Crowdfunding Effort to Buy ShadowBrokers Exploits Shuts Down

A crowdfunding effort to buy a subscription to the ShadowBrokers’ Monthly Dump Service of stolen exploits and data was shut down citing legal and ethical concerns.

Heeding the advice of attorneys, law enforcement and peers in the security industry, a crowdfunding campaign that spun up to purchase the next batch of ShadowBrokers leaks has been squashed.

The group announced this week more details on its impending Dump of the Month Service in which it promises to leak additional exploits and stolen data to subscribers. Those who join must pay in cryptocurrency (100 Zcash) approximately $24,450; this is as of today’s market value. The ShadowBrokers promoted the service last month, saying they still had in their possession browser and mobile handset exploits, attacks that work on Windows 10 systems and stolen nuclear and missile data belonging to Russian, China, Iran and North Korea.

The crowdfunding effort, begun by Matthew Hickey of My Hacker House in the UK and a researcher who goes by the handle x0rz, hoped to raise $25,000, which would be used to buy the exploits and have them patched by the affected vendors.

“If you ever want to hear a lawyer shout expletives at volume down a phone, you need to call him and tell him that you have created the first open source crowd-funded cyber arms acquisition attempt,” Hickey said in a statement via his Twitter account.

“It transpires that should funds change hands from ours to the Shadow Brokers, we would be certainly risking some form of legal complications,” Hickey said. “It was just too risky and the advice was under no circumstances to proceed further with this.”

X0rz’s statement, also via Twitter, had a similar tone and explained that their goal was to get the vulnerabilities involved patched and make “the 0days a little less toxic” than if released by the ShadowBrokers in the clear.

“I personally expect the Shadow Brokers to release the dump because that’s their agenda,” x0rz wrote, adding that the $3,900 raised so far would be refunded to 40 contributors. “They are not here for the money and are really just seeking media coverage, as we previously witnessed.”

Two days ago, Hickey hosted a Twitter poll asking whether a crowdfunding project to pay the subscription fee, perform an analysis on the dump and privately disclose would be a good idea. There were 1841 votes in 48 hours with 52 percent supporting the purchase; the poll also ignited a debate on the ethics of dealing with arms dealers or potentially a nation-state actor in the ShadowBrokers.

“The discussion and debate we had over the last 48 hours publicly makes me very proud of the infosec community and the people within it. Our idea resulted in a civil and lengthy ethical debate with many different opinions. I was glad to take part in that,” Hickey told Threatpost. “What we saw in the last 48 hours was a transparent and open discussion on a cyber security topic that goes on daily in secret behind closed doors. Companies often pay for malware samples, bug bounties, exploit data and this discussion was no different—if anything it shone the light on a murky ethics topic around exploits. Having technology ethics advisors weigh in and the collective discussion that resulted played a part in our decision to pull the plug.”

Hickey said there were a number of considerations around the crowdfunding effort, such as keeping it open and allowing the ShadowBrokers to claim it on the condition they privately disclosed, that the data could be validated prior to payment and that the group would work with researchers on getting vulnerabilities patched and/or mitigated.

“There is just no way around the complication of paying them and putting our own freedoms at risk, we have to respect that opinions are equally divided on this topic,” Hickey said.

Hickey also said he didn’t want to be caught in a tug of war between the U.S. and the ShadowBrokers if they are linked to the FSB and Russian intelligence.

“All we can do is wait and see how ShadowBrokers respond, there is no evidence yet they have any more data but if they do I hope their release of it doesn’t result in another global cyber incident,” Hickey said. “Worse, I hope it doesn’t end up in the hands of other criminals who will use it for harm.”

Suggested articles