News
Image: Christian Wiediger / Unsplash
A Russian company with close ties to the state is offering up to $4 million for a working method to hack the popular messaging app Telegram.
The St. Petersburg-based firm Operation Zero, which specializes in purchasing software vulnerabilities and reselling them to government entities and private sector organizations, has announced a reward for anyone who can provide exploits targeting Telegram. The company is offering up to $500,000 for a 1-click Remote Code Execution (RCE) — an exploit that requires the victim to click once, and up to $1.5 million for a 0-click RCE — an exploit that requires no interaction from the victim at all. These figures are comparable to bug bounty payments offered by tech giants Apple and Google for similarly critical vulnerabilities in their iOS and Android mobile operating systems.
The maximum payout — up to $4 million — is reserved for what’s known as a full chain, a complete sequence of exploits that enables an attacker to take over a Telegram account while likely also gaining access to the device’s operating system.
Operation Zero (officially LLC “Matritsa”; ООО «Матрица») is headquartered in St. Petersburg and is run by Sergey Zelenyuk, who has previously stated that his company only resells exploits to countries that are “not part of NATO.” The Operation Zero website explicitly mentions that it works with Russian state-owned companies. Unlike traditional bug bounty platforms such as HackerOne or Bugcrowd, which report discovered vulnerabilities to the affected developers so that they can repair them, Operation Zero does not notify software vendors when such issues are found.
Exploits like the ones described in Operation Zero’s announcement are typically bought by intelligence and security services or companies affiliated with them. The most famous of these is the Israeli NSO Group, known for developing Pegasus — a spyware tool built on similar exploits. Pegasus has been widely used by various governments around the world to surveil journalists, human rights activists, and political opponents. The spyware was found on the phone of Galina Timchenko, the publisher of Meduza — an independent Russian-language news outlet based in Latvia that is known for its critical coverage of the Kremlin.
In Russia, law enforcement agencies frequently use software developed by the Israeli company Cellebrite to access data from phones and computers. The company's flagship tool, UFED (Universal Forensic Extraction Device), also exploits software vulnerabilities to bypass security protections and retrieve information from targeted devices. Unlike Pegasus, UFED does not operate remotely — it must be directly connected to the device in order to extract its contents.