Cybersecurity: Threats and Defences
7 June

OFAC turns IP law on Operation Zero

3 min read
10:08 UTC

Treasury sanctioned Sergey Zelenyuk, Matrix LLC and five associates for trafficking 8+ zero-days stolen from L3Harris. The statute was not written for cyber.

Key takeaway

Treasury has built a new sanctions lane aimed specifically at the exploit-supply chain.

The US Treasury Office of Foreign Assets Control (OFAC) used the Protecting American Intellectual Property Act (PAIPA) for the first time in a cyber matter, sanctioning Sergey Sergeyevich Zelenyuk, his firm Matrix LLC (trading as Operation Zero), and five associated individuals and entities for acquiring and distributing US government cyber tools [1]. PAIPA was originally drafted to punish intellectual-property theft that harms US competitiveness; applying it to a Russian exploit broker creates a new sanctions lane alongside the traditional Specially Designated Nationals (SDN) regime, one tuned specifically to the exploit-supply chain.

The underlying theft anchors the case. Per US Department of Justice (DOJ) sentencing documents, Peter Williams, a 39-year-old Australian national and former executive at Trenchant, the cyber unit inside US defence contractor L3Harris, pleaded guilty on 29 October 2025 to stealing at least eight zero-day exploits developed exclusively for US government use and selling them to Operation Zero between 2022 and 2025. A zero-day is a software vulnerability for which no patch exists, typically sold to intelligence services for espionage or to militaries for offensive cyber operations. A federal court sentenced Williams to 87 months, roughly seven years and three months, on 24 February 2026.

The secondary designations describe the broker network's plumbing: Marina Vasanovich (Zelenyuk's assistant), Special Technology Services based in the United Arab Emirates, Azizjon Mamashoyev, Oleg Kucherov (identified as a suspected Trickbot operator), and Mamashoyev's brokerage Advance Security Solutions. The UAE vehicle is the structural insight. Russian-origin exploit brokers have been routing acquisitions through Gulf shell companies to keep sanctioned Russian entities off the paperwork. Treasury's action names that routing explicitly and punishes it, which shifts the broker market's preferred jurisdictions one step further from OFAC reach.

Deep Analysis

In plain English

When governments want to hack enemy computer systems, they develop or buy software tools called exploits. These are kept secret, because once published they become useless and can be turned against the original developers. Peter Williams worked for Trenchant, a secret hacking division of the US defence company L3Harris. Between 2022 and 2025, he stole at least eight of these secret tools and sold them to Operation Zero, a Russian broker run by Sergey Zelenyuk. Williams was caught, pleaded guilty, and was sentenced to over seven years in prison. In April 2026, the US Treasury's OFAC sanctions unit used a law called the Protecting American Intellectual Property Act (PAIPA) for the first time in a hacking case. It sanctioned Zelenyuk, his company, and five associated individuals and shell companies, including some based in the United Arab Emirates. Being sanctioned means US persons and companies cannot legally do business with them.

Root Causes

US government offensive cyber tools are developed inside classified programmes by contractors under strict handling requirements. The gap exposed by Peter Williams is the insider threat at the contractor level: cleared employees with legitimate access to classified tools and the technical understanding to assess their market value. L3Harris Trenchant's toolset had sufficient value that Williams sold eight or more exploits over three years before detection.

The UAE routing structure named in the designation (Special Technology Services and Advance Security Solutions) reflects how Russian-origin exploit brokers have structured around US sanctions: Gulf incorporation provides plausible legal distance from OFAC-sanctioned Russian entities while maintaining operational continuity. Treasury's explicit naming of the UAE vehicles signals intent to close that routing in future designations.

What could happen next?
  • Precedent

    PAIPA's first cyber use creates a legal template for sanctioning exploit brokers and their networks without requiring attribution of a specific hacking operation to the broker's customers, significantly lowering the evidentiary bar for future designations.

    Short term · 0.8
  • Consequence

    Gulf-based corporate vehicles routing Russian exploit broker transactions will face increased financial institution due-diligence scrutiny following explicit OFAC naming of UAE entities in the designation.

    Short term · 0.7
  • Consequence

    US defence contractors with offensive cyber programmes will face heightened insider-threat monitoring requirements and stronger pre-employment screening obligations for employees with access to classified offensive tools.

    Medium term · 0.65
First reported in: Update #1 · Stryker MDM wipe exposes identity perimeter

Source: US Treasury OFAC · 17 Apr 2026
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.