@TheShadowBrokers may have gone dark on Twitter and toned down their Steemit posts, but it looks like people are still paying them for NSA malware.
I did it again for their July Monthly Dump Service and found that TSB may have had 2 customers (who probably don't follow infosec twitter closely), paying 1000 XMR each -- a total of approximately $88,000 US at today's Monero price. This figure does not include ZCash payments and the actual total may be much higher or lower.
My first article on TSB (I recommend reading it if you haven't because it goes into more detail) went largely unnoticed until @fsyourmoms made a post titled, 'TheShadowBrokers are NOT Making America Great again!!!', basically complaining that TSB sold them a worthless implant, followed by an interesting tirade against TSB.
I'm guessing that TSB follows TSB-related stuff on twitter pretty closely, because they revised their payment system for their August Monthly Dump Service. In a post titled, 'TheShadowBrokers Monthly Dump Service - August 2017 (2017-07-27 09:25:48 UTC), @TheShadowBrokers wrote:
If you wanting make subscribe to TheShadowBrokers Monthly Data Dump Service then sending theshadowbrokers an email request for payment address. TheShadowBrokers then be sending you unpublished payment address for you to be making payment.
Which email address theshadowbrokers using? For August Data Dump Service send payment address requests to email@example.com or firstname.lastname@example.org
July data dump for subscribers inbound. Interesting June data dump not published by subscribers.
Presumably, they're sending each buyer a unique "integrated address", so that people won't be able to scrape customer e-mails off of the blockchain.
If you want a more comprehensive timeline of TheShadowBroker's actions, I recommend checking Matt Suiche's presentation and whitepaper here.
All of the scraped data is available here. You can find the PIDs of interest with ctrl+f. (If you're having trouble with github and need the e-mail addresses for some reason, e-mail me.)
I found 5 PIDs that included e-mail addresses in the Monero blockchain during the month of July. However, there were only 3 unique e-mail addresses, one of which may be a typo.
I'm not including the e-mail addresses in this post due to privacy reasons -- anybody could have inserted these e-mails into the blockchain, not just the owners of the e-mail addresses, and they may be completely unrelated to TSB.
The first e-mail address
There are 3 PIDs of interest on July 17th. The PIDs are 64 character hex strings. I converted the hex string to ASCII and pasted the message here. I'm changing the e-mail address slightly so it doesn't appear in google searches or something, but this is representative of what happened:
TX 1 (02:00 UTC): email@example.com
TX 2( ~10:00 UTC): firstname.lastname@example.org advisory Dump
TX 3 (~11:00 UTC) : email@example.com advisory Dump
The second e-mail address
The second address appeared twice on July 22nd, about 50 minutes apart.
What does this data tell us?
This data only provides an upper limit for the number of Monero purchases. We know that TSB received no more than 2000 XMR. It is totally plausible that these e-mail addresses are unrelated to TSB. (It seems unlikely though, for reasons I gave in this article.)
It's also plausible that TSB just sent themselves some XMR transactions to make it appear as if they're getting sales.
Also, TSB is accepting ZCash. ZCash memo lines are encrypted so it's impossible to scrape e-mails the same way. There is [almost] no way to estimate the amount of money TSB made from ZCash.
Also, in their August post, TSB claims they made a lot of sales in July:
July is being good month for TheShadowBrokers Monthly Data Dump Service, make great benefit to theshadowbrokers.
Who is "hihi"?
I'm speculating that the "firstname.lastname@example.org" address (remember, this isn't the actual address) belongs to a non-native English speaker because "advisory dump" doesn't seem like something a proficient English speaker would say. I'll defer to the linguists though.
If you happen to have been scraping Shapeshift/Changelly transactions and have those logs, shoot me an e-mail. I have an interesting proposal for you!
If anything was unclear or you disagree or you have any other insights, please post a comment or e-mail me.