00:00:00
[Music]
00:00:01
how do you hack something we all know
00:00:03
the answer you sit by the computer and
00:00:06
Bash the
00:00:07
keyboard some numbers and symbols fly
00:00:09
across the screen if the bashing is
00:00:11
intensive enough success you're in it
00:00:15
works on the movies and TV shows it
00:00:17
should work the same in real
00:00:22
life it doesn't no matter how hard you
00:00:26
try no matter how many keyboards you
00:00:28
break you are not going to break
00:00:30
good cyber security for that you need
00:00:33
something special a
00:00:36
secret and to get that secret you have
00:00:39
to become part of the deepest and
00:00:41
darkest community on the
00:00:43
internet forget your dark web
00:00:45
marketplaces and hacker forums it's
00:00:48
deeper than that it's a space whose
00:00:51
entire existence rests on its covertness
00:00:54
where the world's best hackers trade
00:00:56
secrets for life-changing sums of money
00:00:59
where government Mega corporations and
00:01:01
criminal cartels compete over Snippets
00:01:04
of information that can change the world
00:01:07
welcome to the zero day
00:01:12
[Music]
00:01:20
Market you're standing in front of a
00:01:23
high and strong
00:01:25
wall how do you get to the other side
00:01:29
walls like this are all over the
00:01:30
Internet they guard the data of
00:01:32
companies Nations institutions even
00:01:35
people like you when somebody purchases
00:01:38
a gadget or an app the wall is included
00:01:40
in the price people are paying for not
00:01:43
getting
00:01:44
hacked but how do you hack things then
00:01:48
how do you get to the other side of that
00:01:50
wall smaller walls can be scaled or
00:01:53
broken through that's what things like
00:01:55
SQL injections and DoS
00:01:58
do most walls have an even easier access
00:02:01
just talking your way in that's called
00:02:04
social
00:02:04
engineering but for some even the
00:02:07
strongest brute force or the cleverest
00:02:09
infiltration is not going to work you
00:02:12
need a better way in you come closer and
00:02:15
inspect the bricks maybe one of them is
00:02:18
cracked or protrudes just enough to give
00:02:21
you a foothold maybe it can be moved to
00:02:23
reveal a secret passage Windows 10 and
00:02:26
Mac OS X some of the most popular
00:02:29
operational systems out there
00:02:30
have around 80 million lines of code if
00:02:33
each line was a brick you could build
00:02:35
nearly 300 M of wall with them 300 mil
00:02:40
80 million bricks what's the chance that
00:02:43
one of them has a flaw in the code a
00:02:47
flawed brick is a bug a vulnerability
00:02:49
that can be used and exploited a hole in
00:02:52
the system you can slip through the
00:02:54
companies that build walls don't want
00:02:56
flawed bricks the income of those
00:02:58
companies depend on shipping a secure
00:03:01
product they have entire departments
00:03:03
dedicated to finding flaws in the code
00:03:05
and pay Hefty sums of money to anyone
00:03:07
who can reveal a bug and whenever a
00:03:09
company finds a vulnerability in its
00:03:10
software it issues a patch a fix that
00:03:13
replaces the brick and removes the
00:03:16
vulnerability so the importance of a
00:03:18
security flaw is measured by how long
00:03:21
ago it was discovered week-old bugs are
00:03:23
as good as patched two or 3 days old
00:03:26
ones are probably being exploited by
00:03:28
every wannabe hack out there and the
00:03:30
patch is already on the
00:03:32
way but if a company has no idea a bug
00:03:35
exists in other words if it had known
00:03:38
about a bug for zero days it's a whole
00:03:41
other story a useful zero day is the
00:03:45
Holy Grail of hacking a secret
00:03:47
vulnerability that can be exploited to
00:03:49
breach the security of a device or an
00:03:51
app or an entire network not only are
00:03:54
you slipping right through the wall
00:03:57
nobody even suspects you're doing it
00:04:00
but good zero days are hard to come by
00:04:03
to find one you have to be better at
00:04:04
spotting flaws than every single
00:04:06
engineer hired by the wall Building
00:04:08
Company and even then you may spend
00:04:11
years staring at the code and looking
00:04:13
for a useful flaw or you can look for
00:04:16
someone who already did
00:04:18
that this is Bugtraq a mailing list
00:04:21
that dates back to the early '90s and
00:04:23
the place you can find thousands of what
00:04:25
used to be zero days for a long time
00:04:29
hackers really had very little interest
00:04:31
in money and in the beginning when they
00:04:33
would find zero exploits and when I say
00:04:35
the beginning I'm talking about um
00:04:37
mainly the '90s they would go to the
00:04:40
