Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Dark Web Market Is Selling Zero-Day Exploits

Posted by samzenpus on from the finest-crime dept.

Sparrowvsrevolution writes Over the last month, a marketplace calling itself TheRealDeal Market has emerged on the dark web, with a focus on sales of hackers' zero-day attack methods. Like the Silk Road and its online black market successors like Agora and the recently defunct Evolution, TheRealDeal runs as a Tor hidden service and uses bitcoin to hide the identities of its buyers, sellers, and administrators. But while some other sites have sold only basic, low-level hacking tools and stolen financial details, TheRealDeal's creators say they're looking to broker premium hacker data like zero-days, source code, and hacking services, often offered on an exclusive, one-time sale basis.

Currently an iCloud exploit is being offered for sale on the site with a price tag of $17,000 in bitcoin, claiming to be a new method of hacking Apple iCloud accounts. "Any account can be accessed with a malicious request from a proxy account," reads the description. "Please arrange a demonstration using my service listing to hack an account of your choice." Others include a technique to hack WordPress' multisite configuration, an exploit against Android's Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin. None of these zero days have yet been proven to be real, but an escrow system on the site using bitcoin's multisignature transaction feature is designed to prevent scammers from selling fake exploits.

6 of 30 comments (clear)

  1. first by bigger · · Score: 2

    This sounds like a honeypot to me..

    1. Re:first by monkeyzoo · · Score: 3, Insightful

      Perhaps the vendors themselves should buy the exploits. Perhaps, it's not that different than a bounty program except for the fact that market pricing would determine the value of a vulnerability (and the lack of nobility in the mercernary nature of the process).

    2. Re:first by jeffmeden · · Score: 2

      This sounds like a honeypot to me..

      Especially when selling 0-days isn't actually illegal in most circumstances, only rather shady. Researchers do deals all the time. Total anonymity on one or both sides doesn't really help anyone. Hell, it's so commonplace they have discussed it on NPR: http://www.npr.org/blogs/money...

      If anything this is just a new way to scam people out of money or to ferret out security researchers for further recruitment/waterboarding by the CIA.

  2. First thoughts... by Anonymous Coward · · Score: 2, Interesting

    At first I realized even on the darknet, and for exploits, Apple commands a price premium. Hopefully the exploit is well polished and deserves this premium. Second, the site uses a multiple signature escrow system to assure an exploit is real. The presumption being the site is real and is not itself a means to pirate Bitcoin by them being put in escrow.

  3. Re:Who cares by jythie · · Score: 4, Insightful

    The danger the NSA presents is largely symbolic and philosophical.

    The danger presented by script kitties and hackers is much more likely to actually effect your life and property.

  4. Re:Who cares by slashmydots · · Score: 2

    Or it might even AFFECT it as well.