{"id":96433,"date":"2026-04-23T12:05:38","date_gmt":"2026-04-23T09:05:38","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=96433"},"modified":"2026-04-23T12:11:33","modified_gmt":"2026-04-23T09:11:33","slug":"the-zero-day-market-discover-sell-and-keep-quiet","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/the-zero-day-market-discover-sell-and-keep-quiet\/","title":{"rendered":"The zero-day market: discover, sell and keep quiet"},"content":{"rendered":"<p>For years cyberweapons for espionage were thought to be the preserve of a narrow circle of intelligence services. But a US government <a href=\"https:\/\/www.state.gov\/releases\/office-of-the-spokesperson\/2026\/02\/designation-of-russia-based-zero-day-exploits-broker-and-affiliates-for-theft-of-u-s-trade-secrets\/\">investigation<\/a> into Operation Zero has exposed the scale of the zero-day trade. Two markets now surround exploits: one with brokers, price lists and suppliers; and a second where hackerware ends up after leaks or deliberate dumps.<\/p>\n<p>What skimping on intelligence can cost, how much states will pay to crack a smartphone, and how to trust researchers who surface bugs decades on\u2014the answers are in ForkLog\u2019s new report.<\/p>\n<h2 class=\"wp-block-heading\">The players\u00a0<\/h2>\n<p>A zero-day vulnerability is a critical flaw in software or hardware used by hackers before the developer learns of it and ships a fix (a patch). The name hints that creators have zero days to eliminate the threat.<\/p>\n<p>Demand centres not on the bug itself but on the \u201cwindow of opportunity\u201d\u2014the guaranteed period of covert access before detection.<\/p>\n<p>The 0-day market features three sets of participants:<\/p>\n<ol class=\"wp-block-list\">\n<li>The cybersecurity researcher. An individual or team that finds a vulnerability.<\/li>\n<li>The broker. 
Intermediary firms that buy exploits and refine them into ready-to-use commercial products (infection chains) for resale.<\/li>\n<li>The customer. Intelligence and military agencies that want turnkey spying tools\u2014cheaper and safer than recruiting human agents on the ground.<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\">On the edge of legality<\/h2>\n<p>This market long sat in a grey zone, but recent events have shed light on its true scale. In February 2026 the US Treasury and State Department imposed sanctions on the Russian firm \u201cMatrica\u201d (the Operation Zero brand) and its founder, Sergey Zelenyuk.\u00a0<\/p>\n<p>The organisation openly styled itself as a cyberweapons broker. According to materials from the Treasury\u2019s Office of Foreign Assets Control (OFAC), Operation Zero\u2019s cardinal rule was to sell tools to clients outside NATO, in particular to state intelligence bodies.\u00a0<\/p>\n<p>The case hinged on an Operation Zero supplier who stole accesses from a US defence contractor (reportedly L3Harris). From 2022 to 2025 the Australian freelancer Peter Williams pilfered eight 0-day exploits built for intelligence use. He sold them for $1.3m in cryptocurrency.<\/p>\n<p>This was not the first deployment of cyberweapons against US citizens, but it broke the market\u2019s unwritten rules. 
While others tried to balance in the grey zone of \u201cnational security\u201d, Operation Zero chose open confrontation with NATO.<\/p>\n<p>Previously, OFAC\u2019s sanctions list tended to catch malware developers only after high-profile scandals:<\/p>\n<ul class=\"wp-block-list\">\n<li>2021 \u2014 restrictions hit Israel\u2019s <a href=\"https:\/\/www.commerce.gov\/news\/press-releases\/2021\/11\/commerce-adds-nso-group-and-other-foreign-companies-entity-list\">NSO Group<\/a>, creator of Pegasus, which was used to spy on diplomats, journalists and dissidents;<\/li>\n<li>2024 \u2014 for aiding repression and surveillance, sanctions were imposed on the makers of the Predator spyware, <a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/jy2155\">Intellexa and Cytrox<\/a> (Europe, Middle East).<\/li>\n<\/ul>\n<p>Defining a cyberweapons seller\u2019s legality is slippery. The market of official or semi-official (grey) outfits is fiercely competitive, with clear leaders such as the UAE\u2019s Crowdfense. That firm has managed to avoid OFAC lists for several reasons:<\/p>\n<ul class=\"wp-block-list\">\n<li>jurisdiction and export control. Crowdfense is registered in a country with partner ties to the US and its allies. Its leadership says it adheres to strict export-control and compliance rules. The transfer of cyberweapons is regulated much like the trade in conventional arms;<\/li>\n<li>choice of customers. Clients include the <span data-descr=\"intelligence alliance of the US, the UK, Canada, Australia and New Zealand\" class=\"old_tooltip\">Five Eyes<\/span>, as well as allied governments and law-enforcement bodies. For the US, Crowdfense is a lawful contractor supplying weaponry;<\/li>\n<li>legalisation. Crowdfense presents itself as a national-security instrument. When buying a vulnerability, it signs an NDA with the hacker and passes the exploit, say, to security services for tracking terrorists. 
