Executive Summary
- The global zero‑day market remains a high‑value economy serving nation‑states, cybercriminals and surveillance vendors. Seventy‑five zero‑day vulnerabilities were exploited in the wild during 2024, down from 98 in 2023 but still far above pre‑2021 levels.
- Exploit prices have surged, with premium chains fetching between $5–7 million for iOS zero‑click exploits, up to $5 million for Android, and roughly $3–3.5 million for Chrome/Safari—reflecting an estimated 44 % annual increase driven by improved vendor security and competition with legitimate bug‑bounty programs.
- Governments are the dominant buyers; China‑nexus and North Korean actors, along with commercial surveillance vendors, accounted for over half of zero‑day exploitation in 2024. Roughly 75 % of financially‑motivated zero‑day exploitation supported ransomware operations, highlighting the convergence of espionage and crime.
- Initial access brokers (IABs) have expanded the ecosystem by selling compromised credentials and VPN access at an average price of USD 2,700, with 71 % of brokers offering privileged access. This parallel market lowers the barrier to large‑scale compromise.
- Law‑enforcement operations (e.g., Operation Cookie Monster and the XSS.forum takedown) briefly disrupted marketplaces, but the underground economy rapidly reconstituted itself, showing significant resilience.
Background & Context
The zero‑day exploit trade has matured into a structured global market. Vulnerabilities are discovered through independent researchers seeking financial reward, nation‑state cyber units, commercial vulnerability‑research firms, and defensive research by academia and industry. Brokers such as Zerodium and Crowdfense run acquisition programs where researchers can anonymously submit exploits via secure portals and receive million‑dollar payouts. On the other end of the spectrum, dark‑web forums and initial‑access brokers sell finished exploits or network access at commodity prices.
Market prices have risen dramatically. Early brokers offered up to $2.5 million for an iOS chain, but current programs advertise $5–7 million. The cost reflects the increasing complexity of modern operating systems and security mitigations as well as the competition from legitimate bug‑bounty programs. Governments, particularly the United States, China, Russia, Iran and North Korea, remain the primary buyers, acquiring exploits for both espionage and offensive operations. Commercial surveillance vendors, such as spyware firms, also fuel demand and often operate in legal gray zones.
Nation-states and criminal groups are paying millions for reliable zero-day exploits. Understanding the economics of the exploit market helps organizations prioritize patch velocity and detection investment where it actually matters.
Noorstream delivers threat intelligence, vulnerability management, and offensive security assessments for high-risk environments.
Key Drivers & Trends
- Price Inflation & Professionalization: Exploit prices are increasing roughly 44 % per annum, driven by improved security hardening and competition with legitimate bug‑bounty programs. Brokers now offer multimillion‑dollar payouts for mobile, browser and messaging exploits.
- AI‑Driven Discovery: Artificial intelligence has begun accelerating vulnerability discovery and exploit development. Google’s AI model “Big Sleep” reportedly uncovered a critical SQLite zero‑day, suggesting that automated analysis may soon flood the market with new vulnerabilities.
- Enterprise Targeting: Attackers increasingly focus on enterprise infrastructure. The proportion of zero‑day exploitation aimed at security and networking products rose from 37 % in 2023 to 44 % in 2024, reflecting the efficiency of compromising core systems.
- Ransomware Convergence: Financially motivated actors use zero‑days to deploy ransomware, accounting for 75 % of such exploitation. Groups like RomCom chain browser and OS zero‑days to deliver backdoors without user interaction.
- Geopolitical Patterns: Chinese and North Korean operations exploited multiple zero‑days in 2024 while Iranian groups expanded campaigns across espionage and disruption. Regional infrastructure—such as Russian IP ranges—facilitates cross‑border operations.
- Law‑Enforcement Disruption & Resilience: Operations targeting markets like Genesis Market or forums such as XSS.is cause temporary disruption but vendors quickly migrate to new domains. Takedowns appear more effective at deterring casual buyers than dismantling infrastructure.
Operational Relevance
For defenders, the zero‑day economy underscores the need for robust vulnerability management and threat intelligence. Enterprises should:
- Prioritize Patch Management: Rapidly deploy vendor updates for widely exploited software such as VMware ESXi, Windows CLFS and Chrome. Consider virtual patching or network segmentation when patches are unavailable.
- Monitor Exploit Indicators: Track exploited CVEs (e.g., CVE‑2024‑37085, CVE‑2025‑29824, CVE‑2024‑9680) and integrate threat intelligence feeds into detection systems to spot weaponization early.
- Harden Enterprise Infrastructure: Enforce least‑privilege access, segment networks, and monitor administrative group membership to defend against attacks that pivot through hypervisors or VPNs.
- Counter Initial‑Access Brokers: Deploy multifactor authentication and continuous credential monitoring to mitigate credential theft. Regularly audit VPN and remote‑management services for unauthorized logins.
- Balance Offensive & Defensive Policy: Organisations that develop exploit capabilities must weigh offensive value against defensive risk; the vulnerability‑equities process should ensure timely disclosure to vendors.
Case Study / Example
Ransomware Exploitation of VMware ESXi (CVE‑2024‑37085)
In June 2024 an authentication‑bypass vulnerability (CVE‑2024‑37085) in VMware ESXi allowed remote attackers to create an ESX Admins group in Active Directory. Multiple ransomware groups—including Storm‑0506, Storm‑1175, Octo Tempest and Manatee Tempest—chained this zero‑day with lateral‑movement techniques to deploy Akira and Black Basta ransomware. The vulnerability was exploited before VMware released a patch on 25 June 2024, highlighting the shrinking window between discovery and weaponization.
Attackers used the zero‑day to gain hypervisor‑level access, encrypting multiple guest systems simultaneously. In some cases they extorted victims by threatening to release stolen data. This case illustrates how enterprise infrastructure vulnerabilities can yield outsized operational impact and why defenders must treat hypervisors as high‑value assets.
Mitigation & Strategic Actions
- Comprehensive Asset Management: Maintain up‑to‑date inventories of software and hardware. Apply patches promptly and prioritize systems exposed to the internet or providing critical functions.
- Threat Hunting & Detection Engineering: Develop detection logic for exploitation techniques rather than specific payloads. Monitor logs for unusual authentication events, process creation anomalies and modifications to privileged groups.
- Segmentation & Privilege Controls: Implement network segmentation and strict access controls to contain breaches. Review remote‑administration tools and restrict their use to hardened management networks.
- Credential Protection: Enforce multifactor authentication, rotate privileged credentials regularly and monitor for leaked credentials on dark‑web forums. Educate staff on phishing and credential‑theft tactics.
- Policy & Contractual Measures: Engage with government processes such as the vulnerability‑equities process to advocate for responsible disclosure. When procuring software, include contract clauses mandating timely security updates and vulnerability handling.
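As an added illustration of the "detect the technique, not the payload" guidance above, applied to the ESX Admins group creation described in the CVE‑2024‑37085 case study: the following example (written for this page, not Noorstream's own tooling) flags directory group events that create, or add members to, a group whose name resembles the ESXi hypervisor‑admin group. It assumes a constructed pipe‑delimited audit format rather than a real event‑log parser; the Windows Security event IDs are real.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Windows Security audit event IDs for directory group changes (real IDs):
# 4727/4731/4754 = security-enabled global/local/universal group created
# 4728/4732/4756 = member added to security-enabled global/local/universal group
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}

# "ESX Admins" is the group name named in the case study. The pattern is
# deliberately loose (case-insensitive, optional separators) so that
# look-alike names are surfaced for analyst review rather than missed.
WATCHED_GROUP = re.compile(r"^esx[\s_-]*admins$", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    event_id: int
    actor: str
    group: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed audit line: timestamp | event id | actor | group | member."""
    ts, eid, actor, group, member = [f.strip() for f in line.split("|")]
    return {"timestamp": ts, "event_id": int(eid), "actor": actor,
            "group": group, "member": member}


def detect_esx_admins_abuse(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every creation of, or addition to, a watched group."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_event(line)
        if not WATCHED_GROUP.match(ev["group"]):
            continue
        if ev["event_id"] in GROUP_CREATED:
            detail = "hypervisor-admin group created"
        elif ev["event_id"] in MEMBER_ADDED:
            detail = f"member {ev['member']} added to hypervisor-admin group"
        else:
            continue
        findings.append(Finding(ev["timestamp"], ev["event_id"], ev["actor"], ev["group"], detail))
    return findings


# Constructed sample audit lines (not real logs): timestamp | event id | actor | group | member
SAMPLE_LOG = """
2024-06-20T02:14:07Z | 4727 | CORP\\svc-backup | ESX Admins | -
2024-06-20T02:14:31Z | 4728 | CORP\\svc-backup | ESX Admins | CORP\\svc-backup
2024-06-20T09:00:00Z | 4728 | CORP\\hr-admin | HR Staff | CORP\\jdoe
2024-06-20T11:42:55Z | 4731 | CORP\\contractor1 | esx_admins | -
"""

if __name__ == "__main__":
    for f in detect_esx_admins_abuse(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} [{f.event_id}] {f.actor}: {f.detail} ({f.group})")
```

The same group‑name match can be applied to group rename events so that an existing group renamed to "ESX Admins" is not missed.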
Noorstream Perspective
The zero‑day exploit economy underscores the inseparability of cyber operations from geopolitical and criminal agendas. States, criminals and commercial actors share the same supply chain of vulnerabilities, blurring lines between espionage and crime. Defenders must therefore treat zero‑day intelligence not as exotic edge cases but as a core component of risk management. In our doctrine, priority goes to operational hardening—rapid patching, segmentation and credential protection—paired with strategic advocacy to rebalance incentives toward defense. A resilient enterprise assumes that vulnerabilities exist and focuses on detecting, containing and responding rather than seeking perfect prevention.