A veteran cybersecurity executive who prosecutors said “betrayed” the United States will spend at least the next seven years in prison after pleading guilty to stealing hacking and surveillance tools and selling them to a Russian company.
Peter Williams, a former executive at US defense contractor L3Harris, was sentenced on Tuesday to 87 months in prison for leaking his former company’s trade secrets in exchange for $1.3 million in virtual currency between 2022 and 2025. Williams sold the exploit to Operation Zero, which the U.S. government calls “one of the most nefarious exploit brokers in the world.”
Williams’ conviction follows one of the most high-profile leaks of classified Western-made hacking tools in recent years. Even though the case is over, there are still unanswered questions.
Mr. Williams, a 39-year-old Australian national who lives in Washington, D.C., was the general manager of Trenchant, a division of L3Harris that develops hacking and surveillance tools for the U.S. government and its closest global intelligence partners. Prosecutors said Williams used his “full access” to the company’s secure network to download hacking tools onto a portable hard drive and then onto his own computer. However, since Williams contacted Operation Zero under a false name, it is unclear whether Operation Zero knew Williams’ true identity.
Trenchant is a team of hackers and bug hunters who dig deep into popular software created by companies like Google and Apple, identify flaws in its millions of lines of code, and devise techniques to turn those flaws into workable exploits that can be used to reliably hack those products. These tools are commonly referred to as zero-day exploits because they exploit flaws in the software that the developers are unaware of. Such exploits can be worth millions of dollars.
The US Department of Justice claimed that anyone using the hacking tools Williams sold “could potentially gain access to millions of computers and devices around the world.”
Over the past several months, I have been speaking with sources and reporting on Mr. Williams’ story, even before news broke that he had been arrested. But what I was hearing was patchy and sometimes contradictory. I had heard that someone had been arrested, but that would be difficult to prove given the secretive nature of the work involved in exploit development.
Contact us
Do you have more information about this incident and the alleged leak of Trenchant’s hacking tools? You can contact Lorenzo Franceschi-Bicchierai securely from a non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or email.
When I first heard about Williams, I couldn’t even get his name right. At that point, his story was a rumor, quietly circulating among zero-day exploit developers, sellers, and people connected to the intelligence community.
I heard he was probably called John, or Duggan. Or perhaps it was spelled some other way in English.
Some of the initial rumors I heard were contradictory. Apparently he had stolen the zero-day from Trenchant and sold it to Russia, or perhaps to another enemy of the US and its allies, a country like North Korea or China.
It took me weeks just to confirm that someone who even fit that description actually existed. (It turns out Williams’ middle name is John, and Dougie is his nickname in hacker circles.)
Then, as the weeks of reporting continued, the picture began to become clearer.
Connection with Russia
As I first revealed in October, Trenchant fired an employee after Mr. Williams, who was still the head of Trenchant at the time, accused the employee of stealing and leaking the Chrome zero-day. The story got even more interesting because the employee told me that after he was fired, Apple notified him that someone had targeted his personal iPhone.
What I learned is just the tip of the iceberg. I had heard more details from sources, but I was still piecing together parts of the story.
Shortly thereafter, prosecutors formally charged a man named Peter Williams with stealing trade secrets, the first time the case surfaced in a U.S. court. In their first court document, prosecutors identified the buyer of these trade secrets as Russian.
However, there was no explicit reference to L3Harris or Trenchant, nor was there any evidence that the trade secrets Williams stole were zero-days. Crucially, it could not yet be confirmed with certainty that it was the same Peter Williams, who as Trenchant’s boss was thought to have access to highly sensitive exploits, and that it was not some gross case of mistaken identity.
We weren’t there yet.
Acting on a hunch that we had nothing to lose, we contacted the Department of Justice and asked if they could confirm that the person in this document was indeed Peter Williams, the former boss of L3Harris’ Trenchant. A spokesperson confirmed this.
The story has finally come out. A week later, Williams pleaded guilty.
When I first heard his story, I trusted the source but remained skeptical. Why would someone like Williams do what the rumors say? But he did it for the money, prosecutors say, and Williams used the money to buy a house, jewelry and a luxury watch.
It was a stunning fall from grace for Williams, who was once considered a skilled and talented hacker, especially for someone who previously worked for Australia’s top foreign intelligence agency and served in the country’s military.

