Zerodium zeroes in on popular VPN provider exploits


Zerodium has a rather infamous reputation. Working out of Washington DC and with bases in Europe, it has made a business out of developing and acquiring premium zero-day exploits.

Now it has its eyes on some of the world’s most popular and secure VPN providers, if a tweet it put out yesterday is anything to go by.

Zerodium targets three popular VPNs

In the tweet, Zerodium writes, “We’re looking for #0day exploits affecting VPN software for Windows: ExpressVPN, NordVPN, Surfshark. Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.”

In layman’s terms, what they are asking is that anyone who knows a way of exploiting the Windows software of any of these three VPN providers that is not yet in the public domain gets in touch with a view to selling it to them.

No set price is revealed in the tweet, but the amounts involved are likely to be sizable.

Between 2015 and 2021, Zerodium paid out an estimated US$50 million in bounties. Its publicly available price list suggests that zero-day vulnerabilities of this type could be worth anything between US$100,000 and US$2.5 million.

If you are wondering how Zerodium makes money, the answer is that it sells these zero-day vulnerabilities to its clients and, quite likely, helps them to exploit them too.

The clear suggestion from this tweet is that at least some of Zerodium’s clients have an interest in spying on users of these three VPNs.

Zerodium’s client base

So, just who does Zerodium work for? According to their website, Zerodium works with government bodies in the US and Europe that are “in need of advanced zero-day exploits and cybersecurity capabilities.”

The fact that the company is based primarily in Washington DC means that suspicion has to turn towards at least one arm of the US Government.

Needless to say, Zerodium is not confirming who its clients are or which clients this request has been made on behalf of.

But the details of what it is asking for suggest that their client is serious about hacking users of these VPNs. Such vulnerabilities would potentially enable them to unravel a VPN’s encryption and even hijack the devices of VPN users.

What are the risks for VPN users?

The key word here is ‘potentially’ because there is, of course, no guarantee that such zero day vulnerabilities exist. This tweet is little more than a fishing exercise at this stage.

None of ExpressVPN, NordVPN or Surfshark had commented publicly on the situation at the time of writing. But NordVPN and ExpressVPN have both commissioned independent audits of their software to check for vulnerabilities.

Both also run their own longstanding bug bounty programmes, which pay ethical hackers to report vulnerabilities to them directly, giving them time to fix the flaws before the details are made public.

These bug bounty programmes do not pay anything like what Zerodium is able to, but they have been around for a lot longer and offer ethical hackers a more regular income.

The providers would hope that these programmes help them close any major vulnerabilities that exist in their software.

It is also worth remembering that Zerodium publicly seeking vulnerabilities does not make them any more likely to exist. If hackers have already found such flaws, they may already be exploiting them, but either way the vulnerability was there before the tweet went out.

Patching such vulnerabilities promptly is a key security function for a VPN, and all three of the VPNs named in this tweet have a good record in this area.

If you are worried, our advice is to contact your provider and ask what it is doing to step up security in light of this interest in its service from Zerodium.

But our view is that there is no more cause for alarm now than there was before this tweet went out.

ExpressVPN, NordVPN and Surfshark are still secure and dependable VPNs, and precisely because they are popular they remain a target for hackers. Usually, these hackers lurk in the darkness, but Zerodium has decided to step into the light.

The threat level remains the same and there is no reason to trust your VPN provider any less as a result of this one speculative tweet.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.
