Inside the story of the US defense contractor who leaked hacking tools to Russia | TechCrunch

A veteran cybersecurity executive who prosecutors say “betrayed” the United States will spend at least another seven years behind bars after pleading guilty to stealing and selling hacking and surveillance tools to a Russian firm.

Peter Williams, the former head of Trenchant, a division of US defense contractor L3Harris, was sentenced to 87 months in prison on Tuesday for divulging his former company’s trade secrets in exchange for $1.3 million in cryptocurrency between 2022 and 2025. Williams sold the exploits to Operation Zero, which the US government calls “one of the world’s most nefarious brokers.”

The successful conviction of Williams follows one of the most notorious leaks of sensitive Western-made hacking tools in recent years. Even now that the case is over, there are still unanswered questions.

Williams, a 39-year-old Australian citizen who lived in Washington, DC, was CEO of Trenchant, a division of L3Harris that developed hacking and surveillance tools for the US government and its closest global intelligence partners. Prosecutors say Williams used his “full access” to the company’s secure networks to download hacking tools to a portable hard drive and later to his computer. Williams contacted Operation Zero under a pseudonym, however, so it is unclear whether Operation Zero ever knew his true identity.

Trenchant is a group of hackers and bug hunters who dig deep into popular software made by companies like Google and Apple, identify bugs in those millions of lines of code, and then work out techniques to turn those bugs into working exploits that can reliably break into those products. These tools are usually called zero-day exploits because they exploit software bugs that are unknown to the software’s developer; such exploits can be worth millions of dollars.

The US Department of Justice claimed that the hacking tools Williams sold could have allowed anyone who used them to “potentially gain access to millions of computers and devices around the world”.

I spent the last few months talking to sources and reporting on Williams’ story before news broke that he had been arrested. But what I heard was convoluted and at times contradictory. I heard that someone was arrested, but due to the secretive nature of the work involved in exploit development, it would be difficult to prove.

Contact us

Do you have more information about this case and the alleged Trenchant hacking tools leak? From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email.

When I first heard about Williams, I wasn’t sure I had his name right. At that point, his story was just a rumor, moving quietly along the zero-day exploit grapevine of developers, vendors, and people with ties to the intelligence community.

I heard his name might be John or maybe Duggan? Or all the different ways you can write it in English.

Some of the early rumors I heard were conflicting. Apparently he stole the zero-days from Trenchant and maybe sold them to Russia, or maybe another enemy of the United States and its allies like North Korea or China?

It took weeks to confirm that there was indeed someone matching that description. (It turns out Williams’ middle name is John, and Doogie is his nickname in hacker circles.)

Then, as the weeks of reporting went by, things became much clearer.

Russian connection

As I first revealed in October, Trenchant fired an employee after Williams, who was still Trenchant’s boss at the time, accused him of stealing and leaking Chrome zero-days. The story was even more interesting because the employee told me that after he was fired, Apple notified him that someone had targeted his personal iPhone.

What I learned was just the tip of the iceberg. I’ve heard more from my sources, but we’re still putting the pieces of the story together.

Soon after, prosecutors filed their first formal charges against a man named Peter Williams for trade secret theft, the first public record of the case in the US court system. In this first court document, prosecutors confirmed that the buyer of these trade secrets was in Russia.

However, there was no express reference to L3Harris or Trenchant, or to the fact that the trade secrets Williams stole were zero-days. Crucially, we still couldn’t confirm for sure that this was the same Peter Williams who, as Trenchant’s boss, would have had access to highly sensitive exploits, and not some horrible case of mistaken identity.

We still weren’t there.

With a hunch and nothing to lose, we contacted the Justice Department to ask if it would confirm that the person in the document was in fact Peter Williams, the former boss of L3Harris Trenchant. A spokeswoman confirmed it.

Finally the story came out. A week later, Williams pleaded guilty.

When I first heard about his story, even though I trusted my sources, I remained skeptical. Why would someone like Williams do what the rumors claimed? But he did, and he did it for the money, prosecutors say, which Williams then used to buy a house, jewelry and luxury watches.

It was a remarkable fall from grace for Williams, once regarded as an accomplished and brilliant hacker, and especially for someone who previously worked for Australia’s top foreign spy agency and served in the country’s military.

