
SOLD TO RUSSIA

A Space Coast defense contractor built America’s most sensitive hacking tools. Its top executive sold them to Russia. Today, the U.S. government responded in ways it never has before.

Palm Bay, FL – This morning, in a federal courtroom in Washington, D.C., a judge sentenced Peter John Williams to 87 months in federal prison. Within hours, the U.S. Treasury Department announced sanctions against the Russian company that bought his stolen goods, making this the first administration in history to invoke a law called the Protecting American Intellectual Property Act against anyone. By the time the business day ended on the East Coast, the State Department had issued its own designations, and the full scope of a three-year betrayal rooted in a Space Coast defense contractor had become public record.

The story of how it got to this point begins, as the best spy stories do, not with the spy but with the person he used.

On March 5, 2025, a former software developer received a notification on his iPhone. It was from Apple, a brief and clinical message: someone had targeted his device with mercenary spyware. The kind of attack that governments use.

The developer had been out of work for months. His former employer, a secretive defense division called Trenchant, had fired him the previous year after his boss accused him of stealing and leaking sensitive code. His personal devices had been seized and shipped across the world. The FBI had received them.

Now, apparently, someone with nation-state-level hacking tools had come for his personal phone.

What he did not know, and what almost no one outside a small circle of federal investigators understood at that moment, was that the man who had accused him of the theft was the actual thief. And that thief, his former boss, was at that very moment still meeting with the FBI while quietly preparing to close one last deal with Russia.

THE WORLD BEHIND THE CURTAIN

To understand what unfolded inside Trenchant’s offices, you first have to understand what a zero-day exploit is and why it is worth more than most people’s houses.

When a software company ships code, whether it is the operating system on your iPhone, the browser on your laptop, or the messaging app on your phone, that code almost certainly contains flaws. Most are minor. A handful are catastrophic. A zero-day exploit is a technique that takes advantage of a flaw the software’s developer does not yet know exists. The name comes from the fact that on the day the attack is discovered, the developer has had zero days to fix it.

These exploits are weapons. They allow intelligence agencies, militaries, and, in the wrong hands, criminals to break into phones, computers, and networks without the target ever knowing. Governments buy them. Intelligence agencies use them. In the right hands, they enable the kind of covert surveillance and offensive cyber operations that almost never make the news, and when they do, the full story almost never comes with them.

Trenchant was in the business of building those weapons. The division traces its origins to 2018, when L3Harris Technologies, the Space Coast-headquartered aerospace and defense giant, acquired two Australian cybersecurity firms: Azimuth and Linchpin Labs. Both were known within the narrow world of zero-day development as elite suppliers. Their tools went exclusively to U.S. government agencies and a small circle of allied governments. The acquisition folded their talent and their techniques into what became L3Harris Trenchant.

L3Harris is one of the Space Coast’s most prominent employers and corporate citizens. Its headquarters sits just miles from Patrick Space Force Base and the constellation of defense firms that have made Brevard County a critical node in American national security. Trenchant was one of its most sensitive operations: a small team of elite hackers hunting for vulnerabilities in software made by Apple, Google, Microsoft, and others, then turning those vulnerabilities into deployable tools. The customer list was, by design, limited. The U.S. government and a handful of close allies. The tools were not formally classified government secrets. They were treated as such.

THE MAN WHO HAD FULL ACCESS

Peter John Williams had access to all of it.

Known in the tight-knit world of exploit developers as “Doogie,” Williams was 39 years old, an Australian citizen living in Washington, D.C., and the General Manager of Trenchant. He had arrived at the role through a path that, in retrospect, made him both an ideal candidate and an extraordinary risk. Before joining the private sector, Williams had worked for the Australian Signals Directorate, Australia’s foreign intelligence and cyber agency, the rough equivalent of the National Security Agency. He had spent years in government doing precisely what Trenchant did: hunting vulnerabilities and building the tools to exploit them, but in service of a sovereign nation rather than a corporation.

He was accomplished. People who had worked alongside him described him as brilliant. He rose to General Manager of Trenchant and held what prosecutors would later describe as “full access” to the company’s secure networks, including air-gapped systems, computers physically isolated from the internet, in both Washington, D.C., and Sydney, Australia.

