Peter Williams, former general manager of Trenchant, a division of defense contractor L3Harris that develops surveillance and hacking tools for Western governments, pleaded guilty last week to stealing and selling some of those tools to Russian brokers.
Court documents filed in the case, exclusive reporting by TechCrunch, and interviews with Williams' former colleagues explain how Williams was able to steal highly valuable and sensitive exploits from Trenchant.
Williams, a 39-year-old Australian national known within the company as “Doogie,” admitted to prosecutors that he stole and sold eight exploits, or “zero days.” A zero-day is a security flaw in software that is unknown to its maker and is highly valuable for hacking a targeted device. Williams said some of the exploits he stole from his company, Trenchant, were worth $35 million, but he received only $1.3 million in crypto from Russian brokers. Williams sold the eight exploits over several years, from 2022 to July 2025.
Court documents say that because of his position and tenure at Trenchant, Williams “maintained 'superuser' access” to the company's “internally access-controlled, multi-factor authenticated” secure network, where hacking tools were stored and accessed only by employees on a “need to know” basis.
As a “superuser,” Williams was able to view all activity, logs and data related to Trenchant's secure network, including exploits, court documents said. Williams' access to the company's network gave him “complete access” to Trenchant's confidential information and trade secrets.
Abusing this broad access, Williams used a portable external hard drive to transfer the exploits off the secure networks of Trenchant's offices in Sydney, Australia, and Washington, DC, and onto his personal devices. From there, Williams sent the stolen tools via an encrypted channel to a Russian broker, according to court documents.
A former Trenchant employee familiar with the company's internal IT systems told TechCrunch that Williams had “a very high level of trust” within the company as a member of the senior leadership team. Williams worked at the company for years, including before L3Harris acquired Azimuth and Linchpin Labs, two sister startups that merged with Trenchant.
“In my opinion, he was considered a flawless person,” said a former employee. The person requested anonymity because he was not authorized to discuss his work at Trenchant.
“No one supervised him at all; he was allowed to do things the way he wanted,” they said.
“It's common knowledge who's in charge,” said another former employee, who also requested anonymity. “[general manager] You will have free access to everything.”
Prior to the acquisition, Williams worked at Linchpin Labs and before that at the Australian Signals Directorate, the country's intelligence agency tasked with digital and electronic eavesdropping, according to the cybersecurity podcast Risky Business.
L3Harris spokeswoman Sarah Banda did not respond to a request for comment.
“Significant damage”
In October 2024, Trenchant was “alerted” that one of its products had been compromised and was in the possession of an “unlicensed software broker,” according to court documents. Williams was put in charge of investigating the breach. The investigation ruled out a hack of the company's network but found that a former employee was “improperly accessing the Internet from an air-gapped device,” according to court documents.
As TechCrunch previously exclusively reported, Williams fired a Trenchant developer in February 2025 after accusing him of dual employment. The fired employee later learned from some former colleagues that Williams had accused him of stealing the Chrome zero-day, which he did not have access to because he was working on developing exploits for iPhones and iPads. By March, Apple notified a former employee that his iPhone had been the target of a “mercenary spyware attack.”
In an interview with TechCrunch, the former Trenchant developer said he believes Williams framed him to cover up his actions. It is unclear whether the former developer is the same employee mentioned in court documents.
In July, the FBI interviewed Williams, who told investigators that the “most likely way” to steal products from a secure network was for someone with access to that network to download the products onto an “air-gapped device […] like mobile phones and external drives.” (An air-gapped device is a computer or server that does not have access to the Internet.)
As it turns out, that is exactly what Williams confessed to having done when the FBI confronted him with evidence of the crime in August. Williams told the FBI that after selling his code to a Russian broker, he discovered it was being used by a Korean broker. However, it remains unclear how the Trenchant code got to the Korean broker in the first place.
Williams used the alias “John Taylor,” a foreign email provider, and an unspecified encryption app when communicating with the Russian broker (possibly Operation Zero). The broker, based in Russia, offers up to $20 million for tools to hack Android phones and iPhones, and says it sells to “Russian private and government entities only.”
Wired first reported that Williams likely sold the stolen tools to Operation Zero. Court documents describe a September 2023 social media post from an anonymous broker announcing an increase in the bounty payout “from $200,000 to $20 million,” which matches Operation Zero's posts on X at the time.
Operation Zero did not respond to TechCrunch's request for comment.
Williams sold the initial exploit for $240,000, with the promise of additional payments once the tool's performance was confirmed and for subsequent technical support to keep the tool up to date. After this initial sale, Williams sold seven more exploits for an agreed total of $4 million, but ultimately received only $1.3 million, according to court documents.
Williams' case has rocked the offensive cybersecurity community, where rumors of his arrest have been the talk of the town for weeks, according to people working in the industry.
Some of these industry insiders see Williams' actions as causing significant harm.
“This is a betrayal of Western national security institutions and a betrayal of the worst kind of threat actor we have today: Russia,” a former Trenchant employee familiar with the company's IT systems told TechCrunch.
“Because these secrets are being passed on to our adversaries, who are absolutely trying to undermine our capabilities, and who may also use them against other targets.”

		
									 
					