Computer security exploits are one of the more lucrative markets you've probably never heard of. Find a vulnerability in commonly used software, and sell it to the highest bidder. Ideally, the vulnerability is one the software designer doesn't know about yet -- called zero-day exploits -- but even vulnerabilities that have been identified and patched can still be exploited -- like a lot of us ordinary computer users, many governments agencies and companies don't keep their software up-to-date or run old versions that are still vulnerable.
Selling vulnerabilities, and the software tools that exploit them to give you greater access or control over a system than you're supposed to have, is big business -- and not confined by any means to criminals. How big seems to vary: when Italian security firm Hacking Team got hacked in 2014 and gigabytes of its internal documents were released online, we learnt zero-day exploits in major operating systems like iOS or the major browsers like Chrome could sell for a hundred thousand dollars -- in one case, up to a quarter of a million US dollars each. In 2011, the company Endgame was revealed to be offering 25 zero-day exploits for $2.5 million – the sort of numbers that explain why that company successfully raised millions in investment from major US institutions. But many exploits go for smaller sums: an alleged Microsoft Windows zero-day was on offer from Russian hackers recently for $90,000.