The group calling itself “The Shadow Brokers” has changed tactics and announced the launch of a crowdfunding campaign for the exploits allegedly stolen from the NSA-linked threat actor known as the Equation Group.
In mid-August, The Shadow Brokers leaked 300 Mb of firewall exploits, implants and tools, claiming that the files had been obtained from the Equation Group. The hackers launched an all-pay auction in hopes of making a serious profit for a second batch of files that allegedly includes exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools.
However, since the auction only raised less than two bitcoins, the group has decided to try a different approach: crowdfunding. They have insisted that their only goal is to get paid for the exploits.
“TheShadowBrokers is not being interested in fame. TheShadowBrokers is selling to be making money and you peoples is never hearing from TheShadowBrokers again!,” the group said. “TheShadowBrokers is being disappointed peoples no seeing novelty of auction solution. Auction is design for to make benefit TheShadowBrokers.”
The first statement published by the hackers led many to believe that they had been demanding one million bitcoins for the second batch of files, but the group later clarified that their demands were misunderstood.
They claimed the second batch was up for auction and that the one million bitcoins were actually related to a “consolation prize.” Since only the winner of the auction would get the files, the hackers were prepared to leak more information for free if they raised one million bitcoins.
“TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins),” the hackers said. “Sharing risk. Sharing reward. Everyone winning.”
Experts confirmed that the first files published by Shadow Brokers were genuine and Cisco even discovered zero-day exploits in the leak.
There are several theories on who is behind Shadow Brokers. Some believe it’s the work of the Russian government, while others suggested that it could be an NSA insider. Some speculated that the files might have been inadvertently exposed on a server, allowing anyone to grab them.