
Lorenzo Franceschi-Bicchierai
This stuff was probably used for really bad things, and I'm speculating, but I don't think this is a crazy theory. The Russian government maybe wanted to find out the position of some Ukrainian troops. They could have used this and then they could have killed them.
404 Media Host
Hello and welcome to the 404 Media podcast, where we bring you unparalleled access to hidden worlds, both online and IRL. 404 Media is a journalist-founded company and needs your support. To subscribe, go to 404media.co. Subscribers get bonus content every single week. Subscribers also get access to additional episodes where we respond to their best comments. And they get early access to our interview series too, like this episode. Gain access to that content at 404media.co. This week we're joined by Lorenzo Franceschi-Bicchierai. He is a writer from the technology website TechCrunch. I have known Lorenzo for years and years and years. Actually, all of us have at 404 Media. We all used to work with him at Motherboard, the technology section of Vice, and he really was an inspiration to me. I remember when he published an article about how the Italian government malware company Hacking Team was selling its government spyware to the Drug Enforcement Administration. And I was like, wow, you can figure this stuff out by looking in contracting records and all of that sort of thing. And that got me very interested in the industry. And me and Lorenzo collaborated on a bunch of articles when we were both at Motherboard, including an investigation into the company called Azimuth Security, which you'll definitely hear about in the interview in a minute. But they sell, or rather sold, an array of hacking tools to Western government agencies. They were seen as the good guys in the industry, and that's why we covered them. But as this conversation shows, the company that came after Azimuth, it had something of a problem, a guy called Peter Williams who sold a bunch of hacking technology to a Russian company. And it looks like that ended up in the hands of the Russian government and then later Chinese groups as well. There's some nuance there that you'll definitely hear in the episode, but I really, really hope you enjoy this conversation. All right, Lorenzo, welcome to the show.
Lorenzo Franceschi-Bicchierai
Thank you. Very excited to be here.
404 Media Host
Yeah, it's funny doing this with a friend. I just said that in another take that we started. But we'll. We will try to keep it as professional and rigid and on point as possible. No, obviously, we're just going to change professionals. Yeah, we're going to talk about the zero-day industry for a while. So just to lay some groundwork, what is Trenchant? What is this company?
Lorenzo Franceschi-Bicchierai
Yeah, I think this is a good place to start. Trenchant is the heir, basically, of the two companies that we profiled, I guess 2017 or 18 at this point, Azimuth and Linchpin Labs. They were sort of sister startups that developed zero days out of Australia, but they had offices in all the countries that are part of the Five Eyes, which is the intelligence alliance made by the English-speaking countries: Canada, Australia, New Zealand, the UK and the US. And shortly after we wrote about them, actually, they were sold to L3, a relatively large defense contractor. And they renamed Linchpin Labs and Azimuth into this division called Trenchant. And I think it's fair to say that they are considered one of the best shops in terms of developing, finding vulnerabilities, developing exploits. And because they're part of this US-based defense contractor, they only sell to the Five Eyes.
404 Media Host
Yeah, I remember going or attempting to go to the London office of Linchpin Labs because at the time, as you say, back in 2017, 2018, they were really, really secretive and the industry sort of back then was, yes, it was coming out and you had these big conferences where companies would sort of be a little more upfront with the idea that, hey, we buy zero days and we sell them to the government. These guys were not like that. They were incredibly, not underground, that wouldn't be fair. But they kept themselves to themselves. But we managed to figure out, oh, these are the best companies for selling zero days and not just the exploits, but the malware as well to Western governments that basically no one had heard of at the time. Do you think that's why we wrote it?
Lorenzo Franceschi-Bicchierai
Yeah, I think at the time the market was different. The cybersecurity industry was a little bit different. I think at the time there were still people that didn't want to talk about the fact that they developed zero days. I don't remember when the first OffensiveCon was organized. This is like a Berlin-based conference that essentially gathers zero-day exploit makers, spyware makers. I think it was the first big one that was public. So yeah, at the time, Azimuth and Linchpin Labs were great examples of where the market was. They were relatively public. Mark Dowd was a very well known hacker and he was the CEO of Azimuth, the founder of Azimuth. People knew what he was doing, but he wasn't like advertising it on Twitter. On Twitter, he was just another cybersecurity guy. And to answer your question more directly, yeah, that was the interest. The public interest in that story was, well, you've heard about NSO Group, you heard about Hacking Team, but here's this other company that you probably have never heard of and they're doing even more important work or even more impressive work. And since then it's become much more normalized. Now sometimes a source reaches out and says, hey, have you heard about this company? You should write about it. I'm like, well, why? The existence of a company that sells zero days is not interesting anymore. The story now is. And in part it's always been. But the story is like, what are they doing? Who are they selling to? Did they sell to the wrong people? Did they break any laws? Export laws now are a thing that's much more established, although not super effective. So, yeah, now it's just more like, what are these companies doing? Who is behind them? Is there any interesting character behind them? Are they doing anything bad? But the mere existence of a company is not that interesting. And I think the conferences are a great example of that. There's Hexacon, there's OffensiveCon, their talks are online. I mean, Apple's head of security research engineering, SEAR team, whatever that acronym means, went to Hexacon to give a keynote. And he finished it saying, please look at your conscience and what you're doing, because if you don't know where your work ends and you're not sure that you're contributing to the good of the world, maybe you should do another job or maybe you should work for us.
