
Where People Go When They Want to Hack You

May 17, 2024
How do you hack something? We all know the answer. You sit by the computer and hit the keyboard. Some numbers and symbols fly across the screen. If the attack is intense enough, you succeed. Works in movies and TV shows. It should work the same in real life. But no matter how hard you try, no matter how many keyboards you break, you are not going to break good cyber security. For that you need something special, a secret, and to get that secret you have to be part of the deepest, darkest community on the internet. Forget about dark web markets and hacker forums, it's deeper than that. It's a space whose entire existence is based on its cloaking, where the world's best hackers trade secrets for sums of money that change lives, where governments, megacorporations and criminal cartels compete over bits of information that can change the world. Welcome to the zero-day market.

You are standing in front of a tall and strong wall. How do you get to the other side? Walls like this are all over the Internet. They protect company data, the institutions of nations, even people like you. When someone buys a device or an app, the wall is included in the price that people pay to not be hacked. But how do you hack things? How do you get to the other side of that wall? Smaller walls can be scaled or broken; that's what most things like SQL injections and DoS attacks do.

There's even easier access, just by talking your way in; that's called social engineering. But for some walls, even the strongest brute force or the smartest infiltration won't work. You need a better way to enter: approach and inspect the bricks. Maybe one of them is cracked or sticking out enough to give you a foothold; maybe it can be moved to reveal a secret passage. Windows 10 and Mac OS X, some of the most popular operating systems out there, have about 80 million lines of code. If each line were a brick, you could build almost 300 M of wall with them. 80 million bricks: what is the probability that one of them has a defect? In code, a defective brick is a bug, a vulnerability that can be used and exploited, a hole in the system that you can walk through. The companies that build walls don't want defective bricks; their income depends on shipping a safe product. They have entire departments dedicated to finding flaws in the code and pay large sums of money to anyone who can reveal a bug. Every time a company finds a vulnerability in its software, it issues a patch, a fix that replaces the brick and eliminates the vulnerability. So the importance of a security bug is measured by how long ago it was discovered.
Old, well-known bugs are only as good as the patch: a bug discovered two or three days ago is probably being exploited by all the wannabe hackers already, and the patch is already on the way. But if a company has no idea that a bug exists, in other words, if it has known about the bug for zero days, that's another story. A useful zero-day is the holy grail of hacking: a secret vulnerability that can be exploited to breach the security of a device, an application or an entire network. You are not just getting past the wall; nobody even suspects you're doing it. But good zero-days are hard to find. To find one, you have to be better at finding bugs than all the engineers hired by the wall-building company, and even then you can spend ages staring at the code looking for a useful bug. Or you can find someone who has already done it.
This is Bugtraq, a mailing list that goes back to the early 90s, where you can find thousands of what used to be zero-days. For a long time, the hackers on it really had very little interest in money. In the beginning, when they found exploits, and when I say the beginning, I mean mainly the 90s, they went to the companies that had written this sloppy software, like HP, Oracle, Microsoft, Sun Microsystems, and they would say, hey, I found this bug in your software; it's a zero-day, by the way. This is Nicole Perlroth, a New York Times journalist who spent years researching the zero-day market, and much of what we know about its history comes from her reporting. To create this story we reached out to experts like her who have hands-on experience. Finding and contacting them is a little harder than it seems. The only reason we can do this is you, our viewers, and we are grateful for every show of support you can give, whether it's a like, a subscribe or a comment; a small gesture can go a long way.

The first hackers tried to contact companies and notify them about zero-days in their software, and instead of looking at this like, oh, thank you for the free quality control, companies often responded with a letter from their general counsel saying that if you snoop around our software again, we'll see that you go to prison. So, Bugtraq: create a snappy identifier, hide behind a proxy, take your zero-day and mail it to thousands of hackers around the world. The community obtains valuable information; the company is punished. As the years went by, this state of affairs began to change into something unrecognizable. There is a wall, and you really need to get to the other side. You have money, you have connections, you have resources; all you need is a clue. You go to Bugtraq and look for names. There is Aleph One and dozens of other handles, many very capable people who do a lot of work for free, but maybe some of them would like a little compensation. You choose one and send an email: a polite and well-measured offer, and a sum more than what they earn in a year, more than the software company is willing to pay for the same bug. There are very few problems that a bottomless budget cannot solve. Years go by doing the same thing over and over again. You establish stronger connections, networks. Some people are trustworthy, others not so much; you keep the trustworthy close and the dangerous ones even closer. You are not the only one who buys, and your contacts are not the only ones who sell. A market begins to form and grow. With just a few emails you get zero-days that can get around any wall, and even if you have trouble finding sellers, there might be a solution for that: a middleman.
Zero-day broker companies emerge, with shady names and even shadier backgrounds, willing to help you in your fight. They can find whoever you need and will carry out the transaction, including confirming whether the merchandise works and attesting to its effectiveness. They are very much a matchmaking service. A government could, you know, post anonymously on Reddit or on some underground forum, I want to buy an exploit, but then you're dealing with an unknown party. You have issues with escrow, trust on the buyer's side and trust on the seller's side, so these exploit brokers work as intermediaries and matchmakers. They keep funds in escrow and then confirm that the vulnerability really works, in many cases even before negotiating the agreement, and then of course for all those services they take a percentage cut. So you purchase a piece of information from a broker or an anonymous online hacker, confirm that the vulnerability works, and develop an exploit: a piece of malware that can reliably turn a broken piece of code into a safe passage through the wall. Then you use it.

