US Sanctions Network of Exploit Brokers That Stole US Government Cyber Tools

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on February 24, 2026, designated Russian national Sergey Sergeyevich Zelenyuk and his St. Petersburg-based company Matrix LLC, which operates publicly as Operation Zero, along with five associated individuals and entities, for acquiring and distributing cyber tools directly harmful to U.S. national security.

This marks the first-ever use of the Protecting American Intellectual Property Act (PAIPA) to impose sanctions, signaling a new enforcement posture against foreign entities that profit from the theft of American intellectual property.

At the heart of the case is Peter Williams, 39, an Australian national and former executive at Trenchant, a specialized cybersecurity unit owned by U.S. defense contractor L3Harris.

Between 2022 and 2025, Williams exploited his privileged access to steal at least eight zero-day exploits (hacking tools developed exclusively for the U.S. government and select allied partners) and sold them to Operation Zero in exchange for $1.3 million in cryptocurrency payments. The Justice Department estimates the theft caused approximately $35 million in losses to Trenchant.

Williams pleaded guilty on October 29, 2025, to two counts of theft of trade secrets and was sentenced on February 24, 2026, to 87 months (7 years, 3 months) in federal prison.

Operation Zero’s Exploit Brokerage

Operation Zero has operated as an exploit broker since 2021, openly offering millions of dollars in bounties to cybersecurity researchers and hackers for zero-day exploits targeting widely used software, including U.S.-built operating systems and encrypted messaging applications such as Telegram.

Critically, Operation Zero does not disclose discovered vulnerabilities to the affected software vendors, and it explicitly restricts its clientele to non-NATO countries, including the Russian government.

Beyond exploit brokering, Zelenyuk and Operation Zero have pursued the development of spyware and techniques for extracting sensitive personal data from AI large language model applications, and have actively recruited hackers through social media to support their operations.

The stolen tools acquired from Trenchant were sold to at least one unauthorized user, and prosecutors warned they could have allowed an end customer to potentially access millions of computers and devices worldwide.

Sanctioned Individuals and Entities

| Designated Person / Entity | Role | Basis |
| --- | --- | --- |
| Sergey Zelenyuk | Founder, Operation Zero | Cyber-enabled activities threatening U.S. national security. |
| Matrix LLC (Operation Zero) | Russian exploit brokerage | Acquisition and sale of stolen U.S. cyber tools. |
| Marina Evgenyevna Vasanovich | Zelenyuk’s assistant | Acting on behalf of Zelenyuk. |
| Special Technology Services LLC FZ (STS) | UAE-based affiliate | Controlled by Zelenyuk; sanctioned under PAIPA. |
| Oleg Vyacheslavovich Kucherov | Suspected TrickBot member | Material support to Zelenyuk. |
| Azizjon Makhmudovich Mamashoyev | Operator, Advance Security Solutions | Material support to Zelenyuk. |
| Advance Security Solutions | UAE/Uzbekistan exploit brokerage | Owned and controlled by Mamashoyev. |

Notably, Oleg Kucherov is a suspected member of the cybercrime gang behind TrickBot, a highly modular malware suite first identified in 2016 that has previously been used to conduct ransomware attacks against U.S. government agencies, hospitals, and healthcare centers. OFAC had previously designated TrickBot members in February and September 2023.

As a result of the designations, all U.S.-held property and interests of these entities are immediately blocked and must be reported to OFAC. Any entity owned 50% or more by a designated person is similarly blocked, and U.S. persons are prohibited from engaging in any transactions with those on the Specially Designated Nationals (SDN) list.

The Department of State issued parallel designations under PAIPA, making this the first application of that 2022 law against foreign exploit traders.

“If you steal U.S. trade secrets, we will hold you accountable,” said Treasury Secretary Scott Bessent, underscoring the administration’s intent to use every available legal instrument to protect American intellectual property and national security infrastructure.

The post US Sanctions Network of Exploit Brokers That Stole US Government Cyber Tools appeared first on Cyber Security News.

