The Untold History of America’s Zero-Day Market

“With the breakup of the Soviet Union, you had a lot of people with skills, without jobs,” Sabien explained. In Europe, hackers, some as young as 15 and 16, were trading their discoveries to zero-day dealers who would turn around and sell them directly to government agencies and their brokers. Some of the most talented hackers, Sabien told me, were in Israel, veterans of Israel’s Unit 8200. One of the best was a 16-year-old Israeli kid.

It was a secretive business and mind-blowingly convoluted. Sabien’s team couldn’t exactly call up hackers, ask them to send their exploit by email, and mail them back a check. Bugs and exploits had to be carefully tested across multiple systems. Sometimes hackers could do this over video. But most deals were done face-to-face, often in hotel rooms at hacker conventions.

Sabien’s team increasingly relied on these murky middlemen. For years, he said, his employer dispatched an Israeli middleman with duffel bags stuffed full of half a million dollars in cash to buy zero-day bugs from hackers in Poland and across Eastern Europe.

Every step in this insanely complex deal-making structure relied on trust and omertà. Governments had to trust contractors to deliver a zero-day that worked. Contractors had to trust middlemen and hackers not to blow the exploit in the course of their own escapades, or resell it to our worst enemies. Hackers had to trust contractors would pay them, not just take their demonstrations and develop their own variation of their bugs. This was before bitcoin. Some payments were doled out via Western Union, but most were done in cash.

You couldn’t dream up a less efficient market if you tried.

Which is why, in 2003, Sabien took note that iDefense was openly paying hackers for their bugs and called Watters.

To a businessman like Watters, who was trying to push the market out into the open, what the contractors were doing was idiotic, dangerous even.

“Nobody wanted to talk openly about what they were doing,” Watters recalled. “There was this whole air of mystery to it. But the darker the market, the less efficient it is. The more open the market, the more it matures, the more buyers are in charge. Instead they chose to…