companies that had written this sloppy
00:04:42
software like HP Oracle Microsoft Sun
00:04:48
Microsystems and they would say hey I
00:04:50
found this bug in your software it's a
00:04:52
zero day by the way this is Nicole Perlroth
00:04:55
she's a New York Times journalist who
00:04:56
spent years investigating the zero day
00:04:58
Marketplace and a lot of what we know
00:05:00
about its history comes from her
00:05:02
reporting to create this story We
00:05:04
reached out to experts like her who have
00:05:06
actual hands-on experience finding and
00:05:09
contacting them is a bit more difficult
00:05:10
than it looks the only reason we can do
00:05:13
this is you our viewers and we are
00:05:15
thankful for every token of appreciation
00:05:18
you can give be it a like a subscribe or
00:05:21
a comment a small gesture can go a long
00:05:24
way so the early hackers would attempt
00:05:26
to contact the companies and notify them
00:05:29
about zero in their
00:05:30
software and the companies instead of
00:05:33
looking at this as oh thank you for the
00:05:35
free quality assurance uh often replied
00:05:39
with a letter from their general counsel
00:05:41
saying if you poke around our software
00:05:42
again we'll see to it that you go to
00:05:45
prison so Bugtraq you create a Snappy
00:05:49
handle you hide behind a proxy you take
00:05:51
your zero day and mail it to thousands
00:05:53
of hackers across the world the
00:05:55
community gets valuable information the
00:05:58
company gets punished and you you get
00:05:59
street
00:06:00
cred sharing and exploring zero days was
00:06:03
a major part of the early hacker culture
00:06:05
and a source of Pride for many but as
00:06:08
the years went by this state of things
00:06:10
began changing into something
00:06:13
unrecognizable there is a wall and you
00:06:16
really really need to get to the other
00:06:18
side you have money you have connections
00:06:21
you have resources all you need is a
00:06:24
hint you go to Bugtraq and look for
00:06:27
names there is pneumonics Alf one pack
00:06:30
nisy scores upon scores of handles a lot
00:06:34
of very skilled people who do a lot of
00:06:36
work for free but maybe some of them
00:06:38
would like a bit of
00:06:40
compensation you choose one an email a
00:06:44
polite well-measured
00:06:45
offer and a sum more than they earn in a
00:06:49
year more than the software company is
00:06:51
willing to pay for the same bug there
00:06:54
are very few problems a bottomless
00:06:56
budget can't solve years pass
00:07:00
you do the same again and again you
00:07:03
establish stronger connections
00:07:05
relationships networks some of the
00:07:07
people are reliable others not so much
00:07:11
you keep the reliable ones close the
00:07:13
Dangerous Ones even closer you are not
00:07:16
the only one buying and your contacts
00:07:19
are not the only one selling a market
00:07:21
begins to form and grow just by sending
00:07:24
some emails you get zero days that can
00:07:26
bypass any wall and even if you have a a
00:07:29
problem finding sellers there might be a
00:07:32
solution to that middlemen emerge zero day
00:07:35
Brokers companies with Shady names and
00:07:38
even shadier backgrounds willing to help
00:07:40
you in your struggle they can find
00:07:42
whoever you need and conduct the
00:07:44
transaction they will even confirm if
00:07:46
the merchandise works and vouch for its
00:07:49
Effectiveness they're very much a
00:07:51
matchmaking service right government
00:07:53
right could go and and you know post
00:07:55
even you know anonymously on on Reddit
00:07:57
or you know some underground Forum hey I
00:07:59
want to go buy an exploit right but but
00:08:01
then you're dealing with some unknown um
00:08:03
some unknown party you have issues
00:08:05
around escrow all right you know both
00:08:07
trust from the buyer side and Trust From
00:08:10
the seller side and so these exploit
00:08:13
brokers work as middlemen and
00:08:15
matchmakers they're holding stuff in
00:08:17
escrow and then they're confirming the
00:08:18
vulnerability or holding funds in escrow
00:08:20
and then confirming the vulnerability
00:08:22
actually works in many cases before even
00:08:24
brokering brokering the deal and then of
00:08:27
course for all those Services they take
00:08:28
a percentage off
00:08:30
so you buy a snippet of information from
00:08:32
a broker or an anonymous hacker online
00:08:35
you confirm that the vulnerability works
00:08:37
and you develop an exploit a piece of
00:08:39
malware that can reliably turn one
00:08:41
flawed piece of code into a safe Passage
00:08:44
through the
00:08:45
wall time to use
00:08:48
it what you are looking at now is an
00:08:51
exploit not an actual one but a
