
Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a
cyberespionage campaign targeting Microsoft Windows PCs at government and telecom
entities in China and Pakistan. The campaign began in June 2020 and continued through to
April 2021. What piqued the researchers’ interest was the hacking software used by the
digital spies, whom Kaspersky had dubbed Bitter APT, a pseudonym for an unspecified
government agency. Aspects of the code looked like some the Moscow antivirus provider had
previously seen and attributed to a company it gave the cryptonym “Moses.”

Moses, said Kaspersky, was a mysterious provider of hacking tech known as a “zero-day
exploit broker.” Such companies operate in a niche market within the $130 billion overall
cybersecurity industry, creating software—an “exploit”—that can hack into computers via
unpatched vulnerabilities known as “zero days” (the term coming from the fact that
developers have “zero days” to fix the problem before it’s publicly known). They act like
super-powered lockpicks, finding loopholes in operating systems or apps to allow a hacker or
spy to break into targets’ digital lives. So rare are such exploits, they can fetch upwards of $2
million each. Buyers wielding them have the power to either protect themselves from those
who might have knowledge of the relevant zero day, or to inflict massive damage on others.
For instance, attackers used at least one zero day in an infamous 2020 attack on $2.5 billion
market cap software provider SolarWinds and many of its customers—from U.S. government
departments to tech giants like Cisco and Microsoft. The attacks cost SolarWinds at least $18
million, with warnings that the overall figure, counting the cost for SolarWinds customers
who were also compromised, could get into the tens of billions.

Sometimes American companies aren’t the victims, but the ones fueling costly digital
espionage. Moses’ real identity, Forbes has learned, is an Austin, Texas, company called
Exodus Intelligence, according to two sources with knowledge of the Kaspersky research.
And Bitter APT, the Moses customer, is India, added one source.

Little known outside of the cybersecurity and intelligence worlds, over the last ten years,
Exodus has made a name for itself with a Time magazine cover story and the leak of a tool
that law enforcement used to hack the anonymizing browser Tor to ensnare child predators. It
also claims partnerships with the Defense Department’s research agency Darpa and major
tech firms like Cisco and Fortinet, a $2.6 billion (2020 sales) cybersecurity outfit. “They’re
significant because the size of the market is relatively small, and the skill set required [to find
zero days] is in possession of just a few thousand people worldwide at any given time,” says
Katie Moussouris, founder of Luta Security and creator of Microsoft’s bug bounty program to
reward hackers for vulnerability disclosures.

Exodus, when asked by Five Eyes countries (an alliance of intelligence-sharing countries that
includes the U.S., U.K., Canada, Australia, and New Zealand) or their allies, will provide
both information on a zero-day vulnerability and the software required to exploit it. But its
main product is akin to a Facebook news feed of software vulnerabilities, sans exploits, for
up to $250,000 a year. It’s marketed primarily as a tool for defenders, but customers can do
what they want with the information on those Exodus zero days—ones that typically cover
the most popular operating systems, from Windows to Google’s Android and Apple’s iOS.

That feed is what India bought and likely weaponized, says 37-year-old Exodus CEO and
cofounder Logan Brown. He tells Forbes that, after an investigation, he believes India
handpicked one of the Windows vulnerabilities from the feed—allowing deep access to
Microsoft’s operating system—and Indian government personnel or a contractor adapted it
for malicious means. India was subsequently cut off from buying new zero-day research from
his company in April, says Brown, and Exodus has worked with Microsoft to patch the
vulnerabilities. The Indian use of his company’s research was beyond the pale, though
Exodus doesn’t limit what customers do with its findings, Brown says, adding, “You can use
it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and
China. I don’t want any part of that.” (The Indian embassy in London hadn’t responded to
requests for comment.)

The company also looked at a second vulnerability Kaspersky had attributed to Moses,
another flaw that allowed a hacker to get higher privileges on a Windows computer. It was
not linked to any particular espionage campaign, but Brown confirms it was one of his
company’s, adding that it would “make sense” that India or one of its contractors had
weaponized that vulnerability, too.

Brown is also now exploring whether his company’s code has been leaked or abused by others.
Beyond the two zero days already abused, according to Kaspersky, “at least six
vulnerabilities” made by Moses have made it out “into the wild” in the last two years. Also
according to Kaspersky, another hacking crew known as DarkHotel—believed by some
cybersecurity researchers to be sponsored by South Korea—has used Moses’ zero days.
South Korea is not a customer of Exodus. “We are pretty sure India leaked some of our
research,” Brown says. “We cut them off and haven’t heard anything since then . . . so the
assumption is that we were correct.”

“I would not be involved in this company at all if we were, for example, working with the
Saudis.”

Pedram Amini, founder of the Zero Day Initiative and an advisor to Exodus Intelligence

Any such zero-day spill would be especially concerning coming from a company that tries to
keep a lid on around 50 zero days a year, covering the world’s most popular operating
systems, from Windows to Android to Apple’s iOS. And Brown isn’t alone in seeing his
creation used in ways he didn’t intend. Luca Todesco, an Italian zero-day developer and a
Forbes 30 Under 30 alum, tweeted last year about “the worst outcome I could see from doing
my line of work” after seeing iPhone hacks used for surveillance of the Uyghur community, a
minority persecuted by the Chinese government. After Google researchers detailed hacks of
iPhones belonging to members of the Uyghur community, Todesco realized that one of the
techniques detailed by the tech giant looked a lot like something he had developed and shared
with Chinese contacts. In direct messages over Twitter, Todesco denied that he’d ever sold
any code that ended up in the attacks, but said he’d been openly sharing his findings with
multiple, unnamed individuals. He claimed he didn’t know how or why his code ended up
being used in attacks on the Uyghur community, but added, “I would have avoided sharing
had I known.” He continues to develop exploits as part of a new Italian company he
cofounded, Dataflow Security.
