Cybersecurity: Threats and Defences
30 APR

OFAC turns IP law on Operation Zero

08:16 UTC

Treasury sanctioned Sergey Zelenyuk, Matrix LLC and five associates for trafficking 8+ zero-days stolen from L3Harris. The statute was not written for cyber.

Technology · Assessed
Key takeaway

Treasury has built a new sanctions lane aimed specifically at the exploit-supply chain.

The US Treasury Office of Foreign Assets Control (OFAC) used the Protecting American Intellectual Property Act (PAIPA) for the first time in a cyber matter, sanctioning Sergey Sergeyevich Zelenyuk, his firm Matrix LLC trading as Operation Zero, and five associated individuals and entities for acquiring and distributing US government cyber tools [1]. PAIPA was originally drafted to punish intellectual-property theft that harms US competitiveness; applying it to a Russian exploit broker creates a new sanctions lane alongside the traditional Specially Designated Nationals (SDN) regime, one tuned specifically to the exploit-supply chain.

The underlying theft anchors the case. Per US Department of Justice (DOJ) sentencing documents, Peter Williams, a 39-year-old Australian national and former executive at Trenchant, the cyber unit inside US defence contractor L3Harris, pleaded guilty on 29 October 2025 to stealing at least eight zero-day exploits developed exclusively for US government use and selling them to Operation Zero between 2022 and 2025. A zero-day is a software vulnerability for which no patch exists, typically sold to intelligence services for espionage or to militaries for offensive cyber operations. A federal court sentenced Williams to 87 months, roughly seven years and three months, on 24 February 2026.

The secondary designations describe the broker network's plumbing: Marina Vasanovich (Zelenyuk's assistant), Special Technology Services based in the United Arab Emirates, Azizjon Mamashoyev, Oleg Kucherov (identified as a suspected Trickbot operator), and Mamashoyev's brokerage Advance Security Solutions. The UAE vehicle is the structural insight. Russian-origin exploit brokers have been routing acquisitions through Gulf shell companies to keep sanctioned Russian entities off the paperwork. Treasury's action names that routing explicitly and punishes it, which shifts the broker market's preferred jurisdictions one step further from OFAC reach.

Deep Analysis

In plain English

When governments want to hack enemy computer systems, they develop or buy software tools called exploits. These are kept secret, because once published they become useless and can be turned against the original developers. Peter Williams worked for Trenchant, a secret hacking division of the US defence company L3Harris. Between 2022 and 2025, he stole at least eight of these secret tools and sold them to Operation Zero, a Russian broker run by Sergey Zelenyuk. Williams was caught, pleaded guilty, and was sentenced to over seven years in prison. In April 2026, the US Treasury's OFAC sanctions unit used a law called the Protecting American Intellectual Property Act (PAIPA) for the first time in a hacking case. It sanctioned Zelenyuk, his company, and five associated individuals and shell companies, including some based in the United Arab Emirates. Being sanctioned means US persons and companies cannot legally do business with them.

Root Causes

US government offensive cyber tools are developed inside classified programmes by contractors under strict handling requirements. The gap exposed by Peter Williams is the insider threat at the contractor level: cleared employees with legitimate access to classified tools and the technical understanding to assess their market value. L3Harris Trenchant's toolset had sufficient value that Williams sold eight or more exploits over three years before detection.

The UAE routing structure named in the designation (Special Technology Services and Advance Security Solutions) reflects how Russian-origin exploit brokers have structured around US sanctions: Gulf incorporation provides plausible legal distance from OFAC-sanctioned Russian entities while maintaining operational continuity. Treasury's explicit naming of the UAE vehicles signals intent to close that routing in future designations.

What could happen next?
  • Precedent

    PAIPA's first cyber use creates a legal template for sanctioning exploit brokers and their networks without requiring attribution of a specific hacking operation to the broker's customers, significantly lowering the evidentiary bar for future designations.

    Short term · 0.8
  • Consequence

    Gulf-based corporate vehicles routing Russian exploit broker transactions will face increased financial institution due-diligence scrutiny following explicit OFAC naming of UAE entities in the designation.

    Short term · 0.7
  • Consequence

    US defence contractors with offensive cyber programmes will face heightened insider-threat monitoring requirements and stronger pre-employment screening obligations for employees with access to classified offensive tools.

    Medium term · 0.65

Source: US Treasury OFAC · 17 Apr 2026
Different Perspectives
Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.
ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.
German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.
Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.
Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.
WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.