For years, a St. Petersburg company traded in stolen US government cyber tools, paying hackers in cryptocurrency and selling the results to foreign intelligence services. It just made the Treasury’s sanctions list.
The sanctions and who is on the list
On February 24, the US Department of the Treasury’s Office of Foreign Assets Control sanctioned seven individuals and entities connected to the theft and sale of proprietary American cyber tools. The full designation is published on the Treasury’s official website, and the action was taken simultaneously with the Department of State under the Protecting American Intellectual Property Act—the first time this law has ever been used.
At the center of the network is Sergey Sergeyevich Zelenyuk, a Russian national based in St. Petersburg. Zelenyuk runs Matrix LLC, which operates publicly under the name Operation Zero. The company has functioned as an exploit broker since 2021, paying bounties to cybersecurity researchers and hackers in exchange for so-called “exploits”—pieces of code that exploit vulnerabilities in software to gain unauthorized access, steal data, or take control of devices. Operation Zero offered these rewards specifically for exploits targeting US-built operating systems and encrypted messaging applications, and in its own public materials stated it would only sell what it acquired to customers from non-NATO countries.
Among the tools Operation Zero obtained were at least eight proprietary cyber instruments created exclusively for use by the US government and its allies. Those tools were stolen by Peter Williams, an Australian national and former employee of the US company that developed them, who pleaded guilty in October 2025 to two counts of trade secret theft. Williams sold the tools to Operation Zero between 2022 and 2025 in exchange for millions of dollars paid in cryptocurrency. Operation Zero then resold them to at least one unauthorized user.
The six others designated alongside Zelenyuk are:
- Marina Evgenyevna Vasanovich, Zelenyuk’s personal assistant, designated for acting on his behalf.
- Special Technology Services LLC FZ (STS), a UAE-based technology company controlled by Zelenyuk, used as an offshore arm of the operation.
- Azizjon Makhmudovich Mamashoyev, who previously worked with Operation Zero and went on to found his own exploit brokerage.
- Advance Security Solutions, an offensive cybersecurity company founded by Mamashoyev, with operations in the UAE and Uzbekistan, which, like Operation Zero, offered bounties for exploits targeting US-built software.
- Oleg Vyacheslavovich Kucherov, a Russian national identified as a suspected member of the Trickbot cybercrime gang. Trickbot is a malware network first identified in 2016 that has carried out ransomware attacks against US government agencies, hospitals, and healthcare centers. The Treasury had already sanctioned other Trickbot members in February and September 2023. Kucherov had a prior working relationship with Operation Zero.
“If you steal US trade secrets, we will hold you accountable,” said Treasury Secretary Scott Bessent.
What the sanctions mean in practice
All property and interests in property of the designated individuals and entities within US jurisdiction are now frozen. Any transactions involving them by US individuals are prohibited unless specifically authorized by OFAC. Entities owned 50 percent or more by any of the blocked individuals are also blocked. Financial institutions and other companies risk sanctions exposure for any dealings with the designated network.
The legal dimension is significant beyond the financial impact. This is the first use of the Protecting American Intellectual Property Act, which targets those who engage in significant theft of US trade secrets when that theft poses a material threat to national security or economic stability. The fact that both Treasury and State acted simultaneously, and that the Justice Department’s investigation of Williams ran in parallel, points to a coordinated interagency effort rather than a routine designation.
The broader context
Operation Zero did not emerge in isolation. Russia’s capacity to access Western technology and cyber tools has not been eliminated by existing sanctions—it has been rerouted through brokers, intermediaries, and offshore entities, with the UAE serving as a recurring hub. As Insight News reported, Washington has sanctioned hundreds of Russian entities across the technology and defense sectors, including cybersecurity companies. And as our investigation into how Russia circumvents sanctions to procure microchips showed, the pattern is consistent: direct routes are closed, and proxy networks fill the gap.
The Operation Zero case makes the same point in the cyber domain. A St. Petersburg broker, a UAE shell company, a cryptocurrency payment trail, a former Western employee willing to sell—and at the end of the chain, stolen US government tools in the hands of foreign intelligence services that explicitly exclude NATO allies from their client list.
That is not a gap in the system. That is the system working as Russia designed it.
