# The Shadow Brokers

**en.wikipedia.org/wiki/The_Shadow_Brokers**

Contributors to Wikimedia projects

**The Shadow Brokers** (**TSB**) is a [hacker group](https://en.wikipedia.org/wiki/Hacker_group) who first appeared in the summer of 2016.[1][2] They published several leaks containing hacking tools, including several [zero-day exploits](https://en.wikipedia.org/wiki/Zero-day_(computing)),[1] from the "[Equation Group](https://en.wikipedia.org/wiki/Equation_Group)" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States.[3][4] Specifically, these exploits and vulnerabilities[5][6] targeted enterprise [firewalls](https://en.wikipedia.org/wiki/Firewall_(computing)), [antivirus software](https://en.wikipedia.org/wiki/Antivirus_software), and [Microsoft](https://en.wikipedia.org/wiki/Microsoft) products.[7] The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's [Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations) unit.[8][9][10][4]

## Name and alias

Several news sources noted that the group's name was likely in reference to a character from the _[Mass Effect](https://en.wikipedia.org/wiki/Mass_Effect_(series))_ video game series.[11][12] [Matt Suiche](https://en.wikipedia.org/wiki/Matt_Suiche) quoted the following description of that character: "The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder.
The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business."[13]

## Leak history

### First leak: "Equation Group Cyber Weapons Auction - Invitation"

While the exact date is unclear, reports suggest that the preparation of the [leak](https://en.wikipedia.org/wiki/Internet_leak) started at least in the beginning of August,[14] and that the initial publication occurred August 13, 2016 with a Tweet from a [Twitter](https://en.wikipedia.org/wiki/Twitter) account "@shadowbrokerss" announcing a Pastebin page[6] and a [GitHub](https://en.wikipedia.org/wiki/GitHub) repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the [Equation Group](https://en.wikipedia.org/wiki/Equation_Group).

**Publication and speculation about authenticity**

The Pastebin[6] introduces a section titled "Equation Group Cyber Weapons Auction Invitation", with the following content:

> Equation Group Cyber Chase Weapons Auction - Invitation
>
> \- -----------------------------------------------
>
> !!! Attention government sponsors of cyber warfare and those who profit from it !!!!
>
> How much you pay for enemies [cyber weapons](https://en.wikipedia.org/wiki/Cyber_weapon)? Not malware you find in networks. Both sides, [RAT](https://en.wikipedia.org/wiki/Remote_access_trojan) + LP, full state sponsor tool set? We find cyber weapons made by creators of [stuxnet](https://en.wikipedia.org/wiki/Stuxnet), [duqu](https://en.wikipedia.org/wiki/Duqu), [flame](https://en.wikipedia.org/wiki/Flame_(malware)). [Kaspersky](https://en.wikipedia.org/wiki/Kaspersky_Lab) calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

The Pastebin includes various references for obtaining the file, named "EQGRP-Auction-Files.zip". This [zip](https://en.wikipedia.org/wiki/Zip_(file_format)) file contains seven files, two of which are the GPG-encrypted archives "eqgrp-auction-file.tar.xz.gpg" and "eqgrp-free-file.tar.xz.gpg". The "eqgrp-free-file.tar.xz.gpg" archive's password was revealed in the original Pastebin to be `theequationgroup`. The "eqgrp-auction-file.tar.xz" archive's password was revealed in a later Medium post to be `CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN`.

The Pastebin continues with instructions for obtaining the password to the encrypted [auction](https://en.wikipedia.org/wiki/Online_auction) file:

> Auction Instructions
>
> \- -------------------
>
> We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.
The initial response to the publication was met with some skepticism,[15] as to whether or not the content actually would be "...many many Equation Group cyber weapons."[6]

### Second leak: "Message #5 - TrickOrTreat"

This publication, made on October 31, 2016, contains a list of servers, supposedly compromised by Equation Group, as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK and STOICSURGEON) also used by the threat actor.[16]

### Third leak: "Message #6 - BLACK FRIDAY / CYBER MONDAY SALE"

Message #6 reads as follows:

> TheShadowBrokers is trying auction. Peoples no like. TheShadowBrokers is trying crowdfunding. Peoples is no liking. Now TheShadowBrokers is trying direct sales. Be checking out ListOfWarez. If you like, you email TheShadowBrokers with name of Warez you want make purchase. TheShadowBrokers is emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. If not liking this transaction method, you finding TheShadowBrokers on underground marketplaces and making transaction with escrow. Files as always being signed.[17]

This leak[18] contains 60 folders named in a way to serve as reference to tools likely used by Equation Group. The leak doesn't contain executable files, but rather screenshots of the tools' file structure. While the leak could be a fake, the overall cohesion between previous and future leaks and references, as well as the work required to fake such a fabrication, gives credibility to the theory that the referenced tools are genuine.

