Treasury sanctions Russian zero-day broker after ex-L3Harris manager sold eight exploits

The U.S. Treasury announced sanctions today targeting a Russia-based zero-day exploit broker, its founder and two affiliates, and a linked broker in the United Arab Emirates, saying the organization posed a threat to U.S. national security. The action follows court filings showing a former manager at L3Harris’s exploit-development unit pleaded guilty to selling protected cyber tools to a Russia-based buyer.

Court records filed last October lay out the underlying criminal case. Peter Williams, an Australian national who rose to become general manager of L3Harris Trenchant, admitted in a plea that he sold eight sensitive and protected cyber-exploit components to a purchaser identified in the filings as “Company Three.” The filing states that “‘Company Three’ is based in Russia and advertises itself as a ‘Russian zero-day purchase platform.’” Prosecutors say the exploits were designed for exclusive use by the U.S. government and trusted allies.

The criminal record and related filings say Williams received more than $1.26 million in cryptocurrency for the sales and entered multiple written contracts that promised additional payments, potentially up to $4 million. Prosecutors allege he moved funds through anonymized transactions, spent proceeds on luxury purchases and a $1.5 million down payment on a Washington property, and continued selling through July 2025 even after learning of an FBI investigation. Prosecutors are seeking a nine-year prison term, $35 million in mandatory restitution, a $250,000 fine and three years of supervised release.

The Treasury did not in its announcement fully enumerate the names or aliases of the Russian targets in the material provided to the press. Court filings use the neutral designation “Company Three”; public reporting has publicly named an entity known as Operation Zero as a likely purchaser, but public sources differ on the degree of certainty tying that name to the documents. The filings also describe the broker’s business model: “The broker claims to buy exploits from developers and resell them to non-NATO buyers, including the Russian government.”

The case has broader implications for how governments and private firms manage offensive cyber capabilities. Williams’s career path, as laid out in court documents, included service at Australia’s signals intelligence agency and work at a succession of commercial exploit developers that later became L3Harris Trenchant. Four former Trenchant employees told investigators the company was probing “a leak of its hacking tools,” according to accounts included in the public record.

The Justice Department’s sentencing memorandum, cited in filings, says the companies involved have suffered more than $35 million in losses tied to the disclosures and misuse of the tools. The loss figure underpins the prosecutors’ restitution demand and frames Treasury’s decision to impose economic measures against the broker and affiliates.

The sanctions mark a notable policy step: Treasury’s designation links criminal insider sales to broader national security harms and aims to disrupt markets for zero-day vulnerabilities. It also raises questions for both defense contractors and allied intelligence services about controls on exploit development and the risks of commercial markets for offensive cyber tools.

Key details remain to be clarified publicly: the Treasury release as issued did not list the full legal authorities or every named individual and affiliate, and full Statement of Offense paragraphs remain the primary source for the precise admissions. Officials at L3Harris, the Justice Department and Treasury declined to provide additional comment in their public statements accompanying the filings.