The Untold History of America’s Zero-Day Market

“With the breakup of the Soviet Union, you had many people with skills, without jobs,” Sabian explained. In Europe, hackers as young as 15 and 16 were handing their discoveries to zero-day dealers, who then turned around and sold them directly to government agencies and their brokers. Some of the most talented hackers, Sabian told me, were veterans of Israel’s Unit 8200. One of the best was a 16-year-old Israeli kid.

It was a secretive business, and a mind-bogglingly complicated one. Sabian’s team couldn’t just call up hackers, ask them to send their exploits by email, and mail back a check. Bugs and exploits had to be carefully tested across many systems. Sometimes hackers could do this over video. But most of the deals were done face-to-face, often in hotel rooms at hacker conferences.

Sabian’s team became increasingly dependent on these murky intermediaries. For years, he said, his employer sent an Israeli middleman with duffel bags stuffed with half a million dollars in cash to buy zero-day bugs from hackers in Poland and throughout Eastern Europe.

Every step in this insanely complex deal-making relied on trust and omertà. Governments had to rely on contractors to give them working zero-days. The contractors had to rely on middlemen and hackers not to blow the exploit during their own escapades, or to sell it again to our worst enemies. Hackers had to trust that contractors would pay them, not just take their demonstrations and develop their own variation of the bug. This was before bitcoin. Some payments were made through Western Union, but most were made in cash.

You could not dream up a less efficient market if you tried.

This is why, in 2003, when Sabian noticed that iDefense was openly paying hackers for their bugs, he called Waters.

For a businessman like Waters, who was trying to push the market out into the open, what the contractor was doing was foolish, even dangerous.

“Nobody wanted to talk openly about what they were doing,” Waters recalled. “It was a full air of mystery. But the deeper the market, the less efficient it is. The more the market opens, the more mature it is, and the more buyers are in charge. Instead he preferred to work outside Pandora’s box, and prices just kept rising.”

By the end of 2004, there was new demand from other governments and front companies, all of which continued to drive up the price of exploits and made it difficult for iDefense to compete.

As the market expanded, what troubled Waters was not the effect the market would have on iDefense; it was the growing potential for an all-out cyberwar. “It’s like having cyber nukes in an unorganized market that can be bought and sold anywhere in the world,” he said.

The certainty of the Cold War era, with its chilling balance, was giving way to a vast, unknown digital jungle. You could never be quite sure where or when the enemy would arrive.

American intelligence agencies began to rely more and more on cyberespionage to collect as much data as possible about as many adversaries, and allies, as they could. But it was not just espionage. They also sought code that could sabotage infrastructure and take out the grid. Sabian said the number of Beltway contractors eager to traffic in these tools doubled every year.

Large contractors (Lockheed Martin, Raytheon, Northrop Grumman, Boeing) could not hire cyber experts fast enough. They poached from inside the intelligence agencies and acquired small shops like Sabian’s. Agencies began purchasing zero-day exploits from catalogs offered by a zero-day broker in Montpellier, France, which would later rebrand as Zerodium. It set up shop for its best customers in the Beltway and began to openly publish its price lists, offering $1 million (and later $2.5 million) for a tried-and-tested way to remotely hack the iPhone. “We pay big rewards, not bug rewards,” went the slogan. Former NSA operators started their own businesses, such as Immunity Inc., and trained foreign governments in their tradecraft. Some contractors, such as CyberPoint, took their business overseas, stationing themselves in Abu Dhabi, where the Emiratis rewarded former NSA hackers for hacking their enemies, real and perceived. Soon, zero-day merchants such as Crowdfense, which sold exclusively to the Saudis and the Emiratis, began to outbid Zerodium by a million dollars or more. Eventually, those tools would be turned on Americans.