404 Media Host
Which was pretty crazy, I've heard. I think it was this conference, but I heard that talk from Apple made people cry. Not in a, oh, we're being insulted way, but in an inspirational way. People who then went and saw that talk, who really do believe in you shouldn't sell offensively, you should sell defensively, you should help Apple and that sort of thing. But you mentioned that. Yes, stories back then in 2017 and definitely now, as you say, it is much more about who these companies sell to. And as you said at the time, everyone heard of NSO Group and they sell to various authoritarian regimes and then loads of other companies like Hacking Team as well, selling to Sudan, whatever. Azimuth and Linchpin were interesting because they sold to Western democracies and like we'd never seen that before. So Azimuth and Linchpin Labs are now Trenchant. They have this reputation for only selling to the, I'm going to say it, quote, unquote, good guys. Obviously that has radically changed in lots of different ways. That was just sort of the sentiment at the start. And if you want to be more specific, yes, they sold to the Five Eyes alliance. So they have that reputation. But something which you've done fantastic coverage of, something happened which has now maybe not shattered that reputation, but has really, really harmed it. There is someone called Peter Williams who worked at Trenchant. An indictment is unsealed. Or actually, correct me if I'm wrong, you knew this before the indictment, so maybe you want to take it from there.
Lorenzo Franceschi-Bicchierai
Yeah. So this must have been July or August. And somebody told me, hey, have you heard of this John Dugan or John something? Apparently he sold zero days to people he shouldn't. He works at Trenchant. He sold them to some bad guys. I'm not sure if it was North Korea or China or Russia. And I mean, my first reaction was, I don't believe you. I think this sounds crazy, but the sources that I had were relatively. They were credible. There were people I knew. And so I was like, all right, let's. Let's see if this is true. And the big problem at the beginning was that I didn't have the name. It was like John Dugan, John something.
404 Media Host
So you weren't sure sort of thing?
Lorenzo Franceschi-Bicchierai
Yeah, I wasn't sure who this person was other than the fact that apparently, allegedly, they worked at Trenchant. Then I got the name and it was Peter Williams, which was good to have a name, but it was a very generic name. You know, a lot of people are called Peter Williams. I think what actually at the time made me more convinced that there was a story there was that there was a UK business records website that showed that he had just resigned from Trenchant. This was like the 13th of August, something like that, mid-August. And my sources were saying, well, he didn't just resign, he was basically fired because of this. And at some point I heard sort of like a side quest. Somebody told me, well, actually there was another story that involves Peter Williams and it's that he tried to scapegoat one of his employees. At this point, what I heard was that this Peter Williams had stolen some zero days or some exploits, some malware from Trenchant and sold it to someone he should not have sold it to. This other story was basically that at some point Peter Williams tried to frame one of his employees and he launched an internal investigation. They eventually fired this employee. And the other interesting thing about this story was that the employee got a notification from Apple saying, we believe you have been a target of mercenary spyware.
404 Media Host
Just briefly on that, maybe, because you've covered those notifications a lot. And they're also quite recent in that Apple will now notify users of its products that they suspect have been targeted by government spyware. What's the deal? Sort of there. What's happening there?
Lorenzo Franceschi-Bicchierai
Yeah, this is a huge development in the last few years. What Apple is doing essentially is, yeah, when they detect some sort of a spyware campaign, they investigate. And when they determine that it was NSO Group or one of these companies, they send notifications to the people they believe were targeted. And, well, first of all, this shows you how much Apple can see from a device, which I think it's good. I don't want Apple to tell me if they believe I've been hacked. People on the other side of the fence, meaning the Citizen Labs of the world, the Access Nows of the world, say that this has really changed the game. You know, back 10 years ago, these people, these researchers needed, you know, a random Ethiopian journalist, so to speak. You know, like somebody that they didn't even know to reach out to them, saying, hey, I think I've been hacked. And that's like, you know, that. That doesn't scale. It's very hard to do that kind of work. Now people receive these notifications. Apple actually tells them, please go to Access Now. They can help you. And that has led to so many investigations, and it's led to even investigations that we don't know about. So Citizen Lab doesn't write about all the investigations that they do. Maybe because the victim doesn't want to, maybe because they. I don't know. It's not that interesting to be a public story. Same with Amnesty International. But yeah, in the last few years, because of these notifications, we've heard of so many cases and we don't know how many notifications Apple sends, but we can get an idea by the fact that they say they send to more than 150 countries and usually they do in batches. So if somebody receives a notification, it means that likely they're part of a group. Maybe they're like Catalan politicians and Spain has targeted them or Hungarian journalists and something like that. So, yeah, so this Trenchant employee had gotten one of these notifications and it was kind of unclear why. Although now in hindsight, we can imagine.
404 Media Host
Yeah, it's like a complicated wrinkle to the story. So you have this person inside Trenchant, Peter Williams, who you're hearing about that, well, they've stolen malware and maybe they've given it to the bad guys. And they're trying to cover it up by blaming this other employee at the company. What do you do with that information and what do you publish before we get to the next bit?