L3Harris building in Burlington, Canada. Image credit: JHVEPhoto/Getty Images

What happened to the stolen exploits?

We still don’t know exactly which exploits and hacking tools Williams stole and sold. Trenchant estimated the loss at $35 million, according to court documents. But Williams’ lawyers said the stolen tools were not classified as government secrets.

Based on the circumstances of the case, we can draw some inferences.

Since the Justice Department said the stolen tools could be used to hack “millions of computers and devices,” it is likely that the tools were zero-days in popular consumer platforms such as Android devices, Apple iPhones and iPads, and web browsers.

There is some evidence pointing in that direction. According to freelance cybersecurity reporter Kim Zetter, who attended the hearing, prosecutors read aloud during last year’s hearing a post published on X by Operation Zero.

“Due to high market demand, we are increasing payouts for top mobile exploits,” the post said, specifically mentioning Android and iOS. “As always, the end user is a non-NATO country.”

Operation Zero is offering millions of dollars for details of security vulnerabilities in Android devices and iPhones, in messaging apps like Telegram, in other kinds of software like Microsoft Windows, and in hardware such as several brands of servers and routers.

Operation Zero claims to be working with the Russian government. By the time Williams sold the exploits to a Russian broker, Putin’s full-scale invasion of Ukraine was already underway.

On the same day that Williams was sentenced, the US Treasury Department announced that it had imposed sanctions on Operation Zero and its founder, Sergey Zelenyuk, calling the company a national security threat. This was the government’s first confirmation that Williams had sold the stolen tools to Operation Zero.

In a statement, the Treasury Department said the broker “sold these stolen instruments to at least one unauthorized user.” We do not know who this user is at this time. The user could have been a foreign intelligence service, or it could have been a ransomware gang, given that the Treasury Department also sanctioned Oleg Vyacheslavovich Kucherov, an alleged member of the Trickbot gang who also allegedly worked with Operation Zero.

In a court brief, prosecutors said L3Harris was able to determine that “an unauthorized vendor was selling a component” of one of the stolen trade secrets “by comparing company-specific vendor information found on the stolen component that matched.”

Prosecutors also said Williams “recognized the code he wrote and sold” to Operation Zero “being used by a South Korean broker,” further suggesting that both L3Harris and prosecutors knew which tools were stolen and sold to Operation Zero.

Another unanswered question is: did anyone, whether the US government or L3Harris, alert Apple, Google, or any other tech company whose products were affected by the zero-day bugs once these exploits had leaked?

Every company or developer would want to know that someone could have used (or still can use) a zero-day against their users and customers, so that they can fix the flaws as soon as possible. And at this point, the leaked zero-days are useless to L3Harris and its customers anyway.

When I asked Apple and Google, neither company answered my questions. L3Harris also did not respond.

Who hacked the scapegoat and why?

Then there’s the mystery of the scapegoat who was fired after Williams accused him of stealing and leaking the code.

At the sentencing, DOJ prosecutors confirmed that the employee had been fired, saying that Williams “stood idly by while another company employee was essentially blamed for (his) own conduct.” In response, Williams’ attorney pushed back against prosecutors, arguing that the former employee “was fired for misconduct,” citing claims of dual employment and mishandling of the company’s intellectual property.

According to a brief filed by Williams’ lawyers, as part of L3Harris’s internal investigation, the company put employees on leave, confiscated their devices, transported them to the US and “offered them to the FBI.”

When reached for comment, an unnamed FBI spokesman said the bureau had nothing to add beyond a Justice Department press release.

After being fired, the employee, who we’ve identified as Jay Gibson, received notification from Apple that his personal iPhone had been targeted by a “mercenary spyware attack.”

Apple sends these alerts to users it believes have been targeted by attacks using tools such as those from NSO Group or Intellexa.

Who tried to hack Gibson? He received the notice on March 5, 2025, more than six months after the FBI’s investigation began. The FBI “communicated with (Williams) on a regular basis from late 2024 through the summer of 2025,” according to the brief.

Given the nature of the leaked tools, it is likely that the FBI, or perhaps even a US intelligence agency, targeted Gibson as part of their investigation into the Williams leaks. But we just don’t know, and there’s a chance neither the public nor Gibson will ever know.

Updated to clarify that the statement that the stolen tools were not classified is attributed to Williams’ attorneys.
