Russian Vulnerability Broker Offers Up to $4 Million for Zero-Click Telegram Exploits
Operation Zero, a company positioning itself as a Russian platform specializing in the acquisition and sale of 0-day exploits for the Russian government and local companies, has announced that it is seeking exploits for the Telegram messenger and is willing to pay up to $4 million for them.
The vulnerability broker stated that it is prepared to pay up to $500,000 for a one-click remote code execution (RCE) exploit, up to $1.5 million for a zero-click exploit, and up to $4 million for a “full chain.” A full chain refers to a series of vulnerabilities that, when combined, allow an attacker to move from compromising a Telegram account to taking over the entire operating system or device.
According to TechCrunch, Operation Zero’s interest in zero-day vulnerabilities in Telegram is not surprising, given that the messenger is “especially popular among users in both Russia and Ukraine.” The publication notes that the broker’s clients are mostly Russian authorities, and the public listing of exploit prices offers a rare glimpse into the priorities of Russia’s 0-day market, about which little is generally known. Journalists believe that the publication of these prices indicates a demand from the Russian government for bugs in Telegram, prompting Operation Zero to advertise such high payouts. The company is confident it can offer large sums because its clients are willing to pay even more for these vulnerabilities.
TechCrunch cites an anonymous expert familiar with the exploit market, who said that Operation Zero’s prices for Telegram bugs are “a bit low.” The expert suggested this might be because the company expects to resell the exploits for two to three times more. Another anonymous specialist working in the 0-day industry commented that Operation Zero’s rates do not seem excessively high. He noted that factors such as exclusivity and the broker’s intention to resell the exploits influence the pricing.
After Operation Zero’s advertisement attracted media attention, Telegram’s press office told the publication “Durov’s Code” that the messenger “has never been vulnerable to zero-click exploits.” Telegram representatives stated that the app’s open-source code and documented encryption protocols have been audited by security researchers, emphasizing that Telegram is the only messenger with verifiable applications.
“The fact that money is being offered for the discovery of such an exploit only means that they have not been able to find one,” the messenger’s press office said.