Operation Zero Offers up to US$4 Million for Telegram Exploits

Operation Zero, a Russian exploit broker specializing in zero-day vulnerabilities, has announced on its X account a bounty of up to US$4 million for exploits targeting the Telegram messaging app. The company, which sells exclusively to the Russian government and local entities, is looking for click and non-click remote code execution (RCE) exploits, as well as full-chain vulnerabilities that could give access to a target's entire device.

"The vast majority of individual Telegram conversations-and literally all group chats-are likely visible on the app's own servers," says Matthew Green, a cryptography expert. This vulnerability has made Telegram a prime target for exploit brokers such as Operation Zero, especially given its widespread use in Russia and Ukraine.

Zero-day vulnerabilities are undisclosed software flaws that remain unpatched, making them highly valuable to hackers and governments. Operation Zero's focus on Telegram aligns with the app's popularity in Russia and Ukraine, where it serves as a key communication tool. According to TechCrunch, the Russian government's interest in Telegram exploits is likely motivated by geopolitical tensions, particularly its ongoing conflict with Ukraine. The Ukrainian government banned Telegram on government and military devices last year in September 2024, citing concerns about Russian cyber espionage.

"I have always defended and continue to defend freedom of speech, but the Telegram issue is not a freedom of speech issue; it is a national security issue," says Kyrylo Budanov, chief of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine in an official statement.

Telegram's security model has long been criticized by experts. Unlike competitors such as WhatsApp and Signal, Telegram does not use end-to-end encryption by default, and even its optional encryption feature lacks the rigorous auditing of the most secure platforms. This makes the app an easier target for exploit developers and a lucrative opportunity for intermediaries like Operation Zero.

"By not having end-to-end encryption by default, the app stores user data and conversations, which may be susceptible to interception by the Police as part of a judicial investigation," reports New Tral.

Operation Zero Rewards

Operation Zero's bounty structure reflects the growing value of zero-day exploits in the cybersecurity market. On an X post, the company is offering up to US$500,000 for a one-click RCE exploit, US$1.5 million for a zero-click RCE, and US$4 million for a full-chain exploit.

These prices are considered relatively low compared to the overall market. For example, TechCrunch reports that a zero-day exploit for WhatsApp would cost up to US$8 million in 2023.

The bounty also underscores the present difficulty of hacking modern apps and platforms. TechCrunch notes that as software developers implement tighter security measures, the cost of discovering and exploiting vulnerabilities has risen sharply. However, it also demonstrates a fluctuating nature. In 2023, Operation Zero offered a US$20 million reward for iOS and Android hacking tools, which has now been cut to US$2.5 million.

The Telegram hack also highlights the intersection of cybersecurity and geopolitics. Given the app's widespread use in conflict zones, its vulnerabilities could have far-reaching implications for national security and individual privacy. As Operation Zero continues to search for exploits for Telegram, it is expected that the broader cybersecurity community will likely intensify its scrutiny of the app's security model.