The U.S. Department of the Treasury has taken significant action against a Russian exploit brokerage network accused of acquiring stolen U.S. government cyber tools for resale to unauthorized buyers, marking the first application of new authorities established under the Protecting American Intellectual Property Act. In an announcement on Tuesday, the Treasury’s Office of Foreign Assets Control (OFAC) designated Sergey Sergeyevich Zelenyuk, a Russian national, and his company, Operation Zero, along with several associates and affiliated firms.
This move effectively blocks any property or interests belonging to the designated parties that fall under U.S. jurisdiction, preventing U.S. persons from engaging in transactions with them. The Treasury alleges that Zelenyuk, based in St. Petersburg, developed a business around the acquisition and distribution of “exploits”—tools designed to exploit software vulnerabilities for unauthorized access or data extraction.
Operation Zero reportedly obtained multiple proprietary cyber tools, including at least eight that were originally developed by a U.S. defense contractor for exclusive use by the U.S. government and its allies. These tools were stolen by Peter Williams, an Australian national and former employee of the contractor. Williams, who took the trade secrets over the course of three years, sold the stolen tools to Operation Zero in exchange for millions of dollars in cryptocurrency. He pleaded guilty to two counts of theft of trade secrets following an investigation by the Justice Department and the Federal Bureau of Investigation.
Treasury Secretary Scott Bessent emphasized the U.S. government’s commitment to holding accountable those who seek to steal American trade secrets. “If you steal U.S. trade secrets, we will hold you accountable,” he stated. The sanctions were implemented under Executive Order 13694, aimed at countering malicious cyber-enabled activities that threaten U.S. national security, foreign policy, or economic stability.
In tandem with the Treasury’s actions, the State Department also imposed sanctions under the Protecting American Intellectual Property Act, which allows for penalties against foreign individuals or entities that engage in or benefit from significant theft of U.S. trade secrets posing a threat to national security or economic interests. Zelenyuk and Operation Zero are the first individuals to be sanctioned under this statute.
Additional associates linked to the network were also designated for sanctions, including Marina Evgenyevna Vasanovich, identified as Zelenyuk’s assistant, and Special Technology Services LLC FZ, a technology firm based in the United Arab Emirates and controlled by Zelenyuk. Moreover, two other individuals, Azizjon Makhmudovich Mamashoyev and Oleg Vyacheslavovich Kucherov, were sanctioned for providing material support to the operation. Kucherov is suspected of being a member of the Trickbot cybercrime group, which has been linked to numerous ransomware attacks targeting U.S. government agencies and healthcare providers.
Operation Zero was noted for advertising bounties worth millions of dollars in cryptocurrency for exploits that targeted commonly used U.S.-built operating systems and encrypted messaging platforms. The firm reportedly chose not to disclose any discovered vulnerabilities to the relevant software companies, opting instead to sell the information to customers in non-NATO countries, including foreign intelligence services. While the Treasury highlighted the role of cryptocurrency in facilitating transactions for these stolen tools, it has not released specific cryptocurrency wallet addresses or imposed blockchain-specific designations related to these activities.
