The world of zero-day exploits is an opaque market that has long resisted public scrutiny, but some outfits do offer general indicators of price. Chains of exploits that can reliably compromise Apple or Android phones usually top out at $2 to $3 million, or at least that is what the best prior public information indicated.
A relatively new Russian outfit called “Operation Zero” has made major waves by offering up to $20 million for successful zero-day exploits, a price that would previously have been thought crazy for anything but perhaps the most advanced possible techniques (such as the Pegasus zero-click exploits of iMessage). That offer comes with caveats, so it is very possible that the group is just looking to drum up free press, but there are also some indicators that the market has indeed gone up substantially as it becomes more difficult to hack phones.
Zero-day exploits bid up by governments, major ransomware groups
The two well-funded groups that are interested in zero-day exploits are governments and ransomware groups. Governments can usually outspend criminal gangs by a country mile, but some of the biggest ransomware groups are now amassing such huge amounts of stolen funds that they are viable bidders as well.
It is unclear if Operation Zero is willing to sell to criminals. The group says that it will not allow zero-day exploits to “fall into the wrong hands,” but also says that it sells to “private” interests in Russia. It definitely sells to the Russian government, something it advertises openly. This may be why it is able to command above-market prices for some of its inventory. It has also expanded into the Middle East recently, courting governments there.
All governments purchase zero-day exploits for their intelligence programs, something even the US has been known to do. But these markets are generally regional, for example with the US exclusively buying from domestic defense contractors rather than underground markets such as Operation Zero. The Russian outfit says that it will not do business with NATO countries, likely facing major trouble from its own government if it did.
Zero-day exploits have a long shelf life. They are generally exploitable for at least five years and can stretch to nine or ten years, usually not exposed until someone uses them in the wild to compromise devices. Phone hacks increasingly require chains of exploits, however, with several used together to actually breach a target device.
While Operation Zero says that it will pay “up to” $20 million for exploits, the minimum it offers is $200,000, something much closer to what is offered by legitimate bug bounty programs.
Operation Zero betting on average payment amounts rising
The new Russian group launched in 2022, headed up by former Kaspersky Labs researcher Sergey Zelenyuk. There are still unresolved questions about how well-funded the organization really is, and how it might have the funds to offer $20 million per exploit if the advertising is legitimate. But the group is on both Telegram and X courting any and all offers, at least within its preferred geographic territories.
Zelenyuk says that these elevated prices are where the market has moved to, and the listed offers of $2 to $3 million from some competitors are outdated and don’t reflect what is actually paid for top zero-day exploits. These prices are certainly not beyond reach for governments that have a specific intelligence use in mind for them.