The Zero-Day Vulnerability Market: From Discovery to Sale and Silence
Cyber Weapons Trading Emerges from Gray Zone into Public Spotlight
A U.S. federal investigation into Operation Zero has exposed the sprawling market for zero-day vulnerabilities—critical software flaws exploited by hackers before developers can release patches. The inquiry reveals two distinct markets have crystallized around these exploits: one operating through legitimate brokers with published price lists and suppliers, and another where hacking tools surface through data breaches or intentional leaks.
Market Participants and Structure
A zero-day vulnerability is a critical error in software or hardware that attackers weaponize before the creator learns of it and issues a fix. The term itself signals that developers have had zero days to address the threat.
The actual commodity traded is not the bug itself, but the "window of opportunity"—a period of guaranteed covert system access before detection occurs.
The zero-day market encompasses three categories of participants:
- Cybersecurity researchers: Specialists or teams who discover vulnerabilities
- Brokers: Intermediary firms that acquire exploits, refine them into commercial-grade products—complete infection chains—and resell them
- Clients: Intelligence and military agencies seeking turnkey espionage tools, a cheaper and safer alternative to deploying human operatives
Operating in Legal Gray Areas
Though the market long remained murky, recent developments have illuminated its true scope. In February 2026, the U.S. Treasury Department and State Department imposed sanctions against Russian firm "Matritsa" (operating under the brand Operation Zero) and its founder Sergey Zelenyuk.
The organization openly marketed itself as a cyber weapons broker. According to findings by the Office of Foreign Assets Control (OFAC), Operation Zero's core principle was selling tools exclusively to non-NATO countries and, primarily, to state intelligence agencies.
A critical figure in the case emerged: a supplier to Operation Zero who stole credentials from a U.S. defense contractor, reportedly L3Harris. Between 2022 and 2025, Australian freelancer Peter Williams managed to steal eight zero-day exploits developed for intelligence purposes, selling them for $1.3 million in cryptocurrency.
Although this was not the first instance of cyber weapons being used against American citizens, the breach "shattered" the market's unwritten rules: while competitors maneuvered within the gray zone of "national security," Operation Zero engaged in direct confrontation with NATO.
Previously, malware developers typically landed on OFAC's sanctions list only after high-profile incidents:
- 2021: Restrictions targeted Israel-based NSO Group, creator of Pegasus, used to surveil diplomats, journalists, and opposition figures
- 2024: Sanctions imposed on developers of Predator and Cytrox software for aiding repression and surveillance across Europe and the Middle East
The legal standing of cyber weapons vendors remains tenuous. The market of official or semi-official (gray) entities is highly competitive terrain dominated by players like Crowdfense of the UAE. This firm navigates around OFAC restrictions through several mechanisms:
- Jurisdiction and export controls: Crowdfense operates from a nation maintaining partnerships with the U.S. and allies, claiming strict adherence to export controls and compliance rules. Cyber weapons transfer is regulated like conventional arms sales
- Client selection: Customers include Five Eyes members and allied governments and law enforcement. For the U.S., Crowdfense functions as a legitimate contractor supplying weaponry
- Legitimization: Crowdfense positions itself as a national security tool. When acquiring vulnerabilities, it signs non-disclosure agreements with hackers and transfers exploits to intelligence agencies for counterterrorism surveillance. Legally, this constitutes procurement of specialized equipment
Yet this "white zone" remains conditional. Practice demonstrates that a player's legitimate status persists only until its tools ignite public scandal—particularly involving surveillance of journalists or politicians in Western nations.
The Price List
Disclaimer: This section is purely informational and of public interest. ForkLog's editorial position condemns both cybercrime and all forms of violence.
Zerodium, founded in 2015 by cybersecurity researcher Chaouki Bekrar, became the first company to bring zero-day trading from the dark web into public and formally legal space by openly publishing price lists for exploit acquisition.
The firm would refine acquired access and resell to vetted clients—primarily NATO intelligence and law enforcement agencies.
By the mid-2020s, this model had lost competitive viability. Pressure mounted from two directions: new players with substantially larger budgets, particularly Dubai-based Crowdfense, and accelerating update cycles from Apple and Google, which compressed vulnerability lifespans while broker risks grew.
Zerodium's ceiling payments of approximately $2.5 million ceased appearing attractive. The market shifted sharply toward aggressive pricing. Crowdfense effectively set new benchmarks: complex exploitation chains approached $10 million, and by 2024 the firm allocated $30 million to its exploit acquisition program.
Today the most sought-after commodity remains zero-click smartphone compromises requiring no victim interaction. At the time of writing, brokers offered up to $7 million for iOS exploits and $5 million for Android access.
Intermediary firms withhold vulnerability details from developers, preserving functionality for clients. This exclusivity enables them to offer researchers sums far beyond traditional bug bounties from major software and hardware producers.
Google distributed approximately $17 million in rewards throughout 2025. In 2022, the tech giant set its payment record: $605,000 went toward a discovered Android exploitation chain comprising five distinct errors.
Facing such economics, cybersecurity analysts must choose: accept astronomical compensation knowing the exploit may become cyber weaponry, or operate within responsible vulnerability disclosure frameworks.
Zero Day Initiative (ZDI) is the leading "white hat" organization in this specialty. The firm acquires vulnerability reports and transfers them to Microsoft, Apple, or Google, demanding fixes within specified timeframes.
ZDI offers up to $1 million exclusively for exceptional and highly complex attack vectors through public Pwn2Own competitions. Regular acquisitions range from $500 to $150,000.
Beyond direct payments, ZDI operates a points system ($1 equals one point). As researchers accumulate calendar-year points, they achieve status tiers with corresponding bonuses.
The zero-day market thus divides increasingly clearly into two segments—highly profitable but opaque, and legal but substantially less lucrative. The gap continues widening.
Weapons Migration to Hackers
The exploit market's fundamental problem is maintaining control. When intelligence operatives deploy zero-days, code may be intercepted, analyzed, and replicated. Tools lose exclusivity and become available to criminal groups targeting simpler, mass-market attacks.
Spring 2026 witnessed two significant incidents demonstrating this migration: the Coruna and DarkSword platforms.
In March, Google Threat Intelligence Group detected use of the Coruna framework, which contained 23 exploits and five complete zero-day chains for iOS versions 13.0 through 17.2.1.
Researchers established Coruna maintained direct connections to Operation Triangulation—a 2023 espionage campaign. The original code was likely written by a U.S. Defense Department contractor, then resold through brokers on secondary markets.
Coruna's subsequent trajectory:
- The framework was deployed by hacktivist group UNC6353 (Star Blizzard) for targeted espionage and attacks against Ukrainian users
- Chinese hackers UNC6691 obtained the tool and deployed the government-grade exploits on fraudulent cryptocurrency and financial sites. Visiting through Safari triggered covert installation of the PLASMAGRID stealer, granting access to device data including crypto wallets
The DarkSword case followed similar patterns. Attacks occurred through malicious websites: visiting on iPhone triggered an infection chain providing complete device access without user awareness.
DarkSword's distribution mechanism proved analogous: UNC6353 initially used it to deploy espionage modules. Subsequently modified, the framework incorporated GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER infostealers targeting financial data theft including cryptocurrency wallets.
DarkSword's lifecycle concluded with its March 2026 GitHub leak. Experts speculate the developer company may have faced bankruptcy and attempted to monetize remaining code through gray markets, resulting in NSA-level tools becoming accessible to ordinary cybercriminals.
Bitcoin Error: Bug or Feature?
Amid exploit trading a legitimate question emerges: how can one tell whether a discovered flaw is a programmer's mistake or an intentionally embedded backdoor?
The cybersecurity industry employs the concept of "plausible deniability," the governing principle of professional backdoor architecture. The ideal software implant appears as a trivial vulnerability: a typographical error, a memory-handling mistake, or a classic buffer overflow. Should researchers discover such a "hole," the vendor simply declares it an accidental bug, releases a patch, and preserves its reputation. Proving malicious intent within millions of lines of code remains practically impossible.
Nevertheless, certain markers suggest backdoors:
- Non-standard cryptography: Employing obscure or weakened cryptographic constants vulnerable to mathematical attacks
- Anomalous logic: Unnecessarily complex data routing where architectural necessity doesn't exist
- Obfuscation: Deliberate code obscuration in open-source projects or supply-chain compromise via malicious third-party libraries
Conventional wisdom holds that closed or partially closed systems like iOS or Android face higher vulnerability risk due to limited transparency. Open-source blockchain projects often serve as counterarguments. Yet practice demonstrates such systems offer no security guarantees either.
In April 2026, researcher Loic Morel discovered a computational error in Bitcoin's mining mechanism.
The protocol specifies that mining difficulty adjusts every 2016 blocks to maintain 10-minute block intervals. However, the calculation measures only the elapsed time between the first and last block of the current period, so the timestamp of the previous period's final block is never counted: the adjustment covers 2015 block intervals rather than 2016.
This gap enabled "time warp" attacks. Should a miner or pool controlling overwhelming hash rate exploit this vulnerability, they could deceive the algorithm into believing mining consumed more time than occurred, critically reducing difficulty and enabling bitcoin extraction at anomalously high rates—up to six blocks per second.
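To make the off-by-one concrete, here is an added example (not from the article or from Bitcoin Core) that reproduces the retarget arithmetic in Python: the measured span of an honest 2016-block period covers only 2015 intervals, so a perfectly on-schedule chain still sees difficulty creep upward, while a hypothetical corrected measurement anchored to the previous period's last block (a constructed fix, not Bitcoin's rule) counts all 2016. It also shows the factor-of-4 clamp that bounds any single adjustment.

```python
RETARGET_INTERVAL = 2016                      # blocks per difficulty period
TARGET_SPACING = 600                          # intended seconds per block
TARGET_TIMESPAN = RETARGET_INTERVAL * TARGET_SPACING  # 1,209,600 s (14 days)


def actual_timespan(timestamps):
    """Elapsed time as the retarget rule measures it: last block's timestamp
    minus the FIRST block's timestamp of the same 2016-block period.
    That spans only 2015 block intervals; the interval back to the previous
    period's last block is never counted."""
    if len(timestamps) != RETARGET_INTERVAL:
        raise ValueError("a retarget period holds exactly 2016 block timestamps")
    return timestamps[-1] - timestamps[0]


def counted_intervals(timestamps):
    """Number of 10-minute intervals the measured span actually covers."""
    return actual_timespan(timestamps) // TARGET_SPACING


def clamp_timespan(span):
    """Each adjustment is limited to a factor of 4 in either direction."""
    return max(TARGET_TIMESPAN // 4, min(span, TARGET_TIMESPAN * 4))


def retarget_factor(timestamps):
    """Multiplier applied to the proof-of-work target for the next period.
    Below 1.0 the target shrinks (difficulty rises); above 1.0 it eases."""
    return clamp_timespan(actual_timespan(timestamps)) / TARGET_TIMESPAN


def fixed_timespan(prev_period_last, timestamps):
    """Hypothetical corrected measurement (not Bitcoin's rule): anchor the span
    to the previous period's final block so all 2016 intervals are counted."""
    return timestamps[-1] - prev_period_last


def honest_period(start):
    """Constructed sample: 2016 blocks found exactly 600 s apart, starting
    at `start` seconds (the ideal case the protocol is tuned for)."""
    return [start + i * TARGET_SPACING for i in range(RETARGET_INTERVAL)]


if __name__ == "__main__":
    period = honest_period(start=TARGET_SPACING)   # previous period ended at t=0
    print(counted_intervals(period))                # 2015, not 2016
    print(round(retarget_factor(period), 6))        # 0.999504: difficulty creeps UP
    print(fixed_timespan(0, period) / TARGET_TIMESPAN)  # 1.0 with the fix
    print(clamp_timespan(100 * 86400) / TARGET_TIMESPAN)  # 4.0: the per-period cap
```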
Recent incidents have prompted reconsideration of independent cybersecurity researchers' work, for whom financial incentives have become serious tests of professional integrity and ethics.
Systems are human creations; errors remain inevitable. As long as vulnerabilities exist, markets will persist for those who monetize, conceal, or even create them.