For years, the zero-day exploit market has operated in a legal and ethical gray zone — a shadowy bazaar where governments, defense contractors, and private brokers buy and sell the digital equivalent of skeleton keys. The tools traded in this market can unlock smartphones, breach encrypted messaging apps, and compromise entire operating systems, all by exploiting software flaws that the developers themselves do not yet know exist.
On February 24 and 25, 2026, that gray zone got significantly smaller. In a coordinated action spanning three federal agencies, the United States government sentenced a former defense contractor executive to more than seven years in federal prison, sanctioned a Russian exploit brokerage and its owner, and for the first time ever invoked a relatively new law designed to punish foreign actors who profit from stealing American trade secrets. The message was unmistakable: the era of consequence-free exploit trafficking may be over.
At the center of it all is Peter Williams, a 39-year-old Australian national who once held one of the most trusted positions in the U.S. offensive cyber apparatus. His betrayal, and the elaborate network that profited from it, offers a case study in how insider threats, cryptocurrency, and geopolitical opportunism converge in the modern cyber arms trade.
The Insider: Peter Williams and Trenchant
Peter Williams was not a low-level employee who stumbled into classified systems. He was the general manager of Trenchant, a specialized cybersecurity unit within U.S. defense contractor L3Harris. Trenchant develops zero-day exploits and advanced hacking tools sold exclusively to the U.S. government and a small circle of allied intelligence agencies, primarily the Five Eyes nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. Inside Trenchant, Williams went by the nickname "Doogie."
Williams himself had a background that made him ideally suited for the role. Before joining the private sector, he worked for the Australian Signals Directorate (ASD), Australia's foreign signals intelligence agency — the equivalent of the U.S. National Security Agency. He conducted cyber espionage operations and developed the kind of deep technical expertise that Trenchant valued.
Trenchant's origins are rooted in the Australian exploit development community. The unit was formed after L3 Technologies — which later became L3Harris following its 2019 merger with Harris Corporation — acquired two Australian firms, Azimuth Security and Linchpin Labs, completing the acquisition in August 2018 for approximately $200 million. Both firms were known for supplying zero-day exploits and hacking tools to allied governments. Williams rose through the ranks over the years, becoming the division's general manager in October 2024, with what court documents describe as "super-user" access to the company's internal, multi-factor authenticated secure network.
That access would prove to be the critical vulnerability.
Between 2022 and 2025, Williams systematically stole at least eight proprietary zero-day exploit components from Trenchant. According to court filings, he downloaded the tools onto a portable hard drive and his personal computer, then sold them — signing each contract under the alias "John Taylor" — to a buyer in Russia. He sold the first exploit for $240,000, with follow-on support payments built into the contract structure, and continued for three years. L3Harris ultimately traced the theft to Williams when it discovered an unauthorized vendor selling what appeared to be a component of one of its proprietary tools; the component contained company-specific vendor data embedded in the code's architecture, a kind of invisible fingerprint that L3Harris matched against its own library. The U.S. Department of Justice alleged that the tools could potentially provide access to millions of computers and devices worldwide. L3Harris estimated its financial losses at approximately $35 million.
The stolen exploits were described in a sentencing memorandum as tools that could be "used against any manner of victim, civilian or military around the world, and engage in all manner of crime from cyber fraud, theft, and ransomware, to state directed spying and offensive cyber operations against military targets."
The Buyer: Operation Zero and Sergey Zelenyuk
The buyer on the other end of Williams's scheme was Operation Zero, a St. Petersburg-based exploit brokerage formally registered as Matrix LLC. Founded in 2021 by Russian national Sergey Sergeyevich Zelenyuk, the company describes itself on its website as "the only official Russian zero-day purchase platform" and states that "our clients are Russian private and government organizations only."
Operation Zero made international headlines in September 2023 when it announced it was increasing its bounty payouts for mobile exploits from $200,000 to a staggering $20 million for full-chain zero-day exploits targeting Android and iOS devices. The company also later offered up to $4 million for exploits targeting the Telegram messaging platform. In public posts, the company noted that "the end user is a non-NATO country."
