Peter Williams, the former general manager of Trenchant (a division of U.S. defense contractor L3Harris), pleaded guilty to stealing and selling sensitive cyber-exploit components—including eight protected national-security-focused software tools—to a Russian broker over a three-year period. These exploits, developed exclusively for the U.S. government and Five Eyes allies (U.S., UK, Canada, Australia, New Zealand), were part of Trenchant’s spyware and zero-day vulnerability portfolio. The breach involved trade secrets worth over $35 million in losses to L3Harris, with Williams receiving $1.3 million in cryptocurrency for the sale. The stolen tools, designed for surveillance and cyber operations, were intended for Russian government-linked entities, posing a severe threat to national security and geopolitical stability. Williams exploited his secure network access to exfiltrate the data, signing contracts for ongoing support. The incident underscores a high-stakes cyber-espionage operation with potential to escalate tensions between nation-states, given the tools' capability to compromise critical infrastructure or intelligence operations.

Advanced iPhone Exploit Kit "Coruna" Traces Back to U.S. Defense Contractor, Spreads Globally A sophisticated iOS exploit toolkit called Coruna has become a focal point in cybersecurity circles after evidence linked its origins to L3Harris, a U.S. defense contractor, before falling into the hands of Russian intelligence and Chinese cybercriminals. The case underscores the risks of government-grade hacking tools leaking into broader cybercrime and espionage operations. Google’s Threat Intelligence Group revealed that Coruna leverages 23 exploits across five attack chains, targeting iPhones running iOS 13 through 17.2.1 via watering-hole attacks. A single visit to a compromised website can trigger remote code execution, sandbox escape, and kernel compromise, enabling attackers to steal data, spy on victims, and drain cryptocurrency wallets. Originally deployed in highly targeted operations by an unnamed government client of a commercial surveillance vendor, Coruna was later repurposed by Russian state hackers against Ukrainian users and, subsequently, by a Chinese cybercrime group for financial theft. This progression reflects a common pattern: elite zero-day exploits, once leaked, rapidly enter underground markets as "second-hand" tools. TechCrunch reported that two former employees of L3Harris’ hacking division, Trenchant, identified Coruna’s artifacts and internal naming conventions, suggesting the toolkit was developed in-house and sold exclusively to the U.S. government and Five Eyes allies. Separately, researchers at iVerify assessed that Coruna was likely built by a U.S. government contractor, though they did not confirm attribution. The timeline aligns with a 2023 insider theft case involving Peter Williams, Trenchant’s former general manager, who was sentenced for stealing and selling eight offensive tools including those targeting iOS to Russian exploit broker Operation Zero for $1.3 million. U.S. prosecutors warned these tools could compromise millions of devices. Operation Zero, now sanctioned by the U.S. Treasury, has ties to Russian intelligence and unauthorized buyers, facilitating Coruna’s spread to state-backed hackers and cybercriminals. Coruna’s codebase also overlaps with exploits used in Operation Triangulation, a 2023 campaign disclosed by Kaspersky that targeted iPhones, including those within Russia. Shared modules such as Photon, Gallium, and Plasma suggest a connection between the two frameworks, reinforcing concerns about the proliferation of high-end iOS exploits.

Peter Williams, a former general manager at L3Harris Trenchant (a U.S. defense contractor specializing in cyber capabilities for the Five Eyes alliance), pleaded guilty to stealing and selling eight protected cyber-exploit components—classified as national-security-focused software—to a Russian vulnerability exploit broker (allegedly Operation Zero) between 2022 and 2025. The stolen tools, valued at $35 million, were intended exclusively for the U.S. government and select allies but were sold for $1.3 million in cryptocurrency, granting Russian cyber actors a strategic advantage. Williams also signed contracts for ongoing support of these exploits, potentially enabling attacks against U.S. citizens, businesses, and critical infrastructure. The breach involved highly sensitive offensive/defensive cyber tools, including possible zero-day exploits (e.g., Chrome vulnerabilities), which could be weaponized for espionage, sabotage, or large-scale cyberattacks. The U.S. Department of Justice emphasized the direct threat to national security, as the leaked components could undermine military, intelligence, and allied operations. The incident also triggered internal investigations at Trenchant, including probes into another employee linked to iOS zero-day leaks, raising concerns about systemic insider threats and the proliferation of state-sponsored cyber weapons.