{"id":25306,"date":"2026-02-26T06:39:14","date_gmt":"2026-02-26T06:39:14","guid":{"rendered":"https:\/\/microvibenews.com\/?p=25306"},"modified":"2026-02-26T06:39:14","modified_gmt":"2026-02-26T06:39:14","slug":"inside-the-story-of-the-us-defense-contractor-who-leaked-hacking-tools-to-russia","status":"publish","type":"post","link":"https:\/\/microvibenews.com\/?p=25306","title":{"rendered":"Inside the story of the US defense contractor who leaked hacking tools to Russia"},"content":{"rendered":"<p><br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">A veteran cybersecurity executive who prosecutors said \u201cbetrayed\u201d the United States will spend at least the next seven years behind bars, after pleading guilty to stealing and selling hacking and surveillance tools to a Russian firm.<\/p>\n<p class=\"wp-block-paragraph\">Peter Williams, a former executive at U.S. defense contractor L3Harris, <a href=\"https:\/\/techcrunch.com\/2026\/02\/24\/former-l3harris-trenchant-boss-jailed-for-selling-hacking-tools-to-russian-broker\/\">was sentenced on Tuesday to 87 months in prison<\/a> for leaking his former company\u2019s trade secrets in exchange for $1.3 million in crypto between 2022 and 2025. Williams sold the exploits to Operation Zero, which the U.S. government calls \u201cone of the world\u2019s most nefarious exploit brokers.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The successful conviction of Williams follows one of the most high-profile leaks of sensitive Western-made hacking tools in recent years. Even now that the case is over, there are still unanswered questions.<\/p>\n<p class=\"wp-block-paragraph\">Williams, a 39-year-old Australian citizen who resided in Washington, D.C., was the general manager of Trenchant, the division of L3Harris that develops hacking and surveillance tools for the U.S. government and its closest global intelligence partners. 
Prosecutors say <a href=\"https:\/\/techcrunch.com\/2025\/11\/03\/how-an-ex-l3-harris-trenchant-boss-stole-and-sold-cyber-exploits-to-russia\/\">Williams took advantage of having \u201cfull access\u201d to the company\u2019s secure networks<\/a> to download the hacking tools onto a portable hard drive, and later to his computer. Williams contacted Operation Zero under a pseudonym though, so it\u2019s unclear if Operation Zero ever knew Williams\u2019 real identity.<\/p>\n<p class=\"wp-block-paragraph\">Trenchant is a crew of hackers and bug hunters who dig deep into other popular software made by companies like Google and Apple, identify flaws in those millions of lines of code, then devise techniques to turn those flaws into workable exploits that can be used to reliably hack into those products. These tools are typically called <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#zero-day\">zero-day<\/a> exploits because they take advantage of software flaws unknown to its developer, which <a href=\"https:\/\/techcrunch.com\/2024\/04\/06\/price-of-zero-day-exploits-rises-as-companies-harden-products-against-hackers\/\">can be worth millions of dollars<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/techcrunch.com\/2026\/02\/11\/doj-says-trenchant-boss-sold-exploits-to-russian-broker-capable-of-accessing-millions-of-computers-and-devices\/\">U.S. Department of Justice alleged<\/a> that the hacking tools Williams sold could have allowed whoever used them to \u201cpotentially access millions of computers and devices around the world.\u201d<\/p>\n<p class=\"wp-block-paragraph\">For the past few months, I have been talking to sources and reporting on Williams\u2019 story before news broke that <a href=\"https:\/\/techcrunch.com\/2025\/10\/23\/u-s-government-accuses-former-l3harris-cyber-boss-of-stealing-trade-secrets\/\">he had been arrested<\/a>. 
But what I had heard was patchwork and at times conflicting. I had heard someone had been arrested, but given the secret nature of the work involved in exploit development, proving it would be challenging.<\/p>\n<p class=\"wp-block-paragraph\">When I first heard of Williams, I wasn\u2019t clear that I had even gotten his name right. At that point, his story was a rumor, moving through the hush-hush grapevine of zero-day exploit developers, sellers, and people with ties to the intelligence community.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">I heard that maybe he was called John, or perhaps Duggan? Or all the different ways you can spell that in English.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Some of the first rumors I heard were contradictory. Apparently he stole zero-days from Trenchant, and maybe he sold them to Russia, or perhaps another enemy of the United States and its allies, like North Korea or China?\u00a0<\/p>\n<p class=\"wp-block-paragraph\">It took weeks just to confirm that there was indeed someone who even fit that description. 
(It turned out that Williams\u2019 middle name is John, and Doogie is his nickname in hacker circles.)<\/p>\n<p class=\"wp-block-paragraph\">Then, as the weeks of reporting rolled on, things started to become much clearer.\u00a0<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-the-russian-connection\">The Russian connection<\/h2>\n<p class=\"wp-block-paragraph\">As <a href=\"https:\/\/techcrunch.com\/2025\/10\/21\/apple-alerts-exploit-developer-that-his-iphone-was-targeted-with-government-spyware\/\">I first revealed in October<\/a>, Trenchant fired an employee after Williams, who was at the time still head of Trenchant, accused the employee of stealing and leaking Chrome zero-days. The story was even more intriguing because the employee told me that after he was fired, Apple notified him that someone had targeted his personal iPhone.<\/p>\n<p class=\"wp-block-paragraph\">What I learned was just the tip of the iceberg. I had heard more from my sources, but we were still piecing parts of the story together.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Soon after, prosecutors made their first formal accusation against a man named Peter Williams for stealing trade secrets, which first surfaced in the U.S. public court system. In that first court document, prosecutors confirmed that the buyer of these trade secrets was in Russia.<\/p>\n<p class=\"wp-block-paragraph\">However, there was no explicit reference to L3Harris or Trenchant, nor to the fact that the trade secrets that Williams stole were zero-days. 
Crucially, we still couldn\u2019t confirm for certain that it was the same Peter Williams, who we thought would have access to highly sensitive exploits as Trenchant\u2019s boss, and not some terrible case of mistaken identity.<\/p>\n<p class=\"wp-block-paragraph\">We <em>still<\/em> weren\u2019t there.<\/p>\n<p class=\"wp-block-paragraph\">On a hunch and with nothing to lose, we contacted the Department of Justice to ask if they would confirm that the person in the document was in fact Peter Williams, the former boss of L3Harris Trenchant. A spokesperson confirmed.<\/p>\n<p class=\"wp-block-paragraph\">Finally, <a href=\"http:\/\/techcrunch.com\/2025\/10\/23\/u-s-government-accuses-former-l3harris-cyber-boss-of-stealing-trade-secrets\/\">the story was out<\/a>. A week later, Williams pleaded guilty.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When I first heard of his story, while I trusted my sources, I remained skeptical. Why would someone like Williams do what the rumors claimed? But he did, and did so for money, prosecutors allege, which Williams then used to buy a house, jewelry, and luxury watches.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">It was a remarkable fall from grace for Williams, once seen as an accomplished and brilliant hacker, and especially for someone who previously worked at Australia\u2019s top foreign spy agency and served in the country\u2019s military.\u00a0<\/p>\n<figure class=\"wp-block-image alignwide size-large\"><img loading=\"lazy\" decoding=\"async\" height=\"453\" width=\"680\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?w=680\" alt=\"\" class=\"wp-image-3096876\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg 4435w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=150,100 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=300,200 300w, 
https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=768,512 768w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=680,453 680w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=1200,800 1200w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=1280,853 1280w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=430,287 430w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=720,480 720w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=900,600 900w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=800,533 800w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=1536,1024 1536w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=2048,1365 2048w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=668,445 668w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=562,375 562w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=925,617 925w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=708,472 708w, https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/02\/l3harris-logo-canada.jpg?resize=50,33 50w\" sizes=\"auto, (max-width: 680px) 100vw, 680px\"\/><figcaption class=\"wp-element-caption\"><span class=\"wp-element-caption__text\">the L3Harris building in Burlington, Canada<\/span><span class=\"wp-block-image__credits\"><strong>Image Credits:<\/strong>JHVEPhoto \/ Getty Images<\/span><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-what-happened-to-the-stolen-exploits\">What happened to the stolen exploits?<\/h2>\n<p 
class=\"wp-block-paragraph\">We still don\u2019t know specifically which exploits and hacking tools Williams stole and sold. Trenchant estimated a loss of $35 million, per court documents. But Williams\u2019 lawyers said the stolen tools were not classified as a government secret.<\/p>\n<p class=\"wp-block-paragraph\">We can glean some insight based on the circumstances of the case.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Given that the Justice Department said the stolen tools could be used to hack \u201cmillions of computers and devices,\u201d it\u2019s likely the tools refer to zero-days in popular consumer software, such as Android devices, Apple\u2019s iPhones and iPads, and web browsers.<\/p>\n<p class=\"wp-block-paragraph\">There is some evidence pointing in their direction. During a hearing last year, prosecutors read out loud <a href=\"https:\/\/x.com\/opzero_en\/status\/1706762507631677760\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">a post published on X<\/a> by Operation Zero, <a href=\"https:\/\/www.wired.com\/story\/peter-williams-trenchant-trade-secrets-theft-russian-firm\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">according to independent cybersecurity reporter Kim Zetter<\/a>, who attended the hearing.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cDue to high demand on the market, we\u2019re increasing payouts for top-tier mobile exploits,\u201d read the post, which specifically mentioned Android and iOS. 
\u201cAs always, the end user is a non-NATO country.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Operation Zero <a href=\"https:\/\/techcrunch.com\/2023\/09\/27\/russian-zero-day-seller-offers-20m-for-hacking-android-and-iphones\/\">offers millions of dollars<\/a> for details of security vulnerabilities in Android devices and iPhones, messaging apps <a href=\"https:\/\/techcrunch.com\/2025\/03\/21\/russian-zero-day-seller-is-offering-up-to-4-million-for-telegram-exploits\/\">like Telegram<\/a>, as well as <a href=\"https:\/\/opzero.ru\/en\/prices\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">other kinds of software<\/a>, such as Microsoft Windows, and hardware vendors, such as several brands of servers and routers.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Operation Zero <a href=\"https:\/\/opzero.ru\/en\/#:~:text=Baseband-,OUR%20CLIENTS,-Our%20clients%20are\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">claims<\/a> to work with the Russian government. At the time Williams sold the exploits to the Russian broker, Putin\u2019s full-scale invasion of Ukraine was already underway.<\/p>\n<p class=\"wp-block-paragraph\">On the same day that Williams was sentenced, the U.S. Treasury <a href=\"https:\/\/techcrunch.com\/2026\/02\/24\/treasury-sanctions-russian-zero-day-broker-accused-of-buying-exploits-stolen-from-u-s-defense-contractor\/\">announced it had imposed sanctions<\/a> against Operation Zero and its founder Sergey Zelenyuk, calling the company a national security threat. This was the government\u2019s first confirmation that Williams had sold the exploits to Operation Zero.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In its statement, the Treasury said the broker \u201csold those stolen tools to at least one unauthorized user.\u201d At this point we don\u2019t know who this user is. 
The user could be a foreign intelligence service, or it could be a ransomware gang, given that the Treasury also sanctioned Oleg Vyacheslavovich Kucherov, an alleged member of the Trickbot gang, who also allegedly worked with Operation Zero.<\/p>\n<p class=\"wp-block-paragraph\">In a court document, prosecutors said that L3Harris was able to figure out that \u201can unauthorized vendor was selling a component\u201d of one of the stolen trade secrets \u201cby comparing company-specific vendor data found on a stolen component that matched.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Prosecutors also said that Williams \u201crecognized code he wrote and sold\u201d to Operation Zero \u201cbeing utilized by a South Korean broker,\u201d further suggesting that both L3Harris and prosecutors know which tools were stolen and sold to Operation Zero.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Another unanswered question is: Did anyone, either the U.S. government or L3Harris, alert Apple, Google, or whichever tech company\u2019s products were affected by the zero-day flaws, now that the exploits had leaked?<\/p>\n<p class=\"wp-block-paragraph\">Any company or developer would want to know that someone could have used (or could still use) a zero-day against their users and customers so that they can patch the flaws as soon as possible. And at this point, the zero-days are of no use for L3Harris and its government customers.\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When I asked Apple and Google, neither company responded to my inquiries. 
