US Sanctions Russian Exploit Broker Operation Zero for Acquiring Stolen Zero-Days From Jailed L3Harris Executive
The US government has sanctioned Russian exploit broker Operation Zero (Matrix LLC), its owner Sergey Sergeyevich Zelenyuk, and six associated individuals and entities for acquiring and distributing cyber exploits that harmed national security.
The sanctions directly follow the sentencing of Peter Williams, the former L3Harris/Trenchant cyber executive who was jailed for 87 months after selling eight zero-day exploits that were restricted for use by the US government and allied entities. Operation Zero paid $1.3 million in cryptocurrency for those stolen tools.
Operation Zero's Business Model
According to the Department of State and the Treasury Department's Office of Foreign Assets Control (OFAC), Operation Zero operates as an exploit broker that has offered millions of dollars for zero-day vulnerabilities and sold them exclusively to customers in non-NATO countries, some of which used the exploits in ransomware attacks and other malicious operations.
Through Operation Zero, Zelenyuk sought to:
- Sell exploits to foreign intelligence agencies outside NATO
- Develop cyber intelligence systems including spyware
- Recruit hackers to support offensive operations
Zelenyuk also established Special Technology Services LLC FZ (STS) in the UAE specifically to circumvent US sanctions on Russian bank accounts and conduct business with entities across Asia and the Middle East.
Sanctioned Individuals and Entities
The coordinated action by the State Department and OFAC targets seven individuals and organizations:
- Sergey Sergeyevich Zelenyuk — owner and director of Operation Zero
- Operation Zero (Matrix LLC) — Russian exploit broker
- Special Technology Services LLC FZ (STS) — UAE-based front company
- Marina Evgenyevna Vasanovich — Zelenyuk's assistant
- Oleg Vyacheslavovich Kucherov — suspected Trickbot hacking group member
- Azizjon Makhmudovich Mamashoyev — former Operation Zero associate
- Advance Security Solutions — exploit broker and offensive cyber company established by Mamashoyev, operating in the UAE and Uzbekistan
The inclusion of a suspected Trickbot member in the sanctions package suggests deeper connections between Operation Zero's client network and organized cybercrime operations beyond state-sponsored espionage.
The Exploit Supply Chain Exposed
The Williams-to-Operation Zero pipeline illustrates the lifecycle of stolen offensive cyber tools: developed under government contract, stolen by a trusted insider, sold to a foreign broker for cryptocurrency, and ultimately distributed to intelligence agencies and cybercriminals who weaponized them against targets the tools were originally designed to protect.
The $1.3 million Operation Zero paid for eight exploits represents a fraction of their operational value — zero-days restricted to US government use carry significant intelligence value when redirected to adversary nations.
Defender Implications
- Exploit provenance matters — organizations should assume that sophisticated zero-day exploitation may involve tools originally developed for allied intelligence use
- UAE as an offensive cyber hub — both STS and Advance Security Solutions operated from the UAE, reinforcing the region's growing role as a base for exploit brokers and offensive cyber companies
- Cryptocurrency as the payment rail — the $1.3 million transaction underscores why blockchain analysis capabilities are increasingly critical for tracking the exploit trade