Connect with us

Hi, what are you looking for?


Network Security

“Shadow Brokers” Put NSA Exploits Up for Direct Sale

After a failed attempt to sell stolen exploits from the National Security Agency at an auction just months ago, the hacker group calling itself Shadow Brokers has decided to sell them directly via a new website.

After a failed attempt to sell stolen exploits from the National Security Agency at an auction just months ago, the hacker group calling itself Shadow Brokers has decided to sell them directly via a new website.

In August, the group leaked 300 Mb of firewall exploits, implants and other tools allegedly stolen from the NSA-linked Equation Group, and decided to cash in on a second batch of files, which supposedly include exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools. They launched an all-pay auction that raised less than two Bitcoin, so they switched to crowdfunding in October.

The goal was to raise 10,000 Bitcoins (roughly $7.8 million) through crowdfunding, but the hacker group apparently decided to attempt a new approach: selling the stolen exploits directly for only 1,000 Bitcoins (~$780,000). This new attempt comes weeks after the group released a batch of files at the end of October, saying that the IPs mentioned in the files correspond to machines used by the Equation Group.

A possible connection between the Equation Group and the NSA was made in Feb. 2015, and the Shadow Brokers leak appeared to consolidate that assumption. The leaked files appeared to come from the NSA-linked actor and were said to target a large number of devices from popular brands such as Fortinet, TOPSEC, Cisco, Juniper Networks, WatchGuard, and others.

Now, the Shadow Brokers apparently took it to ZeroNet, a platform for hosting websites using blockchain and BitTorrent technology, to come up with a site on which to sell the stolen exploits. Interested parties can pay 1,000 Bitcoins for the entire batch of files, or can purchase individual exploits that are priced at between 1 and 100 Bitcoins each.

The group decided to sort the available files by type, including implant, Trojan, and exploit, and also provide visitors with a selection of screenshots and files related to each item. One of the files is signed with a PGP key featuring a fingerprint matching that of the original dump from August, Motherboard reported.

Information about the new site initially appeared in a Medium post that also explained how interested parties could make purchases. They need to email a Shadow Brokers member, who responds with a Bitcoin address. After payment is made, the seller sends a link to the desired file, along with the decryption password.

Advertisement. Scroll to continue reading.

After looking at the files that the Shadow Brokers group leaked in August, some vendors discovered exploits that were targeting their products, such as Juniper. Cisco identified an ASA software zero-day and started patching it only days later, but in September the company discovered yet another zero-day linked to the Shadow Brokers leak, and revealed that over 840,000 devices were affected by the issue.

Related: Industry Reactions to Shadow Brokers Leak: Feedback Friday

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...