"No reasons other than the obvious ones." — Sergey Zelenyuk, Operation Zero founder, when asked by TechCrunch why the firm restricts sales to non-NATO nations
According to the U.S. Treasury Department, Operation Zero did not simply stockpile the exploits it acquired from Williams. The agency stated that the firm sold the stolen tools to at least one unauthorized user, whose customers "could use the tools to launch ransomware attacks or engage in other malign activities." The Treasury also alleged that Zelenyuk used social media to recruit hackers and cultivate relationships with foreign intelligence agencies, and that Operation Zero was exploring the development of its own spyware and AI-based tools for extracting personal identifying information.
To circumvent U.S. sanctions on Russian financial institutions, Zelenyuk established a subsidiary called Special Technology Services LLC FZ (STS) in the United Arab Emirates. This UAE shell entity allowed Operation Zero to conduct business with partners across Asia and the Middle East, effectively routing transactions around the sanctions regime that was supposed to restrict Russian access to Western financial systems.
The Audacity: Selling Exploits While the FBI Investigated
What makes the Williams case particularly remarkable is not just the scale of the theft, but its brazenness. Cybersecurity journalist Kim Zetter was first to connect the case to Operation Zero after attending the October 2025 plea hearing, and broke key details of the downstream proliferation in November 2025. According to her reporting, Williams continued selling stolen exploits to his Russian buyer even while the FBI was actively investigating the theft of code from Trenchant.
In June 2025, while the FBI investigation was underway, Williams signed a new agreement with the Russian buyer to sell stolen code for $500,000. He transmitted the code to Operation Zero that same month — just days before sitting down with FBI agents to discuss the very investigation into code theft from his own company. He agreed to receive a bulk payment of $300,000 and two additional payments of $100,000 each, with the final payment due in September 2025.
Evidence suggests Williams may have attempted to deflect blame onto a colleague. In February 2025, a Trenchant developer was called into the company's London office under the pretense of a team-building exercise, only to be confronted on a video call by Williams, who accused the employee of stealing and leaking Chrome zero-day exploits and of working for another company simultaneously. The employee was suspended and then fired. He later told TechCrunch he had never had access to Chrome exploits at all, as his work was exclusively on iOS tools — Trenchant compartmentalizes access by platform. On March 5, 2025, he received an Apple notification informing him that his personal iPhone had been targeted with "mercenary spyware." Williams, operating under his alias "John Taylor," was at that time still actively selling stolen exploits to Operation Zero.
Williams eventually confessed in August 2025 after FBI agents confronted him during a follow-up interview — the same month he received the first $300,000 payment from his June deal and transferred it to his bank account. He subsequently resigned from Trenchant on August 21, 2025. He pleaded guilty on October 29, 2025, to two counts of theft of trade secrets. He was sentenced on February 25, 2026, to 87 months (seven years and three months) in federal prison. Although Williams received approximately $1.3 million in cryptocurrency — the amount the court ordered forfeited — the total value of contracts he signed with Operation Zero reached up to $4 million, according to U.S. Attorney Jeanine Pirro. The court also ordered him to forfeit cryptocurrency holdings, a house, a Porsche, a Tesla, luxury watches, and jewelry purchased with the proceeds of his crimes. A restitution hearing is scheduled for May 12, 2026.
The Government's Response: A First-of-Its-Kind Sanctions Action
The sentencing of Williams was only one part of a broader, coordinated federal response. On February 24, 2026 — the day before the sentencing — the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) designated Zelenyuk, Operation Zero, STS, and four additional associated individuals and entities under Executive Order 13694. Simultaneously, the U.S. State Department issued parallel designations under the Protecting American Intellectual Property Act (PAIPA).
This marked the first time PAIPA had ever been used since its enactment. The law, codified at 50 U.S.C. § 1709, authorizes sanctions against foreign persons who have knowingly engaged in, or benefited from, significant theft of trade secrets from U.S. persons, where the theft poses a significant threat to national security, foreign policy, or the economic stability of the United States.
