A Chinese threat group was using hacking tools developed by the NSA more than a year before Shadow Brokers leaked them in April 2017. The Buckeye threat group (also known to researchers as Gothic Panda, TG-0110, UPS, and APT3) has been active since at least 2010. Buckeye was using NSA hacking tools 13 months before they were leaked by the hacking group who stole them. The tools were later used in highly destructive attacks such as the WannaCry ransomware campaign from May 2017.
Source: https://www.bleepingcomputer.com/news/security/nsa-hacking-tools-used-by-chinese-hackers-one-year-before-leak/