Cybersecurity firm offers ‘premium’ cash rewards to hackers who can break Tor

Will this make the company a target?

A big payday is coming to the hacker who can break the Tor anonymity network and reveal the identity of users around the world.

Less than 24 hours after the Tor Project accused the Federal Bureau of Investigation of paying Carnegie Mellon University $1 million to attack Tor and out its users, a prominent security startup called Zerodium is now offering to pay hackers who find new ways to crack Tor’s security.

Zerodium pays high cash rewards to hackers and security researchers who find zero-day exploits. Zero-days are critical software vulnerabilities that no one else has yet discovered. The company made headlines earlier this month when it awarded $1 million to hackers who compromised the newest iPhone.

Zerodium’s price for new Tor zero-day exploits may reach as high as $30,000, according to Forbes. The company emphasizes the “premium rewards” and “focus on high-risk vulnerabilities,” phrases that overtly promise hackers they’ll be paid top dollar for their work.

Zero-days that break Tor “are the holy grail of exploits for government agencies in charge of criminal investigations,” Zerodium founder Chaouki Bekrar told Forbes on Thursday.

The startup makes money by paying hackers for exploits and then selling them to corporations in the defense, technology, and finance industries. The company also sells zero-day exploits to governments.

Roger Dingledine, Tor’s project leader, said on Wednesday that these kinds of initiatives are “‘experiments’ for pay that indiscriminately endanger strangers without their knowledge or consent.”

Zerodium also advertises that it will pay for high-risk zero-day exploits for all major operating systems, Web browsers, servers, mobile phones, Web applications, email, and more.

Much of the zero-day industry in which Zerodium works has been heavily criticized by security researchers who say selling zero-day exploits to governments and corporations is unethical and dangerous.

Hacking Team, another company that sells zero-day exploits, was hacked in July after years of criticism for its sale of exploits to governments and private companies.

Just minutes after Zerodium announced that it was targeting Tor, many publicly wondered if the company would itself be targeted by hackers in retaliation for offering a cash reward to break anonymity.

Neither Tor nor Zerodium responded to a request for comment in time for publication.


Patrick Howell O'Neill