What you are seeing now is an exploit. Not a real one, but a reconstruction that a researcher managed to piece together after recovering the traces of an attack on his phone. It is designed to infect iPhones through an invisible iMessage. The user never receives a notification, not even a flash on the screen. A piece of code just slides in and remains completely silent. It begins to exploit a particular bug, a flaw that existed in Apple software for decades, a remnant of a feature that was discontinued a long time ago, a warped brick that once held up a wall but no longer does. After sliding through the code it takes a small part of the phone's memory, just enough to do some minor things. Using this memory, the message finds another, larger hole in the wall, another zero-day, through which even more malicious code can be loaded from the outside. But once you're inside, you can use it.
The new code is more powerful and begins a war against the phone's native systems. A brief battle rages under the unsuspecting user's fingers until the invading code uses yet another vulnerability that allows it to bypass all defenses. In several seconds the iPhone is conquered. Finally, one more vulnerability is used to gain access to and take over the Safari browser. Now the phone is at the mercy of the intruder and will report everything the owner sees or hears. A four-zero-day chain: a complete attack chain held together by very well-written code that gives you unrestricted access to any iPhone on the planet.

The researchers called this chain Operation Triangulation, a strange name for an attack that has four prongs, not three, but who are we to judge the strangely named wizards? These exploits are incredibly powerful and incredibly dangerous, and to obtain that kind of capability you have to pay the price. As with almost anything on an open market, the price is a reflection of usefulness. One of the few glimpses we have into the cost of an attack like Triangulation is a listing from Zerodium, a major brokerage firm that actually publishes its prices. According to Zerodium, a zero-day that allows you to bypass a phone passcode or PIN is today worth up to $100,000. A zero-day that lets you access a chat app, a web browser or an email client could cost up to half a million. Zero-days that give you access to someone's phone without any interaction on the target's part can cost between two and $2.5 million. So, millions of dollars to access a phone, and that's not counting the salaries of the small army of hackers who wrote the exploit to make the zero-day usable.
These are not the amounts of money you pay to keep an eye on your cheating fiancé. The people who use these attacks aim much higher. The largest demographic of buyers, you know, in the open markets, is probably the governments. I mean, you know, they have money that cybercriminals can't touch, not even, possibly, some of these larger ransomware gangs, and the value that they get from the intelligence that they get with these zero-days is not measured in dollars and cents. Some zero-days are harmless, you know? You find a bug in the code and it could be in a system that is not widely used, or even if it is used by some niche audience, it is not that interesting, it is not worth the effort to get into that system. But the systems that hackers and nation states spend a lot of time on right now, there's iPhone software, Android software, software that touches critical infrastructure, software that touches, like I said, you know, cryptocurrency systems, wallets that could make you a lot of cash in cryptocurrency. We might never know the real cost of Operation Triangulation; there are only a small handful of brokerage companies that publish their prices, and many more that do not.
The actual cost of a zero-day, let alone an exploit, can vary greatly. A good example of this is Operation Zero, a broker that appeared a few years ago. In September 2023, it offered the highest price for an exploit ever recorded: $20 million for an attack chain. Things like Operation Triangulation could cost at least as much or even more. All this to gain access to a phone, a small device that tracks its users. But some targets of this type of attack are larger. A zero-day purchased for a similar price could gain entry to a desktop computer, or an industrial controller, or an entire network that maintains the infrastructure of a factory, a military base, a city. Stuxnet, one of the most advanced examples of malware, used a chain of four zero-days to enter an Iranian nuclear facility and disable it. NotPetya, the most damaging cyberattack ever recorded, used a single zero-day to paralyze an entire country for several days, causing billions of dollars worth of damage to international companies that operated there. The phone of Jamal Khashoggi, a journalist murdered by the government of Saudi Arabia in 2018, was monitored and tracked by the government after his devices were infected using zero-days.
Until now, we have been comparing a zero-day to a defect in a wall, a brick that reveals a hidden doorway. This comparison is pretty harmless, maybe a little too harmless. A zero-day could also be compared to a weapon or, more correctly, a material from which a weapon can be made, a weapon more powerful than almost anything in the world. With the right set of zero-days, a government can wage cyber war, both against competing governments and against its own citizens, because for a government with enough funds to purchase such a collection and enough trained personnel to exploit it properly, there is no longer any security that poses an obstacle. And most of these zero-days were at some point traded on the zero-day market: bought, sold and shared.
