US Sanctions Exploit Brokers Selling Stolen Government Cyber Tools

In a landmark enforcement action, the U.S. Department of the Treasury’s OFAC has sanctioned a network of foreign exploit brokers responsible for stealing sensitive U.S. government cyber tools. The operation targeted Russian national Sergey Zelenyuk and his company Matrix LLC, publicly operating as Operation Zero, along with five associated individuals and entities.

This case, announced on February 24, 2026, represents the first-ever use of the Protecting American Intellectual Property Act (PAIPA) to impose sanctions, signaling a strong shift in U.S. policy against foreign actors profiting from the theft of critical cybersecurity assets.

In this article, we’ll examine the attack chain, the role of Operation Zero, legal and regulatory implications, and best practices for safeguarding sensitive cyber tools and intellectual property.


Background: The Theft of Government Cyber Tools

At the center of the case is Peter Williams, a 39-year-old Australian and former executive at Trenchant, a specialized cybersecurity unit owned by U.S. defense contractor L3Harris.

Between 2022 and 2025, Williams exploited his privileged access to steal at least eight zero-day exploits and hacking tools developed exclusively for U.S. government use and allied partners. These tools were sold to Operation Zero for $1.3 million in cryptocurrency, causing an estimated $35 million in losses to Trenchant.

Williams pleaded guilty to two counts of theft of trade secrets on October 29, 2025, and was sentenced on February 24, 2026, to 87 months (7 years, 3 months) in federal prison.


Operation Zero: Exploit Brokerage Network

Operation Zero has been operating as an exploit broker since 2021, offering millions of dollars in bounties for zero-day vulnerabilities in widely used software, including:

  • U.S.-built operating systems
  • Encrypted messaging apps such as Telegram

Key characteristics of Operation Zero’s operations:

  • Does not disclose vulnerabilities to affected vendors.
  • Explicitly limits its clientele to non-NATO countries, including Russia.
  • Develops spyware and techniques for exfiltrating sensitive data from AI applications.
  • Actively recruits hackers via social media.

The stolen cyber tools acquired from Trenchant could have given end users access to millions of computers and devices globally, amplifying the risk to both national security and private systems.


Sanctioned Individuals and Entities

| Person/Entity                              | Role                                  | Basis for Sanctions                                  |
|--------------------------------------------|---------------------------------------|------------------------------------------------------|
| Sergey Zelenyuk                            | Founder, Operation Zero               | Cyber activities threatening U.S. national security  |
| Matrix LLC (Operation Zero)                | Russian exploit brokerage             | Acquisition and sale of stolen U.S. cyber tools      |
| Marina Evgenyevna Vasanovich               | Assistant to Zelenyuk                 | Acting on behalf of Zelenyuk                         |
| Special Technology Services LLC FZ (STS)   | UAE-based affiliate                   | Controlled by Zelenyuk; sanctioned under PAIPA       |
| Oleg Vyacheslavovich Kucherov              | Suspected TrickBot member             | Material support to Zelenyuk                         |
| Azizjon Makhmudovich Mamashoyev            | Operator, Advance Security Solutions  | Material support to Zelenyuk                         |
| Advance Security Solutions                 | UAE/Uzbekistan exploit brokerage      | Owned/controlled by Mamashoyev                       |

Notable connections:

  • Oleg Kucherov is suspected of affiliation with TrickBot, a modular malware gang responsible for ransomware attacks against U.S. agencies, hospitals, and healthcare centers. OFAC had designated other TrickBot members in 2023.

Legal and Regulatory Implications

As a result of these designations:

  • All U.S.-held property and interests of the sanctioned entities are blocked.
  • U.S. persons are prohibited from engaging in transactions with these entities.
  • Any entity 50% or more owned by a designated person is similarly blocked.
  • The Department of State issued parallel designations under PAIPA, marking the first application of the 2022 law against foreign exploit traders.

Treasury Secretary Scott Bessent stated: “If you steal U.S. trade secrets, we will hold you accountable,” emphasizing the administration’s commitment to protecting American intellectual property and national security infrastructure.


Key Takeaways

  1. PAIPA enforcement is a new tool for national security:
    Sanctions can now target foreign exploit brokers profiting from stolen cyber tools.
  2. Privileged insiders are high-risk:
    Peter Williams’ actions highlight the potential damage from insider threats in cybersecurity units.
  3. Exploit brokers amplify risk globally:
    Operation Zero’s business model demonstrates how stolen tools can reach unauthorized actors worldwide.
  4. Legal penalties are severe:
    Criminal prosecution and sanctions provide both financial and operational deterrents against theft of sensitive cyber tools.

Lessons for Organizations

  • Protect insider access: Monitor and restrict privileged accounts with access to zero-day tools or sensitive cyber infrastructure.
  • Supply chain vigilance: Ensure third-party vendors follow strict security protocols to prevent exfiltration of proprietary tools.
  • Incident response planning: Maintain procedures for immediate response if sensitive tools are compromised.
  • Collaboration with regulators: Be aware of evolving laws such as PAIPA that could impact foreign operations and compliance requirements.

FAQs

Q1: What is Operation Zero?
A: A Russian exploit brokerage that buys and sells zero-day vulnerabilities and cyber tools without disclosing them to affected vendors.

Q2: What is PAIPA?
A: The Protecting American Intellectual Property Act (2022) allows the U.S. to sanction foreign entities that profit from stolen trade secrets, including cybersecurity tools.

Q3: Who was Peter Williams?
A: An Australian ex-L3Harris executive who stole U.S. government zero-day tools and sold them to Operation Zero for $1.3 million in cryptocurrency.

Q4: What are the risks of exploit broker networks?
A: Stolen tools can reach unauthorized actors, potentially affecting millions of devices and critical national security systems.

Q5: What measures can organizations take?
A: Restrict insider access, monitor for suspicious activity, enforce supply chain security, and comply with emerging regulatory requirements.


Conclusion

The Operation Zero sanctions highlight the growing threat of foreign exploit brokers and the potential impact of insider threats. With the first-ever application of PAIPA, the U.S. demonstrates a strong stance against cyber-enabled theft of intellectual property.

Organizations handling sensitive cyber tools must implement insider threat detection, supply chain security, and regulatory compliance strategies to prevent similar compromises.