00:08:53
reconstruction a researcher managed to
00:08:55
piece together after scraping the
00:08:57
remains of an attack on his phone
00:09:00
it's designed to infect iPhones through
00:09:02
an invisible iMessage the user never
00:09:05
gets the notification not even a blip on
00:09:07
the screen a snippet of code just slips
00:09:10
in and stays completely silent it begins
00:09:13
working through a particular bug a flaw
00:09:16
that existed in Apple software for
00:09:18
decades a remnant of a function that has
00:09:20
long been discontinued a deformed brick
00:09:23
that once supported a wall but no longer
00:09:26
does after slipping through the code
00:09:29
takes over a small part of the phone's
00:09:30
memory just enough to get some minor
00:09:33
things done using this memory the
00:09:36
message finds another larger hole in the
00:09:38
wall another zero day through which an
00:09:41
even more malicious code can be brought
00:09:43
through it's unexploitable from outside
00:09:46
but once you're in you can use it the
00:09:49
new code is more potent and it begins a
00:09:51
war on the phone's native systems a
00:09:54
short battle rages under the fingers of
00:09:56
the unsuspecting user until the invading
00:09:58
code you uses yet another vulnerability
00:10:01
one that allows it to bypass all
00:10:03
defenses in several seconds the iPhone
00:10:06
is
00:10:07
conquered finally one more vulnerability
00:10:10
is used to gain access and take over the
00:10:13
Safari browser now the phone is at the
00:10:15
mercy of the Intruder and will report
00:10:18
everything the owner does sees or Hears
00:10:21
A String of four zero days an entire
00:10:23
attack chain tied together by some very
00:10:26
well-written code giving you
00:10:27
unrestricted access to any iPhone on the
00:10:30
planet the researchers called this chain
00:10:32
operation triangulation a weird name for
00:10:35
an attack that has four prongs not three
00:10:38
but who are we to judge weird naming
00:10:41
aside these exploits are incredibly
00:10:43
potent and Incredibly dangerous and to
00:10:46
get that sort of capability you have to
00:10:48
pay the
00:10:50
price just like with almost anything on
00:10:53
an open market the price is a reflection
00:10:55
of the
00:10:56
usefulness one of the very few glimpses
00:10:59
we get into the cost of attacks like
00:11:00
operation triangulation is a list by
00:11:03
zerodium a major broker company that
00:11:05
actually publishes its
00:11:07
prices according to zerodium a zero day
00:11:10
that allows you to bypass a phone's
00:11:12
passcode or a pin nowadays is up to
00:11:15
$100,000 a zero day that allows you to
00:11:18
access their chat application a web
00:11:20
browser or an email could cost up to a
00:11:22
half a million zero days that give you
00:11:25
access to somebody's phone without any
00:11:27
interaction on their part can that2 to
00:11:30
$2.5
00:11:32
million so millions of dollars to break
00:11:35
into a phone and that's not even
00:11:37
counting the salaries of the small army
00:11:39
of hackers who wrote the exploit making
00:11:42
the zero day
00:11:43
usable these are not the amounts of
00:11:45
money you pay to keep tabs on your
00:11:46
cheating fiance the people who use these
00:11:49
attacks aim a lot higher the biggest
00:11:52
demographic of buyers um you know on
00:11:54
open markets is is probably governments
00:11:56
I mean I I you know they they have they
00:11:59
have money that cyber criminals you know
00:12:01
can't touch um you know or can't
00:12:03
possibly you know can't possibly amass
00:12:05
even some these larger ransomware gangs
00:12:06
and the value right that they get out of
00:12:08
the um you know out of the intelligence
00:12:10
that they gain with these zero days is
00:12:13
not measured in dollars and cents either
00:12:15
some zero days are harmless you know you
00:12:17
find a mistake in the code and it might
00:12:20
be in a system which is not widely used
00:12:23
or if it's even used by some Niche
00:12:26
audience it's not uh that interesting
00:12:28
not worth your effort to break into that
00:12:31
system but the systems that hackers and
00:12:34
nation states spend a lot of time on
00:12:36
right now are iPhone software Android
00:12:41
software software that touches critical
00:12:43
infrastructure software that touches um
00:12:47
like I said you know cryptocurrency
00:12:50
systems uh wallets that could get you a
00:12:52
lot of cash uh in cryptocurrency we may
00:12:55
never know the actual cost of operation
00:12:57
triangulation there's only a small
00:12:59
handful of broker companies that publish
00:13:01
their prices and countless more that
00:13:03
don't the actual cost of a zero day let
