Russian Zero-Day Seller Offers Up to $4 Million for Telegram Exploits

Operation Zero, a company that acquires and sells zero-days exclusively to the Russian government and local Russian companies, has announced that it's looking for exploits for the popular messaging app Telegram. The exploit broker is offering up to $4 million for them.

The new bounty for Telegram bugs comes as the Ukrainian government banned the use of Telegram on the devices of government and military personnel last year, out of fear that they could be especially vulnerable to Russian government hackers. Security and privacy experts have repeatedly warned that Telegram should not be considered as secure as competitors like WhatsApp and Signal.

Zero-day companies like Operation Zero develop or acquire security vulnerabilities in popular operating systems and apps and then re-sell them for a higher price. For the company to focus on Telegram makes sense, considering the messaging app is especially popular with users in both Russia and Ukraine.

Operation Zero's prices for Telegram "are a bit low," according to one person who has knowledge of the exploit market. However, it's possible that the Russian government has told Operation Zero that it is looking for Telegram bugs, which prompted the broker to publish what is essentially an advertisement for the bugs and offer higher payouts because it knows it can in turn charge the Russian government more for them.

Zero-days are vulnerabilities that are unknown to the software or hardware makers, which makes them particularly valuable within the growing industry of exploit brokers (and those who want to buy them) because they give hackers a better chance to exploit the target technology without the maker or the target being able to do much about it. A remote code execution (RCE) flaw is one of the most valuable types of flaws because it allows hackers to remotely take control of an app or operating system.

Zero-click exploits don’t require any interaction from the target, as opposed to a phishing attack, for example, making these bugs more valuable. A zero-click, RCE zero-day is essentially the most valuable category of exploit there is.

The new bounty for Telegram bugs takes into account how popular the app is. Operation Zero previously made headlines for offering $20 million for hacking tools that would allow hackers to take full control of iOS and Android devices. The company currently only offers $2.5 million for those kinds of bugs.