In the wake of the recent WannaCry ransomware attack, secretive hacking group The Shadow Brokers has revealed plans to release more stolen data through a subscription service. But who is behind this mysterious disruptive force? Foreign intelligence, anarchic hackers or someone inside the United States?

The Shadow Brokers first appeared in August 2016, announcing an auction to sell off a set of security exploits the group purportedly stole from the NSA. After the auction failed to reach the absurd asking price of one million bitcoins, the group publicly released four sets of exploits over the following months. One of those exploits contained the now infamous EternalBlue vulnerability that underpinned the recent WannaCry attack.

GET 30% OFF NEW ATLAS PLUS

Read the site and newsletter without ads. Use the coupon code EOFY before June 30 for 30% off the usual price.

BUY NOW

Since the WannaCry outbreak, the Shadow Brokers have been threatening to release more NSA hacking tools, and in early May the group published a blog post in broken English ominously announcing a bizarre subscription model offering members a monthly haul of data.

The group described it as a, "new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members."

In a follow-up post published more recently, the group explained the process in greater detail. Subscribers can pay 100 Zcash coins (equivalent to over US$20,000) to access the data dump, which will be revealed in the first two weeks of July.

Zcash is a relatively new cryptocurrency launched in October 2016. Purportedly more secure than Bitcoin, the Shadow Brokers' use of Zcash seems to be less about using a safer cryptocurrency and more about revealing to the public the US government's connection to its development.

The Shadow Brokers' blog post explicitly points out that the development of Zcash is allegedly linked to the Department of Defense, DARPA and Israel. It also claims the new cryptocurrency, which was recently accepted as a legitimate currency on iOS and Android platforms, could be a trojan horse with a cryptographic flaw monitored by the NSA or used by the government to send money to deep cover assets outside of banking systems.

This odd series of actions, which seem to be constantly iterating information with a strong anti-government bent, has caused many to question who The Shadows Brokers actually are, and whether their motives are simply mercenary.

Much speculation has floated around the possibility that the group could be a foreign nation state working to embarrass or disrupt the US government's cyber-spying efforts. A former NSA employee tells Ars Technica that they, "are foreign intelligence, and the continued requests for money are all geared towards plausible deniability that they are intel."

Edward Snowden tweeted suspicions that the group were Russian hackers back in August 2016, when the original auction was revealed. Over a series of 15 tweets he laid out a compelling case for the original NSA hacks coming from a foreign intelligence, in particular, Russia.

Security specialist Bruce Schneier also published a more recent, and exhaustive, investigation into the source of the mysterious hacking group. He concludes, quite reasonably, that while they are seemingly not just random hackers or cybercriminals, it also looks unlikely they are a cyber-intelligence sector of a nation state due to their erratic and anarchic activities.

Schneier suspects the source of the original NSA hacks that started all of this could be either an NSA contractor who was arrested in August 2016 for hoarding agency secrets, or a second NSA leaker that has not been revealed publicly. This leads Schneier to conclude that The Shadow Brokers may be more domestically grounded in the United States than many previously thought.

"I know that many people, both inside the government and out, think there is some sort of domestic involvement; things may be more complicated than I realize," Schneier writes.

To back up the theory of a domestic basis, The Shadow Brokers tweeted in early April, "9 months still living in homeland USA USA USA our country theshadowbrokers not run, theshadowbrokers stay and fight".

Be they foreign intelligence, anarchist hackers, or internal NSA whistleblowers, one thing is for sure: this is not the end of the story. The Shadow Brokers still claim to have valuable data to reveal, and while we cannot imagine this strange subscription data dump model working, it is surely making many security specialists and US government officials uncomfortable.

Source: The Shadow Brokers