The Untold History of America’s Zero-Day Market

This story is adapted from This Is How They Tell Me the World Ends, by Nicole Perlroth.

Getting to the bottom of the zero-day market was a fool’s errand, they told me. When it came to zero-days, secret vulnerabilities in code, governments weren’t regulators; they were clients. These holes made up the raw material for their espionage tools and cyberweapons. They had little incentive to disclose a highly secretive program, which dealt in highly secretive goods, to a reporter like me.

“You’re going to run into a lot of walls, Nicole,” Leon Panetta, the secretary of defense at the time, warned me. Michael Hayden, the former NSA director, laughed when I told him what I was up to. “Good luck,” he said, with an audible pat on the back.

Word about my quest that year, 2013, traveled fast. The zero-day dealers, the men who dealt in vulnerabilities and the code to exploit them, prepared for me with bug spray. I was disinvited from hacking conferences. At one point, someone on the dark web offered good money to anyone who could hack my email or phone. But I’d glimpsed enough to know I had to keep going.

The world’s infrastructure was racing online. So was its data. The most reliable way to access those systems and data was a zero-day exploit. Zero-days had become a critical component of American espionage and war planning. The Snowden leaks made clear that the US was the biggest player in this space, but I knew that it was hardly the only one. Oppressive regimes were catching on, and a market was cropping up to meet their demand. There were vulnerabilities everywhere, many of them of our own making, and powerful forces—including our own government—were ensuring it stayed this way. Many did not want this story to be told.

It took years to find a zero-day broker from the market’s earliest days who would talk. Many never responded. Some just hung up. One told me that not only would he not speak with me about the market, but he’d already warned everyone he knew not to. If I continued on this thread, he told me, I would only be putting myself in “danger.”

Most just feared for their bottom line. In their line of work, keeping your mouth shut was essential. Every deal required discretion, and most were wrapped in nondisclosure agreements and, increasingly, classified. The most profitable brokers kept their zero-day business, even the sheer fact that there was a business, a secret. The more discreet the broker, the more governments coveted his business. A broker's quickest road to bankruptcy was to talk to the media. It still is.

This was not a matter of paranoia. Brokers have a case study in the perils of talking to a reporter about the zero-day market: a well-known South African exploit broker, based in Bangkok, called “the Grugq.” The Grugq just couldn’t help himself. Unlike most zero-day brokers, who avoid any platform that leaves a digital trace, the Grugq is on Twitter, where he has more than 100,000 followers. In 2012 he made the fatal mistake of openly discussing his business with a reporter. He would later tell me he was speaking off the record, but he was also happy to pose for a photo next to a large bag of cash. When Andy Greenberg’s story appeared in Forbes magazine, the Grugq became persona non grata. Governments stopped buying from him.

No broker was looking to follow in his footsteps, to forsake their fortune and reputation for fame or transparency. And so I reported out this market the only way I knew how, scratching at what was public and working my way in from there—until I found a zero-day dealer who would relay the industry’s untold history.

Every market starts with a wager. I learned that the zero-day market—or the public face of it at least—started with 10 bucks. That was what John P. Watters paid to acquire the Chantilly, Virginia-based cybersecurity company iDefense in the summer of 2002. Watters, a Texan with virtually no knowledge of cybersecurity, figured it was a fair price for a company that was hemorrhaging a million dollars a month, with no obvious plans to make it back. Employees hadn’t been paid in weeks. The Nasdaq would reach its lowest point of the dotcom crash the following month. Five trillion dollars in paper wealth up and vanished. In another two years, half of all dotcom companies would disappear. Even employees didn’t think iDefense stood a chance.