The untold story of the U.S. zero-day market


“With the breakup of the Soviet Union, you had a lot of people with skills, unemployed,” Sabien explained. In Europe, hackers, some as young as 15 and 16, traded their findings with zero-day merchants who turned around and sold them directly to government agencies and their brokers. Some of the most talented hackers, Sabien told me, were in Israel, veterans of Israel’s Unit 8200. One of the best was a 16-year-old Israeli boy.

It was a secret and incredibly complicated matter. Sabien’s team couldn’t exactly call the hackers, ask them to email their exploit, and return them a check. Bugs and exploits had to be thoroughly tested on multiple systems. Sometimes hackers can do this by video. But most of the deals were done face to face, often in hotel rooms at hacker conventions.

Sabien’s team relied more and more on these obscure intermediaries. For years, he said, his employer sent an Israeli middleman with gym bags filled with half a million dollars in cash to buy zero-day bugs from hackers in Poland and across Europe.

Every step of this incredibly complex transaction structure was built on trust and omertà. Governments had to trust contractors to deliver a zero-day that worked. Contractors had to trust middlemen and hackers not to burn the exploit on their own escapades, and not to sell it to our worst enemies. Hackers had to trust that the contractors would pay them, rather than simply take the demonstration and develop their own variant of the bugs. This was before bitcoin. Some payments were made via Western Union, but most were made in cash.

You couldn’t imagine a less efficient market if you tried.

That’s why, in 2003, Sabien took note that iDefense was openly paying hackers for their bugs and called Watters.

For a businessman like Watters, who was trying to bring the market into the open, what the contractors were doing was foolish, even dangerous.

“No one wanted to talk openly about what they were doing,” Watters recalls. “There was all this air of mystery. But the darker the market, the less efficient it is. The more open the market, the more it matures, the more buyers are in the driver’s seat. Instead, they chose to step out of Pandora’s Box, and the prices kept going up.”

By the end of 2004, there was new demand from other governments and shell companies, all of which continued to drive up the price of exploits and make it difficult for iDefense to compete.

As the market grew, what troubled Watters was not the effect the market would have on iDefense; it was the growing potential for all-out cyber warfare. “It’s like having cyber nuclear weapons in an unregulated market that can be bought and sold anywhere in the world without discretion,” he told me.

The certainty of the Cold War era – with its frightening balance – gave way to a vast unexplored digital wilderness. You didn’t know exactly where the enemy would appear or when.

US intelligence agencies started to rely more and more on cyber espionage to collect as much data on as many adversaries and allies as possible. But it wasn’t just espionage. They were also looking for code that could sabotage infrastructure and take down networks. The number of Beltway contractors eager to traffic in these tools started to double each year, Sabien said.

The big contractors – Lockheed Martin, Raytheon, Northrop Grumman, Boeing – couldn’t hire cyber specialists quickly enough. They poached from inside the intelligence agencies and acquired small shops like Sabien’s. Agencies began sourcing zero-day exploits from catalogs offered by Vupen, a zero-day broker in Montpellier, France, which would later be renamed Zerodium. It set up closer to its best customers in the Beltway and began publishing its price lists openly online, offering up to $1 million (and later $2.5 million) for a proven way to hack the iPhone remotely. “We pay BIG bounties, not bug bounties,” the slogan read. Former NSA operators started their own businesses, like Immunity Inc., and trained foreign governments in their craft. Some contractors, like CyberPoint, took their business abroad, setting up in Abu Dhabi, where the Emiratis generously rewarded former NSA hackers for hacking enemies, real and perceived. Soon zero-day resellers like Crowdfense, which sold exclusively to the Saudis and Emiratis, began to outbid Zerodium by a million dollars or more. Eventually, these tools would be turned against Americans.
