The Betrayal: Defense Exec Stole 8 Zero-Days Valued at $35M, Sold to Foreign Broker

Peter Williams, former chief executive of Trenchant—a division within the defense contractor L3Harris—has recently pleaded guilty to stealing and selling classified cyber-espionage tools to a foreign intermediary. Court documents and a TechCrunch investigation have revealed how the head of a company specializing in exploit development and cyber operations for Western governments covertly exfiltrated and resold internal technologies over the course of three years.

According to investigators, the 39-year-old Australian citizen, known among colleagues by the nickname “Doogie,” stole eight zero-day vulnerabilities capable of compromising modern devices and operating systems. These highly valuable tools were intended solely for use by U.S. government agencies and their allies. Williams valued the exploits at a combined $35 million, yet received only about $1.3 million in cryptocurrency from a broker. The transactions occurred between 2022 and July 2025 via encrypted communication channels.

Internal L3Harris records show that Williams held “super-user” status, granting him full access to Trenchant’s secure, multi-factor–protected network, which contained source code, operational tools, and activity logs. Access to this infrastructure was restricted to a small number of specialists under the principle of “need to know.” With administrative privileges, he could monitor all traffic, developer activity, and internal projects without limitation. Colleagues described him as a figure of “the highest level of trust,” exempt from routine oversight.

Williams exploited that trust. He copied exploits and related materials onto external hard drives, removed them from company offices in Sydney and Washington, and transferred them to personal devices. The stolen data was then passed to an intermediary through encrypted messengers and anonymous email services under the alias “John Taylor.”

Court records indicate that the first buyer was a broker identified as “Company No. 3.” Prosecutors later clarified that this codename referred to Operation Zero—a platform offering up to $20 million for iOS and Android exploits. In September 2023, Operation Zero announced a dramatic increase in payouts from $200,000 to $20 million for exclusive zero-day tools—an announcement later found to coincide with evidence from Williams’s encrypted correspondence.

His first transaction earned him $240,000, including a maintenance and code-update bonus. Although the total deal was set at $4 million, he ultimately received only $1.3 million. After transferring the exploits, Williams noted that part of his code appeared to have been reused by a South Korean broker, even though he had officially sold it to another nation—an anomaly that remains unexplained.

In October 2024, Trenchant discovered that one of its software components had surfaced in the hands of an unauthorized intermediary. Williams, appointed to lead the internal investigation, concluded there were “no signs of intrusion,” attributing the breach instead to a “former employee” who had allegedly connected an air-gapped system to the internet. In February 2025, he dismissed a developer, accusing him of “moonlighting” and stealing Chrome exploits—though the employee had worked exclusively on iOS vulnerabilities. Later, the developer received a notification from Apple warning that his iPhone had been targeted with mercenary spyware. In interviews, he claimed he suspected Williams had deliberately framed him to cover his own tracks.

The FBI identified Williams as a suspect in the summer of 2025. During questioning, he speculated that data could be removed from the secure network by transferring it to an “air-gapped” device—a computer without internet connectivity. As subsequent evidence confirmed, that was precisely how he had done it. In August, confronted with proof, Williams confessed to stealing and transferring the tools to a third party.

The U.S. Department of Justice estimated L3Harris’s losses at $35 million, emphasizing that the dissemination of such sophisticated capabilities could enable foreign governments to conduct cyberattacks against “numerous unsuspecting victims.” Each charge carries a potential sentence of up to ten years in prison and fines of up to $250,000—or double the amount of illicit profit. Under federal guidelines, the judge is expected to impose a sentence ranging from seven years and three months to nine years of imprisonment. Williams must also pay fines of up to $300,000 and reimburse $1.3 million in restitution. He remains under house arrest until January 2026, when sentencing is scheduled to be announced.

Former Trenchant employees described his actions as a betrayal of U.S. national interests and a blow to the industry’s foundation of trust. One engineer remarked that selling such tools to another nation “undermines the very pillars of Western cybersecurity and could be turned against the same institutions they were designed to protect.”

Williams’s story has sent shockwaves through the entire offensive-security community. Many experts acknowledge that the incident exposed deep flaws in internal-access controls for classified projects and demonstrated that even the highest levels of trust offer no safeguard against insider threats.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy