In 2016 the hacker group Shadow Brokers publicly released exploits belonging to the US National Security Agency (NSA). These exploits were later used in the large-scale WannaCry and Petya attacks. Shadow Brokers also sold additional exploits and tools online through a “monthly dump service”.

Recently a group of researchers from University College London (UCL) found possible evidence of payment for these exploits by examining transactions in Zcash, one of the cryptocurrencies with enhanced anonymity, which Shadow Brokers had adopted. Moreover, the specialists were able to trace the path of the Zcash to cryptocurrency exchanges.

The paper was published on arXiv in May and presented this week at the first Zcash conference in Montreal. It highlights methods that can identify Zcash user activity, and also how investigators could track down those who may have bought the NSA tools.

Last summer Shadow Brokers spent several months selling these exploits for 100 ZEC ($15,900 today and about $22,800 at the time of the sale). The researchers singled out a number of transactions for the same amount that Shadow Brokers was asking at the time. Sarah Meiklejohn, a member of the UCL research team, gave Motherboard the following comment:

“The idea is that, based on the time and volume of transactions (and other metadata), we received information that someone was sending money to the Shadow Brokers hackers.” In particular, the researchers identified one transaction in June for 100 ZEC, one in July for 200 ZEC and one in August for 500 ZEC, which corresponds exactly to Shadow Brokers' prices. The money belonged to a new user, and most of it came directly from Bitfinex.

Based on this information, investigators could ask Bitfinex for information about the owner of the account. Of course, this does not answer the question of who is behind Shadow Brokers, but it will help find out who tried to purchase the exploits.

Carol Cratty of the press office of the Federal Bureau of Investigation declined to comment on whether agency staff had contacted Bitfinex. A Bitfinex representative told Motherboard:

“We regularly receive legal requests from law enforcement and regulators who carry out investigations. It is our policy not to comment on such requests.”

As for the research, Matthew Green, a scientist, senior lecturer and cryptography specialist at Johns Hopkins University and one of the founders of the Zcash project, told Motherboard that “it is precisely those aspects which the team and the community need to improve.” Zooko Wilcox, founder and CEO of the Zcash cryptocurrency company, pointed to a May blog post that explains some of the problems uncovered by the study.

In August last year, experts managed to identify the e-mail addresses of people who had subscribed to the monthly dump service. They calculated that Shadow Brokers had by then earned up to $88,000 in Monero. Shortly before that, an anonymous user claimed that, after payment, the hackers had provided low-quality tools. Shadow Brokers themselves last posted their dumps in September last year.

Based on reporting by Motherboard