In 2016, a group of self-described hackers started releasing a steady stream of code stolen from the NSA. As well as dumping some hacking tools publicly, such as exploits that were later incorporated into the crippling WannaCry ransomware attack, the so-called Shadow Brokers also listed more tools on a dedicated online shop and offered a “monthly dump service” for access to additional code.

A team of University College London (UCL) researchers recently found likely evidence of payments for those alleged exploits by examining transactions in Zcash, a privacy-focused cryptocurrency that the Shadow Brokers asked potential customers to use, and traced the movement of some of the coins to a specific cryptocurrency exchange.

The paper was published to the arXiv preprint server in May and presented this week at the first Zcash conference in Montreal. It highlights not only techniques that could help identify the activity of Zcash users, but also how investigators may be able to follow a trail related to the Shadow Brokers, and find who potentially bought NSA tools.

“We routinely receive legal process from law enforcement agents and regulators conducting investigations. It is our policy not to comment on any such requests,” a spokesperson for Bitfinex, the cryptocurrency exchange the researchers linked to potential Shadow Brokers-related transactions, told Motherboard in a statement.

In summer 2017, the Shadow Brokers started asking anybody wanting to buy alleged exploits and tools to use Zcash. In exchange for 100 ZEC ($15,900 USD at today’s rates, and around $22,800 at the time of the sale), buyers could access some more Shadow Broker-provided tools, although it’s not clear exactly what. The Shadow Brokers offered similar deals for several months.

The researchers zeroed in on a number of transactions for the same amount that the Shadow Brokers requested, made in the same time window that the group opened up for sales. In particular, the researchers identified a selection of transactions that may belong to a “regular customer,” their paper reads.

“The idea is that based on the timings and amounts of the transactions (and other metadata about the cluster sending them), there is some reasonable chance this reflects someone sending money to the Shadow Brokers,” Sarah Meiklejohn, a member of the UCL team behind the research, told Motherboard in an email. Specifically, the researchers identified a June transaction for 100 ZEC, one in July for 200 ZEC, and another in August for 500 ZEC, “matching TSB [The Shadow Brokers] prices exactly,” the paper reads.

“The cluster belonged to a new user, and most of the money in this user’s cluster came directly from Bitfinex,” the paper adds.


With that information, investigators may be able to approach Bitfinex and ask, or demand, information on who owned the particular account moving Zcash. Although this tactic may not provide details on who is behind the Shadow Brokers entity itself, it could reveal who has been attempting to buy exploits from the mysterious group—a security researcher, hacker, or perhaps the government trying to determine what other tools, if any, the Shadow Brokers had obtained.

Carol Cratty from the FBI’s National Press Office said the Bureau had no comment on whether investigators have contacted Bitfinex regarding this information.

As for the research, Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, and a scientist affiliated with the Zcash project, told Motherboard in an online chat that “I think this is exactly the sort of work that Zcash and the privacy community need to make things better.” Zooko Wilcox, founder of the cryptocurrency and chief executive officer of the Zcash Company, pointed Motherboard to a May blog post, which explained some of the issues the research demonstrated.

In August last year, a security researcher was able to identify the email addresses of people who subscribed to the monthly dump service. At the time, the researcher, who goes by the handle wh1sks, estimated that the Shadow Brokers made up to $88,000 in Monero, another privacy-focused cryptocurrency. Shortly beforehand, an anonymous poster claimed that, after paying for the monthly dump service, the Shadow Brokers only provided a low-quality tool.

The Shadow Brokers themselves last posted about their monthly dump service, it seems, in September last year.