That access was the architecture of the crime. Williams did not need to hack his own company. He simply walked in through the front door, day after day, and took what he needed. Prosecutors say he downloaded hacking tools from Trenchant’s secure networks onto a portable hard drive, transferred them to his personal computer, stripped out identifying information, and prepared them for delivery.

The question of why a man with his background and stature would do this remains, at its core, unanswered by the public record. What prosecutors established is considerably more concrete: he did it for money.

“JOHN TAYLOR”

In April 2022, six weeks after Vladimir Putin launched the full-scale invasion of Ukraine, Williams created an email account under the name “John Taylor.” Using encrypted communications, he reached out to a company he had identified as a buyer: a Russian zero-day acquisition firm called Operation Zero.

The timing matters. Putin’s war was already reshaping the Western security landscape. NATO was expanding. Sanctions on Russia were escalating. The global market for offensive cyber tools was tightening, and a broker like Operation Zero, which sold exclusively to non-NATO customers, was exactly the kind of buyer that would pay a premium for tools it could not otherwise reach legally. Williams knew what he was selling. He also knew, as a former Australian intelligence officer, what that war meant. He sold anyway.

He used the pseudonym throughout the entire three-year scheme. Whether Operation Zero ever learned that “John Taylor” was in fact the General Manager of one of America’s most sensitive exploit development divisions remains, to this day, an open question. Federal prosecutors have not confirmed it. The implications either way are significant.

The mechanics of the scheme were methodical. Williams would identify an exploit component from Trenchant’s secure library. He would download it to a portable hard drive, move it to his personal machine, scrub the code of anything that pointed back to L3Harris, and then transmit it to Operation Zero through encrypted channels. In return, he received payment in cryptocurrency. The contracts he signed with the Russian buyer specified upfront payments and additional fees for follow-on support, meaning he was not simply selling tools once and walking away. He was maintaining a service relationship with a foreign adversary.

“Williams took trade secrets comprised of national security software and sold them for up to $4 million in cryptocurrency. These incredibly powerful tools would have allowed Russia to access millions of digital devices.” — U.S. Attorney Jeanine Pirro

Between April 2022 and August 2025, Williams stole at least eight cyber exploit components from Trenchant. The total value of payments he was promised through his contracts reached up to $4 million. The cryptocurrency he actually received exceeded $1.3 million. He used it with no apparent concern for being noticed.

He made a down payment on a house in Washington, D.C. He purchased a 2022 Tesla Model X and a 2018 Porsche Panamera. He bought jewelry, luxury watches, high-end clothing, and $5,000 in luxury luggage. Between 2022 and 2025, he spent more than $715,000 on vacations. The house was later sold for $1.56 million.

THE BUYER IN ST. PETERSBURG

On the other side of the encrypted channel sat Sergey Sergeyevich Zelenyuk, a Russian national born in St. Petersburg on March 17, 1994. In the cybersecurity world, Zelenyuk had a modest public profile before founding Operation Zero. In November 2018, he publicly disclosed a zero-day vulnerability in VirtualBox, the widely used virtualization software, demonstrating a real and documented technical capability. He was, in the language of that world, a researcher. Then he became a businessman.

In September 2021, Zelenyuk registered a company called Matrix LLC in St. Petersburg, at an address in the Municipal District Sosnovaya Polyana. The company’s official purpose was listed as “computer programming activities.” Its operational purpose was considerably more specific: Operation Zero would buy zero-day exploits from researchers and resell them, exclusively to non-NATO country customers.

The company advertised openly. It posted bounties on its website and social media, offering payments that made Western exploit brokers look cautious by comparison. The published price list offered up to $2.5 million for mobile exploits and up to $1 million for virtualization software vulnerabilities. For a full exploitation chain targeting iOS and Android simultaneously, the company reportedly offered up to $20 million. The site declared: “We maintain continuous cooperation with over 25 governments and intelligence agencies worldwide.”

