In a message posted online early this morning, the Shadow Brokers — the cyber-espionage group believed to have stolen hacking tools from the NSA — announced new details about their upcoming “monthly dump service.”
The group previously teased the new monthly dump service in mid-May, four days after the WannaCry ransomware wreaked havoc across the world using two hacking tools the Shadow Brokers leaked online in mid-April.
Trying to capitalize on the hype around NSA hacking tools created by the WannaCry outbreak, the Shadow Brokers are making yet another attempt to commercialize and sell their exploits with this new monthly dump service. Previously, the group held a public auction, ran a crowdfunding campaign, and tried to sell individual exploits, all of which failed to attract the customers they hoped for.
Group claims to have browser and Windows 10 exploits
The group now wants people to pay a monthly fee for a small dump of exploits each month. In mid-May, the Shadow Brokers promised they’d leak the following types of tools and data:
⎆ router exploits
⎆ mobile handset exploits and tools
⎆ items from newer Ops Disks
⎆ exploits for Windows 10
⎆ compromised network data from more SWIFT providers and central banks
⎆ compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
The message the group posted today provides more details about how their monthly dump service would work:
#1 – Between 06/01/2017 and 06/30/2017 send 100 ZEC (Zcash) to this z_address:
#2 – Include a “delivery email address” in the “encrypted memo field” when sending Zcash payment
#3 – If #1 and #2 then a confirmation email will be sent to the “delivery email address” provided
#4 – Between 07/01/2017 and 07/17/2017 a “mass email” will be send to the “delivery email address” of all “confirmed subscribers” (#1, #2, #3)
#5 – The “mass email” will contain a link and a password for the June 2017 dump
The biggest change in the Shadow Brokers’ modus operandi is a switch from Bitcoin to Zcash, a cryptocurrency that is more private and almost impossible to track.
Earlier this week, the Shadow Brokers started moving the 10.5 Bitcoin (~ $24,000) they gained from their previous operations through a Bitcoin mixing service designed to hide the true recipient behind a wall of micro-transactions.
With Zcash, this wouldn’t be a problem, since this cryptocurrency hides the sender’s address, allowing money to move through the blockchain without the fear of having it tracked.
There’s no evidence the Shadow Brokers have new exploits
Despite announcing the move to a new cryptocurrency, the Shadow Brokers immediately blasted Zcash, saying the project has connections to the US government and Israeli intelligence.
According to some experts, this paranoid and nonsensical attack on Zcash, the lack of demo exploits, and the emptying of the main Bitcoin wallet are signs that the Shadow Brokers don’t have the exploits they claim to have, and that they’re only attempting a last cash grab.
“I think […] they don’t have much of value to showcase/publish anymore in terms of content,” Iliasse Sdiqui, cyber-analyst for the Delma Institute, told Bleeping Computer.
The expert believes that moving to Zcash and then spending half of their announcement criticizing the cryptocurrency they just switched to is a way to divert attention from the fact that they haven’t released any evidence they are in possession of new exploits.
“[The] Shadow Brokers are just shifting focus away from the dump itself,” said Sdiqui. “That’s why they would blast the currency, just to prolong the text and fill up the blanks.”
Group wants $22,000 per month from each subscriber
The price for subscribing to the Shadow Brokers’ monthly dump service is 100 Zcash, which is around $22,000 at today’s value. That’s a pretty high entry fee for a service with no evidence of having any palpable content.
Last year, when the Shadow Brokers announced their presence to the world, the group released tens of exploits to prove that they truly are in possession of NSA hacking tools. According to the Shadow Brokers themselves, all the tools which they initially announced have now been released.