Investigators believe the ShadowBrokers leaks were from a National Security Agency insider, the website CyberScoop reports.

Since August of last year, the ShadowBrokers have leaked files apparently stolen from the NSA, primarily source code for NSA hacking tools along with some additional files.

One set of files leaked by the group contained tools to hack into the Windows operating system. Those tools were eventually used in the devastating international ransomware attacks known as WannaCry and NotPetya.

{mosads}

WannaCry infected between hundreds of thousands and millions of systems, causing such damage to the United Kingdom’s hospitals that some patients were turned away. NotPetya caused significant damage to a major Russian energy firm and the U.S.-based pharmaceutical giant Merck.

Citing multiple sources familiar with the investigation, CyberScoop reports that ex-NSA employees have been contacted by investigators concerning how the ShadowBreakers obtained their cache of files.

The report claims that the leading theory is that an inside actor was at the helm but that other theories are still in the mix, including a foreign hacker.

Sources also told CyberScoop that the investigation “goes beyond” Harold Martin, the NSA contractor arrested for hoarding classified documents at his home last year.

The ShadowBrokers claim to have leaked files to raise interest for a planned sale of the remaining cache of documents. Currently, the group is offering a subscription, leak-of-the-month service.