Trenchant Exec Who Sold His Employer's Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison

A courtroom in the U.S. District Court for the District of Columbia, where Peter Williams was sentenced for selling stolen code to Operation Zero, a Russia-based buyer of zero-day exploits. (Photo: Carol M. Highsmith; from the Carol M. Highsmith Collection at the Library of Congress Prints and Photographs Division)

A former Trenchant executive who pleaded guilty last year to selling his company's software hacking tools to a zero-day broker in Russia was sentenced today to seven years and three months in federal prison.

The US Treasury Department simultaneously announced today that it was sanctioning the owner of the Russian zero-day firm that purchased the stolen tools from the executive, as well as the owner's Petersburg-based zero-day firm – Operation Zero – and several other associates and related zero-day firms.

Peter Williams, the Australian-born former executive of Trenchant, admitted last October to stealing at least eight "software trade secrets" from his former US employer over a three-year period, beginning in 2022. He also admitted to receiving millions of dollars in cryptocurrency payments in exchange for selling the stolen hacking tools.

The government had asked the court to sentence Williams to nine years in prison in addition to imposing a fine of $250,000 and mandatory restitution of $35 million for losses incurred from the theft and sale of the tools. It's not clear where this figure comes from, but when the FBI confronted Williams with his crimes during an interview with him last year, he admitted to selling the tools and estimated that at least two of the software tools he sold to the Russian buyer amounted to a loss of about $35 million for Trenchant, his employer at the time. A hearing to determine his full restitution is scheduled for later this year. Cyberscoop was the first to report the sentence today.

Williams will serve his sentence in the US, after which he will be deported to his native Australia. 

Although court records don't specify the nature of the stolen goods or who purchased them, Trenchant creates and sells zero-day exploits and other hacking tools exclusively to the US government and its allies. Previous reports had indicated that the buyer of the stolen tools was likely the Russian firm Operation Zero, and in its sanctions announcement today, the Treasury Department confirmed this. Treasury said it was sanctioning Sergey Sergeyevich Zelenyuk and his company, Matrix LLC, which does business under the name Operation Zero. The announcement also indicated that five associated individuals and entities were being sanctioned "for their acquisition and distribution of cyber tools harmful to U.S. national security."

Officials say that after purchasing the tools from Williams, Operation Zero re-sold an unspecified number of them "to at least one unauthorized user." The Treasury announcement doesn't identify that other buyer, but it does indicate that among the other sanctioned entities is a UAE company called Special Technology Services that the government says is controlled by Zelenyuk, as well as another exploit broker called Advance Security Solutions that operates in the UAE and Uzbekistan.

Additionally, the government sanctioned Marina Evgenyevna Vasanovich, identified as Zelenyuk’s assistant; it also sanctioned Azizjon Makhmudovich Mamashoyev and Oleg Vyacheslavovich Kucherov. Mamashoyev operates Advance Security Solutions, according to the Treasury Department. Kucherov, a Russian national, is believed to be a member of the Trickbot cybercrime gang, which has been responsible for ransomware attacks against US government agencies, as well as US hospitals and healthcare centers. The government says both Mamashoyev and Kucherov "materially assisted, sponsored, or provided financial, material, or technological support for, or goods and services to or in support of, Zelenyuk."

The move represents the first time the government has sanctioned anyone under the Protecting American Intellectual Property Act. The law allows sanctions against anyone who has knowingly engaged in, or benefitted from, significant theft of trade secrets belonging to US persons, if the theft of the trade secrets "is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States."

Crimes and Sentencing

The government requested that part of Williams' sentencing hearing today be in a closed-court session not accessible to reporters or other members of the public. The government filed a last-minute motion on Sunday to seal part of today's hearing so that a representative from Williams' former employer could freely discuss the company's victim-impact statement during the session, and so that an impact statement submitted to the court by the US intelligence community could also be discussed freely. Both impact statements have already been designated Highly Sensitive Documents by the court because they "reference sensitive national-security-focused cyber and intelligence software" and Trenchant's trade secrets.

Though Williams' attorney opposed the sealing request, the court granted it, ordering that only the portion of the sentencing hearing discussing the statements would be closed. Williams' attorney revealed in his response to the government's sealing request that the government only provided a summary of losses the day before the sentencing hearing and that Williams was not being given adequate opportunity to question the reliability of the company's claims about the harms it suffered from the theft and sale of its hacking tools.

As previously reported, Williams worked for the Australian Signals Directorate during the 2010s. The ASD is Australia's equivalent to the US National Security Agency and, like the latter agency, uses software exploits to hack into computers to conduct espionage and sabotage. At some point Williams left the ASD and, beginning in at least 2016, began working for a company that later became Trenchant.

Trenchant, or L3Trenchant as it's formally known, was formed through the merging of two Australian firms – Azimuth and Linchpin Labs – after the US-based defense contractor L3Harris acquired the two companies in 2018. Azimuth was well-regarded in the intelligence community for creating valuable zero-day exploits and other hacking tools for the US and select allies.

Williams began his criminal spree in April 2022 when he created an email account under the pseudonym "John Taylor" and contacted Operation Zero through encrypted communication to negotiate a price to sell his first exploit. He signed a contract for about $240,000 to be paid in cryptocurrency for the exploit. It's not clear if the Russian buyer knew the real identity of John Taylor or the fact that he worked for Trenchant, was selling his employer's tools, and had previously worked for the Australian intelligence community.

In any case, the Russian firm agreed to make additional payments to "John Taylor" once it confirmed that the exploit he was selling worked, and agreed to make additional payments if Williams updated the software to maintain its efficacy after the initial sale. A zero-day exploit can stop working if the maker of the software the exploit attacks patches the vulnerability the exploit targets or distributes some other update to their software that impacts the efficacy of the exploit. Exploit sellers will sometimes devise a way to bypass patches that software makers create or make other adjustments to the exploit that allow it to continue to work for customers even after a vulnerability has been patched.

Between April 2022 and June 2025, Williams was in regular communication with the Russian buyer and entered into separate written contracts for each of the tools he sold, signing each contract under the name John Taylor. One contract he signed on December 4, 2023, indicated he was to be paid $2 million for one of the stolen tools. The court document notes that this amount “was consistent with a public bug bounty” the Russian buyer had advertised in September 2023. The contracts he signed generally promised an upfront payment once the buyer determined the code worked, and then additional payments if the code continued to work over time. In one case, Williams agreed to provide at least three months of follow-on support at a price of $10,000 a month.

At some point in 2023, Williams came to the US on a work visa, to work out of Trenchant's DC offices. He then became general manager of the company in October 2024. Notably, that's the same month that Trenchant learned that some of its valuable software tools had leaked or been stolen from its secure network and were in the hands of a foreign broker. The document doesn't indicate who informed the company, but it's likely it was the FBI.

Trenchant confirmed that a broker outside the US was indeed selling a component of one of its software products and immediately launched an internal investigation. The company, however, put Williams in charge of overseeing the internal person assigned to conduct the inquiry. The company's investigation concluded that Trenchant's secure network had not been compromised – "outside of a former employee who, while employed, had improperly accessed the internet from an air-gapped device."

Trenchant keeps its sensitive code stored on a secure air-gapped network that is not connected to the internet, to prevent outsiders from breaching the network and siphoning the company's valuable assets, and apparently an employee had breached protocol by connecting a device to the internet that should not have been connected.

Investigation

In November 2024, Trenchant provided the FBI with the results of its internal inquiry. But the FBI in the meantime had started its own investigation, which included interviewing Trenchant employees – among them, Williams himself. In one interview Williams had with the FBI in July 2025, he told agents that the most likely way the code got stolen from Trenchant's secure network – without triggering any security alerts – was that someone who had access to the air-gapped network downloaded the material from the network and transferred it to another air-gapped device like an external drive. Two months later when the FBI confronted Williams with evidence of his crimes, he admitted that this was how he stole the code from Trenchant – downloading it from the company's network in DC and in Sydney, Australia to a portable hard drive, then transferring it to a personal computer where he removed any identifying information that pointed specifically to himself or to his company before transmitting it to his Russian buyer.

