Operation Zero, a company that acquires and sells zero-days exclusively to the Russian government and local Russian companies, announced on Thursday that it’s looking for exploits for the popular messaging app Telegram, and is willing to offer up to $4 million for them.

The exploit broker is offering up to $500,000 for a “one-click” remote code execution (RCE) exploit; up to $1.5 million for a zero-click RCE exploit; and up to $4 million for a “full chain” of exploits, presumably referring to a series of bugs that allow hackers to go from accessing a target’s Telegram to their whole operating system or device. 

Zero-day companies like Operation Zero develop or acquire security vulnerabilities in popular operating systems and apps and then re-sell them for a higher price. For the company to focus on Telegram makes sense, considering the messaging app is especially popular with users in both Russia and Ukraine. 

Given the exploit broker’s customers — chiefly the Russian government — the public price tag offers a rare glimpse into the priorities within the zero-day market, particularly that of Russia, a country and cybersecurity market often shrouded in secrecy.

It’s not uncommon for exploit brokers to advertise that they are looking for bugs in specific apps or systems when they know there is timely demand. This means that it’s possible that the Russian government has told Operation Zero that it is looking for Telegram bugs, which prompted the broker to publish what is essentially an advertisement, and offer higher payouts because it knows it can in turn charge the Russian government more for them.

Operation Zero’s chief executive Sergey Zelenyuk did not respond to TechCrunch’s request for comment. 

Zero-days are vulnerabilities that are unknown to the software or hardware makers, which makes them particularly valuable within the growing industry of exploit brokers — and those who want to buy them — because it gives hackers a better chance to exploit the target technology without the maker or the target being able to do much about it. 

An RCE is one of the most valuable types of flaws because it allows hackers to remotely take control of an app or operating system. Zero-click exploits don’t require any interaction from the target, as opposed to a phishing attack, for example, making these bugs more valuable. 

A zero-click, RCE zero-day is essentially the most valuable category of exploit there is.

The new bounty for Telegram bugs comes as the Ukrainian government banned the use of Telegram on the devices of government and military personnel last year, out of fear that they could be especially vulnerable to Russian government hackers.

Security and privacy experts have repeatedly warned that Telegram should not be considered as secure as competitors like WhatsApp and Signal. For one, Telegram doesn’t use end-to-end encryption by default, and even when users enable it, the app does not use well-known and audited end-to-end encryption, which leads crypto experts like Matthew Green to warn that, “the vast majority of one-on-one Telegram conversations — and literally every single group chat — are probably visible on Telegram’s servers.” 

A person who has knowledge of the exploit market said that Operation Zero’s prices for Telegram “are a bit low,” but that could be because Operation Zero is expecting to charge more, perhaps twice or three times as much, when it resells the exploits.

The person, who asked to remain anonymous because they weren’t authorized to speak to the press, said Operation Zero could also sell them several times to different customers, and could also pay lower prices depending on some criteria.

“I don’t think they’ll actually pay full [price]. There will be some bar the exploit doesn’t clear and they’ll only do a partial payment,” they said. “Which is bad business if you ask me, but with everyone being anonymous there’s not any real incentive to not f—k over the exploit writer.”

Another person who works in the zero-day industry said that the prices advertised by Operation Zero are not “wildly off.” But they also said it depends if there are factors like exclusivity, and whether that price is taking into account the fact that Operation Zero is then going to re-develop the exploits internally, or re-sell them as a broker. 

Prices of zero-days in general have gone up in the last few years as apps and platforms become harder to hack. As TechCrunch reported in 2023, a zero-day for WhatsApp could cost up to $8 million at the time, a price that also takes into account how popular the app is.  

Operation Zero previously made headlines for offering $20 million for hacking tools that would allow hackers to take full control of iOS and Android devices. The company currently only offers $2.5 million for those kinds of bugs.