Lorenzo Franceschi-Bicchierai
Yeah, so once we could confirm the case of the scapegoat, so to speak, we reported that story. And honestly, at that point it was kind of a strategy. We didn't have the other story. We had the name, but we had no concrete information. There was no indictment. I heard this from multiple sources. But you can't write an article saying Peter Williams from Trenchant committed a crime based on anonymous sources, like, you're gonna get sued, rightfully. So. So we published the story. And actually. And this is my fault. I'm not super diligent about checking court records. So I hadn't checked for a while. And again, one of the challenges was that, you know, there's a lot of Peter Williamses. So after I publish the story, I think the same day or maybe the next morning, I go to PACER, I check, and there's a. There it is. A very recent case involving a Peter Williams. I go. There's like a. It's not an indictment. It was a very short document. It identified him as Peter Williams, didn't say where he worked. It said he worked at Company 1 or Company A, and it said that he had stolen eight trade secrets. So there was no reference to Trenchant, there was no reference to L3Harris, didn't say what the trade secrets were. I was pretty sure it was him. But again, there's a lot of Peter Williamses. So that was very frustrating also, because at that point, I had reached out to pretty much everyone who could know. You know, DOJ, FBI, the Australian signals intelligence, embassies. I reached out to everyone. Nobody answered. But the document was there. It was sitting there. And at that point, I knew that other people, other journalists were gonna see it. Right. And, yeah, then a week later, more or less, we reached out again to DOJ. And this time, DOJ was like, yeah, on background, blah, blah, blah, this is him. This is an L3Harris employee.
404 Media Host
So on background, DOJ confirmed that, yes, the Peter Williams you're talking about from Trenchant is one and the same Peter Williams in this court record, which is just saying sort of vaguely, he allegedly stole eight trade secrets or whatever.
Lorenzo Franceschi-Bicchierai
Yeah, now that I think about it, I think actually that document, the most interesting detail was that I think they said that he sold to a Russian buyer. And that was definitely the most interesting part of that document. Even though we didn't know who that Peter Williams was. But once we confirmed that that was that Peter Williams, we knew that he sold to Russia, which is pretty bad on its own. And that was before we knew actually what happened, which is even worse.
404 Media Host
And we'll talk about that now. So that court record comes out, you're building up the reporting, the usual cybersecurity press start looking at this as well. But then we get more information. So what does he do? Because he's convicted now.
Lorenzo Franceschi-Bicchierai
Right.
404 Media Host
So what did Peter Williams do?
Lorenzo Franceschi-Bicchierai
Yeah, I think a few days after the document, more documents dropped and there was even a hearing that I did not attend, but Patrick O'Neill attended it from Bloomberg. And between the court documents, the new court documents and the hearing, we started finding out exactly what happened. And what happened was even worse than what I heard. Essentially what the DOJ was alleging and then he admitted to. So that's what he did, is that at some point in around 2022, when he was already, I think he was already the general manager at Trenchant, so essentially the head of the whole hacking unit, he started taking some trade secrets, which in this case were vulnerabilities, exploits, maybe even full-fledged products that you could just plug in and deploy. And he sneakily put them on USB sticks, took them out of the offices. I think he took them out of both the office in Sydney and in the US in DC. So he was doing this systematically over three years. At some point, the FBI got wind of something, that something was happening at Trenchant, that some secrets were getting out.
404 Media Host
We'd love to know how they came across that.
Lorenzo Franceschi-Bicchierai
Yeah, that's not clear from the court documents and it would be great to know. So the FBI finds out, they go to Trenchant and they actually go to him and say, hey, we would like to ask you some questions. I think at this point they didn't know it was him or they didn't even suspect. But he's the general manager, he's the person to ask and to ask for collaboration. Because at this point, maybe Trenchant got hacked. Maybe he got hacked or somebody got hacked and these things were getting stolen by China or Russia. So the FBI approaches Peter Williams, he collaborates, and that's when we get to the scapegoat. This is like March of last year, more or less a year ago, Trenchant opens an internal investigation. They end up firing this guy, but the FBI is still asking questions. And in the summer of last year, they go back to Peter Williams and say, we know it was you.
Shopify Advertiser
I don't think people talk enough about how messy it is to actually run an online business, or at least how messy it can be. You start with a simple idea and suddenly you've got one tool for your website, another for payments, something else for email, another thing for analytics, and none of them really talk to each other. It gets chaotic really fast. That's why Shopify exists. Shopify is the commerce platform behind millions of businesses worldwide and about 10% of all e-commerce in the US, from huge brands, to people just starting from scratch, to 404 Media's merch store. Instead of juggling a bunch of different tools, Shopify brings everything into one place. You can build your store with ready-to-use templates that actually look good, manage inventory, process payments, track analytics, all from one dashboard. And when it comes to actually getting customers, Shopify makes that easier too. You can run email and social campaigns right from the platform so you're not duct-taping together five different services and it feels like they all talk to Shopify. If you ever get stuck, they've got 24/7 support, which is huge when you're trying to figure things out on your own. Shopify just simplifies everything so you can focus on actually growing your business instead of managing tools. Start your business today with the industry's best business partner, Shopify, and start hearing. Sign up for your $1 per month trial today at shopify.com/media. Go to shopify.com/media. That's shopify.com/media.
BetterHelp Advertiser
This episode is sponsored by BetterHelp. You know, financial stress can really affect you more than you're thinking. Maybe you're pushing it down. It's tax season. No one wants to deal with it. No one wants to face it. Look, I get it. I've been a contract employee for almost my entire career. Brief stints with W-2s. No one understands the stress of tax season more than me. But if you're worried about it and it's hitting you on an emotional level, that's normal. And sometimes we just need the right kind of support. And that's where BetterHelp comes in. So you know, BetterHelp is this place where you can get quality therapists that work according to a strict code of conduct and they are fully licensed in the United States. BetterHelp does internal matching work for you so you can focus on therapy. The short questionnaire helps identify your needs and preferences and then their 12-plus years of experience and industry-leading match fulfillment rate kicks in. And that means typically you've got the right person the first time. But if they don't work out, you get somebody else. No harm, no foul. And you can do it at any time based on their tailored recommendations. So if you're feeling that strain this month as I am, you know, get some better help. When life feels overwhelming, therapy can help. Sign up and get 10% off at betterhelp.com/404media. That's B E T T E R H E L P dot com slash four zero four media.
