A company that acquires and sells zero-day exploits — flaws in software that are unknown to the affected developer — is now offering to pay researchers $20 million for hacking tools that would allow its customers to hack iPhones and Android devices.
On Wednesday, Operation Zero announced on its Telegram accounts and on its official account on X, formerly Twitter, that it was increasing payments for zero-days in those platforms from $200,000 to $20 million.
“By increasing the premium and providing competitive plans and bonuses for contract works, we encourage the developer teams to work with our platform,” the company wrote.
Operation Zero, which is based in Russia and launched in 2021, also added that “as always, the end user is a non-NATO country.” On its official website, the company says that “our clients are Russian private and government organizations only.”
When asked why they only sell to non-NATO countries, Operation Zero CEO Sergey Zelenyuk declined to say. “No reasons other than obvious ones,” he said.
Zelenyuk also said that the bounties Operation Zero offer right now may be temporary, and a reflection of a particular time in the market, and the difficulty of hacking iOS and Android.
“The price formation of specific items is heavily dependent on availability of the product on the zero-day market,” Zelenyuk said in an email. “Full chain exploits for mobile phones are the most expensive products right now and they’re used mostly by government actors. When an actor needs a product, sometimes they’re ready to pay as much as possible to possess it before it gets into the hands of other parties.”
For at least a decade, various companies around the world have offered bounties to security researchers willing to sell the bugs and hacking techniques to exploit those flaws. Unlike traditional bug bounty platforms like Hacker One or Bugcrowd, companies like Operation Zero don’t alert the vendors whose products are vulnerable, but instead sell them to government customers.
This is inherently a gray market, where prices fluctuate and the identity of the customers is often secret. But there are and have been public price lists such as the ones published by Operation Zero.
Zerodium, a company that was launched in 2015, offers up to $2.5 million for a chain of bugs that allows customers to hack an Android device with no interaction from the target, meaning the target doesn’t have to fall for a phishing link, for example. For the same type of chain, Zerodium offers up to $2 million, according to its website.
On modern mobile devices, thanks to improved security mitigations and defenses, hackers might need a series of zero-days to fully compromise and take control of a targeted device.
Crowdfense, a competitor based in the United Arab Emirates, offers up to $3 million for the same kind of chain of bugs on Android and iOS.
Referring to the bounties offered by Zerodium and Crowdfense, Zelenyuk said that he doesn’t believe they will ever drop so low.
“The Zerodium price sheet is outdated, but it doesn’t mean the company still buys for such low prices. They just don’t need to update them, the zero-day business works fine regardless of that,” said Zelenyuk.
The market for zero-days is largely unregulated. But in some countries, companies may have to obtain export licenses from the governments they operate from. This process essentially entails asking permission to sell to certain countries, which may be restricted. This has created a fractured market that is increasingly affected by politics. For example, a recently passed law in China mandates that security researchers alert the Chinese government of bugs before they alert the software makers. This law, according to experts, effectively means China is cornering the market for zero-days in an attempt to use them for intelligence purposes.
“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft said in a report from last year.