Zerodium Wants to Acquire Zero-Day Exploits for VPNs

Zerodium, a company known to buy zero-day hacks, has sent out a call for exploits affecting popular VPNs. It posted a tweet seeking hacks for the Windows versions of ExpressVPN, NordVPN, and Surfshark.

The company added that the exploits should be capable of “information disclosure, IP address leak, or remote code execution” and that “local privilege escalation is out of scope.”

A “zero-day hack” exploits an existing vulnerability that the software developer or provider is not aware of.

According to Zerodium’s website, its customers mainly include government institutions from North America and Europe who require “advanced zero-day exploits and cybersecurity capabilities.”

What is Zerodium?

Zerodium brands itself as the premier exploit acquisition platform in the world, focusing on “premium zero-days and advanced cybersecurity research.”

It was founded in 2015 by cybersecurity experts with an extensive background in zero-day research and exploitation. Its official website states that it is a “global community of independent security researchers working together to provide the most powerful cybersecurity capabilities to institutional clients.”

The company only purchases “high-risk vulnerabilities with fully functional/reliable exploits” and sells them to its customers.

The company states that it pays the highest bounties in the market for zero-day exploits. It claims that this is the only way to support the community that works on zero-day research and to procure the highest standard and most innovative research from across the globe.

What Does Zerodium’s Call Mean for VPN Users?

Zerodium’s tweet focuses on three big names in the world of VPNs — ExpressVPN, NordVPN, and Surfshark. All of these are very popular and trusted services.

VPNs are a key tool for gaining access to services or unlocking restricted content. They work by rerouting a user’s internet activity to the provider’s servers (which could be based in other parts of the world) and encrypting the connection.

This service allows users to bypass restrictions and also prevents internet service providers from viewing a user’s browsing information.

From its tweet, it would seem that Zerodium’s clients are trying to snoop on certain users of the three VPNs. The type of exploit that it has asked for would reduce the security offered by these popular applications.

The company says it chooses its customers after a thorough and extensive vetting process. Additionally, it only gives information to a few government clients.

“At Zerodium, we take ethics very seriously, and we choose our customers very carefully through a very strict due diligence and vetting process,” the site adds.

“Access to acquired zero-day research is highly restricted and is limited to a very small number of government clients.”

It is important to note that VPN providers constantly work on upgrading their cybersecurity. ExpressVPN and NordVPN even offer rewards to those who find vulnerabilities in their services.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.