How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia

Peter Williams, former general manager of Trenchant, a division of defense contractor L3Harris that makes surveillance and hacking tools for Western governments, pleaded guilty last week to stealing some of those tools and selling them to a Russian broker.

A court document filed in the case, as well as TechCrunch’s exclusive report and interviews with Williams’ former colleagues, explain how Williams was able to steal highly valuable and sensitive exploits from Trenchant.

Williams, a 39-year-old Australian national known inside the company as “Dougie”, admitted to prosecutors that he stole and sold eight exploits, or “zero-days,” which are security flaws in software that are unknown to its maker and are extremely valuable for hacking a target’s device. Williams said some of the exploits, which he stole from his own company, Trenchant, were worth $35 million, but he received only $1.3 million in cryptocurrency from a Russian broker. Williams sold the eight exploits over several years, up to July 2025.

Thanks to his position and tenure at Trenchant, according to court documents, Williams maintained “super-user” access to the company’s “internal, access-controlled, multi-factor authenticated” secure network where its hacking tools were stored and to which only employees with a “need to know” had access.

As a “super-user,” Williams could see all activity, logs and data related to Trenchant’s secure network, including its exploits, court documents note. Williams’ access to the company’s network gave him “full access” to Trenchant’s proprietary information and trade secrets.

Exploiting this broad access, Williams used a portable external hard drive to transfer exploits from the secure networks at Trenchant’s offices in Sydney, Australia and Washington, DC, and then onto a personal device. During that time, Williams sent the stolen tools to the Russian broker through encrypted channels, according to court documents.

A former Trenchant employee with knowledge of the company’s internal IT systems told TechCrunch that Williams “held a very high level of trust” within the company as part of the senior leadership team. Williams worked at the company for several years, including before L3Harris acquired Azimuth and Linchpin Labs, two sister startups that merged into Trenchant.

“He was, in my opinion, considered above reproach,” said the former employee, who asked to remain anonymous because they were not authorized to speak about their work at Trenchant.

“Nobody had any supervision over him. He was kind of allowed to do things the way he wanted,” they said.

Contact us

Do you have more information about this case and the alleged leak of Trenchant hacking tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram, Keybase and Wire @lorenzofb, or by email.

Another former employee, who did not want to be named, said, “The general awareness is that whoever is [general manager] will have free access to everything.”

Prior to the acquisition, Williams worked at Linchpin Labs, and before that at the Australian Signals Directorate, the country’s intelligence agency working on digital and electronic eavesdropping, according to the cybersecurity podcast Risky Business.

Sarah Banda, a spokeswoman for L3Harris, did not respond to a request for comment.

“serious harm”

In October 2024, Trenchant was “alerted” that one of its products had been leaked and was in the possession of “an unauthorized software broker,” according to court documents. Williams was put in charge of investigating the leak. The investigation ruled out a hack of the company’s network but found that a former employee “improperly accessed the Internet from an air-gapped device,” according to court documents.

As TechCrunch previously and exclusively reported, Williams fired a Trenchant developer in February 2025 over allegations of double employment. The fired employee later learned from some of his former colleagues that Williams had accused him of stealing Chrome zero-days, which he did not have access to since he worked on exploits for iPhones and iPads. By March, Apple informed the former employee that his iPhone had been targeted by a “mercenary spyware attack.”

In an interview with TechCrunch, the former Trenchant developer said he believes Williams framed him to cover up his own actions. It’s unclear if the former developer is the same employee mentioned in court documents.

In July, the FBI interviewed Williams, who told agents that the “most likely way” to steal products from a secure network would be for someone with access to that network to download the products to an “air-gapped device … such as a mobile telephone or external drive.” (An air-gapped device is a computer or server that does not have access to the Internet.)

As it turns out, that’s exactly what Williams admitted to the FBI in August after being confronted with evidence of his guilt. Williams told the FBI that his code was used by a broker in South Korea after he sold it to the Russian broker; however, it remains unclear how Trenchant’s code ended up with the South Korean broker.

Williams used the alias “John Taylor”, a foreign email provider and unspecified encrypted apps when interacting with the Russian broker, possibly Operation Zero. This is a Russia-based broker that offers up to $20 million for Android phone and iPhone hacking tools, which it says it sells “only to Russian private and government entities.”

Wired was first to report that Williams likely sold the stolen tools to Operation Zero, since court documents state that a September 2023 post on social media announced an increase in the unnamed broker’s “bounty payout from $200,000 to $20,000,000,” which matched an Operation Zero post on X at the time.

Operation Zero did not respond to TechCrunch’s request for comment.

Williams sold the first exploit for $240,000, with the promise of additional payments after the tool’s functionality was confirmed, and for further technical support to keep the tool updated. After this initial sale, Williams sold seven more exploits, agreeing to a total payment of $4 million, although he received only $1.3 million, according to court documents.

Williams’ case has shaken the offensive cybersecurity community, where his rumored arrest has been a topic of conversation for weeks, according to multiple people who work in the industry.

Some industry insiders see Williams’ actions as causing serious harm.

“It’s a betrayal of the Western national security apparatus, and it’s a betrayal of the worst kind of threat actor we have right now, which is Russia,” a former Trenchant employee with knowledge of the company’s IT systems told TechCrunch.

“Because these secrets are given to an adversary that is absolutely going to undermine our capabilities and potentially use them against other targets as well.”
