Russian Zero-Day Seller Offers $20 Million for Hacking Android and iPhones

A company that acquires and sells zero-day exploits -- flaws in software that are unknown to the affected developer -- is now offering to pay researchers $20 million for hacking tools that would allow its customers to hack iPhones and Android devices. From a report: On Wednesday, Operation Zero announced on its Telegram accounts and on its official account on X, formerly Twitter, that it was increasing payments for zero-days in those platforms tenfold, from $200,000 to $20 million. "By increasing the premium and providing competitive plans and bonuses for contract works, we encourage the developer teams to work with our platform," the company wrote.

Operation Zero, which is based in Russia and launched in 2021, also added that "as always, the end user is a non-NATO country." On its official website, the company says that "our clients are Russian private and government organizations only." When asked why they only sell to non-NATO countries, Operation Zero CEO Sergey Zelenyuk declined to say. "No reasons other than obvious ones," he said. Zelenyuk also said that the bounties Operation Zero offer right now may be temporary, and a reflection of a particular time in the market, and the difficulty of hacking iOS and Android.

tenfold?

[groobly]

Increase from 200,000 to 20,000,000 tenfold? Journalists!

Re:tenfold?

[war4peace]

It should be "tentenfold" :)

Re:tenfold?

[NewtonsLaw]

I see no sign of any journalist being involved here. In fact, all the journalists have left the building when it comes to news reporting these days.

All we have left are some directionless interns who paste their bylines onto press releases and some AI that plucks "facts" out of its digital backside.

Perhaps Russell Brand is right when he claims that the legacy MSM is colluding with governments to destroy true journalism and replace it with an "official line" of disinformation that favours both groups.

Re:tenfold?

[XXongo]

I see no sign of any journalist being involved here. In fact, all the journalists have left the building when it comes to news reporting these days. All we have left are some directionless interns who paste their bylines onto press releases and some AI that plucks "facts" out of its digital backside.

Turns out that's what happens when people stop subscribing to media that actually pays journalists, and instead read only news you can get free on the internet.

Re:

[awwshit]

You would pay for this crap?

Re:

[XXongo]

You would pay for this crap?

No, the internet is free and you get what you pay for.

Re:

[Bongo]

Using news as propaganda, paid by big corporations, and governments, isn't new.
What's new is the internet. But we don't know yet how it'll pan out.

Re:

[mjwx]

I see no sign of any journalist being involved here. In fact, all the journalists have left the building when it comes to news reporting these days.

All we have left are some directionless interns who paste their bylines onto press releases and some AI that plucks "facts" out of its digital backside.

Perhaps Russell Brand is right when he claims that the legacy MSM is colluding with governments to destroy true journalism and replace it with an "official line" of disinformation that favours both groups.

The thing is, it's not the Journalist's job to pick up on these errors, it's the editor (specifically, the copy editor) that was sacked long ago. Replaced with a basic spell check ignoring the fact they checked to see if an article made sense. When we talk about a severe drop in editorial standards, we mean the dearth of editors in modern publication houses.

It's all about the base...

[gavron]

They probably originally wrote "10(100) fold". You know, base 100. 10(100) is 1000. 1000x200000 is 20000000.
I'll leave the commas for the USicans and the dots for the EUicans.

Re:

[Fly Swatter]

You misspelled 'blogger'.

$200,000 USD is about $20 million Rubles

[Joe_Dragon]

$200,000 USD is about $20 million Rubles

Re:

[Midnight_Falcon]

But their business model is clear to make tenfold -- pay $20MM for really hard to find exploits, then charge 200 people (or as many as possible) $1mm for use until that exploit gets patched.

Re:

[msauve]

You should ask them for change for a $20.

Re: tenfold?

[mellowinottawa]

Itâ(TM)s because back in June or July the same company was offering $2M for a full exploit chain, now itâ(TM)s a range of $200K to $20M but presumably a full chain is the $20M. Hence 10x in the article. Itâ(TM)s all BS though, no way they are paying that much. Likely they take your exploit and run, paying out nothing, not like anyone is going to complain that a company in a sanctioned country (Russia) that it is illegal to do business with in the first place stole their money! Theyâ(TM)

Re:

[a5y]

> Corrected an earlier version of this story to remove “tenfold” from the second paragraph, this was due to an editor’s error. ZW
(From Techcrunch)

This has me wondering if an earlier draft had more detail on a series of price increases that was cut by an editor or TC are using an overworked editor or are testing to see if an LLM can make an editor redundant.

tenfold?

[TrumpShaker]

maths anyone?

Can't count, won't count ...

[CaptainOfSpray]

Whoever wrote TFA needs to go back to primary school and get their money back ....

Uplift from $200,000 to $20 million is NOT tenfold

Ya, but ...

[fahrbot-bot]

Payment is in Rubles and to collect you have to enlist in the Russian army and fight your way to the cashbox hidden somewhere in Ukraine ... :-)

Re:

[14erCleaner]

Or the payment is in crypto, and you have to give them your wallet passphrase to collect.

Russian Organizations Only

[nuckfuts]

... they only sell to non-NATO countries

Reminds me of years ago when a virus was reverse-engineered, and it was discovered that it checked the target (Windows) computer to see if the Russian language pack was installed. If it was found, the computer would not be harmed.

Re:Russian Organizations Only

[OtisSnerd]

>...when a virus was reverse-engineered, and it was discovered that it checked the target (Windows) computer to see if the
> Russian language pack was installed. If it was found, the computer would not be harmed.

That led me to enter the Russian locale code into my Wintel PC (Windows 10) with this registry entry:
-------------------snip--------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Keyboard Layout\Preload]
"2"="00000419"

[HKEY_USERS\.DEFAULT\Keyboard Layout\Preload]
"2"="00000419"
-------------------snip--------------------

Save as "RussianKey.reg" then import into the registry.

Get rich quick

[ahziem]

1. 1. "Accidently" add bug to Android code
2. 2. Sell bug to Operation Zero
3. 3. Profit!!!

Re:

[Hodr]

I was thinking they already have found/bought an exploit and now they increase their bounty and hope manufacturers increase to match (or at least well above $200k) and then they can resell it to the manufacturers.

Re:

[n3r0.m4dski11z]

if you are willing to commit treason and espionage, then sure.

HOWTO $20M Trusted Exchange?

[laughingskeptic]

How exactly would one disclose the vulnerability and have a reasonable chance of getting paid? No one in this business is trustworthy, and the bigger the $$$ the less the trust.

Re:

[freax]

Swiss bank account?

Re:

[HBI]

More importantly, if you were in a western country and were disclosing same, how do you avoid going to prison for a long spell afterwards?

I suggest that your encryption and misdirection must be very good to avoid counterintelligence/law enforcement scrutiny, and you'd best not bring the cash onshore in a Western country, as that will make things obvious. If you check all those boxes, you should be ok dealing with this Russian front. I mean, the Russians have a pretty good record of being trustworthy in th

0MG!

[Bahbus]

Russian hackers are just as incompetent as the Russian military. Their "zero day" is worthless and useless. Bunch of scared, powerless losers.

Good news, no?

[dargaud]

I mean if they have to increase tenhundred fold the price for exploits, it means that android/iOS are getting harder to hack, no ? It's good news for everyone on a security level. When they offer a billion $ for an exploit is when we know we finally have a secure OS.

This is about the war

[doug141]

Smartphones are a new battlefield.