Operation Zero did not disclose vulnerabilities to the software developers whose products it was buying exploits against. It explicitly stated its tools went to non-NATO countries. In a market where most Western brokers at least perform due diligence on buyers, this was a notable and deliberate absence of guardrails. The U.S. Treasury would later describe the firm as a broker that “sought to sell exploits to foreign intelligence agencies” and that had developed spyware and tools for extracting sensitive data from artificial intelligence applications.

In late 2024, as U.S. scrutiny intensified, Zelenyuk established a second entity: Special Technology Services LLC FZ, incorporated on December 7, 2024, at the Meydan Grandstand in Dubai, United Arab Emirates. The move was a hedge, a way to keep the business flowing through a jurisdiction less exposed to U.S. pressure. He also worked with associates including Azizjon Mamashoyev, who ran a separate exploit brokerage called Advance Security Solutions from the UAE and Uzbekistan, and Oleg Vyacheslavovich Kucherov, who had prior relationships with Operation Zero and alleged ties to the Trickbot ransomware criminal organization.

This was the network Williams had chosen as his customer.

THE COVER-UP

By the third year of the scheme, something shifted. Perhaps Williams sensed the investigation closing in. Perhaps the internal pressure of maintaining a secret of this scale had become unsustainable. Whatever the reason, he made a decision that transformed an already serious crime into something considerably darker.

He pointed a finger at someone else.

A Trenchant developer, a colleague working on iOS exploits, became the target. Williams accused him of stealing and leaking Chrome zero-days. L3Harris launched an internal investigation, one that Williams himself reportedly oversaw. That investigation concluded that the company’s network had not been externally compromised and attributed the leak to “a former employee who, while employed, had improperly accessed the internet from an air-gapped device.” The developer was placed on administrative leave. His personal devices were seized and shipped to the United States, where they were offered to the FBI. He was then fired.

At sentencing, federal prosecutors confirmed that Williams had “stood idly by while another employee of the company was essentially blamed for [his] own conduct.” Williams’ attorneys pushed back at the hearing, arguing that the fired developer had engaged in dual employment and improper handling of company intellectual property. The argument landed poorly in a courtroom that had already heard the evidence.

The developer, who has never been publicly identified by name and whom the investigative press has referred to by the alias “Jay Gibson,” was out of work and under the shadow of an accusation he could not disprove.

Then, on March 5, 2025, his iPhone received the Apple notification about mercenary spyware.

“Williams stood idly by while another employee of the company was essentially blamed for his own conduct.” — Federal Prosecutors, U.S. District Court, District of Columbia

The timing was notable. The FBI had been “regularly interacting” with Williams since late 2024. The formal investigation into the theft of Trenchant code was well underway by the time Gibson’s phone was targeted. Whether it was the FBI itself, a U.S. intelligence agency operating alongside the investigation, or some other actor that deployed the spyware against Gibson remains unknown. No official has addressed it publicly. It is the kind of question that may never receive a formal answer.

THE DOWNSTREAM TRAIL

What Williams had set in motion extended well beyond the transaction between himself and a pseudonymous email account in St. Petersburg. The tools traveled.

During the investigation, prosecutors found evidence that Williams had recognized code he himself had written appearing in the hands of a South Korean broker. The stolen exploits had moved through at least one additional layer of the international exploit market after leaving Operation Zero. How far they went beyond that, and what they were used for, remains a matter of public uncertainty.

The U.S. Department of Justice alleged that the stolen tools could allow whoever possessed them to “potentially access millions of computers and devices around the world.” Court evidence, including the Operation Zero social media post read aloud during a hearing, strongly suggested the tools targeted mobile devices. The post called for increased payouts on “top-tier mobile exploits,” specifically Android and iOS, noting that “the end user is a non-NATO country.”

Operation Zero did not notify Apple, Google, or any other software developer that the vulnerabilities in their products were now in foreign hands. The tools were sold into a market that had no interest in patches. At time of publication, neither Apple nor Google had confirmed whether they were ever notified about the stolen Trenchant exploits, or whether the underlying vulnerabilities had been addressed. Both companies declined to respond to media inquiries. L3Harris also did not respond.

