What Are the Malware Markets?

What Are the Malware Markets?

In many marketplaces, consumers don't have access to all the information they'd like to make a decision but still get to see and feel a product, like a toaster or a car, before buying it. The same cannot be said for the malware markets. Malware (and all software) is essentially information, so keeping products secret is often critically important. Take, for example, the interaction around the purchase of a software vulnerability. When purchasing a vulnerability, the buyer won’t be afforded the opportunity for a test-drive. Sellers have a strong interest in not revealing too much or else potential buyers may be able to discover the vulnerability themselves, thereby eliminating any incentive to pay for it. Further muddying the waters, when the buyer is a software vendor like Mozilla or Google, sellers have an incentive to spam the system, using alternate aliases to submit the same bug, hoping for multiple payouts.

A malicious software (malware) market is a network of organizations, individuals, and websites where malicious software is bought and sold. In these networks, monetization is key—profit often drives participation and participant behavior. These markets play host to services, in the form of customer support for products like botnets and offers to integrate different malware products into streamlined services. Popular malware used to steal banking credentials, like the Zeus trojan, are available for sale alongside offers to rent out exploit kits, which combine many different software vulnerabilities as a platform to infect as many users as possible. Where a country is unable or unwilling to develop their own malicious software, for surveillance or espionage or other activities in cyberspace, they can simply buy some from one of dozens of companies around the globe. Companies like Hacking Team, an Italian firm which sells surveillance software to governments along with training and support on how to use them, have a key role to play in these markets.

Malware markets act as a mechanism to spread malware to new and less capable users. If an individual criminal outfit cannot figure out how to build a tool themselves, they can simply outsource the problem. The rise of exploit kits was partly a product of the time and cost  of discovering vulnerabilities and engineering exploits. As defenders evolve, these kits can keep pace by adding new vulnerabilities and dropping ineffective ones. For the governments of countries like Sudan or Ethiopia, these markets are a way to gain access to surveillance technologies and capability that they might not be able to develop on their own. Even advanced states like the United States and Israel likely buy in these markets, albeit for very specific information like vulnerabilities in Apple’s iOS.

The History of Malware Markets


Notable Events in the 30+ Year History of Malware

First Computer Virus

Elk Cloner MessageThe first computer virus, named Elk Cloner, is used on Apple Macs through a floppy disk insertion. Since the World Wide Web had not yet been invented, the first viruses were spread through physically infiltrating computers.

November 2, 1988
Morris Worm

Morris Worm CybersecurityOriginally designed to gauge the size of the Internet, the Morris Worm was written by Cornall Grad student Robert Tappan Morris, and released from MIT's computers. While not intended to be malicious, the worm could reinfect computers multiple times, eventually slowing the computer down to the point of being unusable.

First Ransomware

Distributed in 1989, the AIDS Trojan targeted AIDS researchers with the first ransomware ever detected but not the last. While the widespread use of ransomware by criminals doesn’t really start until 2013, this early attack showed how disruptive it can be.

First Bug Bounty Program

Netscape LogoNetscape launches one of the first bug bounty programs (paying out small cash rewards in exchange for information about vulnerabilities) for their new web browser, Netscape Navigator 2.0. This set a precedent for many other companies in the decades to follow.


Loveletter virusLoveletter, one of the first email worms, reaches tens of millions of Windows PCs. An email titled “ILOVEYOU” with an attached VBA script that overwrote random local files. This marked the beginning of a surge in internet and email worms.

Expansion in Malware

F-Secure LogoAccording to security company F-Secure, "As much malware [was] produced in 2007 as in the previous 20 years altogether."


KeyboardThe Zeus virus is first discovered when it is used to steal information from the US Department of Transportation. Zeus will go on to become one of the most influential malicious toolkits in the criminal world with hundreds of later versions and variants.


ConfickerConficker was one of the largest internet worms and infected millions of computers, including government, business, and home computers around the world. Clean up efforts by companies and law enforcement were one of the first incident responses coordinated world-wide.

2011 - 2013
Silk Road

Department of JusticeSilk Road becomes the first darkweb marketplace to use both Tor (a software that allows a user to browse anonymously) and bitcoin escrow. While it is mainly known as a marketplace for drugs, it also fosters a prosperous market for malware and stolen data. It was shut down by the Department of Justice and the Drug Enforcement Agency in 2013, but it provided a model for future darkweb marketplaces, tens of which have been created since.

May 2011
Zeus Source Code Published
Credit Card Keyboard

ZeuS Banking Trojan, malware that sends users to customizable servers instead of their intended website, is leaked online. Countless other malware authors adapt the leaked code and new malware is created. Kits of ZeuS are posted online from $2,000 - $10,000 but prices fall as the code becomes available even on GitHub.

Target Breach

Target StoreHackers gained access to the credit card information of some 40 million customers, and the personal information of as many as 60 million by compromising Target’s point of sale systems. The sale of this information online reaps financial gains for the attackers and floods the marketplace with stolen credit card and identity information. This is a classic example of the sort of financial gain that drives demand in the malware markets

Ransomware Turns Pro

In 2013, the Cryptolocker malware appeared, introducing the world to the now common elements of ransomware including easy to use payment instructions for victims and ever more capable encryption algorithms. Many more would follow including CryptoWall and the talkative Cerber.

June 2013
Carberp Source Code Published

Carberp Source code is published on market and being sold for $50,000. It offers advanced funcitionality along with multiple add ons and additions to its capability. The source code is published on a Russian site.

May 2014

The malware markets can act as a way to distribute malware but also a place for innovation. The Zberp malware combines leaked source code from ZeuS and Carberp into a hybrid trojan horse which employs aspects of both to exploit software targeting banks and other financial institutions.

July 15, 2015 - July 28, 2015
Dark0de is Shut Down...Then Reopens

Darkc0de Screen FBIWith help from countries in Europe and South America, US law enforcement busts a major online marketplace for, among other things, malware. However, within a month the market is back online and operating with better security than before.

February 2016
GM Bot Source Code Leaked

Android PhoneThe code to a piece of malware for Android phones is leaked on the web. The GM Bot malware can intercept SMS messages and capture passwords typed into fake application windows, making it excellent for stealing banking information.

May 2017

WannacryWannaCry was a ransomware worm that spread around the globe like wildfire and was one of the first widely seen criminal malware based on technology leaked from the NSA.

July 20, 2017
AlphaBay, Hana Shut Down

Alphabay and Hana Shut DownAuthorities in the United States and EU announced they had shut down two major online marketplaces on the dark web after having run both for weeks.