A Russian exploit broker bought “at least eight” stolen proprietary hacking tools that had been made for the “exclusive use” of Five Eyes nations.

The US Treasury this week announced sanctions against Sergey Zelenyuk (Zelenyuk) and his company, known as Operation Zero and five others.

The tools “were stolen from a U.S. company,” The Treasury said. “Operation Zero then sold those stolen tools to at least one unauthorized user.”

The Treasury did not name the US company in its statement. 

But the same day (February 24), the US Department of Justice (DOJ) announced that it had sentenced Australian national Peter Williams to seven years in prison for stealing “highly sensitive cyber capabilities and [selling] them to a broker whose clients include the Russian government, putting our national security and countless potential victims at risk.”

Williams is a former general manager at defence contractor L3Harris. 

He worked there for its subsidiary Trenchant – which describes itself as a “world authority on cyber capabilities… and vulnerability research.”

(L3Harris currently has $114.8 million in contracts with the Department of Defense. Its UK subsidiary serves the British intelligence community with cryptographic tools and also creates electronic sensors for its P-8 surveillance planes, among other highly sensitive government work.) 

See also: FBI arrests Google sisters for alleged trade secret theft

Williams pled guilty to two counts of stealing US trade craft secrets in October 2025. The U.S. Attorney for the District of Columbia Jeanine Pirro said on Tuesday: “Williams took trade secrets comprised of [sic] national security software and sold them for up to $4 million in crypto currency. 

She added: “These incredibly powerful tools would have allowed Russia to access millions of digital devices.” 

The incident is arguably the biggest public breach of sensitive US cybersecurity capabilities since the 2016 Shadow Brokers leaks.  

The Treasury said it had sanctioned five others associated with Zelenyuk in a statement that also named, among others, a suspected member of the Trickbot cybercrime gang. 

Trickbot is a “highly modular malware suite” that the Treasury said has been used in ransomware attacks against the U.S. government, as well as hospitals and healthcare centers across the United States.  

Sanctions under a new trade secret act 

The sanction against the zero-day brokers buying these exploits is the first action taken under the Protecting American Intellectual Property Act to punish people “who have knowingly engaged in, or benefitted from, significant theft of trade secrets of United States persons” if the theft has or is likely to threaten national security, among other large scale risks. 

Zero day broking is a historically grey area where businesses buy and sell exploits developed by hackers to third parties  and governments. 

The US government itself has been known to buy zero day exploits. 

In 2013, the NSA released a document after a FOI request that revealed the department paid French zero day exploit service Vulpen for a 12-month subscription in 2012. (It was unclear if it was buying or tracking assets.)

See also: CIA CIO La’Naia Jones on AI and the spy agency's tech priorities

In a press release published Tuesday, the Treasury’s Office of Foreign Assets Control (OFAC) said Russian Sergey Sergeyevich Zelenyuk and his company Matrix LLC, trading as Operation Zero were designated for “acquisition and distribution of cyber tools harmful to U.S. national security,” alongside five unnamed associated people and entities. Designation means Zelenyuk is targeted with sanctions, travel bans and is barred from doing business with people in the US. 

The Russian-headquartered exploit broker has been in operation since 2021 and says it will only sell exploits to non-NATO countries. Although selling exploits isn’t itself illegal, the US has imposed sanctions on the basis of being complicit or engaging in cyber-related activities outside the US that pose a threat to “the national security, foreign policy, or economic health or financial stability of the United States.” 

The link has been copied!