Peter Williams, the former general manager of Trenchant, a division of defense contractor L3Harris that develops surveillance and hacking tools for Western governments, pleaded guilty last week to stealing some of those tools and selling them to a Russian broker.
A court document filed in the case, as well as exclusive reporting by TechCrunch and interviews with Williams’ former colleagues, explained how Williams was able to steal the highly valuable and sensitive exploits from Trenchant.
Williams, a 39-year-old Australian citizen who was known inside the company as “Doogie,” admitted to prosecutors that he stole and sold eight exploits, or “zero-days,” which are security flaws in software that are unknown to its maker and are extremely valuable to hack into a target’s devices. Williams said some of those exploits, which he stole from his own company Trenchant, were worth $35 million, but he only received $1.3 million in cryptocurrency from the Russian broker. Williams sold the eight exploits over the course of several years, between 2022 and July 2025.
Thanks to his position and tenure at Trenchant, according to the court document, Williams “maintained ‘super-user’ access” to the company’s “internal, access-controlled, multi-factor authenticated” secure network where its hacking tools were stored, and to which only employees with a “need to know” had access.
As a “super-user,” Williams could view all the activity, logs, and data associated with Trenchant’s secure network, including its exploits, the court document notes. Williams’ company network access gave him “full access” to Trenchant’s proprietary information and trade secrets.
Abusing this wide-ranging access, Williams used a portable external hard drive to transfer the exploits out of the secure networks in Trenchant’s offices in Sydney, Australia and Washington D.C., and then onto a personal device. At that point, Williams sent the stolen tools via encrypted channels to the Russian broker, per the court document.
A former Trenchant employee with knowledge of the company’s internal IT systems told TechCrunch that Williams “was in the very high echelon of trust” within the company as part of the senior leadership team. Williams had worked at the company for years, including prior to L3Harris’ acquisition of Azimuth and Linchpin Labs, two sister startups that merged into Trenchant.
“He was, in my opinion, perceived to be beyond reproach,” said the former employee, who asked to remain anonymous as they were not authorized to speak about their work at Trenchant.
“No one had any supervision over him at all. He was kind of allowed to do things the way he wanted to,” they said.
Contact Us
Do you have more information about this case, and the alleged leak of Trenchant hacking tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.
Another former employee, who also asked to not be named, said that “the general awareness is that whoever is the [general manager] would have unfettered access to everything.”
Before the acquisition, Williams worked at Linchpin Labs, and before then at Australian Signals Directorate, the country’s intelligence agency tasked with digital and electronic eavesdropping, according to the cybersecurity podcast Risky Business.
Sara Banda, a spokesperson for L3Harris did not respond to a request for comment.
‘Grave damage’
In October 2024, Trenchant “was alerted” that one of its products had leaked and was in the possession of “an unauthorized software broker,” per the court document. Williams was put in charge of the investigation into the leak, which ruled out a hack of the company’s network but found that a former employee “had improperly accessed the internet from an air-gapped device,” according to the court document.
As TechCrunch previously and exclusively reported, Williams fired a Trenchant developer in February 2025 after accusing him of being double employed. The fired employee later learned from some of his former colleagues that Williams accused him of stealing Chrome zero-days, which he had no access to since he worked on developing exploits for iPhones and iPads. By March, Apple notified the former employee that his iPhone had been targeted by “mercenary spyware attack.”
In an interview with TechCrunch, the former Trenchant developer said he believed Williams framed him to cover up his own actions. It’s unclear if the former developer is the same employee mentioned in the court document.
In July, the FBI interviewed Williams, who told the agents that “the most likely way” to steal products from the secure network would be for someone with access to that network to download the products to an “air‑gapped device […] like a mobile telephone or external drive.” (An air-gapped device is a computer or server that has no access to the internet.)
As it turned out, that’s exactly what Williams confessed to the FBI in August after being confronted with evidence of his crimes. Williams told the FBI that he recognized his code being used by a South Korean broker after he sold it to the Russian broker; though, it remains unclear how Trenchant’s code ended up with the South Korean broker to begin with.
Williams used the alias “John Taylor,” a foreign email provider, and unspecified encrypted apps when interacting with the Russian broker, likely Operation Zero. This is a Russia-based broker that offers up to $20 million for tools to hack Android phones and iPhones, which it says it sells to “Russian private and government organizations only.”
Wired was first to report that Williams likely sold the stolen tools to Operation Zero, given that the court document mentions a September 2023 post on social media announcing an increase in the unnamed broker’s “bounty payouts from $200,000 to $20,000,000,” which matches an Operation Zero post on X at the time.
Operation Zero did not respond to TechCrunch’s request for comment.
Williams sold the first exploit for $240,000, with the promise of additional payments after confirming the tool’s performance, and for subsequent technical support to keep the tool updated. After this initial sale, Williams sold another seven exploits, agreeing to a total payment of $4 million, although he ended up only receiving $1.3 million, according to the court document.
Williams’ case has rocked the offensive cybersecurity community, where his rumored arrest had been a topic of conversation for weeks, according to multiple people who work in the industry.
Some of these industry insiders see Williams’ actions as causing grave damage.
“It’s a betrayal to the Western national security apparatus, and it’s a betrayal towards the worst kind of threat actor that we have right now, which is Russia,” said the former Trenchant employee with knowledge of the company’s IT systems told TechCrunch.
“Because these secrets have been given to an adversary that absolutely is going to undermine our capabilities and is going to potentially even use them against other targets.”
