
> This attack is still possible (as of 20/09/2021); however, an attacker is required to invest significant compute time (many many years with a single RTX2070) to generate a valid identity

So it's entirely feasible if you have access to any cloud vendor then.



> So it's entirely feasible if you have access to any cloud vendor then.

At around $0.50 per hour, and assuming "many many years" means 10 years, then the attack needs to be worth those $43800.


That's... less than I expected? Certainly more expensive than a normal person could afford, but with the levels of income disparity in the US, that's frighteningly affordable for a large corporation and within reach for a highly motivated rich individual. If you own a cloud (aka Amazon wants to break into your VPN), they get major discounts on time on their fleet. If, instead, it costs $0.01/hr due to using unused capacity during quiet times of day, that works out to be like $1000 to crack it.

As to what makes it worth it. $50k is too expensive to attack all users of this particular VPN software, but there's way more than $50k worth of information companies want to keep secret (call it competitive intelligence) being protected by VPN software the world over.


Many many means 512 in the article. But that's with lots of room for optimizations.


In addition to the compute power, you also need some other things:

"An attacker would need to hijack the address for a peer that has been offline for 30 days or communicate only with other peers that do not have a cached identity for the hijacked address."


If you have access to the victim's ZeroTier dashboard (or API calls), that's trivial to get. Even if there are currently no disclosed vulns in the dashboard, that doesn't mean that none exist.



