Gray market exploit brokers are alive and well, and the latest sign of this thriving market comes in the form of a bidding war for zero-day exploits against the messaging app Signal, started by a relatively new vendor.
Russia-based OpZero recently drew attention with a $1.5 million offer for Signal Remote Code Execution (RCE) exploits, triple the long-stable ceiling offered for the same class of exploit by the American company Zerodium.
Cybersecurity experts say this particular bidding war reflects the Russian government’s desperation to gain surveillance capabilities over Ukrainians who use Signal to communicate. But price action on this front also offers a microcosm of the broader reliance of gray market clients (mostly governments) on intermediary brokers.
The shady “Gray Hat” world of cybersecurity exploit brokers
These brokers are sometimes independent traders, sometimes thinly disguised fronts for national intelligence agencies buying from security researchers interested in profiting from their exploit work.
The market works on the principle of “don’t ask me questions and I won’t tell you lies,” researchers say. Brokers have no qualms about working with both white hat and black hat security researchers, and exploit developers don’t ask how their exploits are used or by whom. This arrangement places the market in a murky middle ground between the vendor-driven, highly structured bug-bounty vulnerability market and the chaotic and patently criminal activity of the dark web, which is dominated by black hats.
“Exploit brokers act as market makers by contracting with suppliers (security researchers) who manage a portfolio of exploits and selling them to buyers (actors deploying offensive cyber operations),” says a recent paper on the gray market for exploits presented at the 21st Workshop on the Economics of Information Security (WEIS’22) in Tulsa, Oklahoma earlier this year.
“This allows brokers to manage transaction costs more efficiently compared to sellers and buyers who deal directly with each other. Additionally, brokers provide a layer of insulation against reputation and legal consequences,” the paper explained, adding that the price of exploits on the gray market has risen 1,240% over the past six years.
War in Ukraine triggers Signal exploit bidding war
Perhaps one of the most high-profile and prolific players in the market is Zerodium, an American company with a covert client list of “government institutions primarily from Europe and North America,” according to the company’s FAQ.
The company offers up to $2 million for iOS bugs and publishes many standing offers for exploits across a range of operating systems and applications. Since 2017 it has had a permanent offer of “up to” $500,000 for exploits of Signal and other messaging apps, including Facebook Messenger, WhatsApp and Telegram.
OpZero’s entry into the mix with an offer at triple that price has experts such as security researcher The Grugq positing that the company is a proxy for Russian intelligence agencies “desperate” for Android and Signal exploits.
“Android has almost 80% market share in Ukraine and Signal has over 2 million daily active users,” The Grugq recently wrote. “Android phones with Signal are robust security platforms. They’re not military gear, but they’re perfectly capable of providing protection against a wide range of security threats. Including nation-state threat actors. Russia doesn’t seem to have Android or Signal capability.”