Lorenzo Franceschi-Bicchierai
And at that point, Peter Williams realizes there's nothing else he can do but confess and collaborate and hope for, you know, maybe a deal or a more lenient sentence. So, yeah, he admits that actually it was him. He stole a bunch of trade secrets. He gets indicted for eight. But my guess is that he may have stolen more. I don't know if the FBI didn't have enough evidence or eight was enough to get the sentence that they wanted. We also don't know exactly what these eight trade secrets are. We guessed that they were vulnerabilities or even exploits. We don't know for what products. We can get an idea of what they were from some language in both the press release and some court documents where the DOJ says that this could have been used to hack millions of people around the world. So we're probably talking about iPhone nowadays, Android, Chrome, Windows. So essentially systems that are widely used. These were not like router exploits. So yeah, Peter Williams confesses, the court documents become public and some more details come out. And some of them are very interesting. For example, who did you sell to? You know, at the beginning it was like Russian buyer. Turns out this Russian buyer was a company called Operation Zero. And when they launched, they did kind of a stunt. You know, they said, we're looking for zero days for iPhones and Android and we're willing to pay $20 million, which
404 Media Host
is a big figure at the time. It's still a big figure, but it was like a big attention seeking stunt.
Lorenzo Franceschi-Bicchierai
Were they willing to pay that?
404 Media Host
Maybe, Yeah, I don't know. But they said it.
Lorenzo Franceschi-Bicchierai
Yeah, they said, I think the context here is that it's already the, you know, the Ukraine invasion is full, full, fully ongoing. Russia is more isolated than ever. And essentially I think the rationale was we need to really offer a lot of money because the researchers that may sell to us are maybe not as many as before because there's sanctions. You're not allowed to sell to companies in Russia, anything. So you need to really incentivize people to do something that potentially will get them in trouble, which is what happened with Peter Williams. And I think actually the dates of when Peter Williams reached out around the time when Operation Zero announced this. So he probably saw the news and realized, well that sounds like somebody I could go to.
404 Media Host
Speaking of money, he made 1.3 million, something like that. So he didn't make 20, but he made some sort of financial benefit. But Trenchant later estimated a loss of 35 million. I guess that's like their value of the tooling. And then Peter Williams made just over a million which he then used to buy. What, like luxury watches and that sort of thing?
Lorenzo Franceschi-Bicchierai
Yeah, some luxury watches. Some watch people realized that some of them were fake.
404 Media Host
Oh, that's good.
Lorenzo Franceschi-Bicchierai
Some vacations, a big house outside of Washington, D.C. But yeah, the numbers are interesting because as you say, like, you didn't get 20 million but, you know, that's maybe because you didn't have the full chain and, you know, that's something we can get into. But you know, these days to hack an iPhone or even an Android phone you need like multiple vulnerabilities and you need to essentially make them all work together. It's like a multi-step process and the 20 million or the highest rewards these days are for something that works end to end. They call it end to end, an end-to-end exploit or an end-to-end chain or whatever. So essentially something that you can press a button and it goes from targeting you to now I can see everything on your phone, but for that you need multiple products. So it's possible that Peter Williams only sold a few, or maybe he was only able to steal some of that. A piece here, a piece there, maybe something was from Chrome, maybe something was for iOS, so for some reason he didn't get paid as much as maybe you would have thought. I think the estimated loss, we need to look at it a little bit skeptically in the sense that I think they're probably also counting the time, the development time that they need to essentially find new vulnerabilities. So I don't know if they were worth 35 million but. But it's possible that they were close.
404 Media Host
Yeah, it requires whole teams of people, like back when I was covering this more there could be a team of 4, 5, 6, up to 10 people just focused on an iOS chain or something like that. And as you say, yeah, if you want to hack an iPhone, let's say it's a browser vulnerability or something, you go to a malicious website and it hacks your iPhone, you're going to need a Safari exploit, you're going to need something to get out of the sandbox of Safari. You're going to need something to get persistence on the iPhone, which as far as I can remember is kind of non-existent nowadays, where if you just turn off your iPhone and reboot it, they can't get persistence, basically. Right. But even then they will still pay so much money even to get something that's essentially temporary because who turns off their mobile phone? No one does that.
