The zero-day market explained

Ever wondered what it would be like to be a hacker? You often see them in TV shows and movies, where a person is bashing their keyboard, causing a lot of numbers and symbols to appear on screen, and bang, they’re in.

But that’s not what it’s like in the real world.

It takes a lot of time and effort to bypass cybersecurity protocols, as it’s an intricate process to infiltrate an organization’s systems, particularly high-value targets.

But there is one way of getting around the hard stuff. It’s still not easy, but many of the world’s hackers have a trick up their sleeve. A secret. One you won’t find on the clearnet, not even the darknet.

A place where the world’s best hackers trade secrets for life-changing sums of money. Where governments, megacorporations, and criminal cartels compete over snippets of information that can change the world.

This is the zero-day market, where you can purchase coveted exploits for a price.

A good zero-day

A useful zero-day is what’s known as the holy grail of hacking. A zero-day is a secret vulnerability that can be exploited to breach the security of an app, a device, or a network.

A zero-day means that the vendor has zero days to fix the flaw, as threat actors can already exploit the zero-day to access the vulnerable system.

This is different from a regular vulnerability as these vulnerabilities may be older, and vendors may have already applied fixes by updating or patching based on instructions.

But good zero-days are hard to find, meaning that you must be a master of spotting flaws, better than a single engineer hired by the company. Even then, you might spend years staring at the code, looking for a flaw to exploit.

Or, you could just piggyback off someone who has already located that exploit.

BugTracq

There’s this thing called BugTracq, which has been used since the early 90s. This mailing list allows people to find thousands of zero-day bugs.

For a long time, hackers really had very little interest in doing this for some kind of financial motivation. In the beginning, when they would find zero-day exploits, they would go to the companies that had written this sloppy software, like Sun Microsystems, HP, Oracle, and Microsoft – Nicole Perlorth, New York Times journalist.

In the early days, hackers would contact, or at least try to contact, companies and notify them of zero-day vulnerabilities in their software.

“And the companies, instead of looking at this as “oh, thank you for the free quality assurance,” often replied with a letter from their general counsel saying, “If you poke around our software again, we'll see to it that you go to prison,” Nicole Perlorth, a New York Times journalist, said.

So, BugTracq was created to stick it to the companies who had threatened them in the first place. You create a handle, hide behind a proxy, take your zero-days, and send them off to hackers worldwide. This was at the very root of hacking culture in those early days.

The beginning

The beginning of the market starts humbly: you head to BugTracq and check out a few handles. You see Mnemonix, Aleph One, and Hacknisty, and you send a polite email with an offer that’s way more than they might earn in a year.

From there, you continue doing the same thing: you establish strong connections, relationships, and networks. Some may be reliable, and others aren’t, but the fact remains that you keep those reliable ones close and the volatile ones even closer.

Then, a market begins to form and grows rapidly, all by sending some emails and obtaining zero-days that can bypass any cybersecurity wall.

Middlemen and matchmakers

Then middlemen emerge, zero-day brokers, companies with dodgy names and weird backgrounds that will help you on your conquest. Those people can locate whoever you need to complete the transaction – they even confirm whether the software works and vouch for its effectiveness.

“They’re very much a matchmaking service,” says Jake Williams, a seasoned security researcher, “you could go and post anonymously on Reddit or some underground forum…but then you’re dealing with some unknown party. You have issues around escrow…(but) these exploit brokers work as middlemen and matchmakers.”

Once that’s arranged, you buy a snippet of information from a broker or an anon hacker online, confirm that vulnerability works, and develop an exploit – malware that can effectively transform one flawed piece of code into a safe passageway.

Now it’s time to use it.

Exploit time

One exploit known to many is Operation Triangulation, it was reconstructed from what a researcher could scrape from his phone.

It’s designed to infect an iPhone using an invisible iMessage, the user never receives a notification, but the snippet of code slips under the radar and onto the user's device.

The code begins working on a particular bug, a flaw that has existed in Apple’s software for decades.

Once in, it takes over a small part of the device's memory, where it finds another hole in the system. Another zero-day through which an even more malicious code can be executed. It is unexploitable from the outside, but once you’re in, you can use it.

This new code is more powerful than the first and begins to wage war on the device’s native systems. It then exploits another vulnerability that bypasses the device’s defenses. In a matter of moments, the war is won, and the iPhone is conquered.

Just like that, one more vulnerability is used to gain access to and take over the Safari browser. The intruder has won the fight and can now see everything the device owner does, sees, and hears.

