A Russian company known as Operation Zero is now offering a payout of $20 million to researchers who can provide hacking tools that can exploit iPhones and Android devices. The company, which acquires and sells zero-day exploits, has increased its payments from $200,000 to the staggering $20 million in an effort to encourage developer teams to work with their platform.
Operation Zero, based in Russia and launched in 2021, stated that their end users are non-NATO countries and that their clients are Russian private and government organizations only. The CEO, Sergey Zelenyuk, declined to provide specific reasons for selling only to non-NATO countries, citing “obvious reasons.”
Zelenyuk also mentioned that the current bounties being offered by Operation Zero may be temporary and dependent on the market and the difficulty of hacking iOS and Android. He explained that the price formation of specific items is heavily dependent on the availability of the product on the zero-day market. Full chain exploits for mobile phones are currently the most expensive products and are predominantly used by government actors.
The market for zero-day exploits has been in existence for at least a decade, with various companies around the world offering bounties to security researchers for selling bugs and hacking techniques. Unlike traditional bug bounty platforms, companies like Operation Zero do not alert the software vendors about the vulnerabilities but instead sell them to government customers. This creates a gray market where prices fluctuate, and the identity of customers is often confidential.
Zerodium, a company launched in 2015, offers up to $2.5 million for a chain of bugs that allows customers to hack an Android device with no interaction from the target. Crowdfense, a competitor based in the United Arab Emirates, offers up to $3 million for the same kind of chain of bugs on Android and iOS.
The market for zero-days is largely unregulated, although some countries may require companies to obtain export licenses from their respective governments. The process involves obtaining permission to sell to certain countries that may be restricted. This regulatory landscape has resulted in a fragmented market that is increasingly influenced by politics. For example, a recently passed law in China requires security researchers to alert the Chinese government about bugs before notifying the software makers. Experts view this law as an attempt by China to corner the market for zero-days and potentially use them for intelligence purposes.
In conclusion, Operation Zero’s new $20 million payout for hacking tools that exploit iPhones and Android devices has attracted attention to the market for zero-day exploits. This market, which has existed for several years, operates in a gray area with fluctuating prices and confidential customer identities. The increase in payout by Operation Zero reflects the demand for full chain exploits for mobile phones and the willingness of government actors to pay high prices to acquire them. The market for zero-days remains largely unregulated, and its dynamics are influenced by political factors.