Ex-L3Harris Trenchant executive jailed as US sanctions Russian zero-day broker Operation Zero
A former L3Harris executive, Peter Williams, was sentenced to 87 months (about seven years) in U.S. federal prison after pleading guilty to theft of trade secrets tied to the removal and sale of at least eight zero-day exploit components/cyber tools from Trenchant (L3Harris’ specialized unit supplying exploits to the U.S. government and select allies). Prosecutors said the stolen materials were intended for restricted government use; Williams allegedly leveraged his access over several years, received about $1.3 million in cryptocurrency, and the theft was estimated to have caused $35 million in losses to the contractor. Court reporting also noted Williams’ prior service with Australia’s signals intelligence community and that Trenchant traces back to L3Harris’ acquisition of Australian exploit-focused firms.
The U.S. Treasury’s OFAC simultaneously imposed sanctions on Operation Zero—a St. Petersburg-based Russian exploit brokerage—and its founder Sergey Zelenyuk, citing national security risks from acquiring and reselling zero-days and related tooling that could enable ransomware or other malicious activity. U.S. officials said Operation Zero obtained the stolen Trenchant tools and then resold them to unauthorized users, and multiple reports linked the sanctions action to the Williams case (where the buyer was previously anonymized in court as “Company 3”). Reporting also described Operation Zero’s public market for high-value mobile and app exploits (including past offers for Android, iOS, and Telegram), its marketing toward non-NATO customers and foreign intelligence services, and additional U.S. measures including State Department sanctions and action under the Protecting American Intellectual Property Act, plus sanctions on an affiliated UAE entity Special Technology Services (STS) and other associated parties.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Restitution hearing in Williams case is scheduled
Court reporting said a further hearing on restitution in the Peter Williams case was set for May 12, 2026, to address financial recovery tied to the theft and sale of the stolen cyber tools.
Peter Williams is sentenced to 87 months in prison
On February 24, 2026, a U.S. court sentenced former L3Harris/Trenchant executive Peter Williams to 87 months in prison for stealing and selling eight trade-secret exploit tools to Operation Zero. The court also ordered forfeiture of proceeds and assets, and prosecutors said the theft caused about $35 million in losses.
U.S. sanctions Operation Zero and affiliated network
On February 24, 2026, the U.S. Treasury sanctioned Sergey Zelenyuk, Operation Zero/Matrix LLC, and associated individuals and entities, while the State Department designated Zelenyuk, Operation Zero, and UAE-based Special Technology Services. Officials described it as the first use of PAIPA sanctions tied to theft of U.S. trade-secret cyber tools.
Williams pleads guilty to theft of trade secrets
Peter Williams pleaded guilty to two counts of theft of trade secrets after U.S. investigators tied him to the theft and sale of at least eight exploit components from his employer to the Russian broker.
Williams sells stolen exploits to Operation Zero for cryptocurrency
During 2022 to 2025, Williams sold at least eight stolen trade-secret exploit tools to Operation Zero under multiple arrangements, receiving about $1.3 million in cryptocurrency. U.S. authorities later said some of the tools were resold to at least one unauthorized user.
Peter Williams starts stealing Trenchant cyber tools
Between 2022 and 2025, Peter Williams allegedly stole proprietary zero-day exploit components and other cyber tools from Trenchant, an L3Harris unit whose capabilities were intended for U.S. government and allied use.
Operation Zero begins operating as a Russian exploit broker
U.S. authorities said Matrix LLC, publicly operating as Operation Zero, began operating in 2021 as a St. Petersburg-based broker buying and reselling zero-days and spyware to non-NATO customers, including Russian government-linked buyers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
17 references tracked. Mallory keeps watching after this page renders.