00:13:06
alone an exploit can vary a lot a good
00:13:10
example of that is Operation zero a
00:13:12
broker that popped up just a few years
00:13:14
ago in September 2023 it offered the
00:13:17
highest price for an exploit that has
00:13:18
ever been recorded $20 million for an
00:13:21
attack chain things like operation
00:13:23
triangulation could cost at least as
00:13:26
much or even more all of that to give
00:13:29
give you access to a phone a small
00:13:31
device that tracks its users but some
00:13:34
targets of such attacks are
00:13:36
bigger zero day bought for a similar
00:13:38
price might net you an entrance to a
00:13:40
desktop computer or an industrial
00:13:43
controller or an entire network that
00:13:45
maintains infrastructure of a factory a
00:13:47
military base a
00:13:51
city Stuxnet one of the most advanced
00:13:54
examples of malware used a string of
00:13:56
four zero days to enter an Iranian
00:13:59
nuclear facility and disable
00:14:01
it NotPetya the most damaging Cyber
00:14:04
attack ever recorded used one single
00:14:07
zero day to paralyze an entire country
00:14:09
for several days causing billions of
00:14:11
dollars worth of damage to International
00:14:13
companies that operated
00:14:15
there the phone of Jamal Khashoggi a
00:14:18
journalist murdered by the Saudi Arabian
00:14:20
government in 2018 was monitored and
00:14:23
tracked by the government after
00:14:24
infecting his devices through zero days
00:14:29
so far we've been comparing a zero Day
00:14:31
to a flaw in a wall a brick that reveals
00:14:34
a hidden entrance this comparison is
00:14:36
quite harmless maybe a bit too harmless
00:14:40
a zero day could also be compared to a
00:14:42
weapon or more correctly a material from
00:14:45
which a weapon can be made a more
00:14:48
powerful weapon than almost anything in
00:14:50
the world with the right set of zero
00:14:53
days a government can wage cyber war
00:14:55
against both competing governments and
00:14:57
its own citizens for for a government
00:14:59
with enough funds to buy such a
00:15:01
collection and enough skilled Personnel
00:15:03
to correctly exploit it any security is
00:15:06
no longer an
00:15:08
obstacle and most of these zero days
00:15:10
have at some point been traded on the
00:15:12
zero day Market they were bought sold
00:15:15
and
00:15:15
shared this happens every day right
00:15:18
there under the noses of law enforcement
00:15:20
regulators and corporations that can't
00:15:23
and won't do anything to fight
00:15:25
it why how is trading zero days even
00:15:29
legal and why nobody treats it with at
00:15:31
least a fraction of the seriousness
00:15:33
people treat the sale of weapons of mass
00:15:36
destruction well the answer to that is a
00:15:39
bit
00:15:41
complicated the zero day Market is a
00:15:43
sprawling structure with several levels
00:15:46
and a huge variety of players it seems
00:15:49
harmless on the surface nowadays unlike
00:15:51
20 or 30 years ago lots of companies
00:15:54
offer bug Bounty programs they pay for
00:15:57
any vulnerabilities found in their
00:15:58
software encouraging hackers to earn
00:16:00
their income legally and make the
00:16:02
internet more secure in the process some
00:16:05
firms and researchers do the same but
00:16:07
independently they look for bugs on the
00:16:09
code of popular software and notify the
00:16:11
vendors sometimes they get paid in any
00:16:14
case they get exposure the corporate
00:16:17
version of hacker street cred this is
00:16:20
how the White Market works the tip of
00:16:22
the iceberg something most people mean
00:16:25
when they talk about zero days but there
00:16:28
is a level below that the part of the
00:16:30
market where companies don't have catchy
00:16:32
names and aren't too fond of being
00:16:34
noticed where researchers don't advertise
00:16:37
their findings and a lot of them get
00:16:39
redacted you can go search LinkedIn um
00:16:43
and find people that are um you know
00:16:45
hiring contractors right that are hiring
00:16:47
for vulnerability research um you know
00:16:51
requiring security clearance that's not
00:16:53
an anomaly in the US but make no mistake
00:16:55
about it right all all all governments
00:16:57
are are either researching these or
00:16:59
purchasing them and probably some
00:17:02
combination thereof this is the gray
00:17:04
Market strictly speaking it's not legal
00:17:07
but it's not illegal either the
00:17:10
governments are investing in research
00:17:11
and hiding what they find from the
00:17:13
public they pay the hackers for their
00:17:15
silence and use the zero days for spying
00:17:17
and cyber warfare it's hard to
00:17:19
comprehend morally dubious and entirely
00:17:23