The additional individuals and entities sanctioned alongside Zelenyuk and Operation Zero further illustrate the breadth of the network:
- Marina Evgenyevna Vasanovich — designated as Zelenyuk's assistant.
- Oleg Vyacheslavovich Kucherov — a Russian national suspected of ties to the Trickbot ransomware gang, designated for materially supporting Zelenyuk's operations.
- Azizjon Makhmudovich Mamashoyev — identified as the founder of a UAE-based exploit brokerage called Advance Security Solutions, which had itself offered up to $20 million for smartphone exploits.
State Department Principal Deputy Spokesperson Tommy Pigott framed the action in broader economic terms, noting that theft of trade secrets in sensitive and emerging technologies "harms U.S. national security, jobs, companies, and investments, while costing U.S. industry billions of dollars each year."
The Downstream Problem: Where Did the Exploits Go?
One of the most unsettling dimensions of the Williams case is what happened to the stolen exploits after they reached Operation Zero. According to Zetter's reporting, Williams discovered that at least one exploit he had previously sold to the Russian buyer was being utilized by a South Korean broker. This indicates that the stolen tools had already entered a secondary market, passing through additional layers of the international exploit trade beyond Operation Zero's direct control.
Despite this discovery, Williams continued to sell additional exploits to the same buyer — a detail that prosecutors emphasized during sentencing as evidence of his willingness to prioritize personal profit over any concern for national security consequences.
The U.S. government confirmed that Operation Zero sold the tools it acquired from Williams to "at least one unauthorized user," but the full extent of downstream proliferation remains unclear. Court documents and government statements describe the stolen tools as targeting "commonly used software, including U.S.-built operating systems and encrypted messaging applications." Separately, evidence presented during hearings — including an Operation Zero social media post from September 2023 calling for increased payouts on mobile exploits for Android and iOS — is consistent with the types of tools Williams was stealing, strongly suggesting the stolen tools targeted mobile devices used by billions of people worldwide. That public bounty announcement was a distinct business activity, but the timing and the $2 million contract Williams signed in December 2023 — which court documents note "was consistent with a public bug bounty" the broker had advertised that September — illustrate how tightly the Williams scheme and Operation Zero's public pricing were linked.
The DOJ alleged that whoever possessed these tools could "potentially access millions of computers and devices around the world." The scope of potential harm is difficult to overstate.
What This Case Means for Cybersecurity
The Williams-Operation Zero case is significant for several reasons that extend well beyond the individual criminal prosecution.
First, it highlights the persistent and growing threat of insider access within the offensive cyber industry. Williams was not an outsider who penetrated Trenchant's defenses through a technical vulnerability. He was the person in charge — and notably, he had been stealing exploits for more than two years before he formally became general manager in October 2024. His earlier positions gave him access that was, by his own later admission to the FBI, essentially impossible to detect: the surest way to steal from Trenchant's secure network, he told agents in July 2025, was for someone with authorized access to download material and transfer it to an "air-gapped device like a mobile phone or external drive." He was describing his own method.
Second, the case exposes the limitations of a market structure in which immensely powerful offensive tools are developed by private companies with relatively small workforces. Trenchant is not a massive defense enterprise; it is a specialized team of hackers and bug hunters. The concentration of critical national security capabilities in the hands of a few individuals creates single points of failure that adversaries can exploit through recruitment, coercion, or, as in this case, simple greed.
Third, the coordinated U.S. response — criminal prosecution, Treasury sanctions, and the inaugural use of PAIPA — signals a meaningful escalation in how the government intends to address the exploit brokerage ecosystem. For years, the zero-day market has operated with minimal regulatory oversight. Brokers like Operation Zero, Zerodium, and Crowdfense have publicly advertised bounties for exploits without facing direct legal consequences from the nations whose software they target. The PAIPA designations suggest that the U.S. government is now willing to treat the acquisition of stolen American cyber tools as a sanctionable offense, regardless of whether the buyers are located in allied, neutral, or adversarial nations.
