The Shadow Brokers went dark, the NSA weakened and exposed in the cyber war


On January 12th, the Shadow Brokers announced they are ‘going dark’ by leaving a farewell: “So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and b*******, not many bitcoins. … Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and b******* political talk was being for marketing attention. There being no bitcoins in free dumps and giveaways. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers.”


The message continues, “But TheShadowBrokers is leaving door open. You having TheShadowBrokers public bitcoin address ….. TheShadowBrokers offer is still being good, no expiration. If TheShadowBrokers receiving 10,000 btc in bitcoin address then coming out of hiding and dumping password for Linux + Windows.”

The Shadow Brokers offered up for bid a batch of exploits and hacking tools supposedly stolen from and used by the NSA on August 15th of 2016. A sample of the tools and exploits was openly posted while an encrypted dump supposedly contained the full set of tools and exploits. As of October 1st 2016 there were only bids totaling little over 1.7 BTC ($1,082 at the time), not even close to their asking price of 1 million BTC ($500 million at the time).

The Shadow Brokers abandoned their efforts to auction and started a crowdfunding campaign to raise 10,000 BTC ($6.38 million) with the promise to publish the password to decrypt the full dump once the sum raised. Although the crowdfunding seemed more reasonable, they gathered little over 2 BTC.

[You might also like: 5 ways hackers market their products and services]

On December 14th The Shadow Brokers put up the tools, exploits and implants for direct sale on ZeroNet. ZeroNet is a platform for hosting websites using blockchain and BitTorrent technology. Individual tools were on offer for prices ranging from 1 to 100 BTC as well as the whole archive for 1,000 BTC ($780,000 at the time).

Eventually, on January 12th, after nearly five months of campaigning and price drops from 1 million to as low as 1,000 BTC, The Shadow Brokers threw in the towel and announced their retirement from the dark scene… albeit not without leaving the (back)door open.

Computer keyboard overlaid with blue lighting and shadows

What conclusions can be drawn from this small piece of cyber-crime history?

  1. The economics of the dark markets is mainly based on un-exclusive, common, and inexpensive tools for opportunistic cyber criminals

The failed attempts at selling premium grade cyber warfare tools for excessive prices shows that there is no place for it on the ‘open’ black market. The economics of the dark markets is mainly based on un-exclusive, common, and inexpensive tools for the lower-profile cyber criminals that are looking for low-hanging fruit and are looking to make a quick buck. The more sophisticated, higher-profile hackers prefer to roll their own toolset and thrive on their own research to produce exclusive and untraceable exploits. In contrast with their opportunistic counterparts, they are patient, to the point they can stay covert for years, running hidden tools and maintaining inactive zombies, timing their actions well before making their ‘coup de grace’. The ‘Methbot’ ad fraud campaign that allegedly set back online advertisers up to $5 million a day adequately serves as an example.

  1. State actors are not interested in secondhand exploits and implants

Another conclusion, in my opinion, is that state actors are not interested in a handed down kit. We do know that they are prepared to pay top dollar for exclusive access to zero days and undisclosed exploits or implants, but not for tools that others also might have access to. It would be naïve of them to think that the NSA would not have secured, or has honeypots deployed, to protect itself and track down any attempts based on their own exposed tools by now.

  1. The Shadow Brokers might be operated by the NSA

Who says the NSA was not implicated in a larger plot? Maybe they are or they impersonated The Shadow Brokers, willfully exposing their old and deprecated tools for enemy state actors to get their hands on it. Once used against them by the enemy, the enemy would be identified, and exposed to counter attacks. Potentially, as some tools in the pricelist were categorized as ‘unknown’, the toolset could include a Trojan horse, unique fingerprints or some clever trackers which would allow the NSA to identify, track, correlate and increase intelligence on their enemy state actors.

What are the implications on the threat and cyber war landscapes?

  1. Expect a sudden and short rise in opportunistic campaigns based on the freebies left by The Shadow Brokers

Based on the first conclusion, it is not improbable that the freebie tools left as samples by The Shadow Brokers on their ZeroNet site will be picked up by opportunistic cyber criminals in campaigns to extort victims, gaining them access to easy money. More than half of the tools are already known and detected by most anti-malwares, and it is only a matter of time before security analysts have closed the gap and provide protection against the full threat archive. If there is something to expect from this, it might be a sudden and short rise in opportunistic campaigns. Enterprises should expect this and preferably already start to take measures to prevent them: update all systems, update IDP signatures and contact vendors for quick mitigation or measures specific to this threat package.

  1. The NSA lost its offensive arsenal and are left weakened and exposed to enemy state actors in the cyber war

If the NSA was not planning on this, they will have suffered a serious blow as their tools have been exposed now and they cannot be sure that they were not sold below the radar or given to or stolen from The Shadow Broker by enemy state actors. Consequently, they pretty much lost their offensive cyber arsenal and it will take them months, if not years, to get back to the same level of threat and offense. Without a good offense, they are weakened and exposed to enemy state actors that might embrace this opportunity to launch campaigns against the U.S.


Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.

Download Now

Previous articleThe DDoS Threat for Enterprises: Why Managed Security Matters
Next articlePopcorn Time…the First Malware Requiring a Moral Compass
As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal got skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and lead security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.


Please enter your comment!
Please enter your name here