In the long history of hacking, there have been numerous data breaches that, years or even decades later, remain unsolved. Countless hackers and hacking groups behind them have never been unmasked.
But prolific hacking groups do get caught. This is true whether they’re cybercriminals such as LAPSUS$, a notorious extortion gang that compromised companies such as Microsoft and Nvidia and that have had multiple members arrested, or sophisticated government hacking groups from Russia and China, whose members have been named, indicted, and placed on most-wanted lists.
Still, some of the most fascinating cases in cybersecurity history remain wide open — no culprits, no answers, and in some cases, not even a clear motive. We decided to revisit several of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.
The first installment centers on the Shadow Brokers — an enigmatic group that surfaced online, dumped a trove of hacking tools believed to belong to the NSA, and then vanished.
In the summer of 2016, in the midst of the Russian hacks related to the U.S. presidential elections, the group appeared on Twitter. They linked to a Pastebin post and @-mentioned several news outlets — a strange, ineffective strategy that meant most of those outlets likely never saw the tweets.
But if anyone had clicked on the link, they would have seen a document titled “Equation Group Cyber Weapons Auction — Invitation” — a reference to the shadowy hacking operation widely believed to be run by the NSA.
“!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies’ cyber weapons?” the hackers wrote, claiming to have hacked the Equation Group.
The document included links to download some hacking tools, as well as a link to download an encrypted file that interested buyers could decrypt by making a bid. “Auction files better than Stuxnet,” they wrote, referring to the famous malware used against Iranian nuclear facilities in a U.S.-Israeli cyberattack in 2007. They asked for at least 1 million Bitcoin.
The leak quickly attracted press coverage. Once security researchers analyzed the tools, they realized these were exceptionally sophisticated cyberweapons, very likely stolen from the NSA — a suspicion bolstered by the fact that some shared names with programs revealed by NSA whistleblower Edward Snowden.
The auction was likely a ruse, since the group eventually dumped many of the tools publicly months later. Much about the Shadow Brokers made little sense. Their broken English was almost comical, as if they were either trying too hard or deliberately signaling the artifice. Despite clearly seeking attention — and getting plenty of press coverage — the group only spoke to a journalist once, giving a brief interview to 404 Media’s Joseph Cox, then a reporter at VICE Motherboard.
Ten years later, we know literally nothing about who was behind the Shadow Brokers persona. Cox and I interviewed former NSA staffers at the time, who said an NSA insider or former insider could be involved. But nobody has ever been arrested and charged — extraordinary, given this was arguably one of the worst leaks of U.S. intelligence hacking tools ever.
One potential suspect was Harold T. Martin III, an NSA contractor arrested for stealing classified information from the agency. But the theory has a problem: While Martin was in custody, the Shadow Brokers remained active online. He has never been formally charged in connection with the leaks. The most widely credited theory is that the Shadow Brokers were created by a Russian government spy group as a propaganda tool.
The impact was massive. Among the tools released, the Shadow Brokers published EternalBlue — a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a hacked network, rapidly expand their access, and deploy self-propagating worms. (Zero-day vulnerabilities are flaws unknown to the software maker, meaning no patch yet exists.) North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later built it into NotPetya, which spiraled beyond its initial Ukrainian targets and caused an estimated $10 billion in damages globally. For businesses, the lesson was stark: Vulnerabilities hoarded by intelligence agencies don’t stay secret forever — and when they leak, the private sector pays the price.
The trove is still yielding discoveries. Among the leaked tools was one containing a list of project names — including one called Fast16, flagged only with the label “NOTHING TO SEE HERE — CARRY ON.” Last month, researchers announced they had located and examined it, finding malware dating to 2005, designed to tamper with software allegedly used by Iranian nuclear scientists.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.