\n<\/p>\n
Peter Williams, the former general manager of Trenchant, a division of defense contractor L3Harris that develops surveillance and hacking tools for Western governments, pleaded guilty last week to stealing some of those tools and selling them to a Russian broker<\/a>. \u00a0<\/p>\n A court document filed in the case, as well as exclusive reporting by TechCrunch and interviews with Williams\u2019 former colleagues, explained how Williams was able to steal the highly valuable and sensitive exploits from Trenchant.\u00a0<\/p>\n Williams, a 39-year-old Australian citizen who was known inside the company as \u201cDoogie,\u201d admitted to prosecutors that he stole and sold eight exploits, or \u201czero-days<\/a>,\u201d which are security flaws in software that are unknown to its maker and are extremely valuable to hack into a target\u2019s devices. Williams said some of those exploits, which he stole from his own company, Trenchant,\u00a0were worth $35 million, but he only received $1.3 million in cryptocurrency from the Russian broker. Williams sold the eight exploits over the course of several years, between 2022 and July 2025.\u00a0<\/p>\n Thanks to his position and tenure at Trenchant, according to the court document, Williams \u201cmaintained \u2018super-user\u2019 access\u201d to the company\u2019s \u201cinternal, access-controlled, multi-factor authenticated\u201d\u00a0secure network where its hacking tools were stored and to which only employees with a \u201cneed to know\u201d had access. \u00a0<\/p>\n As a \u201csuper-user,\u201d Williams could view all the activity, logs, and data associated with Trenchant\u2019s secure network, including its exploits, the court document notes. Williams\u2019 company network access gave him \u201cfull access\u201d to Trenchant\u2019s proprietary information and trade secrets.\u00a0<\/p>\n Abusing this wide-ranging access, Williams used a portable external hard drive to transfer the exploits out of the secure networks in Trenchant\u2019s offices in Sydney, Australia, and Washington, D.C., and then onto a personal device. At that point, Williams sent the stolen tools via encrypted channels to the Russian broker, per the court document. \u00a0<\/p>\n A former Trenchant employee with knowledge of the company\u2019s internal IT systems told TechCrunch that\u00a0Williams \u201cwas in the very high echelon of trust\u201d within the company as part of the senior leadership team. Williams had worked at the company for years, including prior to L3Harris\u2019 acquisition of Azimuth and <\/a>Linchpin<\/a> Labs<\/a>, two sister startups that merged into Trenchant<\/a>. \u00a0<\/p>\n \u201cHe was, in my opinion, perceived to be beyond reproach,\u201d said the former employee, who asked to remain anonymous as they were not authorized to speak about\u00a0their\u00a0work at Trenchant. \u00a0<\/p>\n \u201cNo one had any supervision over him at all. He was kind of allowed to do things the way he wanted to,\u201d they said.\u00a0<\/p>\n \t\t\tDo you have more information about this case, and the alleged leak of Trenchant hacking tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email<\/a>.<\/a> \t\t<\/div>\n Another former employee, who also asked to not be named,\u00a0said that \u201cthe general awareness is that whoever is the [general manager] would have unfettered access to everything.\u201d\u00a0<\/p>\n Before the acquisition, Williams worked at Linchpin Labs, and before then at Australian Signals Directorate, the country\u2019s intelligence agency tasked with digital and electronic eavesdropping, according to the cybersecurity podcast Risky Business<\/a>. \u00a0<\/p>\n Sara Banda, a spokesperson for L3Harris, did not respond to a request for comment. \u00a0<\/p>\n In October 2024, Trenchant \u201cwas alerted\u201d that one of its products had leaked and was in the possession of \u201can unauthorized software broker,\u201d per the court document. Williams was put in charge of the investigation into the leak, which ruled out a hack of the company\u2019s network but found that a former employee\u00a0\u201chad improperly accessed the internet from an air-gapped device,\u201d according to the court document. \u00a0<\/p>\n As TechCrunch previously and exclusively reported<\/a>, Williams fired a Trenchant developer in February 2025 after accusing him of being double employed. The fired employee later learned from some of his former colleagues that Williams accused him of stealing Chrome zero-days, which he had no access to since he worked on developing exploits for iPhones and iPads. By March, Apple notified the former employee that his iPhone had been targeted by \u201cmercenary spyware attack.\u201d \u00a0<\/p>\n In an interview with TechCrunch, the former Trenchant developer said he believed Williams framed him to cover up his own actions. It\u2019s unclear if the former developer is the same employee mentioned in the court document. \u00a0<\/p>\n In July, the FBI interviewed Williams, who told the agents that \u201cthe most likely way\u201d to steal products from the secure network would be for someone with access to that network to download the products to an \u201cair\u2011gapped device\u00a0\u2026 like a mobile telephone or external drive.\u201d (An air-gapped device is a computer or server that has no access to the internet.) \u00a0<\/p>\n As it turned out, that\u2019s exactly what Williams confessed to the FBI in August after being confronted with evidence of his crimes. Williams told the FBI that he recognized his code being used by a South Korean broker after he sold it to the Russian broker; though, it remains unclear how Trenchant\u2019s code ended up with the South Korean broker to begin with.\u00a0<\/p>\n Williams used the alias \u201cJohn Taylor,\u201d a foreign email provider, and unspecified encrypted apps when interacting with the Russian broker, likely Operation Zero. This is a Russia-based broker that offers up to $20 million<\/a> for tools to hack Android phones and iPhones, which it says it sells to \u201cRussian private and government organizations only.\u201d \u00a0<\/p>\n Wired was first to report<\/a> that Williams likely sold the stolen tools to Operation Zero, given that the court document mentions a September 2023 post on social media announcing an increase in the unnamed broker\u2019s \u201cbounty payouts from $200,000 to $20,000,000,\u201d which matches an Operation Zero post on X<\/a> at the time. \u00a0<\/p>\n Operation Zero did not respond to TechCrunch\u2019s request for comment. \u00a0<\/p>\n Williams sold the first exploit for $240,000, with the promise of additional payments after confirming the tool\u2019s performance, and for subsequent technical support to keep the tool updated. After this initial sale, Williams sold another seven exploits, agreeing to a total payment of $4 million, although he ended up only receiving $1.3 million, according to the court document. \u00a0<\/p>\n Williams\u2019 case has rocked the offensive cybersecurity community, where his rumored arrest had been a topic of conversation for weeks, according to multiple people who work in the industry. \u00a0<\/p>\n Some of these industry insiders see Williams\u2019 actions as causing grave damage.\u00a0<\/p>\n \u201cIt\u2019s a betrayal to the Western national security apparatus, and it\u2019s a betrayal towards the worst kind of threat actor that we have right now, which is Russia,\u201d the former Trenchant employee with knowledge of the company\u2019s IT systems told TechCrunch. \u00a0<\/p>\n \u201cBecause these secrets have been given to an adversary that absolutely is going to undermine our capabilities and is going to potentially even use them against other targets.\u201d\u00a0<\/p>\n<\/div>\nContact Us<\/h4>\n
\u201cGrave damage\u201d\u00a0<\/h2>\n