unregulated but there's a level below
00:17:26
that too finally we the black market which
00:17:29
is sometimes governments if there are
00:17:31
international regulations limiting their
00:17:34
ability to buy du the exploits on the
00:17:37
gray Market a lot of illegal activity
00:17:39
goes on on black market and the value is
00:17:43
much higher than white Market could be
00:17:44
10 to 100 times as high for exploits as
00:17:47
on the White Market so you will find a
00:17:50
lot of international crime networks and
00:17:52
organizations some rogue governments
00:17:55
non-state actors of various types
00:17:57
operating there illicitly
00:17:59
recently the world witnessed a very
00:18:01
telling example of exactly that this is
00:18:04
an app called MOVEit a file transfer
00:18:06
protocol similar to WeTransfer or one
00:18:08
drive it has a boring interface and a
00:18:11
moderate market share safe to say you've
00:18:14
probably never used it unless you worked
00:18:17
at a major corporation or government
00:18:19
office before 2023 most of its clients
00:18:22
were the big shots the likes of shell
00:18:24
Sony and the US Department of energy in
00:18:27
June 2023 Clop a major ransomware
00:18:31
gang acquired a zero day vulnerability
00:18:33
in MOVEit software immediately it was
00:18:36
used to breach the service and steal the
00:18:38
data of all its clients and what
00:18:41
resulted was the largest ransomware
00:18:43
attack in recent years Clop's list
00:18:45
includes over 22,000 companies and
00:18:48
nearly 90 million people more than the
00:18:51
population of such countries as Germany
00:18:53
or France Clop began extorting the
00:18:55
companies threatening to release their
00:18:57
secrets if they didn't pay Ransom we'll
00:19:00
never know how many companies budged but
00:19:02
the payouts quite certainly made a lot
00:19:04
of criminals very very rich all thanks
00:19:07
to one single zero
00:19:12
day so it started with nation states and
00:19:15
their
00:19:16
contractors and like most of these
00:19:18
techniques and tools it has now migrated
00:19:21
to cyber criminals and over the past few
00:19:25
years we've seen cyber criminals use
00:19:26
zero day exploits in various
00:19:28
ransomware attacks um or hacks of
00:19:31
cryptocurrency exchanges or wallets and
00:19:33
that kind of thing so that's the black
00:19:36
part of the zero day Market with it the
00:19:38
whole thing seems quite neat and
00:19:40
organized you have the good guys who
00:19:42
work openly and hunt for zero days to
00:19:45
expose them and make everyone safer you
00:19:47
have governments and Shady companies who
00:19:49
trade zero days to stay on top of the
00:19:51
cyber warfare game and you have the
00:19:53
criminal organizations that buy zero
00:19:55
days to steal data you can read all
00:19:58
about this on Wikipedia or well
00:20:01
anywhere but this structure is clear
00:20:03
only from the surface when you begin
00:20:06
looking at the market closer the lines
00:20:08
begin to blur and things get
00:20:14
worse let's get back to operation
00:20:16
triangulation an exploit that used 4
00:20:19
zero days to gain access to any
00:20:21
iPhone this operation was discovered
00:20:24
after researchers at Kaspersky a Russian
00:20:26
cyber security company accidentally
00:20:28
detected its traces on their phones the
00:20:31
researchers admitted it is the most
00:20:33
complex and most advanced attack they've
00:20:36
ever dealt with it has all the telltale
00:20:38
signs of a state-sponsored hacker Army
00:20:41
and a very powerful one at that at the
00:20:44
same time the Federal Security Service
00:20:47
the Russian analog of America's NSA
00:20:49
announced discovering the same attack
00:20:51
patterns on thousands of phones of
00:20:53
Russian government officials the service
00:20:56
said they managed to identify the
00:20:57
attacker a American intelligence
00:20:59
agencies who spied on Russian citizens
00:21:02
in this unparalleled International
00:21:04
attack according to the FSB such an
00:21:07
attack had to be coordinated with apple
00:21:09
which would not allow bugs like those to
00:21:11
remain in their systems without any
00:21:13
reason but then there is Operation zero
00:21:17
the company which offered $20 million
00:21:19
for the same attack chain hinting that
00:21:21
the attack is more than possible without
00:21:24
Apple's input just like with most
00:21:26
vendors we know very little about
00:21:28
operation zero but one thing we know and
00:21:31
it's a thing the company is out loud
00:21:32
and proud about is that it sells its
00:21:35
exploits only to Russian intelligence
00:21:37
agencies and companies another thing we
00:21:39
know is that it was founded by a former
