Ex-L3Harris Executive Charged with Selling Cyber Exploits to Russia

Former Trenchant GM Pleads Guilty to Selling Hacking Tools to Russia
Peter Williams, previously the general manager of Trenchant – a division of L3Harris specializing in surveillance and hacking technology for Western governments – has pleaded guilty to stealing sensitive tools and selling them to a Russian intermediary. The plea was entered last week.
Details of the Exploit Theft
Court filings and reports from TechCrunch, alongside interviews with former colleagues, illuminate the methods Williams employed to acquire and transfer the valuable exploits from Trenchant. The case details how a position of trust was exploited for illicit gain.
Williams, a 39-year-old Australian national known internally as “Doogie,” confessed to stealing and selling eight “zero-day” exploits. Zero-day exploits take advantage of previously unknown security vulnerabilities in software, which makes them exceptionally valuable for gaining unauthorized access to systems.
Value and Transaction Details
The stolen exploits were estimated to be worth $35 million collectively, yet Williams received only $1.3 million in cryptocurrency from the Russian broker. The transactions occurred over a period spanning several years, from 2022 to July 2025.
Access and Abuse of Privileges
Due to his role and length of service at Trenchant, Williams possessed “super-user” access to the company’s highly secured network. This network housed the hacking tools and was protected by multi-factor authentication, accessible only to personnel with a demonstrable “need to know.”
This elevated access granted Williams complete visibility into all activity, logs, and data associated with Trenchant’s secure systems, including the sensitive exploits. His network privileges provided “full access” to the company’s proprietary information and trade secrets.
Method of Data Transfer
Williams leveraged his extensive access to transfer the exploits from Trenchant’s secure networks in Sydney, Australia, and Washington, D.C., to a personal device using a portable external hard drive. Subsequently, he transmitted the stolen tools to the Russian broker through encrypted communication channels, as outlined in the court document.
Internal Trust and Lack of Oversight
A former Trenchant employee, familiar with the company’s IT infrastructure, stated that Williams held a position of significant trust within the senior leadership team. He had been with the company for an extended period, even before L3Harris acquired Azimuth and Linchpin Labs, which later consolidated into Trenchant.
“He was, in my opinion, considered beyond reproach,” the former employee, requesting anonymity, revealed. “No one provided any oversight of his actions; he operated with considerable autonomy.”
Another anonymous former employee corroborated this, stating that the general understanding was that the general manager had unrestricted access to all company resources.
Williams’ Prior Experience
Prior to the acquisition, Williams was employed at Linchpin Labs. Before that, he worked at the Australian Signals Directorate, the nation’s intelligence agency responsible for signals and electronic intelligence gathering, according to the Risky Business cybersecurity podcast.
L3Harris’ Response
Sara Banda, a spokesperson for L3Harris, did not provide a comment when contacted regarding this matter.
Key Takeaways
- Peter Williams pleaded guilty to stealing and selling zero-day exploits.
- He exploited his super-user access to transfer data from secure networks.
- The stolen exploits were valued at $35 million, but Williams received only $1.3 million.
- Internal sources indicate a lack of oversight contributed to the security breach.
Significant Security Breach
In October of 2024, Trenchant received notification regarding a data leak involving one of its products, which had fallen into the hands of an unauthorized software broker, as detailed in court records. An internal investigation, led by Williams, determined that the company’s network had not been compromised by external hacking.
However, the investigation revealed that a former employee had improperly accessed the internet from an air-gapped device, according to the court document. An air-gapped device is a system isolated from public networks.
As previously reported by TechCrunch, Williams terminated a Trenchant developer in February 2025, alleging dual employment. The dismissed developer subsequently learned from former coworkers that Williams had accused him of theft related to Chrome zero-day vulnerabilities, despite his work focusing on iPhone and iPad exploit development.
Shortly thereafter, in March, Apple alerted the former employee to a targeted “mercenary spyware attack” against his iPhone. The developer, in a TechCrunch interview, expressed a belief that he was deliberately framed by Williams to conceal the latter’s own misconduct.
It remains unconfirmed whether this former employee is the same individual referenced in the court documentation. During a July FBI interview, Williams indicated that the most plausible method for stealing products from the secure network involved an individual with authorized access downloading them to an air-gapped device, such as a mobile phone or external storage.
Subsequently, in August, Williams confessed to the FBI after being presented with incriminating evidence. He said he had recognized his code being used by a South Korean broker after he had sold it to the Russian broker. The pathway by which Trenchant’s code reached the South Korean broker remains unclear.
Williams operated under the pseudonym “John Taylor,” utilizing a foreign email service and encrypted communication applications when interacting with the Russian broker, believed to be Operation Zero. This Russia-based entity reportedly offers rewards of up to $20 million for hacking tools targeting Android and iOS devices.
These tools are allegedly sold exclusively to Russian governmental and private organizations. Wired first reported the likely connection between Williams and Operation Zero, citing a September 2023 social media post announcing a substantial increase in the broker’s bounty payouts – from $200,000 to $20,000,000.
This increase corresponded with a similar announcement made by Operation Zero on X (formerly Twitter). Operation Zero did not respond to requests for comment from TechCrunch. The initial exploit sold by Williams fetched $240,000, with further payments contingent on successful performance verification and ongoing technical support.
Following this initial transaction, Williams sold an additional seven exploits, securing a total agreed-upon payment of $4 million, though he ultimately received only $1.3 million, as stated in the court document. Williams’ actions have caused considerable disruption within the offensive cybersecurity sector.
Rumors of his arrest had been circulating for weeks among industry professionals. Many within the community view Williams’ conduct as inflicting grave damage.
“This represents a significant breach of trust with the Western national security infrastructure, and a betrayal to the most dangerous type of adversary we currently face – Russia,” stated the former Trenchant employee familiar with the company’s IT infrastructure, in an interview with TechCrunch.
“The compromise of these secrets will undoubtedly weaken our capabilities and potentially lead to their deployment against other targets.”