Hunting and gathering: OpZero raises stakes in zero-day exploit market


OpZero, the shady Russian zero-day exploit broker, has struck again. It’s still fairly new as a player in the game, but the company has once more massively increased its payouts for top-tier mobile exploits.

The intermediary, based in the Russian port city of Saint Petersburg, raised many eyebrows last year when it increased its price for Signal RCE (remote code execution) exploits to $1.5M, three times the amount on offer from the much better-known broker Zerodium.

Back then, the firm’s founder, Sergey Zelenyuk, told Cybernews that OpZero couldn’t really buy an expensive exploit on its own and directly asked its clients to pay for vulnerabilities discovered by researchers or hackers.


And because OpZero officially claims it’s only working with “Russian private and government organizations,” many experts said they assumed that the intermediary was actually a front for the Russian government, still rich enough to try and gain access to valuable communications.

Almost a year later, it would appear that OpZero – or, if one supposes it really is just a front for the Kremlin, its backer – has even more cash at its disposal.

Every vulnerability an asset

On X, the firm’s account said: “Due to high demand on the market, we're increasing payouts for top-tier mobile exploits.”

What OpZero – or, again, its client – is offering is simply staggering. For instance, the firm would allegedly pay $20M for an iOS RCE, local privilege escalation (LPE), Sandbox escape or bypass (SBX), or a full exploit chain.

This is up from $200,000 – and the same amount would supposedly be paid for exploits in the Android operating system.

“As always, the end user is a non-NATO country,” OpZero adds. This could be interpreted as a message to potential exploit spotters that the person or the organization that would use the zero-day vulnerability is not based in the West.


“Increasing prices of Russian-affiliated zero-day brokers reflect the increasing demand for these exploits. It’s a clear indicator of the intensifying cyber arms race, where every vulnerability is a valuable asset,” said Mantas Sasnauskas, the head of security research at Cybernews.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, who served on the Commission on Cybersecurity for US President Obama’s administration, also told Cybernews in 2022 that he thought OpZero was probably collaborating with Russia’s GRU military intelligence agency or with the Federal Security Service.

“The Russian dark web is an economy of scale with a myriad of miscreants offering a variety of cybercrime services. The Russian forums enjoy a protection racket with Russian intelligence,” said Kellermann.

Sign of desperation?

However, Joe Stewart, a researcher with eSentire’s Threat Response Unit security research team, was doubtful. He said that Zelenyuk must have discovered that money was to be made in purchasing zero-day exploit code and reselling it to the Kremlin.

Or, indeed, any parties with similar interests and deep pockets. They don’t even have to be states – for example, the notorious NSO Group uses zero-day vulnerabilities in its Pegasus software, which gives its customers access to targeted mobile devices.

Either way, the new offer by OpZero strongly suggests that its customer is now, more than ever, interested in successfully compromising iOS and Android systems.

And if the Russian government is really behind this broker, it might also signal desperation to regain the initiative from Western governments that are increasingly bold in purchasing zero-day exploits and sanctioning cyberattacks against their adversaries.

“It's nice seeing non-NATO countries invest in their espionage operations. Soon they too can illegally spy on journalists, activists, and political opponents,” the popular hacker repository, vx-underground, sarcastically replied to OpZero’s post on X.

Novel zero-day vulnerabilities are discovered every year. According to Google’s Project Zero, which tracks new zero-day problems at major software vendors, 45 such issues have already been discovered in the first nine months of 2023 – more than in the whole of 2022.