Legally, that is procurement of special equipment.<\/li>\n<\/ul>\n<p>Yet this \u201cwhite zone\u201d is conditional. In practice, a legal player\u2019s status lasts only until its tools are swept up in a public scandal\u2014especially if they enable surveillance of journalists or politicians in Western countries.<\/p>\n<h2 class=\"wp-block-heading\">The price list<\/h2>\n<div class=\"wp-block-text-wrappers-disclamer article_disclamer\"><p><span class=\"gtb_text-wrappers_disclamer_head\">Disclaimer<\/span><\/p>\n<p>This section is for information of public interest only. The ForkLog editorial team condemns cybercrime and all forms of violence.<\/p>\n<\/div>\n<p>Zerodium was the first to haul zero-day trading out of the dark web into the open\u2014formally lawful\u2014arena. Founded in 2015 by cybersecurity researcher Chaouki Bekrar, the firm began publishing public price lists for buying exploits.<\/p>\n<p>The company then refined the purchased accesses and resold them to a small circle of vetted clients\u2014chiefly state intelligence services and law-enforcement agencies in NATO countries.<\/p>\n<p>By the mid-2020s, however, that model had lost its edge. Pressure rose from two directions. On one side came new entrants with substantially deeper pockets, notably Dubai-based Crowdfense. On the other came faster update cycles at Apple and Google: exploit shelf lives shrank and broker risks <a href=\"https:\/\/cyberscoop.com\/ios-zero-day-zerodium-high-supply\/\">grew<\/a>.<\/p>\n<p>Against this backdrop Zerodium\u2019s top payout\u2014about <a href=\"https:\/\/cyberscoop.com\/zerodium-android-zero-days-bounty\/\">$2.5m<\/a>\u2014ceased to look attractive. The market quickly shifted to more aggressive pricing. 
Crowdfense effectively set a new marker: complex exploitation chains neared $10m, and in 2024 the company <a href=\"https:\/\/www.scworld.com\/brief\/crowdfense-expands-exploit-acquisition-program\">allocated<\/a> $30m to an exploit-acquisition programme.<\/p>\n<p>Today the hottest commodity remains a trace-free, zero-click smartphone compromise. At the time of writing the broker <a href=\"https:\/\/www.crowdfense.com\/exploit-acquisition-program\/\">offers<\/a> up to $7m for iOS and up to $5m for Android.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-f46036ccb2faef69-2535882871197663.webp\" alt=\"image\" class=\"wp-image-278871\"\/><figcaption class=\"wp-element-caption\">Price list. Source: Crowdfense.<\/figcaption><\/figure>\n<p>Intermediaries do not notify the vendor, preserving usability for the buyer. That exclusivity lets them write cheques far beyond classic bug bounties from leading software and gadget makers.<\/p>\n<p>In all of 2025 Google\u2019s total bug-bounty payouts <a href=\"https:\/\/bughunters.google.com\/about\/key-stats\">reached<\/a> about $17m. In 2022 the tech giant set a record: $605,000 <a href=\"https:\/\/security.googleblog.com\/2023\/02\/vulnerability-reward-program-2022-year.html\">went<\/a> to a five-bug Android exploit chain.\u00a0<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-c32412d8c9e9c520-2535882865063388.webp\" alt=\"image\" class=\"wp-image-278870\"\/><figcaption class=\"wp-element-caption\">Google\u2019s Android-focused bug-bounty rates. 
