A Russian cybersecurity firm has sparked concern across the tech world after offering a staggering bounty of up to $4 million for full-chain exploits targeting Telegram, the popular encrypted messaging app. Known as Operation Zero, the company specializes in acquiring zero-day vulnerabilities, primarily serving Russian government agencies and private clients.
In an announcement shared on X (formerly Twitter) on March 20, Operation Zero laid out its latest offer. The firm revealed a tiered reward system, with payouts depending on the complexity and impact of the exploit. They’re offering up to $500,000 for one-click remote code execution (RCE) exploits, $1.5 million for zero-click exploits, and up to $4 million for full-chain exploits capable of fully compromising a device or system.
While the firm did not specify exactly what the full-chain exploit should achieve, security experts believe they are seeking a combination of vulnerabilities that, when linked together, give an attacker complete control over a target’s system—far beyond just breaching Telegram itself. The offer specifically targets Android, iOS, and Windows platforms, with final payouts varying based on the level of system access and limitations of the exploit.
“Prices depend on the scope of the zero-day and the level of privileges obtained,” Operation Zero noted, signaling just how valuable such exploits are in today’s cyber landscape.
The exploit market, often operating in the shadows, has long been a playground for government-backed groups, private intelligence firms, and high-stakes cybercriminals. Companies like Operation Zero typically acquire these powerful zero-days with the intent to resell them to select clients for surveillance, espionage, or even offensive cyber operations.
In the past, U.S.-based firm Zerodium dominated this controversial market, offering millions for high-impact exploits targeting widely used platforms such as iOS, Android, and messaging apps. However, over the past year, Zerodium has gone quiet. The once-prominent firm seemingly shut down its operations earlier this year after nearly a decade in business. Its website now displays only a PGP encryption key, while all its social media accounts, including LinkedIn and X, have been wiped clean.
This sudden disappearance of a major player like Zerodium has left a noticeable gap in the exploit acquisition market. Operation Zero’s latest million-dollar bounty appears to capitalize on that void, further highlighting Russia’s growing presence and influence in the global cyberweapons trade.
Telegram, often promoted as a secure communication platform, now finds itself the latest high-profile target. With over 700 million active users worldwide, the app is a common choice for journalists, activists, and even government officials who rely on its encryption features to keep conversations private. However, a successful full-chain exploit would place all that sensitive data at extreme risk.
This latest development is a stark reminder of how valuable messaging apps have become in cyber warfare and surveillance. It also raises fresh concerns about the growing demand for sophisticated exploits that can pierce even the strongest digital defenses.