Operation Zero, an exploit broker known for supplying security vulnerabilities to the Russian government and local entities, has launched a lucrative bounty program targeting the Telegram messaging app. As of this Thursday, the firm is offering up to $4 million for sophisticated exploits capable of compromising the platform.
The Price of Digital Infiltration
The bounty structure reveals the high market value placed on Telegram-specific vulnerabilities:
- Up to $500,000 for a “one-click” remote code execution (RCE) exploit.
- Up to $1.5 million for a “zero-click” RCE exploit.
- Up to $4 million for a “full chain” of exploits, allowing a complete takeover of a target’s device or operating system.
By publicly advertising these specific targets, Operation Zero is likely responding to direct demand from state-sponsored clients. Industry insiders suggest that the broker intends to resell these findings at a significant markup, potentially doubling or tripling the initial payout.
The Strategic Value of Telegram
Telegram’s massive user base in Russia and Ukraine makes it a high-priority target for state surveillance. This announcement follows Ukraine’s recent official ban of Telegram on military and government devices, citing severe concerns over Russian espionage.
Security experts have long cautioned that Telegram lacks the robust, default end-to-end encryption found in competitors like Signal or WhatsApp. Cryptography researchers, including Matthew Green, have warned that the majority of Telegram conversations—and all group chats—remain accessible on the company’s servers.
Industry Skepticism and Market Dynamics
While the $4 million price tag is significant, some experts in the zero-day market argue it is relatively low given the potential for resale and internal development. There is also skepticism regarding the payout process; sources familiar with the trade note that anonymous brokers often use strict criteria to withhold full payments from exploit developers.
When reached for comment, a Telegram spokesperson claimed that the app has “never been vulnerable” to a zero-click exploit, though the company provided no technical evidence to support this assertion. Sergey Zelenyuk, CEO of Operation Zero, did not respond to requests for comment.
Evolution of the Exploit Market
The cost of zero-day vulnerabilities has surged globally as software security matures. While Operation Zero previously made headlines for a $20 million offer for iOS and Android exploits, current market fluctuations have seen those specific bounties drop to $2.5 million. The pivot toward Telegram underscores the shifting geopolitical focus of the cyber-arms trade, where messaging apps have become central to modern intelligence operations.
