OrganisationRU

Operation Zero

Russian exploit brokerage operating as Matrix LLC; OFAC-sanctioned April 2026 for acquiring stolen US government zero-days.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How did a Russian exploit broker buy US government zero-days from a defence contractor insider?

Timeline for Operation Zero

#117 Apr

OFAC turns IP law on Operation Zero

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What is Operation Zero exploit broker?: Operation Zero is the trading name of Russian company Matrix LLC, operated by Sergey Zelenyuk. It bought and sold zero-day exploits, including at least eight stolen from US government contractor L3Harris by insider Peter Williams between 2022 and 2025.Source: OFAC sanction / DOJ
How was Operation Zero sanctioned by OFAC?: OFAC designated Sergey Zelenyuk, Matrix LLC and five associated entities on 14 April 2026 using the Protecting American Intellectual Property Act (PAIPA), the first time PAIPA has been used in a cyber enforcement action.Source: OFAC designation April 2026
How much does Operation Zero pay for iPhone zero-days?: Operation Zero published a price list in 2023 offering up to $20 million for full iOS exploit chains with Remote Code Execution capability. Android and Windows exploits were priced lower in the same list.Source: Operation Zero public price list 2023

Background

Operation Zero is the trading name of Matrix LLC, a Russian exploit brokerage operated by Sergey Zelenyuk that acquired and distributed zero-day exploits developed by US government contractors. On 14 April 2026, OFAC used the Protecting American Intellectual Property Act (PAIPA) for the first time in a cyber matter to sanction Zelenyuk, Matrix LLC and five associated individuals and entities, including UAE-based Special Technology Services and Oleg Kucherov's brokerage Advance Security Solutions.

The brokerage's supply was grounded in a documented insider theft: Peter Williams, a 39-year-old Australian national and former executive at Trenchant, the cyber unit of defence contractor L3Harris, pleaded guilty on 29 October 2025 to stealing at least eight zero-day exploits developed exclusively for US government use and selling them to Operation Zero between 2022 and 2025. A federal court sentenced Williams to 87 months on 24 February 2026. Operation Zero's stated market prices for iOS, Android and Windows exploits in 2023 ranged up to $20 million per exploit chain.

The OFAC sanction is structurally notable because it uses IP law rather than sanctions law as the primary legal basis, and because it names the UAE-based shell vehicle used to route acquisitions through Gulf corporate structures to avoid direct Russian entity paper trails. Treasury explicitly framed the action as targeting the supply-chain infrastructure of state-adjacent exploit brokering rather than only the end user of the exploits.

How the World Sees Them

UAE

Special Technology Services, a UAE-based Operation Zero node, was designated. The UAE has not commented; Gulf shell vehicles are a recurring pattern in Russian sanctions-evasion structures.

Russia

Russia has not commented on the OFAC designation. The Matrix LLC structure is consistent with Russian state-adjacent commercial vehicles used in other GRU and FSB-adjacent operations.

United States

OFAC's use of PAIPA sets a template for sanctioning exploit brokers via IP law. DOJ's Williams prosecution anchors the civil sanction in a criminal conviction.

Cybersecurity market

Operation Zero's published pricing for government-grade exploits established public market benchmarks. The OFAC action creates legal risk for any broker or buyer in the same ecosystem.