00:21:41
employee of Kaspersky the same company
00:21:44
that was later attacked by operation
00:21:48
triangulation for a citizen of the
00:21:50
United States selling a zero day to
00:21:52
zerodium which would pass it on to the
00:21:54
NSA would be the work on the gray market
00:21:57
to sell the same bug to operation zero
00:22:00
the citizen would have to enter the
00:22:01
black market and for a Russian hacker
00:22:05
who discovered the same zero day the
00:22:07
situation would be strictly reversed
00:22:09
contacting operation zero would make
00:22:11
them a millionaire and contacting
00:22:12
zerodium would likely land them in jail
00:22:16
but only a small minority of hackers
00:22:18
live in the United States or Russia
00:22:20
every country in the world aims to get
00:22:21
an edge in cyberspace and each one of
00:22:24
them sets its own rules in accordance
00:22:26
with its alignment each one has its own
00:22:28
white gray and black markets and thanks
00:22:31
to the world being as interconnected as
00:22:33
it is absolutely nothing prevents one
00:22:36
government from reaching out to a black
00:22:37
market of another governments that are
00:22:40
not looking for morally dubious uh
00:22:43
things generally use gray and white
00:22:46
markets uh to get those types of
00:22:48
vulnerabilities if they go in the black
00:22:50
market It's really because they can't
00:22:52
get to it in any other way and it gets
00:22:56
pretty complicated
00:23:01
both zerodium and operation zero are
00:23:03
pretty straightforward they sell to
00:23:05
their governments and are transparent
00:23:07
about it but when it comes to Brokers
00:23:10
those two are an
00:23:12
exception most companies that trade in
00:23:14
zero days work entirely in the shade
00:23:17
what they sell and who they sell to and
00:23:19
who works for them is a total secret and
00:23:22
from what we know they often use that to
00:23:24
blur the lines between the markets even
00:23:26
more either on accident or not entirely
00:23:30
so they may actually um you know sell to
00:23:34
not sanctioned regimes because that
00:23:35
would obviously be illegal but they
00:23:37
probably aren't doing like as much due
00:23:40
diligence as you might otherwise you
00:23:42
know want um and they might even in some
00:23:44
cases um you know through that lack of
00:23:47
due diligence be working with you know
00:23:49
some possibly unwittingly with some
00:23:51
cyber promote but then we have these
00:23:53
high-profile incidents where groups like
00:23:55
hacking team which was based in Milan
00:23:57
Italy um um get hacked themselves and we
00:24:01
say oh they're selling to uh African
00:24:05
nations that have
00:24:06
horrific human rights records or to
00:24:10
Russia which might not have initially
00:24:11
fit these hackers uh moral calculus on
00:24:15
who's a good country who's a Bad Country
00:24:16
who has free press and who doesn't and
00:24:19
thanks to all this secrecy and all of
00:24:21
this blurring imposing any kind of
00:24:23
regulation on the zero day Market or
00:24:25
even going after anybody who crosses the
00:24:27
line becomes nearly impossible a
00:24:30
Prosecuting somebody who is you know
00:24:33
themselves Anonymous and who facilitates
00:24:35
Anonymous purchases is very complicated
00:24:38
even when you know the parties involved
00:24:41
and no one likes doing that um because
00:24:43
they also want to see Brokers as sources
00:24:45
of information so for them it's better
00:24:47
to give the broker immunity and get them
00:24:50
to cough up whatever they know about uh the
00:24:53
deal then to go after them and make
00:24:56
additional uh parties with an interest to
00:24:58
cover everything up even more that's why
00:25:00
they're not very likely to be
00:25:02
prosecuted and this is how the zero day
00:25:05
Market operates with no regulation with
00:25:08
no prosecution always on the border of
00:25:10
legality and morality it is sprawling
00:25:13
and complex and at the same time mostly
00:25:16
invisible and entirely
00:25:18
opaque for people who first learn about
00:25:21
it it's difficult to have any kind of
00:25:23
positive reaction after all we are
00:25:25
speaking about the underground sale of
00:25:27
weapons that can be and sometimes are
00:25:29
used against every one of us so an urge
00:25:33
to regulate or straight up ban can be
00:25:35
overwhelming no matter how difficult or
00:25:37
impossible that might seem but there can
00:25:40
be a different perspective on this a
00:25:43
perspective held by a lot of people who
00:25:45
used to work in intelligence agencies
00:25:47
and witness what governments use their
00:25:48
zero days for yeah this one's a rather
00:25:51
