
"Tens of millions" for controlling stake in NSO is like an order of magnitude less than what I'd imagine in today's environment. Comes off as cheap.

Have their capabilities been overplayed? Is selling done under pressure? Are they not actually sitting on big bank and procurement network of valuable 0days?



I think the issue is more there is a cloud over their future. There is much more scrutiny on them and who they are selling to, whether they will be able to continue as they have been doesn’t seem so certain.


> The company is actually on the US Department of Commerce's sanctions list, which prohibits American companies from trading with the spyware


Why? Do you think zero-click exploits that can hack every phone in existence are expensive or rare?

They only cost a few million dollars to find or just buy and last I checked, a few years ago, there are multiple brokers each with tens in stock.

With that much prevailing stock, you do not run the risk of suddenly not having a supply, so you do not even need to keep a material hoard for yourself. They probably just had like 3-5 at any one time with an in-house team only requiring a few million a year in funding to keep up with the expected churn. If they got more churn than expected, then they buy them retail to keep their product working.

So even if we go with 9 M$ per 0-day (which is a multiple of actual cost), we would only expect them to have like 50 M$ in “assets” and a “procurement network/exploit factory” capable of keeping up with “depreciation” on-average.

Seems pretty reasonable to be under 100 M$. If we went with more reasonable numbers, it would not even be that weird if it was less than 20 M$ for over 50% even at their peak.


I think we imagine them to sell mostly consulting and re-using those 0-days on thousands of unconnected victims bringing in many millions for a billion dollar valuation. This is somewhat in jest, but goes to show that the value of the zero days themselves doesn’t necessarily impact valuation much. That’s just an asset. It’s the business they have on top of that and the value it extracts that determines the free cash flow that an investor would hit with a multiple.


Huh? Given their valuation, their business is barely worth more than their zero-days which are just not very expensive.

People have the mistaken belief that total security compromises are challenging or expensive leading them to the mistaken belief that these companies must be valuable with valuable assets and high revenue.

Hacking-for-hire is barely more than a commodity, like aluminum smelting. There are capital costs, you need technology and expertise, but it is highly fungible leading to lots of suppliers competing on cost and quality of service (turn key, white-glove, etc.) Hell, it is even cheaper to get into and stay on top than aluminum smelting since the capital costs are so much lower.


Have their capabilities been overplayed?

I think so, but also while they're known as creating 0days, I think they do much more than that, and a lot of it is mundane in comparison.

Probably a big departure from their glory days anyway.


Maybe gory days. How many people did they help kill or harass/imprison?

https://www.amnesty.org.uk/meet-nso-group-go-company-human-r...


Oh they're a changed company since then, they have a human rights policy: https://www.nsogroup.com/wp-content/uploads/2019/09/NSO-Huma...

But on a more serious note, I'm sure a Hollywood producer will bring much needed change to the company.


If you sell something for 1 billion, would you tell gov/IRS you got paid that amount?


Yes?

It's more beneficial to report the amount for taxes, how much you wind up paying is a separate matter, but you need to report it to create the deductions


Do you think they report income on when Saudi Arabia pays them for Apple 0-days every time someone pisses off MBS there? I bet they filed taxes on what they or others like them got for Jamal Khashoggi or other journalists they helped take out.

Apple pays 2m for 0-days now, but I bet kings pay better yet.

History has documented what sort of player they are, I suppose it says something of the times that they still operate/proliferate with impunity.


Yes I believe they report and pay their taxes

Software exploits are not munitions and are not controlled, they are not illegal to find, they are illegal to use, hence why there is a market for selling them to sovereigns who have immunity from criminal liability

Shifting liability until it reaches the end user who has no liability or takes the risk


You think they're downplaying the value? Why, if it actually lowers the perceived capabilities of NSO?


When your software is highly illegal, I doubt you can find many investors


“Highly illegal” Sells directly to government agencies…


because they are the only ones who can make it legal


I honestly don’t think that companies working at that are involved so deeply in military/security follow the same logic and patterns of regular ones.

Under the hood there could be anything, we only know just the surface of information that they purposefully let reach the surface. If there was a valid motivation to make it appear as a billion dollar acquisition, I’m sure there’d have been a way to make it appear as such.



