How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia


By: Bitget-RWA, 2025/11/04 04:43

Peter Williams, who previously led Trenchant—a branch of defense firm L3Harris specializing in surveillance and cyber intrusion tools for Western governments—admitted in court last week to taking some of these tools and selling them to a broker in Russia. 

According to legal filings and exclusive TechCrunch coverage, along with interviews with Williams’ ex-colleagues, details emerged about how Williams managed to extract these highly sensitive and valuable exploits from Trenchant. 

Williams, a 39-year-old Australian known internally as “Doogie,” confessed to prosecutors that he stole and sold eight so-called “zero-days”—undisclosed software vulnerabilities that are highly sought after for hacking targets’ devices. Williams claimed that some of these exploits, which he took from Trenchant, were valued at $35 million, but he only received $1.3 million in cryptocurrency from the Russian intermediary. The sales took place over several years, from 2022 until July 2025. 

The court documents state that Williams’ role and long tenure at Trenchant allowed him to retain “super-user” privileges on the company’s “internal, access-controlled, multi-factor authenticated” secure network, where these hacking tools were kept and only accessible to select employees with a legitimate need. 

As a “super-user,” Williams had the ability to monitor all activity, logs, and data on Trenchant’s secure network, including access to its exploits, according to the court records. These privileges gave him full access to Trenchant’s proprietary data and confidential information.

Taking advantage of these extensive privileges, Williams used a portable external drive to move the exploits from Trenchant’s secure networks in Sydney and Washington, D.C., onto his own device. He then transmitted the stolen tools to the Russian broker through encrypted means, as described in the court documents. 

A former Trenchant staff member familiar with the company’s IT infrastructure told TechCrunch that Williams “was among the most trusted individuals” in the organization, being part of the senior management. Williams had been with the company for years, even before L3Harris acquired Azimuth and Linchpin Labs, two startups that later merged into Trenchant. 

“In my view, he was seen as someone whose integrity was unquestioned,” said the ex-employee, who requested anonymity due to lack of authorization to discuss their work at Trenchant. 

“He operated without oversight. He was essentially free to act as he pleased,” the person added. 

Another former staff member, who also wished to remain unnamed, commented that “it’s generally understood that whoever holds the [general manager] position would have unrestricted access to everything.” 

Prior to the merger, Williams worked at Linchpin Labs, and before that, he was with the Australian Signals Directorate, the nation’s intelligence agency responsible for digital surveillance, as reported by the Risky Business cybersecurity podcast. 

Sara Banda, a representative for L3Harris, did not reply to requests for comment. 

“Severe consequences” 

In October 2024, Trenchant “became aware” that one of its products had been leaked and was in the hands of “an unauthorized software broker,” according to court records. Williams was assigned to lead the internal investigation, which determined there was no external breach but found that a former employee “had improperly accessed the internet from an air-gapped device,” as stated in the documents. 

As previously reported exclusively by TechCrunch, Williams dismissed a Trenchant developer in February 2025, accusing him of holding two jobs. The dismissed employee later heard from former colleagues that Williams had accused him of stealing Chrome zero-days, even though he only worked on iPhone and iPad exploits. By March, Apple informed the ex-employee that his iPhone had been targeted by “mercenary spyware.” 

In a conversation with TechCrunch, the former developer said he believed Williams set him up to hide his own misconduct. It is not clear if this developer is the same individual referenced in the court documents. 

In July, the FBI interviewed Williams, who told agents that the most probable method for removing products from the secure network would be for someone with access to download them onto an “air-gapped device … such as a mobile phone or external drive.” (An air-gapped device is isolated from the internet.) 

Ultimately, Williams admitted to the FBI in August, after being confronted with evidence, that this was exactly how he had stolen the tools. He also told investigators he recognized his code being used by a South Korean broker after selling it to the Russian intermediary, though it’s still unclear how the code reached the South Korean broker. 

Williams used the pseudonym “John Taylor,” a foreign email service, and unspecified encrypted messaging apps to communicate with the Russian broker, believed to be Operation Zero. This Russia-based broker offers up to $20 million for hacking tools targeting Android and iOS devices, claiming to sell exclusively to “Russian private and government clients.” 

Wired was the first to report that Williams likely sold the stolen exploits to Operation Zero, as the court filings reference a September 2023 social media post announcing the broker’s “bounty payouts” had increased from $200,000 to $20 million, matching a post by Operation Zero on X at that time. 

Operation Zero did not reply to TechCrunch’s inquiry for comment. 

Williams initially sold one exploit for $240,000, with further payments promised after the tool’s effectiveness was verified and for ongoing technical support. He later sold seven more exploits, agreeing to a total of $4 million, but ultimately received only $1.3 million, according to court records. 

The revelations about Williams have sent shockwaves through the offensive cybersecurity sector, with his rumored arrest being widely discussed among industry professionals for weeks. 

Many in the field believe Williams’ actions have caused significant harm. 

“This is a betrayal of Western national security interests, and it empowers one of our most dangerous adversaries—Russia,” the former Trenchant employee with IT knowledge told TechCrunch. 

“These confidential tools have now been handed to an opponent who will certainly use them to weaken our defenses and possibly target others as well.” 
