© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

OpZero’s modus operandi: opportunity hunter, front for Kremlin, or both?


OpZero, a Russian company, is a fairly new player in the market of zero-day exploits, but it raised some eyebrows with unusually high prices for certain vulnerabilities. Cybernews contacted Sergey Zelenyuk, the founder of the firm.

OpZero, based in a Russian port city of Saint Petersburg, surprised many when, according to several cybersecurity experts, it raised its prices for Signal RCE (remote code execution) exploits so much that it now pays three times more than a much better known company, Zerodium.

Whereas Zerodium only offers up to $500,000 for a Signal RCE exploit, OpZero is now willing to pay $1.5 million.

OpZero’s founder Sergey Zelenyuk disputes that, saying:

“The price for Signal exploits weren't raised recently, it had been set for such an amount back when we started the company, which was even before the special military operation [what Zelenyuk calls Russia’s war in Ukraine.]”

New, shiny, rich, shady

Even so, all this is rather puzzling, if only because OpZero is a brand new company – with a lot of cash already at its disposal. Where is it coming from?

OpZero has been present on Twitter since July 2021, but Google only indexed their website in October 2022.

“Created by information security professionals and for professionals, the platform provides its clients unprecedented technologies for offensive and defensive operations in cyberspace,” OpZero says on its website.

It also claims it’s only working with “Russian private and government organizations,” and the company doesn’t disclose its customers.

Zelenyuk, who calls himself a vulnerability researcher, first attracted attention in 2018, when he disclosed the details of a zero-day flaw affecting Oracle’s VirtualBox virtualization software without giving the company a chance to release a patch.

To be fair, officially, OpZero is an exploit broker – basically, an intermediary. Similar companies buy out exploits found by researchers or hackers and further sell the data.

The price is high because vulnerabilities are usually purchased by governments that have an interest in stockpiling zero-day exploits and using them, for instance, for spying on their adversaries.

In this case, though, several experts say it’s quite realistic to assume OpZero is a front for the Russian government. It’s also symbolic that Zelenyuk has been spewing anti-Ukrainian tropes online.

And even if it’s not, it would be important if the company specifically raised the price for Signal exploits because this end-to-end encrypted messaging app is a go-to platform among the Ukrainian military.

Russians are probably desperate to breach into Ukrainian battlefield planning because Moscow is losing the war it started back in February, security researcher The Grugq recently wrote.

Similar to WikiLeaks?

OpZero says it has all the required permits to acquire zero-day exploits. Yet Irina Tsukerman, a geopolitical analyst specializing in information security and cybersecurity, told Cybernews this didn’t change the very real possibility that the Kremlin is behind the company.

“It is very much a front for the Russian government due to its modus operandi, which is very similar to Wikileaks, which similarly encouraged leaking of sensitive and classified information.”

She added that OpZero was specifically looking for exploits that are impossible to obtain without illegal leaks or industrial espionage. For instance, Signal has reportedly been only cracked by one Israeli company, Cellebrite, but the latter has not offered either its methods or evidence proving its success to the public.

signal-app-russia
Signal is widely used by Ukrainian military. Image by Shutterstock.

“As of today, the only real way to gain control of that chat is by taking control of the device where it is stored,” Tsukerman thinks.

“And the increase in price for such an exploit shows that the company in question understands the risks of obtaining such information, and that the only way to gain it is either via a government agency, by an insider working for Signal, or by a leak from a company which has been allegedly able to crack the code.”

The offered sum for a Signal RCE exploit – $1.5 million – just seems too large and suspicious to Tsukerman. “Even if the company is a mere private sector intermediary, why would it draw attention to itself by offering so much money?” she asks.

Zelenyuk admitted to Cybernews that the payouts were too big for a new company on the market but added that the firm had found a solution to work around the issue of low initial funds.

“When we cannot buy an expensive exploit on our own, we directly ask the customer for funds to pay the researcher,” Zelenyuk, who confirmed OpZero already has an investor, said, even though it still means the client has to be affluent enough to afford the purchase.

The Grugq wrote this week that the price raise was probably related to the hypothesis that Russia, which is waging war in Ukraine, appears to lack an Android or Signal capability and cannot gain access to Signal communications inside Ukraine. Tsukerman agrees.

“There’s clear desperation and interest in penetrating the innermost Ukrainian communications, which goes beyond mere commercial interest. It’s more likely OpZero is a subsidiary of an intelligence agency which is specifically prioritizing this issue due to the poor military performance,” the analyst told Cybernews.

History – the cracking of the German Enigma crypto-system in the 1930s, for example – shows that the value of intercepting encrypted military and government communications is immeasurable, specifically for state actors.

“So without direct state backing and order, OpZero would not have reached such a level of visibility and brazenness so quickly,” Tsukerman concludes.

Deep pockets, easy money

Tom Kellermann, Senior Vice President of cyber strategy at Contrast Security, who served on the Commission on Cybersecurity for President Obama’s administration, also thinks that OpZero is probably collaborating with Russia’s GRU military intelligence agency or with the Federal Security Service (FSB).

“The Russian dark web is an economy of scale with a myriad of miscreants offering a variety of cybercrime services. The Russian forums enjoy a protection racket with Russian intelligence,” Kellermann said.

To him, not only Ukrainian military comms are important. That’s because the Signal app is also used by most US government officials and most cybersecurity professionals for confidential exchanges.

“OpZero doesn’t have to be a Russian front company. It is just as likely that the vulnerability researcher running OpZero discovered that there was money to be made in buying and reselling zero-day exploit code to the Russian government,”

Joe Stewart, eSentire's Principal Security Researcher

However, Joe Stewart, Principal Security Researcher with eSentire’s security research team Threat Response Unit, who has been tracking Russian cyber threats since 2003, has his doubts about direct Russia’s involvement with OpZero, even if it is possible.

“OpZero doesn’t have to be a Russian front company. It is just as likely that the vulnerability researcher running OpZero discovered that there was money to be made in buying and reselling zero-day exploit code to the Russian government – as well as other parties with similar interests and deep pockets,” Stewart told Cybernews.

To his knowledge, Zelenyuk, the founder of OpZero, has been doing vulnerability research for a number of years, and he likely has connections in both arenas: the Russian government and the vulnerability research community.

Dabbling in both wouldn’t be anything new in Russia. Cybernews recently wrote about Russian volunteer hacktivist groups that are not officially backed by the state but still support Moscow’s goals. Of course, such “script kiddies” might then be noticed by the government and recruited.

“With Opzero publicly touting that they are willing to pay USD $1,500,000 for a Signal RCE exploit and that they will pay a premium for Android exploits, it strongly suggests that they have a customer who is extremely interested in successfully compromising Signal, or the phone that Signal would most likely be running on,” Stewart said.

“Since Signal and Android phones are heavily used by Ukraine, it is very plausible that Opzero is looking for these exploits on behalf of the Russian government so that they can gain an advantage over Ukraine in the ongoing war.”

Zelenyuk simply says the firm is open to communication with investors interested in the business.

“Attracting investors is the main goal for us at the moment, because it will increase our zero-day stake-holding capabilities to compete with big players on the market,” he told Cybernews.


More from Cybernews:

WhatsApp data leak: 500 million user records for sale

RansomExx joins the ranks of ransomware gangs switching to Rust

UK bans Chinese cameras on government sites

Almost a thousand arrested over global $130m cyber fraud

Why individual arrests will not shut down LockBit

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are marked