The mysterious Shadow Brokers hacking group threatened Wednesday to reveal the identity of an alleged former NSA hacker.
In a message posted online, the group – responsible for leaking the NSA exploits which powered the WannaCry and so-called Petya ransomware outbreaks – accused the alleged hacker in broken English of “writing ugly tweet to theshadowbrokers” and of belonging to Equation Group, a highly sophisticated team suspected of being NSA.
“TheShadowBrokers is having special invitation message for ‘doctor’ person theshadowbrokers is meeting on Twitter,” the post reads. “’Doctor’ person is writing ugly tweets to theshadowbrokers not unusual but ‘doctor’ person is living in Hawaii and is sounding knowledgeable about theequationgroup.”
“Then ‘doctor’ person is deleting ugly tweets, maybe too much drinking and tweeting? Is very strange, so theshadowbrokers is doing some digging.”
The Shadow Brokers claimed that during his time at NSA, the alleged hacker helped develop tools used to hack Chinese organizations.
“TheShadowBrokers is thinking ‘doctor’ person is former EquationGroup developer who built many tools and hacked organization in China,” the post continues.
The hacking group then threatened to reveal the identity of the “doctor,” who they claim recently co-founded a cybersecurity group, unless a payment is made to the Shadow Brokers’ dump service – an alleged subscriber-based system offering monthly NSA exploits to paying customers.
“TheShadowBrokers is thinking ‘doctor’ person is co-founder of new security company and is having much venture capital. TheShadowBrokers is hoping ‘doctor’ person is deciding to subscribe to dump service in July,” the post adds. “If theshadowbrokers is not seeing subscription payment with corporate email address of [email protected] then theshadowbrokers might be taking tweets personally and dumping data of ‘doctor’ persons hacks of China with real id and security company name.”
“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ persons choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company.”
A man believed to be the “doctor” responded on Twitter shortly after and denied ever belonging to Equation Group.
The “Doctor” referred to in the Shadow Brokers’ message responds, denies being former Equation Group pic.twitter.com/E7l7pCasEm
— Mikael Thalen (@MikaelThalen) June 28, 2017
Speaking with Bleeping Computer’s Catalin Cimpanu, the “doctor,” known on Twitter as @drwolfff, denied that he lived in Hawaii, had worked for the NSA or owned a cybersecurity startup.
Cimpanu later wrote that the “doctor” stated that “it’s possible” when asked if the Shadow Brokers might be targeting him for exposing cyber-espionage operations linked to the group.
The alleged hacker said he believed a former NSA contractor was behind the Shadow Brokers, while others in the cybersecurity community say entities connected to Russia are responsible.
The “doctor” promised to reveal his identity online Thursday to protect himself from “further false accusations.”
To protect the innocent and prevent further false accusations, I will dox myself tomorrow. Nobody makes me bleed my own blood except me 4/4
— Daniel R. Wolfford (@drwolfff) June 28, 2017
Regardless of whether the “doctor” is former NSA, cybersecurity experts say the exposure of a former high-level government hacker would be an unprecedented move.