A Russian exploit acquisition firm says it is willing to pay up to $4 million for full-chain exploits targeting the popular messaging service Telegram.
The firm, Operation Zero, is known for selling zero-day exploits exclusively to Russian government and private organizations.
On March 20, the exploit broker announced on X that it was offering up to $500,000 for one-click Telegram exploits leading to remote code execution (RCE), up to $1.5 million for zero-click exploits, and up to $4 million for full-chain exploits.
While the firm’s post did not include further details on what the full-chain exploit would involve, it is likely looking for chained vulnerabilities allowing the compromise of targeted systems, and not the messaging service alone.
“In the scope are exploits for Android, iOS, Windows. The prices are depending on limitations of zero-days and obtained privileges,” Operation Zero said.
Exploit brokers often advertise their interest in zero-day vulnerabilities that could be re-sold to their customers for profit, as American information security company Zerodium did multiple times in the past.
Over the past year, however, the US-based exploit broker was relatively quiet, and appears to have closed shop earlier this year, nearly a decade after its launch.
Zerodium’s posts on social media, including X and Linkedin, have been deleted, and the company’s website was apparently disabled, now displaying a single page containing its PGP key.
SecurityWeek’s attempts to contact Zerodium and its founder, Chaouki Bekrar, for a statement on the matter have remained unanswered.
Related: Apple Confirms USB Restricted Mode Exploited in ‘Extremely Sophisticated’ Attack
Related: Russian Hackers Exploited 7-Zip Zero-Day Against Ukraine
Related: CISA Issues Exploitation Warning for .NET Vulnerability
Related: Vulnerability Patched in Android Possibly Exploited by Forensic Tools
