Shadow Brokers double down on zero-day subscription service

Shortly after its leak of NSA exploit tools enabled the spread of WannaCry, the Shadow Brokers hacking group promised to launch a monthly subscription service for more zero days. Tuesday, it started offering details.

To get in on the action, Shadow Brokers requires that subscribers send them 100 ZEC (Zcash cryptocurrency) or $21,000 per month. The group emptied its Bitcoin wallet yesterday, then switched over to Zcash, though the group said it could require a different currency the following month.

So what will this subscription service get you? A roll of the dice, essentially. Shadow Brokers put it this way on their site:

Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing “the game” is involving risks.

They promise to continue with a seat-of-the-pants approach beyond June. Asked what will be in the next dump, the group said:

TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”

Meanwhile, some on Twitter are suggesting it might be a good idea to set up crowdfunded access to the dump.

Sophos CTO Joe Levy warns that those who consider doing business with Shadow Brokers and others like them should tread very carefully.

As recent leaks show, the Shadow Brokers crew certainly seem to have acquired some high-value stolen goods, although their previous attempts to auction them off came to nothing and they ended up dumping the data for free. But there’s no reason to believe they have an ongoing supply, or that their subscription service is anything but a cash grab.

Would-be subscribers should ask themselves the following before diving in: what are you going to do if they don’t deliver? Ask for a refund? Report them to the ombudsman?

Sophos’s view is simple: don’t go there.

If you lie down with dogs, you’re likely to get up with fleas, and maybe attract the entirely understandable attention of law enforcement.