The U.S. Treasury said that it sanctioned a Russia-based exploit brokerage known as Operation Zero, its principal operator Sergey Sergeyevich Zelenyuk, and multiple affiliates for activity tied to the theft and sale of U.S. government cyber tools. Treasury characterized the action as the first enforcement under the Protecting American Intellectual Property Act (PAIPA), targeting a pipeline that blended insider theft, exploit brokerage, and cryptocurrency-based payments.
Treasury’s designations named Operation Zero (also identified as Matrix LLC), Zelenyuk, and affiliated individuals and entities that it says acquired and distributed at least eight proprietary zero-day exploits developed for exclusive U.S. government use. In Treasury’s framing, Operation Zero operated as an exploit broker starting in 2021, offering bounties to obtain vulnerabilities and selling them rather than facilitating disclosure to vendors.
What Treasury says the network did
Treasury described the alleged brokerage model as deliberately built around commercialization, prioritizing resale of high-end offensive tools to non-NATO customers and foreign intelligence services over responsible reporting. The enforcement narrative centers on the idea that zero-day capabilities were treated as private inventory to be monetized, not as defects to be remediated.
The designations also highlighted specific actors in the alleged chain, including Zelenyuk and an assistant, Marina Evgenyevna Vasanovich, alongside other named persons and firms. Treasury identified persons and entities such as Special Technology Services LLC FZ (a UAE-registered firm alleged to be controlled by Zelenyuk), Azizjon Makhmudovich Mamashoyev, Oleg Vyacheslavovich Kucherov (linked to Trickbot), and Advance Security Solutions as part of the broader ecosystem it targeted.
Treasury linked the case to Peter Williams, described as an Australian national and former employee of a U.S. defense contractor, who was sentenced to 87 months for selling eight proprietary zero-day exploits between 2022 and 2025 in exchange for millions of dollars in cryptocurrency. By foregrounding the Williams episode, Treasury framed the brokerage as dependent on insider access and theft of highly sensitive capabilities.
Compliance impact for crypto intermediaries
Treasury emphasized that the tools were specialized zero-day exploits capable of unauthorized access and data exfiltration, including against U.S.-built operating systems and encrypted messaging platforms. The department also underscored cryptocurrency as the payment channel in the transactions and positioned the designations as a deterrent message for would-be brokers and sellers.
For operators of crypto-asset service providers (CASPs), exchanges, and custodians, the immediate operational expectation is to treat the designations as a high-priority screening and monitoring trigger, including validation of sanctions controls against newly designated persons and linked entities. In practical compliance terms, this forces tighter counterparty due diligence, faster sanctions escalation paths, and recordkeeping that can support rapid responses to designation updates.
Beyond sanctions screening, the episode reinforces the need for stronger insider-risk controls, access governance, and vulnerability-handling discipline for firms that touch high-value security tooling or sensitive data. Treasury’s use of PAIPA in a targeted sanctions action signals a broader enforcement posture that regulated digital-asset intermediaries should assume will persist and expand as the policy toolkit is applied.
