{ "version": "2026-06-21-firsthand-batch+archived-033355", "source": "research/2026-04-25-confirmed-prices/RESEARCH.md", "scope": "Confirmed offensive vulnerability/exploit/surveillance-product transactions only. Excludes broker offers (RESEARCH.md Section D), forum listings (Section F), and academic ranges/historical. Defensive bug bounties out of scope.", "schema": { "id": "Stable corpus row id (RESEARCH.md anchor)", "year": "Year of transaction (or contract effective year)", "year_revealed": "Year the transaction became public (if different)", "target": "What was sold (product, exploit chain, contract)", "target_class": "T1_mobile_chain | edge_appliance | enterprise_saas | foss_lib | iot | surveillance_product | exploit_primitive | access_per_inbox | access_country_program", "buyer": "Named buyer", "buyer_class": "western_government | surveillance_vendor | russian_state | prc_state | prc_contractor | corporate", "seller": "Named seller", "price_usd": "Price in USD (contemporary or contemporaneous estimate)", "currency_orig": "Original currency code", "amount_orig": "Original amount in source currency", "type": "SALE-CONFIRMED | SALE-CORROBORATED | SALE-REPORTED | LEAK-INVOICE | COURT-FILING | GOVERNMENT-DISCLOSURE", "confidence_tier": "1 (court-confirmed) | 2 (leaked invoice) | 3 (government disclosure) | 4 (multi-outlet journalism) | 5 (single-outlet journalism)", "source_url": "Primary citation URL", "archive_url": "Third-party archive snapshot URL (web.archive.org or archive.ph). null if no usable snapshot exists.", "archive_note": "When archive_url is null, this records the reason. Otherwise omitted.", "notes": "Optional caveats or reconciliation" }, "rows": [ { "id": "A1", "year": 2007, "target": "Linux kernel zero-day (single bug)", "target_class": "exploit_primitive", "buyer": "Unnamed US government agency", "buyer_class": "western_government", "seller": "Charlie Miller (independent)", "price_usd": 50000, "currency_orig": "USD", "amount_orig": 50000, "type": "SALE-CONFIRMED", "confidence_tier": 1, "source_url": "https://www.ise.io/wp-content/uploads/2019/11/cmiller_weis2007.pdf", "notes": "Self-reported by seller in WEIS 2007 paper; renegotiated down from $80K offer to remove Linux-flavor restriction. The first published seller-confirmed offensive sale in academic literature.", "archive_url": "https://web.archive.org/web/20241217193403/https://www.ise.io/wp-content/uploads/2019/11/cmiller_weis2007.pdf" }, { "id": "A6", "year": 2013, "target": "NSA TAO 'Cryptanalysis & Exploitation Services' annual budget for covert vulnerability acquisitions", "target_class": "exploit_primitive", "buyer": "NSA", "buyer_class": "western_government", "seller": "Multiple unnamed private vendors", "price_usd": 25100000, "currency_orig": "USD", "amount_orig": 25100000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.washingtonpost.com/world/national-security/black-budget-summary-details-us-spy-networks-successes-failures-and-objectives/2013/08/29/7e57bb78-10ab-11e3-8cdd-bcdc09410972_story.html", "notes": "Snowden Black Budget FY2013 line item. Aggregate annual budget, not single transaction. At then-prevailing $40K-$250K market rates this funded an estimated 100-600 exploit acquisitions per year.", "archive_url": "http://web.archive.org/web/20250715080753/https://www.washingtonpost.com/world/national-security/black-budget-summary-details-us-spy-networks-successes-failures-and-objectives/2013/08/29/7e57bb78-10ab-11e3-8cdd-bcdc09410972_story.html" }, { "id": "A5", "year": 2012, "target": "iOS exploit (specific named completed sale brokered by the Grugq)", "target_class": "T1_mobile_chain", "buyer": "US government contractor", "buyer_class": "western_government", "seller": "Anonymous developer via the Grugq (broker)", "price_usd": 250000, "currency_orig": "USD", "amount_orig": 250000, "type": "SALE-REPORTED", "confidence_tier": 4, "source_url": "https://seclists.org/fulldisclosure/2012/Mar/284", "notes": "Forbes 2012 (Greenberg). Less the broker's 15% commission. Canonical mainstream-press confirmed iOS sale of the early 2010s.", "archive_url": "https://web.archive.org/web/20260425214910/https://seclists.org/fulldisclosure/2012/Mar/284" }, { "id": "A14", "year": 2016, "year_revealed": 2021, "target": "iPhone 5C passcode-bypass exploit chain (iOS 9, Mozilla Lightning chain)", "target_class": "T1_mobile_chain", "buyer": "FBI", "buyer_class": "western_government", "seller": "Azimuth Security (Mark Dowd / David Wang / 'Cy')", "price_usd": 900000, "currency_orig": "USD", "amount_orig": 900000, "type": "SALE-CORROBORATED", "confidence_tier": 