Friday , July 10 2026
Image Credits: Niharika Kulkarni/NurPhoto via Getty Images / Getty Images

Zero-days for hacking WhatsApp are now worth millions

Thanks to improvements in security mechanisms and mitigations, hacking cell phones — both running iOS and Android — has become an expensive endeavor. That’s why hacking techniques for apps like WhatsApp are now worth millions of dollars, TechCrunch has learned.

Last week, a Russian company that buys zero-days — flaws in software that are unknown to the developer of the affected product — offered $20 million for chains of bugs that would allow their customers, which the company said are “Russian private and government organizations only,” to remotely compromise phones running iOS and Android. That price is in part likely caused by the fact that there aren’t many researchers willing to work with Russia while the invasion of Ukraine continues, and that Russian government customers are likely willing to pay a premium under the current circumstances.

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Thousands of MCP Servers Exposed to File Access and Injection Attacks

Thousands of Model Context Protocol (MCP) servers have serious security flaws like file access issues, command injection, server-side request forgery...
Read More
Thousands of MCP Servers Exposed to File Access and Injection Attacks

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to the device's web interface. An...
Read More
CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Daily Cyber security update for 6. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 6. 07. 2026

“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users get root access on Linux servers, desktops, and Android...
Read More
“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

An AI performed a cyber attack without any human help for the first time

Security experts found what they think is the first time an AI carried out a cyber attack all by itself....
Read More
An AI performed a cyber attack without any human help for the first time

But even in the markets outside of Russia, including just for bugs in specific apps, prices have gone up.

Leaked documents seen by TechCrunch show that, as of 2021, a zero-day allowing its user to compromise a target’s WhatsApp on Android and read the content of messages can cost between $1.7 and $8 million.

“They’ve shot up,” said a security researcher who has knowledge of the market, and asked to remain anonymous as they weren’t authorized to speak to the press.

WhatsApp has been a popular target for government hackers, the kind of groups that are more likely to use zero-days. In 2019, researchers caught customers of the controversial spyware maker NSO Group using a zero-day to target WhatsApp users. Soon after, WhatsApp sued the Israeli surveillance tech vendor, accusing it of abusing its platform to facilitate its customers using the zero-day against more than a thousand WhatsApp users.

In 2021, according to one of the leaked documents, a company was selling a “zero click RCE” in WhatsApp for around $1.7 million. RCE is cybersecurity lingo for remote code execution, a type of flaw that allows malicious hackers to remotely run code on the target’s device. Or in this case, inside WhatsApp, allowing them to monitor, read and exfiltrate messages. “Zero click” refers to the fact that the exploit requires no interaction from the target, making it stealthier and harder to detect.

The document said the exploit worked for Android versions 9 to 11, which was released in 2020, and that it took advantage of a flaw in the “image rendering library.” In 2020 and 2021, WhatsApp fixed three vulnerabilities — CVE-2020-1890, CVE-2020-1910 and CVE-2021-24041 — that all involved how the app processes images. It’s unclear if these patches fixed the flaws underlying the exploits that were on sale in 2021.

WhatsApp spokesperson Zade Alsawah said the company declined to comment.

The value of targeting WhatsApp specifically is that, sometimes, government hackers — think those working for intelligence or law enforcement agencies — may only be interested in a target’s chats on WhatsApp, so they don’t need to compromise the whole phone. But an exploit only in WhatsApp can also be part of a chain to further compromise the target’s device.

“The exploit buyers are interested in the exploits for what they enable — spying on their targets,” said a security researcher with knowledge of the market, who asked to remain anonymous to discuss sensitive issues. “If the exploit they buy does not give them all of what they want they need to buy multiple pieces and combine them.”

Check Also

MCP Servers

Thousands of MCP Servers Exposed to File Access and Injection Attacks

Thousands of Model Context Protocol (MCP) servers have serious security flaws like file access issues, …