Inside the story of the US defense contractor who leaked hacking tools to Russia


A seasoned cybersecurity executive who prosecutors said “betrayed” the United States will spend at least the next 7 years behind bars, after pleading guilty to stealing and selling hacking and surveillance tools to a Russian firm.

Peter Williams, a former executive at U.S. defense contractor L3Harris, was sentenced on Tuesday to 87 months in prison for leaking his former company’s trade secrets in exchange for $1.3 million in crypto between 2022 and 2025. Williams sold the exploits to Operation Zero, which the U.S. government calls “one of the world’s most nefarious exploit brokers.”

The successful conviction of Williams follows one of the most high-profile leaks of sensitive Western-made hacking tools in recent years. Even now that the case is over, there are still unanswered questions.

Williams, a 39-year-old Australian national who resided in Washington, D.C., was the general manager of Trenchant, the division of L3Harris that develops hacking and surveillance tools for the U.S. government and its closest global intelligence partners. Prosecutors say Williams took advantage of having “full access” to the company’s secure networks to download the hacking tools onto a portable hard drive, and later to his computer. Williams contacted Operation Zero under a pseudonym though, so it’s unclear if Operation Zero ever knew Williams’ real identity.

Trenchant is a team of hackers and bug hunters who dig deep into various popular software made by companies like Google and Apple, identify flaws in those millions of lines of code, then devise techniques to turn those flaws into workable exploits that can be used to reliably hack into those products. These tools are typically called zero-day exploits because they take advantage of software flaws unknown to its developer, and they can be worth millions of dollars.

The U.S. Department of Justice alleged that the hacking tools Williams sold could have allowed whoever used them to “potentially access millions of computers and devices around the world.”

For the past few months, I have been talking to sources and reporting on Williams’ story before news broke that he had been arrested. But what I had heard was patchwork and at times conflicting. We had heard someone had been arrested, but given the secretive nature of the work involved in exploit development, proving it would be challenging.

Contact Us

Do you have more information about this case, and the alleged leak of Trenchant hacking tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.

When I first heard of Williams, I wasn’t clear that I had even gotten his name right. At that point, his story was a rumor, moving through the hush-hush grapevine of zero-day exploit developers, sellers, and people with ties to the intelligence community.

I heard that maybe he was called John, or maybe Duggan? Or all the different ways you can spell that in English.

Some of the initial rumors I heard were contradictory. Apparently he stole zero-days from Trenchant, and maybe he sold them to Russia, or maybe to another enemy of the United States and its allies, like North Korea or China?

It took weeks just to confirm that there was indeed someone who even fit that description. (It turned out that Williams’ middle name is John, and Doogie is his nickname in hacker circles.)

Then, as the weeks of reporting rolled on, things started to become much clearer.

The Russian connection

As I first revealed in October, Trenchant fired an employee after Williams, who was at the time still head of Trenchant, accused the employee of stealing and leaking Chrome zero-days. The story was even more intriguing because the employee told me that after he was fired, Apple notified him that someone had targeted his personal iPhone.

What I learned was just the tip of the iceberg. I had heard more from my sources, but we were still piecing parts of the story together.

Soon after, prosecutors made their first formal accusation against a man named Peter Williams for stealing trade secrets, which first surfaced in the U.S. public court system. In that first court document, prosecutors confirmed that the buyer of these trade secrets was a buyer in Russia.

However, there was no explicit mention of L3Harris nor Trenchant, nor the fact that the trade secrets that Williams stole were zero-days. Crucially, we still couldn’t confirm for sure that it was the same Peter Williams, who we thought would have access to highly sensitive exploits as Trenchant’s boss, and not some terrible case of mistaken identity.

We still weren’t there.

On a hunch and with nothing to lose, we contacted the Department of Justice to ask if they would confirm that the person in the document was in fact Peter Williams, the former boss of L3Harris Trenchant. A spokesperson confirmed.

Finally, the story was out. A week later, Williams pleaded guilty.

When I first heard of his story, while I trusted my sources, I remained skeptical. Why would someone like Williams do what the rumors claimed? But he did, and did so for money, prosecutors allege, which Williams then used to buy a house, jewelry, and luxury watches.

It was a remarkable fall from grace for Williams, once seen as an accomplished and brilliant hacker, and especially for someone who previously worked at Australia’s top foreign spy agency and served in the country’s military.

