Cryptocurrency Transactions May Uncover Sales of Shadow Broker Hacking Tools
In 2016, a group of self-described hackers started releasing a steady stream of code stolen from the NSA. As well as dumping some hacking tools publicly, such as exploits that were later incorporated into the crippling WannaCry ransomware attack, the so-called Shadow Brokers also listed more tools on a dedicated online shop and offered a “monthly dump service” for access to additional code. A team of University College London (UCL) researchers recently found likely evidence of payments for those alleged exploits by examining transactions in Zcash, a privacy-focused cryptocurrency that the Shadow Brokers asked potential customers to use, and traced the movement of some of the coins to a specific cryptocurrency exchange.
The paper was published to the arXiv preprint server in May and presented this week at the first Zcash conference in Montreal. It highlights not only techniques that could help identify the activity of Zcash users, but also how investigators may be able to follow a trail related to the Shadow Brokers, and find who potentially bought NSA tools.