Zero-Day Treason: How a Trenchant Executive Sold America’s Hacking Tools to Russia
A former L3Harris executive stole hacking tools capable of accessing “millions of computers and devices” and sold them to a Russian broker. He’s facing 9 years in prison. The story is a case study in insider threat gone catastrophic.
The Core Insight
Peter Williams, the former general manager of Trenchant (an L3Harris cybersecurity division), pleaded guilty to stealing eight zero-day exploits from his employer and selling them to a Russian broker for $1.3 million in cryptocurrency between 2022 and 2025.
The revelations in the DOJ’s sentencing memorandum are staggering: these weren’t narrowly scoped tools. Prosecutors describe capabilities that could enable “government surveillance, cybercrime, and ransomware attacks across the globe.” The buyer is almost certainly Operation Zero, a Russian firm that explicitly sells only to the Russian government and offers up to $20 million for mobile device exploits.
But here’s the detail that elevates this from corporate espionage to something darker: Williams oversaw the investigation into the theft while continuing to sell secrets. He watched as another employee was blamed and fired for his crimes.
Why This Matters
The Insider Threat is the Hardest Threat
Williams wasn’t a rogue junior employee with limited access. He was the general manager—the person you’d trust to investigate a breach. He had the access, the cover, and the operational security awareness to continue selling exploits even while FBI agents were in contact with his company.
This is the nightmare scenario for any organization handling sensitive technology: the person investigating the crime IS the criminal.
Zero-Days are Strategic Weapons
The exploit market exists in a gray zone between legitimate security research and arms dealing. Companies like Trenchant sell to the U.S. government and allies—but their tools are built to compromise devices used by everyone. Once those tools leak, the entire ecosystem is at risk.
Williams’ stolen exploits could now be used for Russian state surveillance, criminal ransomware operations, or attacks on Western infrastructure. That’s not speculation—it’s what prosecutors argue in seeking maximum sentencing.
Key Takeaways
- $1.3M for 8 exploits: Williams received crypto payments for tools affecting “millions of devices”
- Internal scapegoating: An innocent employee was fired while Williams oversaw the investigation
- Continued during FBI contact: Williams sold exploits even after FBI agents engaged with Trenchant
- 9-year sentence sought: Prosecutors also want $35M in restitution and a $250K fine
- Likely buyer: Operation Zero, which publicly states it sells only to the Russian government
- Apple spyware targeting: The scapegoated employee later received Apple notifications about government spyware targeting
Looking Ahead
The Williams case will reshape how defense contractors think about insider threat programs. The typical model assumes bad actors are peripheral—low-level employees or contractors. Williams was core leadership.
For the broader cybersecurity ecosystem, this exposes uncomfortable truths about the exploit market. Companies like Trenchant build tools nominally for defensive purposes and allied government use. But the same tools, in different hands, become offensive weapons against the very populations they’re meant to protect.
The sentenced employee will serve his time and be deported. But the exploits he sold? Those are in the wild now, permanently. The damage extends far beyond any court’s jurisdiction.
Based on analysis of “DOJ says Trenchant boss sold exploits to Russian broker”