Former L3Harris Cyber Executive Sold Eight Zero-Day Exploit Kits to Russian Broker, DoJ Reveals

A former senior executive at L3Harris's cyber subsidiary Trenchant sold eight zero-day exploit kits to a broker who regularly provided exploits to the Russian government, according to a sentencing memorandum published by the US Department of Justice.

Peter Williams, the former General Manager of Trenchant, pleaded guilty to two counts of theft of trade secrets in October 2025. The newly published sentencing memorandum reveals for the first time the full scope of his actions and their national security implications.

Eight Zero-Day Exploit Kits

Williams provided eight zero-day exploit kits to a Russian broker, giving the broker's clients — which the DoJ alleges included the Russian government — access to powerful offensive cyber capabilities that could be deployed against civilian and military targets worldwide.

"Williams made it possible for the Russian Broker to arm its clients with powerful cyber exploits that could be used against any manner of victim, civilian or military around the world," the DoJ stated.

The actions resulted in more than $35 million in losses for L3Harris and Trenchant, reflecting both the direct value of the stolen exploits and the broader damage to the company's operations.

Sentencing

The DoJ is seeking the maximum sentence under federal guidelines — up to 108 months (nine years) of incarceration followed by three years of supervised release. Williams, an Australian citizen, has agreed to deportation to Australia upon completion of his prison term.

Prosecutors have also requested $35 million in restitution along with forfeiture of assets linked to the crimes.

Context

The case highlights the persistent threat posed by insider access within the exploit development industry. Trenchant, operating under L3Harris's defense contracting umbrella, developed offensive cyber tools — the same category of capabilities sold by firms like NSO Group and Candiru. Williams' ability to exfiltrate eight complete zero-day exploit kits underscores the difficulty of protecting offensive tooling even within classified or tightly controlled environments.

The prosecution also reflects the US government's increasing willingness to pursue criminal cases against individuals who facilitate the transfer of offensive cyber capabilities to adversary nations, particularly Russia and China.

Recommendation

Organisations involved in vulnerability research and exploit development should review insider threat controls, particularly around access to finished exploit tooling. Compartmentalisation of access, robust data loss prevention monitoring, and strict export control compliance remain critical for any entity handling offensive cyber capabilities.