1, "source_url": "https://www.washingtonpost.com/technology/2021/04/14/azimuth-san-bernardino-apple-iphone-fbi/", "notes": "Court-unsealed via Apple v. Corellium docket. WaPo 2021-04-14. Sen. Feinstein had previously stated 'more than $1M' at a 2017 hearing; $900K is the precise figure paid.", "archive_url": "https://web.archive.org/web/20250706132017/https://www.washingtonpost.com/technology/2021/04/14/azimuth-san-bernardino-apple-iphone-fbi/" }, { "id": "A15", "year": 2014, "target": "NSO Pegasus initial contract — Mexico Procuraduría General de la República", "target_class": "access_country_program", "buyer": "Mexico PGR (Attorney General's Office)", "buyer_class": "western_government", "seller": "NSO Group", "price_usd": 32000000, "currency_orig": "USD", "amount_orig": 32000000, "type": "SALE-CORROBORATED", "confidence_tier": 3, "source_url": "https://www.pbs.org/newshour/world/mexico-says-officials-spent-61-million-on-pegasus-spyware", "notes": "Government-disclosed by Mexican AG office. First publicly-confirmed eight-figure Pegasus contract.", "archive_url": "https://web.archive.org/web/20251004143738/https://www.pbs.org/newshour/world/mexico-says-officials-spent-61-million-on-pegasus-spyware" }, { "id": "A16", "year": 2018, "year_revealed": 2022, "target": "Mexico aggregate Pegasus spend — 31 contracts disclosed by Mexican government", "target_class": "access_country_program", "buyer": "Mexican federal agencies (multiple)", "buyer_class": "western_government", "seller": "NSO Group", "price_usd": 61000000, "currency_orig": "USD", "amount_orig": 61000000, "type": "GOVERNMENT-DISCLOSURE", "confidence_tier": 3, "source_url": "https://www.pbs.org/newshour/world/mexico-says-officials-spent-61-million-on-pegasus-spyware", "notes": "Mexican Public Safety Sec. Rosa Icela Rodríguez 2022 disclosure. Covers 31 contracts, 2011-2018 (Calderón + Peña Nieto admins). NYT 2017 had reported ~$80M; reconciliation in RESEARCH.md notes.", "archive_url": "https://web.archive.org/web/20251004143738/https://www.pbs.org/newshour/world/mexico-says-officials-spent-61-million-on-pegasus-spyware" }, { "id": "A17", "year": 2015, "target": "NSO Pegasus — Ghana NCA contract (court-confirmed via 2020 conviction)", "target_class": "access_country_program", "buyer": "Ghana National Communications Authority", "buyer_class": "western_government", "seller": "NSO Group → IDL reseller → NCA", "price_usd": 8000000, "currency_orig": "USD", "amount_orig": 8000000, "type": "COURT-FILING", "confidence_tier": 1, "source_url": "https://www.timesofisrael.com/ghana-jails-3-ex-government-officials-for-spyware-deal-with-israels-nso-group/", "notes": "End-user contract. NSO→IDL leg was $5.5M, IDL→NCA was $8M. Three Ghanaian officials criminally convicted Accra High Court 2020 for the deal.", "archive_url": "https://web.archive.org/web/20260425214549/https://www.timesofisrael.com/ghana-jails-3-ex-government-officials-for-spyware-deal-with-israels-nso-group/" }, { "id": "A18", "year": 2017, "target": "NSO Pegasus 3 — Saudi Arabia initial install fee", "target_class": "access_country_program", "buyer": "Saudi Arabia (royal court / GIP)", "buyer_class": "western_government", "seller": "NSO Group", "price_usd": 55000000, "currency_orig": "USD", "amount_orig": 55000000, "type": "SALE-REPORTED", "confidence_tier": 5, "source_url": "https://www.timesofisrael.com/israeli-hacking-firm-nso-group-offered-saudis-cellphone-spy-tools-report/", "notes": "Haaretz / Times of Israel reporting. Single-outlet originally (Bar-Eli/Shezaf series), corroborated by Bergman/NYT. NSO has never confirmed.", "archive_url": "https://web.archive.org/web/20260425215458/https://www.timesofisrael.com/israeli-hacking-firm-nso-group-offered-saudis-cellphone-spy-tools-report/" }, { "id": "A20", "year": 2025, "target": "WhatsApp v. NSO Group — punitive damages (jury verdict, then remittitur)", "target_class": "court_judgment", "buyer": "WhatsApp/Meta (plaintiff award)", "buyer_class": "corporate", "seller": "NSO Group (defendant)", "price_usd": 4000000, "currency_orig": "USD", "amount_orig": 4000000, "type": "COURT-FILING", "confidence_tier": 1, "source_url": "https://www.courtlistener.com/docket/16395340/whatsapp-inc-v-nso-group-technologies-limited/", "notes": "May 2025 jury verdict was $167.254M punitive; reduced by Judge Hamilton remittitur Oct 17 2025 to $4M punitive (or new trial on damages). Compensatory $444,719. Permanent injunction granted same date. 4:19-cv-07123 (N.D. Cal., Hamilton).", "archive_url": "https://web.archive.org/web/20251201113458/https://www.courtlistener.com/docket/16395340/whatsapp-inc-v-nso-group-technologies-limited/" }, { "id": "A22", "year": 