
Shadow Brokers mystery endures: TechCrunch revisits the leak that reshaped global cyber risk

A 2026 TechCrunch analysis examines the enduring legacy of the Shadow Brokers, whose 2016 leak of the EternalBlue vulnerability triggered billions in damages and exposed the fragility of intelligence-hoarded exploits.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: TechCrunch
Ghost hackers: the cybersecurity mystery that nobody has solved
Ten years after the NSA tools were dumped, the identity of the group remains unknown and the lessons for corporate security remain urgent.

A 2026 TechCrunch article has revisited the case of the Shadow Brokers, an enigmatic group that surfaced in the summer of 2016 to leak a trove of hacking tools believed to originate from the US National Security Agency (NSA). The publication marks a decade since the group first appeared on Twitter, linking to a document titled “Equation Group Cyber Weapons Auction — Invitation” against the backdrop of Russian hacks related to the US presidential election.

The leak included EternalBlue, a critical zero-day vulnerability targeting Windows that allowed hackers to break into computers and deploy self-propagating worms. North Korean actors weaponised this tool for the WannaCry ransomware attack, while Russian operatives used it for the NotPetya cyberattack, which caused an estimated $10 billion in global damages. Despite the scale of the disruption, no arrests or charges have been made in connection with the leak.

The identity of the Shadow Brokers remains unknown, with theories ranging from an NSA insider to a Russian government propaganda operation. Former NSA staffers interviewed at the time suggested an insider or former insider could be involved. Harold T. Martin III, an NSA contractor arrested for stealing classified information, was considered a suspect; however, the Shadow Brokers remained active online while Martin was in custody, and he has never been formally charged in connection with the leaks.

The group’s modus operandi was marked by inconsistencies. They initially attempted to auction the tools for at least one million Bitcoin via an encrypted file, a move likely intended as a ruse, before dumping many tools publicly months later. Their communication style featured broken English that was described as “almost comical,” suggesting either excessive effort or deliberate artifice. Despite seeking significant press attention, the group only spoke to a journalist once, giving a brief interview to Joseph Cox of 404 Media, then at VICE Motherboard.

Recent analysis highlights new discoveries from the leaked trove, including a tool named Fast16. Flagged in the original dump with the label “NOTHING TO SEE HERE — CARRY ON,” the malware dates back to 2005 and was designed to tamper with software allegedly used by Iranian nuclear scientists, referencing the famous Stuxnet attack. The article underscores the ongoing risk to businesses, noting that vulnerabilities hoarded by intelligence agencies do not stay secret forever and that the private sector often pays the price when they leak.
