A notorious Russian exploit broker, Operation Zero, has made headlines again after offering up to $4 million for hacking tools targeting the popular messaging app Telegram.
The company, known for acquiring and selling zero-day vulnerabilities exclusively to the Russian government and local businesses, announced the bounty last Thursday. The move offers a rare glimpse into Russia’s cybersecurity priorities — and its growing interest in penetrating Telegram’s defenses.
Telegram in the Crosshairs as Zero-Day Market Heats Up
According to Operation Zero’s new offer, hackers can earn up to $500,000 for a “one-click” remote code execution (RCE) exploit. However, the stakes rise dramatically for more dangerous vulnerabilities. A zero-click RCE fetches up to $1.5 million, while a complete “full chain” of exploits. Allowing attackers to seize control of both a target’s Telegram account and their entire device — is worth a staggering $4 million.
While details on potential buyers remain secret, Operation Zero’s clientele is no mystery. The firm works directly with Russian government agencies, positioning itself as a go-to broker in one of the world’s most secretive cyber markets.
For Russia, focusing on Telegram is hardly surprising. The app remains widely used across Russia and Ukraine — making it an attractive target for state-sponsored surveillance or cyber-espionage operations.
Why Telegram Exploits Command High Prices
Zero-days, by definition, are security flaws unknown to software makers, which makes them highly valuable. Once discovered, these vulnerabilities give attackers a powerful advantage — the ability to strike without warning while the target remains defenseless.
Among these, remote code execution (RCE) exploits are considered some of the most prized. They enable attackers to run malicious code from afar, taking over apps or even entire operating systems. Zero-click RCE exploits, which require no action from the victim, are even more dangerous — and lucrative. Just one of these flaws can provide seamless access to a target’s device without the victim ever knowing.
“Zero-click, remote code execution exploits sit at the top of the market,” a source familiar with the industry shared anonymously. “That’s why you’re seeing million-dollar price tags.”
Yet, some industry insiders question Operation Zero’s pricing. One source told TechCrunch that the rates seem low — hinting the broker could resell the exploits multiple times or drive down the actual payout based on their own criteria.
“I doubt they’ll pay the full price. They’ll probably find a reason to cut the deal,” the source added. “It’s shady business, but anonymity protects them.”
Another expert pointed out that factors like exclusivity or in-house redevelopment could explain the pricing. Still, the general trend is clear — zero-day exploits are becoming increasingly expensive as apps and devices improve their defenses.
Telegram’s Security Woes Resurface
Telegram’s popularity has also made it a repeated target of criticism from security experts. Despite its wide use, especially in Russia and Ukraine, Telegram’s default encryption settings leave users vulnerable. Private chats aren’t end-to-end encrypted by default, and even when encryption is enabled, the protocol used isn’t widely audited.
“This means that most one-on-one Telegram conversations — and every group chat — could be accessible on Telegram’s servers,” warns cryptography expert Matthew Green.
Concerns over security prompted Ukraine’s government last year to ban Telegram on devices used by military and government officials, citing the risk of Russian hacking attempts.
Operation Zero’s latest bounty reflects a broader trend — the surging value of zero-day vulnerabilities in the global cyber market. Just last year, reports indicated a WhatsApp zero-day exploit was valued at up to $8 million, driven by the app’s vast user base and strong security features.
Operation Zero itself made waves previously by offering $20 million for hacking tools capable of fully compromising both iOS and Android devices. Their current bounty for such exploits stands at $2.5 million, showing just how dynamic and lucrative this market has become.
As global cyber tensions grow, especially between Russia and Western nations, the demand for these digital weapons continues to soar. Operation Zero’s open call for Telegram exploits signals a strategic push and a willingness to pay top dollar to maintain dominance in the murky world of cyber warfare.
