Shadow Broking

Sustainable Business Plan?

The now infamous hacking group termed “The Shadow Brokers” recently announced that they will be selling exploits and other tools initially hacked from the NSA in the autumn of 2013. For the somewhat staggering sum of 20,000 USD a month you can subscribe and receive monthly released exploits as well as SWIFT network data and information concerning Russian, Chinese, and North Korean nuclear programs. The group would like the fee paid in Zcash, a cryptocurrency advertised as “permissionless cryptocurrency that can fully protect the privacy of transactions using zero-knowledge cryptography.” 100 Zcash is approximately 20,000 USD. The group who initially gained notoriety for the above-mentioned hack recently gained their name in headlines as the group that released the EternalBlue and DoublePulsar exploits that aided WannaCry in infecting a number of computers it did. They have threatened to release more in the month of June but this new subscription business model has got experts asking more questions than they have answers.

This is not the first time the group has looked to monetise their hacking skills. They initially attempted to auction of all the data to the highest bidder, for which it was proposed that the group expected to receive over 10,000 Bitcoin for the exploits. That did not materialize and then attempted a Kickstarter campaign to raise the funds they thought the information was worth. It is estimated that the group has earned only 10,5 Bitcoin, or roughly 24,000 USD, through the various fundraising methods. It is yet to be seen if the subscription model will be a success. The group itself has admitted that they looking at what they deem as “high rollers” to be their main customer base. Based on previous attempts to monetise their hacking ability, experts are not convinced this will meet with any more success.

Little is known about the group, many suspects to be a Russian group of hackers and whether they are linked to state actors or not. Although no consensus as to the group’s identity exists certain assumptions can be made based on the group’s history.

A Brief History

As was mentioned above the group began its rise to notoriety by accessing and stealing exploits, zero-day events, and other hacking tools from an NSA external staging server. The creators of the exploits are seen by many experts to be linked to the Equation Group, a group seen to have close ties with the NSA and other state actors. It seems to be one of the aims of “The Shadow Brokers” to be considered the equals of the Equation Group other than turning a profit.

shadow broking

Since the initial hack in 2013 “The Shadow Brokers” have released four groups of NSA files into the wild. The first was a set of exploits that targeted routers; the second were exploits which targeted mail servers; the third related to Windows exploits; finally the fourth was a directory associated with how an NSA analyst broke into the SWIFT banking network. When looking at the date stamps of the released information they all came from around 2013.

These dumps have occurred concurrently with efforts, although unsuccessful, to generate a profit from their attempts. This latest attempt can be seen as an extension of the group’s modus operandi in that it looks to turn its hacks into a business. While it seems that generating a profit is problematic they are making more headlines than what most multi-national corporations could only dream of.


Based on the numerous communications it is assumed that the group is Russian, or Eastern European, based on the grammatical errors and spelling conventions used by Slavic speakers speaking English. This, however, would not stand up in a court of law in proving identity. Could the group be hacktivists, whistle-blowers, or state actors?

The group is probably not hacktivists as they are primarily looking to generate a profit. This is not seen as an activity, that been hacking for profit, as what is normally done by either hacktivists or ethical hacking groups. As to whether the group was a whistle-blower is also in doubt such as Snowden or Manning. Looking to gain profit is also not the traditional purpose of the whistle-blower. There are a few other clues as to why the release is not related to whistle-blowing. The first being that the dump was not redacted in any form as would be done typically by a whistle-blower or in conjunction with a journalist in order to protect the whistle-blower. Also typically the information is published immediately once collected. Another thing to consider is that although the exploits stockpiled by the NSA are not as important as how they are used to the whistle-blower for ethical or even political considerations.

If assumed that the group is mere cyber criminals it does not explain why they would not use the exploits themselves to extort and steal money from unsuspecting victims. While if linked to a state actor, which can be assumed based on communications supporting and then decrying the current Trump administration while claiming to be an ally of both America and Russia, further confuses the matter. While journalists around the globe are making educated guesses or wild claims as to the group's identity nothing has been released that can conclusively point a finger in any direction.

Dump of the Month

While the next dump is expected to occur at the start of July, the group itself seems to hope that they can generate enough interest to attract financial backers with deep pockets. For the amount asked they seem to want State Agencies with their large budgetary requirements to take the bait. It still leaves the world guessing as to the content of the next dump and whether there will be another attack similar to WannaCry using newly dumped exploits.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal