Russian zero-day firm offers $1.5m for a Signal RCE exploit


OpZero, a Russian zero-day company, has raised its prices for Signal RCE (remote code execution) exploits so much that it now pays three times more than Zerodium, its closest competitor. Why?

Both OpZero and Zerodium are simply intermediaries. After buying exploits found by researchers or hackers, they resell them to governments, supposedly for a good, if vague, cause, such as protecting national security.

However, the country in this specific case is Russia, which has been waging war against neighboring Ukraine for nine months already.


The campaign has not been successful, to say the least, and security researchers now say that OpZero's willingness to pay hackers much more than its competitors signals Russia's desperation to gain access to Signal, a go-to communications platform among the Ukrainian military.

Ukrainian troops, like the general population, use Android devices far more (77.42%) than iOS phones (22.19%). That is why OpZero is willing to buy exploits for either Android phones or the Signal app itself.

The use of the end-to-end encrypted messaging app Signal, widely held to be the most secure platform of this kind, has exploded in Ukraine since the beginning of the war.

In March alone, there were two million installs, and the majority of Ukrainian battlefield planning takes place on Signal on Android.

“Android phones with Signal are robust security platforms. They’re not military equipment, but they’re perfectly capable of providing protection against a wide range of security threats. Including nation state level threat actors,” security researcher The Grugq recently wrote.

According to the expert, Russia appears to lack an Android or Signal capability and so cannot gain access to Signal communications. Hence the higher price: OpZero is now offering $1.5 million for a Signal RCE exploit, whereas Zerodium offers only up to $500,000.

“There is no reason to offer significantly more money than your competitors for a capability unless you truly need to attract exploit developers,” wrote The Grugq.


The analyst thinks that Russia considers its cyberespionage capabilities in Ukraine too limited. The problem is supposedly so urgent that Russia was willing to reveal its desperation by announcing a huge bounty through OpZero, an intermediary.

OpZero's history is quite shady. The company, based in Russia, has been present on Twitter since July 2021, but Google only indexed its website in October 2022. The company's supposed founder, Sergey Zelenyuk, has been spreading anti-Ukrainian tropes online.

Moscow already finds it difficult to breach Windows or email, even though the Ukrainian military does not really use these services for its communications.

That is because Microsoft has been providing massive technical assistance to Kyiv and has migrated the country's digital infrastructure into its secured public cloud. The company has also ceased operations in and with Russia.

Still, even if Russia ultimately gained access to Ukrainian military communications on Signal, there is no reason to think it would try to disrupt them. Governments usually do not rush to use zero-day exploits, in order to avoid detection; such exploits are typically stockpiled and used for purposes like spying.