Peter Williams, a veteran cybersecurity executive who was the head of the hacking and surveillance tech division of U.S. defense contractor L3Harris, has been ordered to pay $10 million to his former employer. Williams was the central figure in one of the worst leaks of advanced hacking tools in the history of the United States and its closest allies.

On Wednesday, a judge ordered Williams to pay that amount in restitution on top of the $1.3 million he had already been ordered to pay to L3Harris. Williams, a 39-year-old Australian citizen who previously worked in one of Australia’s intelligence agencies, was until last year the general manager of Trenchant. Born out of the acquisition of two sister startups, Trenchant is L3Harris’ division that develops advanced spyware and hacking tools and sells them to the U.S. government and its allies in the Five Eyes intelligence alliance, a coalition of five English-speaking nations that share classified intelligence with one another. In addition to the U.S., the alliance includes Australia, Canada, New Zealand, and the United Kingdom.

Veteran cybersecurity reporter Kim Zetter first reported the new order to pay restitution in her newsletter. 

Williams’ lawyers did not respond to a request for comment.

Last year, Williams was arrested and accused of stealing seven unspecified trade secrets — almost certainly cyber exploits, which is code that hijacks software vulnerabilities, and surveillance technology — from Trenchant and then selling them to Operation Zero. The Russian firm acts as a broker, buying and selling hacking tools, and it says it works exclusively with the Russian government and local companies.

Williams pleaded guilty and was sentenced to more than seven years in prison. 

Williams made $1.3 million selling the trade secrets, which he used to buy luxury watches, a house near Washington, D.C., and family vacations. Trenchant told prosecutors that it suffered losses of up to $35 million due to Williams’ theft. 

U.S. prosecutors said Williams “betrayed” the United States and its allies by giving Operation Zero, which the U.S. government calls “one of the world’s most nefarious exploit brokers,” tools that could have been used to hack “millions of computers and devices around the world.” 

As TechCrunch previously reported, Williams took advantage of his privileged “full access” to Trenchant’s internal network to siphon the tools out of the company’s offices. After Williams sold the hacking tools to Operation Zero, some of them ended up being used by Russian government spies in Ukraine, and later Chinese cybercriminals, according to former L3Harris employees who recognized the stolen code in cybersecurity research that Google published after investigating the cyberattacks in which those tools were deployed.

Williams also tried to frame one of his employees for the theft.

Poland’s intelligence service said it detected attacks on five water treatment plants where hackers could have taken control of the industrial equipment inside, including, in the worst case, tampering with the safety of the water supply.

The story is relevant beyond Poland’s borders: U.S. water infrastructure has faced similar threats in recent years. In 2021, a hacker briefly gained access to a water treatment plant in Oldsmar, Florida and attempted to increase the level of sodium hydroxide — a caustic chemical — to dangerous levels. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency have since warned that water utilities remain a soft target for foreign hackers.

On Friday, Poland’s Internal Security Agency, the country’s top intelligence agency, published a report covering the last two years of the agency’s operations and threats the country faced. The report said Polish intelligence thwarted multiple acts of sabotage from Russian government spies and hackers, who targeted military facilities, critical infrastructure (essential systems such as power grids, water supplies, and transportation networks), as well as civilian targets. These attacks, according to the report, may have resulted in fatalities.  

“The most serious challenge remains the sabotage activity against Poland, inspired and organized by Russian intelligence services. This threat was (and is) real and immediate. It requires full mobilization,” read the report.

The report did not specify whether the hackers behind the attacks on the water treatment facilities were Russian government spies. But Poland has recently been the target of several attempts by Russian government hackers to attack its infrastructure, including a failed attempt to bring down the country’s energy grid. That breach was later attributed to poor security controls at the targeted facilities.

Poland’s experience is part of a growing global pattern of attacks on water and energy infrastructure. As recently as last month, a joint advisory from the Cybersecurity and Infrastructure Security Agency, the FBI, the NSA, and several other federal agencies warned that Iranian-backed hackers are actively targeting programmable logic controllers — the industrial computers that run water and energy facilities — at U.S. utilities. The same Iranian hacking group, CyberAv3ngers, previously broke into digital control panels at multiple U.S. water treatment plants in Pennsylvania in 2023, in attacks that federal agencies linked to escalating hostilities in the Middle East.

In other words, the attacks against Poland are not unique, they follow a strategy that the Russian government is applying both in war zones such as Ukraine, as well as against Western countries that it sees as longstanding enemies. The plan, according to Polish intelligence, is to destabilize and weaken the West, and cyberattacks and cyberespionage are just tools in a larger toolkit for Putin’s regime.

The National Highway Traffic Safety Administration (NHTSA) has opened an investigation into Avride, a robotaxi company that has partnered with Uber, after identifying more than a dozen crashes and one minor injury.

The safety regulator’s Office of Defects Investigation (ODI) said all 16 crashes that it has identified have to do with “the competence of” Avride’s self-driving system, which has apparently struggled with changing lanes, responding to other vehicles in the same lane, and responding to stationary objects.

All of the crashes have come while the Avride vehicles were under the supervision of a safety monitor in the driver’s seat. Reached for comment, Avride declined to explain why the safety monitors did not intervene in these crashes. The company pointed out that it reported these crashes to the NHTSA as required by the agency’s 2021 Standing General Order on automated driving.

“We have implemented targeted technical and operational mitigations to address our findings from each reported incident between December 2025 and March 2026, and have further enhanced overall system capabilities,” the company said in a statement. “Our total operations have continued to grow, while the frequency of incidents relative to our mileage has steadily declined.”

Uber did not immediately respond to a request for comment.

Avride, best known for its sidewalk delivery robots, is a subsidiary of Nebius, formerly Yandex NV, the Netherlands-based company that sold off its Russian business in 2024. The company has also spent years developing and testing self-driving cars, and struck a partnership with Uber in 2024. The following year, Uber and its parent company Nebius agreed to make “strategic investments and other commitments” to Avride worth up to $375 million.

The investigation comes just a few months after Uber started offering rides in Avride robotaxis in Dallas, Texas, which is where “many of the reported crashes have occurred,” according to the ODI. Some of the crashes also occurred in Austin, Texas. At least one of the reported crashes involved a robotaxi carrying a passenger.

The probe arrives amid expanded testing, deployment, and scaling of autonomous vehicle technologies by numerous companies across the United States, drawing increased scrutiny.

Waymo is currently being investigated by both NHTSA and the National Transportation Safety Board for illegal behavior around school buses, and for a January crash in which one of the Alphabet-owned company’s robotaxis struck a child.

The ODI said on Friday that it completed a preliminary review of videos of each Avride crash. These videos, according to the office, show “instances of the AVs changing lanes into the path of or directly into other vehicles traveling in an adjacent lane and in close proximity to an AV; failing to slow or stop for slow-moving or stopped vehicles in the lane and path ahead; failing to slow for or avoid vehicles entering the lane and path ahead; and striking stationary objects partially obstructing the lane and path ahead.”

The crash that caused a minor injury happened in December 2025 in Dallas, according to data filed with the NHTSA. It involved an Avride-equipped Hyundai Ioniq 5 that clipped the open driver’s side door of a parked pickup truck. One of the truck’s occupants sustained a minor injury that did not require hospitalization.

Another December crash in Dallas involved an Avride robotaxi that tried to change lanes to avoid a parked pickup truck, according to data filed with the NHTSA. The Avride vehicle turned into a van that was beside it, resulting in damage to both vehicles.

Multiple crashes involved other vehicles turning into the Avride robotaxis, though it’s unclear from the descriptions if there was a chance for the robotaxis to avoid those collisions. At least one crash involved an Avride vehicle crashing into a dumpster. Only one of the reported crashes describes the safety monitor attempting to intervene.