The Russian firm Operation Zero has announced a staggering $20m reward for hacking tools capable of compromising iPhones and Android devices.
The company unveiled this increased payout on X (formerly Twitter) on Tuesday, aiming to attract top-tier researchers and developer teams to collaborate with their platform.
Under this program, Operation Zero is willing to pay $20m for critical exploits such as Remote Code Execution (RCE), Local Privilege Escalation (LPE) and Sandbox Escape (SBX) that form part of a complete chain attack.
“Mobile devices are central to our personal and professional lives, and as such are a prime target for both nation-state and non-nation-state actors. We have seen an exponential increase in attacks targeting mobile devices year over year, including the use of zero-day exploits,” explained Kern Smith, mobile security expert at Zimperium.
According to Smith, while zero-day mobile exploits for iOS and Android remain coveted tools for threat actors, there is a rising trend in attacks that no longer rely on OS vulnerabilities. Malware and phishing campaigns are now targeting mobile devices, irrespective of the OS.
“Mobile devices represent some of the most valuable and vulnerable targets for organizations and individuals, with high ROI and low risk for attackers, and this grey market is prioritizing that accordingly,” Smith added.
However, the eyebrow-raising aspect of this announcement is Operation Zero’s stipulation that the end user must belong to a non-NATO country. This geopolitical condition adds a layer of complexity to the situation, raising concerns about the potential misuse of such powerful hacking tools.
The news has sparked debates within the cybersecurity community, with some questioning the ethics and potential consequences of offering such lucrative rewards for exploits that could compromise the security and privacy of millions of smartphone users.
“Given that Russia is OFAC sanctioned, working with Operation Zero will be in violation of technology transfer sanctions, as well as financial transfer sanctions,” commented Casey Ellis, founder and CTO at Bugcrowd.
“Also, the range of $200k to $20m is incredibly broad, and $20m is currently an irrationally high offer for a full mobile chain under this model.”
The timing of the Operation Zero announcement follows on the heels of OpenAI’s bug bounty program launched on April 11 2023, offering white hat hackers the opportunity to earn rewards of up to $20,000 for uncovering security vulnerabilities.