Treasury Sanctions Russian Exploit Brokerage

The U.S. sanctioned Russia-linked Operation Zero for trafficking stolen zero-day exploits tied to national security risks.

Written By
Ken Underhill
Feb 25, 2026

The U.S. government has imposed sanctions under the Protecting American Intellectual Property Act (PAIPA) on a foreign exploit brokerage accused of purchasing and reselling stolen government cyber tools.

This action targets Operation Zero, a Russia-linked exploit broker, and signals a tougher stance against markets that monetize zero-day vulnerabilities tied to national security systems. 

“If you steal U.S. trade secrets, we will hold you accountable,” said Secretary of the Treasury Scott Bessent in the press release.

Inside the Operation Zero Sanctions

On Feb. 24, 2026, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Russian national Sergey Sergeyevich Zelenyuk. 

OFAC also sanctioned his St. Petersburg-based company, Matrix LLC, which operates publicly as Operation Zero. 

In addition, five associated individuals and entities were designated for their role in acquiring and distributing cyber tools deemed harmful to U.S. national security.

The U.S. Department of State issued parallel designations under the Protecting American Intellectual Property Act (PAIPA), marking the first time the law has been used to sanction foreign exploit brokers.

According to Treasury officials, Operation Zero purchased zero-day exploits stolen from a U.S. defense contractor and resold them to unauthorized buyers. 

At the center of the case is Peter Williams, a former executive at Trenchant, a specialized cybersecurity unit owned by U.S. defense contractor L3Harris. 

Between 2022 and 2025, Williams abused his privileged access to steal at least eight zero-day exploits developed exclusively for U.S. government and allied use. 

Federal prosecutors allege he sold the stolen tools to Operation Zero in exchange for approximately $1.3 million in cryptocurrency. 

The Justice Department estimated the theft caused tens of millions of dollars in losses and posed national security risks.

Since 2021, Operation Zero has operated as a public exploit broker, offering multimillion-dollar bounties for zero-day vulnerabilities in operating systems and encrypted messaging platforms. 

The group sells to customers in non-NATO countries, including the Russian government, positioning itself as a marketplace for offensive cyber capabilities.

Prosecutors warned that the stolen tools could have enabled threat actors to compromise millions of systems worldwide.


How to Mitigate Zero-Day Risk

Zero-day vulnerabilities are difficult to defend against because they can be exploited before patches or detection signatures exist. 

To reduce risk, organizations should rely on layered security controls, behavioral monitoring, and strong operational resilience rather than reactive patching alone.

  • Use zero trust principles by enforcing continuous authentication, least-privilege access, privileged access management, and strong network segmentation to limit lateral movement.
  • Deploy detection capabilities such as EDR, XDR, behavioral analytics, memory-based exploit protections, and integrated threat intelligence feeds to identify suspicious activity and exploitation patterns.
  • Reduce attack surface by hardening systems, disabling unnecessary services, applying secure configuration baselines, and continuously managing external and cloud attack surfaces.
  • Implement continuous monitoring of endpoint, network, and outbound traffic activity, leveraging threat intelligence tools to detect command-and-control infrastructure, exploit kit activity, and data exfiltration attempts.
  • Maintain patch management processes for known CVEs and use compensating controls such as virtual patching or IPS/WAF rules when immediate fixes are not available.
  • Protect critical assets with microsegmentation, immutable backups, and strong recovery procedures to contain blast radius and ensure operational resilience if exploitation occurs.
  • Regularly test incident response plans through tabletop exercises and simulations focused on zero-day exploitation scenarios.

Collectively, these steps help limit the blast radius of a successful exploit while strengthening overall organizational resilience.
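The monitoring bullet above recommends watching outbound traffic for command-and-control activity. One concrete form of that is beacon detection: a compromised host that calls home on a timer produces small, evenly spaced connections to a single external destination, whereas human browsing produces irregular timing. The script below is an added illustration and is not code from the article or from any vendor it mentions; the log format (timestamp, source host, destination, bytes sent) and the sample lines are constructed for the example, and the thresholds (`min_connections`, `max_jitter`, `max_bytes`) are assumed starting values that a team would tune against its own baseline.

```python
"""Beaconing detector for outbound-connection logs (defender-side example).

Periodic, low-volume connections from one host to one external destination
are a classic command-and-control pattern. The detector groups connections
by (source host, destination), measures how regular the inter-connection
intervals are, and flags low-jitter, small-payload series.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Format, assumed for this example:
#   <ISO timestamp> <source host> <destination ip:port> <bytes sent>
SAMPLE_LOG = """\
2026-02-24T09:00:00 ws-17 203.0.113.9:443 312
2026-02-24T09:00:02 ws-17 198.51.100.20:443 48211
2026-02-24T09:05:00 ws-17 203.0.113.9:443 305
2026-02-24T09:10:01 ws-17 203.0.113.9:443 310
2026-02-24T09:10:30 ws-22 198.51.100.20:443 9120
2026-02-24T09:15:00 ws-17 203.0.113.9:443 308
2026-02-24T09:20:00 ws-17 203.0.113.9:443 311
2026-02-24T09:31:12 ws-22 198.51.100.20:443 1200
2026-02-24T09:47:40 ws-17 198.51.100.20:443 3300
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append({
                "ts": datetime.fromisoformat(parts[0]),
                "src": parts[1],
                "dst": parts[2],
                "bytes": int(parts[3]),
            })
        except ValueError:
            continue
    return records


def find_beacons(records, min_connections=4, max_jitter=0.05, max_bytes=1024):
    """Return (src, dst) series whose timing looks like a beacon.

    jitter = population std-dev of intervals / mean interval; a person browsing
    a site produces high jitter, a scheduled callback produces very low jitter.
    Only series with at least `min_connections` connections and whose every
    payload is <= `max_bytes` are considered, to avoid flagging bulk transfers.
    """
    series = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for r in records:
        series[(r["src"], r["dst"])].append(r)
        sources_per_dst[r["dst"]].add(r["src"])

    findings = []
    for (src, dst), conns in series.items():
        if len(conns) < min_connections:
            continue
        if max(c["bytes"] for c in conns) > max_bytes:
            continue
        conns.sort(key=lambda c: c["ts"])
        intervals = [
            (b["ts"] - a["ts"]).total_seconds() for a, b in zip(conns, conns[1:])
        ]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 4),
                # how many internal hosts talk to this destination at all;
                # 1 means a destination unique to this host, worth a closer look
                "hosts_seen": len(sources_per_dst[dst]),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections every "
              f"~{f['mean_interval_s']}s (jitter {f['jitter']}), "
              f"{f['hosts_seen']} host(s) contact this destination")
```

On the sample data only the `ws-17` to `203.0.113.9:443` series is flagged: five small connections at almost exactly five-minute intervals, to a destination no other host contacts. The large, irregular transfers to `198.51.100.20` are ignored by both the payload cap and the minimum-connection count. In production the same logic runs over proxy, firewall or NetFlow exports, and a finding is a triage lead to be checked against threat intelligence and the host's process activity, not a verdict.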


Sanctions Target Zero-Day Brokers

The sanctions against Operation Zero reflect the growing overlap between cybercrime, exploit brokerage markets, and national security concerns. 

As governments increase scrutiny of foreign entities trading in stolen zero-days, organizations should recognize how quickly advanced exploits can circulate beyond their original environments. 

The case reinforces the need to prioritize visibility, segmentation, and resilience rather than relying solely on reactive defenses.

In response to zero-day risks, organizations are exploring zero trust solutions to strengthen segmentation, reduce implicit trust, and better contain exploit attempts.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
