Operation Zero, a company that acquires and sells zero days exclusively to the Russian government and local Russian companies, Announced Thursday That he is looking for exploits for the Popular Telegram messaging application and is ready to offer them up to $ 4 million.
The exploit broker offers up to $ 500,000 for a distant code feat “in one click” (RCE); Up to 1.5 million dollars for a zero-click RCE feat; And up to 4 million dollars for a “complete chain” of exploits, probably referring to a series of bugs that allow hackers to pass from access to the telegram from a target to the entire operating system or device.
Zero-day companies such as the Zero operation develop or acquire security vulnerabilities in popular operating systems and applications, then reconnect them at a higher price. For the company to focus on Telegram is logical, since the messaging application is particularly popular with users in Russia and Ukraine.
Given the customers of the broker in exploits – mainly the Russian government – the public price offers a rare overview of zero -day market priorities, in particular that of Russia, a country and a cybersecurity market often wrapped in secrets.
It is not uncommon to exploit brokers to announce that they are looking for bugs in specific applications or systems when they know that there is timely demand. This means that it is possible that the Russian government has declared to Operation Zero that it was looking for telegram bugs, which prompted the broker to publish what is essentially an advertisement and to offer higher payments because he knows that he can in turn invoice the Russian government more.
Contact us
Do you have more information on Operation Zero or other zero-day suppliers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai safely on the signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or e-mail. You can also contact Techcrunch via Secure.
The Director General of Operation Zero, Sergey Zelenyuk, did not respond to the request for comments from Techcrunch.
Zero-day Are vulnerabilities that are unknown to software or hardware manufacturers, which makes them particularly precious in the growing operating broker industry – and those who want to buy them – because it gives Pirates a better chance to exploit target technology without the manufacturer or the target able to do much about it.
A RCE is One of the most precious types of defects Because it allows hackers to take control remotely from an application or an operating system. Zero exploits click Does not require any interaction of the target, as opposed to a phishing attack, for example, which makes these bugs more precious.
One day zero-click, RCE ZERO-DAY is essentially the most precious feat category that exists.
Telegram targeting
The new generosity of telegrams bugs comes under the name of Ukrainian government prohibits the use of telegram On government and military staff systems last year, for fear of being particularly vulnerable to pirates of Russian government.
Security And confidentiality experts to have repeatedly warned This telegram should not be considered secure that competitors like WhatsApp and Signal. On the one hand, Telegram does not use encryption from start to finish by default, and even when the users allow it, the application does not use very well known and verified end -to -end encryption, which leads Crypto experts like Matthew Green To warn that “the vast majority of individual telegram conversations – and literally each group cat – are probably visible on the Telegram servers.”
A person who has knowledge on the farms of farms said that the prices of Operation Zero for Telegram “are a little low”, but this could be due to the fact that Operation Zero expects to invoice more, perhaps two or three times more, when they sell the exploits.
The person, who asked to remain anonymous because he was not allowed to speak to the press, said that the Zero operation could also sell them several times to different customers and could also pay lower prices depending on certain criteria.
“I don’t think they will really pay [price]. There will be a bar that the feat clearly does not make one partial payment, “they said.” Which is a bad deal if you ask me, but with everyone, there is no real incentive not to face the feat. »»
Another person who works in zero-day industry said the prices announced by Operation Zero are not “wildly turned off”. But they also said that it depends on if there are factors such as exclusivity, and if this price takes into account that the Zero operation will then redevelop the exploits internally, or reinforce them as a broker.
Zero-day price in general have increased in recent years As applications and platforms become more difficult to hack. As Techcrunch reported it in 2023, one day zero for WhatsApp could cost up to $ 8 million at the timeA price that also takes into account the popularity of the application.
Zero operation previously Make the headlines For having offered $ 20 million for hacking tools that would allow hackers to take total control of iOS and Android devices. The company currently offers only $ 2.5 million for this type of bugs.
