In Russia, opened the exchange for the purchase and sale of exploits

    0day for all versions of Windows is sold for $ 90 thousand.



    The structure of the archive stolen from the servers of the company Hacking Team . The company sold exploits to the secret services of Russia and other countries.

    The first exchange was opened in Russia, where developers and hackers can officially sell vulnerabilities in Linux, Windows, OS X, Tor, iOS, Android software, Chrome browsers, IE browsers. Selling the vulnerability to an interested client and keeping it secret, you can earn much more than the official reward program for vulnerability, which provides for the disclosure of information and the release of the patch.

    True, the ethics of such a business is questionable, because government agencies use these bugs to spy on citizens and foreign intelligence. But such activity is not against the law.

    The Russian stock exchange Expocod.com was founded by a former employee of Rosfinmonitoring, Andrey Shorokhov, writes Kommersant. The buyers of the exploit will be government agencies and companies in the field of information security. Representatives of the FSB have already contacted the exchange.

    Previously, the sale of fresh exploits and 0day bugs in popular software took place on the black market. Then the states entered the game: the exploits began to buy special services, intelligence agencies and law enforcement agencies that need to develop effective trojans and backdoors to track down criminals , foreign intelligence, sabotage foreign industrial enterprises . State structures remain the main customers now.

    The Russian hacker scene has always been one of the main suppliers of fresh exploits and 0day, but the trade was conducted underground.


    Grugq, a South African hacker who lives in Bangkok and works as an independent high-end exploit broker . In the bag are money for payments with suppliers.

    A few years ago, the first hacker companies appeared in the world that officially specialize in selling exploits. First in the public eye came the French company Vupen. In March 2012, after winning the Pwn2Own competition, she showed a valid exploit for Chrome and refused to transfer it to Google in order to “save for its customers”. That is, the company voluntarily refused the $ 60,000 reward offered by Google for opening a hole in Chrome. It became clear that "customers" will pay more.


    The French group Vupen has been selling exploits since 2012 and has repeatedly won hacker contests: the photo was taken at CanSecWest in 2014.

    There is nothing surprising, because on the black market, the cost of exploits, according to rumors, comes to $ 500,000. Vupen customers paid $ 100,000 a year just for subscribing to the news feed on fresh bugs that are on sale. If necessary, customers can buy the right to use a new tool for extra money. This is a very valuable commodity that allows for covert surveillance of suspects, penetration into the enemy’s computer network, and so on. Vupen carefully selected customers: they could only be from the NATO countries, ANZUS and ASEAN.

    Now the most famous world sites for the purchase of exploits are Zerodium, Zeronomicon, Zero Day Initiative and Mitnick's Absolute Zero-Day Exploit Exchange. There are about two dozen large sites for the purchase of exploits in the world. The volume of this market is growing rapidly.

    Some western traders of exploits declare that they do not sell exploits to countries where governments can use them in an incorrect way, for example, to pursue political opponents. Therefore, they do not work, for example, with Russian law enforcement agencies.

    The Russian stock exchange Expocod.com will not be so selective. Here, tools for hacking and espionage can be bought and sold by almost anyone. “We reserve the right to choose whom and what to sell, it is a matter of ethics and reputation. Of course, we will not sell exploits to some fighters for the independence of Somalia, the DPRK or similar regimes, and why not, and the rest, ”says Expocod founder Andrei Shorokhov.

    According to the information on the website, the cost of an exploit in Adobe Flash is up to $ 55 thousand, vulnerabilities in various browsers can be sold for $ 35-60 thousand, a hole in Tor anonymizer - $ 80 thousand, in Windows, OS X, Linux and other operating systems - for $ 35- $ 80 thousand.

    For comparison, 0day-vulnerability for all versions of Windows is now sold on the market for $ 90 thousand. The buyer has not yet been found, but experts believe that there will be.





    Andrei Shorokhov previously worked in financial intelligence in the financial investigation department of Rosfinmonitoring, where he specialized in investigating high-tech crimes: “I am the sole owner of Expocod and the ultimate beneficiary of this project, some secret investors are not here, I invest all the money in the development of the project” , He said in an interview with Kommersant. The Expocod team includes former hackers who have switched to the "bright side" and specialists from the security industry. Like Vupen, the Russian company will not only buy and resell vulnerabilities, but also develop exploits on its own.

    The company also creates a set of test exploits that will assess the degree of security of any IT system: “For example, we will be able to test whether there are ABS bank security vulnerabilities or whether a defense enterprise is vulnerable to external threats,” Sholokhov said.

    Unfortunately, for the sake of state interests, one has to sacrifice the security of software and operating systems. If exploits are sold on the black market under secret conditions, then patches will be released soon. The use of exploits by state agencies is “the need for the modern world to defend their strategic interests in the field of information security,” Sholokhov explained.

    Hackers (and programmers, participants of open source projects) can sell on the exchange vulnerabilities for bitcoins. For participants of open source projects, there is a temptation not to close the bug they found in the code, but to sell the information on the exchange. Let's hope that this does not negatively affect the quality of software projects.

    Also popular now: