It feels most appropriate to set the scene ahead of sharing this week’s newsletter.

A few years ago, I read This Is How They Tell Me the World Ends by Nicole Perlroth.

The book explores how software vulnerabilities called “zero-day exploits” evolved into strategic commodities traded between governments, contractors, intelligence agencies, and brokers.

Any given tech device, such as your computer or phone, might have them. And that’s precisely the reason why your device is automatically updating itself every now and then, with security being one of the key considerations.

But is that always the case? Are software vulnerabilities always meant to be fixed?

Well, not really.

The same vulnerability can also be:

  • an intelligence collection opportunity

  • a sabotage capability

  • a strategic deterrent

  • a bargaining chip

In other words, a strategic asset that any capable actor can acquire and deploy as it sees fit.

Interestingly, once such a vulnerability is discovered, governments have often faced a dilemma: disclose the vulnerability to protect their own infrastructure, or retain it to preserve a strategic advantage.

Often, retention prevails, contributing to the normalisation of offensive cyber capability.

Now back to this week’s newsletter.

On 24 February 2026, the U.S. Department of State and the U.S. Department of the Treasury announced coordinated designations targeting a Russia-based zero-day exploits broker and affiliated entities for theft of U.S. trade secrets and enabling malicious cyber activity.

This marks the first use of the U.S. sanctions regime under the Protecting American Intellectual Property Act (PAIPA). The action reflects an evolution in how governments conceptualise cyber risk: the focus is no longer limited to actors launching attacks. It now extends to the commercial infrastructure that makes those attacks possible.

In other words, the market for vulnerabilities is being pulled firmly into the sanctions and national security perimeter.

Trade secrets, not just data breaches

Why did the State Department get involved?

The announcement emphasized theft of U.S. trade secrets, shifting the lens towards the national security domain. Think of intellectual property, advanced research, proprietary manufacturing processes. And in sectors such as semiconductors, advanced materials, biotechnology, and AI, compromise of trade secrets can alter competitive positioning for years.

Therefore, cyber intrusion becomes economic leverage.

Cyber capability as a sanctionable asset

The Treasury designation reinforces a broader trend: offensive cyber capability is now treated similarly to proliferation-sensitive technology or restricted financial networks.

Just as export controls seek to limit access to advanced semiconductor manufacturing equipment, sanctions are now targeting those who broker digital intrusion tools.

The common thread is capability control.

Governments are not only reacting to cyber incidents. They are attempting to constrain the supply side of strategic tools, whether physical or digital.

What this means for institutions

For financial institutions and multinational firms, several implications follow.

First, cyber risk does not sit exclusively within IT. It intersects with sanctions compliance, export controls, third-party risk management, and geopolitical exposure.

Second, counterparties involved in cybersecurity services, vulnerability research, or exploit markets may now fall within enhanced sanctions scrutiny. Due diligence expectations are expanding accordingly.

Third, trade secret protection is increasingly a board-level issue. Intellectual property loss carries strategic consequences beyond immediate reputational damage.

Finally, enforcement tools are converging. Sanctions, export controls, and cyber policy are operating in concert.

A closing perspective

When I first read This Is How They Tell Me the World Ends, it described a world where vulnerabilities were quietly traded and weaponised. Recent designations suggest that this market is being formally integrated into the national security framework.

It feels like information security, once regarded as a purely technical domain within the confines of the technical world, will be viewed as a strategic asset and, increasingly, a sanctionable one.

As always, I am happy to compare notes if these developments intersect with your organisation’s exposure, particularly around sanctions screening, third-party cyber vendors, or intellectual property protection.

Thanks for reading,
Alexey
