A cybersecurity company on Wednesday asserted that the hack of 500 million account credentials from Yahoo was the work of an Eastern European criminal gang, adding another layer of intrigue to a murky investigation into the unprecedented data heist.
Arizona-based InfoArmor issued a report whose conclusion challenged Yahoo’s position that a nation-state actor orchestrated the heist, disclosed last week by the Internet company. InfoArmor, which provides companies with protection against employee identify theft, said the hacked trove of user data was later sold to at least three clients, including one state-sponsored group.
Reuters was unable to verify the report’s findings. Yahoo (YHOO) declined comment. The Federal Bureau of Investigation, which is investigating the hack, did not return a call seeking comment.
A U.S. government source familiar with the Yahoo investigation said there was no hard evidence yet on whether the hack was state-sponsored. Attribution for cyber attacks is widely considered difficult in both the intelligence and research communities.
Get Data Sheet, Fortune’s technology newsletter.
The task is made especially challenging by the fact that criminal hackers sometimes provide information to government intelligence agencies or offer their services for hire, making it hard to know who the ultimate mastermind of a hack might be.
Yahoo said last week that it only recently discovered the intrusion, which it blamed on a state-sponsored actor without providing technical evidence. Nation-state hackers are widely viewed as possessing more advanced capabilities than criminal groups, a perception that could benefit Yahoo as it works to minimize fallout from the breach and complete its sale to Verizon Communications (VZ).
InfoArmor concluded the Yahoo hackers were criminal after reviewing a small sample of compromised accounts, Andrew Komarov, the firm’s chief intelligence officer, said in an interview.
For more on the Yahoo hack, watch:
The hackers, dubbed Group E, have a track record of selling stolen personal data on the dark web, and have been previously linked to breaches at LinkedIn, Tumblr, and MySpace, Komarov said.
“They have never been hired by anyone to hack Yahoo,” Komarov, who is from Russia, said. “They were simply looking for well-known sites that had many users.”
In an illustration of the confusion about who carried out the hack and why, an NBC News report Wednesday interpreted Komarov’s findings as pointing to the Russian government as the ultimate perpetrator.
A Wall Street Journal report, which said that InfoArmor was able to crack encrypted passwords for some Yahoo accounts provided by the newspaper, came to the opposite conclusion.
