Apple alerts exploit developer that his iPhone was targeted with government spyware

Earlier this year, a developer was shocked by a message that appeared on his personal phone. The message stated that Apple had detected a targeted mercenary spyware attack against his iPhone. He described panicking upon seeing the alert. The developer, Jay Gibson, who asked that his real name not be used for fear of retaliation, spoke about the incident. Until recently, Gibson built surveillance technologies for Trenchant, a Western government hacking tools maker. His case may be the first documented instance of someone who builds exploits and spyware being targeted with spyware themselves.

He recalled his reaction, stating he did not know what to think. He turned off his phone and put it away on March 5. He immediately went to buy a new phone and called his father, describing the situation as a huge mess. At Trenchant, Gibson worked on developing iOS zero-days. This involved finding vulnerabilities and creating tools to exploit them that were unknown to the vendor, such as Apple. He expressed mixed feelings of finding the situation pathetic and experiencing extreme fear, noting that once things reach this level, you never know what will happen.

The former Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources with direct knowledge, there have been other spyware and exploit developers in recent months who received similar notifications from Apple alerting them they were targeted. Apple did not respond to a request for comment.

The targeting of Gibson’s iPhone indicates that the proliferation of zero-days and spyware is starting to ensnare more types of victims. Spyware and zero-day makers have historically claimed their tools are only deployed by vetted government customers against criminals and terrorists. However, for the past decade, researchers at the University of Toronto’s Citizen Lab, Amnesty International, and other organizations have found dozens of cases where governments used these tools to target dissidents, journalists, human rights defenders, and political rivals all over the world.

The closest public cases of security researchers being targeted by hackers occurred in 2021 and 2023, when North Korean government hackers were caught targeting security researchers working in vulnerability research and development.

Two days after receiving the Apple threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks. After an initial analysis of the phone, the expert found no signs of infection but recommended a deeper forensic analysis. This would have required sending a complete backup of the device, which Gibson said he was not comfortable doing. The expert explained that recent cases are getting tougher forensically, and sometimes they find nothing. It is also possible the attack was not carried through after its initial stages.

Without a full forensic analysis where investigators find traces of the spyware and its maker, it is impossible to know why he was targeted or who was responsible. Gibson believes the threat notification is connected to the circumstances of his departure from Trenchant. He claims the company designated him as a scapegoat for a damaging leak of internal tools.

Apple sends out threat notifications specifically when it has evidence a person was targeted by a mercenary spyware attack. This surveillance technology is often invisibly and remotely planted on a phone without the user’s knowledge by exploiting software vulnerabilities. These exploits can be worth millions of dollars and take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware, not the spyware makers themselves.

A spokesperson for Trenchant’s parent company, L3Harris, declined to comment for this story.

A month before he received the Apple threat notification, while still working at Trenchant, Gibson was invited to the company’s London office for a team-building event. When he arrived on February 3, he was immediately summoned to a meeting room for a video call with Peter Williams, Trenchant’s then-general manager. Williams told Gibson the company suspected he was double employed and was suspending him. All of Gibson’s work devices would be confiscated and analyzed as part of an internal investigation. A Trenchant IT employee then went to his apartment to pick up his company-issued equipment.

Around two weeks later, Gibson said Williams called and told him that following the investigation, the company was firing him and offering a settlement agreement and payment. Gibson said Williams declined to explain what the forensic analysis had found and essentially told him he had no choice but to sign the agreement and depart. Feeling he had no alternative, Gibson said he signed.

Gibson later heard from former colleagues that Trenchant suspected he had leaked some unknown vulnerabilities in Google’s Chrome browser, tools that Trenchant had developed. However, Gibson and three former colleagues told TechCrunch that he did not have access to Trenchant’s Chrome zero-days. They stated he was part of the team exclusively developing iOS zero-days and spyware, and that Trenchant teams have strictly compartmentalized access to tools related to their specific platforms.

Gibson stated he knows he was a scapegoat and that he is not guilty, saying he did nothing other than work very hard for the company. The story of the accusations against Gibson and his subsequent suspension and firing was independently corroborated by three former Trenchant employees with knowledge of the events. Two of them knew details of the London trip and were aware of suspected leaks of sensitive company tools. All of them asked not to be named and believe Trenchant got it wrong.