2025, "target": "8 zero-day exploits stolen from L3Harris/Trenchant, sold to Operation Zero", "target_class": "exploit_primitive", "buyer": "Operation Zero (Russian state buyers)", "buyer_class": "russian_state", "seller": "Peter Williams (insider exfiltration, ex-Trenchant general manager)", "price_usd": 1300000, "currency_orig": "USD", "amount_orig": 1300000, "type": "COURT-FILING", "confidence_tier": 1, "source_url": "https://www.justice.gov/opa/pr/former-general-manager-us-defense-contractor-sentenced-87-months-selling-stolen-trade", "notes": "DOJ sentencing memo Oct 2025: Williams sentenced to 87 months. Cumulative $1.3M paid for 8 exploits = ~$162K/exploit average. Williams' $2M signed contract (Dec 4 2023) shows individual exploits priced higher than the average. Treasury OFAC sanctioned Operation Zero / Matrix LLC Feb 26 2026. DOJ Feb 2026 sentencing release adds: Williams sought up to $4M in cryptocurrency across the scheme and the theft caused ~$35M in loss to L3Harris/Trenchant — the $4M-sought vs $1.3M-realized gap is a direct offer-vs-sale (G1) signal.", "archive_url": "http://web.archive.org/web/20260312115849/https://www.justice.gov/opa/pr/former-general-manager-us-defense-contractor-sentenced-87-months-selling-stolen-trade" }, { "id": "A23a", "year": 2024, "target": "Email-inbox compromise (commodity hacking, lower tier)", "target_class": "access_per_inbox", "buyer": "China MSS / MPS (multiple)", "buyer_class": "prc_state", "seller": "i-Soon (安洵信息)", "price_usd": 10000, "currency_orig": "USD", "amount_orig": 10000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/", "notes": "Floor of i-Soon contract ledger range. SentinelOne characterized these prices as 'cut-rate.' Court-corroborated: the SDNY indictment (unsealed Mar 2025) states i-Soon charged the MSS/MPS between ~$10,000 and $75,000 per hacked inbox, plus fees to analyze stolen data, across 43 bureaus in 31 provinces (DOJ press release, justice.gov 2025-03-05).", "archive_url": "https://web.archive.org/web/20260305162344/https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/" }, { "id": "A23b", "year": 2024, "target": "Email-inbox compromise (commodity hacking, upper tier)", "target_class": "access_per_inbox", "buyer": "China MSS / MPS", "buyer_class": "prc_state", "seller": "i-Soon", "price_usd": 75000, "currency_orig": "USD", "amount_orig": 75000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/", "notes": "Ceiling of i-Soon contract ledger range. Per inbox.", "archive_url": "https://web.archive.org/web/20260305162344/https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/" }, { "id": "A24", "year": 2024, "target": "Vietnam Ministry of Economy compromise — single i-Soon contract", "target_class": "access_per_inbox", "buyer": "China MSS", "buyer_class": "prc_state", "seller": "i-Soon", "price_usd": 55000, "currency_orig": "USD", "amount_orig": 55000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/", "notes": "Specific identified target.", "archive_url": "https://web.archive.org/web/20260305162344/https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/" }, { "id": "A26", "year": 2008, "target": "Netragard EAP average sales (peak: single $200K sale)", "target_class": "exploit_primitive", "buyer": "US government buyers", "buyer_class": "western_government", "seller": "Netragard (Adriel Desautels)", "price_usd": 200000, "currency_orig": "USD", "amount_orig": 200000, "type": "SALE-REPORTED", "confidence_tier": 4, "source_url": "https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/", "notes": "Single peak sale. Average sales were $17-18K. Source via Vijayan Computerworld 2008 / Tsyrklevich 2015.", "archive_url": "https://web.archive.org/web/20260425214702/https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/" }, { "id": "A7", "year": 2013, "target": "Adobe Flash exploit 'FP1' (non-exclusive)", "target_class": "exploit_primitive", "buyer": "Hacking Team", "buyer_class": "surveillance_vendor", "seller": "Vitaliy Toropov (RU)", "price_usd": 45000, "currency_orig": "USD", "amount_orig": 45000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/", "notes": "50/25/25 monthly payment schedule. From 2015 WikiLeaks Hacking Team archive analyzed by Tsyrklevich.", "archive_url": "https://web.archive.org/web/20260425214702/https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/" }, { "id": "A10", "year": 2014, "target": "Adobe Reader XI exploit 'STARLIGHT-MULHERN' (exclusive)", "target_class": "exploit_primitive", "buyer": "Hacking Team", "buyer_class": "surveillance_vendor", "seller": "Netragard", "price_usd": 