'Cash for hacks' crowd-funding campaign abandoned

  • Published
MoneyImage source, Getty Images
Image caption,

The hacking group was asking for roughly $22,000 via the crypto-currency Zcash

Security researchers have cancelled plans to buy potentially undetected software security vulnerabilities from a notorious group of hackers.

The plan involved buying hacking tools offered by the Shadow Brokers and then protecting computers before they could be targeted by cyber-criminals.

But critics had argued that the Shadow Brokers should not benefit in this way.

One of the researchers behind the plan said the scheme was being abandoned for "legal reasons".

Some critics had warned that paying the Shadow Brokers for access to their hacking tools, even with honest intentions, could be illegal.

50-50 split

The Shadow Brokers previously sold access to hacking tools allegedly stolen from the US National Security Agency - but often released the vulnerabilities for free later anyway.

One of the tools was used to help spread the WannaCry malware that affected thousands of organisations worldwide, including the UK's NHS.

The hacking group currently plans to sell a new batch of security exploits, for a payment via the crypto-currency Zcash, worth about $22,000 (£17,000).

On Tuesday, two security researchers set up a crowd-funding campaign to buy access to the exploits, so the vulnerabilities could be fixed instead.

But the idea divided the cyber-security community.

"There's a 50-50 split on whether it is a good idea and whether it would encourage Shadow Brokers to continue their activities," said Matthew Hickey from the cyber-security firm Hacker House, who set up the crowd-funding campaign.

Others were more outspoken: "Individuals and corps funding criminals is insane," said security researcher Kevin Beaumont, external.

Announcing the closure of the crowd-funding campaign on 1 June, Mr Hickey said: "If you ever want to hear a lawyer shout expletives at volume down a phone, you need to call him and tell him you have created the first open source crowd-funded cyber-arms acquisition attempt.

"It transpires that should funds change hands from ours to the Shadow Brokers we would certainly be risking some form of legal complications."

Those who have donated to the campaign using Bitcoin can seek a refund, and any unclaimed funds will be donated to online rights group the Electronic Frontier Foundation.

'Game involves risks'

The Shadow Brokers group has not specified what buyers will get if they pay the $22,000 bounty and has offered no guarantee that buyers will be rewarded at all.

"If you caring about loosing $20k+ Euro then not being for you... playing 'the game' is involving risks [sic]," the group said in a blog post.