Finally, the case raises uncomfortable questions about the broader zero-day ecosystem itself. The tools Williams stole were developed by an American defense contractor to be sold exclusively to the U.S. government and its allies. But the underlying business model — discovering vulnerabilities in consumer software used by billions of people, then weaponizing those flaws rather than reporting them to vendors for patching — carries inherent risks. When those weapons escape their intended custody, as they did here, the consequences fall not on governments or defense contractors, but on the ordinary users whose devices become vulnerable.
Key Takeaways
- Insider access is the most dangerous attack vector: The most sophisticated network defenses cannot stop a trusted executive who walks out with a hard drive full of zero-days. Personnel vetting and behavioral monitoring in high-trust roles are not optional.
- The exploit brokerage market now has legal consequences: The first-ever use of PAIPA signals that the U.S. government is prepared to sanction foreign brokers who acquire stolen American cyber tools, regardless of where they operate.
- Secondary markets multiply the risk: Once stolen exploits enter the brokerage ecosystem, proliferation is rapid and largely untrackable. A single insider betrayal can seed tools across multiple nations and threat actors within months.
- The weaponized vulnerability model has systemic costs: When offensive tools built on unpatched consumer software vulnerabilities leak, it is ordinary users — not governments or contractors — who bear the exposure.
What Comes Next
The immediate legal proceedings are not yet complete. A restitution hearing for the $35 million in losses claimed by Trenchant is scheduled for May 12, 2026. It remains unknown whether Apple, Google, or other affected technology companies have been alerted about the specific zero-day vulnerabilities that were compromised, or whether those flaws have since been patched. Neither Trenchant nor L3Harris has been accused of wrongdoing in the criminal case.
For the cybersecurity industry, the Williams case serves as a stark reminder that the greatest vulnerabilities are not always technical. The most sophisticated firewall in the world cannot protect against a trusted insider who decides to walk out the door with a hard drive full of zero-day exploits and a cryptocurrency wallet address in his pocket.
The U.S. government has drawn a clear line. Whether that line holds — and whether the exploit brokerage market adapts, retreats, or simply finds new ways to operate in the shadows — will be one of the defining cybersecurity stories of the years ahead.
Sources
- U.S. Department of the Treasury, "Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools," Feb. 24, 2026. home.treasury.gov
- U.S. Department of State, "Designation of Russia-Based Zero-Day Exploits Broker and Affiliates for Theft of U.S. Trade Secrets," Feb. 24, 2026. state.gov
- U.S. Department of Justice, Sentencing Announcement for Peter Williams, Feb. 24, 2026.
- Kim Zetter, "Trenchant Exec Who Sold His Employer's Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison," ZERO DAY (Substack), Feb. 24, 2026. zetter-zeroday.com
- Kim Zetter, "Former Trenchant Exec Sold Stolen Code to Russian Buyer Even After Learning that Other Code He Sold Was Being 'Utilized' by Different Broker in South Korea," ZERO DAY (Substack), Nov. 11, 2025. zetter-zeroday.com
- Lorenzo Franceschi-Bicchierai, "Inside the Story of the US Defense Contractor Who Leaked Hacking Tools to Russia," TechCrunch, Feb. 25, 2026. techcrunch.com
- Lorenzo Franceschi-Bicchierai, "How an ex-L3Harris Trenchant Boss Stole and Sold Cyber Exploits to Russia," TechCrunch, Nov. 3, 2025. techcrunch.com
- Lorenzo Franceschi-Bicchierai, "Treasury Sanctions Russian Zero-Day Broker Accused of Buying Exploits Stolen from US Defense Contractor," TechCrunch, Feb. 24, 2026. techcrunch.com
- Derek B. Johnson, "Ex-L3Harris Executive Sentenced to 87 Months in Prison for Selling Zero-Day Exploits to Russian Broker," CyberScoop, Feb. 24, 2026. cyberscoop.com
- SecurityWeek, "Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits," Sept. 28, 2023. securityweek.com