Someone Stole the Encryption Keys of WikiLeaks Precursor 'Cryptome'

It is unclear how the keys were compromised, John Young, one of the founders of the site, told Motherboard.

Sep 16 2015, 2:20pm


The PGP encryption keys of established leaking and archival site Cryptome have reportedly been compromised, according to John Young, one of the owners of the site.

Yesterday, a message written by Young on read: "I have learned today that all PGP public keys of John Young and Cryptome have been compromised."

The message then says that those affected keys have been revoked, meaning that they shouldn't be used, and that two others have been generated in their place.

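PGP, or Pretty Good Privacy, works by using two related encryption keys: a public key, which others use to encrypt messages to the key's owner, and a secret key, which the owner uses to decrypt them. When an attacker obtains the secret key, they can attempt to decrypt any communications or files sent to the affected party.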

It is unclear how the keys were compromised, Young told Motherboard in an encrypted email. "Not conclusive yet, but initial review is that an isolated secure storage medium was accessed. Further review should give a better picture with possibility of decoy or diversion from other breach(es)."

As for why he thinks the Cryptome keys have been compromised, Young said "Encrypted material discovered in plain text. Not ready to reveal where and how discovered, nor nature of the material."

Coming years before WikiLeaks, Cryptome launched in 1996, providing services to the now-infamous cypherpunks mailing list. The site owners, who work as fully licensed architects in New York, quickly gained a reputation for publishing any and all sensitive documents they could obtain, from details on nuclear power plants to lists of MI6 agents.

Young and Natsios have consistently called for all of the Snowden archive to be released publicly, as they discussed in an interview with Motherboard last year.

When asked by Gawker what Cryptome would have done if they had received the Snowden documents, Young said "We would have dumped it, the whole thing. Everyone else likes to play this game: 'What if we harm somebody' or all this kind of crap. Which is strictly cowardice. Of course the companies who run the outlets, their lawyers won't let them do this kind of thing, so if you've got money invested in your operation you won't take these kind of risks."