Earlier this year, a developer was shocked by a message that appeared on his personal phone: “Apple has detected a targeted mercenary spyware attack against your iPhone.”
“I panicked,” Jay Gibson, who asked that his real name not be used for fear of retaliation, told TechCrunch.
Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone creating exploits and spyware that is itself targeted with spyware.
“What the hell is going on? I really didn’t know what to think about it,” Gibson said, adding that he turned off his phone and put it away that day, March 5. “I immediately went to buy a new phone. I called my dad. It was a mess. It was a huge mess.”
At Trenchant, Gibson worked on developing iOS zero-days, which means finding vulnerabilities and development of tools capable of exploiting them that are not known to the vendor that makes the affected hardware or software, such as Apple.
“I have mixed feelings about how pathetic this is and then extreme fear because once things get to this level, you never know what’s going to happen,” he told TechCrunch.
However, the former Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources with direct knowledge of these cases, there have been other spyware and exploit developers in recent months who received notifications from Apple notifying them that they had been targeted with spyware.
Apple did not respond to a request for comment from TechCrunch.
Contact us
Do you have more information about the alleged Trenchant hacking tools leak? Or about this developer’s story? From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
Gibson’s targeting of the iPhone shows that the proliferation of zero-days and spyware is beginning to ensnare more types of victims.
Spyware and zero-day makers have historically claimed that their tools are only developed by vetted government customers against criminals and terrorists. But over the past decade, researchers at the digital rights group Citizen Lab at the University of Toronto, Amnesty International and other organizations have found dozens of cases where governments have used these tools to target dissidents, journalists, human rights defenders and political opponents around the world.
The closest public cases of security researchers being targeted by hackers occurred in 2021 and 2023when North Korean government hackers were caught targeting security researchers working on vulnerability research and development.
Suspect in leak investigation
Two days after receiving notification of Apple’s threat, Gibson contacted a forensics expert who has extensive experience investigating spyware attacks. After performing an initial analysis of Gibson’s phone, the expert found no signs of infection, but recommended a deeper forensic analysis of the exploit developer’s phone.
A forensic analysis would involve sending the expert a full backup of the device, something Gibson said he was not comfortable with.
“Recent cases are getting tougher from a forensics point of view, and in some we find nothing. It could also be that the attack wasn’t fully sent past the initial stages, we don’t know,” the expert told TechCrunch.
Without a full forensic analysis of Gibson’s phone, ideally where investigators found traces of the spyware and who made it, it’s impossible to know why it was targeted or who targeted it.
However, Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant, where he claims the company scapegoated him for a damaging leak of internal tools.
Apple sends threat alerts specifically for when it has evidence that a person has been targeted by a mercenary spyware attack. This type of surveillance technology is often placed invisibly and remotely on someone’s phone without their knowledge, exploiting vulnerabilities in the phone’s software, exploits that can be worth millions of dollars and can take months to develop. Law enforcement and intelligence agencies usually have the legal authority to deploy spyware on targets, not the spyware makers themselves.
Sara Banda, a spokeswoman for Trenchant’s parent company L3Harris, declined to comment for this story when reached by TechCrunch ahead of publication.
A month before he received Apple’s threat notification, when Gibson was still working at Trenchant, he said he was invited to the company’s London office for a team-building event.
When Gibson arrived on February 3, he was immediately called into a conference room to speak via video call with Peter Williams, then Trenchant’s general manager, who was known within the company as “Doogie”. (In 2018, defense contractor L3Harris acquired zero-day makers Azimuth and Linchpin Labs, two sister startups which merged to become Trenchant.)
Williams told Gibson that the company suspected he was a double-dealer and so suspended him. All of Gibson’s work devices will be seized and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.
“I was shocked. I didn’t really know how to react because I couldn’t really believe what I was hearing,” said Gibson, who explained that a Trenchant IT employee went to his apartment to pick up his company’s equipment.
About two weeks later, Gibson said Williams called and told him that after the investigation, the company was firing him and offered him a settlement agreement and payment. Gibson said Williams refused to explain what the forensic analysis of his devices had found and essentially told him he had no choice but to sign the deal and leave the company.
Feeling he had no alternative, Gibson said he accepted the offer and signed.
Gibson told TechCrunch that he later heard from former colleagues that Trenchant suspected unknown vulnerabilities in Google’s Chrome browser, tools Trenchant had developed. Gibson and three former colleagues, however, told TechCrunch that he did not have access to Trenchant’s Chrome zero-days, since he was part of the team that exclusively developed iOS zero-days and spyware. Trenchant teams only have strictly segmented access to tools specific to the platforms they work on, the people said.
“I know I was scapegoated. I wasn’t guilty. It’s as simple as that,” Gibson said. “I did absolutely nothing but kick their ass.”
The story of the allegations against Gibson and his subsequent suspension and firing was independently confirmed by three former Trenchant employees with knowledge.
Two of Trenchant’s other former employees said they knew details of Gibson’s trip to London and were aware of suspected leaks of sensitive company tools.
They all asked not to be named, but believe Trenchant was wrong.
