Russian company offers $20 million for non-NATO mobile exploits


Russian company Operation Zero has announced a whopping $20 million reward for hacking tools capable of compromising iPhones and Android devices.

The company unveiled this payment increase on X (formerly Twitter) on Tuesday, aiming to attract high-profile researchers and developer teams to collaborate with their platform.

Under this program, Operation Zero is willing to pay $20 million for critical exploits such as remote code execution (RCE), local privilege escalation (LPE), and sandbox escape (SBX), which are part of a full attack chain.

“Mobile devices are at the heart of our personal and professional lives and, as such, constitute a prime target for state and non-state actors. We’ve seen an exponential increase in attacks targeting mobile devices year over year, including the use of zero-day exploits,” explained Kern Smith, mobile security expert at Zimperium.

According to Smith, while zero-day mobile exploits for iOS and Android remain coveted tools for threat actors, there is a growing trend toward attacks that no longer rely on operating system vulnerabilities. Malware and phishing campaigns now target mobile devices, regardless of operating system.

Learn more about this trend: Record number of mobile phishing attacks in 2022

“Mobile devices represent some of the most valuable and vulnerable targets for organizations and individuals, with high return on investment and low risk for attackers, and this gray market prioritizes this accordingly,” added Smith.

However, the eyebrow-raising aspect of this announcement is Operation Zero’s stipulation that the end user must belong to a non-NATO country. This geopolitical condition adds a layer of complexity, raising concerns about the possible misuse of such powerful hacking tools.

The news has sparked debate within the cybersecurity community, with some questioning the ethics and potential consequences of offering such lucrative rewards for exploits that could compromise the security and privacy of millions of smartphone users.

“Given that Russia is sanctioned by OFAC, working with Operation Zero will constitute a violation of technology transfer sanctions, as well as financial transfer sanctions,” commented Casey Ellis, founder and CTO of Bugcrowd.

“Additionally, the $200,000 to $20 million range is incredibly wide, and $20 million is currently an irrationally high bid for a full mobile chain under this model.”

The Operation Zero announcement follows OpenAI’s bug bounty program, launched on April 11, 2023, which offers hackers the opportunity to earn rewards of up to $20,000 for discovering security vulnerabilities.
