ConceptUS

Office of Foreign Assets Control

US Treasury enforcement arm that sanctioned Operation Zero and its network under PAIPA in the first-ever use of the law on a cyber matter.

Last refreshed: 17 April 2026

Key Question

What makes the OFAC Operation Zero action legally different from previous cyber sanctions?

Timeline for Office of Foreign Assets Control

#117 Apr

Mentioned in: OFAC turns IP law on Operation Zero

Cybersecurity: Threats and Defences

View full timeline →

Common Questions

What is OFAC and what did it do to Operation Zero?: OFAC is the US Treasury's sanctions enforcement arm. In April 2026 it sanctioned Operation Zero and seven associated individuals and entities under PAIPA, the first-ever use of the law in a cyber matter, for acquiring and distributing US government hacking tools stolen from L3Harris.Source: OFAC designation
What is the PAIPA law and how does it apply to hackers?: The Protecting American Intellectual Property Act (PAIPA) requires OFAC to impose mandatory sanctions on foreign persons who significantly steal US trade secrets, including government-developed software tools. The April 2026 Operation Zero action was the first cyber-sector use of its mandatory-sanctions provision.Source: OFAC / US Treasury

Background

The Office of Foreign Assets Control (OFAC) used the Protecting American Intellectual Property Act (PAIPA) for the first time in a cyber-related sanctions action in April 2026, designating Sergey Zelenyuk, his firm Matrix LLC (trading as Operation Zero) and five associated individuals and entities for acquiring and distributing US government cyber tools stolen by former L3Harris Trenchant executive Peter Williams.

OFAC administers US economic and trade sanctions on behalf of the US Treasury. Its designations freeze assets and prohibit US persons from transacting with designated parties. The Protecting American Intellectual Property Act, enacted in 2022, created a mandatory sanctions framework for foreign persons who engage in significant theft of US trade secrets, including software tools. The April 2026 action is the first application of PAIPA's mandatory-sanctions provision to a cyber-sector case.

For the wider exploit-broker market, the PAIPA action creates a new legal framework risk: acquiring US government-developed tools, even through intermediaries and shell companies, now falls within a mandatory sanctions trigger rather than discretionary executive action. The action's simultaneous targeting of the Russian principal, a UAE shell company, a Trickbot-linked operator and satellite brokerages demonstrates OFAC's intention to map and sanction the full transactional network, not only the visible operator.

How the World Sees Them

Allied agencies

OFAC's network-mapping approach in the action is a signal to allied financial intelligence units to scrutinise correspondent-banking relationships with the designated entities.

US Treasury / OFAC

The first PAIPA cyber designation sets a template: future exploit-broker actions can proceed under mandatory rather than discretionary sanctions authority.

International exploit brokers

PAIPA's mandatory trigger removes Treasury's need to build a discretionary case; any demonstrable acquisition or distribution of US government tools now carries mandatory sanctions exposure.