This happens every day, right under the noses of regulators, law enforcement and corporations, who can't and won't do anything to combat it. Why is zero-day trading even legal, and why does no one treat it with even a fraction of the seriousness that people treat selling weapons of mass destruction? Well, the answer is a bit complicated. The zero-day market is a sprawling structure with several levels and a wide variety of players. Today it seems harmless at first glance. Unlike 20 or 30 years ago, many companies offer bug bounty programs, paying for any vulnerabilities found in their software, and they encourage hackers to earn income legally and make the Internet safer in the process. Some companies and researchers do the same but independently: they look for bugs in popular software, notify vendors, sometimes get paid, and in any case gain exposure, the corporate version of hacker credibility. This is how the white market works: the tip of the iceberg, what most people mean when they talk about zero-days. But there is a level below, the part of the market where the companies do not have catchy names and don't really like to attract attention.
Researchers there do not advertise their findings, and many of those findings are redacted. You can search LinkedIn and find contractors who are hiring for vulnerability research, and they require a security clearance, which is not an anomaly in the US. But make no mistake about it: every government is researching zero-days, or buying them, or probably some combination of the above. This is the gray market. Strictly speaking, it is not legal, but it is not illegal either. Governments are investing in research and hiding what they find from the public, paying hackers for their silence and using zero-days for espionage and cyber warfare.
It is difficult to understand, it is morally dubious and it is totally unregulated. But there is also a level below that: finally, we reach the black market. Governments sometimes are, if there are international regulations limiting their ability to purchase exploits on the gray market, going to the black market. A lot of illegal activity takes place on the black market, and the value is much higher than the white market; the black market could be 10 to 100 times higher for exploits than the white market. So you will find many international criminal networks and organizations, some rogue governments, non-state actors of various types operating there illicitly. Recently, the world witnessed a very revealing example of exactly what this is about: an application called MOVEit, a file transfer tool similar to WeTransfer or OneDrive.
It has a boring interface and a moderate market share. It's safe to say you've probably never used it unless you worked in a major corporation or government office. Before 2023, most of its clients were bigwigs like Sony and the US Department of Energy. In June 2023, Clop, a major ransomware gang, acquired a zero-day vulnerability in the MOVEit software. It was used immediately to breach the service and steal the data of all its customers, and the result was the largest ransomware attack in recent years. Clop's list of victims includes more than 22,000 companies and almost 90 million people, more than the population of countries like Germany or France.

Clop began to extort companies by threatening to reveal their secrets if they did not pay the ransom. We will never know how many companies relented, but payments were most certainly made, making many very, very rich criminals, all thanks to a single zero-day. So it started with nation states and their contractors, and like most of these techniques and tools, it has now migrated to cybercriminals, and in recent years we have seen cybercriminals use zero-day exploits in various ransomware attacks, or hacks of cryptocurrency exchanges or wallets, and that kind of thing. So that's the black part of the zero-day market. Everything seems pretty clean and organized: there are the good guys who work openly and look for zero-days to expose them and make everyone safer; there are shady governments and companies that trade zero-days to stay on top of the cyber warfare game; and there are criminal organizations that buy zero-days to steal data.
You can read all about it on Wikipedia or anywhere, but this structure is clear only from the surface. When you start to look at the market more closely, the lines start to blur and things get worse. Let's go back to Operation Triangulation, an exploit that used four zero-days to gain access to any iPhone. This operation was discovered after researchers from Kaspersky, a Russian cybersecurity company, accidentally detected its traces on their own phones. The researchers admitted that it is the most complex and advanced attack they have ever faced. It has all the telltale signs of a state-sponsored hacker army, and a very powerful one. At the same time, the Federal Security Service, the Russian analogue of the US NSA, announced that it had discovered the same attack patterns on thousands of Russian government officials' phones. The service said that they managed to identify the attacker: a US intelligence agency that spied on Russian citizens in this unprecedented international attack. According to the FSB, this attack had to be coordinated with Apple, which would not allow bugs like those to remain in its systems for no reason. But then there is Operation Zero, the company that offered 20 million dollars for the same attack chain, which hints that the attack is more than possible without Apple's participation. As with most vendors, we know very little about Operation Zero, but one thing we know, and it is something the company is proud and loud about, is that it sells its exploits only to Russian intelligence agencies and companies.

