My understanding is that in places like Russia or China they have full blown military units with uniformed officers and men that are developing these sorts of things. In the US a lot of it is (was?) NSA related like EternalBlue. Are you saying in the west now that we are buying exploits from the grey market instead of getting them from NSA researchers? I thought that more broadly the government had been learning its lesson that there is no such thing as a NOBUS vuln and that America has more to lose than our adversaries from these things.