Lorenzo Franceschi-Bicchierai
Yeah. And also I think another important context to all this is that timing and circumstances matter. I'm sure a lot of the listeners here remember the case of the FBI going after Apple because Apple didn't want to help hack the iPhone of the San Bernardino terrorists. That was a very important case because the FBI actually went to court and tried to compel Apple to help and in the end they ended up going to Azimuth and they got Azimuth to help. What I'm trying to say is that in a situation like that, the FBI may be willing to pay more than market rate because it's urgent. They need to get into these iPhones for whatever reason. You know, imagine, you know, this may sound like a crazy example, but it's, it probably happens all the time. You know, there's a terrorist and the NSA needs to know what this terrorist is doing or they want to hack, I don't know, Vladimir Putin's assistant and they need to do it now. So that's, that's going to, that's going to be worth more than, let's just get this iOS zero day in case we need it. And yeah, and so Operation Zero's prices seem crazy, but they're not that crazy. I think the company that is kind of like the bellwether, so to speak, these days is Crowdfense, because they've been around for a long time and they're relatively serious and their prices go up to 7 million for a full chain for iOS. And also you have to remember these are brokers. So I go to Crowdfense, I give them what they need, I get 7 million and then they have to sell it. So they have to make some money too. So the end customer will pay more
404 Media Host
and they make it into a product, right. And they make it into something and give it to them. I mean, I remember back when I think you started writing these and then occasionally I would write one, then you would write one. But back at Motherboard it was like, whoa, the hackers are offering a million dollars for an iPhone exploit chain. Then it was three, then it was five. I remember going to a conference in Singapore that was attended by a lot of people who sell iPhone zero days. And I think the figure I got from that conference at the time was, yes, 5 million for a full chain. And that was around 7. And it's almost kind of what you said earlier about, well, we don't just cover companies now for the hell of it. There has to be something to it. I feel like we don't really cover the prices unless it's particularly outrageous, you know what I mean? Or there's some sort of interesting factor, but that happens. Peter Williams is convicted, and then I believe he was sentenced recently as well. That sounds like the end of the story, but if anything, it's kind of just the start. But I will spoil it a little bit. Your reporting has shown that this is connected, very, very likely connected, to Trenchant in some form. Looking at all this other activity, I believe it was Google who finds that there is some sort of iPhone malware or iPhone exploitation kit being used in the wild. Tell us about this part first.
Lorenzo Franceschi-Bicchierai
Yeah, so last year, around this time last year, maybe early 2025, Google finds some sort of hacking campaign targeting iPhones. And they start investigating and they realize that they found something that is kind of unusual, at least unusual to find in the wild. And the way it was used was unusual. So what was unusual about this exploit kit or hacking tool, whatever you want to call it. It was codenamed Coruna, and essentially Coruna was like an exploit chain. So a product that included various vulnerabilities, various exploits that could target, at the time, I think at the beginning they could target up-to-date iPhones. So those were zero days. And at the beginning, the first campaign that Google found was launched by some Russian government group. They didn't name it. They used one of those very boring names. Now that it's like UNC, Uncategorized, 6358, whatever.
404 Media Host
I have to very briefly say that I hate that Google calls it unc or unk now, because whenever I'm looking at it, I'm like, okay, unk. And it's like, shit, that's what the fucking gen alphas are saying. And they're ruining our naming conventions for the hackers.
Lorenzo Franceschi-Bicchierai
Yeah, I mean, we got used to this stupid Charming Kitten and Fancy Panda Bear or something. Can you just come up with a name? Just come up with a new name. I know there's a lot of names already, but it's like these numbers just don't make any sense. But they say it's the Russian government. Very likely Russian government, Russian espionage, and they were using it in Ukraine. They essentially deployed it on a few websites that you would only get exploited by if you were in Ukraine. And I think it's likely, Google doesn't say this and they probably don't know because at this point you really need to, you probably would need to look at the devices themselves. But I think the implication was that these Russian spies planted it on some websites and they probably were interested only in a subset of Ukrainian users. Because usually these exploit kits work in phases. They infect you initially and then they look at who you are, they collect some data on your device, and if you are the person that they're interested in, then they deploy the second stage. So I think that's what was happening here. But it was widespread enough that it was on websites, so God knows how many people visited them.
404 Media Host
I mean, that's still crazy, right? Because usually when we think of iPhone attacks, it will be, oh, NSO Group sent something through the WhatsApp client. I'm just speaking generally, I'm not talking about a specific attack or Paragon did something in iMessage or FaceTime or something like that. And it's very targeted. And yes, although you send somebody a link, they click it or maybe they just go to a website, maybe relatively few people would do that, but maybe not. And that is a watering hole attack, right, where you have all these people gather to a website for whatever reason and they get infected. That is nuts to happen on an iPhone because that just is not supposed to happen. Basically.
Lorenzo Franceschi-Bicchierai
Yeah, it's almost unprecedented. I think you wrote about one of the first cases, which was in 2019, I think.
404 Media Host
I can't remember that. Literally don't know what you're talking about.
Lorenzo Franceschi-Bicchierai
I honestly forgot too, because the other day I was going to call this unprecedented and I was like, is it really? And then, yeah, I found some coverage. This was when the Chinese government also deployed a watering hole attack against iPhones, against the Uyghur Muslim minority. But you know, they're very rare. I think before Corona there were like two documented cases, one among the Uyghur community and one in Hong Kong. Obviously in both cases probably China. But yeah, this is already kind of crazy because it's like, wow, the Russians had just an exploit kit that they were also willing to kind of burn, because if you use it like that, you're probably going to get caught. Especially now in Ukraine. Ukrainians have great cybersecurity people. They also get help from this international cybersecurity community. You're probably going to get caught. And that's what happened. Google caught you. And this is where the story gets even crazier, because then Google keeps tracking these exploits. At this point they're not publishing anything, which I think is interesting for a couple of reasons. I mean, the first one, it makes sense. It's like they don't want to lose visibility. I think maybe at some point they realized that Trenchant was involved and somebody at the US government told them, please don't say anything. This is my theory. I'm speculating, but I think it's possible. But anyway, Google does its job, keeps tracking this campaign, and then it turns out that some of the same tools get used in China by a cybercriminal group. And in this case they just put it on random websites targeting probably millions of people to steal cryptocurrency. So this thing went from being very, relatively targeted, although you're right, they were not. Or at least we don't know. But at the point when Google detects it, it's not like it's only targeting a few people, it's targeting all the visitors of these websites. It goes to China and it gets used to steal cryptocurrency.
