Russian Vulnerability Broker Offers Up to $4 Million for Telegram Exploits

Operation Zero, a company specializing in acquiring and selling zero-day vulnerabilities exclusively to the Russian government and local businesses, announced on Thursday that it is looking for exploits for the widely-used messaging app Telegram and is willing to pay up to $4 million for them.

The exploit broker is offering up to $500,000 for a one-click remote code execution (RCE) exploit, up to $1.5 million for a zero-click RCE exploit, which doesn’t require any user interaction, and as much as $4 million for a full chain of exploits. This “full chain” likely refers to a series of vulnerabilities that would allow hackers to gain access not just to a victim’s Telegram but also to their entire operating system or device.

Companies like Operation Zero develop or acquire vulnerabilities in popular operating systems and applications and then resell them at a premium. The focus on Telegram makes sense considering its popularity among users in both Russia and Ukraine.

Given that the primary clients for this exploit broker are government entities in Russia, the publicly available prices reveal a rare glimpse into the priorities of the zero-day vulnerability market, particularly within Russia’s often opaque cybersecurity landscape.

It is common practice for exploit brokers to advertise their search for bugs in specific applications or systems when they are aware of current demand. This could indicate that the Russian government has signaled to Operation Zero its interest in Telegram vulnerabilities, prompting the broker to effectively publish an ad and offer higher rewards, knowing they can charge the government more in return.

Zero-day vulnerabilities are flaws unknown to the software or hardware maker. That makes them particularly valuable in the growing market of exploit brokers and purchasers, because they give hackers a better chance to exploit the targeted technology without the manufacturer or target being able to respond.

Remote code execution (RCE) vulnerabilities are among the most prized types, as they allow hackers to take control of applications or operating systems remotely. Zero-click exploits do not require any interaction from the victim, unlike phishing attacks, making them even more valuable.

The new bounty for Telegram bugs comes after the Ukrainian government banned the use of the app on the devices of state and military personnel last year due to concerns regarding potential vulnerabilities to Russian government hackers.

Security and privacy experts have warned repeatedly that Telegram should not be considered as secure as competitors like WhatsApp and Signal. For instance, Telegram does not employ end-to-end encryption by default, and even when users enable it, the app does not utilize well-established and vetted encryption protocols. This leads cryptography experts like Matthew Green to caution that “the vast majority of private conversations on Telegram — and literally every group chat — are likely visible on Telegram’s servers.”

A source familiar with the exploit market mentioned that Operation Zero’s prices for Telegram exploits “seem a bit low,” possibly indicating that the company plans to charge significantly more, perhaps two to three times higher, when reselling these exploits.

This individual, who requested anonymity due to not being authorized to speak with the press, stated that Operation Zero may also sell the same exploits multiple times to different clients, potentially offering lower prices based on various criteria.

“I don’t believe they will actually pay the full price. There will be a limit that the exploit won’t surpass, and they will only make partial payments,” the source commented. “This is poor business practice, in my opinion, but in anonymity, they have no real incentive not to cheat the exploit developer.”

Another person working within the zero-day vulnerability industry noted that the prices advertised by Operation Zero are not “significantly different from market rates.” However, they also pointed out that this can depend on factors such as exclusivity and whether Operation Zero plans to enhance the exploits internally or resell them as a broker.

Overall, zero-day vulnerability prices have risen in recent years as applications and platforms have become harder to exploit. As reported by TechCrunch in 2023, a zero-day vulnerability for WhatsApp could be valued at up to $8 million — a figure that also reflects the app’s popularity.

Operation Zero previously made headlines by offering $20 million for hacking tools that would allow complete control over iOS and Android devices. Currently, the company’s offer for such types of vulnerabilities stands at $2.5 million.

**P.S.** The earliest report of this news was made on my [Telegram Channel](https://t.me/+ALvKsWVwvbA5YWIy).