Russian zero-day seller is offering up to $4 million for Telegram exploits

Topics

late

AI

Amazon

Image Credits:Bryce Durbin/TechCrunch

Apps

Biotech & Health

Climate

Cloud Computing

commercialism

Crypto

Enterprise

EVs

Fintech

fundraise

Gadgets

Gaming

Google

Government & Policy

computer hardware

Instagram

Layoffs

Media & Entertainment

Meta

Microsoft

Privacy

Robotics

Security

Social

quad

Startups

TikTok

Transportation

Venture

More from TechCrunch

Events

Startup Battlefield

StrictlyVC

Podcasts

Videos

Partner Content

TechCrunch Brand Studio

Crunchboard

Contact Us

Operation Zero , a company that acquires and sells zero - days exclusively to the Russian government and local Russian companies , herald on Thursdaythat it ’s expect for exploits for the democratic message app Telegram , and is uncoerced to propose up to $ 4 million for them .

The effort broker is offering up to $ 500,000 for a “ one - click ” outback code execution ( RCE ) exploit ; up to $ 1.5 million for a zero - click RCE exploit ; and up to $ 4 million for a “ full concatenation ” of exploits , presumably bring up to a series of bugs that allow for hackers to go from get at a target area ’s Telegram report to their whole operating system or gimmick .

Zero - day companies like Operation Zero develop or acquire security vulnerabilities in popular operating system and apps and then re - trade them for a gamy toll . For the company to focus on Telegram make sense , view the message app is especially popular with drug user in both Russia and Ukraine .

Given the exploit factor ’s customers — chiefly the Russian government — the public toll tag offer a rare glimpse into the priorities within the zero - day market , particularly that of Russia , a country and cybersecurity market often shrouded in silence .

Operation Zero ’s chief executive Sergey Zelenyuk did not respond to TechCrunch ’s request for commentary .

Zero - daysare vulnerabilities that are unsung to the package or ironware manufacturer , which makes them particularly worthful within the grow industry of exploit brokers — and those who need to grease one’s palms them — because it gives drudge a better luck to work the target technology without the maker or the target being capable to do much about it .

Join us at TechCrunch Sessions: AI

Exhibit at TechCrunch Sessions: AI

An RCE isone of the most worthful types of flawsbecause it allows hackers to remotely take control of an app or operating system . Zero - click exploitsdon’t require any fundamental interaction from the objective , as match to a phishing attack , for example , reach these bugs more valuable .

A zero - suction stop , RCE zero - day is basically the most worthful category of exploit there is .

In a command station after publication , Telegram spokesperson Remi Vaughn lay claim that Telegram has “ never been vulnerable ” to a zero - click exploit , without providing evidence for the claim . Vaughn also boast caller ’s hemipteran bounty for describe security flaws .

Targeting Telegram

The raw bounty for Telegram bugs comes as the Ukrainian governmentbanned the use of Telegramon the twist of government and military force last yr , out of care that they could be especially vulnerable to Russian government hackers .

Securityandprivacyexpertshaverepeatedlywarnedthat Telegram should not be considered as strong as rival like WhatsApp and Signal . For one , Telegram does n’t habituate end - to - last encoding by default , and even when user enable it , the app does not apply well - known and audited end - to - end encryption , which leadscrypto experts like Matthew Greento admonish that , “ the vast bulk of one - on - one Telegram conversations — and literally every undivided group chat — are probably seeable on Telegram ’s server . ”

A individual who has knowledge of the exploit marketplace said that Operation Zero ’s price for Telegram “ are a second low , ” but that could be because Operation Zero is have a bun in the oven to charge more , perhaps twice or three times as much , when it resell the exploits .

The person , who ask to remain anon. because they were n’t authorized to speak to the press , say Operation Zero could also betray them several times to unlike customers , and could also pay lower prices count on some criteria .

“ I do n’t reckon they ’ll in reality give full [ price ] . There will be some bar the exploit does n’t light and they ’ll only do a fond defrayment , ” they order . “ Which is bad business enterprise if you inquire me , but with everyone being anon. there ’s not any real incentive to not f — k over the exploit writer . ”

Another person who works in the zero - day industriousness pronounce that the prices advertised by Operation Zero are not “ wildly off . ” But they also said it depends if there are factor like exclusivity , and whether that price is taking into account the fact that Operation Zero is then going to re - rise the exploits internally , or re - betray them as a broker .

Prices of zero - days in generalhave gone up in the last few yearsas apps and platforms become harder to hack . As TechCrunch reported in 2023 , a zero - day for WhatsAppcould cost up to $ 8 million at the time , a price that also takes into account how popular the app is .

Operation Zero previouslymade headlinesfor offer $ 20 million for hack tools that would allow hackers to take full control of iOS and Android devices . The company currently only offers $ 2.5 million for those kinds of bug .