Kaspersky's analysis from January 2023 to September 2024 reveals that 51% of exploit listings on the dark web target zero-day and one-day vulnerabilities. This study identified 547 advertisements for buying and selling exploits across various dark web forums and Telegram channels. While these exploits are tools for cybercriminals to exploit software vulnerabilities—such as those in Microsoft products—many listings may be scams, making it difficult to verify their functionality.
Zero-day exploits target vulnerabilities the software vendor does not yet know about, so no patch exists; one-day exploits target vulnerabilities that have already been disclosed and patched, but on systems where the patch has not yet been applied. The average asking price for remote code execution (RCE) exploits was found to be approximately $100,000, underscoring how lucrative these vulnerabilities are for cybercriminals.
“Exploits can target any program, but the most desirable and expensive ones often focus on enterprise-level software,” explains Anna Pavlovskaya, senior analyst at Kaspersky Digital Footprint Intelligence. She notes that these tools enable significant illegal gains, such as corporate data theft or espionage. However, many exploit listings could be fake or incomplete, complicating the assessment of the actual market for functional exploits.
The analysis highlights a peak in exploit activity in May 2024, with 50 relevant posts, compared with an average of 26 per month during the rest of the period. Notably, during this peak a Microsoft Outlook zero-day vulnerability was offered for sale on the dark web at nearly $2 million. “While activity fluctuates, the threat is always present,” Pavlovskaya states, emphasizing the need for robust cybersecurity practices, including regular patching and monitoring of digital assets.
The dark web’s exploit market features various types, with RCE and local privilege escalation (LPE) exploits being the most common. RCE exploits, which give an attacker control of a system remotely without prior access, pose a greater danger than LPE exploits, which elevate an attacker's privileges on a system they have already gained a foothold on; LPE exploits typically cost around $60,000.