Russian Operation Zero (OpZero) Specializes in Acquiring Zero-Day Exploits

Industry | Written by Anthony M. Freed | Published on Jun 2, 2025

Operation Zero (OpZero) is a Russian-based vulnerability brokerage firm that specializes in acquiring and distributing zero-day exploits—previously unknown software vulnerabilities that can be exploited before developers have a chance to patch them.  

Founded in Saint Petersburg, Operation Zero operates within a tightly controlled ecosystem, claiming to possess all necessary legal permits to conduct its activities under Russian jurisdiction. The firm positions itself as a legally sanctioned player in the Russian offensive cyber market, providing what it describes as lawful services to domestic entities.

While the company offers no public detail about which governmental agency provides those permits, its operational scope suggests oversight by state organs such as the Federal Security Service (FSB) or the Ministry of Digital Development, Communications and Mass Media, both of which regulate cybersecurity and defense-related technologies in Russia.  

OpZero's operations center around the exclusive acquisition of high-quality, fully functional zero-day exploits, which it sources from security researchers and vulnerability developers. The company does not accept proof-of-concept code, previously sold exploits, or vulnerabilities requiring further development.  

Submissions must meet stringent technical criteria, including exploit reliability, privilege level required, and affected software versions. Communication with researchers is handled via encrypted channels—specifically PGP—to maintain strict confidentiality.  

In return for these exploits, Operation Zero offers substantial financial rewards, with payouts ranging from hundreds of thousands to several million U.S. dollars, depending on the target platform:  

Mobile Platforms:

  • Android Full Chain Zero-Click: Up to $2.5 million
  • iOS Full Chain Zero-Click: Up to $2 million
  • Signal RCE: $1.5 million
  • WhatsApp Zero-Click RCE: $1.5 million  

Desktop Applications:

  • Chrome RCE: $500,000
  • MS Edge RCE: $400,000
  • Windows LPE: $150,000  

Servers and Virtualization:

  • Apache RCE: $500,000
  • VMware ESXi RCE: $1 million
  • Microsoft Hyper-V VM Escape: $1 million  

Network hardware is also included in their bounty structure, with competitive payouts aligned with the exploit’s complexity and strategic value.

Operation Zero is led by Sergey Zelenyuk, a Russian hacker known for his experience in vulnerability research.

Under his leadership, the company has not only positioned itself as a domestic supplier but has also reportedly explored opportunities for international collaboration. Still, its public-facing materials reiterate that sales are strictly confined to Russian entities.  

Its presence on platforms like LinkedIn and X (formerly Twitter) serves more to attract vulnerability sellers than buyers, emphasizing the financial incentives and legal protections available to contributors under Russian law.

Takeaway: Operation Zero isn’t just another zero-day broker; it’s a strategic cog in Russia’s offensive cyber machine. They buy high-value, unpublished exploits and feed them directly into the Russian ecosystem: government, intelligence, private-sector contractors, the whole playbook.

They’re not helping vendors patch bugs. They’re stockpiling weapons-grade vulnerabilities to deploy against high-value targets with surgical precision. This isn’t a patch-and-protect operation; it’s spycraft.

Now, officially, Operation Zero says they only sell to Russian clients. And yeah, that probably means the usual suspects: FSB, GRU, maybe some sanctioned “private” players doing quiet work for state objectives.  

But here’s the thing—there’s no real firewall between Russian intelligence ops and ransomware crews. The overlap in TTPs, tooling, and even infrastructure is undeniable. Same loaders, same initial access methods, and the same remote management tools. Sometimes you can’t tell if you’re looking at espionage or extortion until the last payload drops.  

So, are ransomware groups buying zero-days straight from Operation Zero? Probably not directly. But are those same exploits or variations of them making their way into ransomware campaigns? Absolutely.  

Russia’s cyber landscape isn’t built on clean lines. It’s built on useful ambiguity. There’s a shared pool of tradecraft being passed around, whether it’s from a state APT crew or a ransomware gang moonlighting for a paycheck. Attribution is difficult, and this ambiguity makes it easy for Russia to blame attacks and intrusions they orchestrate on cybercriminals.

The bottom line is that Operation Zero is fueling the upper tier of Russia’s offensive cyber game, and those same tools seem to have a way of trickling down to ransomware operations. It’s strategic reuse leveraging plausible deniability.

Either way, when a zero-day shows up in a ransomware attack, don’t be surprised if it came from the same arsenal that Operation Zero helped Moscow build for breaching foreign ministries in high-level espionage campaigns.

Let’s stop pretending this isn’t by design. Russia has built a cybercriminal ecosystem that thrives on specialization. It's not just tolerated, it’s enabled. You’ve got outfits like Operation Zero sourcing high-end zero-days, initial access brokers openly selling footholds in targeted organizations like it’s real estate, ransomware crews running ops like they are seasoned spies, and professional money launderers moving crypto with impunity.  

This isn’t chaos; it’s a well-developed marketplace with plenty of room for growth and outright support from the Russian government. It works because everyone knows where the line is: don’t hit Russian-aligned targets, and you’re free to operate. That’s not lawlessness; that’s state-sanctioned criminal enterprise.