you know complex one for me um you know
00:25:53
I don't speak purely from opinion a
00:25:55
little bit of it's from experience um I
00:25:57
think it's known at this point uh you
00:25:59
know that I'm a Former Intelligence
00:26:00
professional and a former government
00:26:02
hacker right um and so you know I've
00:26:05
seen firsthand the value of um you know
00:26:08
the value of retaining an 0day um purely
00:26:11
for uh you know purely for offensive
00:26:13
purposes of course there's a risk there
00:26:15
right and that's why the US government
00:26:17
um you know has the vulnerability
00:26:18
equities process um where you know very
00:26:21
smart people um very smart and very
00:26:23
educated people from across different
00:26:25
agencies in the government meet about
00:26:27
zero days that we have knowledge of and
00:26:30
may have may or may not have weaponized
00:26:31
may be available for sale what have you
00:26:34
and discuss the um you know the value of
00:26:37
using it for intelligence versus the
00:26:40
value of making our infrastructure safe
00:26:42
right and and globally infrastructure
00:26:44
say it it's it's a bit complex for me I
00:26:46
I I absolutely can't side with the folks
00:26:49
that say all zero days are equ that's
00:26:53
that can't be that that can't be the
00:26:56
case what you're looking looking at now
00:26:58
is a theoretical exploit of a
00:27:00
vulnerability in PHP a scripting
00:27:02
language that forms the backbone of the
00:27:04
internet both the visible one such as
00:27:07
the page you are on right now and the
00:27:10
invisible one the dark web a place
00:27:12
you've probably heard of websites and
00:27:15
servers there are based on the same
00:27:16
principles as regular websites and they
00:27:19
are susceptible to the same
00:27:21
vulnerabilities sometime in late 2023
00:27:24
somebody somewhere discovered a cracked
00:27:27
brick in the wall that forms a part of
00:27:30
PHP we don't know who that was and why
00:27:32
they did it maybe they found the zero
00:27:34
day themselves maybe they bought it on
00:27:36
the
00:27:37
market and then they took that cracked
00:27:39
brick and turned it into a passage with
00:27:42
that passage they could have accessed
00:27:44
any server overtake any website in the
00:27:47
world but the website they did attack
00:27:49
looked like this it's the dark web blog
00:27:53
of LockBit one of the largest criminal
00:27:55
organizations in the world and several
00:27:58
years of their existence LockBit
00:28:00
attacked thousands of people and
00:28:01
extorted billions after stealing their
00:28:03
data and demanding Ransom at the height
00:28:06
of their activity they comprised almost
00:28:08
half of the entire ransomware Market in
00:28:10
the world in early 2024 LockBit was
00:28:14
taken down their whole infrastructure
00:28:17
spanning dozens of servers and the
00:28:19
accounts of hundreds of cyber criminals
00:28:21
was taken over by a combined task force
00:28:23
of law enforcement from 11 countries
00:28:25
they hit the gang so hard that it
00:28:28
practically had to recreate itself anew
00:28:30
and might never return to the top of the
00:28:32
food chain and this entire operation was
00:28:36
most likely conducted thanks to a zero
00:28:39
day so yes it can be difficult to admit
00:28:43
but sometimes the governments and law
00:28:45
enforcement agencies just do their job
00:28:48
and sometimes that job requires a
00:28:51
well-placed
00:28:52
exploit well it could be unethical but
00:28:55
the problem is it works both ways yes
00:28:58
could facilitate governments looking to
00:29:00
spy on opposition members journalists and
00:29:03
and so forth and there are many
00:29:05
campaigns constantly attacking
00:29:07
governments and companies for doing
00:29:09
exactly that it could also be the reverse it
00:29:12
could be other governments going after
00:29:14
the oppressive governments and trying to
00:29:17
cause them problems uh it could also be
00:29:20
private initiatives looking for exploits
00:29:22
to attack these governments such as what
00:29:26
Anonymous Affiliates were doing against
00:29:28
Russia during the war with Ukraine so if
00:29:30
you start going after this Market it
00:29:32
will end up hurting both sides and more
00:29:34
likely the government will win anyway in
00:29:37
that scenario because they have more
00:29:39
money to spend they're not operating at
00:29:42
a risk when they those markets they will
00:29:45
use third parties who they'll burn but
00:29:47
they'll then they'll find somebody else
00:29:50
so everything is a lot blurrier than it
00:29:52
might seem the zero day Market is a huge
00:29:54
Tangled mass of legal and moral
00:29:56
questions of companies that sell to
