In the long history of hacking, there have been numerous data breaches that, years or even decades later, remain unsolved. Countless hackers and the hacker groups behind them have never been exposed.
But productive hacking groups are caught. This is true whether it’s cybercriminals like LAPSUS$, a notorious extortion gang that breached companies like Microsoft and Nvidia and has had many members arrested, or sophisticated government hacking groups from Russia and China, whose members have been named, charged and placed on wanted lists.
Yet some of the most fascinating cases in cybersecurity history remain open — with no culprits, no answers, and in some cases, not even a clear motive. We decided to revisit many of them in a series of articles, starting with one of the strangest episodes in the history of information leaks.
The first installment focuses on the Shadow Brokers – a mysterious group that appeared on the Internet, dropped a trove of hacking tools believed to belong to the NSA, and then disappeared.
In the summer of 2016, amid Russian hacking related to the US presidential election, the group appeared on Twitter. They linked to a single Pastebin post and @-mentioned multiple news outlets — a strange, ineffective strategy that meant most of those outlets likely never saw the tweets.
But if someone clicked on the link, they would see a document titled “Equation Group Cyber Weapons Auction — Invitation” — a reference to the shadowy hacking operation widely believed to be run by the NSA.
“!!! Beware of Government Sponsors of Cyber War and those who profit from it !!!! How much are you paying for the enemies cyber weapons?” the hackers wrote, claiming to have hacked Equation Group.
The document included links to download some hacking tools, as well as a link to download an encrypted file that interested buyers could decrypt by making a bid. “Auction files are better than Stuxnet,” they wrote, referring to the famous malware used against Iran’s nuclear facilities in a 2007 US-Israel cyber attack. They asked for at least 1 million Bitcoins.
The leak quickly attracted press coverage. Once security researchers analyzed the tools, they realized they were highly sophisticated cyber weapons, likely stolen from the NSA – a suspicion reinforced by the fact that some shared names with programs revealed by NSA whistleblower Edward Snowden.
The auction was likely a ruse, as the group eventually dumped many of the tools publicly months later. A lot about Shadow Brokers didn’t make sense. Their broken English was almost comical, as if they were either trying too hard or signaling artificiality on purpose. Despite clearly clamoring for attention—and receiving plenty of press coverage—the team only spoke to a reporter once, giving a short interview to 404 Media’s Joseph Cox, then a reporter at VICE Motherboard.
Ten years later, we know literally nothing about who was behind the Shadow Brokers persona. Cox and I interviewed former NSA officials at the time, who said a current or former NSA insider could be involved. But no one has been arrested or charged – remarkable given that this was arguably one of the worst leaks of US intelligence hacking tools.
One possible suspect was Harold T. Martin III, an NSA contractor arrested for stealing classified information from the agency. But the theory has a problem: while Martin was in custody, the Shadow Brokers remained active online. He has never been formally charged in connection with the leaks. The most widely accepted theory is that the Shadow Brokers were created by a Russian government spy group as a propaganda tool.
The impact was huge. Among the tools released, the Shadow Brokers published EternalBlue — a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a compromised network, rapidly expand their access, and deploy self-propagating worms. (Zero-day vulnerabilities are flaws unknown to the software manufacturer, meaning there is no patch yet.) North Korean hackers used EternalBlue to release the WannaCry ransomware worm. Russian hackers later created NotPetya, which spread far beyond its original Ukrainian targets and caused $10 billion in damage worldwide. For businesses, the lesson was stark: vulnerabilities stockpiled by intelligence agencies don’t stay secret forever — and when they leak, the private sector pays the price.
The vault is still yielding discoveries. Among the leaked tools was one that contained a list of project names — including one called Fast16, which was tagged only with “NOTHING TO SEE HERE — CARRY OF.” Last month, researchers announced that they had located and examined it, finding malware dating back to 2005 designed to tamper with software allegedly used by Iranian nuclear scientists.
