We all know about the infamous hacking collective Shadow Brokers as they were the ones who leaked the Windows SMB exploit in public that led to last weekend’s WannaCry menace.


Let’s see who is this Shadow Brokers and what they have done so far.


This team firstly appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, anti-virus products, and Microsoft products.

Leak History of the Shadow Brokers

1. “Equation Group Cyber Weapons Auction – Invitation”

While the exact date is unclear, reports suggest that preparation of the leak started at least in the beginning of August, and that the initial publication occurred August 13, 2016 with a Tweet from a Twitter account “@shadowbrokerss” announcing a Pastebin page and a GitHub repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the Equation Group.

2. “Message #5 – TrickOrTreat”

This publication, made on October 31, 2016, contains a list of servers, supposedly compromised by Equation Group as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK AND STOCSURGEON) also used by the threat actor.

3. “Message #6 – BLACK FRIDAY / CYBER MONDAY SALE”

This leak contains 60 folders named in a way to serve as reference to tools likely used by Equation Group. The leak doesn’t contain executable files, but rather screenshots of the tools file structure. While the leak could be a fake, the overall cohesion between previous and future leaks and references as well as the work required to fake such a fabrication, gives credibility to the theory that the referenced tools are genuine.

4. “Don’t Forget Your Base”

On April 8, 2017, the Medium account used by The Shadow Brokers posted a new update. The post released the password to encrypted files released last year to be CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN. Those files allegedly reveal more NSA hacking tools. This posting explicitly stated that the post was partially in response to President Trump’s attack against a Syrian airfield, which was also used by Russian forces.

5.   “Lost in Translation”

On April 14, 2017, the Twitter account used by The Shadow Brokers posted a tweet with a link to a Steemit story. Herein, a message with a link to the leak files, encrypted with the password Reeeeeeeeeeeeeee.

The overall content is based around three folders: “oddjob”, “swift” and “windows”. The fifth leak is suggested to be the “…most damaging release yet” and CNN quoted Matthew Hickey saying, “This is quite possibly the most damaging thing I’ve seen in the last several years,”.

Some of the exploits targeting the Windows operating system, had been patched in a Microsoft Security Bulletin on March 14, 2017, one month before the leak occurred. Some speculated that Microsoft may have been tipped off about the release of the exploits.