THE LAST DEAL

In June 2025, three years after his first encrypted message to “Operation Zero,” Williams signed a new contract with his Russian buyer. The payment was $500,000. The product was more stolen code.

He transmitted the material just days before he was scheduled to sit down with the FBI to discuss their investigation into the theft of Trenchant’s intellectual property.

The deliberateness of that sequence is difficult to fully process. Williams was, at that moment, an executive of a company that built weapons for American intelligence agencies, selling one of those weapons to a Russian broker while preparing to meet with federal investigators who were closing in on him. He went to that FBI meeting. He continued cooperating. Months later, on October 29, 2025, he appeared in U.S. District Court for the District of Columbia and pleaded guilty to two counts of theft of trade secrets.

L3Harris had found him through a detail embedded in the code itself. The company discovered that an unauthorized vendor was selling what appeared to be a component of one of their proprietary tools. The giveaway: the component contained company-specific vendor data, a kind of invisible fingerprint built into the architecture of the code. L3Harris matched it against their own library and knew. The FBI in Baltimore built the case from there.

THE RECKONING

On February 25, 2026, U.S. District Court Judge Loren L. AliKhan sentenced Peter John Williams to 87 months in federal prison. He will also serve three years of supervised release under special conditions. He forfeited $1.3 million, cryptocurrency holdings, his Washington, D.C. house, a Porsche, a Tesla, a collection of luxury watches, and the jewelry. A restitution hearing, which may produce additional financial penalties, is scheduled for May 12, 2026.

The Justice Department estimates that Williams’ actions caused $35 million in financial losses to L3Harris and its government customers. The operational damage to those customers, the intelligence agencies that relied on those tools as instruments of national security, has not been publicly quantified.

U.S. Attorney Jeanine Pirro for the District of Columbia delivered a statement that moved beyond the standard prosecutor’s rhetoric. “By betraying a position of trust and selling sensitive American technology,” she said, “Williams’ crime is not only one of theft, it is a crime of national security. Our nation’s defense capabilities are not commodities to be auctioned off.”

“Let this be a clear warning to all who consider placing greed over country: the FBI will not rest until you’re brought to justice.” — FBI Asst. Director Roman Rozhavsky

FBI Assistant Director Roman Rozhavsky, who heads the bureau’s Counterintelligence and Espionage Division, framed the case in terms aimed squarely at anyone working inside a defense contractor who might be considering something similar. His message was direct. If you betray your position of trust and sell sensitive American technology to foreign adversaries, the FBI will not stop until you face consequences.

SANCTIONING THE NETWORK

The timing of today’s coordinated government response was not accidental. As Williams stood before Judge AliKhan this morning, the machinery of two additional federal agencies was already in motion. By afternoon, the U.S. Treasury Department’s Office of Foreign Assets Control had designated Zelenyuk, Operation Zero (Matrix LLC), Special Technology Services LLC FZ, Marina Vasanovich, Azizjon Mamashoyev, Advance Security Solutions, and Oleg Kucherov. The State Department issued parallel designations within the same news cycle.

The legal instrument Treasury used is new ground. The Protecting American Intellectual Property Act, known as PAIPA, had never been used to sanction anyone since it became law. Today was the first time. The designation of Zelenyuk and Operation Zero under PAIPA represents a deliberate signal from the administration: the theft of American intellectual property by foreign-linked brokers is now a sanctions-eligible offense, and the government intends to use that authority. The choice to deploy it for the first time on the same day as the criminal sentencing was not coincidence. It was choreography.

The OFAC action confirmed publicly, for the first time, that the buyer of Williams’ stolen tools was Operation Zero specifically. It also disclosed that Operation Zero “sold those stolen tools to at least one unauthorized user.” The identity of that user has not been made public. The Trickbot connection to Kucherov raises the possibility that some portion of the stolen L3Harris capabilities moved into the infrastructure of organized ransomware. It is also possible the recipient was a foreign intelligence service. The government has said nothing further.

