Cryptographic proof that one of TheShadowBrokers' Monthly Dump Service customers left them negative feedback

If you're unfamiliar with TheShadowBroker's Monthly Dump Service, start out by reading the Monthly Dump Service background section of my post here. Otherwise, skip right ahead:

Negative Feedback

On July 11th at 21:38 (UTC), Hive account@fsyourmoms made a post on Steemit titled, "TheShadowBrokers are NOT Making America Great again!!!", accompanied by a tweet which mentioned some of the prominent InfoSec twitter personalities who are involved in the @TheShadowBrokers saga.

The post begins:

TheShadowBrokers ripped me off. I paid 500 XMR for their “Wine of the Month Club” and only they sent me a single tool that already requires me to have a box exploited.

and then turns into an interesting tirade against TheShadowBrokers.

Rational followers of hacking news remained skeptical -- after all, anonymous posters make crazy claims with no way to back them up all the time. The most likely explanation was that Hive account@fsyourmoms was just a hoaxer, FUDster or LARPer. Because of this, the post was largely ignored.

I did notice one interesting detail in Hive account@fsyourmoms post, which inspired a response post by me where I pointed out a detail which lent some credence to Hive account@fsyourmoms:

In an earlier article, I described how I scraped e-mail addresses for TheShadowBrokers's(TSB) Monero customers from the XMR blockchain, and found a cap for how much XMR TSB may have earned from their monthly dump service. After seeing Hive account@fsyourmoms' steemit post, I noted I found an e-mail address that may have belonged to Hive account@fsyourmoms. What I wrote in the post:

One of the e-mail addresses I found was fucksyourmoms@**********.com. This is very similar to Hive account@fsyourmoms username.

Of course, just using the same username as a publicly available e-mail address is pretty weak evidence for such grand claims and careful observers (myself included) remained skeptical.

Fortunately, Monero was actually designed to be able to handle situations like this, and thus it is possible to prove that a payment was sent if you have the payment address, payment transaction ID, and a secret payment key known only to the sender.

Read this link. It explains the secret payment key better than I can.

In my post, I set goal lines for what would convince me (and most cryptographers) that Hive account@fsyourmoms was for real:

If it's not a hoax and Hive account@fsyourmoms wants to improve their credibility, they could prove they're legit in the following ways:
1.) Using the e-mail address from the tx linked above. (Proves identity but doesn't actually prove payment was sent.)
2.) Post the secret tx key from their Monero payment to TSB. (Proves identity AND that payment was sent.)

Well, Hive account@fsyourmoms delivered.

In a steemit post and tweet earlier today, Hive account@fsyourmoms provided both the private key from their XMR payment, and a screenshot of the e-mail from TSB.

We now have:

• TSB's XMR payment address (41jwGGMNRBKNurVnuo7ZW4HqrgPnfiJbfHUi3k46b5nFhvbpwcK6KdTSjvTRdbzdEzZbQ1t5GWhsW7scxcNv2adUJSbtExP) from this post by TSB
• the payment transaction ID (782dc6139511ac4f5515a91452b1c5f019594b63a8cc8e015b8cd4b411af0d36) from the tx that I identified as containing the fucksyourmoms@**********.com e-mail address in my post here.
• Hive account@fsyourmoms secret transaction key (a944723f77415dd06c5d34260363935e24ac6d5ac7fe711366f64768fa055803) from their steemit post/tweet.

I entered these into Monero GUI 2:

Click check and voilà:

Of course, you shouldn't take my word for it. You should download a Monero client and check yourself. Alternatively, if you trust xmrchain.net, you can verify it there:

1. View the Monero transaction on xmrchain.net
2. Scroll down to the box that says 'Decode outputs/Prove sending', select 'Prove sending'
3. Enter the private key and TSB payment address from above.
4. Click prove sending and it will verify the payment for you.

It'll look like this:

Conclusions:

• Hive account@theshadowbrokers received at least 500 XMR from their June Monthly Dump. (They may have received significantly more, see my post about that.)
• Hive account@fsyourmoms revealed a private key which proves they sent 500 XMR to TSB's June Monthly Dump address. This is a fact.
• Hive account@fsyourmoms revealed a screenshot which appears to show a gpg signed file that came from TSB. Since the e-mail address was publicly available, anybody (feds) could have sent that e-mail as a honey pot or something, but presumably, Hive account@fsyourmoms verified the signature and it did indeed come from TSB.
• Hive account@fsyourmoms says they only received 1 tool from TSB and they're disappointed with it. (I have no idea what the tool actually was, nor any way to evaluate whether the tool was worth 500 XMR. And it's none of my business anyways, this is between TSB and Hive account@fsyourmoms.)

To be clear, my intention with these posts is in no way to judge or interfere with TSB's and Hive account@fsyourmoms business. I'm just eating popcorn, watching the drama unfold, trying to inform people about cryptocurrencies and trying to provide unbiased analysis that I'm certain LE and criminal hackers already have.

---

If you have any questions or comments, or caught any mistakes, please don't hesitate to post a comment, PM me or e-mail me. If you didn't get something, odds are a lot of other readers didn't understand it either so please ask me to clarify it!

wh1sks@keemail.me PGP key

follow me on twitter to get updates beamed straight to a screen near you.