Source: TechCrunch
Categories: Security, Apple, Chrome, cybersecurity, Exclusive, Google, hackers, hacking, infosec, iPhone, L3Harris, Spyware, Trenchant, Zero-days
Earlier this year, a developer was shocked by a message that appeared on his personal phone: "Apple has detected a targeted mercenary spyware attack against your iPhone."
"I was panicking," Jay Gibson, who asked that his real name not be used due to fears of retaliation, told TechCrunch.
Gibson, who until recently built surveillance technologies for the Western government hacking tool maker Trenchant, may be the first documented case of an exploit and spyware developer being targeted by spyware.
“What the hell was going on? I didn’t really know what to think,” Gibson said, adding that he turned off his phone and put it away that day, March 5. “I immediately went to buy a new phone. I called my parents. It was a mess. It was a complete mess.”
At Trenchant, Gibson worked on iOS zero-days: finding vulnerabilities that are not known to the vendor of the affected hardware or software, such as Apple, and developing tools capable of exploiting them.
"I have mixed feelings about how pathetic this is, and then very scary because once things get to this level, you never know what's going to happen," he told TechCrunch.
But the former Trenchant employee may not be the only vulnerability developer targeted by spyware. According to three sources with direct knowledge of these cases, other exploit and spyware developers have in the past few months received notifications from Apple alerting them that they have been targeted with spyware.
Apple did not respond to a request for comment from TechCrunch.
The targeting of Gibson’s iPhone shows that the spread of spyware and zero-days is beginning to claim more types of victims.
Spyware and zero-day makers have historically claimed that their tools are sold only to vetted government agencies and deployed only against criminals and terrorists. But over the past decade, researchers at the University of Toronto's digital rights group Citizen Lab, Amnesty International, and other organizations have discovered dozens of cases in which governments have used these tools to target dissidents, journalists, human rights defenders, and political rivals around the world.
The closest public instances of security researchers being targeted by hackers occurred in 2021 and 2023, when North Korean government hackers were caught targeting security researchers working on vulnerability research and development.
Suspect in leak investigation
Two days after receiving the threat notification from Apple, Gibson contacted a forensics expert with extensive experience investigating spyware attacks. After conducting a preliminary analysis of Gibson’s phone, the expert found no signs of infection, but recommended a deeper forensic analysis of the exploit developer’s phone.
The forensic analysis would have required sending a complete backup of the device to the expert, something Gibson said he was not comfortable with.
"Recent cases have become more forensically stringent, and some of them we have found nothing. It may also be that the attack was not fully transmitted after the initial stages, we don't know," the expert told TechCrunch.
Without a full forensic analysis of Gibson’s phone, in which investigators would ideally find traces of the spyware and who made it, it is impossible to know why or by whom he was targeted.
But Gibson told TechCrunch that he believes the threat notice he received from Apple is related to the circumstances of his departure from Trenchant, in which he claims the company made him the scapegoat for a leak of internal tools.
Apple specifically sends out threat notifications when it has evidence that someone has been targeted by a mercenary spyware attack. This type of surveillance technology is often planted invisibly and remotely on someone’s phone without their knowledge by exploiting vulnerabilities in the phone’s software, exploits that can be worth millions of dollars and can take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware on targets, not the spyware makers themselves.
Sarah Panda, a spokeswoman for Trenchant’s parent company L3Harris, declined to comment for this story when contacted by TechCrunch prior to publication.
A month before he received the threat notice from Apple, when Gibson was still working at Trenchant, he said he was invited to go to the company’s London office for a team-building event.
When Gibson arrived on February 3, he was immediately called into a conference room to speak via video call with Peter Williams, the then managing director of Trenchant, who was known within the company as "Doggie". (In 2018, defense contractor L3Harris acquired Azimuth and Linchpin Labs, two sister startups that merged to become Trenchant.)
Williams told Gibson that the company suspected him of being a "dual employee" and was therefore suspending him. All of Gibson's company equipment would be seized and analyzed as part of an internal investigation into these allegations. Williams could not be reached for comment.
"I was in shock. I didn't really know how to react because I didn't really believe what I was hearing," said Gibson, who explained that a Trenchant IT employee then went to his apartment to collect the equipment the company had issued him.
About two weeks later, Gibson said, Williams called him and told him that after the investigation the company had fired him, and offered him a settlement and payment agreement. Gibson said Williams refused to explain what the forensic analysis of his devices had found, telling him he had no choice but to sign the agreement and leave the company.
Feeling he had no alternative, Gibson said he accepted the offer and signed.
Gibson told TechCrunch that he later heard from former colleagues that he was suspected of leaking zero-days for the Google Chrome browser, tools developed by Trenchant. However, Gibson and three former colleagues told TechCrunch that he did not have access to Trenchant's Chrome zero-days, since he was part of a team that worked exclusively on iOS zero-days and spyware. Access within Trenchant is strictly compartmentalized: teams can only reach the tools for the platforms they work on, the people said.
"I know I was the scapegoat. I wasn't guilty. It's very simple," Gibson said. "I never did anything but work for them."
The accusations against Gibson, and his suspension and firing, were independently confirmed by three former Trenchant employees with knowledge of the matter.
Two former Trenchant employees said they knew details of Gibson’s trip to London and were aware of suspected leaks of sensitive company tools.
They all asked to remain anonymous but believe Trenchant got it wrong.
Posted on 1761059066 (Unix time; 21 October 2025 UTC)