Zelenyuk, as of this publication, remains in Russia. His UAE shell company, established just two months ago in December 2024 at the Meydan Grandstand in Dubai, is now sanctioned before it had time to fully operate. The sanctions block his assets and prohibit U.S. persons from doing business with him, but they do not reach him in St. Petersburg.

WHAT REMAINS UNKNOWN

The guilty plea and sentencing close the legal chapter of the Williams case. They do not close the story.

The specific zero-day exploits Williams sold have not been publicly identified. The companies whose products those exploits target have not confirmed whether they were ever notified. If the underlying vulnerabilities remain unpatched, the stolen tools may still work against the devices they were built to penetrate. L3Harris estimated a $35 million loss, but acknowledged the stolen tools were not formally classified. The gap between “not classified” and “genuinely safe” is an uncomfortable one.

The “unauthorized user” who received the tools from Operation Zero has not been identified. The South Korean broker who appeared in possession of Williams’ code has not been publicly named. The full downstream chain of the stolen weapons is unknown.

And then there is Gibson. A man who lost his job, his reputation within one of the most secretive industries in the world, and then found out months later that someone with government-grade spyware had come for his personal phone. His real name is still not part of the public record. No official has explained who authorized the attack on his device. No public statement has acknowledged what he went through.

He received a notification from Apple and was left to draw his own conclusions.

THE SPACE COAST DIMENSION

For most of the country, this is a federal espionage case involving arcane tradecraft and the hidden architecture of offensive cyber capabilities. For the Space Coast, it is something closer.

L3Harris Technologies is the Space Coast’s most prominent defense employer. The company employs thousands of Brevard County residents, anchors the local defense economy alongside Patrick Space Force Base, and conducts work that extends from satellite communications to electronic warfare to, through Trenchant, some of the most sensitive offensive cyber development in the Western alliance. When L3Harris wins a contract, the effects move through the local economy. When L3Harris suffers a breach of this magnitude, the effects are harder to see, but they are there.

The Williams case raises questions the company has not publicly addressed. What internal controls allowed a General Manager to walk out with eight exploit components over three years without being detected? When the company discovered the breach, what did it communicate to its government customers? And what does it mean for those customers, including the U.S. government and allied intelligence agencies, that tools built specifically for their operations were sold into the Russian exploit market and then passed to a South Korean broker and at least one other unnamed party?

L3Harris did not respond to media inquiries for this story. Neither did the Department of Justice beyond its formal sentencing announcement. The FBI’s Baltimore Field Office, which conducted the investigation, declined to add anything to the press release.

As of tonight, Peter Williams is heading to federal prison. Sergey Zelenyuk is sanctioned, blocked from U.S. financial systems, and still in St. Petersburg. A law that existed on paper for years was used for the first time today, aimed at a 31-year-old Russian hacker who built a zero-day empire in an office park near the Gulf of Finland. Somewhere, the developer Williams framed is reading the news like the rest of us, finally seeing his name, even an alias, attached to the truth.

And somewhere, in a device or a server or a foreign intelligence network that no press release will ever name, the exploits that were built on the Space Coast of Florida are still out there.

Today was the day the U.S. government drew a line. Whether that line holds is a different story, and it has not been written yet.

SOURCES

TechCrunch — Inside the story of the US defense contractor who leaked hacking tools to Russia

TechCrunch — Former L3Harris Trenchant boss pleads guilty (Oct. 29, 2025)

Kim Zetter / ZERO DAY — Trenchant exec sold stolen code to Russian buyer even after learning tools were downstream

U.S. Department of Justice — Sentencing Press Release

U.S. Treasury / OFAC — Cyber-Related Designations, February 24, 2026

U.S. State Department — Designation of Russia-Based Zero-Day Exploits Broker

SecurityWeek — Ex-US Defense Contractor Executive Jailed for Selling Exploits to Russia

SecurityAffairs — Former U.S. Defense contractor executive sentenced for selling zero-day exploits to Operation Zero

Lawfare Media — Peter Williams, ex-ASD, pleads guilty to selling eight exploits to Russia

CyberScoop — L3Harris executive Peter Williams sentenced

ABC Australia — Australian sentenced to 7 years jail for selling US trade secrets
