Zero-day exploits for the “big two” mobile operating systems generally go for just $1 million to $3 million if they are particularly good, and often sell in the “mere” low hundreds of thousands of dollars if functional and useful. A Russian firm of uncertain backing called “Operation Zero” appears to be shaking up that market, offering up to $20 million if hackers and researchers come to them first.
That “up to” is a key piece of language, however, as the outfit is offering a floor of $200,000, something much more in line with typical pricing for mobile zero-day exploits. As to why it is seemingly offering massive overpayments, Operation Zero claims that the market is undervalued and that most of its competitors have not updated their publicly advertised prices in some time and already pay more for the best stuff on the market.
Inflation in the zero-day exploits market as upstart outfit offers huge payments
Operation Zero launched in 2022 and advertises for zero-day exploits via a Telegram channel and an X account. The group says that it currently only sells to Russian and Middle Eastern companies and government organizations, and that it will only deal with non-NATO countries.
There are a number of theories on why Operation Zero is suddenly offering so much for zero-day exploits. The simplest is that they don’t actually intend to pay anywhere near the $20 million maximum. But it could be that the market has moved substantially, as Operation Zero CEO Sergey Zelenyuk (a former researcher for Kaspersky Labs) claims. It is more difficult than ever to hack both iOS and Android, and successful exploits now generally require a chain of several vulnerabilities that might have individually sold for good money in years past.
If the client is the Russian government, there might also be willingness to overpay if they are guaranteed first dibs on anything really good. World governments are usually the leading clients and the highest bidders for zero-day exploits with others such as China, North Korea and Iran perpetually in the mix.
Zelenyuk believes that the premium prices and “competitive plans and bonuses for contract works” will prompt developers of exploits to make a beeline for the platform. Those interested in profit over everything else are already vendors to an assortment of similar outfits, such as Crowdfense (which offers up to $3 million for zero-day exploits) and Zerodium (which has been known to offer $2 to $2.5 million). These “gray market” dealers certainly top legitimate bug bounty platforms and manufacturer bounties, which only very rarely get into the millions of dollars.
Hot market for zero-day exploits as governments seek upper hand in spyware
While governments are usually the highest bidders for zero-day exploits, the NSA issued a report last year warning that some of the biggest Russia-based ransomware groups are wealthy enough that they can afford them as well. There is no confirmed link between Operation Zero and ransomware squads as of yet, but the company’s offer to sell to “private” groups in Russia does not preclude the likes of CLOP or LockBit from doing business with them.
One of the interesting twists in this underground market is that some governments have slapped export licenses on any discovery of zero-day exploits, requiring permission for them to be sold to overseas entities. The most prominent example is China, which has a law in place requiring that any hackers or researchers that discover exploits first notify the government before anyone else. This has raised the natural suspicion that the Chinese government is simply taking all exploits discovered in the country for itself and sitting on them for future deployment.
China and Russia are far from the only governments in the market for zero-day exploits, however. The “Vault 7” leaks revealed that the CIA has at least been an active purchaser in the past, given a budget of $25 million in 2013 expressly for the purpose of purchasing zero-days. Certain US defense contractors specialize in this area of research, and the government generally buys from them rather than the open underground marketplaces in foreign countries.
Governments often stockpile zero-day exploits for particular intelligence-gathering situations and uses. The approach is feasible as the average lifespan of a zero-day is about seven years, and generally ranges from about five to nine years of usability once discovered. Zero-days can be addressed by accident via software updates, but are generally not removed until they are spotted in active exploitation in the wild. But once a zero-day is discovered by the manufacturer, it generally has no more than a week to live before it is patched out.
Casey Ellis, Founder and CTO at Bugcrowd, notes that these sales are also usually highly regional due to the risks of crossing the wrong national lines: “Given that Russia is OFAC sanctioned, working with Operation Xero will be in violation of technology transfer sanctions, as well as financial transfer sanctions. Also, the range of $200K to $20M is incredibly broad, and $20M is currently an irrationally high offer for a full mobile chain under this model.”
Kern Smith, Mobile Security Expert at Zimperium, cautions that zero-day exploits are not the only tool in the toolbox of these groups: “Mobile devices are central to our personal and professional lives, and as such are a prime target for both nation state, and non-nation state actors. We have seen an exponential increase in attacks targeting mobile devices year over year, including the use of zero day exploits. While zero day mobile exploits for both iOS and Android are some of the most valuable tools in any actors arsenal, we are also seeing more and more attacks that are not reliant on OS vulnerabilities, such as malware, and phishing campaigns explicitly targeting mobile devices regardless of the OS. Mobile devices represent some of the most valuable and vulnerable targets for organizations and individuals, with high ROI, and low risk for attackers, and this grey market is prioritizing that accordingly.”