The L3Harris building in Burlington, Canada. (Image: JHVEPhoto/Getty Images)

What happened to the stolen exploits?

We still don’t know specifically what exploits and hacking tools Williams stole and sold. Trenchant estimated a loss of $35 million, per court documents, but said the stolen tools were not classified as a government secret.

We can glean some insight based on the circumstances of the case.

Given that the Justice Department said the stolen tools could be used to hack “millions of computers and devices,” it’s likely the tools refer to zero-days in popular consumer software, such as Android devices, Apple’s iPhones and iPads, and web browsers.

There is some evidence pointing in that direction. During a hearing last year, prosecutors read out loud a post published on X by Operation Zero, according to independent cybersecurity reporter Kim Zetter, who attended the hearing.

“Due to high demand on the market, we’re increasing payouts for top-tier mobile exploits,” read the post, which specifically mentioned Android and iOS. “As always, the end user is a non-NATO country.”

Operation Zero offers millions of dollars for details of security vulnerabilities in Android devices and iPhones, messaging apps like Telegram, as well as other kinds of software, such as Microsoft Windows, and hardware vendors, such as several brands of servers and routers.

Operation Zero claims to work with the Russian government. At the time Williams sold the exploits to the Russian broker, Putin’s full-scale invasion of Ukraine was already underway.

On the same day that Williams was sentenced, the U.S. Treasury announced it had imposed sanctions against Operation Zero and its founder Sergey Zelenyuk, calling the company a national security threat. This was the government’s first confirmation that Williams had sold the exploits to Operation Zero.

In its statement, the Treasury said the broker “sold those stolen tools to at least one unauthorized user.” At this point we don’t know who this user is. The user could be a foreign intelligence service, or it could be a ransomware gang, given that the Treasury also sanctioned Oleg Vyacheslavovich Kucherov, an alleged member of the Trickbot gang, who also allegedly worked with Operation Zero.

In a court document, prosecutors said that L3Harris was able to figure out that “an unauthorized vendor was selling a component” of one of the stolen trade secrets “by comparing company-specific vendor information found on a stolen component that matched.”

Prosecutors also said that Williams “recognized code he wrote and sold” to Operation Zero “being used by a South Korean broker,” further suggesting that both L3Harris and prosecutors know what tools were stolen and sold to Operation Zero.

Another unanswered question is: Did anyone, either the U.S. government or L3Harris, alert Apple, Google, or whichever tech company’s products were affected by the zero-day flaws, now that the exploits had leaked?

Any company or developer would want to know that someone could have used (or could still use) a zero-day against their users and customers so that they can patch the flaws as soon as possible. And at this point, the zero-days are of no use to L3Harris and its government customers.

When I asked Apple and Google, neither company responded to my inquiries. L3Harris did not respond either.

Who hacked the scapegoat, and why?

Then there’s the mystery of the scapegoat, who was fired after Williams accused him of stealing and leaking code.

At sentencing, Justice Department prosecutors confirmed that the employee was fired, saying Williams “stood idly by while another employee of the company was essentially blamed for [his] own conduct.” In response, Williams’ lawyer rebuffed prosecutors, claiming that the former employee “was fired for misconduct,” citing claims of dual employment and improper handling of the company’s intellectual property.

According to a court document submitted by Williams’ lawyers, as part of the L3Harris internal investigation, the company placed the employee on leave, seized his devices, transferred them to the U.S., and “offered them to the FBI.”

When reached for comment, an unnamed FBI spokesperson said the bureau had nothing to add apart from the Justice Department’s press release.

After being fired, that employee, whom we identified with the alias Jay Gibson, received a notification from Apple that his personal iPhone was targeted “with a mercenary spyware attack.”

Apple sends these notifications to users it thinks were the target of attacks using tools like those made by NSO Group or Intellexa.

Who tried to hack Gibson? He received the notification on March 5, 2025, more than six months after the FBI investigation had already begun. The FBI “regularly interacted with [Williams] in late 2024 through the summer of 2025,” according to a court document.

Given the nature of the leaked tools, it is plausible that the FBI, or maybe even a U.S. intelligence agency, targeted Gibson as part of the investigation into Williams’ leaks. But we just don’t know, and there’s a chance that neither the public, nor Gibson, will ever find out.
