Security Experts:

Connect with us

Hi, what are you looking for?



‘Shadow Brokers’ Threaten to Dox Former NSA Hacker

The Shadow Brokers has sent out its first round of exploits and data as part of a recently announced monthly subscription service, and the group claims it has a significant number of subscribers.

The Shadow Brokers has sent out its first round of exploits and data as part of a recently announced monthly subscription service, and the group claims it has a significant number of subscribers.

The hackers, who claim to possess exploits and secret documents stolen from the U.S. National Security Agency (NSA), particularly the Equation Group actor linked to the agency, announced last month that anyone could obtain parts of the data for a monthly fee of 100 Zcash (ZEC), which at the time was worth roughly $20,000.

The group announced on Wednesday its data dump for the month of June and said that they had “many many subscribers.” As a result, individuals and organizations that want next month’s files will have to pay double – 200 ZEC or 1,000 XMR (Monero).

The Shadow Brokers also announced that following requests from several individuals, they have decided to launch a so-called “VIP Service.” Those who want the group’s attention – to learn if they have exploits for specific vulnerabilities or intel on a certain organization – have to make a one-time payment of 400 ZEC, which is currently worth roughly 130,000. The hackers claim someone has already signed up for the VIP service.

A significant part of the statement published on Wednesday by the Shadow Brokers is a message to an individual the hackers call “doctor.” This person, who they claim to have met on Twitter, sent the hackers some “ugly tweets” and later deleted them.

The hackers did some digging and they discovered that the “doctor” is a former member of the Equation Group and they believe he is responsible for building many tools and hacking organizations in China. They also claim that this individual is the co-founder of a new security company.

The Shadow Group told “doctor” that if he doesn’t sign up for their next monthly dump, they will dox him (i.e. expose his real identity).

“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ person’s choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company,” the Shadow Brokers said.

While many of the exploits leaked in the past months by the Shadow Brokers had little value, the recent WannaCry ransomware attacks demonstrated that the group’s leaks can lead to significant damage. The hackers’ requests for money were largely ignored until the WannaCry outbreak, but these attacks have made many realize that the group’s exploits can be highly valuable.

Some members of the infosec community decided to launch a crowdfunding initiative to acquire Shadow Brokers exploits via the monthly dump service in an effort to help prevent a future WannaCry-like incident, but they ultimately decided to cancel the project due to legal concerns.

UPDATE. The “doctor” the Shadow Brokers are targeting appears to be the owner of the Twitter account @drwolfff. Before the hackers could leak the information they allegedly have on him, the owner of the account revealed himself to be Daniel R. Wolfford. He claims to reside in the United Arab Emirates, he has no connection to the Equation Group, and is not the co-founder of a cybersecurity startup.

Related: “Shadow Brokers” Data Obtained From Insider: Flashpoint

Related: Shadow Brokers Release More NSA Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.