
Operation Zero

operation-zero · primary source: Other · first observed 2021
RU · Russia · Cybercrime · High confidence · last cited Feb 23, 2026 · 3mo ago

Russian exploit-acquisition firm publicly sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in February 2026, alongside its founder Sergey Zelenyuk, for operating a market in zero-day vulnerabilities and exploit kits. Treasury's designation named Operation Zero as the buyer of eight proprietary U.S. Government cyber tools stolen by an American insider (Williams), who pleaded guilty in October 2025 and was sentenced in February 2026 to 87 months. Operation Zero is publicly known as the highest-paying exploit acquisition programme in the post-2022 market, with bounty offers of $20M for Android / iOS chains. The OFAC action is the first U.S. government sanction of a commercial exploit broker, and it signals a category extension of cyber sanctions to the offensive-tooling supply chain rather than only the operator end.

Aliases

None tracked.

Motivations

financial gain

Target sectors

technology · research

Target countries

US · GB · FR · DE · IL

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Operation Zero
  • Russia
  • financial gain
Infrastructure
Victim
  • technology
  • research
  • US
  • GB
  • FR

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

0 indicators
No indicators of compromise have been cataloged for this actor yet.

Related actors

shared ATT&CK techniques
No other tracked actor shares ATT&CK techniques with this one.

References

cite this page

Threat Intel Tracker. (2026-05-19). Operation Zero — actor profile. Retrieved from https://threatintel.local/actors/operation-zero

latest cited activity · 2026-02-24