unauthorized contacts overseas, using encrypted messaging platforms to share sensitive national defense information.
- Michael Schena (charged March 2025): The State Department desk officer allegedly photographed classified documents with a covert iPhone registered to a foreign number, accessing at least five SECRET-marked documents relating to U.S. diplomatic relationships.
The Wireless Dimension of Modern Espionage
What connects these cases—and what makes Laatsch’s analog approach particularly instructive—is how insiders are adapting their methods to evade detection. Laatsch was apparently confident that the government’s insider threat detection systems wouldn’t flag a malicious actor for accessing data on a workstation. The hard part was supposed to be getting the information in front of you, but maybe Laatsch inadvertently revealed to millions of people that getting it in front of you isn’t hard at all. Once it’s there, it’s easy to steal it with a pen, or a phone camera—something that doesn’t interact with the cybersecurity tools monitoring government systems. This is a serious security concern for the government. Millions of people have the same access to classified systems that Laatsch did. Had someone tried to do this with a cellphone instead, they could have stolen orders of magnitude more information than what Laatsch is alleged to have done—and they also likely would not have been detected. Following the Jack Teixeira leaks, the 2023 SecDef Memo now requires SCIFs and SAPFs to “implement continuous monitoring of the entire wireless environment to detect and mitigate wireless and personal device insider threats before they compromise sensitive information.” Yet, despite the rules being in place, it is estimated that fewer than 15% of secure government facilities have implemented wireless intrusion detection systems to prevent unauthorized cellphones from entering restricted areas. Until the government rolls out stronger detection tools to prevent cellphones from entering secure facilities, these cases of mass data exfiltration that we’ve seen in recent months will likely continue indefinitely.
Why Comprehensive Wireless Airspace Defense Matters
The Laatsch case demonstrates why organizations handling classified information need multi-layered security approaches that include wireless airspace defense:
- Detection of Unauthorized Devices: Comprehensive RF monitoring would detect any unauthorized smartphones, recording devices, or transmission equipment that other insiders might employ.
- Pattern Recognition: Advanced wireless monitoring systems can identify unusual device behavior patterns, such as smartphones appearing in restricted areas or devices attempting to connect to unauthorized networks.
- Closing the Physical-Digital Gap: As seen in the Korbein Schultz case, insiders often exploit “the gap between physical security controls and digital security monitoring by photographing confidential information and wirelessly transmitting it.”
- Real-Time Response: Unlike Laatsch’s multi-day transcription activities, wireless-enabled exfiltration can happen in seconds. Real-time wireless monitoring provides immediate alerts when suspicious activity occurs.
Organizations must recognize that securing classified information requires:
- Real-time detection of unauthorized wireless devices
- Integration of physical and digital security measures
- Behavioral analytics to identify suspicious patterns
- Comprehensive visibility into the wireless airspace
As Sue J. Bai, head of the Justice Department’s National Security Division, and other officials work to prosecute these cases, the security community must evolve its defenses to match the creativity and determination of insider threats.
Note: A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.