U.S. Government Targets Russian Exploit Supply Chain
The U.S. Department of the Treasury announced sanctions on February 24, 2026 against Operation Zero, a Russian zero-day exploit brokerage, its founder Sergey Zelenyuk, and several affiliated individuals and entities. The action follows an FBI investigation that revealed Operation Zero acquired at least eight proprietary cyber tools originally developed for the exclusive use of the U.S. government and select allies — tools that were stolen from U.S. defense contractor L3Harris by a former employee and sold for millions of dollars in cryptocurrency.
The sanctions represent the first time the U.S. has formally designated a zero-day broker and its leadership for trafficking in stolen U.S. government cyber capabilities.
Incident Details
| Attribute | Value |
|---|---|
| Sanctioned Entity | Operation Zero (Russian zero-day exploit broker, est. 2021) |
| Founder | Sergey Zelenyuk |
| Affiliated Entity | Special Technology Services (UAE-based) |
| Sanctioned Individuals | Marina Evgenyevna Vasanovich, Azizjon Makhmudovich Mamashoyev, Oleg Vyacheslavovich Kucherov |
| Insider Threat | Peter Williams (former L3Harris employee) |
| Stolen Tools | 8+ proprietary U.S. government cyber tools |
| Payment Method | Millions in cryptocurrency |
| Theft Period | 2022–2025 |
| Announcing Agencies | U.S. Treasury (OFAC), U.S. Department of State, FBI |
How It Happened
The Insider Theft
Peter Williams, a former employee of U.S. defense contractor L3Harris (specifically its Trenchant division, which develops offensive cyber tools for U.S. intelligence agencies), stole several proprietary cyber tools from the company between 2022 and 2025. Williams then sold these tools to Operation Zero in exchange for millions of dollars paid in cryptocurrency.
Williams has pleaded guilty to the theft and sale of these tools. On the same day the sanctions were announced, he was sentenced for his role in the scheme.
The Broker Network
Operation Zero launched in 2021 as a Russian firm that acquires and resells zero-day exploits. According to the Treasury Department, Zelenyuk sold the stolen exploits to foreign intelligence agencies and sought to develop spyware and hacking technologies using the stolen U.S. tools as a foundation.
The company operated through an international network that included Special Technology Services, a UAE-based affiliate, suggesting a multi-jurisdictional structure designed to facilitate exploit sales to customers that U.S. export controls would normally restrict.
The Tools at Stake
The eight stolen tools were created exclusively for U.S. government and allied use — likely offensive cyber capabilities developed under classified or restricted programs. Operation Zero then sold those stolen tools to at least one unauthorized user, according to the Treasury statement, effectively providing adversary nations with capabilities designed by U.S. defense contractors.
Impact Assessment
| Impact Area | Description |
|---|---|
| National security | Proprietary U.S. offensive cyber tools now in adversary hands |
| Intelligence operations | Compromised tools may reveal U.S. cyber operational methods and targets |
| Defense industrial base | Exposes insider threat risks within classified cyber programs |
| Exploit market | First formal U.S. sanctions targeting a zero-day broker's entire operation |
| Cryptocurrency enforcement | Demonstrates traceability of crypto payments in cyber espionage cases |
| International coordination | UAE-based affiliate sanctioned, signaling cross-border enforcement |
Broader Context
The Zero-Day Broker Market
Operation Zero is part of a growing industry of companies that buy and sell zero-day exploits, which target vulnerabilities unknown to the software vendor. While some brokers operate in legal gray areas by selling to government clients, Operation Zero crossed a clear line by knowingly purchasing stolen U.S. government tools and reselling them to unauthorized parties.
The sanctions come amid heightened U.S. concern about the proliferation of offensive cyber capabilities, particularly to Russia and China. Previous actions have targeted commercial spyware vendors like NSO Group and Intellexa, but this marks the first action specifically against a zero-day broker accused of trafficking stolen U.S. tools.
The L3Harris Connection
L3Harris's Trenchant division (formerly Azimuth Security) is one of several U.S. defense contractors that develop offensive cyber tools for the intelligence community. The Williams case exposes the risk of insider threats within these programs, where a single employee with access can exfiltrate highly sensitive capabilities.
Key Takeaways
- Operation Zero sanctioned — First U.S. designation of a Russian zero-day broker and its full network for trafficking in stolen U.S. cyber tools
- 8+ proprietary tools stolen from L3Harris by former employee Peter Williams between 2022 and 2025, paid for in cryptocurrency
- Williams pleaded guilty and was sentenced on the same day sanctions were announced
- UAE affiliate also sanctioned — Special Technology Services designated alongside three associated individuals
- Exploit market disruption — Signals U.S. willingness to use financial sanctions against the zero-day trade, not just espionage charges
- Insider threat remains critical — A single employee compromised tools built exclusively for U.S. government use
Sources
- TechCrunch — Treasury Sanctions Russian Zero-Day Broker Accused of Buying Exploits Stolen from U.S. Defense Contractor
- U.S. Department of State — Designation of Russia-Based Zero-Day Exploits Broker and Affiliates for Theft of U.S. Trade Secrets
- The Record — U.S. Sanctions Russian Exploit Broker for Buying Cyber Tools Stolen from Defense Contractor
- CoinDesk — Millions in Crypto Funded Tools to Exploit U.S. Software, Treasury Says