What happened to the stolen exploit?
It is not yet known exactly what exploits and hacking tools Williams stole and sold. Court documents say Trenchant’s losses are estimated at $35 million. But Williams’ lawyers said the stolen tools were not classified as government secrets.
The circumstances of the case do offer some insight.
Given that the Justice Department said the stolen tools could be used to hack “millions of computers and devices,” the tools likely refer to zero-days in consumer software such as Android devices, Apple’s iPhones and iPads, and web browsers.
There is some evidence pointing in that direction. At last year’s hearing, prosecutors read out posts published on X by Operation Zero, according to Kim Zetter, an independent cybersecurity reporter who attended the hearing.
“Due to high market demand, we’re increasing the amount we pay for our top mobile exploits,” the post said, specifically mentioning Android and iOS. “As always, the end users are non-NATO countries.”
Operation Zero offers millions of dollars for details of security vulnerabilities in Android devices and iPhones, messaging apps such as Telegram, other types of software such as Microsoft Windows, and hardware such as several brands of servers and routers.
Operation Zero claims to be working with the Russian government. By the time Williams sold the exploit to a Russian broker, Putin’s invasion of Ukraine had already begun in earnest.
On the same day that Williams was sentenced, the U.S. Treasury Department announced sanctions against Operation Zero and its founder Sergei Zelenyuk, calling the company a national security threat. This was the government’s first confirmation that Williams sold the exploit to Operation Zero.
The Treasury Department said in a statement that the broker “sold the stolen tools to at least one unauthorized user.” At this time, we do not know who this user is. The user could be a foreign intelligence agency or even a ransomware gang, given that the Treasury Department has also sanctioned Oleg Vyacheslavovich Kucherov, a member of the Trickbot gang who allegedly collaborated with Operation Zero.
Prosecutors said in court documents that L3Harris was able to figure out that “an unauthorized vendor was selling the component,” which was one of the stolen trade secrets, “by comparing matches to company-specific vendor data found on the stolen components.”
Prosecutors also said Williams “realized that the code he wrote and sold” to Operation Zero was being used by Korean brokers, further suggesting that both L3Harris and prosecutors knew which tools were stolen and sold to Operation Zero.
Another open question is whether, now that the exploit has been leaked, either the U.S. government or L3Harris has warned Apple, Google, or other tech companies that their products are affected by the zero-day flaw.
Every company and developer wants to know that someone may have used (or is currently using) a zero-day against a user or customer so they can fix the flaw as quickly as possible. And by now, the zero-days are of no use to L3Harris and its government customers.
When we contacted Apple and Google, neither company responded. L3Harris also did not respond.
Who hacked the scapegoat, and why?
Then there’s the mystery of the scapegoat, who was fired after Williams accused him of stealing and leaking code.
At sentencing, Justice Department prosecutors acknowledged that the employee was fired and said Williams “stood by and did nothing while another employee of the company was essentially held accountable [for his] own actions.” Williams’ lawyers rejected the prosecution’s claims, arguing that the former employee was “terminated for misconduct,” citing allegations of dual employment and mishandling of the company’s intellectual property.
As part of L3Harris’ internal investigation, the company placed employees on leave, seized devices, transported them to the United States, and “provided them to the FBI,” according to court documents filed by Williams’ attorneys.
Asked for comment, an unnamed FBI spokesperson said the FBI had nothing to add beyond the Justice Department’s press release.
After being fired, the employee, whom we identified under the alias Jay Gibson, received a notification from Apple that his personal iPhone had been targeted in a “mercenary spyware attack.”
Apple sends these notifications to users it believes have been targeted by attacks using tools such as those created by NSO Group and Intellexa.
Who tried to hack Gibson? He received this notice on March 5, 2025, more than six months after the FBI investigation began. The FBI was “in regular contact” with Williams “from the end of 2024 until the summer of 2025,” court documents state.
Given the nature of the leaked tools, it’s plausible that the FBI, or perhaps the U.S. intelligence community, targeted Gibson as part of their investigation into the Williams leak. But we just don’t know, and neither the public nor Gibson may ever know.
Updated to clarify paragraph 22 attributing lack of tool classification to Williams’ attorney.
