Russian Broker Values Telegram Zero-Day App Exploit at $4 Million

A broker exclusively catering to Russian private and public entities is reportedly peddling a $4 million deal for a clandestine cyber assault on the Telegram messaging platform.

Magnified view of Telegram Messenger app logo on a mobile device.
Unfiltered Update: March 23, 2025: This story, initially published March 22, gets a fresh spin with a statement from Telegram.

When it comes to playing dirty in the digital world, hackers salivate over two piping hot treasures: messaging apps and zero-day exploits. Slap them together, and you have the perfect storm brewing on the international scene, a disaster of epic proportions. That's why an enticing offer by a Russian zero-day trader (a fellow who only peddles exploits to Russian private and government organizations) to dish out a whopping $4 million for a zero-day exploit attack against the Telegram app sends shivers down many spines. Brace yourself, 'cause here's the lowdown.

## Drooling Over Telegram's Zero-Day Attack Payout Bonanza

Putting a zero-day vulnerability on the same pedestal as the Holy Grail of cyber-attack tools isn't that far-fetched. A zero-day vulnerability is an undiscovered glitch that allows an attacker to perform actions they really shouldn't be able to. The deal? Unauthorized, remote, and often no-click access to a system, a user, or the data. If a threat actor stumbles upon this before security researchers or the vendor, and they utilize it in an ongoing attack before a fix can be rolled out, it becomes a zero-day exploit. Translation: There are, quite literally, zero days left to fix that vulnerability and stop the attacks.

Now that you're up to speed on why zero-days matter, you'll understand the concern when a broker offers such a jaw-dropping price to anyone who can deliver a full-chain zero-day attack against the Telegram messenger app, especially when the clientele consists solely of private and government organizations in Russia itself, interested in offensive and defensive operations in cyberspace.

## Operation Zero Puts Up $6 Million for a Tech Hunt

A March 20 posting on the X social media platform saw rewards totaling $6 million offered to hackers who could sniff out zero-days in the Telegram messenger service.

Operation Zero announced that it would fork over the rewards for remote code execution zero-days targeting Android, iOS, and Windows as follows:

- Telegram 1-click RCE: up to $500,000
- Telegram 0-click RCE: up to $1,500,000
- Telegram full chain: up to $4,000,000

I've reached out to Operation Zero for a statement and will update this article if they cough one up.

Remi Vaugh, a spokesperson for Telegram, provided me with this statement:

"Telegram has never fallen victim to a zero-click exploit. The fact that moolah is being waved around for finding one only reveals they haven't managed to yet. Telegram's open-source app code and fully documented encryption protocols have allowed numerous researchers to verify the soundness of Telegram's security. Unlike Tag-Along, Telegram is the only major messenger that has verifiable builds for both Android and iOS, allowing anyone to verify the apps published to stores are built from the same code. Compare that to WhatsApp, which has had zero-click exploits discovered at least in January 2024, December 2019, and November 2019. With its closed source code, it's likely there are more to be discovered—by bad guys, not researchers."

  1. The offer by a Russian zero-day trader of a whopping $4 million for a zero-day exploit attack against the Telegram app has sparked concern, considering the scale of damage such an attack could cause.
  2. Operation Zero, a group offering rewards for discovering zero-day vulnerabilities, has announced a hunt for zero-days in the Telegram messenger service, offering up to $4 million for a full-chain zero-day attack.
  3. Despite the potential for exploits, Telegram's open-source app code and fully documented encryption protocols have allowed numerous researchers to verify the soundness of Telegram's security, making it the only major messenger app with verifiable builds for both Android and iOS.