### Fourth leak: "Don't Forget Your Base"

On April 8, 2017, the [Medium](https://en.wikipedia.org/wiki/Medium_(website)) account used by The Shadow Brokers posted a new update.[19] The post revealed the password to encrypted files released last year to be `CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN`. Those files allegedly reveal more NSA hacking tools.[20]

This posting explicitly stated that the post was partially in response to President Trump's [attack against a Syrian airfield](https://en.wikipedia.org/wiki/2017_Shayrat_missile_strike), which was also used by Russian forces.

The decrypted file, eqgrp-auction-file.tar.xz, contained a collection of tools primarily for compromising Linux/Unix based environments.[21]

### Fifth leak: "Lost in Translation"

On April 14, 2017, the [Twitter](https://en.wikipedia.org/wiki/Twitter) account used by The Shadow Brokers posted a tweet with a link[22] to the Steem blockchain. The linked post contained a message with a link to the leak files, encrypted with the password `Reeeeeeeeeeeeeee`.

The overall content is based around three folders: "oddjob", "swift" and "windows".[23] The fifth leak is suggested to be the "...most damaging release yet"[24] and CNN quoted Matthew Hickey saying, "This is quite possibly the most damaging thing I've seen in the last several years".[25]

The leak includes, amongst other things, the tools and exploits codenamed: DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, [ETERNALBLUE](https://en.wikipedia.org/wiki/ETERNALBLUE), EXPLODINGCAN and EWOKFRENZY.[24][26][27]

Some of the exploits targeting the Windows operating system had been patched in a Microsoft Security Bulletin on March 14, 2017, one month before the leak occurred.[28][29] Some speculated that Microsoft may have been tipped off about the release of the exploits.[30]
**Eternalblue**

Main article: [EternalBlue](https://en.wikipedia.org/wiki/EternalBlue)

Over 200,000 machines were infected with tools from this leak within the first two weeks,[31] and in May 2017, the major [WannaCry ransomware attack](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack) used the ETERNALBLUE exploit on [Server Message Block](https://en.wikipedia.org/wiki/Server_Message_Block) (SMB) to spread itself.[32] The exploit was also used to help carry out the [2017 Petya cyberattack](https://en.wikipedia.org/wiki/2017_Petya_cyberattack) on June 27, 2017.[33]

ETERNALBLUE contains kernel shellcode to load the non-persistent [DoublePulsar](https://en.wikipedia.org/wiki/DoublePulsar) [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)).[34] This allows for the installation of the PEDDLECHEAP payload which would then be accessed by the attacker using the DanderSpritz Listening Post (LP) software.[35][36]

## Speculations and theories on motive and identity

### NSA insider threat

[James Bamford](https://en.wikipedia.org/wiki/James_Bamford) along with Matt Suiche speculated[37] that an insider, "possibly someone assigned to the \[NSA's\] highly sensitive [Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations)", stole the hacking tools.[38][39] In October 2016, _[The Washington Post](https://en.wikipedia.org/wiki/The_Washington_Post)_ reported that [Harold T. Martin III](https://en.wikipedia.org/wiki/Harold_T._Martin_III), a former contractor for [Booz Allen Hamilton](https://en.wikipedia.org/wiki/Booz_Allen_Hamilton) accused of stealing approximately 50 terabytes of data from the [National Security Agency](https://en.wikipedia.org/wiki/National_Security_Agency) (NSA), was the lead suspect. The Shadow Brokers continued posting messages that were cryptographically-signed and were interviewed by media while Martin was detained.[40]

### Theory on ties to Russia

[Edward Snowden](https://en.wikipedia.org/wiki/Edward_Snowden) stated on [Twitter](https://en.wikipedia.org/wiki/Twitter) on August 16, 2016 that "circumstantial evidence and [conventional wisdom](https://en.wikipedia.org/wiki/Conventional_wisdom) indicates Russian responsibility"[41] and that the leak "is likely a warning that someone can prove responsibility for any attacks that originated from this malware server"[42] summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast".[43][44]

