CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

L3Harris Employee Pleads Guilty to Selling Zero-Day Exploits to Russian Entities

First reported
Last updated
4 unique sources, 6 articles

Summary

Hide ▲

Peter Williams, a former general manager at L3Harris cyber-division Trenchant, pleaded guilty to selling at least eight zero-day exploits to a Russian cyber broker between 2022 and 2025. The exploits, stolen from Trenchant, were sold for $1,300,000 in cryptocurrency and were intended for the exclusive use of the U.S. government and select allies. The broker's clients include the Russian government, posing a significant national security threat. Williams used his privileged access to the company's network to steal the exploits and transmitted them via encrypted channels. The FBI has emphasized the severity of the crime, highlighting the potential impact on US national security. Williams now faces up to 10 years in prison and fines of $250,000 or twice the gain or loss pertinent to the offense. The case underscores the growing concern over the trade in commercial spyware and zero-day exploits, with international efforts underway to curb this activity. Trenchant, the cyber-capabilities business unit within L3Harris Technologies, was conducting its own investigation into the potential leak of Google Chrome zero-day vulnerabilities, with another employee, Jay Gibson, at the epicenter of the accusations. Peter Williams, 39, was sentenced to a little over seven years in prison for selling eight zero-day exploits to Russian exploit broker Operation Zero. Williams was ordered to serve three years of supervised release with special conditions and forfeit illicit proceeds, including properties, clothing, jewelry, and luxury watches. The exploits could have been used against any manner of victim, civilian or military around the world, and engage in all manner of crime from cyber fraud, theft, and ransomware, to state directed spying and offensive cyber operations against military targets. Williams sold the trade secrets for up to $4 million in cryptocurrency. The actions are estimated to have incurred L3Harris $35 million in financial losses. The U.S. State Department designated Operation Zero, Sergey Sergeyevich Zelenyuk, and Special Technology Services LLC FZ (STS) under the Protecting American Intellectual Property Act (PAIPA). Zelenyuk is a Russian national and the director and owner of Operation Zero. Zelenyuk established STS in the U.A.E. to conduct business with various countries in Asia and the Middle East and likely get around U.S. sanctions imposed on Russian bank accounts. Operation Zero has offered up to $4 million in bounties for Telegram exploits and $20 million for tools that could be used to break into Android and iPhone devices. Operation Zero has sought to develop other cyber intelligence systems, including spyware and methods to extract personal identifying information and other sensitive data uploaded by users of artificial intelligence applications like large language models. The U.S. Treasury Department has sanctioned a Russian exploit broker who bought stolen hacking tools from a former executive of a U.S. defense contractor. The Department's Office of Foreign Assets Control (OFAC) designated Matrix LLC (doing business as Operation Zero and headquartered in St. Petersburg, Russia) on Tuesday, along with its owner, Sergey Sergeyevich Zelenyuk, and five associated individuals and companies. OFAC sanctioned the targets under the Protecting American Intellectual Property Act (PAIPA), a law specifically targeting intellectual property theft by foreign adversaries, the first time that law has been used since its enactment. The designations also coincide with the sentencing of Peter Williams, a 39-year-old Australian national and former general manager of Trenchant, a cybersecurity unit of U.S. defense contractor L3Harris that develops zero-day exploits and surveillance tools. Williams was sentenced Tuesday to 87 months in prison after pleading guilty in October to stealing eight zero-day exploits from Trenchant and selling them to Operation Zero for approximately $1.3 million in cryptocurrency, even though they were designed exclusively for use by the U.S. government and allied intelligence agencies. Operation Zero is offering millions of dollars in bounties to security researchers and others for the development or acquisition of exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications. The company, whose clients also include the Russian government, says it's selling zero-day exploits only to Russian private and government organizations. "Zelenyuk and Operation Zero trade in 'exploits'—pieces of code or techniques that take advantage of vulnerabilities in a computer program to allow users to gain unauthorized access, steal information, or take control of an electronic device'—the Department of the Treasury said. "Among the exploits that Operation Zero acquired were at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company. Operation Zero then sold those stolen tools to at least one unauthorized user." OFAC also sanctioned Zelenyuk's UAE-based front company, Special Technology Services LLC, as well as two individuals with prior ties to Operation Zero (including Oleg Vyacheslavovich Kucherov, who is a suspected member of the Trickbot cybercrime gang) and a second exploit brokerage firm, Advance Security Solutions, with operations in the United Arab Emirates and Uzbekistan. The sanctions freeze all U.S.-held assets belonging to designated entities and individuals and expose American businesses and individuals conducting transactions with them to secondary sanctions or enforcement actions.

