Price of zero-day exploits rises as companies harden products against hackers

Tools that allow government hackers to break into iPhones and Android phones, popular software like the Chrome and Safari browsers, and chat apps like WhatsApp and iMessage, are now worth millions of dollars — and their price has multiplied in the last few years as these products get harder to hack.

On Monday, startup Crowdfense published its updated price list for these hacking tools, which are commonly known as “zero-days” because they rely on unpatched vulnerabilities in software that are unknown to the makers of that software. Companies like Crowdfense and one of its competitors, Zerodium, claim to acquire these zero-days with the goal of reselling them to other organizations, usually government agencies or government contractors, which claim they need the hacking tools to track or spy on criminals.

Crowdfense is now offering between $5 million and $7 million for zero-days to break into iPhones; up to $5 million for zero-days to break into Android phones; up to $3 million and $3.5 million for Chrome and Safari zero-days, respectively; and $3 million to $5 million for WhatsApp and iMessage zero-days.

In its previous price list, published in 2019, the highest payouts that Crowdfense was offering were $3 million for Android and iOS zero-days.

The increase in prices comes as companies like Apple, Google, and Microsoft are making it harder to hack their devices and apps, which means their users are better protected.

“It should be harder year over year to exploit whatever software we’re using, whatever devices we’re using,” said Dustin Childs, who is the head of threat awareness at Trend Micro ZDI. Unlike Crowdfense and Zerodium, ZDI pays researchers to acquire zero-days, then reports them to the companies affected with the goal of getting the vulnerabilities fixed.

“As more zero-day vulnerabilities are discovered by threat intelligence teams like Google’s, and platform protections continue to improve, the time and effort required from attackers increases, resulting in an increase in cost for their findings,” said Shane Huntley, the head of Google’s Threat Analysis Group, which tracks hackers and the use of zero-days.

In a report last month, Google said it saw hackers use 97 zero-day vulnerabilities in the wild in 2023. Spyware vendors, which often work with zero-day brokers, were responsible for 75% of zero-days targeting Google products and Android, according to the company.

People in and around the zero-day industry agree that the job of exploiting vulnerabilities is getting harder.

David Manouchehri, a security analyst with knowledge of the zero-day market, said that “hard targets like Google’s Pixel and the iPhone have been becoming harder to hack every year. I expect the cost to continue to increase significantly over time.”

“The mitigations that vendors are implementing are working, and it’s leading the whole trade to become much more complicated, much more time-consuming, and so clearly this is then reflected in the price,” Paolo Stagno, the director of research at Crowdfense, told TechCrunch.

Stagno explained that in 2015 or 2016, it was possible for only one researcher to find one or more zero-days and develop them into a full-fledged exploit targeting iPhones or Androids. Now, he said, “this thing is almost impossible,” as it requires a team of several researchers, which also causes prices to go up.

Crowdfense currently offers the highest publicly known prices to date outside of Russia, where a company called Operation Zero announced last year that it was willing to pay up to $20 million for tools to hack iPhones and Android devices. The prices in Russia, however, may be inflated because of the war in Ukraine and the subsequent sanctions, which could discourage or outright prevent people from dealing with a Russian company.

Outside of the public view, it’s possible that governments and companies are paying even higher prices.

“The prices Crowdfense is offering researchers for individual Chrome [Remote Code Execution] and [Sandbox Escape] exploits are below market rate from what I have seen in the zero-day industry,” said Manouchehri, who previously worked at Linchpin Labs, a startup that focused on developing and selling zero-days. Linchpin Labs was acquired by U.S. defense contractor L3 Technologies (now known as L3Harris) in 2018.

Alfonso de Gregorio, the founder of Zeronomicon, an Italy-based startup that acquires zero-days, agreed, telling TechCrunch that prices could “certainly” be higher.

Zero-days have been used in court-approved law enforcement operations. In 2016, the FBI used a zero-day provided by a startup called Azimuth to break into the iPhone of one of the shooters who killed 14 people in San Bernardino, according to The Washington Post. In 2020, Motherboard revealed that the FBI — with the help of Facebook and an unnamed third-party company — used a zero-day to track down a man who was later convicted for harassing and extorting young girls online.

There have also been several cases where zero-days and spyware have allegedly been used to target human rights dissidents and journalists in Ethiopia, Morocco, Saudi Arabia, and the United Arab Emirates, among other countries with poor human rights records. There have also been similar cases of alleged abuse in democratic countries like Greece, Mexico, Poland, and Spain. (Neither Crowdfense, Zerodium, or Zeronomicon, have ever been accused of being involved in similar cases.)

Zero-day brokers, as well as spyware companies like NSO Group and Hacking Team have often been criticized for selling its products to unsavory governments. In response, some of them now pledge to respect export controls in an effort to limit potential abuses from their customers.

Stagno said that Crowdfense follows the embargoes and sanctions imposed by the United States — even if the company is based in the United Arab Emirates. For example, Stagno said that the company wouldn’t sell to Afghanistan, Belarus, Cuba, Iran, Iraq, North Korea, Russia, South Sudan, Sudan, and Syria — all on U.S. sanctions lists.

“Everything the U.S. does, we are on the ball,” Stagno said, adding that if an existing customer gets on the U.S. sanctions list, Crowdfense would abandon it. “All the companies and governments directly sanctioned by the USA are excluded.”

At least one company, spyware consortium Intellexa, is on Crowdfense’s particular blocklist.

“I can’t tell you whether it has been a customer of ours and whether it has stopped being one,” Stagno said. “However, as far as I am concerned now at this moment Intellexa could not be a customer of ours.”

In March, the U.S. government announced sanctions against Intellexa’s founder Tal Dilian as well as a business associate of his, the first time the government imposed sanctions on individuals involved in the spyware industry. Intellexa and its partner company Cytrox was also sanctioned by the U.S., making it harder for the companies, as well as the people running it, to continue doing business.

These sanctions have caused concern in the spyware industry, as TechCrunch reported.

Intellexa’s spyware has been reported to have been used against U.S. congressman Michael McCaul, U.S. senator John Hoeven, and the president of the European Parliament Roberta Metsola, among others.

De Gregorio, the founder of Zeronomicon, declined to say who the company sells to. On its site, the company has published a code of business ethics, which includes vetting customers with the goal of avoiding doing business “with entities known for abusing human rights,” and respecting export controls.

Investors’ pledge to fight spyware undercut by past investments in US malware maker