This was Operation Triangulation, a string of four zero-days, an attack chain formed using some very well-written code, which gives you unrestricted access to any iPhone on the planet.

This exploit is extremely powerful and incredibly dangerous, and with that comes a pretty hefty price tag.

Paying the price

Zerodium trades zero days and openly talks about prices, which is one of the only ideas we have about the cost of these attacks.

According to Zerodium, a zero-day that allows you to bypass a phone’s passcode or a PIN nowadays is worth up to $100,000.

Whereas a zero-day that allows you to access a chat application, web browser, or email could cost up to $500,000.

Zero-days that give you access to somebody’s phone without any interaction can cost up to $2 million to $2.5 million.

It costs millions of dollars to break into a phone, not including the salaries of a small battalion of hackers who must write the exploit, which makes the zero-day usable.

The general public who are keeping tabs on a cheating spouse may not go to these lengths, but the ones who are paying for these zero-days have bigger fish to fry.

“The biggest demographic of buyers on open markets is probably governments. I mean, they have money that cybercriminals can't touch. And the value that they get out of the intelligence that they gain with these zero-days is not measured in dollars and cents either,” says Perlorth.

“Some zero-days are harmless. You know, you find a mistake in the code, and it might be in a system that is not widely used, or if it's even used by some niche audience, it's not that interesting. It's not worth your effort to break into that system. But the systems that hackers and nation states spend a lot of time on are now iPhone software, Android software, software that touches critical infrastructure,” Perlorth continued.

The price of operations like Operation Triangulation is still unknown, as only a small number of broke companies publish these prices, and the cost of a zero-day, let alone an exploit, can vary dramatically.

One example is Operation Zero, a broker that surfaced only a few years ago. In September 2023, this broker offered the highest ever recorded price for an exploit, which was $20 million for an attack chain. Therefore, Operation Triangulation could have cost at least $20 million or more.

But some organizations or those looking for exploits may be looking for bigger targets, bigger than a single device.

Zero-days bought for a similar price might allow you access to a desktop computer, industrial controller, or an entire network that maintains the infrastructure of a factory, military base, or city.

Zero-days have been used to thwart many operations and have caused global devastation.

Examples of zero-days in the wild

Stuxnet was one of the most advanced examples of malware, which used a string of zero-days to enter an Iranian nuclear facility and disable it.

NotPetya, one of the most devastating cyberattacks ever recorded, used a singular zero-day to paralyze the country of Ukraine for several days and caused billions of dollars worth of damage to international companies operating in the country.

Jamal Khashoggi, a journalist working for a US company, was murdered by the Saudi government in 2018 and was tracked through his infected devices.

A zero-day could be compared to a powerful weapon or a material from which a weapon could be created.

With the right set of zero-days, a government could wage cyberwar against competing governments and its own citizens. Governments have enough funds to buy collections of zero-days and enough personnel to exploit these zero-days accurately.

Most of these zero-days have been traded on the zero-day market, and this happens every day, right under law enforcement, regulators, and corporations' noses.

So, why is the selling of zero-days legal, and why does nobody treat it the same as dealing weapons of mass destruction?

The answer isn’t as straightforward as you might think.

The complicated truth

The zero-day market is a vast structure with several layers and a huge variety of players.

Unlike twenty or thirty years ago, lots of companies offer bug bounty programs where they pay for any vulnerability found in their software, which encourages hackers to earn income legally while making the internet a more secure place.

Some firms and researchers do the same thing, just independently. They look for bugs in the code of popular software and notify the vendors. They might get paid, but in all cases, they get exposure.

This is how the white market works – just the tip of the iceberg. This is what people mean when they talk about zero-days.

Yet there’s a level below this white market, a portion of the market where companies aren’t too fond of being noticed, where researchers don’t advertise their findings, and a lot of them get redacted.

This is known as the gray market, which is not legal but also not illegal. Governments are investing in research and concealing what they find from the public. They pay hackers for their silence and use the zero-days for spying and cyberwarfare. An entirely incomprehensible, ethically dubious, and entirely unregulated space.

But the layers go even deeper. This is the black market.

So, you have the good guys working openly to hunt for zero-days to expose them, thus making everyone safer. Then you have governments and shady corporations who trade zero-days to stay on top of the cyber warfare game. Then you have criminal organizations that buy zero-days to steal data.

If you want to learn more about the zero-day market in-depth, check out our latest video on the Cybernews YouTube channel.