On a Telegram channel with a handful of subscribers, a self-described hacker boasts that they have something they would like to show off.
Two messages later, they have posted what they claim to be a directory of thousands of FBI employees, from intelligence analysts to interns at the US law enforcement agency; classified manuals for US warplanes; and databases from police departments across the US.
What’s next, asks one awed subscriber. “The Feds,” jokes another, before posting a training manual for the Drug Enforcement Agency, saying: “Here’s something from the collection.”
This forum is just one venue in a raucous marketplace for America’s secrets, traded by low-level hackers and conspiracy theorists for cash and bragging rights, and accessible without passwords, special software or knowledge of the dark web.
Following leads from cyber security researchers who study hacker forums for a living, the Financial Times observed over two weeks several chat groups hosting tens of thousands of pages of documents, sometimes freshly harvested from recent security breaches, sometimes consisting of repackaged nuggets from previous hacks.
They ranged from the classified material US National Guardsman Jack Teixeira is alleged to have leaked to the recently extracted gigabytes of corporate secrets that unpaid ransomware groups unceremoniously dump when negotiations with their victims fail. There were also private communications between American law enforcement and tech companies.
Often on Telegram, but also on dark-web forums where hackers and ransomware criminals share tips and show off their exploits, the anonymous participants discuss world politics and give dating advice in addition to trading leaked data.
Recently, the greatest prestige has come from sharing as yet unreported details from the Teixeira leaks.
Within seconds of one subscriber on a Telegram channel asking for the documents, a link appeared to several dozen of the leaked slides, hosted on an open directory on Dropbox. When the FT saw them, several had been unreported by the world’s media — China building cyberweapons to take over western satellites and Russian mercenary group Wagner seeking weapons around the world.
The caches pale in comparison to what whistleblowers have described as the “avalanche” of data from Russian organizations exposed by pro-Ukrainian hackers.
But the variety of documents and the relative ease with which such forums can be accessed online make it seem “like you are [seeing] the tip of an iceberg”, according to one US diplomat. “Even old classified documents have operational value — they show how we approach problems, how we assess threats, how we train people.”
Hackers’ boasts, albeit uncorroborated, appear to confirm this. “This is not the best stuff,” said one member of a group observed by the FT, referring to documents on one Telegram channel. [the dark web] and never get invited to the right room.”
In the right rooms, the “best stuff” is advertised as screenshots, and often traded for stolen US or European commercial data — credit card information, emails, social security numbers.
That so many of the briefing slides Teixeira is alleged to have leaked have become currency in pro-Russian online forums shows there is a lingering risk from the disclosure. Analysts said there remained a real possibility that some of the documents had yet to surface, or that new, doctored ones could appear in Russian disinformation campaigns.
“Once this kind of data finds itself on the highway of the internet, it doesn’t take long for a small group of people to stumble upon it — and once they do, it spreads on the internet like an epidemic,” said Osher Assor, head of the cyber security department at consultancy Auren Israel.
“Every day it becomes easier to get these classified files, and it puts the US government in very big trouble — on top of the originals, we see more fake or manipulated files being added to further confuse and divert,” Assor said.
As new documents become public, US officials have scrambled to assess the depth of the disclosures, with some releases catching them by surprise. Pentagon press secretary Brigadier General Pat Ryder said on Tuesday that the defense department was still assessing the scale and impact of the Teixeira leaks.
The FBI declined to comment on the scale and seriousness of the wider leaks.
The wide variety of US government-related material being shared underlines its value in the underground information economy in which hackers trade. Its relative scarcity compared with Russian data made fresh leaks exceptionally valuable, said two people involved in such online forums.
Of some comfort to US authorities is that few of these hackers breach the government’s most secure databases: the most damaging leaks have come from insiders — Chelsea Manning, convicted of leaking the Iraq war logs and state department cables; Joshua Schulte, convicted of leaking the technical details of how the CIA hacks high-value targets; and Edward Snowden, who leaked highly classified National Security Agency information.
“You get big ones, like [Schulte] once in five years — here, you move fast, collect everything, hide everything, sell quickly,” said one broker of these data sets. “But then you have little ones all the time — you find something here, something there, and then you have a file on a person that’s valuable to another person.”
He described selling to a French citizen the details of a US eavesdropping operation that he had learned about by hacking the emails of a European prosecutor who was being briefed on possible criminal activity. It was not possible for the FT to verify the broker’s claims, which included a screenshot of a $250,000 wire transfer to an Albanian bank account — allegedly the payment for the tipoff.
In many instances, the criminal groups have distant ties to the Russian state, providing opportunities to disseminate documents — doctored or original — that help with Russian propaganda.
One hacker showed off sample source code, settings and test data from an industrial process that was described as producing the alloy used to reinforce the armor on American-made infantry fighting vehicles. In another conversation observed by the FT, an unidentified buyer asked if anyone had for sale a more recent copy of the US no-fly list, which contains the names of people banned from traveling by aircraft into, out of or within the country. A 2019 copy of that list had already leaked on to the internet earlier this year.
“Check DM [direct messages],” replied one user in the Telegram group, promising that what he was sharing was the “most recent”.