Another thing we know is that it was founded by a former Kaspersky employee, the same company that was later attacked by Operation Triangulation. So if a citizen of the United States sold a zero-day to Zerodium, from where it would go to the NSA, that would be working on the gray market. To sell the same bug to Operation Zero, the citizen would have to enter the black market. For a Russian hacker who discovered the same zero-day, the situation would be strictly the opposite: contacting Operation Zero would make them a millionaire, and contacting Zerodium would probably land them in jail. But only a small minority of hackers live in the United States or Russia.
Every country in the world aspires to gain an advantage in cyberspace, and each of them sets its own rules according to its alignment. Each has its own white, gray and black markets, and because the world is as interconnected as it is, nothing stops a government from approaching the black market of other governments. Governments that are not looking for morally dubious things, uh, generally use the gray and the white markets to get those types of vulnerabilities. If they go to the black market, it's really because they can't access it any other way, and it becomes quite complicated.

Both Zerodium and Operation Zero are pretty straightforward: they sell to their own governments and are transparent about it. But when it comes to brokers, those two are an exception. Most zero-day companies work completely in the shadows. What they sell, who they sell to, and who works for them is a total secret, and, as far as we know, they often use it to further blur the lines between markets, whether by accident or not entirely. So they may not actually sell to sanctioned regimes, because that would obviously be illegal, but they probably aren't doing as much due diligence as you otherwise might want, um, and even in some cases, um, you know, through that lack of due diligence they would be working, possibly unknowingly, with some questionable cyber players. But then we have these high-profile incidents where groups like Hacking Team, which was based in Milan, Italy, um, get hacked, and we say, oh, they're selling to African nations that have horrible human rights records, or to Russia, which initially might not have fit with these hackers' moral calculus about who is a good country and who is a bad country, who has a free press and who doesn't. And thanks to all this secrecy and all this confusion, imposing any kind of regulation on the zero-day market, or even going after anyone who crosses the line, becomes almost impossible.
Prosecuting someone who is anonymous and who facilitates anonymous purchases is very complicated, even when you know the party is involved, and nobody likes to do that, because they also want to see the brokers as sources of information. So for them it is better to give immunity to the broker and have them cough up everything they know about the deal and then go after the others, creating additional interested parties to cover everything up even more, which is why they are not very likely to be prosecuted. That is how the zero-day market operates: without regulation, without prosecution, always at the limit of legality and morality, extensive and complex and at the same time almost invisible and completely opaque. For people who find out about it for the first time, it is difficult to have any kind of positive reaction. After all, we are talking about clandestine sales of weapons that can be, and sometimes are, used against each of us, so the urge to directly regulate or ban may be overwhelming, no matter how difficult or impossible it may seem. But there may be a different perspective on it, a perspective held by many people who used to work in intelligence agencies and witnessed what governments use their zero-days for. Yeah, this one is quite complex for me. You know, I'm not speaking purely from opinion; a little bit of it is from experience. Um, I think it's known at this point, you know, I'm a former intelligence professional and a former government hacker, right, and so, you know, I've seen first-hand the value of retaining a zero-day purely for, you know, purely for offensive purposes. Of course there is a risk, and that's why the US government, you know, has the Vulnerabilities Equities Process, where very smart, very educated people from different government agencies meet over zero-days: we have knowledge of it, and we may or may not have put it together, it may be available for sale, what do you have? And they discuss the value of using it for intelligence versus the value of making our infrastructure secure and, on a global level, the infrastructure, let's say. It's a little complex for me. I absolutely cannot be on the side of people who say that all zero-days are the same. That can't be, that can't be the case.

