In June, the mysterious group who for almost a year has been dumping hacking tools and exploits stolen from the NSA launched a subscription service that promised to provide new tools to subscribers every month.
The group, known as the Shadow Brokers, said this was like "wine of month club [sic]" but for router, browser, and Windows 10 exploits, among others. Since then, the subscription service has mostly been shrouded in mystery. Now, a security researcher has shed at least some light on it, claims to have identified several subscribers and estimating how much money the Shadow Brokers have made so far from the service.
Read more: Your Government's Hacking Tools Are Not Safe
"It looks like people are still paying them for NSA malware," the researcher, who goes by wh1sks, wrote in a recent blog post.
Wh1sks estimated that, between June and early August, the Shadow Brokers have made up to $88,000 in an alternative cryptocurrency called Monero. The group made 10.489 bitcoins (around $35,000) when they were accepting donations made with the more well-known cryptocurrency.
Moreover, Wh1sks was able to find out the email addresses of five people who have subscribed to the Shadow Brokers' monthly dump service. The researcher, who declined to reveal his real identity, was able to decode the Monero payment IDs, which contained the subscribers' emails. When the Shadow Brokers announced their service, they asked potential customers to include a delivery email address when subscribing.
None of the five subscribers immediately responded to Motherboard's requests for comment.
One of the subscribers came out publicly around a month ago. In a blog post, the subscriber, who called themselves fsyourmoms, complained about the quality of the exploit they received.
"TheShadowBrokers ripped me off," fsyourmoms wrote, complaining that he only received what looked like an old, low-quality tool. fsyourmoms did not respond to a request for comment.
Unless the other subscribers come out and reveal what tools, if any, they received, it's impossible to know what the Shadow Brokers have been sending around. When the group emerged last year, observers believed the tools in their initial dump were the best they had. But earlier this year, after they'd been active for months, the group dumped several highly valuable exploits for Windows systems which, at the time, put thousands of computers in danger. Some of those tools were then repurposed by unknown hackers to spread a destructive ransomware strain known as WannaCry.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.