The Untold History of America’s Zero-Day Market

“With the breakup of the Soviet Union, you had a lot of people with skills, without jobs,” Sabien explained. In Europe, hackers, some as young as 15 and 16, were trading their discoveries to zero-day dealers who would turn around and sell them directly to government agencies and their brokers. Some of the most talented hackers, Sabien told me, were in Israel, veterans of Israel’s Unit 8200. One of the best was a 16-year-old Israeli kid.

It was a secretive business and mind-blowingly convoluted. Sabien’s team couldn’t exactly call up hackers, ask them to send their exploit by email, and mail them back a check. Bugs and exploits had to be carefully tested across multiple systems. Sometimes hackers could do this over video. But most deals were done face-to-face, often in hotel rooms at hacker conventions.

Sabien’s team increasingly relied on these murky middlemen. For years, he said, his employer dispatched an Israeli middleman with duffel bags stuffed full of half a million dollars in cash to buy zero-day bugs from hackers in Poland and across Eastern Europe.

Every step in this insanely complex deal-making structure relied on trust and omertà. Governments had to trust contractors to deliver a zero-day that worked. Contractors had to trust middlemen and hackers not to blow the exploit in the course of their own escapades, or resell it to our worst enemies. Hackers had to trust contractors would pay them, not just take their demonstrations and develop their own variation of their bugs. This was before bitcoin. Some payments were doled out via Western Union, but most were done in cash.

You couldn’t dream up a less efficient market if you tried.

Which is why, in 2003, Sabien took note that iDefense was openly paying hackers for their bugs and called Watters.

To a businessman like Watters, who was trying to push the market out into the open, what the contractors were doing was idiotic, dangerous even.

“Nobody wanted to talk openly about what they were doing,” Watters recalled. “There was this whole air of mystery to it. But the darker the market, the less efficient it is. The more open the market, the more it matures, the more buyers are in charge. Instead they chose to work out of Pandora’s box, and the prices just kept going up.”

By late 2004, there was new demand from other governments and front companies, all of whom kept driving up the price of exploits and making it difficult for iDefense to compete.

As the market spread, what troubled Watters wasn’t the effect the market would have on iDefense; it was the increasing potential for an all-out cyberwar. “It’s like having cyber nukes in an unregulated market that can be bought and sold anywhere in the world without discretion,” he told me.

The certainty of the Cold War era—with its chilling equilibrium—was giving way to a vast uncharted digital wilderness. You weren’t quite sure where the enemy would pop up or when.

American intelligence agencies began relying more and more on cyberespionage to collect as much data about as many adversaries, and allies, as possible. But it wasn’t just spying. They also sought code that could sabotage infrastructure, take out the grid. The number of Beltway contractors eager to traffic in these tools began to double every year, Sabien said.

The big contractors—Lockheed Martin, Raytheon, Northrop Grumman, Boeing—couldn’t hire cyber specialists fast enough. They poached from inside the intel agencies and acquired smaller shops like Sabien’s. The agencies started procuring zero-day exploits from catalogs, offered by Vupen, a zero day broker in Montpelier, France, who would later rebrand as Zerodium. It set up shop closer to its best customers in the Beltway and started openly publishing its price lists online, offering as much as $1 million (and later $2.5 million) for a tried-and-tested way to remotely hack the iPhone. “We pay BIG bounties, not bug bounties,” went the slogan. Former NSA operators started their own businesses, like Immunity Inc., and trained foreign governments in their tradecraft. Some contractors, like CyberPoint, took their business overseas, stationing themselves in Abu Dhabi, where the Emiratis rewarded former NSA hackers handsomely for hacking its enemies, real and perceived. Soon, zero-day dealers like Crowdfense, that sold exclusively to the Saudis and Emiratis, started outbidding Zerodium by a million dollars or more. Eventually, those tools would be turned on Americans.