A new group of hackers emerged in August, motivated by money and going after big game. They called themselves the “Shadow Brokers,” and in their first introduction they started an auction promising to sell hacking tools stolen from the National Security Agency (NSA) to the highest bidder.
Posts from the Shadow Brokers raised broad speculation that the Russian government was behind it, but researchers may have unmasked the group. Rather than secretive government agents, or a sophisticated cybercrime syndicate, it may just be a hacker in Russia whose poor choice in an alias was his downfall.
An operative with BLACKOPS Cyber (BOC), a private intelligence company, was able to trace the origins of the Shadow Brokers to an account on VK, a popular European social network. The account belonged to a man in Kurgan, Russia, who goes by the first name Kirill.
Catching a Crook
The Shadow Brokers account has since gone quiet, and the account belonging to the Russian national believed to be behind it has since been deleted—and BOC may be the reason for both of these.
Soon after the Shadow Brokers made its debut, a BOC operative began following the case.
The current theory is the Shadow Brokers didn’t hack the data in the first place—and that instead the files were sold to it by NSA contractor Harold T. Martin III, who was arrested in August and allegedly stole tools matching the description of what the Shadow Brokers was selling.
As for the Shadow Brokers itself, the operative who was investigating it analyzed connections between its name and other linked accounts, including the image it used on Twitter of a multi-eyed creature from the video game “Mass Effect.”
The fictional creature, notes a BOC report, was part of a group called the “Shadow Brokers” and works as a “Galactic Information Broker.”
The operative contacted other online accounts using similar names and images and tried to elicit responses resembling those of the official Shadow Brokers account.
Eventually the operative found another Twitter account that had actively promoted the auction and seemed connected to an account on the VK social network that used the same imagery and broken English.
The VK account belonged to a young man whose first name is Kirill, a high school graduate from Kurgan, Russia, who runs a video game marketplace.
After locating the account, the operative then went back to the main account of the Shadow Brokers and tweeted a simple “Hi Kirill.”
Almost immediately after the tweet, the person on the European social network deleted his personal VK account and his profile picture.
BOC Chief Intelligence Officer Ed Alexander said, “It’s definitively him.”
“He would have no reason to backtrack and hide if it wasn’t him,” Alexander said. “He just panicked.”
The Highest Bidder
The Shadow Brokers made its debut with online posts that could have been straight out of a ’90s hacker film.
On Aug. 13, using the Twitter account “@theshadowbrokerss,” it posted a link to instructions on how to download and decrypt a file, which it claimed contained hacking tools from the Equation Group, a hacker group widely believed to be connected to the NSA.
The post was written in poor English and claimed the tools were just a sample from a large cache of similar files stolen from Equation Group that would be sold to the highest bidder.
“We hack Equation Group. We find many, many Equation Group cyber weapons,” it said, going on to encourage people to use the leak to “break many things” and “enjoy.”
It then added the leak was not all. “We are auction the best files.”
According to Alexander, the files appeared legitimate.
The post, and others that followed, garnered broad media coverage with plenty of speculation on who was behind the Shadow Brokers. Security company Sophos also said in a blog post that the files appeared legitimate and came from tools the Equation Group “carelessly left behind on a remote server.”
NSA hacker Edward Snowden even chimed in on Twitter, stating in a series of tweets on Aug. 16 that “circumstantial evidence and conventional wisdom indicates Russian responsibility.”
For the Shadow Brokers, however, the attention didn’t turn into cash. By Oct. 1, the bids only totaled 1.76 bitcoins, about $1,082. It wrote a follow-up post on Medium trying to assert its legitimacy, stating “auction is sounding crazy but is being real,” and continued to urge bidders.
Alexander said the case is important because the tools Shadow Brokers was trying to sell are dangerous. “Countries with lesser security, such as Mexico, are now subject to those antiquated tools being able to access their information.”