How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team

If you’re a Moscow-based zero-day exploit seller, all you have to do is e-mail a spyware company like Hacking Team out of the blue. You can go from initial, unsolicited message to getting paid tens of thousands of dollars in just a matter of weeks.

After Hacking Team, the Italian spyware vendor, was itself hacked and 400GB of its internal data released onto BitTorrent, Ars reviewed internal e-mails from the company. The chain of e-mails that follow offer a rare look into exactly how new security vulnerabilities get sold to companies and governments around the globe.

The Moscow vendor’s first e-mail, dated October 13, 2013, was short and to the point:

Hi, is your company interested in buying zero-day vulnerabilities with RCE exploits for the latest versions of Flash Player, Silverlight, Java, Safari?

All exploits allow to embed and remote execute custom payloads and demonstrate modern techniques for bypassing ASLR [address space layout randomization] and DEP [data execution prevention]-like protections on Windows, OS X, and iOS without using of unreliable ROP and heap sprays.

The e-mail contained no identifying information about its sender except for the e-mail address: [email protected].

The Hacking Team response, direct from CEO David Vincenzetti, came within 24 hours:

Absolutely.
Would you please elaborate your offer?

Regards,
David

A rap sheet

Tovis responded that he had “six ready-to-delivery exploits,” for Windows, OS X, and iOS, each priced at $30,000 to $45,000. Internally, Hacking Team decided it was only interested in one of them, an Adobe Flash exploit.

On October 23, Tovis revealed himself:

All prices in the list are non-exclusive. Exclusive sales are possible but the price will grow in 3 times [sic]. Volume discounts are possible if you take several bugs. All 0days were discovered by me, all exploits are written by me and I sell them as individual person (not a company). About me: Vitaliy Toropov, 33 yo, from Moscow, Russia.

Hacking Team staff discussed how to proceed and were excited when Guido Landi, a senior software developer, discovered that Toropov had a reputation—his own entry on OSCDB, the open sourced, Web-based vulnerability database.

On October 25, 2013, the two parties came to an agreement.

Toropov wrote to Hacking Team’s Gianni Russo:

Hi, Gianni.

Here is the brief recap:

1) The price is US$45,000.00 for the non-exclusive sale of any special discount for the “first” deal together will be greatly appreciated :)

2) information about vulnerability in Adobe Flash Player 9.x/10.x/11.x with the RCE exploit for the current Flash Player 11.9.x for Windows 32/64-bit and OS X 64-bit. The exploit code executes custom payloads with the privileges of the target process (it doesn’t give any privilege escalation or a sandbox escape).

3) I send you sources (today or on next Monday, on your choice). I guess our guys can test it starting from Tuesday 29th.

4) The first payment is $20,000.00 which should be done by you in October 2013 via bank wire transfer.

5) The second payment is $15,000.00 in November 2013.

6) The final payment is $10,000.00 in December 2013.

7) The payment process can be stopped by you in case if this 0day is patched by vendor. agreed

8) You promise to not report this 0day to vendor or disclosure it before the patch. obviously it is not our interest!

The two men then exchanged PGP keys, which they used to exchange a number of encrypted messages, presumably one including how Toropov would like to be paid.

Marco Valleri, the company’s chief technology officer, then wrote in Italian to his colleagues, “We will have to assess whether it makes sense to make it commercially available to selected customers.”

Landi wrote back that same day, proclaiming the exploit “great” and saying that it was “perfectly engineered, easy to customize, fast and stable.”

The CEO, Vincenzetti, responded within less than an hour, saying, “Proceed without delay!”

Invoices and everything

The following day, October 30, Russo wrote to Toropov directly. “The test we are perfoming [sic] are really positive till now,” he said. “We will provide you with a final feedback by tomorrow.”

The day after that, Toropov got his first payment: $20,000.

Russo wrote, “I confirm I just disposed the wire trasfer [sic] of 20k USD to your account. Please consider that tomorrow is bank holiday in Italy so probably you will see the money early next week.”

Immediately, Toropov tried to give him a repeat customer discount:

Ok. Thanks.

Now your discount on the next buy is -5k and -10k is for a third bug.

I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well.

Hacking Team continued to work with Toropov until at least April 20, 2015, when they paid $35,000 to his bank in Moscow.

“I’m not even curious how this happened”

Ars contacted Toropov, who, rather amazingly, wrote back. He didn’t really answer our questions, but he did respond to questions asked by “other journalists” in a terse fashion.

“I think [Hacking Team] will be fine until some other security company will take their place,” he wrote.

He continued:

Here are my answers to other journalists.

– What do you make of the Hacking Team hack? Were you expecting it?

I didn’t expect it of course, but I’m not surprised. Such leaks happen all the time. I’m not even curious how this happened.

– What do you say about the experts who think that Hacking Team’s tools aren’t that good? (See here.)

Maybe, HT was demonized to much before this leak, and some part of audience is disappointed now.

– What was your role with Hacking Team? I gather you sold 0days, but what more specifically? What was it like working for HT? Did they pay well?

I didn’t work for HT as employee. I’ve read somewhere about their company and offered them my findings. Just the routine sales like with ZDI, VCP, pentesters and other legal 0day buyers.

– Who else sold their exploits to HT? How many of you? I hear there’s a couple more of you guys.

HT didn’t tell me about other researchers. I guess you can find them all in the HT’s mail now.

– What did you think about HT’s clients? Did you know about them?

I thought HT sells to the US and EU gov structures mostly, LEAs and etc.

Sorry for boring answers. Such questions.

It’s clear after reviewing other e-mails in the Hacking team archive that the firm wasn’t just buying from Toropov but from numerous others as well, including a “Dustin Trammell” of vulnbroker.com. Eric Rabe, Hacking Team’s spokesman, did not immediately respond to Ars’ questions about the company’s history and expenditures on zero-days.