80500, "currency_orig": "USD", "amount_orig": 80500, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/", "notes": "Negotiated from $100K listed price.", "archive_url": "https://web.archive.org/web/20260425214702/https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/" }, { "id": "A12", "year": 2014, "target": "Windows LPE 'VBI-13-013' (exclusive)", "target_class": "exploit_primitive", "buyer": "Hacking Team", "buyer_class": "surveillance_vendor", "seller": "Vulnerabilities Brokerage Intl. (Dustin Trammell)", "price_usd": 95000, "currency_orig": "USD", "amount_orig": 95000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/", "notes": "Negotiated from $150K. Tsyrklevich 2015 analysis of leak.", "archive_url": "https://web.archive.org/web/20260425214702/https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/" }, { "id": "B1", "year": 2012, "target": "Hacking Team Remote Control System (RCS) — Sudan NISS contract", "target_class": "surveillance_product", "buyer": "Sudan NISS", "buyer_class": "western_government", "seller": "Hacking Team", "price_usd": 1250000, "currency_orig": "EUR", "amount_orig": 960000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://wikileaks.org/hackingteam/emails/", "notes": "Triple-corroborated: leaked invoice, UN Panel of Experts on Sudan inquiry, post-leak Reuters/Intercept reporting.", "archive_url": "https://web.archive.org/web/20260425214747/https://wikileaks.org/hackingteam/emails/" }, { "id": "B3", "year": 2014, "target": "Hacking Team RCS — Ethiopia INSA cumulative", "target_class": "surveillance_product", "buyer": "Ethiopia INSA", "buyer_class": "western_government", "seller": "Hacking Team", "price_usd": 1700000, "currency_orig": "EUR", "amount_orig": 1550000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://wikileaks.org/hackingteam/emails/", "notes": "Cumulative 2011-2014. Used to surveil ESAT journalists in diaspora per Citizen Lab.", "archive_url": "https://web.archive.org/web/20260425214747/https://wikileaks.org/hackingteam/emails/" }, { "id": "B8", "year": 2015, "target": "Hacking Team RCS — Morocco DST cumulative", "target_class": "surveillance_product", "buyer": "Morocco DST (Direction de la Surveillance du Territoire)", "buyer_class": "western_government", "seller": "Hacking Team", "price_usd": 3800000, "currency_orig": "EUR", "amount_orig": 3173550, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://privacyinternational.org/blog/1394/facing-truth-hacking-team-leak-confirms-moroccan-government-use-spyware", "notes": "Cumulative 2009-2015. Used against Mamfakinch journalists per Citizen Lab 2012.", "archive_url": "https://web.archive.org/web/20260425214702/https://privacyinternational.org/blog/1394/facing-truth-hacking-team-leak-confirms-moroccan-government-use-spyware" }, { "id": "B10", "year": 2015, "target": "Hacking Team RCS — Mexico aggregate (11 federal/state agencies)", "target_class": "surveillance_product", "buyer": "Mexican federal + state agencies (CISEN, PGR, Federal Police, SEDENA, PEMEX, etc.)", "buyer_class": "western_government", "seller": "Hacking Team", "price_usd": 6300000, "currency_orig": "USD", "amount_orig": 6300000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.vice.com/en/article/mexico-is-hacking-teams-biggest-paying-client-by-far/", "notes": "Largest single-country customer base for Hacking Team. Per-contract amounts ranged €319K-€925K.", "archive_url": "https://web.archive.org/web/20260321110943/https://www.vice.com/en/article/mexico-is-hacking-teams-biggest-paying-client-by-far/" }, { "id": "B11", "year": 2014, "target": "Hacking Team RCS — Chile (single largest contract on record in leak)", "target_class": "surveillance_product", "buyer": "Chile (PDI / state)", "buyer_class": "western_government", "seller": "Hacking Team", "price_usd": 2850000, "currency_orig": "USD", "amount_orig": 2850000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.vice.com/en/article/mexico-is-hacking-teams-biggest-paying-client-by-far/", "notes": "Single largest individual contract visible in the 2015 leak.", "archive_url": "https://web.archive.org/web/20260321110943/https://www.vice.com/en/article/mexico-is-hacking-teams-biggest-paying-client-by-far/" }, { "id": "B14", "year": 2012, "target": "Hacking Team RCS + 'Exploit Portal Full Access (Zero-Day level)' — DEA single invoice", "target_class": "surveillance_product", "buyer": "US DEA Office of Investigative Technology", "buyer_class": "western_government", "seller": "Hacking Team via Cicom USA reseller", "price_usd": 575000, "currency_orig": "USD", "amount_orig": 