3. Documented Case Studies

The following cases are drawn from DOJ press releases, criminal complaints, appellate records, regulatory findings, and court judgments. Each entry documents:

1. What happened
2. Signals present in retrospect
3. What was missed
4. What triggered detection
5. Key detection lesson

Secondary press sources are used only where primary documents are not publicly accessible.

Case Index

#	Actor	Organisation	Category	Detection Trigger
3.1	Chelsea Manning	US Army	Espionage / mass exfiltration	Human tip
3.2	Edward Snowden	NSA / Booz Allen Hamilton	Espionage / data exfiltration	Journalistic publication
3.3	Roger Duronio	UBS PaineWebber	Sabotage (logic bomb)	Destructive execution
3.4	Anthony Levandowski	Waymo → Uber	Departing employee / IP theft	Civil litigation discovery
3.5	Sudhish Kasaba Ramesh	Cisco Systems	Sabotage / post-termination	Service outage
3.6	Xiaoqing Zheng	GE Aviation	Espionage / IP theft	FBI counterintelligence referral
3.7	Andrew Skelton	Morrisons	Disgruntled / data exfiltration	Newspaper contact
3.8	Reyes Daniel Ruiz	Yahoo	Privilege abuse / misuse	Employer observation
3.9	Nickolas Sharp	Ubiquiti	Data theft / extortion	VPN failure / OPSEC error
3.10	Volodymyr Kvashuk	Microsoft	Financial fraud	Internal anomaly detection
3.11	[Employee]	Desjardins Group	Data exfiltration	Police notification
3.12	[Former employees]	Tesla	Departing employee / exfiltration	Newspaper contact
3.13	Abouammo / Alzabarah	Twitter	Insider espionage / state-sponsored	Management observation
3.14	Juliana Barile	NY Credit Union	Sabotage / post-termination	Data loss discovery

Pattern Summary

Of 14 cases, initial detection came from human observation, external notification, law enforcement referral, or operational failure in the large majority of cases. Internal technical monitoring was the primary trigger in at most 2–3 (Kvashuk, arguably Twitter/Alzabarah and Yahoo/Ruiz).

This is not a statistically representative sample — it is directionally consistent with CERT's 61%/22% finding across sectors.