Treasury Sanctions Russian ‘Exploit’ Broker Over Stolen US Cyber Tools

Decrypt

In brief

  • Treasury sanctions Sergey Sergeyevich Zelenyuk and Operation Zero, alleging they operated as a Russian exploit broker network.
  • According to regulators, the sanctions are the first actions under the new trade secrets sanctions law.
  • The stolen “tools” were built for exclusive U.S. government use.

The U.S. Treasury Department on Tuesday said it has sanctioned a Russian broker dealing in exploits, accused of selling stolen U.S. government cyber tools. The sanctions targeted Sergey Sergeyevich Zelenyuk and his St. Petersburg-based firm, Matrix LLC, also known as “Operation Zero.” The sanctions mark the first use of the Protecting American Intellectual Property Act to address the theft and sale of digital trade secrets, according to the Office of Foreign Assets Control. 

“Zelenyuk and Operation Zero trade in ‘exploits,’ pieces of code or techniques that take advantage of vulnerabilities in a computer program to allow users to gain unauthorized access, steal information, or take control of an electronic device,” OFAC said in a statement on Tuesday. Operation Zero would then offer bounties to anyone who provided exploits for U.S.-built software, OFAC added. Treasury also sanctioned Oleg Vyacheslavovich Kucherov, a suspected member of the Trickbot cybercrime gang, and Marina Evgenyevna Vasanovich, described as Zelenyuk’s assistant. Launched in 2021, the St. Petersburg-based Operation Zero has offered multimillion-dollar bounties for vulnerabilities in operating systems and encrypted messaging applications.

Operation Zero did not hide its bounties, many of which were openly published on X. One bounty post in November offered up to $500,000 for an exploit targeting Apple’s iOS 26. A bounty from March 2025 offered up to $4 million for Telegram “full chain” exploits.

Operation Zero’s clients are “Russian private and government organizations only,” for those seeking to purchase “research, products, and software code in the field of offensive security,” according to a rough translation of the company’s website. “Zero-day acquisition is a popular and common practice in many countries nowadays,” the company said in its FAQ. “It’s not only much more lucrative than working with bug bounties and vendors but more safe as well,” adding that a researcher who works with Operation Zero should not have to trade privacy and safety for money.

Operation Zero has stolen at least eight proprietary “cyber tools” developed for the exclusive use of the U.S. government and select allies, according to the Treasury Department. The U.S. State Department said Tuesday in a separate statement that the action follows a Justice Department and FBI investigation into Peter Williams, an Australian national and former employee of a U.S. defense contractor, who allegedly stole “eight trade secret zero-day exploits” from 2022 through to 2025.

“Those components were meant to be sold exclusively to the U.S. government and select allies,” the State Department said. “He sold these exploits to Operation Zero in exchange for $1.3 million in crypto payments.” Williams pleaded guilty in October of last year to two counts of theft of trade secrets.

Treasury said the Russian company has also worked to develop spyware and AI-based tools to extract personal identifying information and other sensitive data. It has also used social media to recruit hackers and build relationships with foreign intelligence agencies.

The Treasury Department and Operation Zero did not immediately respond to Decrypt’s requests for comment.