575000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.vice.com/en/article/heres-a-dea-invoice-for-zero-day-exploits/", "notes": "Most explicit example in public record of a US federal LE agency paying for active 0-day exploit access. Total contract ceiling $2.4M.", "archive_url": "https://web.archive.org/web/20250324042253/https://www.vice.com/en/article/heres-a-dea-invoice-for-zero-day-exploits/" }, { "id": "B15", "year": 2015, "target": "Hacking Team RCS — FBI cumulative via Cicom USA", "target_class": "surveillance_product", "buyer": "FBI", "buyer_class": "western_government", "seller": "Hacking Team via Cicom USA reseller", "price_usd": 775000, "currency_orig": "USD", "amount_orig": 775000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://theintercept.com/2015/07/06/hacking-team-spyware-fbi/", "notes": "Cumulative 2011-2015 per The Intercept analysis of the leaked spreadsheet.", "archive_url": "https://web.archive.org/web/20260425214818/https://theintercept.com/2015/07/06/hacking-team-spyware-fbi/" }, { "id": "B17", "year": 2015, "target": "Hacking Team — TOTAL client revenues 2003-2015", "target_class": "surveillance_product", "buyer": "70 government clients globally", "buyer_class": "western_government", "seller": "Hacking Team", "price_usd": 44358072, "currency_orig": "EUR", "amount_orig": 40059308, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.defenseone.com/technology/2015/07/someone-just-leaked-price-list-cyberwar/117043/", "notes": "Aggregate revenue figure from leaked client spreadsheet. The single most-cited line from the breach.", "archive_url": "http://web.archive.org/web/20250907211406/https://www.defenseone.com/technology/2015/07/someone-just-leaked-price-list-cyberwar/117043/" }, { "id": "B18", "year": 2014, "target": "FinSpy full toolset — price list", "target_class": "surveillance_product", "buyer": "Government customer (offered)", "buyer_class": "western_government", "seller": "Gamma / FinFisher", "price_usd": 1800000, "currency_orig": "EUR", "amount_orig": 1400000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.vice.com/en/article/finfisher-leak/", "notes": "From 2014 PhineasFisher 40GB dump. Offered price; specific customer purchase amounts UNVERIFIED at this depth.", "archive_url": null, "archive_note": "Origin URL returns 404 (vice.com retired Motherboard archive); no Wayback snapshot has ever existed under this or alternate vice/motherboard URL forms. Article content available in PhineasFisher dump archives elsewhere." }, { "id": "B23", "year": 2016, "target": "NSO Pegasus base install fee (per leaked rate card)", "target_class": "access_country_program", "buyer": "Customer (per rate card)", "buyer_class": "western_government", "seller": "NSO Group", "price_usd": 500000, "currency_orig": "USD", "amount_orig": 500000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.engadget.com/2016-09-02-nso-group-encryption-price.html", "notes": "Per 2016 NSO commercial proposal leaked to NYT (Perlroth/Mazzetti).", "archive_url": "https://web.archive.org/web/20260425215011/https://www.engadget.com/2016-09-02-nso-group-encryption-price.html" }, { "id": "B24", "year": 2016, "target": "NSO Pegasus — 10 iOS or Android targets", "target_class": "access_per_target", "buyer": "Customer (per rate card)", "buyer_class": "western_government", "seller": "NSO Group", "price_usd": 650000, "currency_orig": "USD", "amount_orig": 650000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.engadget.com/2016-09-02-nso-group-encryption-price.html", "notes": "Per-target ≈ $65K. Foundational rate card for almost every subsequent Pegasus pricing estimate.", "archive_url": "https://web.archive.org/web/20260425215011/https://www.engadget.com/2016-09-02-nso-group-encryption-price.html" }, { "id": "B31", "year": 2022, "target": "Predator iOS RCE 0day capability — Spain tender", "target_class": "T1_mobile_chain", "buyer": "Spain (likely intelligence service)", "buyer_class": "western_government", "seller": "Intellexa", "price_usd": 8800000, "currency_orig": "EUR", "amount_orig": 8000000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.icij.org/investigations/cyprus-confidential/greek-court-convicts-intellexa-founder-tal-dilian-three-others-in-wiretapping-scandal/", "notes": "From 2023 Predator Files leak. Greek 'Predatorgate' prosecution: Tal Dilian + 3 others convicted, 8-year suspended sentences.", "archive_url": "http://web.archive.org/web/20260411115750/https://www.icij.org/investigations/cyprus-confidential/greek-court-convicts-intellexa-founder-tal-dilian-three-others-in-wiretapping-scandal/" }, { "id": "B32", "year": 2022, "target": "Predator generic offer — unlimited infections, 10 