In August, a group calling themselves The Shadow Brokers publicly released a cache of NSA hacking tools, and promised to sell more. After a failed crowd-funding and auction attempt, the group now appears to be offering a wealth of trojans, exploits, and implants directly to potential customers.
Since August, Motherboard has attempted to contact The Shadow Brokers through various different channels. On Thursday, the group replied.
"TheShadowBrokers no arrested," someone from the group wrote in an encrypted message.
In August, the US government charged Hal Martin, an NSA contractor who allegedly stole classified information from the agency, and who is the prime suspect behind The Shadow Brokers leaks, according to a Washington Post report.
Martin has been in detention since his arrest, but The Shadow Brokers have continued to post cryptographically signed messages. This latest communication is the strongest public evidence yet that The Shadow Brokers and Hal Martin, although possibly connected, are not necessarily one and the same.
On Wednesday, Motherboard reported that the group was apparently selling hacking tools from 1 to 100 bitcoins each ($780—$78,000). In their new message, The Shadow Brokers confirmed that the site did belong to the group.
"TheShadowBrokers is not being irresponsible criminals," the group told Motherboard. "TheShadowBrokers is opportunists. TheShadowBrokers is giving 'responsible parties' opportunity to making things right."
"They choosing no. Not very responsible parties!" they continued, not specifying who these responsible parties may be. "TheShadowBrokers is deserving reward for taking risks so ask for money. Risk is not being free. Behavior is obfuscation no deception."
The files the group dumped in August included exploits for hardware firewalls made by companies such as Cisco, Huawei, and Fortinet. Some hackers even went onto use the Cisco exploits in the wild. Another Shadow Brokers dump apparently included IP addresses and other information linked to the NSA.
According to a Reuters report from September, a leading theory for The Shadow Brokers leak is that an NSA hacker left the exploits on a remote server, which were then discovered by Russian hackers. Former NSA staffers previously told Motherboard they believed the leak could have originated from a rogue agency insider, with one claiming that this sort of material would only be available internally. The NSA did not immediately respond to a request for comment.
"TheShadowBrokers is not commenting on operation details, is bad opsec," the group told Motherboard.