Operation Zero, a firm specializing in acquiring and selling zero-day vulnerabilities exclusively to Russian government entities and local companies, has announced a significant bounty for exploits targeting Telegram. The company is willing to pay up to $4 million for a full-chain exploit that could compromise the popular messaging app.
The exploit broker has set tiered rewards for different vulnerabilities:
- Up to $500,000 for a one-click remote code execution (RCE) exploit.
- Up to $1.5 million for a zero-click RCE exploit.
- Up to $4 million for a full-chain exploit, potentially allowing hackers to gain full access to a target’s device.
Operation Zero’s focus on Telegram is strategic, given its widespread use in Russia and Ukraine. The company's offer provides insight into the Russian zero-day market, which remains largely secretive.
Exploit brokers often publicize bounties for vulnerabilities when they detect high demand. This suggests that the Russian government may have specifically requested Telegram exploits, prompting Operation Zero to advertise these high-value offers.
Zero-day vulnerabilities are particularly valuable because they remain unknown to software makers, so no patch exists while they are in use, making them highly effective for cyber operations. Among them, zero-click RCE exploits are the most sought after, as they require no user interaction (unlike phishing-based attacks), making them stealthier and more powerful.
A source familiar with the exploit market suggested that Operation Zero’s prices might be on the lower side, as the company could intend to resell these vulnerabilities multiple times at a higher margin.
“I don’t think they’ll actually pay full [price]. There will be some bar the exploit doesn’t clear, and they’ll only do a partial payment,” said the source.
Another industry expert noted that pricing depends on factors like exclusivity and whether Operation Zero intends to redevelop the exploits internally or act solely as a broker.
The Ukrainian government recently banned the use of Telegram for government and military personnel due to concerns over potential exploitation by Russian state-backed hackers. Security researchers have long warned that Telegram is less secure than alternatives like Signal and WhatsApp, primarily because it does not use end-to-end encryption by default.
“The vast majority of one-on-one Telegram conversations — and literally every single group chat — are probably visible on Telegram’s servers,” said cryptography expert Matthew Green.
Despite this, Telegram spokesperson Remi Vaughn stated: “Telegram has never been vulnerable to a zero-click exploit,” while also emphasizing the company’s bug bounty program.
The zero-day market has become increasingly competitive, driving up prices. In 2023, a WhatsApp zero-day was reportedly valued at $8 million. Operation Zero has previously offered $20 million for exploits capable of fully compromising iOS and Android devices but currently caps those payouts at $2.5 million.
With cyber threats escalating, the demand for zero-days—especially for widely used platforms like Telegram—remains at an all-time high.