by Nuno Menezes
On May 30, a group of cybersecurity researchers launched a crowdfunding campaign in the hopes of raising $25,000 with which they were planning to pay a hacker group called the Shadow Brokers for hacking tools that were supposedly taken from the NSA. The effort raised $3,906.62 in 36 hours. However, the campaign was canceled. The cybersecurity group later decided that buying these tools from a criminal organization could raise a lot of legal issues.
Before the group could go any further with this bid, lawyers and legal experts warned the organization that it would run into serious trouble by buying stolen hacks from a criminal organization linked with WannaCry, the latest cyber epidemic that affected millions of Windows users worldwide. The group then decided to cancel the crowdfunding campaign.
One of the campaign organizers, Matthew Hickey, a researcher from Hacker House, stated:
“It was just too risky, and the advice was: under no circumstances to proceed further with this.”
The campaign was supposed to raise enough money to buy June’s leaked hacking tools so that the group could research the exploits and find fixes for them.
The group thought the campaign could help them get to the exploits before the next WannaCry attack. However, paying for these tools could mean that all the researchers involved could sooner or later find themselves surrounded by a flood of legal issues.
The Shadow Brokers are the criminal organization behind stolen NSA tools which were used in the WannaCry attack earlier this month. This attack had a serious impact on millions of Windows users around the world.
In the week beginning May 22, the Shadow Brokers started moving the 10.5 bitcoin they gathered from their activities through a Bitcoin mixing service designed to hide the true recipient behind a wall of micro-transactions. Now, the organization is switching to Zcash, a similar cryptocurrency that offers complete anonymity. The new exploits the group is now selling have never been advertised or mentioned before, which is very concerning, according to the campaign organizers.
According to the Shadow Brokers themselves, all the tools which they initially announced have now been released. Last year, the Shadow Brokers announced their presence by releasing tens of exploits, proving they actually are in possession of NSA hacking tools.
The day before the campaign launched, the Shadow Brokers released instructions on how to buy more exploits. They also stated that if the exploits could not be sold, they would release them in June as part of their “Data Dump of the Month.” What is new in this request by the Shadow Brokers is that rather than bitcoin they are demanding 100 Zcash, which is currently worth around $25,000.
The Shadow Brokers also revealed that the exploits could hit Windows 10 machines, routers, phones and browsers, which constitutes a serious threat capable of affecting millions of users worldwide. Considering that WannaCry was capable of locking up machines in 150 countries, costing businesses, groups and individuals an estimated $4 billion in losses, many of the other new exploits which will soon be released can do even more damage. The Shadow Brokers stated in their release:
“Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing ‘the game’ is involving risks.”
All the researchers backing the campaign would have been able to get their hands on the purchased data and, after reviewing the exploits and creating fixes, would have shared the vulnerabilities with the companies affected by them. The idea of paying criminals to protect the public has sparked a debate among security experts, as people worry it would only encourage future threats.
In an email, Avast’s director of threat intelligence Michal Salat revealed:
“Security researchers wanting to get their hands on the exploits before cybercriminals sounds like a good thing. However, we have to consider that paying the Shadow Brokers for the exploits would almost be like rewarding them for their criminal activities and will encourage them to continue. The worst case situation is that these tools end up in the hands of criminals and are used to conduct further attacks.”
The bitcoins gathered through the campaign will be refunded, and any remaining donations will be sent to the Electronic Frontier Foundation. Now, the group of researchers fears that many of these exploits may end up in the wrong hands.