Source: <a href=\"https:\/\/bughunters.google.com\/about\/rules\/android-friends\/android-and-google-devices-security-reward-program-rules\">Google<\/a>.<\/figcaption><\/figure>\n<p>In such conditions, security researchers must choose: accept a princely sum knowing an exploit may become a cyberweapon, or work within responsible disclosure.<\/p>\n<p>The biggest name among the \u201c<a href=\"https:\/\/forklog.com\/en\/news\/who-are-the-white-hats-and-how-do-they-protect-the-blockchain-industry\">white hats<\/a>\u201d in this niche is Zero Day Initiative (ZDI). It buys details of vulnerabilities and passes them to Microsoft, Apple or Google, demanding a fix within a set deadline.<\/p>\n<p>ZDI offers up to $1m only for exceptional, highly complex attack vectors during the public <a href=\"https:\/\/www.trendmicro.com\/ru_ru\/zero-day-initiative\/pwn2own.html\">Pwn2Own<\/a> competitions. Day to day, the white broker\u2019s catalogue pays from $500 to $150,000.\u00a0<\/p>\n<p>Beyond direct payouts, ZDI runs an <a href=\"https:\/\/www.zerodayinitiative.com\/about\/benefits\/\">incentives system<\/a> ($1 = 1 point). As points accrue over a calendar year, a researcher gains status and a matching bonus.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-d40a818afe60a9be-2535882892186704.webp\" alt=\"image\" class=\"wp-image-278872\"\/><figcaption class=\"wp-element-caption\">Cumulative rewards. Source: ZDI.<\/figcaption><\/figure>\n<p>Thus the 0-day market is bifurcating: high-margin but opaque versus legal yet far less lucrative. The gap is widening.<\/p>\n<h2 class=\"wp-block-heading\">When weapons migrate to hackers<\/h2>\n<p>The market\u2019s central problem is the impossibility of keeping exploits contained. When intelligence officers deploy 0-days, their code can be intercepted, analysed and copied. 
The tool loses exclusivity and becomes available to groups pursuing simpler, mass attacks.<\/p>\n<p>In spring 2026 two headline cases showed this migration: <a href=\"https:\/\/forklog.com\/en\/news\/cyberattacks-surge-amid-middle-east-escalation-leaked-iphone-spyware-and-other-cybersecurity-news\">Coruna<\/a> and <a href=\"https:\/\/forklog.com\/en\/news\/google-uncovers-darksword-exploit-chain-targeting-iphones\">DarkSword<\/a>.<\/p>\n<p>In March Google Threat Intelligence Group (GTIG) observed use of the Coruna framework, which packed 23 exploits and five full zero-day chains for iOS from versions 13.0 to 17.2.1.\u00a0<\/p>\n<p>Researchers found that Coruna has direct links to <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/kaspersky-discloses-iphone-hardware-feature-vital-in-operation-triangulation-case\">Operation Triangulation<\/a>, a spying campaign in 2023. The source code was most likely written by a US Department of Defense contractor and later resold via brokers on the secondary market.<\/p>\n<p>Coruna\u2019s subsequent path:<\/p>\n<ol class=\"wp-block-list\">\n<li>The framework was used by the hacktivist group UNC6353 (Star Blizzard) for targeted espionage and attacks on Ukrainian users.<\/li>\n<li>The tool fell into the hands of China-based hackers UNC6691. They planted government-grade cyberweapons on fake cryptocurrency and financial sites. Visiting via Safari silently loaded the PLASMAGRID stealer, opening access to device data, including crypto wallets.<\/li>\n<\/ol>\n<p>The other case was DarkSword. Attacks ran via malicious websites: visiting them triggered an infection chain on iPhones, granting full device access without the user\u2019s knowledge.\u00a0<\/p>\n<p>DarkSword\u2019s distribution proved <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones\/\">similar<\/a>: initially it was used by the same UNC6353 group to implant spyware. 
