Trenchant Exec Who Sold His Employer's Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison
A former Trenchant executive who pleaded guilty last year to selling his company's software hacking tools to a zero-day broker in Russia was sentenced today to seven years and three months in federal prison.
The US Treasury Department simultaneously announced today that it was sanctioning the owner of the Russian zero-day firm that purchased the stolen tools from the executive, as well as the owner's Petersburg-based zero-day firm – Operation Zero – and several other associates and related zero-day firms.
Peter Williams, the Australian-born former executive of Trenchant, admitted last October to stealing at least eight "software trade secrets" from his former US employer over a three-year period, beginning in 2022. He also admitted to receiving millions of dollars in cryptocurrency payments in exchange for selling the stolen hacking tools.
The government had asked the court to sentence Williams to nine years in prison in addition to imposing a fine of $250,000 and mandatory restitution of $35 million for losses incurred by the theft and sale of the tools. When the FBI confronted Williams with his crimes during an interview with him last year, he admitted to the sale of the tools and estimated to the bureau that at least two of the software tools he sold to the Russian buyer amounted to a loss of about $35 million for Trenchant. A hearing to determine his full restitution is scheduled for later this year. Cyberscoop was the first to report the sentence today.
Williams will serve his sentence in the US, after which he will be deported to his native Australia.
Although court records don't specify the nature of the stolen goods or who purchased them, Trenchant creates and sells zero-day exploits and other hacking tools exclusively to the US government and its allies. Previous reports had indicated that the buyer of those tools was likely the Russian firm Operation Zero, and in its sanctions announcement today, the Treasury Department confirmed this. Treasury said it was sanctioning Sergey Sergeyevich Zelenyuk and his company, Matrix LLC, which does business under the name Operation Zero, as well as five associated individuals and entities "for their acquisition and distribution of cyber tools harmful to U.S. national security."
Officials say that Operation Zero re-sold the stolen tools "to at least one unauthorized user." The Treasury announcement doesn't identify the other buyer, but it does indicate that among the other sanctioned entities is a UAE company called Special Technology Services that the government says is controlled by Zelenyuk, as well as another exploit broker called Advance Security Solutions that operates in the UAE and Uzbekistan.
Additionally, the government sanctioned Marina Evgenyevna Vasanovich, identified as Zelenyuk’s assistant, as well as Azizjon Makhmudovich Mamashoyev and Oleg Vyacheslavovich Kucherov. Mamashoyev operates Advance Security Solutions, according to the Treasury Department announcement, and Kucherov, a Russian national, is believed to be a member of the Trickbot cybercrime gang, which has been responsible for ransomware attacks against US government agencies, as well as US hospitals and healthcare centers. The government says both Mamashoyev and Kucherov "materially assisted, sponsored, or provided financial, material, or technological support for, or goods and services to or in support of, Zelenyuk."
The sanctions represent the first time the government has sanctioned anyone under the Protecting American Intellectual Property Act. The law allows sanctions against anyone who has knowingly engaged in, or benefitted from, significant theft of trade secrets belonging to US persons "if the theft of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States."
Crimes and Sentencing
The government requested that part of Williams' sentencing hearing today be in a closed-court session not accessible to reporters or other members of the public. The government filed a last-minute motion to seal the court on Sunday so that a representative from Williams' former company could freely discuss the company's victim-impact statement during the session, and so that an impact statement provided by the US intelligence community could also be discussed freely. Both impact statements have already been designated as Highly Sensitive Documents by the court because they "reference sensitive national-security-focused cyber and intelligence software" as well as the company's trade secrets.
Though Williams' attorney opposed the sealing request, the court granted it, ordering that only this portion of the sentencing hearing would be closed. Williams' attorney revealed in his response to the government's sealing request that the government had only provided a summary of the claimed losses the day before the sentencing hearing and that his client was not being given adequate opportunity to question the reliability of the company's claims about the harms it suffered from the theft and sale of its hacking tools.
As previously reported, Williams had worked for the Australian Signals Directorate during the 2010s. The ASD is Australia's equivalent to the US National Security Agency and, like the latter agency, uses software exploits to hack into computers to conduct espionage and sabotage. At some point he left the ASD, and beginning in at least 2016 he worked for a company that later became Trenchant.
Trenchant, or L3Trenchant as it's formally known, was formed through the merging of two Australian firms – Azimuth and Linchpin Labs – after the US-based defense contractor L3Harris acquired the two companies in 2018. Azimuth was well-regarded in the intelligence community for creating valuable zero-day exploits and other hacking tools for the US and select allies.
Williams began his criminal spree in April 2022 when he created an email account under the pseudonym "John Taylor" and contacted Operation Zero through encrypted communication to negotiate a price to sell his first exploit. He signed a contract for about $240,000 to be paid in cryptocurrency.
It's not clear if the buyer knew the real identity of John Taylor and his circumstances – that he worked for a company that makes zero-day exploits and was stealing from his employer, and that he had previously worked for the Australian intelligence community.
The Russian firm agreed to make additional payments once it confirmed that the exploit worked as well as more payments if Williams updated the software to maintain its efficacy after the initial sale. A zero-day exploit can stop working if the maker of the software the exploit attacks patches the vulnerability the exploit targets or distributes some other update to the software that impacts the efficacy of the exploit. Exploit sellers will sometimes devise a way to bypass the patch or make some adjustments to the exploit to allow it to continue to work for the customer.
