Cybersecurity: Threats and Defences
17 Apr

OFAC turns IP law on Operation Zero

13:56 UTC

Treasury sanctioned Sergey Zelenyuk, Matrix LLC and five associates for trafficking 8+ zero-days stolen from L3Harris. The statute was not written for cyber.

Technology · Assessed
Key takeaway

Treasury has built a new sanctions lane aimed specifically at the exploit-supply chain.

The US Treasury Office of Foreign Assets Control (OFAC) used the Protecting American Intellectual Property Act (PAIPA) for the first time in a cyber matter, sanctioning Sergey Sergeyevich Zelenyuk, his firm Matrix LLC trading as Operation Zero, and five associated individuals and entities for acquiring and distributing US government cyber tools [1]. PAIPA was originally drafted to punish intellectual-property theft that harms US competitiveness; applying it to a Russian exploit broker creates a new sanctions lane alongside the traditional Specially Designated Nationals (SDN) regime, one tuned specifically to the exploit-supply chain.

The underlying theft anchors the case. Per US Department of Justice (DOJ) sentencing documents, Peter Williams, a 39-year-old Australian national and former executive at Trenchant, the cyber unit inside US defence contractor L3Harris, pleaded guilty on 29 October 2025 to stealing at least eight zero-day exploits developed exclusively for US government use and selling them to Operation Zero between 2022 and 2025. A zero-day is a software vulnerability for which no patch exists, typically sold to intelligence services for espionage or to militaries for offensive cyber operations. A federal court sentenced Williams to 87 months, roughly seven years and three months, on 24 February 2026.

The secondary designations describe the broker network's plumbing: Marina Vasanovich (Zelenyuk's assistant), Special Technology Services based in the United Arab Emirates, Azizjon Mamashoyev, Oleg Kucherov (identified as a suspected Trickbot operator), and Mamashoyev's brokerage Advance Security Solutions. The UAE vehicle is the structural insight. Russian-origin exploit brokers have been routing acquisitions through Gulf shell companies to keep sanctioned Russian entities off the paperwork. Treasury's action names that routing explicitly and punishes it, which shifts the broker market's preferred jurisdictions one step further from OFAC reach.

Deep Analysis

In plain English

When governments want to hack enemy computer systems, they develop or buy software tools called exploits. These are kept secret, because once published they become useless and can be turned against the original developers. Peter Williams worked for Trenchant, a secret hacking division of the US defence company L3Harris. Between 2022 and 2025, he stole at least eight of these secret tools and sold them to Operation Zero, a Russian broker run by Sergey Zelenyuk. Williams was caught, pleaded guilty, and was sentenced to over seven years in prison. In April 2026, the US Treasury's OFAC sanctions unit used a law called the Protecting American Intellectual Property Act (PAIPA) for the first time in a hacking case. It sanctioned Zelenyuk, his company, and five associated individuals and shell companies, including some based in the United Arab Emirates. Being sanctioned means US persons and companies cannot legally do business with them.

Root Causes

US government offensive cyber tools are developed inside classified programmes by contractors under strict handling requirements. The gap exposed by Peter Williams is the insider threat at the contractor level: cleared employees with legitimate access to classified tools and the technical understanding to assess their market value. L3Harris Trenchant's toolset had sufficient value that Williams sold eight or more exploits over three years before detection.

The UAE routing structure named in the designation (Special Technology Services and Advance Security Solutions) reflects how Russian-origin exploit brokers have structured around US sanctions: Gulf incorporation provides plausible legal distance from OFAC-sanctioned Russian entities while maintaining operational continuity. Treasury's explicit naming of the UAE vehicles signals intent to close that routing in future designations.

What could happen next?
  • Precedent: PAIPA's first cyber use creates a legal template for sanctioning exploit brokers and their networks without requiring attribution of a specific hacking operation to the broker's customers, significantly lowering the evidentiary bar for future designations. (Short term · 0.8)
  • Consequence: Gulf-based corporate vehicles routing Russian exploit broker transactions will face increased financial-institution due-diligence scrutiny following explicit OFAC naming of UAE entities in the designation. (Short term · 0.7)
  • Consequence: US defence contractors with offensive cyber programmes will face heightened insider-threat monitoring requirements and stronger pre-employment screening obligations for employees with access to classified offensive tools. (Medium term · 0.65)
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

US Treasury OFAC · 17 Apr 2026
Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.