Newly Uncovered Site Suggests NSA Exploits for Direct Sale

Share this…

The Shadow Brokers—a hacker or group of hackers that stole computer exploits from the National Security Agency—has been quiet for some time. After their auction and crowd-funded approach for selling the exploits met a lukewarm reception, the group seemingly stopped posting new messages in October.

But a newly uncovered website, which includes a file apparently signed with The Shadow Brokers’ cryptographic key, suggests the group is trying to sell hacking tools directly to buyers one by one, and a cache of files appears to include more information on specific exploits.

On Wednesday, someone calling themselves Boceffus Cleetus published a Medium post called “Are the Shadow Brokers selling NSA tools on ZeroNet?” Cleetus, who has an American flag with swastikas as their profile picture, also tweeted the post from a Twitter account created this month.

“Well howdy partners! I don’t wanna be getting arrested for passing on fake news and all. I rekon [sic] I ain’t no security professional but I am whutcha might call a ZeroNet enthusiast,” Cleetus writes. ZeroNet is a platform for hosting websites using blockchain and BitTorrent technology.

“Those dastardly ole shadow brokers have themselves a zite on ZeroNet. Yep and fars as I can tell they appears to be sellin NSA tools individually now,” Cleetus continues.

Image: A screenshot from the site.

The site includes a long list of supposed items for sale, with names like ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. Each is sorted into a type, such as “implant,” “trojan,” and “exploit,” and comes with a price tag between 1 and 100 bitcoins ($780—$78,000). Customers can purchase the whole lot for 1000 bitcoins ($780,000).

The site also lets visitors download a selection of screenshots and files related to each item. Along with those is a file signed with a PGP key with an identical fingerprint to that linked to the original Shadow Brokers dump of exploits from August. This newly uncovered file was apparently signed on 1 September; a different date to any of The Shadow Brokers’ previously signed messages.

“If you like, you email TheShadowBrokers with name of Warez [the item] you want make purchase,” a message on the site reads. “TheShadowBrokers emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. Files as always being signed,” it adds.

The Shadow Brokers did not respond to a request to clarify that the site did indeed belong to them.

On August 29, the US government charged Hal Martin, an NSA contractor who allegedly stole classified information. According to a Washington Post report in October, Martin was the prime suspect behind The Shadow Brokers leaks. The group, however, continued to post cryptographically signed messages after Martin was detained.

Some previously released files included information apparently revealing what bodies and organizations had been targeted by the NSA, and other dumps contained fully working exploits against hardware firewalls, made by companies such as Cisco.