simultaneous monitored devices", "target_class": "access_country_program", "buyer": "Unspecified", "buyer_class": "western_government", "seller": "Intellexa", "price_usd": 17500000, "currency_orig": "EUR", "amount_orig": 16000000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://www.icij.org/investigations/cyprus-confidential/greek-court-convicts-intellexa-founder-tal-dilian-three-others-in-wiretapping-scandal/", "notes": "Predator Files commercial proposal.", "archive_url": "http://web.archive.org/web/20260411115750/https://www.icij.org/investigations/cyprus-confidential/greek-court-convicts-intellexa-founder-tal-dilian-three-others-in-wiretapping-scandal/" }, { "id": "B34", "year": 2021, "target": "Candiru / DevilsTongue project proposal — unlimited infection attempts, 10 simultaneous devices", "target_class": "access_country_program", "buyer": "Unspecified government", "buyer_class": "western_government", "seller": "Candiru / Saito Tech", "price_usd": 17500000, "currency_orig": "EUR", "amount_orig": 16000000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", "notes": "Citizen Lab + Microsoft TAG/MSTIC joint disclosure July 2021. Same approximate scale as Predator generic offer.", "archive_url": "https://web.archive.org/web/20260425214704/https://citizenlab.ca/research/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/" }, { "id": "C1", "year": 2024, "target": "Cellebrite UFED 4PC Ultimate Subscription — FBI", "target_class": "surveillance_product", "buyer": "FBI", "buyer_class": "western_government", "seller": "Cellebrite", "price_usd": 2992531, "currency_orig": "USD", "amount_orig": 2992531, "type": "GOVERNMENT-DISCLOSURE", "confidence_tier": 3, "source_url": "https://sam.gov", "notes": "Active SAM.gov contract. Cellebrite is dual-use (forensic + offensive use of forensic capability).", "archive_url": "https://web.archive.org/web/20260425055910/https://sam.gov/" }, { "id": "C2", "year": 2019, "target": "Cellebrite UFED + accessories + training — ICE multi-year", "target_class": "surveillance_product", "buyer": "ICE", "buyer_class": "western_government", "seller": "Cellebrite", "price_usd": 35000000, "currency_orig": "USD", "amount_orig": 35000000, "type": "GOVERNMENT-DISCLOSURE", "confidence_tier": 3, "source_url": "https://www.thedailybeast.com/ice-just-spent-3035-million-on-cellebrite-the-iphone-cracking-firm-thats-locked-in-an-ip-spat-with-apple/", "notes": "Range $30-35M with options. Signed June 24 2019.", "archive_url": null, "archive_note": "Wayback rate-limited (429) on submission; no historical CDX snapshot. Re-submit later. ICE-Cellebrite contract is also documented in SAM.gov (already archived at C1 row)." }, { "id": "E2", "year": 2018, "target": "iPhone Safari→kernel chain ('Chaos') — Tianfu Cup, later weaponized against Uyghurs", "target_class": "T1_mobile_chain", "buyer": "Tianfu Cup organizers (then redirected to Chinese intelligence)", "buyer_class": "prc_state", "seller": "Qixun Zhao (Qihoo 360)", "price_usd": 200000, "currency_orig": "USD", "amount_orig": 200000, "type": "SALE-CONFIRMED", "confidence_tier": 4, "source_url": "https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/", "notes": "Best-documented contest-to-state pipeline globally. Single competition prize, vulnerability subsequently used by Chinese intel against Uyghurs.", "archive_url": "https://web.archive.org/web/20260302180855/https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/" }, { "id": "G1", "year": 2014, "target": "Acquisition of NSO Group (~70%)", "target_class": "vendor_acquisition", "buyer": "Francisco Partners", "buyer_class": "corporate", "seller": "NSO Group founders", "price_usd": 130000000, "currency_orig": "USD", "amount_orig": 130000000, "type": "SALE-CONFIRMED", "confidence_tier": 4, "source_url": "https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html", "notes": "Implied valuation ~$185M total.", "archive_url": "https://web.archive.org/web/20260221174551/https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html" }, { "id": "G2", "year": 2018, "target": "Acquisition of Azimuth Security + Linchpin Labs → Trenchant", "target_class": "vendor_acquisition", "buyer": "L3 (later L3Harris)", "buyer_class": "corporate", "seller": "Azimuth founders + Linchpin founders", "price_usd": 313000000, "currency_orig": "USD", "amount_orig": 313000000, "type": "SALE-CONFIRMED", "confidence_tier": 4, "source_url": "https://www.itnews.com.au/news/l3-buys-aussie-hacking-firm-azimuth-security-498938", "notes": "Base ~$200M + earnout up to ~$32M. Closed Aug 31 2018. Some outlets report $313M total ceiling.", "archive_url": null, "archive_note": "itnews.com.au