would have unfettered access to everything.”
Before the acquisition, Williams worked at Linchpin Labs, and before then at Australian Signals Directorate, the country’s intelligence agency tasked with digital and electronic eavesdropping, according to the cybersecurity podcast Risky Business.
Sara Banda, a spokesperson for L3Harris, did not respond to a request for comment.
“Grave damage”
In October 2024, Trenchant “was alerted” that one of its products had leaked and was in the possession of “an unauthorized software broker,” per the court document. Williams was put in charge of the investigation into the leak, which ruled out a hack of the company’s network but found that a former employee “had improperly accessed the internet from an air-gapped device,” according to the court document.
As TechCrunch previously and exclusively reported, Williams fired a Trenchant developer in February 2025 after accusing him of being double employed. The fired employee later learned from some of his former colleagues that Williams accused him of stealing Chrome zero-days, which he had no access to since he worked on developing exploits for iPhones and iPads. By March, Apple notified the former employee that his iPhone had been targeted by a “mercenary spyware attack.”
In an interview with TechCrunch, the former Trenchant developer said he believed Williams framed him to cover up his own actions. It’s unclear if the former developer is the same employee mentioned in the court document.
In July, the FBI interviewed Williams, who told the agents that “the most likely way” to steal products from the secure network would be for someone with access to that network to download the products to an “air‑gapped device … like a mobile telephone or external drive.” (An air-gapped device is a computer or server that has no access to the internet.)
As it turned out, that’s exactly what Williams confessed to the FBI in August after being confronted with evidence of his crimes. Williams told the FBI that he recognized his code being used by a South Korean broker after he sold it to the Russian broker, though it remains unclear how Trenchant’s code ended up with the South Korean broker to begin with.
Williams used the alias “John Taylor,” a foreign email provider, and unspecified encrypted apps when interacting with the Russian broker, likely Operation Zero. This is a Russia-based broker that offers up to $20 million for tools to hack Android phones and iPhones, which it says it sells to “Russian private and government organizations only.”
Wired was first to report that Williams likely sold the stolen tools to Operation Zero, given that the court document mentions a September 2023 post on social media announcing an increase in the unnamed broker’s “bounty payouts from $200,000 to $20,000,000,” which matches an Operation Zero post on X at the time.
Operation Zero did not respond to TechCrunch’s request for comment.
Williams sold the first exploit for $240,000, with the promise of additional payments after confirming the tool’s performance, and for subsequent technical support to keep the tool updated. After this initial sale, Williams sold another seven exploits, agreeing to a total payment of $4 million, although he ended up only receiving $1.3 million, according to the court document.
Williams’ case has rocked the offensive cybersecurity community, where his rumored arrest had been a topic of conversation for weeks, according to multiple people who work in the industry.
Some of these industry insiders see Williams’ actions as causing grave damage.
“It’s a betrayal to the Western national security apparatus, and it’s a betrayal towards the worst kind of threat actor that we have right now, which is Russia,” the former Trenchant employee with knowledge of the company’s IT systems told TechCrunch.
“Because these secrets have been given to an adversary that absolutely is going to undermine our capabilities and is going to potentially even use them against other targets.”
