Operation Zero, a company that only sells Zero Days to the Russian government and local Russian companies, announced on Thursday it was looking for an exploit for popular messaging app Telegram, and is willing to offer up to $4 million.
Exploit Broker offers up to $500,000 for “one-click” Remote Code Execution (RCE) Exploit. For Zero Click RCE Exploits, up to $1.5 million. And up to $4 million for a “complete chain” exploit. It probably refers to a set of bugs that allow hackers to access the target telegram and access the entire operating system or device.
Zero-day companies like Operation Zero develop or acquire security vulnerabilities on popular operating systems and apps and resell them at a higher price. It makes sense for the company to focus on Telegram. The messaging app is considered to be particularly popular with users in both Russia and Ukrainians.
Considering the customers of exploit brokers (mainly the Russian government), the public price tag offers a total glimpse into priorities within the zero-day market, particularly the priorities of Russia, the country and the cybersecurity market.
It is not uncommon for exploit brokers to promote their search for bugs in a particular app or system when they know there is a timely demand. This means that the Russian government may have told Operation Zero that it is looking for a telegram bug. This will essentially lead brokers to publish their ads and offer higher payments as they know they can charge more from the Russian government.
Contact Us Is there any more information about Zero Operation Zero or other Zero-Day providers? From non-work devices, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or send an email. You can also contact TechCrunch via SecureDrop.
Sergey Zelenyuk, Chief Executive Officer of Operation Zero, did not respond to TechCrunch's request for comment.
Zero Day is a vulnerability unknown to software or hardware manufacturers and is especially valuable in the growing and in the industry that wants to purchase exploit brokers. This is because it gives manufacturers and targets a better opportunity to leverage target technology without having to do much about it.
RCE is one of the most valuable types of flaws as it allows hackers to remotely control an app or operating system. Zero-Click Exploits does not require interaction from the target, as opposed to phishing attacks. For example, make these bugs more valuable.
Zero Click, RCE Zero Day is essentially the most valuable exploit category.
Telegram targeting
The new prize for the Telegram bug comes from fear that the Ukrainian government last year banned the use of telegrams on government and military equipment, and could be particularly vulnerable to Russian government hackers.
Security and privacy experts have repeatedly warned that Telegram should not be considered as unsafe as competitors like WhatsApp and Signal. For one, Telegram doesn't use end-to-end encryption by default, and even if enabled by the user, the app doesn't use well-known audited end-to-end encryption. This will warn cryptography experts like Matthew Green that “the majority of one-to-one telegram conversations) are probably all group chats.
Those with knowledge of the exploit market said the telegram's zero operation price was “a little low,” but this may be because reselling the exploit will result in more operational zeros, and perhaps expecting a double or triple charge.
Those who asked to remain anonymous as they were not allowed to speak to the press said that zero could sell several times to different customers, or they could pay a lower price according to the criteria.
“I don't think they'll actually be full [price]. The exploits are not clear, they said, and they only make partial payments. “This is a bad business to ask me, but to be anonymous, there's no real incentive for an exploit writer to not do f-k.”
Another working in the zero-day industry said the prices advertised by zero-operation zero are not “roughly off.” But they also said there are factors like exclusivity and whether the price depends on whether Operation Zero takes into account the fact that it will internally redevelop the exploit or resell it as a broker.
Zero Day prices have generally risen over the last few years as apps and platforms become more difficult to hack. As TechCrunch reported in 2023, WhatsApp's zero-day could cost up to $8 million at the time. This takes into account how popular the app is.
Operation Zero previously created a headline to provide $20 million to a hacking tool that gives hackers complete control over iOS and Android devices. The company currently only offers $2.5 million for these types of bugs.