Treasury Sanctions Exploit Broker Network for Cyber Tools Theft

Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools

Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Sergey Sergeyevich Zelenyuk and his company, Matrix LLC (doing business as Operation Zero), along with five associated individuals and entities, for their acquisition and distribution of cyber tools harmful to U.S. national security. Zelenyuk and Operation Zero trade in exploits—pieces of code or techniques that take advantage of vulnerabilities in a computer program to allow users to gain unauthorized access, steal information, or take control of an electronic device. They have offered rewards to anyone who provides them with exploits for U.S.-built software. Among the exploits that Operation Zero acquired were at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company. Operation Zero then sold those stolen tools to at least one unauthorized user. 🚨

“If you steal U.S. trade secrets, we will hold you accountable,” said Secretary of the Treasury Scott Bessent. This action coincides with an investigation by the Department of Justice and the Federal Bureau of Investigation of Peter Williams, an Australian national and a former employee of the aforementioned U.S. company who pleaded guilty on October 29, 2025, to two counts of theft of trade secrets. Williams stole several proprietary cyber tools from the company between 2022 and 2025 and sold them to Operation Zero in exchange for millions of dollars paid in cryptocurrencies. 💰

In parallel with this action, the Department of State is sanctioning Zelenyuk, Operation Zero, and an affiliated UAE company, Special Technology Services LLC FZ (STS), pursuant to the Protecting American Intellectual Property Act (PAIPA). These are the first persons sanctioned under this law.

Russian national Zelenyuk, through his St. Petersburg, Russia-headquartered company Operation Zero, has been active as an exploit broker since 2021. Operation Zero has offered millions of dollars in bounties to cybersecurity researchers and others for the development or acquisition of exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications. Operation Zero does not disclose the discovered exploits to the companies developing the affected software, and their customers could use the tools to launch ransomware attacks or engage in other malign activities. Zelenyuk and Operation Zero have stated that they will only sell the exploits they acquire to customers from non-NATO countries, and Zelenyuk has sought to sell exploits to foreign intelligence agencies. 🌍

Beyond Zelenyuk and Operation Zero, OFAC is imposing sanctions on individuals and companies associated with them. OFAC is also designating Azizjon Makhmudovich Mamashoyev and Oleg Vyacheslavovich Kucherov. Kucherov is a Russian national and a suspected member of the Trickbot cybercrime gang. Trickbot, first identified in 2016, is a highly modular malware suite that allows the Trickbot cybercrime gang to conduct a variety of malicious cyber activities, including ransomware attacks against the U.S. government, as well as hospitals and healthcare centers across the United States. Kucherov and Mamashoyev have previously had work relationships with Operation Zero. Additionally, OFAC is sanctioning Advance Security Solutions, another exploit brokerage firm that, like Operation Zero, offers bounties for exploits for U.S.-built software.

As a result of today’s action, all property and interests in property of the designated or blocked persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Unless authorized by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked persons.

This post is licensed under CC BY 4.0 by the author.