Former Trenchant Executive Admitted Selling Eight Zero‑Day Exploits to Russian Broker, DOJ Says

A U.S. Department of Justice filing lays out a troubling case in which a senior manager at Trenchant, a division of defense contractor L3Harris, admitted to selling a cache of offensive cyber tools to an exploit broker that counts Russian state actors among its clients. The defendant, an Australian national, acknowledged transferring eight distinct exploits between 2022 and 2025 in exchange for roughly $1.3 million in crypto. Prosecutors warned the technical capabilities of those tools were broad enough to facilitate mass surveillance, cybercrime and ransomware activity, potentially exposing millions of machines worldwide. The memorandum paints the sales as a direct blow to U.S. intelligence and allied security, and asks the court to impose a nine‑year custodial term, three years of supervised release, mandatory restitution of $35 million and statutory fines. The timeline in court papers shows that federal agents engaged with the suspect starting in late 2024 while he was still involved in the firm's internal probe, and later executed search warrants that uncovered payment receipts and communications with the buyer. Defense filings emphasize a lack of classified information among the stolen assets and assert the defendant did not knowingly place the tools into state hands; prosecutors dispute that account and highlight corroborating evidence. The broker named implicitly in filings resembles high‑value exploit marketplaces that openly trade for large sums and maintain ties to state purchasers. Compounding the operational harm, company insiders report internal fallout and questions about how the theft was handled, including claims that a subordinate was wrongly blamed. The Justice Department characterizes the transaction as motivated by greed and argues that the defendant prioritized personal enrichment over obligations to colleagues and national security. The case underscores persistent vulnerabilities in the stewardship of offensive cyber capabilities inside private contractors and the downstream risks when those capabilities escape controlled channels. Sentencing is scheduled for February 24 in federal court in Washington, D.C., and the prosecution’s recommendations reflect an effort to set a punitive precedent for insider abuse of sensitive cyber tools. Beyond the individual punishment, the episode is likely to prompt renewed scrutiny from government customers, tighter internal controls at defense contractors, and fresh debate about how to monitor and secure zero‑day inventories.