Company That Buys Zero-Day Hacks Now Wants Exploits for Popular VPNs

Uh oh. An infamous company that pays thousands of dollars for iOS and Android hacking techniques is now out to acquire zero-day exploits for three popular VPN services. 

Zerodium today sent out a tweet calling for “zero-days” or publicly unknown attacks that work against ExpressVPN, NordVPN, or Surfshark. The attacks must be capable of leaking information from the VPNs, such as a computer’s IP address. Zerodium will also pay for exploits that can trigger a VPN to remotely execute computer code.

Zerodium didn’t say how much it’s willing to pay for the hacking techniques. But its bounties can range from $100,000 up to $2.5 million for the most powerful zero-day exploits against Android and iOS. For now, Zerodium is merely calling on hackers and security researchers to submit “pre-offers” for the zero-day exploits via its website.  

Zerodium’s tweet is unsettling, given that ExpressVPN, NordVPN, and Surfshark are highly rated and popular VPN services. But it’s also true that hackers and fraudsters rely on VPN services too.

The technology works by rerouting your internet activity to the VPN provider’s servers and encrypting the connection, which can prevent an internet service provider from learning what you’ve been browsing. However, the zero-day exploits Zerodium is asking for could unravel the encryption and even hijack your PC or smartphone. 

The bounty from Zerodium also suggests the company’s clients are looking to spy on some users of the three VPN apps. Those customers include government institutions in the US and Europe “in need of advanced zero-day exploits and cybersecurity capabilities,” according to Zerodium’s website. 

Recommended by Our Editors

“At Zerodium we take ethics very seriously and we choose our customers very carefully through a very strict due diligence and vetting process,” the site adds. “Access to acquired zero-day research is highly restricted and is limited to a very small number of government clients.”

Zerodium—along with ExpressVPN, NordVPN, and Surfshark—didn’t immediately respond to a request for comment. However, both ExpressVPN and NordVPN offer bug bounties, which means they’ll pay you for…


NuData Security, a Mastercard company Wins CyberSecurity Breakthrough Award

Los Angeles, September 30, 2021 – CyberSecurity Breakthrough, a leading independent market intelligence organization that recognizes the top companies, technologies and products in the global information security market, today announced that NuData Security, a Mastercard and online user verification company, has been selected as the winner of the “User Behavior Analytics Security Solution Provider of the Year” award in the fifth annual CyberSecurity Breakthrough Awards program.

NuData monitors billions of devices, processes nearly two billion events monthly, and mitigates threats with over 99% accuracy. The NuData flagship solution, NuDetect, helps companies trust users based on how they behave, without adding friction. The solution looks at things such as how a user types, moves the mouse, or holds the device, among several other data points. Clients can deploy the technology at any placement end-users interact with, such as opening an account, resetting a password or logging in, checking rewards, reviewing a booking, or sending a money transfer.

DevOps Experience

NuData solutions have specific machine learning models for each of the multiple use cases it addresses. By looking at how a user behaves, the technology can adjust to new and growing threats such as human farming, remotely accessing an end-user’s computer.
This breakthrough approach allows companies to prevent attacks and mitigate threats that bypass bot detection tools.

“Our breakthrough technology empowers clients to verify users based on their behavior. If there is a threat – it doesn’t matter if the credentials are correct, if the device information is the same, or the IP is a trusted one – by evaluating the behavior you can see there’s something off,” said Michelle Hafner, SVP of Product Strategy & Execution at NuData. “This award reaffirms our mission in providing secure environments without compromising user experiences. I consider it a strong testament to our momentum and the hard work we’ve done with our clients and partners.”

The mission of the CyberSecurity Breakthrough Awards is to honor excellence and recognize innovation, hard work and success in a range of information security categories….


VPN and mobile VPN: How to pick the best security solution for your company

With the influx of remote workers, companies must develop and implement guidelines to ensure network security.

Secure VPN Connection. Virtual Private Network or Internet Security Concept.

Image: Getty Images/iStockphoto

One of the most noticeable changes to the enterprise as a result of the COVID-19 pandemic is the move to hybrid or remote work. As more and more employees work remotely indefinitely, the need for secure access to networks, systems and data becomes even more paramount.

Deploying a virtual private network (VPN) in your organization accommodates remote employees by providing safe access to those internal resources. 

Enjoying this article?

Download this article and thousands of whitepapers and ebooks from our Premium library. Enjoy expert IT analyst briefings and access to the top IT professionals, all in an ad-free experience.

Join Premium Today

Another bonus: VPNs can be used in conjunction with single sign-on services and outside applications (such as Slack or G Suite) to streamline business applications usage and identity management, making it even easier for employees to work remotely.

However, providing employees with VPN access is just the start. Companies should also enforce a VPN usage policy. Otherwise, network security and internal resources may be at risk.

This VPN usage policy, from TechRepublic Premium, offers customizable guidelines to help IT ensure that VPNs are properly deployed, and it outlines acceptable use policies for end users on company-issued and personal devices.

TechRepublic Premium

Not only has demand increased for VPNs, but the availability of VPN options has increased too. Case in point: mobile VPNs. Mobile VPNs stay intact across changes in physical connectivity, hence the “mobile” in the name. This solution ensures data user mobility and…


190 Mainers’ data exposed in hack of web company that serves far-right clients

Financial and credit card information belonging to almost 200 Maine residents has been compromised in the hack of a web services company that’s popular with far-right groups.

The 190 Maine residents are among 110,000 people nationwide whose details were leaked in a breach of information from Epik, according to a data breach notice filed with the Maine Attorney General’s office last week. 

The information released through the hack has unmasked some Epik customers as operators behind websites supporting the Jan. 6 Capitol riot and promoting Holocaust denial. 

The compromised information included financial account numbers or credit and debit card numbers, including security codes, access codes, and other passwords needed to gain access to those accounts and cards. 

There were no other identifying details about the Mainers whose data were leaked in the data breach notice filed with the attorney general’s office. 

Almost 10 years’ worth of data from Epik customers, including payment information, domain purchases and transfers, email addresses, and account credentials, were captured, according to Anonymous, the decentralized internet hacking collective that claimed responsibility for the Sept. 13 hack. 

Epik discovered the breach two days later, on Sept. 15.

“We have retained multiple cybersecurity partners to investigate the incident, secure our services, help affected users, and notify you, law enforcement, and other relevant authorities,” Epik wrote in a letter to customers. “We are continuing to communicate with relevant authorities and other stakeholders as well.” 

The company, based outside of Seattle, Washington, said it would offer affected Epik users free credit monitoring until Sept. 15, 2023. 

Epik has been criticized for providing services to extremist groups and websites that had been barred from using other web hosting services for hosting racist and anti-Semitic content, such as the Proud Boys and the social media sites Gab, Parler and 8chan. 

Amazon Web Services cut off Parler’s web service earlier this year due to its links to Jan. 6 Capitol rioters, and 8chan and Gab have been linked to men responsible…