The case of Williams is remarkable in many ways, but one of the most startling details revealed in the court documents is that Williams continued committing his crimes even while the FBI was investigating the theft, and while another employee at Trenchant was reportedly under investigation for stealing company exploits. As reported last year by TechCrunch, in February 2025 – four months after Trenchant had learned that its tools had been stolen and had launched an internal investigation – this other worker was called into Trenchant's London office for what he thought was going to be a team-building exercise. When he arrived at the office, however, he was ushered into a meeting room for a video call with Williams. During that call, Williams told him that the company suspected the employee had been moonlighting for another company and that he was being suspended while an investigation occurred. The company then seized his electronics and he was dismissed from the meeting. He was subsequently fired from Trenchant, but he told TechCrunch Williams never gave him a reason for his dismissal. The employee only learned later from a colleague that the company suspected he had stolen zero-day exploits for the Chrome browser and leaked them – a crime he says he didn't commit.

The circumstances of the other worker's firing suggest the possibility that Williams may have engaged in some misdirection to pin blame on the employee for stealing exploits that he himself stole. It's not clear, however, if the trade secrets Williams sold to the Russian buyer included zero-day exploits for Chrome. And the court documents don't address the question of whether Williams tried to pin his crimes on another worker.

One other remarkable detail in the court documents reveals that at one point during the period he was selling exploits to the Russian buyer, Williams discovered that "code he wrote and sold" to that buyer was also being "utilized" by a South Korean broker. This suggests 1) that Williams himself may have been the author of some of the code he stole from Trenchant, and 2) that the Russian buyer was possibly re-selling the tools it purchased from Williams. Despite this evidence that the tools were spreading beyond his control, Williams continued to sell at least one additional Trenchant tool to his Russian buyer.

But the most startling detail in the case is that Williams continued to sell exploits to the Russian buyer last year even when he knew the FBI was investigating the code theft and was interested in speaking with him about it. In June 2025, he signed an agreement with the Russian buyer to sell stolen code for $500,000 and transmitted the code to the buyer, and days later he met with the FBI to discuss their investigation into the theft.

According to his agreement with the Russian buyer, Williams was to receive a bulk payment of $300,000 for this exploit, plus two additional payments of $100,000 each. The last payment was scheduled to arrive in September 2025. He received the first payment and transferred it to one of his bank accounts in August. But then during a second interview with the FBI that month, the agents confronted him with evidence of his crimes. Williams immediately confessed and subsequently resigned from his job at Trenchant. Between August and October, his attorneys worked out a plea agreement with prosecutors.

Williams was paid in cryptocurrency and laundered it through several cryptocurrency accounts before using a virtual currency exchange service to convert the money into fiat currency. According to the government, Williams used an exchange service that does not require users to create an account to use it, and also generally does not collect customer identity information unless a specific transaction is flagged for review. Once the money was converted into fiat currency, Williams deposited it into bank accounts he controlled in the US and Australia.

In his plea agreement, Williams acknowledged that in stealing Trenchant's software and selling it to the Russian buyer he had harmed both the intelligence community of Australia and the US.

In total, the contracts promised Williams more than $4 million, though court documents don't indicate the total amount he actually collected. They say only that he received upfront payments in cryptocurrency worth in excess of $1.3 million, raising questions about whether he actually received more than this.

He used the proceeds to put a down payment on a house in northwest Washington, DC in 2025. Though the court documents don't say when he purchased the home or for how much, online records show that the five-bedroom row house sold last June for $1.56 million shortly before Williams had his July interview with the FBI.

To cover his restitution payments, Williams agreed to forfeit the house he purchased, as well as dozens of luxury items the government says he bought with proceeds from the sale of the stolen code. This includes twenty-two watches – many of them from the luxury brands Rolex, Longines, and Tag Heuer but some of them fake replica watches – as well as several pieces of women's diamond jewelry and designer clothing. He also agreed to forfeit funds contained in more than half a dozen bank and cryptocurrency accounts he has in the US and Australia.
