Hackers have for years bought and sold their secrets in a de facto gray market for zero-day exploits—intrusion techniques for which no software patch exists. Now a new marketplace hopes to formalize that digital arms trade in a setting where it could flourish: under the cover of the Dark Web’s anonymity protections.
Over the last month, a darknet marketplace calling itself TheRealDeal Market has emerged; it focuses on brokering hackers’ zero-day attack methods. Like the Silk Road and its online black market successors, TheRealDeal uses the anonymity software Tor and the digital currency bitcoin to hide the identities of its buyers, sellers, and administrators. But while some other sites have sold only basic, low-level hacking tools and stolen financial details, TheRealDeal’s creators say they’re looking to broker premium hacker data like highly sought-after zero-days, source code, and hacking services. In some cases, these are offered on an exclusive, one-time sale basis.
“Welcome…We originally opened this market in order to be a ‘code market’—where rare information and code can be obtained,” reads a message from the site’s anonymous administrators. “Completely avoid the scam/scum and enjoy real code, real information and real products.”
So far, the market doesn’t offer many exploits for sale, but the few it does list appear significant: One, with a price tag of $17,000 in bitcoin, claims to be a new method of hacking Apple iCloud accounts. “Any account can be accessed with a malicious request from a proxy account,” reads the description. “Please arrange a demonstration using my service listing to hack an account of your choice.”
Others include a technique to hack WordPress’ multisite configuration, an exploit against Android’s Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin. “Found 2 months ago by fuzzing,” the seller writes, referring to an automated method of testing a program against random samples of junk data to see when it crashes. “0day but might be exposed, can’t really tell without risking a lot of money,” he or she adds. “Willing to show a demo via the usual ways, message me but don’t waste my time!”
Apple, WordPress, Google, and Microsoft hadn’t responded to WIRED’s requests for comment at the time of publication.
To be clear, none of the exploits listed on the site have been confirmed to actually work (and WIRED hasn’t found a legal way to test them). Any of the listings could instead be attempts to scam gullible buyers. The $17,000 iCloud vulnerability in particular, which claims to offer access to virtually all of a user’s sensitive mobile data including emails and photos, seems like an unusually good bargain. For comparison, zero-day salesmen told me in 2012 that a working iOS exploit could sell for as much as $250,000. The next year The New York Times reported that one had sold to a government for a half million dollars.
But TheRealDeal does offer countermeasures against potential fraud. Like the Silk Road and its ilk, it asks that all bitcoin transactions through the site be kept in escrow, so the payment can be returned to the buyer if the seller doesn’t deliver. And unlike most Dark Web markets, it allows only so-called multisignature transactions. That means the bitcoins are held at an address jointly controlled by the buyer, the seller, and the market’s admins. For the money to be moved to the seller’s account, two out of three of those parties must sign off on the deal, giving the administrators the tie-breaking vote to resolve disputes. (Despite that system, it’s still not clear exactly how those disputes would be resolved. In many cases, TheRealDeal admins would likely have to test exploits themselves to know if a buyer had been scammed.)
TheRealDeal goes further than many past markets in attempting to assuage its users’ fears that the market itself might attempt to steal their bitcoins. Though it collects a fee on every transaction (3 percent or .1 bitcoin, depending on the size of the sale) it never asks the user to store their bitcoins in a wallet controlled by the market itself. Therefore, it can’t pull the sort of “exit scam” other markets like Sheep Marketplace and more recently Evolution have, abruptly shutting down and absconding with millions of dollars worth of users’ coins. “We don’t have a wallet, we don’t want your coins and want to assure you that we will not run away with your coins one day,” the site’s FAQ reads.
Just who’s running TheRealDeal is, as with most Dark Web markets, a mystery. An administrator didn’t immediately respond to WIRED’s requests for an interview, and the site’s creators describe themselves only as experts in information security with a background in zero-day sales. “We consist of 4 partners who have a lot of experience in infosec,” they wrote in an anonymous Q&A with the Dark Web blog DeepDotWeb.
“We have a lot of experience dealing in the [unencrypted, traditional internet] when it comes to 0day exploit code, databases and so on... But the problem is that 90% of these dealers are scammers. People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.”
TheRealDeal’s creators aren’t the first to try bringing this gray market economy online. A website called WabiSabiLabi launched in 2007 with the aim of becoming an eBay for exploits. But the business soon surrendered that notion, due in part to sellers’ inability to prove the validity of their exploits without fully revealing them. Despite all its multisignature protections and escrow system, TheRealDeal could face a similar problem.
Unlike other players in the zero-day industry, however, TheRealDeal doesn’t face the added hurdle of trying to keep its sales legal or ethical. Companies like the French hacking firm Vupen, by contrast, argue that they sell zero-day vulnerabilities only to NATO governments or allies. Zero-day sales have become a lucrative underground trade in recent years, with government intelligence and law enforcement agencies often the highest bidders. Those buyers might be turned off by TheRealDeal’s approach of using Tor and bitcoin to obscure sellers’ identities. But that anonymity instead enables a “no-questions-asked” system that could draw a customer base of cybercriminals or authoritarian regime hackers.
If there were any remaining question about TheRealDeal’s legality, the site also sells a variety of money laundering services, stolen accounts, and drugs. Its zero-day sales are only the featured items in an anything-goes smorgasbord that includes everything from stolen identities to LSD and amphetamines.
In fact, TheRealDeal represents the Dark-Web economy’s continued progression towards a true, lawless free market. The Silk Road, though it tolerated some simple and easily obtained hacking tools, generally enforced a policy of only “victimless” crime.
TheRealDeal has no such restrictions. Its rules ban only child pornography and, strangely, services that offer “doxing,” the posting of specific users’ private information. But victims, if its anonymous form of zero-day sales catches on, will be just another part of the business model.