Between April 2022 and June 2025, Williams was in regular communication with the Russian buyer and entered into separate written contracts for each of the tools he sold, signing each contract under the name John Taylor. The contracts promised an upfront payment once the buyer determined the code worked, and then additional payments if the code continued to work over time. Williams agreed to provide at least three months of follow-on support at a price of $10,000 a month. In another example, Williams signed a contract on December 4, 2023 that would pay him $2 million for one of the stolen trade secrets. The court document notes that this amount “was consistent with a public bug bounty” that the company had advertised in September 2023.
At some point in 2023, Williams came to the US on a work visa, to work out of Trenchant's DC offices, and he became general manager of the company in October 2024. Notably, that's the same month that Trenchant learned that some of its valuable software tools had leaked from its secure network and were in the hands of a foreign broker. The document doesn't indicate who informed the company, but it's likely it was the FBI.
Trenchant confirmed that a broker outside the US was selling a component of one of its software products and immediately launched an internal investigation, with Williams overseeing a trusted company investigator who was conducting the inquiry. The investigation concluded that Trenchant's secure network had not been compromised – "outside of a former employee who, while employed, had improperly accessed the internet from an air-gapped device."
Trenchant keeps its sensitive code stored on a secure air-gapped network that is not connected to the internet, to prevent outsiders from breaching the network and siphoning the company's valuable assets.
Investigation
In November 2024, Trenchant provided the FBI with the results of its internal inquiry. But the FBI in the meantime had started its own investigation, which included interviews with Trenchant employees. In one interview that Williams had with the FBI in July 2025, he said the most probable way for someone to steal code from Trenchant's secure network without triggering internal indications of compromise was for someone with access to the secure network to download material from the network and transfer it to an air-gapped device like a mobile phone or external drive. Two months later when the FBI confronted Williams with evidence of his crimes, he admitted that this was how he stole the code from Trenchant – downloading it from the company's network in DC and in Sydney, Australia, using a portable hard drive, then transferring it to a personal computer where he removed any identifying information that pointed specifically to himself or to his company before transmitting it to his Russian buyer.
Remarkably, Williams continued his crimes even while the FBI was investigating the theft, and while another employee at Trenchant was reportedly fired for stealing zero-day exploits for the Chrome browser from Trenchant and leaking them – a crime he says he didn't commit. As reported last year by TechCrunch, in February 2025 the worker says he was called into Trenchant's London office for a team-building exercise, but when he arrived he was ushered into a meeting room for a video call with Williams. Williams said the company suspected the employee of moonlighting for another company and seized his electronics and suspended him. He was subsequently fired, though Williams did not give a reason. The employee only learned from other workers later that the company suspected he had stolen the zero-day exploits.
It's not clear if the trade secrets Williams sold to the Russian buyer were zero-day exploits for Chrome, but the details and timing of the events suggest the possibility that Williams may have engaged in some misdirection to pin blame on the employee for stealing exploits that he himself stole.
Williams admitted to the FBI that "even after he recognized code he wrote and sold" to the Russian buyer was being "utilized" by a South Korean broker, he still sold at least one other Trenchant tool to the Russian buyer. This suggests that Williams may have written some of the code he stole from Trenchant, though the document doesn't elaborate on this.
But the most remarkable part of the case was Williams' continued sale of exploits to the Russian buyer last year even when he knew the FBI was investigating the theft of code from Trenchant. In June 2025, he signed an agreement with the Russian buyer to sell stolen code for $500,000 and transmitted the code to the buyer just days before he met with the FBI to discuss their investigation into the theft of Trenchant's code.
He agreed to receive a bulk payment of $300,000 and two additional payments of $100,000 each, with the last payment being scheduled to arrive in September 2025. According to the court document, after he received the first payment, he transferred it to one of his bank accounts in August. It was that month, during another interview with the FBI, that agents confronted him with evidence of his crimes, leading him to confess. Williams subsequently resigned from his job at Trenchant.
Each time the Russian buyer paid Williams in cryptocurrency, he laundered it through several cryptocurrency accounts before using a virtual currency exchange to convert it into fiat currency. According to the government, Williams used an exchange service that does not require users to create an account to use it, and also generally does not collect customer identity information unless a specific transaction is flagged for further review. Once the money was converted into fiat currency, Williams deposited it into accounts that he had in the US and Australia.
In total, the contracts promised Williams more than $4 million, though court documents don't indicate the total amount he actually collected. They say only that he received upfront payments in cryptocurrency worth in excess of $1.3 million, raising questions about whether he actually received more than this.
He used the proceeds to put a down payment on a house in northwest Washington, DC earlier this year. Though the court document doesn't say when he purchased the home or for how much, online records show that the five-bedroom row house sold in June this year – shortly before Williams' July interview with the FBI – for $1.56 million.
To cover his restitution payments, Williams agreed to forfeit the house he purchased as well as dozens of luxury items that the government says he bought with proceeds from the sale of the stolen software. This includes twenty-two watches – many of them from the luxury brands Rolex, Longines, and Tag Heuer but some of them fake replica watches – several pieces of women's diamond jewelry and designer clothing. He has also agreed to forfeit funds contained in more than half a dozen bank and cryptocurrency accounts he has in the US and Australia.
In his plea agreement, Williams acknowledged that in stealing Trenchant's software and selling it to the Russian buyer he had harmed the intelligence communities of both Australia and the US.