repurposed this URL ID in 2025+; the URL now serves a different article (\"Push to insert human rights into emerging tech\"). The 2026-04-26 /save/ attempt captured this wrong-content redirect; rejected. Original article unrecoverable; alternate citation needed (Reuters, SecurityWeek covered the L3 acquisition)." }, { "id": "G3", "year": 2019, "target": "Acquisition of HackingTeam (post-bankruptcy distressed)", "target_class": "vendor_acquisition", "buyer": "InTheCyber Group / Memento Labs", "buyer_class": "corporate", "seller": "HackingTeam shareholders", "price_usd": 1, "currency_orig": "EUR", "amount_orig": 1, "type": "SALE-CONFIRMED", "confidence_tier": 4, "source_url": "https://www.technologyreview.com/2019/11/14/132164/an-italian-spyware-merchant-the-tools-of-a-cyberweapons-arms-dealer/", "notes": "Nominal/symbolic price. Distressed asset acquisition by Paolo Lezzi.", "archive_url": null, "archive_note": "Wayback rate-limited (429) on submission; no historical CDX snapshot at this URL. Re-submit later." }, { "id": "G4", "year": 2019, "target": "Acquisition of Endgame Systems (post-pivot to defensive EDR)", "target_class": "vendor_acquisition", "buyer": "Elastic", "buyer_class": "corporate", "seller": "Endgame Systems", "price_usd": 234000000, "currency_orig": "USD", "amount_orig": 234000000, "type": "SALE-CONFIRMED", "confidence_tier": 4, "source_url": "https://www.elastic.co/blog/elastic-completes-acquisition-of-endgame", "notes": "Endgame had transitioned out of offensive sales by ~2014; sold as defensive EDR vendor.", "archive_url": null, "archive_note": "Wayback /save/ returns 523 (origin unreachable from Wayback CDN); no historical CDX snapshot. Acquisition is well-documented elsewhere — alternate citation candidates: Reuters, SEC 8-K filing, BusinessWire press release." }, { "id": "C3", "year": 2025, "target": "Cellebrite digital-forensic subscription — ICE-HSI annual award (PO 70CMSD25P00000141)", "target_class": "surveillance_product", "buyer": "U.S. Immigration and Customs Enforcement (HSI)", "buyer_class": "western_government", "seller": "Cellebrite Inc.", "price_usd": 11112194, "currency_orig": "USD", "amount_orig": 11112194, "type": "GOVERNMENT-DISCLOSURE", "confidence_tier": 3, "source_url": "https://www.usaspending.gov/award/CONT_AWD_70CMSD25P00000141", "notes": "Exact-dollar federal procurement record (USAspending.gov API, re-verified 2026-06-21). ICE-HSI's recurring annual Cellebrite spend. The ICE->Cellebrite series runs $4.95M (2021) -> $5.12M (2022) -> $6.17M (2023) -> $9.60M (2024) -> $11.11M (2025); the 'ICE $35M' figure in C2 is a multi-year aggregate, not an annual rate. Forensic-extraction tooling (not a 0-day) — included as a government-procurement floor and a same-product price-over-time series for the time-baseline (G4) work.", "archive_url": "https://web.archive.org/web/20260621104459/https://www.usaspending.gov/award/CONT_AWD_70CMSD25P00000141" }, { "id": "C5", "year": 2023, "target": "Cellebrite digital-forensic subscription — ICE-HSI annual award (PO 70CMSD23FR0000076)", "target_class": "surveillance_product", "buyer": "U.S. Immigration and Customs Enforcement (HSI)", "buyer_class": "western_government", "seller": "Cellebrite Inc.", "price_usd": 6171600, "currency_orig": "USD", "amount_orig": 6171600, "type": "GOVERNMENT-DISCLOSURE", "confidence_tier": 3, "source_url": "https://www.usaspending.gov/award/CONT_AWD_70CMSD23FR0000076", "notes": "Exact-dollar federal procurement record (USAspending.gov API). Mid-point of the ICE->Cellebrite 2021-2025 series; see C3.", "archive_url": "https://web.archive.org/web/20260621104319/https://www.usaspending.gov/award/CONT_AWD_70CMSD23FR0000076" }, { "id": "C7", "year": 2021, "target": "Cellebrite digital-forensic subscription — ICE-HSI annual award (PO 70CMSD21FR0000118)", "target_class": "surveillance_product", "buyer": "U.S. Immigration and Customs Enforcement (HSI)", "buyer_class": "western_government", "seller": "Cellebrite Inc.", "price_usd": 4945309, "currency_orig": "USD", "amount_orig": 4945309, "type": "GOVERNMENT-DISCLOSURE", "confidence_tier": 3, "source_url": "https://www.usaspending.gov/award/CONT_AWD_70CMSD21FR0000118", "notes": "Exact-dollar federal procurement record (USAspending.gov API). Earliest point of the ICE->Cellebrite 2021-2025 series; see C3.", "archive_url": "https://web.archive.org/web/20260621104137/https://www.usaspending.gov/award/CONT_AWD_70CMSD21FR0000118" }, { "id": "B35", "year": 2021, "target": "Intellexa Predator — 'magazine' of 100 successful infections (~€9,000 per successful