
On February 24, 2026, the U.S. invoked the first-ever sanctions under the Protecting American Intellectual Property Act (PAIPA). The primary target: Russian national Sergey Zelenyuk and his exploit brokerage, Operation Zero (legally known as Matrix LLC).
Why this matters
This move marks a major pivot in U.S. strategy. By invoking PAIPA, the government is officially classifying the illicit trade of zero-day vulnerabilities as a direct threat to national security.
For the CTI community, this is a rare, high-visibility strike against the “gray market” commercial brokers who monetize government-grade flaws for foreign intelligence and criminal groups.
PAIPA (Public Law 117-336) authorizes the President to impose aggressive sanctions on any foreign entity that steals, benefits from, or supports the theft of U.S. trade secrets. Under the International Emergency Economic Powers Act, the government can freeze assets, block all U.S. transactions, and blacklist entities via the Commerce Department’s Entity List. The February 2026 sanctions against Operation Zero mark the first operational use of these powers, signaling a new era of disruption against “exploit-as-a-service” markets and critical technology theft.
The Operation Zero Playbook: Mercenary Exploits
Since 2021, Operation Zero has disrupted the traditional vulnerability market by operating as a pure mercenary broker. Unlike “white-hat” programs that help vendors patch bugs, this firm stockpiles flaws to weaponize them for the highest bidder—specifically courting the Russian government.

The Insider Threat: The Peter Williams Case
The firm’s rise was fueled by a massive security breach. Between 2022 and 2025, Australian national Peter Williams—a former manager at U.S. defense contractor L3Harris (Trenchant)—betrayed his position by stealing eight proprietary zero-day components.
- The Deal: Williams sold these “government-only” tools to Operation Zero for $1.3 million in cryptocurrency.
- The Fallout: Williams pleaded guilty to theft of trade secrets in October 2025. On February 24, 2026, he was sentenced to over seven years in federal prison.
Escalating the Arms Race
Operation Zero isn’t just buying exploits; they are outbidding the entire industry. In late 2023, the firm sent shockwaves through the CTI community by offering staggering bounties:
- Payouts: Up to $20 million for full-chain Android and iOS exploits.
- The Catch: The firm explicitly states that the end user must be a “non-NATO country.”
By setting prices significantly higher than competitors like Zerodium or Crowdfense, Operation Zero has effectively cornered the “gray market” for state-level offensive cyber tools.

The Network: Operation Zero & Its Affiliates
The February 2026 sanctions target a sophisticated, global web of shell companies and cyber-mercenaries. By placing these names on the OFAC SDN List, the U.S. has effectively frozen their global assets and barred them from the international financial system.
Core Entities & Leadership
- Operation Zero (Matrix LLC): The St. Petersburg-based “mothership” of the network. Founded in 2021 by Sergey Zelenyuk, it functions as a full-service exploit broker, supplying high-end surveillance and espionage tools to non-NATO intelligence services.
- Sergey Sergeyevich Zelenyuk: The architect and sole owner. Zelenyuk is the primary target of this action, identified as the kingpin of this mercenary network.
- Marina Vasanovich: Zelenyuk’s personal assistant and operational lead, responsible for client logistics and coordinating the sale of stolen trade secrets.
The Infrastructure of Evasion
- Special Technology Services (STS) [UAE]: A front company Zelenyuk established in late 2024 to bypass Russian bank sanctions and facilitate “gray market” sales in Asia and the Middle East.
- Advance Security Solutions [Dubai/Uzbekistan]: A parallel brokerage founded by Azizjon Mamashoyev. It acts as a secondary sourcing arm, masking the origin of exploits before they reach Operation Zero.
The Criminal Connection
- Oleg “GABR” Kucherov: A high-level Russian national and suspected member of the notorious TrickBot cybercrime gang. Kucherov provided the technical and financial backbone that allowed Operation Zero to bridge the gap between criminal ransomware and state espionage.

Strategic Recommendations for CTI
- Financial Surveillance: Monitor OFAC-listed crypto wallets and track new addresses linked to the $20M mobile-exploit bounties.
- Exploit Fingerprinting: Integrate the eight stolen components and advertised iOS/Android chains into internal IOC repositories.
- Priority Patching: Treat Operation Zero’s “Target List” as a high-priority roadmap for vulnerability management.
- Collective Defense: Share attribution data with ISACs to flag downstream abuse of these high-value exploits.
The Final Verdict
The PAIPA sanctions against Operation Zero mark a watershed moment—a powerful new lever the U.S. is now wielding against “exploit-as-a-service” markets. This isn’t just a legal update; it’s a shift in the digital balance of power.
The invocation of PAIPA means these individuals are no longer just “brokers” in the eyes of the law—they are now official threats to national security.
“If you steal U.S. trade secrets, we will hold you accountable.”
— Treasury Secretary Scott Bessent, February 24, 2026