Harold T. Martin III is reportedly the prime suspect in the Shadow Brokers investigation, but while he has been in detention, the hackers have posted more messages.
On Thursday, the Department of Justice elaborated on its case against NSA contractor Harold T. Martin III, who allegedly stole classified information, and who may also face charges under the Espionage Act. According to The Washington Post, Martin is the prime suspect in the investigation of The Shadow Brokers, a group or individual that recently dumped NSA hacking tools onto the internet for anyone to download.
But curiously, while Martin has been in detention, The Shadow Brokers have penned additional messages signed with the same cryptographic key as their original announcement back in August.
"Attention government sponsors of cyber warfare and those who profit from it!!!!" The Shadow Brokers wrote in their first post, pasted to several websites on August 13. That post included download links for a slew of NSA hacking tools and exploits, many of which could be used to break into hardware firewall appliances, and in turn, corporate or government networks.
The Shadow Brokers claimed that they would release the password for an additional set of encrypted files, apparently containing more exploits, to the highest bidder of an online auction. Or, if enough people pooled in and sent a total of 1 million bitcoin ($568 million), then they would publicly distribute those files too.
That auction had somewhat limited success, with only a handful of bidders sending any funds at all. In response, on August 28, The Shadow Brokers posted another message.
According to court documents, Martin was charged just one day later, on August 29. On the same day, he made his initial appearance in court and consented to detention.
But, The Shadow Brokers did not stop posting messages. Instead, they just kept going.
"TheShadowBrokers Equation Group Auction is being real. If you peoples is being easily confuse, you be stopping here. If you peoples be wanting to know more then keeping reading," they wrote. On October 5, the government announced Martin's arrest.
Then most recently, on October 15, some 48 days after Martin was detained, The Shadow Brokers posted another message to Pastebin, claiming to call the auction off entirely.
"Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins)," the group wrote.
Two of the hackers' messages, including the most recent one, were signed with the same PGP key used to sign the original posts dumping the NSA hacking tools. The October 15 message was not only posted, but also signed after Martin had been detained. (When trying to validate the signature on the third post, dated October 1, Motherboard encountered an error message).
The Shadow Brokers did not respond to multiple requests for comment.
Of course, none of this necessarily exonerates Martin for having some sort of connection to The Shadow Brokers. But it is a curious aspect of an increasingly strange story.