Operation Zero, a Russian firm specializing in acquiring and selling zero-day exploits, has recently announced a significant increase in the rewards it offers for hacking tools that target iPhones and Android devices [1] [2] [3] [4] [5] [6] [7] [8] [9]. The firm attributes the increase to high market demand for iOS and Android exploits.
Description
Operation Zero aims to attract top-tier researchers by offering lucrative rewards for critical exploits such as Remote Code Execution (RCE), Local Privilege Escalation (LPE) and Sandbox Escape (SBX), which are all components of a complete attack chain [1] [9]. The company operates in a niche market catering to government customers and sells the vulnerabilities instead of alerting the affected vendors. Other companies in the market, such as Zerodium and Crowdfense, also offer significant rewards for zero-day exploits [4] [5]. The zero-day marketplace remains largely unregulated [5], but some countries require export licenses for selling to certain countries [4]. China, for example, has recently passed a law that requires security researchers to alert the government of bugs before notifying the software makers, potentially enabling the Chinese government to stockpile vulnerabilities for intelligence purposes [4]. Operation Zero's CEO, Sergey Zelenyuk, declined to explain why the company sells only to non-NATO countries [1] [2] [3] [4] [5] [6] [7] [8] [9]. This stipulation has raised concerns within the cybersecurity community about the potential misuse of these powerful hacking tools. Mobile devices are increasingly becoming targets for both nation-state and non-nation-state actors, and attacks no longer rely solely on operating system vulnerabilities [1]. The announcement by Operation Zero has sparked debates within the cybersecurity community regarding the potential risks and implications of this increased reward program.
Conclusion
The increased reward program by Operation Zero has raised concerns about the potential misuse of powerful hacking tools. With mobile devices becoming prime targets for both nation-state and non-nation-state actors, the risks and implications of this market expansion are being debated within the cybersecurity community. It is important to consider the impacts and potential mitigations to ensure the responsible use of these exploits in the future.
References
[1] https://www.infosecurity-magazine.com/news/russian-firm-non-nato-mobile/
[2] https://cybersecurity-see.com/russian-cybercriminal-offers-20m-bounty-for-hacking-android-and-iphones/
[3] https://news.yahoo.com/stem-tools-unveiled-boys-girls-112950685.html
[4] https://www.techfocus24.com/russian-zero-day-dealer-offers-20-million-for-tools-to-hack-android-iphones/
[5] https://www.fortypoundhead.com/showcontent.asp?artid=51201
[6] https://www.yahoo.com/news/russian-zero-day-seller-offers-155913544.html
[7] https://robots.net/news/russian-cybersecurity-company-offers-20m-for-hacking-android-and-iphones/
[8] https://www.newsbytesapp.com/news/science/russian-firm-offers-20-million-for-iphone-android-zero-day-exploits/story
[9] https://flyytech.com/2023/09/30/russian-company-offers-20m-for-non-nato-mobile-exploits/