Spyware Attack Notification Shocks Developer
Earlier this year, a developer received a startling message on his personal iPhone stating, “Apple detected a targeted mercenary spyware attack against your iPhone.” The developer, who requested anonymity due to fears of retaliation and is identified here as Jay Gibson, shared his panic with TechCrunch as he processed the alarming notification.
Gibson, previously employed by Trenchant, a company that develops hacking and surveillance tools for Western governments, might be the first known exploit developer to have been targeted by spyware. “What the hell is going on? I really didn’t know what to think of it,” Gibson recounted, explaining that he immediately powered down his phone and decided to purchase a new one after calling his father to express his distress. “It was a mess. It was a huge mess.”
Context of the Attack
At Trenchant, Gibson specialized in developing exploits for iOS zero-day vulnerabilities, which are flaws unknown to the vendor that attackers can exploit. “I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen,” he noted.
Gibson’s situation appears to be part of a troubling trend. Sources indicate that other developers of spyware and exploits have also received similar notifications from Apple in recent months.
Apple has not provided a comment regarding these incidents to TechCrunch.
History of Targeted Attacks
The targeting of Gibson underscores an alarming expansion in the use of spyware, whose developers have traditionally claimed that it is deployed only by vetted government agencies against criminals or terrorists. However, organizations like the University of Toronto’s Citizen Lab and Amnesty International have documented numerous instances where governments misuse these tools to surveil activists, journalists, and political adversaries worldwide.
In 2021 and 2023, there were notable instances where North Korean hackers targeted security researchers focused on vulnerability research, further emphasizing the risks associated with this line of work.
Steps Taken After Notification
Just two days after receiving the notification, Gibson reached out to a forensic expert specializing in spyware investigations. While an initial analysis revealed no signs of infection, the expert suggested a more comprehensive forensic review, which would involve transferring a complete backup of Gibson’s device—something he was hesitant to do.
The expert remarked, “Recent cases are getting tougher forensically, and some we find nothing on. It may also be that the attack was not actually fully sent after the initial stages, we don’t know.” Without a thorough forensic examination, which could potentially reveal traces of the spyware and the perpetrator, the reasons behind Gibson’s notification remain uncertain.
The Circumstances Behind the Targeting
Gibson suspects that the notification from Apple is tied to his dismissal from Trenchant. He claims the company used him as a scapegoat for an internal leak involving sensitive tools. Apple issues threat notifications only when it has confirmed evidence that an individual has been targeted by mercenary spyware.
This type of invasive technology is designed to be covertly planted on devices, exploiting software vulnerabilities that can take significant time and investment to develop. In most cases, only law enforcement and intelligence agencies possess the legal authority to deploy such spyware.
Sara Banda, a spokesperson for Trenchant’s parent company L3Harris, declined to comment on the story when approached by TechCrunch.
Events Leading to Gibson’s Departure
Prior to receiving the Apple notification, Gibson was invited to attend a team-building event at Trenchant’s London office. Upon arriving on February 3, he was unexpectedly called into a meeting with then-general manager Peter Williams, known internally as “Doogie.” During the meeting, Gibson was informed that he was being suspended due to suspicions of double employment, leading to the confiscation of his work devices for further investigation.
Gibson expressed his shock, stating, “I didn’t really know how to react because I couldn’t really believe what I was hearing.” Later, Williams informed Gibson that he would be terminated following the investigation and offered a settlement package, the terms of which included an agreement for him to sign. Feeling compelled to accept, Gibson complied with the settlement, despite his lingering uncertainties.
Gibson later learned from former colleagues that Trenchant suspected he had leaked vulnerabilities in Google’s Chrome browser, which Gibson adamantly denies, asserting his focus had solely been on iOS vulnerabilities.
“I know I was a scapegoat. I wasn’t guilty. It’s very simple,” he claimed. “I didn’t do absolutely anything other than working my ass off for them.” This narrative has been corroborated by three former Trenchant employees who have knowledge of the events surrounding Gibson’s dismissal.
Two other former employees said they were familiar with Gibson’s trip to London and the suspected leaks of proprietary information. All preferred to remain anonymous, and all believe Trenchant misjudged the situation.