The framework was later modified with the GHOSTBLADE, GHOSTKNIFE and GHOSTSABER infostealers, geared to pilfer financial data, including crypto wallets.<\/p>\n<p>DarkSword\u2019s lifecycle ended with its <a href=\"https:\/\/techcrunch.com\/2026\/03\/23\/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones\/\">leak<\/a> to GitHub in March 2026. Experts believe the developer firm may have gone bankrupt and tried to monetise leftover code on the grey market, leaving a tool at the level of the <span data-descr=\"US National Security Agency\" class=\"old_tooltip\">NSA<\/span> in the open for common cybercriminals.<\/p>\n<h2 class=\"wp-block-heading\">A Bitcoin bug: flaw or feature?<\/h2>\n<p>Amid the exploit trade, a natural question arises: is a discovered vulnerability a programmer\u2019s mistake or a deliberately planted backdoor?<\/p>\n<p>Cybersecurity has a concept of \u201cplausible deniability\u201d. It is the guiding principle for professional backdoors. The ideal planted entry point should look like a trivial flaw\u2014a typo, faulty memory handling or a classic buffer overflow. If a researcher finds such a \u201chole\u201d, the vendor can call it an accident, ship a patch and preserve its reputation. Proving malicious intent in millions of lines of code is nearly impossible.<\/p>\n<p>There are, however, markers that can raise suspicions of a backdoor:<\/p>\n<ul class=\"wp-block-list\">\n<li>non-standard cryptography. The use of little-known or weakened cryptographic constants vulnerable to mathematical attacks;<\/li>\n<li>anomalous logic. Needlessly complex data paths where architecture does not require them;<\/li>\n<li>obfuscation. Deliberate tangling of code in open-source projects, or supply-chain compromise, when malicious code is injected via third-party libraries.<\/li>\n<\/ul>\n<p>Closed or partly closed systems such as iOS or Android are often thought to be more vulnerable because of limited transparency. 
Open-source blockchain projects are sometimes held up as a counterexample. In practice, they offer no guarantees either.<\/p>\n<p>In April 2026 researcher Lo\u00efc Morel <a href=\"https:\/\/forklog.com\/en\/news\/zero-day-flaw-discovered-in-bitcoin-mining-mechanism\">discovered<\/a> a computational flaw in Bitcoin\u2019s difficulty-adjustment mechanism.<\/p>\n<p>Under the protocol, the <a href=\"https:\/\/forklog.com\/en\/news\/how-bitcoin-mining-works\">mining difficulty<\/a> of digital gold is adjusted every 2016 blocks to keep block time near ten minutes. But because of a bug, the timestamp of the last block in the previous period is omitted from the next calculation (it compares 2015 blocks, not 2016).<\/p>\n<p>This gap made a \u201ctime-warp\u201d attack possible. If a miner or pool with overwhelming hashrate exploited the flaw, it could trick the algorithm. The system would conclude that mining took longer than it did and dramatically cut difficulty, enabling bitcoin to be mined at an anomalously high pace\u2014up to six blocks per second.<\/p>\n<p>Recent incidents have prompted a rethink of the role of independent security researchers, for whom financial temptation has become a severe test of professionalism and ethics.<\/p>\n<p>Systems are made by humans, so errors are inevitable. 
While they persist, there will be a market for those who monetise, conceal or even create them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How states buy zero-day exploits, then impose sanctions and fight hackers.<\/p>\n","protected":false},"author":1,"featured_media":96434,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Inside zero-day trade: brokers, prices, sanctions and leaked tools hitting phones and crypto.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[1144],"tags":[18,1301,1111],"class_list":["post-96433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-longreads","tag-bitcoin","tag-blockchain-vulnerabilities","tag-cybersecurity"],"aioseo_notices":[],"amp_enabled":true,"views":"16","promo_type":"1","layout_type":"1","short_excerpt":"Inside zero-day trade: brokers, prices, sanctions and leaked tools hitting phones and 
crypto.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=96433"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96433\/revisions"}],"predecessor-version":[{"id":96435,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96433\/revisions\/96435"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/96434"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=96433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=96433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=96433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}