The market for zero-day vulnerabilities — previously unknown software flaws that can be exploited by attackers — has doubled in size since 2024, with governments now paying up to $5 million for the most valuable mobile exploits.
The price increase reflects both the growing difficulty of finding vulnerabilities in modern software and the increasing value that intelligence agencies place on offensive cyber capabilities.
Apple iOS and Google Android exploits command the highest prices, as mobile devices are the primary communication tools for high-value intelligence targets. A full iPhone exploit chain (enabling remote access without user interaction) now sells for $3-5 million.
The ethical debate intensifies. Privacy advocates argue that governments buying and stockpiling zero-days makes everyone less safe, as the vulnerabilities could be leaked or discovered independently by malicious actors.