_[The New York Times](https://en.wikipedia.org/wiki/The_New_York_Times)_ put the incident in the context of the Democratic National Committee cyber attacks and hacking of the [Podesta emails](https://en.wikipedia.org/wiki/Podesta_emails). As US intelligence agencies were contemplating counter-attacks, the Shadow Brokers code release was to be seen as a warning: "Retaliate for the D.N.C., and there are a lot more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior official compared it to the scene in [The Godfather](https://en.wikipedia.org/wiki/The_Godfather) where the head of a favorite horse is left in a bed, as a warning."[45]

In 2019, David Aitel, a computer scientist formerly employed by the NSA, summarized the situation with: "I don’t know if anybody knows other than the Russians. And we don’t even know if it’s the Russians. We don’t know at this point; anything could be true."[46]

## References

1. Ghosh, Agamoni (April 9, 2017). "'President Trump what the f\*\*k are you doing' say Shadow Brokers and dump more NSA hacking tools". International Business Times UK. Retrieved April 10, 2017.
2.
3. Brewster, Thomas. "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved November 25, 2020.
4. Sam Biddle (August 19, 2016). "The NSA Leak is Real, Snowden Documents Confirm". [The Intercept](https://en.wikipedia.org/wiki/The_Intercept). Retrieved April 15, 2017.
5. Nakashima, Ellen (August 16, 2016). "Powerful NSA hacking tools have been revealed online". The Washington Post.
6. ["Equation Group - Cyber Weapons Auction - Pastebin.com"](https://archive.today/20160815133924/http://pastebin.com/NDTU5kJQ). August 16, 2016. Archived from [the original](http://pastebin.com/NDTU5kJQ) on August 15, 2016.
7. Dan Goodin (January 12, 2017). "NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage". [Ars Technica](https://en.wikipedia.org/wiki/Ars_Technica). Retrieved January 14, 2017.
8. Goodin, Dan (August 16, 2016). "Confirmed: hacking tool leak came from "omnipotent" NSA-tied group". Ars Technica. Retrieved January 14, 2017.
9. ["The Equation giveaway - Securelist"](https://securelist.com/the-equation-giveaway/75812/).
10. ["Group claims to hack NSA-tied hackers, posts exploits as proof"](https://arstechnica.com/security/2016/08/group-claims-to-hack-nsa-tied-hackers-posts-exploits-as-proof/). August 16, 2016.
11. ["The 'Shadow Brokers' NSA theft puts the Snowden leaks to shame - ExtremeTech"](https://www.extremetech.com/extreme/234031-your-guide-to-the-shadow-brokers-nsa-theft-which-puts-the-snowden-leaks-to-shame). Extremetech. August 19, 2016.
12.
13.
14. ["The Shadow Brokers: Lifting the Shadows of the NSA's Equation Group?"](https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/). August 15, 2016.
15. Rob Price (August 15, 2016). "'Shadow Brokers' claim to have hacked an NSA-linked elite computer security unit". [Business Insider](https://en.wikipedia.org/wiki/Business_Insider). Retrieved April 15, 2017.
16. ["'Shadow Brokers' Reveal List Of Servers Hacked By The NSA; China, Japan, And Korea The Top 3 Targeted Countries; 49 Total Countries, Including: China, Japan, Germany, Korea, India, Italy, Mexico, Spain, Taiwan, & Russia"](http://fortunascorner.com/2016/11/01/shadow-brokers-reveal-list-of-servers-hacked-by-the-nsa-china-japan-and-korea-the-top-3-targeted-countries-49-total-countries-including-china-japan-germany-korea-india-italy-mexico-sp/). Fortuna's Corner. November 1, 2016. Retrieved January 14, 2017.
17. ["MESSAGE #6 - BLACK FRIDAY / CYBER MONDAY SALE"](https://bit.no.com:43110/theshadowbrokers.bit/post/message6/). bit.no.com.
18. ["unix_screenshots.zip"](https://bit.no.com:43110/theshadowbrokers.bit/files/unix_screenshots.zip). bit.no.com.
19. theshadowbrokers (April 8, 2017). ["Don't Forget Your Base"](https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1). Medium. Retrieved April 9, 2017.
20. Cox, Joseph (April 8, 2017). "They're Back: The Shadow Brokers Release More Alleged Exploits". Motherboard. Vice Motherboard. Retrieved April 8, 2017.
