The investigation into Russian involvement in the 2016 United States election has gained invaluable intel.

On Dec. 29, the Department of Homeland Security released evidence of the tool used in the Russian hacking against the Democratic National Committee. That evidence pointed towards a malware program that was advertised on the dark web utilized by cybercriminals.

Shortly afterwards, the author, a young Ukrainian man known as “Profexer,” turned himself in to the Ukrainian Cyber Police. He admitted he wrote the malware, but said he did not know his customer’s intended use for it. Due to the legal grey zone, he is not under arrest but has become a key witness for the FBI, the first known witness to emerge and vastly impact the investigation, according to The New York Times.

From this revelation, a clearer picture of the Russian cybercriminal group “Fancy Bear” has been drawn. Rather than being the military intelligence agency that writes code and malware and carries out attacks during its work hours, the group appears to operate as a place for financing and organization. The more technical work appears to be a result of a “far looser enterprise that draws on talent and hacking tools wherever they can be found,” the Times reports.

There is no evidence to suggest Profexer knowingly worked for the Russian intelligence services, only that the malware he created did.