Hacker News
by andrewstuart 2422 days ago
Why would cybercriminals not just report the bug and pick up the cash from Google? Is it genuinely that much more lucrative to exploit it?
3 comments

You can only sell to Google once. You can sell it to different exploit houses many times.

But also historically, some places pay in the several hundred thousand compared to tech companies that pay in the tens of thousands. So even if they only sell it once, they can make more.

It isn’t cybercriminals. Cybercriminals pretty much never have top tier 0day. This one is North Korean intelligence, and they get far more value out of it than Google is willing to pay.

>Why would cybercriminals not just report the bug and pick up the cash from Google?

Probably because they're not the ones actually finding the bugs.