The Treasury Department sanctions a Russian intermediary accused of purchasing stolen software from a US defense contractor

The US government on Tuesday announced sanctions on two companies that acquire and resell zero-day vulnerabilities, in addition to sanctions on their founders and partners.

US Treasury Department officials told TechCrunch that the government was sanctioning “zero-day” brokers — security vulnerabilities in software that are unknown to their developers but can be abused to hack people — because they pose a threat to US national security, foreign policy, and the economy.

The first company to be sanctioned is Operation Zero, a Russian company that launched in 2021. The company made headlines in 2023 when it announced it was offering up to $20 million for zero days in Android and iPhone devices, and later announced it was offering up to $4 million for zero days in Telegram. The company claims to work exclusively with the Russian government and local organizations.

The Treasury Department’s Office of Foreign Assets Control (OFAC) said Operation Zero customers “could use the tools to launch ransomware attacks or engage in other malicious activities.”

The Treasury Department said it was also imposing sanctions on the company’s founder, Sergey Zelenyuk, who officials have accused of selling exploit software to foreign intelligence agencies and who says he sought to develop spyware and hacking techniques. The Treasury Department said Zelenyuk was involved in recruiting hackers and developing relationships with foreign intelligence agencies through social media. (Operation Zero has accounts on both X and Telegram.)

According to the Treasury Department, Operation Zero acquired “at least eight proprietary electronic tools, created for the exclusive use of the U.S. government and selected allies, that were stolen from a U.S. company,” and then “sold those stolen tools to at least one unauthorized user.”

The Treasury Department said the sanctions imposed on Operation Zero and Zelenyuk coincide with an FBI investigation into Peter Williams, who worked for US defense company L3Harris. In October, Williams pleaded guilty to selling at least eight of the company’s exploit software to an unspecified Russian intermediary.

The Treasury now says the middleman was transaction zero, something the government has not previously confirmed.

Williams was managing director of Trenchant, which develops hacking and surveillance tools for the US government and some of its top intelligence partners, including Australia, Canada, New Zealand and the UK – the so-called Five Eyes alliance.

The Treasury Department did not respond to a series of questions regarding the sanctions imposed today.

Along with taking action against Zelenyuk, the US Treasury is sanctioning a UAE-based subsidiary called Special Technology Services, as well as Zelenyuk’s associate, Marina Evgenievna Vasanovich, and two people associated with the company, Azizjon Mahmudovich Mamashev and Oleg Vyacheslavovich Kucherov, who allegedly worked on Operation Zero.

Operation Zero, Special Technology Services, and Zelenyuk are being sanctioned in parallel under a 2022 federal law that allows the US government to sanction anyone who has committed “significant thefts of trade secrets,” according to the Treasury Department.

The Treasury Department says Kucherov, a Russian national, is suspected of being a member of the prolific TrickBot ransomware gang, whose alleged members have previously been sanctioned by the US and UK.

Mamachoev is allegedly the founder of Advance Security Solutions, another UAE-based brokerage, which was also sanctioned today.

Advance Security Solutions launched last year, offering up to $20 million for zero days that can help hack into any type of smartphone using a text message. The broker also offered high-paying bounties for hacking tools in popular software and devices such as Android, iPhone, Windows, and Chrome devices.

Operation Zero and Zelenyuk did not respond to a request for comment. Kucherov, Mamashev and Vasanovic could not immediately be reached for comment.

When contacted by TechCrunch, a person who runs a chat account for Advance Security Solutions claimed, without evidence, that Mamashoyev was not the company’s founder.