Between January 2023 and September 2024, Kaspersky Digital Footprint Intelligence experts identified 547 listings to buy and sell exploits targeting software vulnerabilities. These advertisements are posted on various dark web forums and shadow Telegram channels, with half involving zero-day and one-day vulnerabilities. However, it is difficult to confirm whether these exploits are functional, as the dark market is rife with scams. Additionally, Kaspersky found that, on average, exploits for remote code execution vulnerabilities cost US$100 000.
Exploits are tools used by cybercriminals to take advantage of vulnerabilities in various software programs, like those from Microsoft, to commit illegal activities such as gaining unauthorised access or stealing data. More than half of the dark web posts (51%) offered or sought to purchase exploits for zero-day or one-day vulnerabilities. Zero-day exploits target undiscovered vulnerabilities that software vendors have not yet identified and patched, while one-day exploits target vulnerabilities that have already been patched, on systems that do not have the patch installed.
“Exploits can target any program but the most desirable and expensive ones often focus on enterprise-level software. These tools enable cybercriminals to carry out attacks, which equate to substantial gains for them, such as stealing corporate information or spying on an organisation undetected. However, some exploit offers on the dark web may be fake or incomplete, meaning they don’t function as advertised. Additionally, a significant portion of transactions are likely to occur in private. These two factors complicate the assessment of the actual market volume for functional exploits,” explains Anna Pavlovskaya, senior analyst at Kaspersky Digital Footprint Intelligence.
The dark web market offers a wide array of exploit types. Two of the most widespread are those for remote code execution (RCE) and local privilege escalation (LPE) vulnerabilities. According to an analysis of over 20 listings, the average price for RCE exploits is around US$100 000, while LPE exploits typically cost about US$60 000. RCE vulnerabilities are considered more dangerous as they allow attackers to take control of a system, its components or confidential data.
Dark web listings for buying and selling exploits in 2023-2024. Some offers can be repetitive. Source: Kaspersky Digital Footprint Intelligence
This year, the peak level in exploit sales and purchases occurred in May with 50 relevant posts compared to an average of about 26 per month in the period around the surge. “Peaks in the exploit market’s activity are unpredictable and hard to link to specific events. Interestingly, in May, the dark web witnessed the sale of one of the most expensive exploits during the analysed period – allegedly for a Microsoft Outlook zero-day vulnerability priced at nearly US$2 million,” elaborates Pavlovskaya. “Overall, the exploit market remains stable. While activity fluctuates, the threat is always present. This highlights the need for cybersecurity hygiene practices such as the regular patching and monitoring of digital assets on the dark