Figure 8 - Leading digital wallets hacking intentions by threat actors between 2016-2020 Sale of Vulnerabilities Another trend we observed, which, although not yet common, is notable, is the sale of vulnerabilities in digital wallets. On one Darknet market an exploit for Apple Pay, Samsung Pay and Google Pay is offered for sale by a threat actor for CAD$140 or USD$104. The comments to the posts confirm the credibility of the exploits. Figure 9 - An Apple Pay/Samsung Pay/Google Pay exploit is offered for sale on the Canadian headquarters market Vulnerabilities in digital wallets have been found and shared online in the past. In 2016, a security researcher found a flaw in Samsung Pay that lets attackers eavesdrop on a payment transaction and generate a token that can be used to make an unauthorized purchase. Another flaw using the NFC communication standard was discovered by the same researcher later that year. We discovered that up until 2019 there was a steady increase of interest in vulnerabilities, whereas we can see a decline in 2020. This decline does not include the possible vulnerabilities that can be found on the devices themselves, or in the NFC protocol that can be exploited to steal victim’s digital wallet accounts. Figure 1 - Leading digital wallets vulnerability selling and buying intentions by threat actors between 2016-2020