US Sanctions Russian Exploit Broker Over Stolen US Cyber Tools
hackread.com
Open sourceFormer U.S. Defense contractor executive sentenced for selling zero-day exploits to Russian broker Operation Zero
securityaffairs.com
Open sourceDefense Contractor Employee Jailed for Selling 8 Zero-Days to Russian Broker
thehackernews.com
Open sourceZero-Day Exploits Theft Case Exposes Cyber Exploit Market
thecyberexpress.com
Open sourceTreasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools | U.S. Department of the Treasury
home.treasury.gov
Open sourceTreasury sanctions Russian zero-day broker accused of buying exploits stolen from U.S. defense contractor | TechCrunch
techcrunch.com
Open sourceUS sanctions Russian exploit broker for buying cyber tools stolen from defense contractor | The Record from Recorded Future News
therecord.media
Open sourceFormer L3Harris Trenchant boss jailed for selling hacking tools to Russian broker | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ex-L3Harris Executive Pleads Guilty to Selling Zero-Day Exploits to Russian Broker
Peter Williams, a former executive at L3Harris subsidiary Trenchant, pleaded guilty in U.S. federal court to two counts of theft of trade secrets after admitting to selling at least eight sensitive cyber-exploit components, including zero-day vulnerabilities, to a Russian software broker. The stolen materials, intended exclusively for the U.S. government and its allies, were sold over a three-year period from 2022 to 2025 in exchange for millions of dollars in cryptocurrency. U.S. prosecutors stated that Williams signed multiple contracts with the Russian broker, which publicly advertises itself as a reseller of cyber exploits to clients including the Russian government, and that the offenses cost L3Harris $35 million in damages. Williams, who previously worked for the Australian Signals Directorate, used encrypted communications to facilitate the transactions and used the proceeds to purchase luxury items. The Russian broker, identified in court as "Company 3" and believed to be Operation Zero, is known for seeking mobile exploits for non-NATO clients. Williams faces a potential prison sentence of 87 to 108 months, fines up to $300,000, and restitution of $1.3 million, and is currently under house arrest pending sentencing. Authorities highlighted the national security risks posed by the sale of these sophisticated cyber tools to foreign actors outside the U.S. and its allies.
Mar 21, 2026
Peter Williams Sells U.S. Cyber Exploits to Russian Broker
Peter Williams, a former general manager at U.S. defense contractor L3Harris Trenchant and ex-employee of Australia's ASD, pleaded guilty to stealing and selling eight sensitive cyber-exploit components to a Russian 0day broker known as Operation Zero. The exploits, which were intended for exclusive use by the U.S. government and select allies, were sold over a three-year period from 2022 to 2025, netting Williams approximately $1.3 million. The Russian broker, Operation Zero, is known for reselling exploits to non-NATO buyers, including the Russian government. The U.S. Department of Justice did not specify which exploits were stolen, but reports indicate that L3Harris Trenchant had teams working on Google Chrome and iOS 0days, and the company was already investigating a possible leak of its tools prior to Williams' arrest. Williams was reportedly in charge of the internal investigation into the leaks and had fired a security researcher suspected of involvement, though the researcher denied access to the relevant vulnerabilities. The case highlights the significant insider threat posed by trusted individuals with access to sensitive cyber capabilities, and underscores the risks of advanced cyber weapons falling into the hands of adversarial nation-states. The incident has raised concerns about the security of exploit development programs and the potential for further leaks or misuse of advanced cyber tools by hostile actors.
Mar 21, 2026
DOJ: Former Trenchant executive sold stolen hacking tools to Russian government-linked broker
U.S. prosecutors said **Peter Williams**, a former executive at *Trenchant* (a hacking and surveillance tools unit of U.S. defense contractor **L3Harris**), stole and sold **eight hacking tools/exploits** to a **Russian company** that counts the Russian government among its customers. The Department of Justice said the sales **directly harmed the U.S. intelligence community** and that the tools could have been used to enable **indiscriminate government surveillance**, **cybercrime**, and **ransomware** at global scale, potentially affecting **millions of computers and devices**, including in the United States. Williams, an Australian national, pleaded guilty in October to trade secret theft tied to the sales, which prosecutors said generated **more than $1.3 million in cryptocurrency** between 2022 and 2025. Ahead of his expected Feb. 24 sentencing in Washington, D.C., prosecutors filed a sentencing memorandum seeking **nine years in prison**, **three years of supervised release**, **$35 million in restitution**, and a **$250,000 fine**; the filing also indicates Williams is expected to be **deported to Australia** after serving his sentence, and notes he submitted a letter expressing regret.
Mar 21, 2026