Tools that enable government hackers to break into iPhones and Android phones, popular software like the Chrome and Safari browsers, and chat apps like WhatsApp and iMessage are now worth millions of dollars — and their price has multiplied in recent years as these products become more difficult to carriage for hire.
On Monday, startup Crowdfense published its updated price list for these hacking tools, which are commonly known as “zero-days” because they rely on unpatched vulnerabilities in software that are unknown to the makers of that software. Companies such as Crowdfense and one of Zerodium’s competitors claim to acquire these zero-days with the goal of reselling them to other organizations, usually government agencies or government contractors, who claim they need the hacking tools to track or spy on criminals .
Crowdfense is now offering between $5 million and $7 million for zero-days to enter iPhones, up to $5 million for zero-days to enter Android phones, up to $3 million and $3.5 million for Chrome and Safari zero-days respectively and $3 to $5 million for WhatsApp and iMessage zero-days.
In his previous price listpublished in 2019, the highest payouts offered by Crowdfense were $3 million for Android and iOS zero-days.
The price hike comes as companies such as Apple, Google and Microsoft make their devices and apps harder to hack, meaning their users are better protected.
“It should be harder every year to exploit whatever software we’re using, whatever devices we’re using,” said Dustin Childs, who heads threat awareness at Trend Micro ZDI. Unlike CrowdFense and Zerodium, ZDI pays researchers to obtain zero-days and then reports them to affected companies with the goal of patching the vulnerabilities.
“As more zero-day vulnerabilities are discovered by threat intelligence groups like Google, and platform protections continue to improve, the time and effort required by attackers increases, increasing the cost of their findings,” he said. Shane Huntley, head of Google’s Threat Analysis Group, which monitors hackers and the use of zero-days.
In a report last monthGoogle said it saw hackers exploit 97 zero-day vulnerabilities in the wild in 2023. Spyware vendors, who often work with zero-day brokers, were responsible for 75% of zero-days targeting Google and Android products, according to with the company.
People in and around the zero-day industry agree that the job of exploiting vulnerabilities is getting harder.
David Manouchehri, a security analyst with knowledge of the zero-day market, said that “hard targets like Google’s Pixel and iPhone are getting harder to hack every year. I expect costs to continue to rise significantly over time.”
“The mitigations that sellers are putting in place are working and it’s driving the whole trade to become much more complex, much more time-consuming and so clearly that’s then reflected in the price,” said Paolo Stagno, director of research at Crowdfense. TechCrunch.
Contact us
Do you know more zero-day brokers? Or for spyware providers? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email. You can also contact TechCrunch via SecureDrop.
Stagno explained that in 2015 or 2016 it was only possible for a researcher to find one or more zero-days and develop them into a full exploit targeting iPhone or Android. Now, he said, “that’s almost impossible,” as it requires a team of many researchers, which also causes prices to rise.
Crowdfense is currently offering the highest publicly known prices to date outside of Russia, where a company called Operation Zero announced last year that it was willing to pay up to $20 million for tools to hack iPhones and Android devices. Prices in Russia, however, may be inflated due to the war in Ukraine and subsequent sanctions, which could discourage or permanently prevent people from doing business with a Russian company.
Public opinion aside, governments and corporations are likely to pay even higher prices.
“Prices Crowdfense offers researchers for individual Chrome [Remote Code Execution] and [Sandbox Escape] The exploits are below market rates compared to what I’ve seen in the zero-day industry,” said Manouchehri, who previously worked at Linchpin Labs, a startup focused on developing and selling zero-days. Linchpin Labs was acquired by the American defense company L3 Technologies (now known as L3Harris) in 2018.
Alfonso de Gregorio, its founder Zeronomiconan Italy-based startup that acquires zero-days, agreed, telling TechCrunch that prices could “definitely” be higher.
Zero days have been used in court-sanctioned law enforcement operations. In 2016, the FBI used a zero-day provided by a startup called Azimuth to break into the iPhone of one of the shooters who killed 14 people in San Bernardino. according to the Washington Post. in 2020, Motherboard exposed that the FBI — with the help of Facebook and an unnamed third-party company — used a zero-day to track down a man who was later convicted of harassing and extorting young girls online.
There have also been several cases where zero-days and spyware have reportedly been used to target human rights dissidents and journalists in Ethiopia, Morocco, Saudi Arabiaand United Arab Emirates, among other countries with poor human rights records. There have also been similar cases of alleged abuse in democratic countries such as Hellas, Mexico, Polandand Spain. (Neither Crowdfense, Zerodium, or Zeronomicon have ever been accused of engaging in similar affairs.)
Zero-day brokers, as well as spyware companies such as NSO Group and Hacking Team, have often been criticized for selling their products to unsavory governments. In response, some of them are now pledging to respect export controls in an effort to curb potential abuses by their customers.
Stagno said Crowdfense follows the embargoes and sanctions imposed by the United States — even though the company is based in the United Arab Emirates. For example, Stagno said the company would not sell to Afghanistan, Belarus, Cuba, Iran, Iraq, North Korea, Russia, South Sudan, Sudan and Syria — all in the U.S. lists of sanctions.
“Whatever the US does, we’re on the ball,” Stagno said, adding that if an existing client was put on the US sanctions list, Crowdfense would drop it. “All companies and governments directly sanctioned by the US are exempt.”
At least one company, the spyware consortium Intellexa, is on Crowdfense’s specific blacklist.
“I can’t tell you if he was a client of ours and if he stopped being,” Stagno said. “However, as far as I’m concerned right now Intellexa could not be our client.”
In March, the US government announced sanctions against Intellexa founder Tal Dilian and a business associate, the first time the government has sanctioned people involved in the spyware industry. Intellexa and its sister company Cytrox were also sanctioned by the US, making it harder for the companies, as well as the people running them, to stay in business.
These penalties have caused concern in the spyware industry, as TechCrunch reported.
Intellexa’s spyware has been reported to have been used against US Congressman Michael McCaul, US Senator John Hoeven and European Parliament President Roberta Metzola, among others.
De Gregorio, Zeronomicon’s founder, declined to say who the company is selling to. On its website, the company has published a code of business ethicswhich includes screening customers to avoid dealings “with entities known to abuse human rights” and respecting export controls.
