Vault 7 (2017): The Leak of the CIA's Cyber Arsenal.
In March 2017, WikiLeaks began publishing thousands of pages describing the tools the CIA used to break into the world's electronics — phones, laptops, routers, and televisions. The agency had built a software arsenal to turn ordinary consumer devices into listening posts, and an internal review later concluded that it had secured that arsenal so poorly that it took a year even to notice it was gone. The CIA had become, in the words of one assessment, the victim of the largest data loss in its history — and the cause was its own negligence.
AnomalyDesk is reader-supported. Articles may contain affiliate links to books and primary-document collections. Read our full funding disclosure.
What Vault 7 was, in a paragraph.
Vault 7 is the name WikiLeaks gave to a series of publications, beginning on March 7, 2017, of documents and files describing the cyber-espionage capabilities of the U.S. Central Intelligence Agency, specifically those developed by the agency's Center for Cyber Intelligence (CCI) and its Engineering Development Group. The first release, dubbed “Year Zero,” comprised some 8,761 documents and files; subsequent Vault 7 releases through 2017 (under names like “Dark Matter,” “Marble,” “Grasshopper,” and others) added further documentation, and a separate series, “Vault 8,” began publishing source code in November 2017. The material described a large toolkit of malware, exploits, and techniques for compromising Microsoft Windows, Apple iOS and macOS, Android, Linux, network routers, and even Samsung smart televisions, the last via an implant called “Weeping Angel” that could place a TV in a fake-off state while it continued to record audio. The documents discussed the agency's use of “zero-day” vulnerabilities (security flaws unknown to the software vendors), techniques to obfuscate the authorship of its malware, tools to compromise air-gapped networks, and the agency's interest in vehicle control systems (the documents record that interest, not a working tool). WikiLeaks said it obtained the material from a source who wished to provoke a debate about the security and oversight of the CIA's cyber capabilities. The CIA declined to confirm the authenticity of specific documents but treated the leak as a serious breach; technology companies scrambled to assess and patch the described vulnerabilities. An internal CIA WikiLeaks Task Force report (later partially released) concluded that lax security at the CCI had enabled the theft and that the agency had not even detected the loss until WikiLeaks published. The source was identified as Joshua Schulte, a former CIA software engineer, who was convicted on espionage charges in 2022 (after an earlier mistrial) and sentenced in 2024.
The documented record.
The publication
Vault 7 unfolded as a series of releases through 2017. [Verified] The first and largest tranche, “Year Zero,” was published by WikiLeaks on March 7, 2017, and contained 8,761 documents and files. Over the following months WikiLeaks released additional batches focused on specific tools and projects, and from November 2017 (under the separate “Vault 8” banner) actual source code. In the initial release WikiLeaks withheld the working exploit and implant code (what it called the “armed” cyberweapons) and redacted identifying details such as names and target IP addresses, while publishing the documentation [1][2].
The capabilities described
The documents portrayed a broad offensive cyber toolkit. [Verified] They described exploits and implants for Windows, macOS, iOS, Android, Linux, and networking equipment; techniques for compromising devices not connected to the internet (“air-gapped”), such as via infected USB media (the “Brutal Kangaroo” suite); and the “Weeping Angel” implant, developed with Britain's MI5, to turn Samsung smart TVs into covert microphones by faking a powered-off state (“Fake-Off” mode). The documents also recorded the agency's interest in vehicle control systems, without describing a finished capability. The toolkit reflected a mature, industrial-scale capability for compromising the consumer and enterprise technology in everyday use [1][2][3].
Zero-days and the Vulnerabilities Equities Process
A central policy issue concerned undisclosed vulnerabilities. [Verified] Many CIA tools relied on “zero-day” vulnerabilities, flaws unknown to the affected vendors and therefore unpatched. The U.S. government had a “Vulnerabilities Equities Process” meant to weigh whether to disclose such flaws to vendors (protecting the public) or retain them for intelligence use (leaving everyone running the software exposed). Vault 7 fueled criticism that agencies were hoarding vulnerabilities in widely used products, leaving billions of devices insecure, and that this stockpiling was itself a public-safety risk. That concern was sharpened by the separate 2017 WannaCry and NotPetya attacks, which spread using the EternalBlue exploit from the Shadow Brokers dump of NSA-linked tools [1][3][4].
The “Marble” obfuscation framework
One release addressed attribution. [Verified] The “Marble Framework” documents described a string-obfuscation library the CIA used to hide text in its malware from forensic analysis and to hamper attribution; its test cases included strings in Chinese, Russian, Korean, Arabic, and Farsi that could mislead investigators about a tool's origin, and the release included the matching deobfuscator. This prompted speculation, much of it overstated, about “false flag” cyber operations; the documents establish obfuscation and anti-attribution capability, not a specific program of framing other nations [1][2].
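The mechanism at issue, as an added example: the Python below is not code from the page or from the leaked Marble documents. Its per-byte XOR scheme, the string-table layout, the key (`KEY`), the sample “binary,” the real strings and the decoy strings are all assumptions constructed for illustration. It shows what a `strings`-style triage pass over such a module sees (only the planted Cyrillic, Chinese and Arabic text), how a naive script tally over those strings misreads the origin, and how an analyst's deobfuscator recovers the real strings once the scheme and key are pulled out of the decoding routine. The extractor also accepts UTF-8 runs, which goes beyond a plain ASCII `strings`.

```python
"""Added example: string obfuscation versus a strings-style triage pass.

Not code from the page or from the leaked Marble documents. The XOR scheme,
table layout, KEY, REAL_STRINGS, DECOYS and the sample blob are assumptions.
"""
import struct

KEY = b"\xff"  # assumed single-byte key; a real framework would do far more

# Constructed sample data: the strings the implant actually uses ...
REAL_STRINGS = ["cmd.exe /c whoami", "C:\\Windows\\Temp\\upd.log",
                "POST /beacon HTTP/1.1"]
# ... and plaintext decoys planted to skew a language-based guess at origin.
DECOYS = ["Ошибка загрузки модуля", "模块加载失败", "خطأ في التحميل"]


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_strings(strings, key):
    """Pack a string table as repeated [u16 length][XOR-encoded UTF-8]."""
    out = bytearray()
    for s in strings:
        enc = xor_bytes(s.encode("utf-8"), key)
        out += struct.pack("<H", len(enc)) + enc
    return bytes(out)


def deobfuscate_strings(table, key):
    """What an analyst's deobfuscator does once scheme and key are known."""
    strings, pos = [], 0
    while pos + 2 <= len(table):
        (n,) = struct.unpack_from("<H", table, pos)
        pos += 2
        strings.append(xor_bytes(table[pos:pos + n], key).decode("utf-8"))
        pos += n
    return strings


def build_sample_blob():
    """Constructed stand-in for a compiled module: a header, the decoys as
    plain UTF-8, then the obfuscated table prefixed by a u32 length.
    Returns (blob, offset of that length field)."""
    blob = bytearray(b"MZ\x90\x00" + b"\x00" * 12)
    for d in DECOYS:
        blob += d.encode("utf-8") + b"\x00"
    blob += b"\x00" * 8
    table_offset = len(blob)
    table = obfuscate_strings(REAL_STRINGS, KEY)
    blob += struct.pack("<I", len(table)) + table
    return bytes(blob), table_offset


def recover_real_strings(blob, table_offset, key):
    (n,) = struct.unpack_from("<I", blob, table_offset)
    return deobfuscate_strings(blob[table_offset + 4:table_offset + 4 + n], key)


def extract_strings(blob, min_len=4):
    """Crude strings(1)-style extractor that also accepts UTF-8 text runs."""
    found, run, i = [], bytearray(), 0

    def flush():
        text = run.decode("utf-8")
        if len(text) >= min_len:
            found.append(text)
        run.clear()

    while i < len(blob):
        b = blob[i]
        n = (1 if b < 0x80 else 2 if 0xC2 <= b <= 0xDF else
             3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF4 else 0)
        try:
            ch = blob[i:i + n].decode("utf-8") if n else ""
        except UnicodeDecodeError:
            ch = ""
        if ch and ch.isprintable():
            run += blob[i:i + n]
            i += n
        else:
            flush()
            i += 1
    flush()
    return found


def script_hints(strings):
    """Tally strings by the script of their first non-ASCII character: the
    naive signal that planted strings are designed to skew."""
    ranges = [("Cyrillic", 0x0400, 0x04FF), ("Arabic", 0x0600, 0x06FF),
              ("CJK", 0x4E00, 0x9FFF), ("Hangul", 0xAC00, 0xD7AF)]
    counts = {name: 0 for name, _, _ in ranges}
    counts.update({"ASCII": 0, "Other": 0})
    for s in strings:
        cp = next((ord(c) for c in s if ord(c) > 0x7F), None)
        if cp is None:
            counts["ASCII"] += 1
        else:
            counts[next((nm for nm, lo, hi in ranges if lo <= cp <= hi), "Other")] += 1
    return counts


if __name__ == "__main__":
    blob, off = build_sample_blob()
    seen = extract_strings(blob)
    print("strings-style pass sees:", seen)
    print("script tally:", script_hints(seen))
    print("deobfuscated:", recover_real_strings(blob, off, KEY))
```

The point for the analyst is the order of operations: language artifacts in a static string dump are an input to be explained, not a conclusion, and the explanation usually comes from the decoding routine in the code itself. The XOR layer here is deliberately trivial; what defeats `strings` is that the real text never exists in the file as text at all.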
The security failure
The leak itself exposed an institutional failure. [Verified] An internal CIA WikiLeaks Task Force report, completed in October 2017 and released in redacted form via Senator Ron Wyden in June 2020, concluded that the Center for Cyber Intelligence had prioritized building cyber weapons at the expense of securing its own systems: sensitive tools were not compartmented, user activity on the development network was not monitored and server audit capability was weak, users shared administrator-level passwords, there were no effective removable-media controls, historical data remained accessible indefinitely, and the agency did not realize the material had been stolen until WikiLeaks published it roughly a year later. The report estimated the loss at between 180 gigabytes and 34 terabytes, called it potentially the largest data loss in CIA history, and attributed it to a culture of lax security [4][5].
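What the missing monitoring might have looked like, as an added example that is not code from the page, the report, or the agency: three checks over a file-server audit log, each mapping to one of the report's findings (no compartmentation, no user-activity monitoring, no removable-media controls). The log format, the path convention that treats `/projects/<name>/` as a compartment, the thresholds and every audit record are constructed assumptions.

```python
"""Added example: user-activity checks of the kind the CIA Task Force report
said the Center for Cyber Intelligence lacked. Not code from the page or the
agency. Log format, path conventions, thresholds and all records are
constructed assumptions."""
from collections import defaultdict
from statistics import median

# Constructed audit records: "<timestamp> <user> <op> <path> <bytes>".
AUDIT_LOG = """\
2016-03-01T09:12:04Z alice READ /projects/alpha/spec.docx 2048
2016-03-02T10:01:40Z alice READ /projects/alpha/notes.txt 1024
2016-03-03T08:55:12Z alice READ /projects/alpha/build.log 4096
2016-03-04T09:30:00Z alice READ /projects/alpha/spec.docx 2048
2016-03-01T09:15:22Z bob READ /projects/beta/tool.c 8192
2016-03-02T11:02:05Z bob READ /projects/beta/tool.h 1024
2016-03-03T09:48:31Z bob READ /projects/beta/README.md 2048
2016-03-04T10:11:09Z bob READ /projects/beta/tool.c 8192
2016-03-05T18:40:02Z bob READ /projects/beta/tool.c 8192
2016-03-05T19:02:17Z bob READ /projects/alpha/src.tar 104857600
2016-03-05T19:05:44Z bob READ /projects/gamma/src.tar 209715200
2016-03-05T19:09:03Z bob READ /projects/delta/src.tar 157286400
2016-03-05T19:12:51Z bob READ /projects/epsilon/src.tar 52428800
2016-03-05T19:20:30Z bob WRITE /media/usb0/backup.tar 524288000
"""


def parse_audit(text):
    """Turn the constructed log into event dicts keyed by calendar day."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, path, size = line.split()
        events.append({"day": ts[:10], "user": user, "op": op,
                       "path": path, "bytes": int(size)})
    return events


def compartment(path):
    """Assumed convention: /projects/<name>/ is the compartment boundary."""
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "projects":
        return parts[2]
    return None


def flag_volume_spikes(events, factor=10, min_days=3):
    """Flag a user-day whose READ volume exceeds `factor` times the median of
    that user's earlier days (requires at least `min_days` earlier days)."""
    volume = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["op"] == "READ":
            volume[e["user"]][e["day"]] += e["bytes"]
    flags = []
    for user, by_day in volume.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            if i < min_days:
                continue
            baseline = median([by_day[d] for d in days[:i]])
            if by_day[day] > factor * baseline:
                flags.append((user, day, by_day[day], baseline))
    return flags


def flag_compartment_breadth(events, max_compartments=2):
    """Users who read from more distinct compartments than their role should
    need; a compartmented store would have blocked this, not just logged it."""
    seen = defaultdict(set)
    for e in events:
        c = compartment(e["path"])
        if c:
            seen[e["user"]].add(c)
    return {u: s for u, s in seen.items() if len(s) > max_compartments}


def flag_removable_writes(events, prefixes=("/media/", "/mnt/usb")):
    """WRITEs to removable-media mount points (prefixes are an assumption)."""
    return [(e["user"], e["day"], e["path"], e["bytes"]) for e in events
            if e["op"] == "WRITE" and e["path"].startswith(prefixes)]


EVENTS = parse_audit(AUDIT_LOG)

if __name__ == "__main__":
    print("volume spikes:", flag_volume_spikes(EVENTS))
    print("compartment breadth:", flag_compartment_breadth(EVENTS))
    print("removable writes:", flag_removable_writes(EVENTS))
```

Each check is weak on its own (a build engineer legitimately reads a lot; a backup job legitimately writes to removable media), which is why the report's list matters as a set: the finding was not that any one alarm was missing but that nothing at all was collected to alarm on, and the data had not been compartmented so that the breadth check could be enforced rather than merely observed.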
Joshua Schulte
The source was prosecuted. [Verified] Federal prosecutors charged Joshua Schulte, a former CIA software engineer who had worked at the CCI, with stealing the Vault 7 material and transmitting it to WikiLeaks. His first trial, in March 2020, convicted him only of contempt of court and making false statements to the FBI and ended in a mistrial on the espionage counts; a July 2022 retrial convicted him on all the espionage and related counts; in September 2023 he was separately convicted on charges relating to child sexual abuse material found on his devices; and in February 2024 he was sentenced to 40 years in prison. Schulte maintained his innocence on the leak charges [1][6].
The competing positions.
WikiLeaks framed Vault 7 as a public-interest disclosure intended to provoke debate about the CIA's cyber capabilities, their oversight, and the danger of the agency stockpiling vulnerabilities in consumer products. [Claimed] Its stated rationale emphasized that, once such tools escape (as they had), they become available to criminals and foreign adversaries, endangering the public the agency is meant to protect [1].
The U.S. government's position was that the leak was a grave breach that damaged national security and endangered intelligence operations and personnel. [Claimed] The CIA declined to authenticate specific documents but treated the material as genuine for damage-assessment purposes; prosecutors characterized Schulte's act as one of the most damaging leaks in the agency's history. The government distinguished lawful, targeted cyber-espionage against foreign intelligence targets from the indiscriminate exposure of the tools [4][6].
Technology companies and security researchers occupied a middle position. [Disputed] They used the disclosures to identify and patch vulnerabilities (noting that many described flaws were already fixed in current software versions), while criticizing the government's retention of zero-days. The debate over the Vulnerabilities Equities Process, how aggressively agencies should disclose flaws versus stockpile them, was sharpened but not resolved by Vault 7 [3][4].
The unanswered questions.
The full operational use
The documents describe capabilities, not a complete record of how, where, and against whom the tools were actually used. [Unverified] The operational history of the CIA's cyber toolkit, the specific targets and operations, was not part of the Vault 7 disclosure and remains classified [1][2].
The damage and the recipients
Whether the leaked tools reached or were used by hostile actors before or after publication, and the true scope of the operational damage, are not publicly established. [Disputed] The government asserted serious damage; the specifics were litigated partly in closed session and remain largely undisclosed [4][6].
Schulte's culpability questions
Although Schulte was convicted, he maintained innocence on the leak charges, and aspects of the case, including the security environment that made the theft possible and the strength of the digital-forensic evidence, were contested at trial. [Disputed] The conviction settled the legal question; some factual disputes around the mechanics of the leak persist [6].
Primary material.
The accessible record on Vault 7 is held principally at these locations:
- The WikiLeaks Vault 7 / Vault 8 publications (2017) — the documents and (in Vault 8) source code, the primary disclosure, hosted by WikiLeaks.
- The CIA WikiLeaks Task Force report — the internal review of the breach, a redacted portion of which was released via Senator Ron Wyden in 2020.
- The federal court record in United States v. Joshua Schulte (S.D.N.Y.) — the 2020 mistrial, 2022 conviction, and 2024 sentencing.
- Technology-company and security-researcher analyses assessing and patching the described vulnerabilities (Apple, Google, Microsoft, Samsung, Cisco, and others).
- Contemporary reporting by The New York Times, The Washington Post, Wired, and others on the releases and their significance.
Critical individual sources include: the “Year Zero” document set; the WikiLeaks Task Force report excerpt; and the Schulte trial record.
The sequence.
- c. 2013–2016 The CIA's Center for Cyber Intelligence develops the tools later disclosed.
- Spring 2016 (per the Task Force report) The material is stolen from a CIA network; the agency does not detect the loss.
- March 7, 2017 WikiLeaks publishes “Year Zero” (8,761 documents); further Vault 7/Vault 8 releases follow through 2017.
- 2017 Technology companies assess and patch described vulnerabilities; debate over zero-day stockpiling intensifies.
- June 2018 Joshua Schulte charged with espionage offences in connection with the leak.
- 2020 A redacted CIA WikiLeaks Task Force report (via Sen. Wyden, June) blames lax CCI security; Schulte's first trial (March) ends in a partial mistrial, with convictions only on contempt and false-statement counts.
- July 2022 Schulte convicted on all espionage counts at retrial.
- February 2024 Schulte sentenced to 40 years.
Cases on this archive that connect.
The Snowden Disclosures (File 025) — the NSA counterpart; Vault 7 is the CIA-side equivalent, exposing offensive cyber tools rather than mass-collection programs.
PRISM (File 176) and MUSCULAR (File 177) — NSA collection programs; Vault 7 reveals the distinct world of CIA device-level exploitation.
The CIA Family Jewels (File 094) — an earlier compendium of the agency's questionable activities; Vault 7 is, in part, a self-inflicted modern equivalent exposing capability and negligence.
STELLAR WIND (File 175) — the warrantless-surveillance program; both raise the question of oversight over secret technical capabilities.
More related files coming as the archive grows. Planned: the Shadow Brokers leak of NSA tools, WannaCry/NotPetya, and the Vulnerabilities Equities Process.
Full bibliography.
- WikiLeaks, Vault 7 (“Year Zero” and subsequent releases) and Vault 8, 2017.
- CIA WikiLeaks Task Force report (redacted excerpt released via Senator Ron Wyden), 2020.
- Federal court record, United States v. Joshua Adam Schulte, U.S. District Court for the Southern District of New York, 2018–2024.
- Shane, Scott, Mazzetti, Mark, and Rosenberg, Matthew, “WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents,” The New York Times, March 7, 2017.
- Technology-company security advisories and researcher analyses of the Vault 7 vulnerabilities (Apple, Google, Microsoft, Samsung, Cisco), 2017.
- Contemporary coverage in The Washington Post, Wired, and Ars Technica on the releases and the zero-day debate.