Exclusive: CIA ‘Leaker’ Josh Schulte Posted Agency Code Online—And CIA Never Noticed
He’s been fingered as the man who gave away some of the CIA’s most important secrets. And for years, he was practically hiding in plain sight.
Joshua Adam Schulte, the former CIA worker suspected of passing the agency’s hacking secrets to WikiLeaks, previously posted the source code for an internal CIA tool to his account on the public code-sharing site GitHub, The Daily Beast has learned.
That potential red flag was apparently missed by the spy agency just months after Edward Snowden walked out of the National Security Agency with a thumb drive of secrets in 2013. A spokesman for the CIA declined to comment.
Schulte, 29, worked at the CIA from 2010 to 2016. He was raided by the FBI on March 23, 2017, roughly two weeks after Julian Assange began releasing 8,000 CIA files under the rubric “Vault 7.” The files had been copied from an internal agency wiki sometime in 2016, and contained documentation and some source code for the hacking tools used by the CIA’s intrusion teams when conducting foreign surveillance.
When FBI agents examined Schulte’s hard drive, they found only a single classified document, but allegedly turned up 10,000 images of child pornography. Today Schulte is being held in a federal holding facility in Manhattan on one count each of possessing, receiving, and transporting child porn. He has not been charged with the Vault 7 leak, but, in January the FBI was still investigating him as the suspect.
Until now it’s been unclear how the FBI became suspicious of Schulte in the first place. In a statement to The Washington Post, which broke the story of the arrest, Schulte said the bureau went after him because he’d reported managerial incompetence to the CIA’s inspector general and then left the agency in 2016. “Due to these unfortunate coincidences, the FBI ultimately made the snap judgment that I was guilty of the leaks and targeted me.”
Prosecutor Matthew Larouch said at a January court appearance that “the government immediately had enough evidence to establish that [Schulte] was a target of that investigation,” but didn’t elaborate on the evidence.
Schulte has hosted 11 of his own coding projects on GitHub over the years. In the fall of 2013, he uploaded a robust software development tool he’d developed called OSB Project Wizard, described this way: “Create all types of projects following OSB build guidelines.” The OSB abbreviation went unexplained.
The project didn’t draw much attention. Nobody “forked” the code to build off of it, and it earned no stars or follows. Then years later, the WikiLeaks Vault 7 release happened, and it included a brief description of a CIA project with the exact same name and purpose as Schulte’s code. It turns out OSB stands for the CIA’s “Operational Support Branch”—the elite coding unit that makes the CIA’s hacking tools.
There’s nothing clearly sensitive in the code itself, and neither it nor the Vault 7 page describing it bears a classification marking. But if the appearance of an internal CIA tool in a public GitHub account was overlooked in 2013, it would surely have gotten the FBI’s attention in 2017 as it looked for suspects in one of the largest CIA leaks in history.
Even on Reddit, amateur detectives were able to quickly connect the leak to Schulte’s Github repository by running a Google search on the CIA’s internal name for the leaked wiki—“confluence.devlan.net.” That address is all over the Vault 7 documents, which describe Devlan as the CIA code shop’s “Top Secret network, dirty environment where we do 90% of our work.” Prior to the leak, the string “confluence.devlan.net” was nowhere on the web except in the source code for Schulte’s OSB Project Wizard.
“References to the Confluence server on devlan.net, plus a public repo of the code for a private, if benign, project that was listed in the leak—that would absolutely arouse suspicion,” said Michael Borohovski, co-founder of Tinfoil Security and an intelligence-community veteran.
Borohovski added that it’s unclear whether Schulte developed the code in public and then brought it into the CIA, or did the reverse—taking it out of the agency’s network and into the outside world. But “it’s more likely that this was hosted internally and then later taken out.”
Either way, he suspects the action was not authorized by the agency. “The code, I mean, in and of itself doesn’t appear to be particularly interesting, to be honest,” he said. “But I’d be very surprised if the CIA decided ‘Hey, 2013 is a great time to release one of our programs.’”