A United States federal court sentenced a former cybersecurity executive to federal prison after convicting him of selling a critical software vulnerability to buyers acting on behalf of the Russian government, prosecutors said. The defendant’s actions involved a zero-day exploit that authorities said was used to compromise computer systems.
The court handed down the sentence following a guilty plea in which the executive admitted trading the previously unknown software exploit to intermediaries believed to represent Russian intelligence interests. Prosecutors said the exploit targeted widely used networking software and could allow remote attackers to execute code and take control of affected systems without detection.
In sentencing the defendant, the judge cited the serious national security implications of transferring a powerful cyber vulnerability to a foreign adversary. The term of imprisonment ordered by the court was within federal sentencing guidelines for offences involving the export of malware and illicit cyber tools.
The zero-day exploit in question had not been publicly disclosed at the time it was sold, meaning that software developers and defenders were unaware of its existence and could not patch affected products. Prosecutors told the court that the defendant understood the exploit’s potential impact and willingly engaged in its sale to representatives connected with Russian state actors.
Federal authorities said the investigation involved cooperation between multiple US law enforcement agencies, including the Federal Bureau of Investigation and the Department of Justice. The case was brought under US laws that prohibit exporting cyber weapons or vulnerabilities to designated foreign governments without a license.
The defendant’s legal team argued for a lesser sentence, citing his prior professional experience and contributions to defensive cybersecurity research. The court acknowledged these factors but determined that the deliberate sale of a zero-day exploit to agents of a foreign government warranted a custodial sentence.
Officials did not release detailed information about how the exploit was subsequently used in cyber operations, but prosecutors said that transferring the vulnerability to hostile actors hindered broader global efforts to defend networks and protect critical infrastructure.