Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

OFAC turns IP law on Operation Zero

3 min read
08:16UTC

Treasury sanctioned Sergey Zelenyuk, Matrix LLC and five associates for trafficking 8+ zero-days stolen from L3Harris. The statute was not written for cyber.

TechnologyAssessed
Key takeaway

Treasury has built a new sanctions lane aimed specifically at the exploit-supply chain.

The US Treasury Office of Foreign Assets Control (OFAC) used the Protecting American Intellectual Property Act (PAIPA) for the first time in a cyber matter, sanctioning Sergey Sergeyevich Zelenyuk, his firm Matrix LLC trading as Operation Zero, and five associated individuals and entities for acquiring and distributing US government cyber tools 1. PAIPA was originally drafted to punish intellectual-property theft that harms US competitiveness; applying it to a Russian exploit broker creates a new sanctions lane alongside the traditional Specially Designated Nationals (SDN) regime, one tuned specifically to the exploit-supply chain.

The underlying theft anchors the case. Per US Department of Justice (DOJ) sentencing documents, Peter Williams, a 39-year-old Australian national and former executive at Trenchant, the cyber unit inside US defence contractor L3Harris, pleaded guilty on 29 October 2025 to stealing at least eight zero-day exploits developed exclusively for US government use and selling them to Operation Zero between 2022 and 2025. A zero-day is a software vulnerability for which no patch exists, typically sold to intelligence services for espionage or to militaries for offensive cyber operations. A federal court sentenced Williams to 87 months, roughly seven years and three months, on 24 February 2026.

The secondary designations describe the broker network's plumbing: Marina Vasanovich (Zelenyuk's assistant), Special Technology Services based in the United Arab Emirates, Azizjon Mamashoyev, Oleg Kucherov (identified as a suspected Trickbot operator), and Mamashoyev's brokerage Advance Security Solutions. The UAE vehicle is the structural insight. Russian-origin exploit brokers have been routing acquisitions through Gulf shell companies to keep sanctioned Russian entities off the paperwork. Treasury's action names that routing explicitly and punishes it, which shifts the broker market's preferred jurisdictions one step further from OFAC reach.

Deep Analysis

In plain English

When governments want to hack enemy computer systems, they develop or buy software tools called exploits. These are kept secret, because once published they become useless and can be turned against the original developers. Peter Williams worked for Trenchant, a secret hacking division of the US defence company L3Harris. Between 2022 and 2025, he stole at least eight of these secret tools and sold them to Operation Zero, a Russian broker run by Sergey Zelenyuk. Williams was caught, pleaded guilty, and was sentenced to over seven years in prison. In April 2026, the US Treasury's OFAC sanctions unit used a law called the Protecting American Intellectual Property Act (PAIPA) for the first time in a hacking case. It sanctioned Zelenyuk, his company, and five associated individuals and shell companies, including some based in the United Arab Emirates. Being sanctioned means US persons and companies cannot legally do business with them.

Deep Analysis
Root Causes

US government offensive cyber tools are developed inside classified programmes by contractors under strict handling requirements. The gap exposed by Peter Williams is the insider threat at the contractor level: cleared employees with legitimate access to classified tools and the technical understanding to assess their market value. L3Harris Trenchant's toolset had sufficient value that Williams sold eight or more exploits over three years before detection.

The UAE routing structure named in the designation (Special Technology Services and Advance Security Solutions) reflects how Russian-origin exploit brokers have structured around US sanctions: Gulf incorporation provides plausible legal distance from OFAC-sanctioned Russian entities while maintaining operational continuity. Treasury's explicit naming of the UAE vehicles signals intent to close that routing in future designations.

What could happen next?
  • Precedent

    PAIPA's first cyber use creates a legal template for sanctioning exploit brokers and their networks without requiring attribution of a specific hacking operation to the broker's customers, significantly lowering the evidentiary bar for future designations.

    Short term · 0.8
  • Consequence

    Gulf-based corporate vehicles routing Russian exploit broker transactions will face increased financial institution due-diligence scrutiny following explicit OFAC naming of UAE entities in the designation.

    Short term · 0.7
  • Consequence

    US defence contractors with offensive cyber programmes will face heightened insider-threat monitoring requirements and stronger pre-employment screening obligations for employees with access to classified offensive tools.

    Medium term · 0.65
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

US Treasury OFAC· 17 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.