Timeline

  1. 30.10.2025 12:00 6 articles · 3mo ago

    L3Harris Employee Pleads Guilty to Selling Zero-Day Exploits to Russia

    The illegal activity took place between 2022 and 2025. Williams stole the exploits from Trenchant, a cyber-capabilities business unit within L3Harris Technologies. The exploits were intended for the exclusive use of the U.S. government and select allies. Williams sold the trade secrets to a Russian cyber-tools broker for $1,300,000 in cryptocurrency. The broker is suspected to be Operation Zero, a Russian-based zero-day purchase platform. Williams faces charges carrying a maximum of 10 years' imprisonment and fines of $250,000 or twice the gain or loss pertinent to the offense. Trenchant was conducting its own investigation into the potential leak of Google Chrome zero-day vulnerabilities to outsiders, with another employee, Jay Gibson, at the epicenter of the accusations. Peter Williams, 39, was sentenced to a little over seven years in prison for selling eight zero-day exploits to Russian exploit broker Operation Zero. Williams was ordered to serve three years of supervised release with special conditions and forfeit illicit proceeds, including properties, clothing, jewelry, and luxury watches. The exploits could have been used against any manner of victim, civilian or military around the world, and engage in all manner of crime from cyber fraud, theft, and ransomware, to state directed spying and offensive cyber operations against military targets. Williams sold the trade secrets for up to $4 million in cryptocurrency. The actions are estimated to have incurred L3Harris $35 million in financial losses. The U.S. State Department designated Operation Zero, Sergey Sergeyevich Zelenyuk, and Special Technology Services LLC FZ (STS) under the Protecting American Intellectual Property Act (PAIPA). Zelenyuk is a Russian national and the director and owner of Operation Zero. Zelenyuk established STS in the U.A.E. to conduct business with various countries in Asia and the Middle East and likely get around U.S. sanctions imposed on Russian bank accounts. Operation Zero has offered up to $4 million in bounties for Telegram exploits and $20 million for tools that could be used to break into Android and iPhone devices. Operation Zero has sought to develop other cyber intelligence systems, including spyware and methods to extract personal identifying information and other sensitive data uploaded by users of artificial intelligence applications like large language models. Peter Williams is an Australian national. Williams was ordered to forfeit $1.3m, cryptocurrency, a house, and luxury items including watches and jewelry. Williams admitted to providing follow-on support for the zero-day exploits he sold. The case highlights the murky world of commercial spyware, prompting the Pall Mall Process agreement. The State Department issued sanctions on Matrix LLC (aka Operation Zero), its owner Sergey Sergeyevich Zelenyuk, and four associated individuals and entities under the Protecting American Intellectual Property Act (PAIPA). Zelenyuk founded a new UAE-based company under the name Special Technology Services to evade US sanctions. The U.S. Treasury Department has sanctioned a Russian exploit broker who bought stolen hacking tools from a former executive of a U.S. defense contractor. The Department's Office of Foreign Assets Control (OFAC) designated Matrix LLC (doing business as Operation Zero and headquartered in St. Petersburg, Russia) on Tuesday, along with its owner, Sergey Sergeyevich Zelenyuk, and five associated individuals and companies. OFAC sanctioned the targets under the Protecting American Intellectual Property Act (PAIPA), a law specifically targeting intellectual property theft by foreign adversaries, the first time that law has been used since its enactment. The designations also coincide with the sentencing of Peter Williams, a 39-year-old Australian national and former general manager of Trenchant, a cybersecurity unit of U.S. defense contractor L3Harris that develops zero-day exploits and surveillance tools. Williams was sentenced Tuesday to 87 months in prison after pleading guilty in October to stealing eight zero-day exploits from Trenchant and selling them to Operation Zero for approximately $1.3 million in cryptocurrency, even though they were designed exclusively for use by the U.S. government and allied intelligence agencies. Operation Zero is offering millions of dollars in bounties to security researchers and others for the development or acquisition of exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications. The company, whose clients also include the Russian government, says it's selling zero-day exploits only to Russian private and government organizations. "Zelenyuk and Operation Zero trade in 'exploits'—pieces of code or techniques that take advantage of vulnerabilities in a computer program to allow users to gain unauthorized access, steal information, or take control of an electronic device'—the Department of the Treasury said. "Among the exploits that Operation Zero acquired were at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company. Operation Zero then sold those stolen tools to at least one unauthorized user." OFAC also sanctioned Zelenyuk's UAE-based front company, Special Technology Services LLC, as well as two individuals with prior ties to Operation Zero (including Oleg Vyacheslavovich Kucherov, who is a suspected member of the Trickbot cybercrime gang) and a second exploit brokerage firm, Advance Security Solutions, with operations in the United Arab Emirates and Uzbekistan. The sanctions freeze all U.S.-held assets belonging to designated entities and individuals and expose American businesses and individuals conducting transactions with them to secondary sanctions or enforcement actions.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Ex-Google Engineer Convicted for Stealing AI Trade Secrets for China

Linwei Ding, a former Google engineer, has been convicted of stealing over 2,000 confidential documents containing AI-related trade secrets to benefit China. The theft occurred between May 2022 and April 2023, involving sensitive information about Google's supercomputing infrastructure, AI models, and custom hardware. Ding was found guilty on seven counts of economic espionage and seven counts of theft of trade secrets. Additionally, three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran. The stolen data included details about Google's Tensor Processing Unit chips, Cluster Management System software, and other proprietary technologies. Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work. He also applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities. Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation. He was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them. Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO, intending to benefit entities controlled by the government of China. Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count.

