Telegram Exploit Bounty: Russian Hacker Offers $4 Million

March 21, 2025

Operation Zero Seeks Telegram Exploits, Offering Millions

Operation Zero, a firm specializing in the acquisition and sale of zero-day vulnerabilities – exclusively to the Russian government and Russian-based entities – announced on Thursday its search for exploits targeting the Telegram messaging application.

Bounty Amounts for Telegram Exploits

The exploit broker is prepared to pay up to $4 million for successful submissions. Specifically, the offered rewards are structured as follows:

  • Up to $500,000 for a “one-click” remote code execution (RCE) exploit.
  • Up to $1.5 million for a zero-click RCE exploit.
  • Up to $4 million for a “full chain” of exploits, indicating a sequence of vulnerabilities enabling progression from Telegram account access to complete device or operating system control.

Companies such as Operation Zero specialize in the development or procurement of security weaknesses in widely used software and applications, subsequently reselling them at a profit.

Strategic Focus on Telegram

The decision to concentrate on Telegram is logical, given the app’s substantial user base in both Russia and Ukraine.

The publicly advertised price list provides a unique insight into the priorities of the zero-day market, and particularly those of Russia, a nation whose cybersecurity landscape is often characterized by opacity.

Demand-Driven Vulnerability Hunting

It is a common practice for exploit brokers to publicly solicit vulnerabilities in specific applications or systems when they anticipate strong demand.

This suggests the possibility that the Russian government has expressed a specific interest in Telegram vulnerabilities to Operation Zero, prompting the broker’s public announcement and increased reward offerings.

Lack of Response from Operation Zero

Sergey Zelenyuk, the chief executive of Operation Zero, did not respond to a request for comment from TechCrunch.

Understanding Zero-Day Vulnerabilities

Zero-days are security flaws unknown to the software or hardware developers. This characteristic makes them exceptionally valuable in the exploit broker industry – and to those seeking to acquire them.

The lack of awareness by the vendor provides attackers with a greater opportunity to exploit the target technology before defenses can be implemented.

The Value of Remote Code Execution

Remote code execution (RCE) flaws are among the most sought-after vulnerabilities, as they allow attackers to remotely gain control of an application or operating system.

Zero-click exploits are particularly valuable because they do not require any user interaction, unlike methods such as phishing.

Consequently, a zero-click RCE zero-day represents the highest tier of exploit value.

Telegram's Response

Following publication, Telegram spokesperson Remi Vaughn asserted that Telegram has “never been vulnerable” to a zero-click exploit, though no supporting evidence was provided.

Vaughn also highlighted the company’s existing bug bounty program, which incentivizes the reporting of security flaws.

Telegram as a Bug Bounty Target

A new bug bounty program has been launched by Telegram, offering rewards for discovered vulnerabilities. This initiative follows a ban imposed by the Ukrainian government last year, restricting Telegram's use on government and military devices due to concerns about potential exploitation by Russian government hackers.

Experts in security and privacy have consistently cautioned that Telegram's security profile doesn't match that of competitors such as WhatsApp and Signal. A key issue is that end-to-end encryption isn't enabled by default on Telegram.

Even when activated, the encryption methods employed by Telegram haven't undergone the same rigorous auditing as those used by other platforms. This has prompted warnings from cryptography experts, like Matthew Green, who suggest that most Telegram conversations, including all group chats, are likely accessible on Telegram’s servers.

Exploit Market Dynamics

Sources familiar with the exploit market indicate that Operation Zero’s offered prices for Telegram vulnerabilities are somewhat conservative. This could be a strategic move, anticipating higher resale values – potentially two or three times the initial offer – when the exploits are sold to other parties.

An anonymous source, lacking authorization to speak publicly, explained that Operation Zero might resell exploits multiple times to different clients. Furthermore, payment amounts could be adjusted based on specific criteria.

The source expressed skepticism about full payment, suggesting that Operation Zero might impose conditions that lead to partial compensation. They characterized this as a potentially unfair business practice, but noted that anonymity reduces the incentive for ethical conduct in such transactions.

Another industry professional in the zero-day market stated that Operation Zero’s advertised prices are reasonable. However, they emphasized that factors like exclusivity and whether the price includes internal re-development or brokerage fees can significantly influence the final value.

Rising Costs of Zero-Day Exploits

Generally, the prices for zero-day vulnerabilities have increased in recent years. This trend is driven by the growing difficulty of hacking modern applications and platforms. Reports from 2023 indicated that a zero-day exploit for WhatsApp could fetch up to $8 million, reflecting the app’s widespread popularity.

Operation Zero previously garnered attention for offering a $20 million bounty for tools enabling complete control over iOS and Android devices. Currently, the reward for such vulnerabilities has been reduced to $2.5 million.

This article has been updated to incorporate statements from a Telegram spokesperson.
