Peter Williams, the former managing director of Trenchant, a division of defense contractor L3Harris that develops surveillance and hacking tools for Western governments, pleaded guilty last week to stealing some of those tools and selling them to a Russian broker.
A court document filed in the case, as well as an exclusive report from TechCrunch and interviews with Williams’ former colleagues, explained how Williams was able to steal the highly valuable and sensitive assets from Trenchant.
Williams, a 39-year-old Australian citizen known inside the company as “Doogie,” admitted to prosecutors that he stole and sold eight exploits, or “zero-days,” which are security flaws in software that are unknown to their maker and are extremely valuable for hacking a target’s devices. Williams said some of those exploits, which he stole from his own company, Trenchant, were worth $35 million, but he only received $1.3 million in cryptocurrency from the Russian broker. Williams sold the eight exploits over several years, between 2022 and July 2025.
By virtue of his position and tenure at Trenchant, according to the court document, Williams “maintained ‘superuser’ access to the company’s ‘internal, access-controlled, multi-factor authentication’ secure network where its hacking tools were stored and to which only employees with a ‘need to know’ had access.”
As a “super-user,” Williams could see all activity, logs and data related to Trenchant’s secure network, including his exploits, the court document notes. Access to Williams’ company network gave him “full access” to Trenchant’s proprietary information and trade secrets.
Exploiting this wide range of access, Williams used a portable external hard drive to transfer the exploits from secure networks to Trenchant’s offices in Sydney, Australia and Washington, DC, and then onto a personal device. At that point, Williams sent the stolen tools through encrypted channels to the Russian broker, according to the court document.
A former Trenchant employee with knowledge of the company’s internal IT systems told TechCrunch that Williams “was at a very high level of trust” within the company as a member of the senior leadership team. Williams had worked at the company for years, even before the L3Harris acquisition Azimuth and Central lever Laboratoriestwo sister newcomers who merged into Trenchant.
“It was considered, in my opinion, to be an eyesore,” said the former employee, who asked to remain anonymous as they were not authorized to speak about their work at Trenchant.
“No one had any supervision over him at all. He was allowed to do things as he pleased,” they said.
Contact us
Do you have more information about this case and the alleged leak of Trenchant hacking tools? From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
Another former employee, who also asked not to be named, said “the general perception is that whoever the [general manager] he would have unlimited access to everything.”
Before the acquisition, Williams worked at Linchpin Labs and before that at the Australian Signals Directorate, the country’s intelligence agency tasked with digital and electronic eavesdropping, according to Risky Business cyber security podcast.
Sara Banda, a spokeswoman for L3Harris, did not respond to a request for comment.
“Severe Damage”
In October 2024, Trenchant was “notified” that one of its products had been leaked and was in the possession of an “unauthorized software broker,” according to the court document. Williams was put in charge of the leak investigation, which ruled out a breach of the company’s network but found that a former employee “improperly accessed the Internet from an air-gapped device,” according to the court document.
As previously and exclusively reported by TechCrunch, Williams fired a Trenchant developer in February 2025 after accusing him of double-dealing. The fired employee later learned from some of his former colleagues that Williams accused him of stealing Chrome zero-days, which he had not had access to since he worked on developing iPhone and iPad exploits. By March, Apple notified the former employee that his iPhone had been the target of a “mercenary spyware attack.”
In an interview with TechCrunch, the former Trenchant developer said he believed Williams was framing him to cover up his own actions. It’s unclear if the former developer is the same employee listed in the court document.
In July, the FBI interviewed Williams, who told agents that “the most likely way” to steal products from the secure network would be for someone with access to that network to download the products to an “air-gapped device … like a cell phone or external drive.” (An air-gapped device is a computer or server that does not have internet access.)
As it turns out, that’s exactly what Williams confessed to the FBI in August after being confronted with evidence of his crimes. Williams told the FBI that he recognized his code was being used by a South Korean broker after he sold it to the Russian broker. However, it remains unclear how Trenchant’s code ended up on the South Korean broker.
Williams used the alias “John Taylor,” a foreign email provider, and unspecified encrypted apps when interacting with the Russian broker, possibly Operation Zero. It’s a Russia-based broker offering up to $20 million for tools to hack Android phones and iPhones, which it says it sells to “Russian private and government organizations only.”
Wired was the first to report that Williams likely sold the stolen tools to Operation Zero, since the court document cites a September 2023 social media post announcing an increase in the anonymous broker’s “grant payments from $200,000 to $20,000,000,” which fits an Operation Zero location on X at that time.
Operation Zero did not respond to TechCrunch’s request for comment.
Williams sold the first exploit for $240,000, with the promise of additional payments after the tool’s performance was confirmed and subsequent technical support to keep the tool updated. After that initial sale, Williams sold seven more exploits, agreeing to a total payment of $4 million, though he ended up receiving only $1.3 million, according to the court document.
Williams’ case has shocked the hacker cybersecurity community, where his rumored arrest has been a topic of discussion for weeks, according to several people who work in the industry.
Some of these industry insiders see Williams’ actions as causing serious damage.
“It’s a betrayal of the Western national security apparatus, and it’s a betrayal of the worst kind of threat actor we have right now, which is Russia,” the former Trenchant employee with knowledge of the company’s IT systems told TechCrunch.
“Because these secrets have been given to an adversary who is definitely going to undermine our capabilities and potentially use them against other targets as well.”
