Inside the story of the US defense contractor who leaked hacking tools to Russia

Source: TechCrunch

A veteran cybersecurity executive who prosecutors said “betrayed” the United States will spend at least the next seven years behind bars after pleading guilty to stealing and selling hacking and surveillance tools to a Russian company.

Peter Williams, a former executive at US defense contractor L3Harris, was sentenced on Tuesday to 87 months in prison for leaking his former company’s trade secrets in exchange for $1.3 million in cryptocurrency between 2022 and 2025. Williams sold these exploits to Operation Zero, which the US government describes as “one of the most dangerous exploit brokers in the world.”

Williams’ conviction follows one of the most high-profile leaks of sensitive hacking tools in the West in recent years. Even now that the case is over, there are still unanswered questions.

Williams, a 39-year-old Australian citizen based in Washington, D.C., was managing director of Trenchant, the L3Harris division that develops hacking and surveillance tools for the US government and its closest global intelligence partners. Prosecutors say Williams used his “full access” to the company’s secure networks to download hacking tools onto a portable hard drive and later onto his computer. Williams contacted Operation Zero under an alias, so it is unclear whether Operation Zero knew Williams’ true identity.

Trenchant is a crew of hackers and bug hunters who delve into popular software made by companies like Google and Apple, identify flaws in millions of lines of code, and then devise techniques to turn those flaws into workable exploits that can reliably hack those products. These tools are commonly called zero-days because they take advantage of software flaws unknown to the developer, and they can be worth millions of dollars.

The US Department of Justice claimed that the hacking tools sold by Williams could have allowed those using them to “potentially gain access to millions of computers and devices around the world.”

Over the past few months, before news of his arrest broke, I had been speaking to sources and piecing together Williams’ story. But what I heard was mixed and sometimes conflicting. I heard that someone had been caught, but given the secretive nature of the work involved in developing an exploit, proving it would be difficult.

Contact us

Do you have more information about this case and the alleged leak of Trenchant hacking tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram, Keybase or Wire @lorenzofb, or by email.

When I first heard about Williams, I wasn’t even sure I had his name right. At that point, his story was a rumor, traveling through the quiet grapevine of exploit developers, vendors, and people with ties to the intelligence community.

I heard he might have been called John, or maybe Dougie? Or any of the different ways you can spell that in English.

Some of the first rumors I heard were contradictory. He had apparently stolen zero-days from Trenchant and sold them, perhaps to Russia, or perhaps to another adversary of the United States and its allies, such as North Korea or China.

It took weeks just to confirm that there was someone who fit that description. (It turns out that Williams’ middle name is John, and Dougie is his nickname in hacker circles.)

Then, as the weeks of reporting went by, things started to become clearer.

Russian connection

As first revealed in October, Trenchant fired an employee after Williams, who at the time was still Trenchant’s president, accused the employee of stealing and leaking Chrome zero-days. The story was even more interesting because the employee told me that after he was fired, Apple informed him that someone had targeted his personal iPhone.

What I learned was just the tip of the iceberg. I had heard more from my sources, but was still piecing the story together.

Shortly after, the first formal charge against a man named Peter Williams for theft of trade secrets appeared in the US public court system. In that first court document, prosecutors confirmed that the buyer of the trade secrets was in Russia.

However, there was no explicit reference to L3Harris or Trenchant, nor to the fact that the trade secrets Williams stole were zero-days. More importantly, we still could not be sure it was the same Peter Williams, the Trenchant boss we believed had pulled off this highly sensitive theft, and not some egregious case of mistaken identity.

We still weren’t there.

Acting on a hunch and having nothing to lose, we contacted the Department of Justice to ask if it would confirm that the person in the document was in fact Peter Williams, the former head of L3Harris Trenchant. A spokesperson confirmed it.

Finally, the story came out. A week later, Williams pleaded guilty.

When I first heard his story, although I trusted my sources, I remained skeptical. Why would someone like Williams do what the rumors claim? But he did it, and he did it for the money, prosecutors allege, which Williams then used to buy a house, jewelry and luxury watches.

It was a notable downfall for Williams, who was once viewed as a brilliant computer hacker, especially for someone who previously worked for Australia’s largest foreign spy agency and served in the Australian military.

[Image: L3Harris building in Burlington, Canada. Image credits: J Vivoto/Getty Images]

What happened to the stolen exploits?

