Crowdfense Offers Millions for iPhone, Android, WhatsApp, and iMessage Exploits

Crowdfense Offers Record Payouts for Zero-Day Exploits in iPhone, Android, WhatsApp, and iMessage

Crowdfense, a company specializing in the acquisition of high-quality zero-day exploits and advanced vulnerability research, is offering a total of $30 million for exploits targeting zero-day vulnerabilities in Android, iOS, Chrome, and Safari. According to the company, prices have increased several times over in recent years as hacking these products has become increasingly difficult.

Founded in 2017, Crowdfense describes itself as a “research hub and acquisition platform for high-quality 0-day exploits and advanced vulnerability research.” Companies like Crowdfense (and other well-known exploit brokers such as Zerodium) purchase exploits and vulnerability information to resell to other organizations, typically government agencies and state contractors. These clients claim to use the data for tracking or monitoring criminals.

A recent Google report noted that hackers exploited a total of 97 zero-day vulnerabilities in 2023. Spyware vendors, who often work closely with exploit brokers, were responsible for 75% of the zero-days targeting Google and Android products.

Current Crowdfense Payouts

  • $5–7 million for zero-day vulnerabilities in iPhone
  • Up to $5 million for exploits targeting Android devices
  • Up to $3.5 million for zero-day vulnerabilities in Chrome and Safari browsers
  • $3–5 million for exploits in WhatsApp and iMessage
  • For zero-click exploits related to SMS and MMS messages, the company is willing to pay a record $7–9 million

For example, exploits that enable remote code execution and sandbox escape in iOS are valued at $3.5 million. Remote code execution and local privilege escalation in Chrome can fetch $2–3 million, while similar exploits for Safari are valued at $2.5–3.5 million.

The last time Crowdfense updated its pricing was in 2019, when the highest payouts offered were $3 million for zero-day vulnerabilities and exploits in Android and iOS.

Why Are Exploit Prices Rising?

Dustin Childs, head of threat research at Trend Micro ZDI, told TechCrunch that the significant price increase is likely due to Apple, Google, Microsoft, and other major companies making it increasingly difficult to hack their devices and applications.

“Year after year, it’s getting harder to exploit any software and devices we use,” Childs said.

Shane Huntley, head of Google’s Threat Analysis Group, agreed: “As threat analysis teams like Google’s Threat Analysis Group discover more zero-day vulnerabilities and platform defenses continue to improve, the time and effort required by attackers increases, which drives up the cost of vulnerabilities.”

Paolo Stagno, Director of Research at Crowdfense, also commented to TechCrunch:

“The protections implemented by manufacturers are working, making the entire [vulnerability discovery] process much more complex and time-consuming, which obviously affects the price.”

According to Stagno, ten years ago, a single researcher could find several zero-days and develop them into full-fledged exploits targeting iPhone or Android. Now, it takes a team of specialists, who may ultimately find nothing. This, too, contributes to rising prices.

Export Controls and Market Competition

Exploit brokers and legal spyware vendors (such as NSO Group and Hacking Team) have often faced criticism and are now required to comply with export control regulations to limit potential abuse by their clients.

Stagno stated that Crowdfense complies with all U.S. embargoes and sanctions, even though the company is based in the United Arab Emirates. For example, he said the company will not sell its products to Afghanistan, Belarus, Cuba, Iran, Iraq, North Korea, Russia, South Sudan, Sudan, or Syria.

According to TechCrunch, Crowdfense currently offers some of the highest payouts for zero-day exploits. However, last year, Operation Zero, a Russian platform specializing in acquiring zero-day vulnerabilities and exploits, announced it was willing to pay up to $20 million for complete exploit chains targeting iOS and Android, citing “high market demand.”
