It’s quite the dilemma: A nefarious group of hackers plans to sell a cache of stolen National Security Agency exploits, but you can’t quite come up with the cryptocurrency needed to buy it.
What to do?
Well, if you’re two prominent security researchers, the answer is simple: crowdfund it. That’s right, there’s now a Patreon for buying stolen NSA hacking tools.
But it’s not what you might think. The researchers behind the Patreon campaign, Hacker Fantastic and x0rz, hope that by purchasing the data they will be able to analyze it and possibly prevent another attack like the WannaCry ransomware.
@TheWack0lian @2sec4u @x0rz we will notify vendors and share data with any researchers who are involved. we will be expecting responsible disclosure practices.
— Hacker Fantastic (@hackerfantastic) May 30, 2017
It all comes back to the Shadow Brokers, the group that dumped a host of exploits in April after ostensibly trying to sell them first. Its members made news again in May when they announced that they not only have more code, but that they intend to launch a subscription service to dole it out.
“TheShadowBrokers is launching new monthly subscription model,” they explained. “Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month.”
It’s a threat that should not be taken lightly. Just a single NSA exploit — EternalBlue — was crucial to the global spread of WannaCry. Imagine a new WannaCry-like worm every time the Shadow Brokers released additional exploits. It would be more than a digital nightmare — people could die.
That doesn’t need to happen, however. Hacker Fantastic and x0rz argue that early access to the exploits could provide security researchers time to develop and share fixes for vulnerable code. That’s where the Patreon campaign comes in.
The Shadow Brokers requested payment in the cryptocurrency Zcash, and the two researchers think paying up is actually the smart move. Why? Because one way or another, those exploits are likely to get out.
“I think they will eventually dump it to cause mayhem,” confirmed x0rz via Twitter direct message. “So far [the Shadow Brokers] didn’t say they are willing to dump them for free (but we can guess they will).”
X0rz, who declined to provide a real name, went on to note that gaining access “even 48hours before [the dump] can be good for the community” so that “vendors and [Free and open-source software] developers can catch up and fix the vulns.”
This approach is not without its critics. To be sure, giving 100 ZEC (approximately $23,344 at the time of this writing) to unknown criminal elements is not exactly without risk. The Shadow Brokers could use it to fund malicious actions, or at the very least just keep the money and not deliver.
Hacker Fantastic and x0rz think it’s worth the risk, however.
So yes, it’s bad and good. You make your choice. Don’t hate the player hate the game? 🤔
— x0rz (@x0rz) May 30, 2017
Those interested in helping the campaign reach its goal can donate any amount of money, but those who kick $1,300 or more will get direct access to the Shadow Brokers’ exploits as soon as they are released to paying members.
To prevent some random criminal from using this crowdfunding campaign to gain nation-state level toolkits for his or herself, Hacker Fantastic and x0rz are limiting code sharing to “whitehat ethical hackers” who can prove who they are. So that’s good.
Meanwhile, the clock is ticking. As the Shadow Brokers’ sale ends June 30, the two researchers have only a month to scrape together the money. Should they fall short, any funds they did collect will be donated.
But if they succeed? Well, then we all may just have a fighting chance against the next WannaCry.