And at this point they're not zero days anymore. Apple was probably aware of this campaign. They patched some of them. At this point they're what the industry calls N days, which means exploits that used to be zero days, but they still work because some people have not patched their iPhones.
404 Media Host
I'm going to beef ever so slightly with that definition. And I knew we were going to do this because we always disagreed on these definitions. I would say an N-day is not about whether the user has updated their device or not. It's N-day, as in maybe Apple learned about the exploit four days ago and Apple hasn't pushed the patch yet. But your point stands that it's probably already been fixed or it is being fixed, so it should work on fewer devices. But it's fucking landed in the hands of these Chinese-language cybercriminals and they're putting it on fucking websites that's going to infect anybody that visits them, which is somehow even crazier than the previous one.
Lorenzo Franceschi-Bicchierai
Yeah, I mean this is literally unprecedented. It may have happened before and we don't know about it, and some companies have never published that report, but there's never been a documented case of a widespread, completely indiscriminate targeting of millions of iPhones this way, even though they had not updated their iPhones. But this is something that I had no idea about. I just assumed that a lot of iOS devices, or most iOS devices, if not all of them, were up to date. But it turns out that there's like 20, 25% of people that still have the previous iOS, which to me is crazy. I thought it was much lower than that.
404 Media Host
Those annoying messages of restart your phone to update it, that sort of thing. I mean, a lot of ordinary people find that really, really annoying, and they're not going to do it. I mean, they're not ideal. But if it's like 80% adoption rate for the latest update, hey, pretty good. But we're also talking at true global scale of the iPhone. So 20% is like an insane number of devices.
Lorenzo Franceschi-Bicchierai
Yeah, this was unprecedented and kind of crazy that they were burning this, even though at that point it was not zero days, but they were just like, okay, yolo, we need some cryptocurrency. Let's see how much we can get.
404 Media Host
Yeah, I'm going to come back to the trenchant connection because that's the reporting you did to sort of link all of this together, but briefly on the Chinese stuff and, and look for listeners and for us as well. This is going to be speculation because we don't know this, but I'm just curious what you think. So there is a line between somehow this Russian government agency or authorities or whatever have this exploit kit for relatively modern or very modern iPhones. It then ends up with Chinese cybercriminals who are not officially arms of the state. Who knows if they were a group that sometimes does state operations and now they're doing the financial stuff, who knows? How on earth do we completely speculate? How on earth do we think that iPhone chain ended up with a Chinese? Maybe it went from the Russians to the Chinese. Maybe the Chinese somehow got it independently. I think the timing would indicate it probably came from the Russians. Just like. Do you have any wild theories about that?
Lorenzo Franceschi-Bicchierai
Yeah, I don't think they're that wild, because Google and then Lookout, a mobile cybersecurity firm, and then iVerify, another mobile cybersecurity firm, also analyzed some of this stuff. And they concluded that most of the code that the Chinese cybercriminals were using was the same that the Russians were using. So it just looks like it exchanged hands. We just don't know exactly how. And this is where we can speculate. But I think the Russian government acquired it from Operation Zero. And then, even though Operation Zero on its website says that they only work with Russian companies and Russian organizations, it's possible that they were like, you know what? Why don't we get some more money from this? We don't have to just sell it to the Russians.
404 Media Host
Or they had their own Peter Williams in there as well.
Lorenzo Franceschi-Bicchierai
Yeah, or at some point, when the Russians, when the Russian customers are like, you know, we've used this. Do whatever you want with it. Or the owner of Operation Zero felt like he gave his friends at the Kremlin enough time to use these tools, and decided to sell again, because essentially you're selling the same product twice so you can make more money. And yeah, so it ended up in the hands of the Chinese. But as you say, I think it could be that, I don't know, somebody intercepted this somehow and took it and wanted to use it for their own goals. I don't think we can. I don't think it was like independent people finding the same vulnerabilities, because some of the code is exactly the same and it was in English language and things like that. And then the Chinese cybercriminals added some components to target cryptocurrency wallets and cryptocurrency companies or cryptocurrency users that had a certain kind of wallet, et cetera. So, yeah, we don't know how it went from Russia to China. And yeah, we can get into the Peter Williams angle of this at this point, because essentially what we found out is that, based on talking to some former Trenchant employees, some of whom were at Trenchant when this happened, or rather they were working on some of this, essentially when Google published the code and showed some of the code snippets in their public report, some Trenchant employees looked at that and said, oh, I worked on that. I recognized that. I recognized the code names. I recognized some of the code. And so they were basically telling us, yeah, this came from Trenchant and presumably came from the Peter Williams leak, because the circumstances line up. There's a Russian government hacking group using it. Operation Zero sells to Russia. But then, yeah, we don't know how it ended up elsewhere. One small detail from the court documents that hasn't been really looked at too much, mostly because I don't know how to go further there.
But the DOJ says that at some point they found some Trenchant tools being used in South Korea or by a South Korean group, or maybe used against South Korean users. So there's another country where you're like, how did it end up there? I mean, it's possible that a Chinese hacking group targets South Koreans for both espionage and cryptocurrency-stealing goals. But essentially it seems like at some point it just got out of control. And it could very well be because Operation Zero, while claiming to only work with Russia, was working with God knows how many people and how many customers, or their own customers then sold it because reasons, you know, maybe the Russians at some point were like, okay, we don't need this anymore. It's getting caught, it's getting detected. Can we make some money on the side? Who knows? I mean, once these things get out of hand, and especially once you start selling them to these, you know, sketchy, maybe it's a strong word, but kind of, you know, when you go to like even Crowdfense, which is a legitimate company in Dubai that, you know, has been open for a few years, you just don't know where they end up. As a researcher, you go to them, you give them the tools, they can promise you it's only going to be used by governments or countries or whatever. Do you trust them? I mean, that is the big question when you go to these companies. You just don't know where it's going to end up.
