Russian exploit dealer offers $20 million for iOS and Android zero-days

A Russian zero-day trader raises prices for iOS and Android exploits to $20 million. That’s considerably more than most commercial exploit buyers offer for an operating system bug. The zero days are only used by non-NATO countries.

The Russian company Operation Zero says on X, the former Twitter, that it increases the maximum price for an iOS or Android exploit to twenty million dollars, equivalent to about nineteen million euros. This increases the price by a factor of ten; at this time the company pays another two million dollars for the same kind of exploit. This concerns the very highest category, where a vulnerability in iOS can be exploited to remotely increase a user’s rights to admin rights, all without user intervention.

The price increase is striking because it is so high. In the commercial market, mobile operating system exploits are worth a lot of money, usually more than the maximum reward that companies themselves offer, but twenty million is a lot more than competitors are offering. One of the best-known zero-day buyers, Zerodium, is still paying two million dollars for a similar vulnerability in iOS and $2.5 million for a vulnerability in Android.

There has been a vibrant market for software vulnerabilities for years. This market can be interesting for bug bounty hunters, because they can make much more money there than if they go directly to the companies. Apple, for example, pays itself a million dollars when researchers report similar exploits. Operation Zero says the price increase is due to ‘high demand in the market’. The company says it hopes other researchers and research teams will collaborate with them. This does not seem very attractive to Western bug bounty hunters; Operation Zero is working with the Russian government and says the zero-days will only be “used by non-NATO countries.”