For a long time, the use of cyber weapons for espionage was considered the preserve of a select few intelligence agencies. However, a U.S. investigation into Operation Zero has revealed the true scale of the zero-day vulnerability trade. Today, there are two markets for exploits: one with its brokers, price lists, and suppliers, and another where hacking tools end up after leaks or deliberate releases.

What are the risks of doing intelligence work on the cheap, how much are governments willing to pay for a smartphone hack, and how far can we trust researchers who discover bugs decades later? The answers are in this new ForkLog article.

Market Participants

A zero-day vulnerability is a critical flaw in software or hardware exploited by hackers before the developer is aware of it and releases a patch. The name implies that the creators have zero days to address the threat.

The market demands not the bug itself, but the "window of opportunity"—the guaranteed time of hidden access to the system before detection.

The zero-day vulnerability market consists of three categories of participants:

  1. Cybersecurity researcher: An individual or team that discovers the vulnerability.
  2. Broker: Intermediary companies that buy exploits, refine them into a commercially viable product (infection chains), and resell them.
  3. Client: Intelligence and military agencies that need a turnkey espionage tool—cheaper and safer than deploying agents on the ground.

On the Edge of Legitimacy

This market has long existed in a gray area, but recent events have shed light on its true scale. In February 2026, the U.S. Treasury and State Department imposed sanctions on the Russian company "Matrix" (brand of Operation Zero) and its founder Sergey Zelenyuk.

The organization openly positioned itself as a broker of cyber weapons. According to materials from the U.S. Treasury's Office of Foreign Assets Control (OFAC) investigation, Operation Zero's main rule was to sell tools to clients from countries outside NATO, primarily to state intelligence agencies.

A key figure in the case was an Operation Zero supplier who stole exploits from a U.S. defense contractor (presumably L3Harris). From 2022 to 2025, Australian freelancer Peter Williams managed to steal eight zero-day exploits built for intelligence purposes. He sold the tools for $1.3 million in cryptocurrency.

This is not the first instance of cyber weapons being used against U.S. citizens, but it "broke" the unspoken rules of the market: while other players tried to keep their balance in the gray area of "national security," Operation Zero confronted NATO directly.

Previously, developers of malware were typically added to the OFAC sanctions list after high-profile incidents:

  • 2021 — sanctions were imposed on the Israeli company NSO Group, creator of Pegasus, used for spying on diplomats, journalists, and opposition figures;
  • 2024 — sanctions were imposed on developers of Predator software Intellexa and Cytrox (Europe, Middle East) for facilitating repression and surveillance.

Whether a given cyber weapon seller is operating legally is often hard to say. The market of official or semi-official (gray) organizations is highly competitive, with clear leaders such as Crowdfense from the UAE. That company has managed to stay off OFAC lists for several reasons:

  • Jurisdiction and export control. Crowdfense is registered in a country that maintains partnerships with the U.S. and its allies. According to its management, it adheres to strict export control and compliance rules. The transfer of cyber weapons is regulated like the trade of conventional arms;
  • Client selection. Clients include Five Eyes, as well as governments and law enforcement agencies of allied countries. For the U.S., Crowdfense is a legal contractor supplying weapons;
  • Legalization. Crowdfense positions itself as a tool for national security. When purchasing a vulnerability, they sign a non-disclosure agreement with the hacker and transfer the exploit, for example, to intelligence agencies for monitoring terrorists. Legally, this is a procurement of special means.

However, this "white zone" remains conditional. Practice shows that the status of a legal player holds until its tools end up at the center of a public scandal—especially if it involves surveillance of journalists or politicians in Western countries.

Price List

Zerodium was the first company to bring the trade in zero-day vulnerabilities out of the dark web into the public and formally legal realm. Founded in 2015 by cybersecurity researcher Chaouki Bekrar, the organization began openly publishing price lists for purchasing exploits.

The acquired accesses were refined and resold to a narrow circle of trusted clients—primarily government agencies and law enforcement in NATO countries.

However, by the mid-2020s, this model became uncompetitive. Pressure increased from two sides. On one hand, new players with significantly larger budgets emerged, primarily Dubai's Crowdfense. On the other, Apple and Google accelerated their update cycles: the lifespan of vulnerabilities shortened, and risks for brokers increased.

Against this backdrop, Zerodium's upper payment limit—around $2.5 million—no longer seemed attractive. The market quickly shifted towards more aggressive pricing. Crowdfense effectively set a new benchmark: the cost of complex exploitation chains approached $10 million, and in 2024, the company allocated $30 million for its exploit acquisition program.

Today, the most sought-after exploits on the market remain zero-click smartphone hacks. At the time of writing, the broker offers up to $7 million for such exploits for iOS and up to $5 million for Android.

Intermediary companies do not notify the developer about the vulnerability, keeping it operational for the client. This exclusivity allows them to pay researchers sums that the classic bug bounties of leading software and device manufacturers cannot match.

In 2025, the total amount of rewards paid by Google was around $17 million. In 2022, the tech giant broke its payout record: $605,000 was awarded for a discovered exploit chain in Android consisting of five bugs.

In such conditions, cybersecurity analysts must choose: receive a staggering reward with the risk that the exploit could become a cyber weapon or work within the framework of responsible vulnerability disclosure.

The largest representative of the "white hats" in this specialization is the Zero Day Initiative (ZDI). The organization buys information about security gaps and passes it to Microsoft, Apple, or Google, demanding that the bug be fixed within a certain timeframe.

ZDI offers up to $1 million only for exceptional and very complex attack vectors, as part of its public Pwn2Own competitions. In everyday purchases, the white broker's catalog prices bugs between $500 and $150,000.

In addition to direct payments, ZDI has a reward points system ($1 = 1 point). As points accumulate over the calendar year, the researcher gains status and corresponding bonuses.

Thus, the zero-day market is increasingly divided into two segments—high-revenue but opaque, and legal but significantly less profitable. The gap between them continues to grow.

Weapon Migration to Hackers

The main problem with the exploit market is that exploits cannot be kept under control. When intelligence agency employees use zero-days, the code can be intercepted, analyzed, and copied. The tool loses its exclusivity and becomes available to groups that target simpler but mass-scale attacks.

In spring 2026, two high-profile incidents occurred that demonstrated such migration: the software Coruna and DarkSword.

In March, Google Threat Intelligence Group (GTIG) recorded the use of the Coruna framework, which contained 23 exploits and five complete zero-day chains for iOS versions from 13.0 to 17.2.1.

Researchers established that Coruna has direct links to Operation Triangulation—a spy campaign from 2023. The source code was likely written by a U.S. Department of Defense contractor and then resold through brokers on the secondary market.

The subsequent path of Coruna:

  1. The framework was used by the hacktivist group UNC6353 (Star Blizzard) for targeted espionage and attacks on Ukrainian users.
  2. The tool fell into the hands of Chinese hackers UNC6691. They placed government cyber weapons on fake cryptocurrency and financial websites. When accessed through Safari, the tool stealthily downloaded the PLASMAGRID stealer, granting access to device data, including cryptocurrency wallets.

The other case is DarkSword. Attacks were conducted through malicious websites: upon visiting them, an infection chain was triggered on the iPhone, providing full access to the device without the user's knowledge.

The distribution scheme of DarkSword turned out to be similar: initially, it was used by the aforementioned group UNC6353 to deploy spyware modules. Subsequently, the framework was modified: info stealers GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER were added, aimed at stealing financial data, including cryptocurrency wallets.

The final stage of DarkSword's lifecycle was its leak on GitHub in March 2026. Experts suspect that the developing company may have gone bankrupt and attempted to monetize the remaining code on the gray market, resulting in NSA-level tools becoming publicly accessible to ordinary cybercriminals.

A Bitcoin Error: Bug or Feature?

Amid the trade of exploits, a pertinent question arises: how can one determine whether a discovered flaw is a random programmer's mistake or an intentionally embedded backdoor?

In the cybersecurity industry, there exists the concept of "plausible deniability." This is the main principle of professional backdoor architecture. An ideal software backdoor should appear as a trivial vulnerability—a typo, improper memory handling, or classic buffer overflow. If a researcher finds such a "hole," the vendor can simply claim it was an accidental bug, release a patch, and maintain its reputation. Proving malicious intent in a mass of millions of lines of code is nearly impossible.

Nevertheless, there are markers that can raise suspicion of a backdoor:

  • Non-standard cryptography. The use of obscure or weakened cryptographic constants vulnerable to mathematical attacks;
  • Anomalous logic. Complicated data routing in places where it is unnecessary from an architectural standpoint;
  • Obfuscation. Intentional obfuscation of code sections in open-source projects or the use of supply chain compromise, where malicious code is injected through third-party libraries.

It is commonly believed that closed or partially closed systems, such as iOS or Android, are potentially more vulnerable because of their limited transparency, and open-source blockchain projects are often cited as the counterexample. However, practice shows that they offer no guarantees of security either.

In April 2026, researcher Loic Morel discovered a computational error in the Bitcoin mining mechanism.

According to the protocol, the mining difficulty of digital gold is adjusted every 2016 blocks to keep the block generation time at around 10 minutes. However, due to a bug in the code, the timestamp of the last block of the previous period is not taken into account when calculating the next one (the timestamps of 2015 blocks are compared instead of 2016).

This gap made a "time distortion" attack possible. If a miner or pool with overwhelming hash power exploits the vulnerability, it can deceive the algorithm: the system will believe that more time was spent mining than actually was, critically reducing the difficulty and allowing Bitcoin to be mined at an abnormally high rate of up to six blocks per second.
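The off-by-one is easiest to see in the retarget arithmetic itself. The following is an added example, a simplified model written for this explanation rather than code from Bitcoin Core or from the researcher's analysis; the constants are Bitcoin's public retarget parameters (2016 blocks, 600-second spacing, a 4x clamp per period), and the block timestamps are constructed.

```python
"""Added example: simplified model of Bitcoin's difficulty retarget (not Bitcoin Core code).
Constants are Bitcoin's public retarget parameters; all timestamps are constructed."""
from fractions import Fraction

BLOCK_INTERVAL = 600                                # target spacing in seconds
RETARGET_BLOCKS = 2016                              # blocks per retarget period
TARGET_TIMESPAN = RETARGET_BLOCKS * BLOCK_INTERVAL  # 1,209,600 s, i.e. two weeks


def honest_period() -> list[int]:
    """Constructed segment: last block of the previous period, then the 2016 blocks
    of the period just ended, all exactly 600 s apart."""
    return [i * BLOCK_INTERVAL for i in range(RETARGET_BLOCKS + 1)]


def measured_timespan(timestamps: list[int], include_previous_last: bool) -> int:
    """Timespan fed into the retarget. Bitcoin compares the first and last block of
    the period itself, which spans only 2015 intervals (the off-by-one); the
    corrected variant also counts the gap after the previous period's last block."""
    if include_previous_last:
        return timestamps[-1] - timestamps[-(RETARGET_BLOCKS + 1)]
    return timestamps[-1] - timestamps[-RETARGET_BLOCKS]


def retarget_factor(actual_timespan: int) -> Fraction:
    """Multiplier applied to the target (difficulty moves by the inverse). Bitcoin
    clamps the measured timespan to [timespan/4, timespan*4], so one retarget can
    move difficulty by at most a factor of four either way."""
    clamped = min(max(actual_timespan, TARGET_TIMESPAN // 4), TARGET_TIMESPAN * 4)
    return Fraction(clamped, TARGET_TIMESPAN)


def difficulty_change(actual_timespan: int) -> Fraction:
    """Ratio new_difficulty / old_difficulty for a measured timespan."""
    return 1 / retarget_factor(actual_timespan)


if __name__ == "__main__":
    chain = honest_period()
    buggy = measured_timespan(chain, include_previous_last=False)   # 1,209,000 s
    fixed = measured_timespan(chain, include_previous_last=True)    # 1,209,600 s
    print(f"measured timespan: {buggy} s (2015 intervals) vs {fixed} s (2016 intervals)")
    # The buggy formula sees an on-schedule chain as slightly too fast and nudges
    # difficulty up by 2016/2015 (~0.05%) each period.
    print("honest chain:", difficulty_change(buggy))
    # A measurement stretched far past two weeks is capped by the 4x clamp, so a
    # single period can cut difficulty by at most 75%.
    print("10x timespan:", difficulty_change(10 * TARGET_TIMESPAN))
```

The clamp is why the damage from a distorted timespan accumulates over several periods rather than landing in one, and why a sudden drop in difficulty by close to a factor of four is a signal worth monitoring.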

Recent incidents have prompted a reevaluation of the work of independent cybersecurity researchers, for whom financial temptations have become a serious test of professional integrity and ethics.

Systems are created by humans, and thus, errors are inevitable. As long as they exist, there will be a market for those who monetize, conceal, or even create them.