00:29:58
criminals and governments alike of
00:30:01
agencies that seek exploits and pay
00:30:03
millions but call it illegal to use the
00:30:05
same exploits against them of criminals
00:30:08
attacking governments and governments
00:30:10
attacking criminals and of hackers who
00:30:13
are the source of it all people who earn
00:30:15
their living staring into the
00:30:18
[Music]
00:30:21
wall most of the zero day Market is
00:30:23
completely secret but after all we know
00:30:26
about it right so somebody is definitely
00:30:29
breaking the first rule of Fight
00:30:31
Club sometimes it's former government
00:30:33
employees who say as much as they can
00:30:36
without crossing the
00:30:37
line sometimes it's brokers who want to
00:30:40
attract attention both from potential
00:30:42
sellers and buyers and sometimes it's
00:30:45
hackers themselves who decide to talk
00:30:48
despite what others tell them as I
00:30:51
document in the book there are various
00:30:52
cases where um certain uh Brokers there
00:30:57
was a very famous One based in uh
00:31:00
Thailand I don't know where he is now
00:31:02
the Grugq he's a very well-respected member
00:31:05
of the hacking
00:31:06
Community um spoke to a Forbes reporter
00:31:11
a friend of mine Andy Greenberg at one
00:31:14
point and thought he was speaking off
00:31:16
the Record basically the Grugq shared a lot
00:31:18
of information Priceless uh you know
00:31:22
some rules of the game at one point even
00:31:25
posed for a photo next to a duffel bag
00:31:27
with which I don't know whether there
00:31:29
was actual cash in it but it looked like
00:31:32
there was Cash in it I don't know if it
00:31:33
was real or not and from what I
00:31:36
understand after that appeared he was
00:31:39
visited by Thai police and basically
00:31:42
according to friends and colleagues of
00:31:44
his um lost half his business because
00:31:47
there were a lot of governments who had
00:31:48
been buying zero days from him who said
00:31:50
I don't want to do business with someone
00:31:53
who's going to pose next to a bag a duffel
00:31:55
bag of cash in Forbes Magazine that is
00:31:58
the antithesis of who I want to be
00:32:01
working with and so that became a very
00:32:04
um public example to other zero day
00:32:08
Brokers that they would do well to keep
00:32:11
their mouth
00:32:13
shut we tried contacting the Grugq for this
00:32:16
story and it seems he learned his lesson
00:32:20
just like almost any zero day seller or
00:32:22
broker you can find on the internet some
00:32:24
of them have public profiles some reveal
00:32:26
some details of their operations some
00:32:29
even share their names but the
00:32:31
overwhelming majority have to operate
00:32:34
through multiple layers of encryption
00:32:36
and when you get to that point of
00:32:37
secrecy there's just no way to know who
00:32:40
you're dealing with and frankly it's
00:32:41
dangerous for you to do to know and
00:32:43
that's why it's done particularly in
00:32:45
that way so the reason why no one wants
00:32:48
to talk about this is one you know their
00:32:51
customers
00:32:53
require um complete
00:32:55
discretion no one no government
00:32:58
wants to purchase a zero day from
00:33:01
someone who's out there mouthing off
00:33:05
about what they have who they're selling
00:33:08
it to you know they they need to be able
00:33:11
to trust these people to keep these
00:33:14
sales quiet so discretion is is critical
00:33:18
which is why while we know a lot about
00:33:20
the zero day Market there's much more we
00:33:22
don't and probably never will even
00:33:25
despite the impact it has and will have
00:33:27
on our lives so there you go the zero
00:33:30
day Market the digital underworld full
00:33:33
of elite hackers and horrific Secrets a
00:33:36
world that sometimes spills into our
00:33:38
reality causing massive harm but also a
00:33:42
world that is inseparably intertwined
00:33:44
with ours with ties That simply can't
00:33:47
and probably won't be
00:33:49
broken the walls are built by people and
00:33:53
as long as that happens some bricks in
00:33:55
them will be
00:33:56
flawed and as long as there are flawed
00:33:59
bricks there will be people who will pay
00:34:01
money to have them
00:34:02
found and so the zero day Market will
00:34:06
persist we hope you enjoyed this short
00:34:09
dive into another extremely complicated
00:34:11
topic we're very thankful to Nicole Perlroth
00:34:14
whose book on zero days served as an
00:34:16
inspiration for this story don't
00:34:19
hesitate to give a chance to our other
00:34:20
explainers we cover all things cyber and
00:34:23
usually upload one every other week stay
00:34:26
informed and have a nice stay