Russian Zero-Day Exploit Seller Offers $20M For Hacking Android And iPhones

If you’re a security researcher looking to make some serious money, there’s a new opportunity on the horizon. Operation Zero, a company based in Russia, is now offering a whopping $20 million for hacking tools that can exploit vulnerabilities in iPhones and Android devices. This is a tenfold increase from their previous offering of $200,000. The company made the announcement on its Telegram accounts and on Twitter (now known as X), stating that they are encouraging developer teams to work with their platform by increasing the premium and providing competitive plans and bonuses for contract works.

Overview of Operation Zero

Operation Zero is an organization that specializes in acquiring and selling zero-day exploits. Zero-day exploits take advantage of flaws in software that are unknown to the affected developer. By finding and selling these vulnerabilities, Operation Zero provides its customers with the means to hack into targeted devices and systems. The company, which launched in 2021, is based in Russia and primarily caters to Russian private and government organizations.

Background of Operation Zero

To understand the significance of Operation Zero’s recent announcement, it’s important to delve into the background of the company. Aside from being based in Russia, little is known about the specifics of their operation. However, it is clear that they have been active in the market for zero-day exploits for several years now. They pride themselves on being a one-stop shop for their customers’ hacking needs, offering a range of services and a wide selection of exploits.

Launch and location

Operation Zero was launched in 2021 and has since gained a reputation as a reliable source for zero-day exploits. While the company does not disclose its physical location or office address, it is known that they operate out of Russia. This has raised some concerns among security experts, as Russia has been associated with cyber espionage activities in the past.

Target customers

According to Operation Zero’s official website, their clients are exclusively Russian private and government organizations. When asked about this restriction, CEO Sergey Zelenyuk declined to provide any specific reasons but simply stated that it was due to “obvious ones.” This suggests that the company may have some sort of allegiance or affiliation with Russian authorities, although the details remain unclear.

Increase in Payments for Zero-Days

The recent announcement by Operation Zero regarding the increase in payments for zero-day exploits is significant news in the cybersecurity community. This move demonstrates the company’s determination to attract talented researchers and incentivize them to work with their platform. By offering such a high payout, Operation Zero hopes to position itself as the top destination for security researchers looking to monetize their findings.

Announcement of increased payments

Operation Zero made their announcement on their Telegram accounts and on X, formerly known as Twitter. In addition to the increase in payments, the company stated that they are providing competitive plans and bonuses for contract works. This shows a strategic approach to attracting talent and building long-term partnerships within the research community.

Motivation for developers to work with Operation Zero

The motivation for developers to work with Operation Zero is clear: the opportunity to earn a significant amount of money for their skills and expertise. The increased premium and competitive plans offered by the company provide a compelling incentive for researchers to collaborate with Operation Zero. By partnering with the company, developers can benefit from the financial rewards while also gaining access to a wide range of resources and support.

Non-NATO country end users

Operation Zero emphasized in their announcement that their end users are non-NATO countries. While the reasons for this specific focus are not disclosed, it adds an additional layer of intrigue to the company’s operations. It suggests that the organization may have specific objectives or interests in mind when it comes to the entities they are willing to sell their exploits to.

Temporary nature of current bounties

It’s important to note that Operation Zero acknowledges the temporary nature of their current bounties. CEO Sergey Zelenyuk stated that the prices they offer reflect the current market conditions and the difficulty involved in hacking iOS and Android devices. Additionally, the availability of specific zero-day exploits on the market heavily influences their pricing. The most expensive products, such as full chain exploits for mobile phones, are in high demand and predominantly sought after by government actors.

Price formation and availability on the zero-day market

The market for zero-day exploits operates in a unique and often unregulated space. Prices fluctuate based on supply and demand, as well as the perceived value of the vulnerabilities being sold. In the case of Operation Zero, the prices they offer are influenced by factors such as the difficulty of the exploit, the potential impact it can have, and the market demand for such vulnerabilities. Government actors, in particular, are willing to pay a premium to obtain these exploits before they become known to other parties.

Government actors as major buyers

Government actors play a significant role in the zero-day market, particularly when it comes to high-value exploits. They are often the major buyers due to their interest in surveillance, intelligence gathering, and cyber warfare capabilities. These actors are willing to invest substantial amounts of money in acquiring zero-day exploits to maintain a competitive advantage in the digital realm. This demand from government actors further drives the prices for such vulnerabilities.

Comparison to Bug Bounty Platforms

While the concept of offering rewards for identifying and reporting vulnerabilities is not new, Operation Zero’s approach differs significantly from traditional bug bounty platforms. Bug bounty platforms, such as HackerOne and Bugcrowd, operate under the premise of responsible disclosure, where researchers are encouraged to report vulnerabilities directly to the affected vendors. The vendors then have the opportunity to patch the vulnerabilities before they can be exploited.

Operation Zero’s approach

In contrast, Operation Zero does not follow the responsible disclosure model. Instead of alerting the affected vendors, they choose to acquire and sell the exploits to government customers. This approach places Operation Zero in a gray market, where prices fluctuate, and the identity of customers is often kept secret. While this method may be controversial, it allows Operation Zero to act as an intermediary between the researchers and its clients.

Gray market fluctuation and secrecy

Operating in the gray market means that the prices and availability of zero-day exploits can fluctuate significantly. While traditional bug bounty platforms rely on transparency and open communication, the gray market operates with a level of secrecy. Prices for zero-day exploits can rise or fall depending on the demand, market conditions, and the perceived value of the vulnerabilities. This fluctuation adds an element of unpredictability to the zero-day market.

Public price lists

Despite the secrecy that surrounds the zero-day market, public price lists have emerged over the years. Operation Zero, for example, has published price lists on their official website, showcasing the costs associated with various types of exploits. These public price lists provide valuable insight into the pricing dynamics of the zero-day market and allow researchers to have an idea of the potential financial rewards they can expect.

Examples of other companies in the zero-day market

Operation Zero is not the only player in the zero-day market. Other companies, such as Zerodium and Crowdfense, also offer significant bounties for zero-day exploits.

Bounties offered by Zerodium and Crowdfense

Zerodium, a company launched in 2015, offers bounties of up to $2.5 million for a chain of bugs that allows customers to hack an Android device without any interaction from the target. For the same type of exploit on iOS, Zerodium offers up to $2 million. Crowdfense, a competitor based in the United Arab Emirates, offers up to $3 million for similar chains of bugs on Android and iOS.

Belief in the stability of Operation Zero’s prices

When asked about the bounties offered by Zerodium and Crowdfense, Operation Zero’s CEO Sergey Zelenyuk expressed his belief that their prices will not drop significantly. While the Zerodium price sheet may be outdated, Zelenyuk suggests that the zero-day business continues to thrive regardless of any price updates. This indicates that despite fluctuations in the market, the demand for zero-day exploits remains high.