Peter Williams, the former general manager of Trenchant, a division of defense contractor L3Harris that develops surveillance and hacking tools for Western governments, pleaded guilty last week to stealing some of those tools and selling them to a Russian broker. A court document filed in the case, along with exclusive reporting and interviews with Williams’ former colleagues, explained how he was able to steal the highly valuable and sensitive exploits from his own company.
Williams, a 39-year-old Australian citizen known inside the company as “Doogie,” admitted to prosecutors that he stole and sold eight exploits, or “zero-days.” These are security flaws in software that are unknown to its maker and are extremely valuable for hacking into a target’s devices. Williams stated that some of the exploits he stole from Trenchant were worth $35 million, but he only received $1.3 million in cryptocurrency from the Russian broker. He sold the eight exploits over several years, between 2022 and July 2025.
Thanks to his position and tenure at Trenchant, Williams maintained super-user access to the company’s internal, access-controlled, multi-factor authenticated secure network where its hacking tools were stored. This network was only accessible to employees with a need to know. As a super-user, Williams could view all activity, logs, and data associated with Trenchant’s secure network, including its exploits. This access gave him full control over Trenchant’s proprietary information and trade secrets.
Abusing this wide-ranging access, Williams used a portable external hard drive to transfer the exploits out of the secure networks in Trenchant’s offices in Sydney, Australia, and Washington, D.C., and then onto a personal device. He then sent the stolen tools via encrypted channels to the Russian broker.
A former Trenchant employee with knowledge of the company’s internal IT systems said that Williams was in the very high echelon of trust within the company as part of the senior leadership team. The former employee stated that Williams was perceived to be beyond reproach and had no supervision over him at all, allowing him to operate as he wished. Williams had worked at the company for years, including prior to L3Harris’s acquisition of Azimuth and Linchpin Labs, two sister startups that merged into Trenchant.
Another former employee said that the general awareness was that whoever is the general manager would have unfettered access to everything. Before the acquisition, Williams worked at Linchpin Labs, and before that at the Australian Signals Directorate, the country’s intelligence agency for digital and electronic eavesdropping.
In October 2024, Trenchant was alerted that one of its products had leaked and was in the possession of an unauthorized software broker. Williams was put in charge of the investigation into the leak. The investigation ruled out a hack of the company’s network but found that a former employee had improperly accessed the internet from an air-gapped device.
As previously reported, Williams fired a Trenchant developer in February 2025 after accusing him of being double employed. The fired employee later learned from former colleagues that Williams accused him of stealing Chrome zero-days, which he had no access to since he worked on developing exploits for iPhones and iPads. By March, Apple notified the former employee that his iPhone had been targeted by a mercenary spyware attack. In an interview, the former developer said he believed Williams framed him to cover up his own actions.
In July, the FBI interviewed Williams. He told the agents that the most likely way to steal products from the secure network would be for someone with access to download them to an air-gapped device like a mobile telephone or external drive. An air-gapped device is a computer with no internet access. Williams later confessed to the FBI in August after being confronted with evidence. He admitted that was exactly how he committed the crime.
Williams told the FBI that he recognized his code being used by a South Korean broker after he sold it to the Russian broker, though it remains unclear how the code ended up with the South Korean broker. Williams used the alias John Taylor, a foreign email provider, and unspecified encrypted apps when interacting with the Russian broker, which is likely Operation Zero. This is a Russia-based broker that offers up to $20 million for tools to hack Android phones and iPhones, which it says it sells to Russian private and government organizations only. Reporting indicates Williams likely sold the stolen tools to Operation Zero, as the court document mentions a social media post announcing an increase in the unnamed broker’s bounty payouts, which matches a post from Operation Zero at the time.
Williams sold the first exploit for $240,000, with a promise of additional payments after confirming the tool’s performance and for subsequent technical support. After this initial sale, he sold another seven exploits, agreeing to a total payment of $4 million, although he ultimately received only $1.3 million.
Williams’ case has rocked the offensive cybersecurity community, where his rumored arrest had been a topic of conversation for weeks. Some industry insiders see Williams’ actions as causing grave damage. One former Trenchant employee stated it was a betrayal to the Western national security apparatus and a betrayal towards the worst kind of threat actor, Russia. The employee explained that these secrets were given to an adversary that will absolutely undermine Western capabilities and potentially use them against other targets.