404 Media Host
It is really, really crazy. And the only parallel I can really think of is EternalBlue and sort of those sort of leaks or data exposures which for those who don't know, there was this fascinating entity called the Shadow Brokers, which are widely just sort of believed to be Russian, although we never really got to the bottom of any of that. Right. I briefly spoke to them over some encrypted messaging apps. I can't even remember. It was a pain in the ass to install and like use and do all that. It was just like a few emails or whatever, or a few messages or whatever. But they somehow got all of this NSA material and there was a lot of like NSA leaks at the time as well. Maybe it came from those from leakers as well. It then gets out onto the Internet and there's these very, very powerful Windows exploits. They are then picked up by North Korean hackers, right. And they are incorporated into a piece of ransomware malware, which is then spread all over the place and it causes all of this damage that's obviously much more high profile, much more destructive, and it was probably a much bigger news event. But frankly I am much more interested in this stuff and the iPhone stuff because I don't know, there's way more unanswered questions and it is very much a consumer device, obviously Windows as well.
Lorenzo Franceschi-Bicchierai
Right.
404 Media Host
But the attacks there were focused more on Infrastructure and that sort of thing. I think this is the case where once all of those pieces are together in one go, it's really going to blow people away. And it already has. You know what I mean? I just think there are still questions to be answered.
Lorenzo Franceschi-Bicchierai
Yeah. And this goes back to the beginning of our conversation when we were talking about companies that only sell to certain governments. This is what is not supposed to happen. Like, a company like Trenchant and other Western exploit makers and developers, they only sell to maybe the US or the Western countries because they believe that those countries are going to take care of those exploits and not, well, first of all, they probably don't believe that they're going to be used against innocent people. If you're patriotic, you believe that. But also they probably have to use SCIFs or some sort of special devices to send these exploits over. And there's all these security clearance things and security processes. And the whole idea is that these are very precious, they're very useful and you don't want them to fall into the wrong hands. And what happened here is that this guy had full access to internal networks by design because he's the boss. And he was also a technical person. He used to work at the Australian Signals Directorate. He was a hacker. He wasn't just like a manager, like a business person. So he probably helped develop, or sometimes he looked at the code, and he just took it out. And I think a lot of people have made fun of Trenchant on Twitter and things like that. And I mean, this is really bad for the reputation, but to be honest, it's very, very hard to protect against something like this. This guy was very well trusted. He was a former spook. He was a guy that worked for the Australian government probably because he believed in the mission. He was patriotic. He wanted to do good and turned that career into the private sector, still working for spies and governments who he probably believed were the good guys. And at some point he was like, you know what? I'm just going to make some more money. I'm going to try to make some more money and I'm going to sell to the Russians. And the context that we haven't spelled out, or maybe we briefly did, but this is while the Ukraine war goes on.
This stuff was probably used for really bad things. You cannot kill people with an iPhone exploit. And I'm speculating, but I don't think this is a crazy theory. The Russian government maybe wanted to find out the position of some Ukrainian troops that used iPhones. They could have used this and then they could have killed them, or spies
404 Media Host
or informants or anything that's sensitive in the war, because it's not just the soldiers on the front line. There's all of, you know, tons of other people in infrastructure as well, of course, that they could use this sort of thing to target.
Lorenzo Franceschi-Bicchierai
And he should have known that he was selling to Operation Zero, which explicitly says it only works with the Russian government and Russian corporations. So he knew that this could be used for bad. But at the same time, from the Trenchant perspective, it's hard to stop these things. He had to use USB keys inside the office. He couldn't just take stuff out of the network. So it's very hard to defend against this. But at the same time, it does kind of give credence to the criticism from some of the privacy advocates and activists like Citizen Lab, which obviously I respect a lot. But sometimes they push the narrative that nobody developing these things can be trusted. And there is a reason they do it. It's part of their mission, and it's okay. But until this case, you could say, well, is it really that bad? Turns out it really can't be that bad.
404 Media Host
Yeah, it can be so bad that someone not only steals the technology, but also it ends up in the hands of the Russians and it ends up in the hands of the Chinese, and it infects basically random people on the Internet. The only parallel I mentioned was the EternalBlue one, but there was also Vault 7, right, from WikiLeaks, which was a collection of CIA hacking tools, or I guess hacking-related material. And that was a malicious insider who leaked that information. Now, of course, I'm sure some people are also thinking about Snowden and they would draw a parallel there. I guess so. But I would say that was in the public interest. And you may, of course, disagree with the scope of the material that he took, but I think there was great public interest in a ton of that material, and it did lead to reform. It was very important to be revealed. There isn't a public interest in stealing hacking tools and then selling them basically to the Russian government via this Russian company. They're totally different.
Lorenzo Franceschi-Bicchierai
Yeah, this guy was not a whistleblower. He was just trying to make money. One thing that, it's hard to understand that. And only Peter Williams could answer these questions, like, why didn't he just go work in Dubai? The money that he made for this stuff is not that much in the grand scheme of things.
404 Media Host
Yeah, a million.
