How the Chinese hackers learned of the Double Pulsar hacking tool remains unknown. But Symantec speculates they may have captured some network traffic of the NSA using it in an actual attack, allowing them to re-engineer the once confidential tool.
Source Link
