Sanctions and Stolen Secrets: U.S. Cracks Down on ‘Operation Zero’ Exploit Brokerage
Ddos 
The U.S. Department of the Treasury has taken a decisive stand against the illicit trade of digital weaponry. In a major coordinated action, the Office of Foreign Assets Control (OFAC) has designated Russian national Sergey Sergeyevich Zelenyuk and his company, Matrix LLC (operating as Operation Zero), for their roles in the acquisition and distribution of cyber tools that threaten U.S. national security.
The move marks a significant escalation in the government’s fight against “exploit brokers”—middlemen who purchase software vulnerabilities to sell them to the highest bidder, often bypassing the companies that could fix them.
At the heart of the sanctions is a discovery involving the theft of proprietary government technology. According to the Treasury, “Among the exploits that Operation Zero acquired were at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company.”
The source of these tools was allegedly Peter Williams, an Australian national and former employee of the victimized U.S. firm. Williams pleaded guilty in October 2025 to stealing the tools between 2022 and 2025 and selling them to Operation Zero “in exchange for millions of dollars paid in cryptocurrencies.” Operation Zero then turned around and sold these stolen national security assets to at least one unauthorized user.
Headquartered in St. Petersburg, Russia, Operation Zero has been an active player in the exploit market since 2021. The firm operates by offering “millions of dollars in bounties to cybersecurity researchers and others for the development or acquisition of exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications.”
Unlike ethical “bug bounty” programs that report flaws to vendors for patching, Zelenyuk’s firm keeps the vulnerabilities secret. The Treasury warns that “Operation Zero does not disclose the discovered exploits to the companies developing the affected software, and Operation Zero customers could use the tools to launch ransomware attacks or engage in other malign activities.”
Furthermore, the firm has explicitly marketed its wares to “foreign intelligence agencies,” stating in public-facing materials that they “will only sell the exploits they acquire to customers from non-NATO countries.”
The sanctions reach far beyond Zelenyuk himself, targeting a web of associates across Russia, the UAE, and Uzbekistan. Among those designated is Oleg Vyacheslavovich Kucherov, a Russian national and “suspected member of the Trickbot cybercrime gang.” Trickbot is a notorious modular malware suite used to launch devastating ransomware attacks against U.S. hospitals and government centers.
Other designated entities and individuals include:
- Marina Evgenyevna Vasanovich: Zelenyuk’s personal assistant.
- Special Technology Services LLC FZ (STS): A UAE-based tech company controlled by Zelenyuk.
- Azizjon Makhmudovich Mamashoyev: An associate who worked with Operation Zero.
- Advance Security Solutions: A rival exploit brokerage firm created by Mamashoyev with operations in the UAE and Uzbekistan.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