Lorenzo Franceschi-Bicchierai
Yeah, you could probably get a salary close to that working for Crowdfense or some other company in Dubai like that. And in that case, you don't even have to completely sell your conscience, because maybe they only work with good guys or whatever. So it is really, we don't know why he did it, you know, it's unclear, but that he had some sort of financial hardship. You know, he bought watches. So it doesn't look like he had to, I don't know, had to pay a mortgage or his stocks went down. I don't know. It doesn't seem like that was the motivation. It just seems like he wanted to make some extra money and he chose pretty much the worst people to sell it to, because there's also other exploit brokers. I think my theory here, I was just thinking about it as I was talking, is that it would have been harder for him to go to some sort of Western broker because they probably knew him or they knew people that worked with him. So he needed to go outside of the circles where he was known, because also the offensive cybersecurity industry is very small, relatively small. Everyone knows each other, everyone talks to each other. So he couldn't just go to a friend of his at, I don't know, a German company or an Italian company, whatever. He needed to go to someone that was willing to do this and also willing not to ask questions, because he approached them under an alias with a, I don't know if they said PGP or something, but yeah, he used like an alias and got paid in cryptocurrency. So he thought that, you know, he thought that nobody was going to catch him. It's still crazy. Even now that the story's out, I still kind of don't believe that it happened, because it's just like, how do you go from working with the Australian government to selling to the Russian government during the Ukraine war? It just seems so crazy.
404 Media Host
Yeah, yeah. And I still almost don't believe it even when you lay it out like that. But that was and is a fascinating story. We'll leave it there for the moment. Lorenzo, of course we'll have you back in the future to talk about more zero days in the hacking industry when the opportunity arises. But thank you so much for joining us.
Lorenzo Franceschi-Bicchierai
Thank you. This is fun. Appreciate it.
404 Media Host
As a reminder, 404 Media is journalist-founded and supported by subscribers. If you do wish to subscribe to 404 Media and directly support our work, please go to 404media.co. You'll get unlimited access to our articles and an ad-free version of this podcast. You also get to listen to the subscribers-only section where we talk about a bonus story each week. This podcast is made in partnership with Kaleidoscope Analysis Midcalf. Another way to support us is by leaving a five-star rating and review for the podcast. That stuff really does help us out. This has been 404 Media. We'll see you again next time.
Episode: Government Hacking Tools Are Now in Criminals' Hands (with Lorenzo Franceschi-Bicchierai)
Date: April 27, 2026
Guest: Lorenzo Franceschi-Bicchierai (TechCrunch)
This episode dives deep into the alarming case of government-grade hacking tools escaping the control of a top-tier “Western” vendor and ending up with Russian security services and, eventually, Chinese cybercriminals. With expert guest Lorenzo Franceschi-Bicchierai, the hosts break down the origins of the tools, the insider betrayal, the global security implications, and what this says about the shadowy zero-day market and its evolving risks.
The episode explores the unprecedented breach in which cutting-edge offensive hacking tools developed by reputable Western firm Trenchant (previously Azimuth and Linchpin Labs) were stolen by an insider and sold to Russian and then Chinese actors. The discussion analyzes the origins, market, and catastrophic downstream consequences—including attacks against ordinary users—highlighting a new era of risk for both global security and personal device safety.
"He sneakily put them on USB sticks, took them out of the offices…doing this systematically over three years." (Lorenzo, 15:51)
“This is literally unprecedented...there's never been a documented case of a widespread, completely indiscriminate targeting of millions of iPhones this way.” (Lorenzo, 34:47)
“This guy was not a whistleblower. He was just trying to make money.” (Lorenzo, 47:10)
“Until this case, you could say, well, is it really that bad? Turns out it really can't be that bad.” (Lorenzo, 46:12)
“This stuff was probably used for really bad things...the Russian government maybe wanted to find out the position of some Ukrainian troops. They could have used this and then they could have killed them.”
—Lorenzo Franceschi-Bicchierai, [00:00, 44:37]
“A company like Trenchant...they only sell to maybe the US or the Western countries because they believe that those countries are going to take care of those exploits … what happened here is that this guy had full access...and at some point he was like, you know what? I'm just going to make some more money and I'm going to sell to the Russians.”
—Lorenzo, [42:50]
| Topic | Timestamp |
|-------|-----------|
| Introduction to Trenchant and its origins | 03:09 |
| Evolution of the zero-day/exploit market | 05:01–07:15 |
| Initial rumors about insider leak at Trenchant | 08:52 |
| Discovery, investigation, and scapegoating employee | 09:31–13:20 |
| The FBI's involvement and Williams' confession | 16:56–21:11 |
| Valuation and resale of exploits; Operation Zero | 21:11–26:11 |
| Market for iOS/Android zero-day chains | 26:11–27:40 |
| Exploits used by Russian gov't in Ukraine | 29:06–32:04 |
| Mass exploitation by Chinese cybercriminals | 34:06–35:55 |
| The dangers of selling to brokers, lack of control | 36:54–41:03 |
| Parallels with EternalBlue and Vault 7 | 41:03–42:50 |
| Industry lessons, privacy activism vindication | 46:12 |
This episode delivers a sobering account of how even the most trusted institutions in the Western hacking industry are vulnerable to insider threats with devastating consequences. Government-level hacking tools meant for “the good guys” not only ended up assisting Russian military operations but also became weapons for indiscriminate cybercrime. The episode raises urgent questions about the efficacy of export controls, the fallibility of security vetting, and ultimately, whether any nation or company can fully control the power stockpiled in the global arms bazaar of zero-days.
For journalists, cybersecurity professionals, and anyone who owns a smartphone: this saga is both a fascinating detective story and a wake-up call about the real-world consequences of “surgical” cyber-weapons going rogue.