
US Sanctions Russian Exploit Broker Operation Zero for Theft and Sale of Zero-Day Exploits Targeting US Systems


Executive Summary

Publication Date: February 24, 2026

On February 24, 2026, the United States Department of the Treasury and Department of State announced sweeping sanctions against the Russian exploit broker Operation Zero and its principal, Sergey Sergeyevich Zelenyuk, under the Protecting American Intellectual Property Act (PAIPA). This unprecedented action targets the illicit trade in zero-day vulnerabilities and the theft of proprietary US cyber tools, marking the first time PAIPA has been used to sanction a foreign exploit broker. The sanctions also extend to Matrix LLC (the legal entity behind Operation Zero), the UAE-based Special Technology Services LLC FZ (STS), and several associated individuals. The US government alleges that Operation Zero purchased and resold zero-day exploits, including those stolen from the US defense contractor Trenchant (a subsidiary of L3Harris), to non-NATO customers, including the Russian government. This advisory provides a comprehensive technical analysis of the Operation Zero case, its threat landscape, and actionable recommendations for organizations seeking to mitigate the risks posed by advanced exploit brokers.

Technical Information

The US sanctions against Operation Zero represent a watershed moment in the global fight against the proliferation of zero-day vulnerabilities and the commoditization of offensive cyber capabilities. The technical details of this case reveal a sophisticated, multi-year operation involving insider threat, advanced exploit development, cryptocurrency laundering, and the international brokerage of highly sensitive cyber weapons.

Key Actors and Infrastructure

Sergey Sergeyevich Zelenyuk is identified as the director and sole owner of Matrix LLC, operating under the trade name Operation Zero. This St. Petersburg-based entity has established itself as a public marketplace for zero-day vulnerabilities, offering multimillion-dollar bounties for exploits targeting widely used operating systems and encrypted messaging platforms. In an apparent effort to circumvent Western sanctions and expand its customer base, Zelenyuk also established Special Technology Services LLC FZ (STS) in the United Arab Emirates, providing a legal and financial conduit for transactions with clients in Asia and the Middle East.

The US government’s investigation revealed that Peter Williams, a former executive at Trenchant (a subsidiary of L3Harris), abused his privileged access between 2022 and 2025 to steal at least eight proprietary zero-day exploits. These exploits, intended for exclusive use by the US government and its allies, were sold to Operation Zero for $1.3 million in cryptocurrency. Blockchain analysis traced these payments, although specific wallet addresses have not been publicly disclosed.

Nature of the Exploits

The exploits trafficked by Operation Zero are described as zero-day vulnerabilities affecting "commonly used software, including US-built operating systems and encrypted messaging applications." Due to the classified nature of the tools and ongoing investigations, no specific CVEs, vendor advisories, or technical indicators have been released. However, the public bounty programs and marketing materials from Operation Zero indicate a focus on high-value targets such as Microsoft Windows, Apple iOS, Android, and secure messaging platforms like Signal and Telegram.

The technical sophistication of these exploits is underscored by their intended use in offensive cyber operations by nation-state actors. Exploits that compromise current, fully patched builds, particularly those requiring no user interaction, sit at the top of the threat landscape. Their theft and resale sharply increase the risk of widespread exploitation, since every new holder, including adversarial governments and advanced persistent threat (APT) groups, can use them until the underlying vulnerabilities are discovered and patched.

Tactics, Techniques, and Procedures (TTPs)

Analysis of the Operation Zero case aligns with several MITRE ATT&CK techniques. Because no technical details of the stolen exploits have been released, the mappings below are inferred from the broker's public bounty focus and from the nature of the insider theft, not from disclosed capabilities:

T1190 (Exploit Public-Facing Application): Applies only where a stolen exploit targets a network-exposed service. It has not been disclosed whether any of the eight exploits do.

T1203 (Exploitation for Client Execution): Exploits for client software such as operating system components and messaging applications, the broker's advertised focus, achieve code execution on the endpoint. The delivery vectors have not been disclosed.

T1078 (Valid Accounts): The insider component, exemplified by Peter Williams, is the abuse of legitimate credentials and privileged access to remove sensitive cyber tools. No external compromise was required.

T1588.005 (Obtain Capabilities: Exploits) and T1588.006 (Obtain Capabilities: Vulnerabilities): Operation Zero's business model is to acquire working exploits and vulnerability research and resell them to state and non-state actors.

Threat Landscape and Impact

The exposure of proprietary US cyber tools to hostile actors represents a severe escalation in the cyber arms race. The US government has explicitly stated that the stolen exploits could enable threat actors to compromise millions of systems worldwide, with particular risk to national security, defense, government, and critical infrastructure sectors. The involvement of a UAE-based front company (STS) suggests a deliberate strategy to expand the reach of these capabilities to clients in Asia and the Middle East, further complicating attribution and response efforts.

While no specific APT group has been publicly named in connection with Operation Zero, Russian government-affiliated actors are known to leverage exploit brokers for offensive cyber operations. The public nature of Operation Zero’s marketplace, combined with its willingness to transact with non-NATO customers, increases the likelihood of these tools being used in targeted attacks, espionage campaigns, and potentially destructive operations.

Indicators of Compromise (IOCs)

No technical IOCs such as malware hashes, C2 infrastructure, or exploit signatures have been released. The actionable indicators are the sanctioned entities and individuals themselves, which should be screened against vendor, customer, and payment records:

Matrix LLC (Operation Zero) and Special Technology Services LLC FZ (STS) are the primary corporate vehicles for the exploit brokerage operation. Sergey Sergeyevich Zelenyuk is the principal operator, while Peter Williams (now in custody) is the identified insider responsible for the initial theft. Cryptocurrency transactions totaling $1.3 million have been traced between Williams and Operation Zero; the wallet addresses have not been publicly disclosed.
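A screening routine for the entity names above, as an added example that is not part of this advisory and not Rescana's platform code. It normalizes names (case, punctuation, corporate suffixes such as LLC or FZ), tokenizes them, and scores counterparties with Jaccard similarity so that formatting variants and dropped patronymics still surface. The watch list is constructed from the names in this advisory and is not the OFAC SDN data file; the thresholds and the alias entries (for example "OpZero") are assumptions for illustration.

```python
"""Screen counterparty names against a sanctions watch list.

The watch list is constructed from the names in this advisory and is NOT
the OFAC SDN file; in production the SDN list is downloaded from
ofac.treasury.gov and parsed into the same (primary name, aliases) shape.
Thresholds and aliases are illustrative assumptions."""
import re

# Corporate suffixes carry no identity and are dropped before comparison.
SUFFIXES = {"llc", "fz", "ltd", "limited", "inc", "corp", "co", "company", "gmbh", "ooo"}

WATCH_LIST = [  # constructed entries: (primary name, aliases)
    ("Matrix LLC", ["Operation Zero", "OpZero"]),
    ("Special Technology Services LLC FZ", ["STS"]),
    ("Sergey Sergeyevich Zelenyuk", ["Sergei Zelenyuk"]),
]


def normalise(name):
    """Lower-case, strip dots (so 'L.L.C.' becomes 'llc'), drop punctuation and suffixes."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", name.lower().replace(".", ""))
    return frozenset(t for t in cleaned.split() if t not in SUFFIXES)


def jaccard(a, b):
    """Token-set similarity in [0, 1]; empty sets score 0 rather than raising."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def screen(counterparty, watch_list=WATCH_LIST, match=0.85, review=0.5):
    """Return the best-scoring listed name and a tier: match, review, or clear."""
    target = normalise(counterparty)
    best_score, best_hit = 0.0, None
    for primary, aliases in watch_list:
        for candidate in [primary, *aliases]:
            score = jaccard(target, normalise(candidate))
            if score > best_score:
                best_score, best_hit = score, primary
    if best_score >= match:
        tier = "match"
    elif best_score >= review:
        tier = "review"
    else:
        tier, best_hit = "clear", None
    return {"name": counterparty, "tier": tier, "score": round(best_score, 2), "listed_as": best_hit}


def screen_all(names, **kwargs):
    """Screen a batch and return only the names that need attention."""
    return [r for r in (screen(n, **kwargs) for n in names) if r["tier"] != "clear"]


if __name__ == "__main__":
    # Constructed vendor list: one exact variant, one alias hit, two near-misses, one clean name.
    vendors = ["Special Technology Services L.L.C. FZ", "OpZero Ltd", "Matrix Software LLC",
               "Sergey Zelenyuk", "Acme Widgets Ltd"]
    for result in screen_all(vendors):
        print(f"{result['tier']:6} {result['score']:.2f} {result['name']!r} -> {result['listed_as']!r}")
```

Short aliases such as "STS" will match any counterparty containing that token at the review tier, which is the intended behaviour for a human-reviewed queue but would be too noisy for automatic blocking; weight or drop aliases under four characters if the list is used that way.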

Mitigation Strategies

Given the advanced nature of the threats posed by Operation Zero, organizations must adopt a multi-layered defense strategy:

Continuous monitoring for TTPs associated with zero-day exploitation is essential. Because no signature exists for an unknown exploit, detection has to rest on post-exploitation behavior: crashes or unexpected child processes of browsers, office applications, and messaging clients; script hosts and living-off-the-land binaries launched by user-facing applications; unexpected privilege or integrity-level changes; and outbound connections from processes that normally make none.
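Two of those behavioral checks over endpoint process-creation events, as an added example that is not from this advisory or Rescana's platform. The input is constructed Sysmon-style JSON (field names such as parent_image and integrity are assumptions, not a real product schema). The first rule flags a user-facing application spawning a script host or living-off-the-land binary; the second flags a child process running at a higher integrity level than its parent. Alerts from both rules on one host inside a short window are correlated into a candidate exploit chain, which is what an analyst needs to see rather than two disconnected hits.

```python
"""Flag exploitation-like behaviour in endpoint process telemetry.

Events are constructed Sysmon-style JSON lines (field names assumed), not
real telemetry. Rule 1: a browser, office, or messaging process launches a
script host or LOLBin. Rule 2: a child runs at higher integrity than its
parent. Both rules on one host within a window form a candidate chain."""
import json
from datetime import datetime

USER_FACING = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe", "excel.exe",
               "outlook.exe", "acrord32.exe", "signal.exe", "telegram.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
                "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
CHAIN_RULES = {"user_app_spawned_script_host", "integrity_level_increase"}

# Constructed sample: a messaging client spawns rundll32, which two seconds
# later has a System-integrity child; a second host shows a benign shell.
SAMPLE_EVENTS = r"""
{"ts":"2026-02-24T09:12:01Z","host":"ws-0142","pid":4412,"ppid":3020,"image":"C:\\Program Files\\Signal\\signal.exe","parent_image":"C:\\Windows\\explorer.exe","integrity":"Medium","parent_integrity":"Medium"}
{"ts":"2026-02-24T09:12:07Z","host":"ws-0142","pid":5120,"ppid":4412,"image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Program Files\\Signal\\signal.exe","integrity":"Medium","parent_integrity":"Medium"}
{"ts":"2026-02-24T09:12:09Z","host":"ws-0142","pid":5188,"ppid":5120,"image":"C:\\Windows\\System32\\svchost.exe","parent_image":"C:\\Windows\\System32\\rundll32.exe","integrity":"System","parent_integrity":"Medium"}
{"ts":"2026-02-24T09:15:30Z","host":"ws-0007","pid":2210,"ppid":1900,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\explorer.exe","integrity":"Medium","parent_integrity":"Medium"}
"""


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def load_events(text):
    """Parse JSON lines, skipping blanks, and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def _alert(event, rule, detail):
    return {"rule": rule, "host": event["host"], "pid": event["pid"], "ts": event["ts"], "detail": detail}


def evaluate(events):
    """Apply both rules to every event; alerts come back in event order."""
    alerts = []
    for event in events:
        child, parent = basename(event["image"]), basename(event["parent_image"])
        if parent in USER_FACING and child in SCRIPT_HOSTS:
            alerts.append(_alert(event, "user_app_spawned_script_host", f"{parent} -> {child}"))
        if INTEGRITY_RANK.get(event["integrity"], 0) > INTEGRITY_RANK.get(event["parent_integrity"], 0):
            alerts.append(_alert(event, "integrity_level_increase",
                                 f"{event['parent_integrity']} -> {event['integrity']} ({child})"))
    return alerts


def correlate(alerts, window_seconds=60):
    """Per host, report the first window in which every rule in CHAIN_RULES fired."""
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert["host"], []).append(alert)
    chains = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            window = [a for a in items[i:] if (a["ts"] - first["ts"]).total_seconds() <= window_seconds]
            if CHAIN_RULES <= {a["rule"] for a in window}:
                chains.append({"host": host, "pids": [a["pid"] for a in window],
                               "span_seconds": (window[-1]["ts"] - first["ts"]).total_seconds()})
                break
    return chains


if __name__ == "__main__":
    found = evaluate(load_events(SAMPLE_EVENTS))
    for a in found:
        print(a["ts"].isoformat(), a["host"], a["rule"], a["detail"])
    for chain in correlate(found):
        print("possible exploit chain on", chain["host"], "pids", chain["pids"])
```

The benign explorer.exe to cmd.exe event on the second host produces nothing, which is the point of anchoring the rule on the parent rather than on the child alone; the correlation step is what separates a one-off script-host launch from a launch followed by a jump to System integrity.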

Integration of high-fidelity threat intelligence feeds is critical for early warning of emerging threats linked to Operation Zero and similar brokers. Organizations should ensure their security operations centers (SOCs) are equipped to ingest and act upon indicators related to sanctioned entities.

Incident response plans must be regularly tested and updated to address scenarios involving zero-day exploitation and insider threats. This includes tabletop exercises, red team engagements, and rapid containment protocols.

Supply chain security is paramount. Organizations that hold sensitive cyber tooling, especially in defense and critical infrastructure sectors, should rigorously review who can reach exploit source, build artifacts, and target lists; enforce least-privilege, per-project access; and monitor for unauthorized removal, including bulk downloads, access outside a user's assigned projects, and copies to unmanaged media. The Trenchant theft ran from 2022 to 2025 through an executive's legitimate access, so access reviews must cover senior and privileged staff rather than exempt them.
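The two access-monitoring checks just described, run over a constructed artifact-store audit log, as an added example that is not from this advisory or Rescana's platform. Each user's daily count of distinct artifacts is scored against that user's own prior days, and any access to a project outside the user's assignment is reported separately. The user names, project names, and the threshold parameters are assumptions for illustration; the log is generated inline so the block runs offline.

```python
"""Baseline-and-deviation checks for insider bulk access to sensitive tooling.

Rows are constructed (day, user, project, artifact) audit records standing in
for repository or artifact-store logs. Finding 1: a user-day whose count of
distinct artifacts exceeds that user's own prior baseline. Finding 2: access
to a project the user is not assigned to. Names and thresholds are assumed."""
from collections import defaultdict
import statistics

# Constructed least-privilege scope: the projects each user is assigned to.
ASSIGNMENTS = {"jdoe": {"proj-a"}, "mlee": {"proj-a"}, "asmith": {"proj-b"}}


def constructed_log():
    """Four quiet days for everyone, then one day on which mlee pulls far more
    than usual and reaches into a project outside the assignment."""
    rows = []
    for day in ("2026-01-05", "2026-01-06", "2026-01-07", "2026-01-08"):
        rows += [(day, "jdoe", "proj-a", "a-tool-01"), (day, "jdoe", "proj-a", "a-tool-02"),
                 (day, "mlee", "proj-a", "a-tool-01"), (day, "mlee", "proj-a", "a-tool-03"),
                 (day, "asmith", "proj-b", "b-tool-01")]
    rows += [("2026-01-09", "jdoe", "proj-a", "a-tool-02"),
             ("2026-01-09", "asmith", "proj-b", "b-tool-02")]
    rows += [("2026-01-09", "mlee", "proj-a", f"a-tool-{i:02d}") for i in range(1, 7)]
    rows += [("2026-01-09", "mlee", "proj-b", f"b-tool-{i:02d}") for i in range(1, 4)]
    return rows


def daily_counts(rows):
    """{user: {day: number of distinct (project, artifact) pairs touched}}."""
    seen = defaultdict(set)
    for day, user, project, artifact in rows:
        seen[(user, day)].add((project, artifact))
    per_user = defaultdict(dict)
    for (user, day), artifacts in seen.items():
        per_user[user][day] = len(artifacts)
    return per_user


def volume_anomalies(rows, min_prior_days=3, floor=5, sigma=3.0):
    """Flag a user-day that is both above an absolute floor and more than
    sigma standard deviations above that user's earlier days. The spread is
    floored at 1.0 so a perfectly regular history does not become a hair
    trigger, and flagged days are kept out of the baseline so sustained
    exfiltration cannot redefine 'normal' for itself."""
    findings = []
    for user, by_day in daily_counts(rows).items():
        history = []
        for day in sorted(by_day):
            count = by_day[day]
            if len(history) >= min_prior_days:
                threshold = statistics.mean(history) + sigma * max(statistics.pstdev(history), 1.0)
                if count >= floor and count > threshold:
                    findings.append({"user": user, "day": day, "count": count,
                                     "threshold": round(threshold, 1)})
                    continue  # do not let the anomalous day pollute the baseline
            history.append(count)
    return findings


def scope_violations(rows, assignments):
    """One finding per (user, project, day) where the project is outside the user's scope."""
    findings, seen = [], set()
    for day, user, project, _artifact in rows:
        if project not in assignments.get(user, set()) and (user, project, day) not in seen:
            seen.add((user, project, day))
            findings.append({"user": user, "day": day, "project": project})
    return findings


if __name__ == "__main__":
    log = constructed_log()
    for f in volume_anomalies(log):
        print("volume:", f)
    for f in scope_violations(log, ASSIGNMENTS):
        print("scope :", f)
```

A personal baseline catches the slow-and-steady insider only if the floor is low and the window is long; pairing it with the scope check matters because a privileged user who normally touches many artifacts may never trip the volume rule, while a single pull from an unassigned project is unusual on its own.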

Adoption of zero trust architectures, including continuous authentication, privileged access management, and network segmentation, can significantly reduce the blast radius of successful exploit attempts.

Deployment of advanced endpoint detection and response (EDR), extended detection and response (XDR), and behavioral analytics solutions enhances the ability to detect and respond to sophisticated attacks that bypass traditional signature-based defenses.

Attack surface reduction measures, such as hardening systems, disabling unnecessary services, and applying secure configuration baselines, limit the opportunities for exploitation.

Robust patch management remains essential, even in the face of zero-day threats. While immediate fixes may not be available for unknown vulnerabilities, compensating controls such as virtual patching, intrusion prevention systems (IPS), and web application firewalls (WAF) can provide interim protection.

Finally, resilience planning—including microsegmentation, immutable backups, and tested recovery procedures—ensures that organizations can rapidly recover from successful attacks and minimize operational impact.

Strategic Implications

The US government’s action against Operation Zero signals a new era of proactive measures against exploit brokers and the illicit trade in cyber weapons. By leveraging financial sanctions, legal action, and international cooperation, the US aims to disrupt the business models that enable the proliferation of zero-day vulnerabilities. Organizations must recognize that the threat landscape is increasingly shaped by the intersection of cybercrime, nation-state activity, and the commoditization of offensive capabilities.

References

US State Department: Designation of Russia-Based Zero-Day Exploits Broker and Affiliates for Theft of U.S. Trade Secrets (https://www.state.gov/releases/office-of-the-spokesperson/2026/02/designation-of-russia-based-zero-day-exploits-broker-and-affiliates-for-theft-of-u-s-trade-secrets)

US Treasury: Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools (https://home.treasury.gov/news/press-releases/sb0404)

SecurityWeek: US Sanctions Russian Exploit Broker Operation Zero (https://www.securityweek.com/us-sanctions-russian-exploit-broker-operation-zero/)

eSecurity Planet: Treasury Sanctions Russian Exploit Brokerage (https://www.esecurityplanet.com/threats/treasury-sanctions-russian-exploit-brokerage/)

BleepingComputer: US sanctions Russian broker for buying stolen zero-day exploits (https://www.bleepingcomputer.com/news/security/us-sanctions-russian-exploit-broker-for-buying-stolen-zero-days/)

OFAC Sanctions List (https://ofac.treasury.gov/recent-actions/20260224)

Reddit: US Sanctions Target Russian Exploit Broker Operation Zero (https://www.reddit.com/r/pwnhub/comments/1rfcooh/us_sanctions_target_russian_exploit_broker/)

X (Twitter): The Cyber News (https://x.com/The_Cyber_News/status/2026489456719704264)

Rescana is here for you

Rescana empowers organizations to proactively manage third-party risk and strengthen their cybersecurity posture through our advanced TPRM platform. Our solutions provide continuous monitoring, actionable intelligence, and automated workflows to help you identify, assess, and mitigate risks across your extended supply chain. We are committed to supporting your organization in navigating the evolving threat landscape and ensuring resilience against sophisticated cyber adversaries. For any questions or further guidance, please contact us at ops@rescana.com.
