Zero days—exploits that take advantage of vulnerabilities the vendor, such as Apple, doesn’t know about—are a hot commodity. With a zero day, a hacker, perhaps working for a government, can have a better chance of being able to break into a target’s computer or phone. If Apple or Google aren’t even aware of a security issue with their products, hackers don’t have to worry about a target’s device being patched to defend against it.
A booming industry of contractors, boutique exploit shops, and individual brokers is looking to buy such attacks, sometimes so they can then sell them to government clients. We recently got a rare look at how a company tried to source these exploits through private one-on-one deals.
I know, because the company tried to buy zero days from me.
Seemingly not understanding I was a journalist despite my online presence showing clearly I work for a media outlet, one person linked to a company based in Saudi Arabia reached out, and explained they were hoping to buy zero day exploits.
“Thanks and looking to deal with you,” the person, who said they worked for a cybersecurity company called Haboob, wrote in a message from a Saudi number.
While at Offensive Con, a relatively new security conference that took place in Berlin in February, I did what I usually do, and tweeted that I’m attending the event. I added that if anyone wants to talk about buying or selling zero days they can text me on the encrypted messaging app Signal.
This was not an unusual request. At Motherboard we regularly cover the zero day industry, and rely on our sources for that. We write about how companies inside the space operate, who their customers are, and how advancements in the security of devices are increasing the price and rarity of exploits for consumer devices such as iPhones.
It’s also clear from my Twitter account that I work for Motherboard, a media outlet. All I tweet is either bad jokes or information security news.
But apparently someone at Haboob didn’t pick up on that.
“How are you Joseph. I saw your tweet and we are very interested to buy 0days as well as hiring and building communications with others in this field,” the Haboob representative, who identified themselves as ‘A’, wrote in a message.
A described the company as a “leader” in cyber security that provides “cyber security services for all sectors.”
When asked what sort of purpose Haboob’s services are for, A replied “It’s for defensive and offensive.”
“We are also hiring the best researchers on the market as well,” A added.
Two sources familiar with the cybersecurity industry in the region said Haboob is connected to DarkMatter, a cybersecurity firm based in the United Arab Emirates. Motherboard granted a number of sources in this story anonymity to speak more candidly about a secretive industry.
Publicly, DarkMatter touts its defensive products. But in private, DarkMatter is part of offensive hacking operations and surveillance, previous investigations from The Intercept, Foreign Policy, and Reuters have found.
In a statement, DarkMatter denied being linked to Haboob.
“Similarly claims carried in the three reports cited have been refuted by DarkMatter CEO Karim Sabbagh, ‘We have never, nor will we ever, operate or manage non-defensive cyber activities against any nationality’,” the statement added.
On Haboob’s website, the company lists two Saudi universities as well as the country’s Ministry of Education as clients.
“We're trusted by several local companies and government sectors to secure their networks and protect their data,” Haboob’s website reads.
But in the conversation about zero days, A refused to confirm whether Haboob works with governments.
Haboob did not respond to a request for comment. Neither did DarkMatter.
When, trying to buy more time, I said I hadn’t spoken to anyone from the region for a while, A replied “Well, here we are :).”
Lorenzo Franceschi-Bicchierai provided additional reporting.
Update: This piece has been updated to include comment from DarkMatter.