Security pros cancel bid to buy Shadow Brokers’ exploits

A group that decided to crowdfund its effort to buy exploits before the next WannaCry attack has realized that the potential legal problems are too overwhelming.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
Polish zloty slides to three-month low, Poland

The Shadow Brokers are releasing June's batch of exploits for 100 ZCoin, which is worth more than $22,000, currently.


Cybersecurity experts wanted to buy the Shadow Brokers' exploits before it caused the next WannaCry, but legal complications got in the way.

A group of cybersecurity researchers launched on Wednesday a crowdfunding effort to raise the $25,000 being demanded by the Shadow Brokers, a hacker group. It raised $3,906.62 in 36 hours before the campaign was canceled. 

Lawyers and law enforcement experts warned the group that it was asking for trouble. The group decided to cancel the crowdfunding campaign after learning about the litany of legal problems it would run into by buying stolen hacks from a criminal organization.

"It was just too risky and the advice was: under no circumstances to proceed further with this," Matthew Hickey, a researcher from Hacker House who set up the campaign, said in a statement.

The Shadow Brokers are behind stolen National Security Agency tools used in the WannaCry attack that crippled Windows machines earlier this month.

On Tuesday, the Shadow Brokers provided instructions on how to buy more exploits and have threatened to release them in June as part of its "Data Dump of the Month," assuming they aren't sold. The group is demanding 100 Zcash, a form of cryptocurrency, that is currently worth $22,787 (£17688.29). 

Considering WannaCry, a form of ransomware that locked up machines in 150 countries, cost businesses, groups and individuals an estimated $4 billion in losses, the asking price may prove to be a bargain. The group said it has exploits that could hit Windows 10 machines, routers, phones and browsers. 

"Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments," the Shadow Brokers wrote in its instructions. "Playing 'the game' is involving risks.'"

The group wanted to raise enough money to buy June's leaked hacking tools, so they could research the exploits and find fixes for them.

"The thought of paying makes us very sad but so too did the countless calls of people affected" by the ransomware, the Shadow Brokers Response Team said. "If WannaCry could have been averted for a few measly cryptocurrency coins -- why wasn't it?"

Every person who backed the project would have be able to get their hands on the purchased data after the team has reviewed the exploits and shared the vulnerabilities with companies affected by it, they said.

Now the bitcoins paid to the campaign will be refunded. Any remaining donations will be sent to the Electronic Frontier Foundation, according to a statement.

"The worst case situation is that these tools end up in the hands of criminals and are used to conduct further attacks," the group said.

The idea of paying criminals to protect the public has sparked a debate among security experts, as people worry it would only encourage future threats.

"Security researchers wanting to get their hands on the exploits before cybercriminals sounds like a good thing," Michal Salat, Avast's director of threat intelligence said in an emailed statement. "However, we have to consider that paying the Shadow Brokers for the exploits would almost be like rewarding them for their criminal activities and will encourage them to continue."

First published May 31, 1:53 p.m. PT.
Update, June 1 at 7:30 a.m. PT: The group has canceled its fundraiser.

Logging Out: Welcome to the crossroads of online life and the afterlife.

Virtual reality 101: CNET tells you everything you need to know about VR.