
'Shadow Brokers' Threaten to Dox Former NSA Hacker

The Shadow Brokers has sent out its first round of exploits and data as part of a recently announced monthly subscription service, and the group claims it has a significant number of subscribers.

The hackers, who claim to possess exploits and secret documents stolen from the U.S. National Security Agency (NSA), particularly the Equation Group actor linked to the agency, announced last month that anyone could obtain parts of the data for a monthly fee of 100 Zcash (ZEC), which at the time was worth roughly $20,000.

The group announced on Wednesday its data dump for the month of June and said that they had “many many subscribers.” As a result, individuals and organizations that want next month’s files will have to pay double – 200 ZEC or 1,000 XMR (Monero).

The Shadow Brokers also announced that following requests from several individuals, they have decided to launch a so-called “VIP Service.” Those who want the group’s attention – to learn if they have exploits for specific vulnerabilities or intel on a certain organization – have to make a one-time payment of 400 ZEC, which is currently worth roughly $130,000. The hackers claim someone has already signed up for the VIP service.

A significant part of the statement published on Wednesday by the Shadow Brokers is a message to an individual the hackers call “doctor.” This person, who they claim to have met on Twitter, sent the hackers some “ugly tweets” and later deleted them.

The hackers did some digging and they discovered that the “doctor” is a former member of the Equation Group and they believe he is responsible for building many tools and hacking organizations in China. They also claim that this individual is the co-founder of a new security company.

The Shadow Group told “doctor” that if he doesn’t sign up for their next monthly dump, they will dox him (i.e. expose his real identity).

“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ person's choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company,” the Shadow Brokers said.

While many of the exploits leaked in the past months by the Shadow Brokers had little value, the recent WannaCry ransomware attacks demonstrated that the group’s leaks can lead to significant damage. The hackers’ requests for money were largely ignored until the WannaCry outbreak, but these attacks have made many realize that the group’s exploits can be highly valuable.

Some members of the infosec community decided to launch a crowdfunding initiative to acquire Shadow Brokers exploits via the monthly dump service in an effort to help prevent a future WannaCry-like incident, but they ultimately decided to cancel the project due to legal concerns.

UPDATE. The "doctor" the Shadow Brokers are targeting appears to be the owner of the Twitter account @drwolfff. Before the hackers could leak the information they allegedly have on him, the owner of the account revealed himself to be Daniel R. Wolfford. He claims that he resides in the United Arab Emirates, has no connection to the Equation Group, and is not the co-founder of a cybersecurity startup.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.