Cybersecurity Researcher Earns $250,000 for Chrome Sandbox Escape Vulnerability

A security researcher known by the alias Micky has received a record-breaking $250,000 bounty from Google for discovering a critical Chrome vulnerability that allowed attackers to bypass the browser’s sandbox.

The flaw, tracked as CVE-2025-4609, was first identified in April 2025 and patched in mid-May with the release of Chrome 136, along with updates to other Chromium-based browsers such as Microsoft Edge, Opera, Vivaldi, and Brave. Google has now disclosed the technical details.


Technical Breakdown

The vulnerability was located in Chrome’s Mojo ipcz library, which manages inter-process communication (IPC) within the browser.

Google classified the bug as high severity, describing it as a “very complex logic bug.” Micky’s report stood out for its high-quality analysis and inclusion of a working proof-of-concept (PoC) exploit that successfully demonstrated a sandbox escape.

According to the researcher, the PoC achieved a 70–80% success rate in bypassing Chrome’s sandbox and executing system commands—demonstrated by launching the Windows Calculator application. In practical terms, the exploit allowed manipulation of Chrome’s internal processes, duplication of the browser’s parent process, and execution of arbitrary code.

In a real-world attack scenario, exploitation would typically require the victim to visit a malicious website while running a vulnerable version of Chrome.


Bug Bounty Record

The $250,000 payout is the maximum reward offered under Google’s Chrome Vulnerability Reward Program for sandbox escape vulnerabilities—reserved for high-quality reports with a working remote code execution demonstration.

This is one of the largest payouts in Google’s bug bounty history, second only to the $605,000 awarded in 2022 to a researcher known as gzobqq for discovering five Android vulnerabilities.