We still don’t know specifically what exploit kits and hacking tools Williams stole and sold. Trenchant estimated a loss of $35 million, according to court documents. But Williams’ lawyers said the stolen tools were not classified as a government secret.

We can draw some insights based on the circumstances of the case.

Given that the Justice Department said the stolen tools could be used to compromise “millions of computers and devices,” the tools were likely zero-days for popular consumer software, such as Android devices, Apple’s iPhones and iPads, and web browsers.

There is some evidence pointing in that direction. During a hearing last year, prosecutors read aloud a post published by Operation Zero on X, according to freelance cybersecurity reporter Kim Zetter, who attended the hearing.

“Due to high market demand, we are increasing payouts for top-tier mobile exploits,” the post said, which specifically mentioned Android and iOS. “As always, the end user is a non-NATO country.”

Operation Zero offers millions of dollars for details of vulnerabilities in Android and iPhone devices, in messaging apps like Telegram, in other software such as Microsoft Windows, and in hardware from many brands of servers and routers.

Operation Zero claims to be working with the Russian government. By the time Williams sold these exploits to the Russian intermediary, Putin’s all-out invasion of Ukraine was already underway.

On the same day that Williams was sentenced, the US Treasury Department announced that it had imposed sanctions on Operation Zero and its founder Sergei Zelenyuk, calling the company a national security threat. This was the first confirmation from the government that Williams had sold these vulnerabilities to Operation Zero.

The Treasury Department said in its statement that the broker “sold those stolen tools to at least one unauthorized user.” At this point we don’t know who this user is. The user could be a foreign intelligence service, or it could be a ransomware gang, since the Treasury Department also sanctioned Oleg Vyacheslavovich Kucherov, an alleged member of the Trickbot gang, who also allegedly worked with Operation Zero.

In a court document, prosecutors said L3Harris was able to discover that “an unauthorized reseller was selling a component” of one of the stolen trade secrets “by comparing the company’s vendor data found on a matching stolen component.”

Prosecutors also said that Williams “recognized the code he wrote and sold” to Operation Zero as being “used by a South Korean intermediary,” which also suggests that both L3Harris and prosecutors know which tools were stolen and sold to Operation Zero.

Another unanswered question is: Has anyone, whether the US government or L3Harris, alerted Apple, Google, or any other tech company whose products were affected by the zero-day vulnerabilities, now that the vulnerabilities have leaked?

Any company or developer would want to know that someone could have used (or could still be using) zero-days against their users and customers, so that they can patch the flaws as quickly as possible. At this point, the zero-days are of no use to L3Harris and its government clients anyway.

When I asked Apple and Google, neither company responded to my inquiries. L3Harris did not respond either.

Who hacked the scapegoat, and why?

Then there is the mystery of the scapegoat who was fired after Williams accused him of stealing and leaking tools.

At sentencing, Justice Department prosecutors confirmed that the employee was fired, saying Williams “stood by idly while the blame was essentially placed on another employee at the company” for “[his] private conduct.” In response, Williams’ attorney dismissed the claim, saying the former employee was “terminated for misconduct,” citing allegations of double employment and improper handling of the company’s intellectual property.

According to a court document filed by Williams’ attorneys, as part of L3Harris’ internal investigation into the case, the company furloughed the employee, confiscated his devices, transported them to the United States, and “offered them to the FBI.”

When reached for comment, an unnamed FBI spokesman said the bureau had nothing to add other than the Justice Department press release.

After he was fired, that employee, whom we refer to by the pseudonym Jay Gibson, received a notification from Apple that his personal iPhone had been targeted by a “mercenary spyware attack.”

Apple sends these notifications to users it believes have been targeted by attacks using tools like those made by NSO Group or Intellexa.

Who tried to hack Gibson? He received the notification on March 5, 2025, more than six months after the FBI investigation began. The FBI “regularly interacts with… [Williams]” from late 2024 through the summer of 2025, according to the court document.

Given the nature of the leaked tools, it is plausible that the FBI, or perhaps even a US intelligence agency, targeted Gibson as part of the investigation into Williams’ leaks. But we don’t know, and there’s a chance neither the public nor Gibson ever will.

Updated to clarify paragraph 22, attributing the statement that the tools were not classified to Williams’ attorneys.


Posted on: 26 February 2026 (UTC; Unix timestamp 1772078997)