infection)", "target_class": "access_country_program", "buyer": "Unspecified government client", "buyer_class": "western_government", "seller": "Intellexa", "price_usd": 990000, "currency_orig": "EUR", "amount_orig": 900000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/", "notes": "From the leaked Intellexa commercial proposals analyzed by Amnesty International Security Lab (Predator Files, Oct 2023; figures re-verified on the source page 2026-06-21). A rare explicit per-outcome unit price: €900,000 buys a 'magazine' of 100 successful infections = ~€9,000 per infection. Distinct from the per-capability anchors — this is access priced per successful use.", "archive_url": "http://web.archive.org/web/20260609072324/https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/" }, { "id": "B36", "year": 2022, "target": "Intellexa Predator — persistency add-on (persistent iOS + Android infection)", "target_class": "T1_mobile_chain", "buyer": "Unspecified government client", "buyer_class": "western_government", "seller": "Intellexa", "price_usd": 3300000, "currency_orig": "EUR", "amount_orig": 3000000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/", "notes": "Leaked 2022 Intellexa proposal (Amnesty Predator Files). Persistence — surviving reboot — is priced as a €3M add-on on top of the ~€8M base system: a concrete decomposition of capability value.", "archive_url": "http://web.archive.org/web/20260609072324/https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/" }, { "id": "B37", "year": 2022, "target": "Intellexa Predator — 'Nova' international add-on (5 additional target countries)", "target_class": "access_country_program", "buyer": "Unspecified government client", "buyer_class": "western_government", "seller": "Intellexa", "price_usd": 1320000, "currency_orig": "EUR", "amount_orig": 1200000, "type": "LEAK-INVOICE", "confidence_tier": 2, "source_url": "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/", "notes": "Leaked 2022 Intellexa proposal (Amnesty Predator Files). Geographic scope priced as an add-on: €1.2M to extend targeting to 5 additional countries beyond the domestic-only base — the 'cross-border premium' as an explicit line item.", "archive_url": "http://web.archive.org/web/20260609072324/https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/" }, { "id": "A27", "year": 2019, "year_revealed": 2025, "target": "NSO Pegasus — 'standard price' for 15 concurrent targets (NSO financial-witness deposition)", "target_class": "access_country_program", "buyer": "NSO government customer (standard commercial pricing)", "buyer_class": "western_government", "seller": "NSO Group", "price_usd": 7000000, "currency_orig": "USD", "amount_orig": 7000000, "type": "COURT-FILING", "confidence_tier": 1, "source_url": "https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Gil-Transcrips_Case-4-19-cv-07123-PJH.pdf", "notes": "Verbatim deposition of Sarit Bizinsky Gil (NSO VP Global Business Operations, designated financial witness), WhatsApp v. NSO, N.D. Cal. 4:19-cv-07123-PJH: 'the standard price was around 7 million' (107:04) for '15 concurrent targets' (110:23); cross-border/'covert vector' add-on ~$1-2M (108:17, 122:11). Filed under seal at docket 400/401 (Sept 2024); figures surfaced via Meta-published deposition transcripts (May 2025). NSO's standard commercial offering, not pinned to a single sale; dated to the case-conduct period. DISTINCT from the 2016 NSO rate card ($500K install + $650K/10 targets, rows B23/B24, which trace to NYT 2016 — not this docket).", "archive_url": null, "archive_note": "Meta-hosted PDF; re-archive at next run." }, { "id": "B38", "year": 2012, "target": "DEA Remote Control System (RCS / Galileo) surveillance-suite contract via Cicom USA", "target_class": "surveillance_product", "buyer": "US Drug Enforcement Administration (DEA)", "buyer_class": "western_government", "seller": "Hacking Team (via Cicom USA reseller)", "price_usd": 2400000, "currency_orig": "USD", "amount_orig": 2400000, "type": "GOVERNMENT-DISCLOSURE", "confidence_tier": 3, "source_url": "https://www.documentcloud.org/documents/2713902-DEA-and-CicomUSA-Hacking-Team-Contract.html", "notes": "FOIA-released DEA-Cicom USA contract (Motherboard/Vice). $2.4M total for Hacking Team's Remote Control System (Galileo), signed 2012-08-20; ~$927K paid before DEA cancelled July 2015. The separate $575K 'Exploit Portal Full Access (Zero-Day level)' invoice (Oct 2012) is at documentcloud.org/documents/3673439. This row is the surveillance-suite contract, not the 0-day invoice.", "archive_url": null, "archive_note": "DocumentCloud bot-blocks raw curl; re-archive at next run." } ] }