21. ["GitHub - x0rz/EQGRP: Decrypted content of eqgrp-auction-file.tar.xz"](https://github.com/x0rz/EQGRP). [GitHub](https://en.wikipedia.org/wiki/GitHub). February 26, 2022.
22. ["Lost in Translation"](https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation). Steemit. April 14, 2017. Retrieved April 14, 2017.
23. ["Share"](https://yadi.sk/d/NJqzpqo_3GxZA4). Yandex.Disk. Retrieved April 15, 2017.
24. ["NSA-leaking Shadow Brokers just dumped its most damaging release yet"](https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/). Ars Technica. Retrieved April 15, 2017.
25. Larson, Selena (April 14, 2017). "NSA's powerful Windows hacking tools leaked online". CNNMoney. Retrieved April 15, 2017.
26. "Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows". Medium. April 14, 2017. Retrieved April 15, 2017.
27. ["misterch0c"](https://github.com/misterch0c/shadowbroker). GitHub. Retrieved April 15, 2017.
28. ["Microsoft says users are protected from alleged NSA malware"](https://apnews.com/7100004c2d7e4cc28b7e6b7d4e40f812/Microsoft-says-users-are-protected-from-alleged-NSA-malware). AP News. Retrieved April 15, 2017.
29. ["Protecting customers and evaluating risk"](https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/). MSRC. Retrieved April 15, 2017.
30. ["Microsoft says it already patched 'Shadow Brokers' NSA leaks"](https://www.engadget.com/2017/04/15/microsoft-says-it-already-patched-several-shadow-brokers-nsa-l/). Engadget. Retrieved April 15, 2017.
31. "Leaked NSA tools, now infecting over 200,000 machines, will be weaponized for years". CyberScoop. April 24, 2017. Retrieved April 24, 2017.
32. ["An NSA-derived ransomware worm is shutting down computers worldwide"](https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/?comments=1). May 12, 2017.
33. Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (June 27, 2017). "Cyberattack Hits Ukraine Then Spreads Internationally". [The New York Times](https://en.wikipedia.org/wiki/The_New_York_Times). p. 1. Retrieved June 27, 2017.
34. Sum, Zero (April 21, 2017). "zerosum0x0: DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0. Retrieved November 15, 2017.
35. ["Shining Light on The Shadow Brokers"](https://www.tripwire.com/state-of-security/security-data-protection/shining-light-shadow-brokers/). The State of Security. May 18, 2017. Retrieved November 15, 2017.
36. ["DanderSpritz/PeddleCheap Traffic Analysis"](https://www.forcepoint.com/sites/default/files/resources/files/datasheet_security_labs_dander_spritz_peddle_cheap_traffic_analysis_en.pdf) (PDF). Forcepoint. February 6, 2018. Retrieved February 7, 2018.
37. ["Shadow Brokers: The insider theory"](https://medium.com/@msuiche/shadowbrokers-the-insider-theory-ded733b39a55#.qmppg2xj6). August 17, 2016.
38. ["Commentary: Evidence points to another Snowden at the NSA"](https://www.reuters.com/article/us-intelligence-nsa-commentary-idUSKCN10X01P). Reuters. August 23, 2016.
39. ["Hints suggest an insider helped the NSA "Equation Group" hacking tools leak"](https://arstechnica.com/security/2016/08/hints-suggest-an-insider-helped-the-nsa-equation-group-hacking-tools-leak/). Ars Technica. August 22, 2016.
40. Cox, Joseph (January 12, 2017). "NSA Exploit Peddlers The Shadow Brokers Call It Quits". Motherboard.
41.
42. "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server". August 16, 2016. Retrieved August 22, 2016.
43. Price, Rob (August 16, 2016). "Edward Snowden: Russia might have leaked alleged NSA cyberweapons as a 'warning'". [Business Insider](https://en.wikipedia.org/wiki/Business_Insider). Retrieved August 22, 2016.
44. Eric Lipton, David E. Sanger and Scott Shane (December 13, 2016). "The Perfect Weapon: How Russian Cyberpower Invaded the U.S." [New York Times](https://en.wikipedia.org/wiki/New_York_Times). Retrieved April 15, 2017.
45. Abdollah, Tami; Tucker, Eric (July 6, 2019). "Mystery of NSA leak lingers as stolen document case winds up". [Associated Press](https://en.wikipedia.org/wiki/Associated_Press). [Archived](https://web.archive.org/web/20190706152343/https://abcnews.go.com/Technology/wireStory/mystery-nsa-leak-lingers-stolen-document-case-winds-64163448) from the original on July 6, 2019.