L3Harris did not respond either.\u00a0<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-who-hacked-the-scapegoat-and-why\">Who hacked the scapegoat, and why?<\/h2>\n<p class=\"wp-block-paragraph\">Then there\u2019s the mystery of the scapegoat, who was fired after Williams accused him of stealing and leaking code.<\/p>\n<p class=\"wp-block-paragraph\">At sentencing, Justice Department prosecutors <a href=\"https:\/\/techcrunch.com\/2026\/02\/11\/doj-says-trenchant-boss-sold-exploits-to-russian-broker-capable-of-accessing-millions-of-computers-and-devices\/\">confirmed<\/a> that the employee was fired, saying Williams \u201cstood idly by while another employee of the company was essentially blamed for [his] own conduct.\u201d In response, Williams\u2019 attorney rebuffed prosecutors, claiming that the former employee \u201cwas fired for misconduct,\u201d citing claims of dual-employment and improper handling of the company\u2019s intellectual property.<\/p>\n<p class=\"wp-block-paragraph\">According to a court document submitted by Williams\u2019 lawyers, as part of the L3Harris internal investigation, the company placed the employee on leave, seized his devices, transferred them to the U.S., and \u201coffered them to the FBI.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When reached for comment, an unnamed FBI spokesperson said the bureau had nothing to add apart from the Justice Department\u2019s <a href=\"https:\/\/www.justice.gov\/opa\/pr\/former-general-manager-us-defense-contractor-sentenced-87-months-selling-stolen-trade\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">press release<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">After being fired, that employee, whom we identified with the alias Jay Gibson, received a notification from Apple that his personal iPhone was targeted \u201cwith a mercenary spyware attack.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Apple <a 
href=\"https:\/\/techcrunch.com\/2024\/04\/10\/apple-warning-mercenary-spyware-attacks\/\">sends<\/a> <a href=\"https:\/\/techcrunch.com\/2025\/04\/30\/apple-notifies-new-victims-of-spyware-attacks-across-the-world\/\">these<\/a> <a href=\"https:\/\/techcrunch.com\/2025\/07\/22\/apple-alerted-iranians-to-iphone-spyware-attacks-say-researchers\/\">notifications<\/a> to users it thinks were the target of attacks using tools like those made by NSO Group or Intellexa.<\/p>\n<p class=\"wp-block-paragraph\">Who tried to hack Gibson? He received the notification on March 5, 2025, more than six months after the FBI investigation had begun. The FBI \u201cregularly interacted with [Williams] in late 2024 through the summer of 2025,\u201d <a href=\"https:\/\/www.documentcloud.org\/documents\/26950140-usa-v-williams-24-doj-sentencing-memo\/?q=october&amp;mode=document#document\/p5\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">according to a court document<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Given the nature of the leaked tools, it is plausible that the FBI, or perhaps even a U.S. intelligence agency, targeted Gibson as part of the investigation into Williams\u2019 leaks. 
But we just don\u2019t know, and there\u2019s a chance that neither the public, nor Gibson, will ever find out.<\/p>\n<p class=\"wp-block-paragraph\"><em>Updated to clarify 22nd paragraph attributing the tools\u2019 lack of classification to Williams\u2019 lawyers.<\/em><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2026\/02\/25\/inside-the-story-of-the-us-defense-contractor-who-leaked-hacking-tools-to-russia\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A veteran cybersecurity execut&hellip; <\/p>\n","protected":false},"author":1,"featured_media":25307,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[249],"tags":[1662,1665,3694,12665,3452,1801,12666,3212],"_links":{"self":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/25306"}],"collection":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25306"}],"version-history":[{"count":0,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/25306\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/media\/25307"}],"wp:attachment":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{re
l}","templated":true}]}}