Operation Zero, an exploit broker that exclusively deals with the Russian government and local Russian companies, has recently announced its interest in acquiring exploits for the popular messaging app Telegram, with a maximum offer of $4 million.
The company is willing to pay up to $500,000 for a “one-click” remote code execution (RCE) exploit, up to $1.5 million for a zero-click RCE exploit, and up to $4 million for a “full chain” of exploits, which refers to a series of bugs that enable hackers to gain access to a target’s entire operating system or device from their Telegram account.
Companies like Operation Zero specialize in developing or acquiring security vulnerabilities in popular operating systems and apps, which they then resell at a higher price. The focus on Telegram is not surprising, given the app’s popularity among users in Russia and Ukraine.
The public price tag offered by Operation Zero provides a rare insight into the priorities of the zero-day market, particularly in Russia, a country with a cybersecurity market that is often shrouded in secrecy. The fact that Operation Zero is advertising its interest in Telegram bugs suggests that the Russian government may have expressed interest in acquiring such exploits.
It is not uncommon for exploit brokers to advertise their interest in specific apps or systems when they know there is a timely demand. This could mean that Operation Zero is expecting to charge the Russian government a higher price for the Telegram exploits, which would explain the higher payouts being offered.
Operation Zero’s chief executive, Sergey Zelenyuk, did not respond to TechCrunch’s request for comment.
Zero-days are vulnerabilities that are unknown to the software or hardware makers, which makes them highly valuable to exploit brokers. They give hackers a better chance to exploit the target technology without the maker or target being able to take action.
A remote code execution (RCE) exploit is one of the most valuable types of flaws, as it allows hackers to remotely take control of an app or operating system. Zero-click exploits are particularly valuable, as they do not require any interaction from the target.
A zero-click, RCE zero-day is essentially the most valuable category of exploit available.
Targeting Telegram
The new bounty for Telegram bugs comes as the Ukrainian government banned the use of Telegram on government and military personnel devices last year, citing concerns about Russian government hacking.
Security and privacy experts have repeatedly warned that Telegram should not be considered as secure as competitors like WhatsApp and Signal. One reason for this is that Telegram does not use end-to-end encryption by default, and even when users enable it, the app does not use a well-known and audited end-to-end encryption scheme.
A person familiar with the exploit market stated that Operation Zero’s prices for Telegram exploits “are a bit low,” but this could be because the company is expecting to charge more, possibly two or three times as much, when it resells the exploits.
The same person, who wished to remain anonymous, said that Operation Zero could also sell the exploits several times to different customers and might pay lower prices depending on certain criteria.
“I don’t think they’ll actually pay the full price. There will be some condition that the exploit doesn’t meet, and they’ll only make a partial payment,” the person said. “This is bad business, but with everyone being anonymous, there’s no real incentive not to take advantage of the exploit writer.”
Another person working in the zero-day industry stated that the prices advertised by Operation Zero are not “wildly off.” However, the price depends on factors like exclusivity and whether Operation Zero plans to re-develop the exploits internally or re-sell them as a broker.
In general, the prices of zero-days have increased in recent years as apps and platforms become harder to hack. As reported by TechCrunch in 2023, a zero-day for WhatsApp could cost up to $8 million, taking into account the app’s popularity.
Operation Zero previously made headlines for offering $20 million for hacking tools that would allow hackers to take full control of iOS and Android devices. Currently, the company is offering $2.5 million for such bugs.