What you're seeing now is a theoretical exploit of a vulnerability in PHP, a scripting language that forms the backbone of the Internet, both the visible one, like the page you're on right now, and the invisible one, the dark web, a place you've probably heard of. Its websites and servers are based on the same principles as normal websites and are susceptible to the same vulnerabilities. Sometime in late 2023, someone somewhere discovered a broken brick in the wall that is part of PHP. We don't know who it was or why they did it. Maybe they found the zero-day themselves, maybe they bought it on the market, and then they took that broken brick and turned it into a passage. With that passage they could have accessed any server, taken over any website in the world, but the website they attacked looked like this: it is the dark web blog of LockBit, one of the largest criminal organizations in the world. For several years of its existence, LockBit attacked thousands of people and extorted billions after stealing their data and demanding ransom. At the height of its activity, they represented nearly half of the entire ransomware market in the world. In early 2024, LockBit was taken down.
Its entire infrastructure, spanning dozens of servers, and the accounts of hundreds of cybercriminals were taken over by a combined task force of law enforcement agencies from 11 countries. They hit the gang so hard they practically had to recreate themselves in a new form, and they may never return to the top of the food chain. This whole operation was probably carried out thanks to a zero-day. So yes, it may be hard to admit, but sometimes governments and law enforcement agencies just do their job, and sometimes that job requires a well-placed exploit. Well, it could be unethical, but the problem is it works both ways. Yes, it could make it easier for governments looking to spy on members of the opposition, journalists, etc., and there are many campaigns constantly attacking governments and companies for doing exactly that. It could also be CSR, it could be other governments going after oppressive governments and trying to cause problems for them. They could also be private initiatives looking for exploits to attack these governments, like what Anonymous affiliates are doing against Russia during the war with Ukraine. So if you start going after this market you will end up hurting both parties, and the government is more likely to win anyway in that scenario, because they have more money to spend; they are not operating at risk when in those markets, they will use third parties who they will burn, but then they will find someone else. So everything is much blurrier than it might seem.
The zero-day market is a huge tangled mass of legal and moral issues: companies that sell to criminals and governments alike; agencies that search for exploits and pay millions but consider it illegal to use the same exploits against them; criminals attacking governments and governments attacking criminals; and the hackers who are the source of all this, people who make a living staring at the wall. Most of the zero-day market is completely secret, but after all, we know it fairly well, so someone is definitely breaking the first rule of Fight Club. Sometimes it is former government employees who say everything they can without crossing the line.

Sometimes they are brokers who want to attract the attention of both potential sellers and potential buyers. And sometimes it's the hackers themselves who decide to speak up despite what others tell them. As I document in the book, there are several cases where certain brokers, there was a very famous one based in Thailand, I don't know where he is now, the Grugq, who is a very respected member of the hacking community, um, he talked to a Forbes reporter, a friend of mine, Andy Greenberg, at one point, and he thought he was speaking off the record. Basically the Grugq shared a lot of priceless information, uh, you know, some rules of the game. At one point he even posed for a photo next to a duffel bag; I don't know if there was real money inside, but it looked like there was cash, I don't know if it was real or not. And from what I understand, after that came out he was visited by the Thai police, and basically, according to friends and colleagues of his, he lost half his business, because there were a lot of governments that had been buying zero-days from him and said, I don't want to be doing business with someone who's going to pose next to a bag of cash in Forbes magazine; that's the antithesis of who I want to work with. And that became a very public example to other zero-day brokers that they would do well to keep their mouths closed.
We tried to contact the Grugq for this story, and it seems like he learned his lesson, like almost any zero-day seller or broker you can find on the internet. Some of them have public profiles, some reveal some details of their trades, some even share their names, but the vast majority have to operate through multiple layers of encryption, and when you get to that point of secrecy, there is simply no way of knowing who you are dealing with and, frankly, it is dangerous for you to know. And it is particularly done that way; the reason no one wants to talk about this is, you know, your clients require complete discretion. No one, no government wants to buy a zero-day from someone who is out there talking about what they have, who they talk to, who they're selling it to. You know, they need to be able to trust these people to keep these sales quiet, so discretion is essential. So while we know a lot about the zero-day market, there is much more that we don't know and will probably never know, even despite the impact it has and will have on our lives. So here it is, the zero-day market: the digital underworld full of elite hackers and horrible secrets, a world that sometimes spills into our reality, causing massive damage, but also a world that is inseparably intertwined with ours, with links that simply cannot and probably will not break. The walls are built by people, and as long as that is so, some bricks in them will have defects, and as long as there are defective bricks, there will be people who will pay money to find them, so the zero-day market will persist. We hope you enjoyed this brief immersion in another extremely complicated topic. We are very grateful to the person whose book about zero-days served as the inspiration for this story. Don't hesitate to give our other explainers a chance. We cover everything cyber related and usually upload one every other week. Stay informed and stay safe.