Open in new tab

Jordanian Cybercriminal Admits Selling Access to 50 Enterprise Networks

Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian national residing in Georgia, pleaded guilty in a US court to selling unauthorized access to at least 50 compromised enterprise networks. The access was sold to an undercover agent on an underground cybercriminal forum. Albashiti, known online as 'r1z,' received payment in cryptocurrency. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. The Justice Department's Office of International Affairs secured Albashiti's extradition from Georgia in July 2024. Initial access brokers like Albashiti are critical middlemen in the cybercrime ecosystem, providing other threat actors with the credentials needed to breach victims' networks and drop malicious tools to steal data, deploy ransomware, or conduct espionage.

Open in new tab

US Seizes E-Note Crypto Exchange for Ransomware Laundering

The U.S. Department of Justice, led by the FBI and collaborating with international partners, has seized the E-Note cryptocurrency exchange for allegedly laundering over $70 million in ransomware and account takeover proceeds. The operation involved confiscating domains, servers, and customer databases, with an indictment unsealed against the Russian national Mykhalio Petrovich Chudnovets, believed to be the operator of E-Note. Chudnovets targeted US healthcare and critical infrastructure sectors through his money laundering services, which he began offering in 2010. This action may lead to further identification of cybercriminals involved in the laundering scheme.

Open in new tab

Sanctions imposed on Russian bulletproof hosting providers Media Land, ML.Cloud, and Aeza Group over ransomware support

The U.S., U.K., and Australia have sanctioned Russian bulletproof hosting (BPH) providers Media Land, ML.Cloud, and Aeza Group, along with their executives, for supporting ransomware gangs and cybercrime operations. Media Land's infrastructure has been used by groups like LockBit, BlackSuit, and Play, as well as in DDoS attacks against U.S. companies and critical infrastructure. The sanctions target four executives, including Aleksandr Volosovik, Kirill Zatolokin, Yulia Pankova, and Andrei Kozlov, freezing their assets and exposing transactions with them to secondary sanctions. Additionally, the UK-registered Hypercore, a front for Aeza Group, was also sanctioned. The sanctions aim to disrupt the services that enable cybercriminals to operate with impunity, targeting both the providers and their financial backers. Five Eyes agencies released joint guidance to help mitigate cybercriminal activity using BPH infrastructure, advising traffic analysis, filtering, and customer verification. The coordinated sanctions will seize property and businesses in the US, UK, and Australia, making it harder for the entities to transact with the West through legitimate banking channels.

Open in new tab

HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics. The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection. Additionally, Kimsuky is targeting organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The group is using QR codes in phishing campaigns, a technique known as 'quishing,' to redirect victims to malicious locations disguised as questionnaires, secure drives, or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies. Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script." The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components: a legitimate open-source PDF reader application, a malicious DLL that's sideloaded by the PDF reader, a portable executable (PE) of the Python interpreter, and a RAR file that likely serves as a decoy. The infection chain gets activated when the PDF reader application is run, causing the rogue DLL to be sideloaded. The use of DLL side-loading has become an increasingly common technique adopted by threat actors to evade detection and conceal signs of malicious activity by taking advantage of legitimate processes. Over the past week, at least three documented campaigns have leveraged DLL side-loading to deliver malware families tracked as LOTUSLITE and PDFSIDER, along with other commodity trojans and information stealers. In the campaign observed by ReliaQuest, the sideloaded DLL is used to drop the Python interpreter onto the system and create a Windows Registry Run key that makes sure that the Python interpreter is automatically executed upon every login. The interpreter's primary responsibility is to execute a Base64-encoded open-source shellcode that's directly executed in memory to avoid leaving forensic artifacts on disk. The final payload attempts to communicate with an external server, granting the attackers persistent remote access to the compromised host and exfiltrating data of interest. The abuse of legitimate open-source tools, coupled with the use of phishing messages sent on social media platforms, shows that phishing attacks are not confined to emails alone and that alternative delivery methods can exploit security gaps to increase the odds of success and break into corporate environments. ReliaQuest told The Hacker News that the campaign appears to be broad and opportunistic, with activity spanning various sectors and regions. "That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it's difficult to quantify the full scale," it added. "This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems," the cybersecurity company said. "Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data." This is not the first time LinkedIn has been misused for targeted attacks. In recent years, multiple North Korean threat actors, including those linked to the CryptoCore and Contagious Interview campaigns, have singled out victims by contacting them on LinkedIn under the pretext of a job opportunity and convincing them to run a malicious project as part of a supposed assessment or code review. In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that employs lures related to LinkedIn InMail notifications to get recipients to click on a "Read More" or "Reply To" button and download the remote desktop software developed by ConnectWise for gaining complete control over victim hosts. "Social media platforms commonly used by businesses represent a gap in most organizations' security posture," ReliaQuest said. "Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns." "Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls."

Open in new tab