didn’t break into the United States National Security Agency after all. The latest research into the group of cybercriminals selling alleged NSA spy tools reinforced the idea that they’d received the classified materials from an insider within the intelligence agency, security company Flashpoint said.

, which was announced earlier in the month on the blogging platform Medium by “Boceffus Cleetus,” suggests the spy tools were initially taken directly from an NSA code repository by a rogue insider, Flashpoint said. The company’s researchers analyzed the sample file containing implants and exploits and various screenshots provided in the post and have “medium confidence” that an NSA employee or contractor initially leaked the tools, said Ronnie Tokazowski, senior malware analyst with Flashpoint. However, they were still “uncertain of how these documents were exfiltrated,” he said.

ShadowBrokers first began offering more than a dozen sophisticated tools for sale — such as software for extracting decryption keys from Cisco PIX firewalls — in underground marketplaces over the summer. The post-exploitation tools, intended to give attackers a way to gain a foothold in the network or move around laterally after the initial breach, targeted flaws in commercial appliances and software. The () would have allowed attackers to spy on encrypted communications, for example.

Flashpoint’s investigators believe the files were taken from a code repository because the sample file was written in Markdown, a lightweight markup language commonly used in code repositories to simplify how files are parsed.

for stealing government materials. Some of the tools included in the ShadowBrokers dump were among the , suggesting some kind of involvement with the theft and sale.

While Flashpoint’s Tokazowski rejected the idea that the cybercriminals had stolen the files directly through external remote access or discovered them on an external staging server, he did not draw any conclusions about whether Martin was involved. While the contractor denies he gave anyone the files, it seems quite possible that someone else may have broken into his non-classified computer to steal the tools.

The theft of the ShadowBrokers files overlaps somewhat with former Booz Hamilton consultant Edward Snowden, who stole thousands of NSA-related documents, but Flashpoint said there was nothing linking the theft of these tools with the former NSA contractor.