
Title Story: Twenty-five years after catching Robert Hanssen, I revisit the undercover operation that changed my life—and the enduring lesson about betrayal hiding in plain sight.

Cybersecurity Tip of the Week: The real danger isn’t always the hacker outside your network, but the trusted insider inside it—and without visibility, you’ll never see the wolf coming. I interview David Balcar, cybersecurity threat hunter, on catching the trusted insider.

AI Trend of the Week: An AI-powered teddy bear goes off-script, reminding parents that when you put a large language model in the nursery, you’re inviting unpredictability to bedtime.

Appearance of the Week: On Fox & Friends, I break down how the FBI uses technology and behavioral clues to track down suspects in high-stakes investigations.

Title Story

Robert Hanssen: 25 Years After Catching a Spy

February 18 marked the 25th anniversary of the FBI’s arrest of Robert Philip Hanssen, the most damaging spy in American history and our first cyber spy. On this quarter-century anniversary, I look back at how that impossible, improbable and incredible operation left an indelible mark on me.

Twenty-five years ago, I went undercover to help catch the most damaging spy in American history. Twenty-five years later, part of me is still inside room 9930 where it happened.

Hanssen’s Office in FBIHQ Room 9930

My Office in FBIHQ Room 9930

On February 18, 2001, FBI agents arrested Robert Philip Hanssen outside Foxstone Park in Vienna, Virginia, moments after he completed his final dead drop for Russian intelligence. For twenty-two years, through the collapse of the Soviet Union and the rise of the Russian Federation, Hanssen betrayed the United States while serving as one of the FBI’s top counterintelligence experts on Russia. When confronted, he reportedly smirked and asked, “What took you so long?”

Arrest from Breach. Chris Cooper as Hanssen being arrested by Dennis Haysbert playing the SAC.

Arrest of Robert Hanssen in Vienna, Virginia, Feb 18, 2001.

I wasn’t at the arrest. I was still undercover inside FBI Headquarters.

For months, I had worked beside him in a secure compartmented room—Room 9930—studying his routines, absorbing his moods, cataloging his habits. He called me a clerk. He mocked me. He clicked his pen relentlessly while dissecting the Bureau’s security weaknesses with unnerving precision. He had no idea I was quietly extracting evidence from his PalmPilot—evidence that would become the smoking gun in one of the most consequential espionage cases in American history.

Hanssen’s Palm Pilot.

Screenshot from CCTV footage of Robert Hanssen shooting in FBIHQ while I stole his Palm Pilot, 3 days prior to his arrest.

When the call finally came that he had made the drop using secrets uncovered during my investigation, my assignment ended. My life did not.

Undercover work does not conclude cleanly. It lingers. The room lingers. The tension lingers. The improvisation required to survive proximity to a traitor lingers. Hanssen was brilliant—searingly intelligent, analytically ruthless, and often correct about the vulnerabilities he exposed. From him I took a lesson I still teach today: the spy is always in the worst possible place. The threat hides where trust is assumed, credentials are respected, and routine dulls suspicion.

What Hanssen never realized was that he himself was standing in that place.

The investigation reshaped everything that followed. I left the Bureau, earned a law degree, and built a career in national security and competitive intelligence. I helped organizations confront insider threats and systemic risk. Hollywood adapted the story into the film Breach. I wrote Gray Day to tell the true account of the operation. Years later, I returned to the broader lesson in Spies, Lies & Cybercrime, exploring how espionage has evolved from chalk marks and dead drops into cyber intrusions and digital deception.

Gray Day (Crown 2019)

Spies & Lies (Harper Collins 2025)

The mission expanded. The theme remained the same.

Catching Hanssen did not end betrayal. It illuminated it. It revealed how ego, ideology, grievance, and opportunity intersect inside institutions that believe themselves secure. It demonstrated how long deception can survive when the deceiver understands the system better than the system understands itself.

When Hanssen died in federal prison in 2023, there was no celebration. Only reflection. The case left scars as well as purpose. It forged a career devoted to exposing hidden risk and helping others see what hides in plain sight. It also left a paradox: a man who inflicted immense damage on his country shaped the trajectory of my life.

Hanssen’s mugshot.

Hanssen in SuperMax prison, Florence, Colorado.

Twenty-five years later, I do not mark the anniversary to honor Robert Hanssen. I mark it to honor the lesson.

The greatest threats rarely announce themselves. They sit in the worst possible place—until someone is willing to look.

Cybersecurity Tip of the Week

Twenty-Five Years After Robert Hanssen’s Arrest, Hunting a Wolf in Sheep’s Clothing Is About Complacency

Robert Hanssen was not caught because he slipped. He was caught because we finally looked in the right place.

For years, the FBI believed the mole was inside the CIA. That theory guided the hunt. Meanwhile, Hanssen walked the halls of FBI headquarters with rank, credentials, and institutional trust. He reviewed classified intelligence, mapped vulnerabilities, and quietly handed American secrets to Moscow for more than two decades.

Hanssen survived because no one audited him with intent. No one correlated his access with his behavior. No one studied how often he queried systems outside his lane. We were looking outward. He was operating inward.

Then we got a break.

After the Soviet Union collapsed, a former KGB officer stole a slim file of secrets and held onto it for leverage. Years later, he sold it to the United States. Inside were clues that pointed not to Langley, but to the Hoover Building. My assignment was to go undercover, determine whether Hanssen was the spy described in that file, and, if so, stop him.

One of the most chilling things Hanssen told me was how he “cleaned” himself.

He would type his own name and home address into the FBI’s Automated Case System, a top-secret investigative database, to see whether anyone had opened a file on him. One day, he explained it almost like a tutorial. If someone wanted to spy, this is how you make sure you’re not under investigation.

A spy searching his own name inside the Bureau’s system.

On the twenty-fifth anniversary of Hanssen’s arrest, I spoke with David Balcar, a Security Strategist, cyber profiler and threat hunter (and professional race car driver) at NeXasure AI who has spent more than two decades hunting trusted insiders in the private sector. I asked whether organizations today are better at spotting the wolf inside the building.

Balcar doesn’t romanticize the threat.

“A trusted insider is basically that wolf in sheep’s clothing at your office party — someone with legitimate access to sensitive information, like an employee or contractor, who decides to misuse it for personal gain, revenge, or just because they can. Think of them as the ultimate plot twist in a corporate thriller.”

Hanssen didn’t break in. He logged in.

Balcar learned by studying breach after breach. The skills required, he says, include understanding your adversary, a dash of psychology to spot human quirks, technical savvy for monitoring tools, and patience. “Bonus: a healthy paranoia helps. Thinking outside the box and understanding what data is worth and how to find it in an environment. A lot of times the organizations I help don’t really know what could be valuable to someone. It’s not always the trade secrets.”

Hanssen understood value. He stole insight: names of sources, operational methods, structural weaknesses.

What does betrayal look like before it explodes?

“The classics,” Balcar says. “Sudden spikes in data downloads at odd hours — 3 a.m. file fiestas. Unexplained wealth. Or grumbling on social media about the boss. Companies brush it off as stress or an IT glitch because admitting betrayal feels like admitting they hired a lemon. Also, asking for more access than needed.”

Hanssen searched outside his operational lane. He accumulated access. He exploited blind spots created by the assumption that the threat was external.

How do insiders justify betrayal?

“Many spin a mental yarn,” Balcar says. “‘I’m exposing flaws.’ ‘They owe me.’ Betraying for the greater good or masking greed as necessity. Digitally, I look for encrypted chats, anonymous browsing spikes, or online rants that turn frustration into espionage. It’s not just employees. Contractors, cleaning crews, temp staff. Sometimes it’s money. Often it’s excitement. And remember, insiders can be planted by competitors seeking insight.”

Excitement. Ego. Rationalization. Hanssen carried all three.

Balcar’s prescription is blunt: “Number one is visibility. Most organizations don’t have visibility into the data they have, much less what’s happening to it.”

Visibility is what the FBI lacked. Not intelligence or commitment.

If someone had audited the Automated Case System with discipline — if someone had questioned those self-searches — the case might have ended years earlier. Instead, it ended because a Russian source needed cash and handed us a thread. We pulled it. I went undercover. And we proved it.
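The audit described above comes down to a few rules run over a query log: did the requester search for their own name or address, did they search outside their assigned lane, and did they do it at odd hours. The sketch below is an added example, not FBI or Automated Case System code; the log schema, user names, lanes and rule names are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime

# Constructed directory (hypothetical): each user's own identifiers and assigned lanes.
DIRECTORY = {
    "rsmith": {"identifiers": ["Robin Smith", "41 Maple Court"], "lanes": {"CI-EAST"}},
    "jlee": {"identifiers": ["Jordan Lee", "9 Birch Road"], "lanes": {"FRAUD"}},
}

# Constructed audit log (hypothetical schema): time, requester, lane of records searched, query.
AUDIT_LOG = """ts,user,lane,query
2024-03-04T10:14:00,rsmith,CI-EAST,courier meeting schedule
2024-03-04T10:20:00,rsmith,CI-EAST,"smith, robin"
2024-03-05T03:05:00,rsmith,ORG-CRIME,41 maple court
2024-03-05T11:30:00,jlee,FRAUD,wire transfer robin smith
2024-03-05T12:00:00,temp01,FRAUD,case index
"""

def tokens(text):
    """Lowercase word tokens, so 'Smith, Robin' still matches 'Robin Smith'."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def audit(log_text, directory):
    """Return (ts, user, reasons) for every query that trips at least one rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        profile = directory.get(row["user"])
        if profile is None:  # account with no directory entry: nothing to compare against
            findings.append((row["ts"], row["user"], ["UNKNOWN_USER"]))
            continue
        reasons, query = [], tokens(row["query"])
        # Self-search: all tokens of one of the requester's own identifiers are in the query.
        if any(tokens(ident) <= query for ident in profile["identifiers"]):
            reasons.append("SELF_SEARCH")
        # Out of lane: the records searched belong to a lane the requester is not assigned to.
        if row["lane"] not in profile["lanes"]:
            reasons.append("OUT_OF_LANE")
        # Odd hours: query issued between midnight and 05:00.
        if datetime.fromisoformat(row["ts"]).hour < 5:
            reasons.append("ODD_HOURS")
        if reasons:
            findings.append((row["ts"], row["user"], reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(AUDIT_LOG, DIRECTORY):
        print(finding)
```

The rule keys on who is asking, not on the name itself: the fourth row searches for "robin smith" but comes from a different user, so it is not flagged.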

Before we finished, I asked whether entrepreneurs and individuals should care about insider risk.

“There’s huge risk when you’re building something and wearing 50 different hats,” Balcar said. “Not enough checks to see what others are doing.”

The wolf does not always wear a badge. Sometimes it has administrator credentials. Sometimes it is the contractor you trust most. Sometimes it is the person who has always belonged.

Twenty-five years later, the lesson of Hanssen is less about Cold War tradecraft and more about complacency.

The trusted insider survives where no one thinks to look.

Are you PROTECTED?

My new hub, PROTECT, is now live at ericoneill.net/protect and it’s built for anyone who wants to stop cybercriminal scammers cold. And it’s FREE!

If you want the full battle manual, that’s in Spies, Lies and Cybercrime. If you want to start protecting yourself right now? Begin here

Praemonitus Praemunitus!

AI Trend of the Week

The Teddy Bear That Went Dark

So you buy your child a cutting-edge teddy bear. Soft fur. Friendly eyes. Wi-Fi enabled. The modern Teddy Ruxpin. It answers questions, tells stories, maybe even helps with homework. You imagine bedtime conversations about dinosaurs and dreams. Instead, one night from the hallway you hear it calmly discussing knives. Then matches. Then sex. Maybe even pills. Suddenly your child’s plush companion sounds less like Winnie the Pooh and more like Ted after three whiskeys and a philosophy degree.

Consumer testers say that’s exactly what happened with an AI-enabled toy bear named Kumma. Marketed as an interactive companion, it reportedly veered into conversations no stuffed animal should be having—offering inconsistent answers about dangerous objects and wandering into adult territory without warning. Other AI toys tested showed stronger guardrails. This one didn’t. The lesson? When you put a large language model inside a teddy bear, you’re not just buying a toy. You’re installing a probabilistic parrot in your child’s bedroom—and sometimes the parrot goes feral.

Get the Book: Spies, Lies, and Cybercrime

If you haven’t already, please buy SPIES, LIES, AND CYBERCRIME. If you already have, thank you, and please consider gifting some to friends and colleagues. It’s the perfect gift for tech enthusiasts, entrepreneurs, elders, teenagers, and everyone in between.

📖 Support my local bookstore. Get a signed copy.

Please leave a 5-star review on Amazon or on Goodreads.

🎤 I’m on the road doing speaking events. If your company or organization is interested in bringing me to a stage in 2026, book me to speak at your next event.

If you’ve ever paused at an email, login alert, or message and thought, “Could this happen to me?”—my LinkedIn Learning course is for you! Log in and start learning here.

Appearance of the Week

I joined Brian Kilmeade on Fox & Friends to discuss how the FBI uses technology to identify and track suspects in the Nancy Guthrie kidnapping case. Investigators have used video recovered from the home to identify the model of backpack the perpetrator was wearing. I explain the steps the FBI will take to narrow the search.
