Apple alerts exploit developer that its iPhone was targeted by government spyware

Earlier this year, a developer was shocked by a message that appeared on his home phone: “Apple has detected a targeted mercenary spyware attack against your iPhone. »

“I was panicking,” Jay Gibson, who asked that we not use his real name for fear of retaliation, told TechCrunch.

Gibson, who until recently developed surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who creates exploits and spyware being targeted by spyware themselves.

“What the hell is going on? I really didn’t know what to think about it,” Gibson said, adding that he turned off his phone and put it away that day, March 5. “I immediately went and bought a new phone. I called my dad. It was a disaster. It was a huge disaster.”

At Trenchant, Gibson worked on developing iOS zero-days, which means finding vulnerabilities and develop tools capable of exploiting them that are not known to the vendor that makes the affected hardware or software, such as Apple.

“I have mixed feelings about how pathetic this situation is, and then extreme fear, because once things reach this level, you never know what’s going to happen,” he told TechCrunch.

But the former Tranchant employee may not be the only exploit developer targeted by spyware. According to three sources with direct knowledge of the cases, other spyware and exploit developers have received notices from Apple in recent months alerting them that they were being targeted by spyware.

Apple did not respond to a request for comment from TechCrunch.

The targeting of Gibson’s iPhone shows that the proliferation of spyware and spyware is starting to attract more types of victims.

The creators of spyware and zero-day software have always claimed that their tools are only deployed by approved government clients against criminals and terrorists. But over the past decade, researchers at Citizen Lab, a digital rights group at the University of Toronto, Amnesty International and other organizations, have uncovered dozens of cases where governments have used these tools to target dissidents, journalists, human rights defenders and political rivals around the world.

The closest public cases of security researchers being targeted by hackers occurred in 2021 and 2023, when North Korean government hackers were caught targeting security researchers working in vulnerability research and development.

Suspect in leak investigation

Two days after receiving Apple’s threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks. After performing an initial scan of Gibson’s phone, the expert found no signs of infection, but still recommended a more in-depth forensic analysis of the exploit developer’s phone.

A forensic analysis would have required sending the expert a full backup of the device, something Gibson said he wasn’t comfortable with.

“Recent cases are becoming more forensically difficult, and in some cases we find nothing. It could also be that the attack was not fully launched after the initial stages, we don’t know,” the expert told TechCrunch.

Without a full forensic analysis of Gibson’s phone, ideally one in which investigators found traces of the spyware and who created it, it is impossible to know why he was targeted or who targeted him.

But Gibson told TechCrunch that he believed the threat notification he received from Apple was related to the circumstances of his departure from Trenchant, where he claimed the company scapegoated him for a damaging leak of internal tools.

Apple sends threat notifications specifically when it has proof that someone has been targeted by a mercenary spyware attack. This type of surveillance technology is often invisibly and remotely planted on a person’s phone without their knowledge by exploiting vulnerabilities in the phone’s software, exploits that can be worth millions of dollars and take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware on targets, not the creators themselves.

Sara Banda, a spokesperson for Trenchant’s parent company L3Harris, declined to comment for this story when contacted by TechCrunch ahead of publication.

A month before receiving Apple’s threat notification, while Gibson was still working at Trenchant, he said he was invited to come to the company’s London office for a team-building event.

When Gibson arrived on February 3, he was immediately called into a meeting room to speak via video call with Peter Williams, then Trenchant’s chief executive, known within the company as “Doogie.” (In 2018, defense contractor L3Harris acquired zero-day creators Azimuth and Linchpin Labs, two sister startups that merged to become Trenchant.)

Williams told Gibson that the company suspected he was duplicating work and was therefore suspending him. All of Gibson’s work devices would be confiscated and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.

“I was in shock. I didn’t really know how to react because I couldn’t really believe what I was hearing,” said Gibson, who explained that a Trenchant IT employee then went to his apartment to pick up his company-issued equipment.

About two weeks later, Gibson said Williams called him and told him that as a result of the investigation, the company was firing him and offering him a settlement agreement and payment. Gibson said Williams refused to explain what forensic analysis of his devices revealed and essentially told him he had no choice but to sign the deal and leave the company.

Feeling he had no alternative, Gibson said he accepted the offer and signed.

Gibson told TechCrunch that he later heard from former colleagues that Trenchant suspected of disclosing some unknown vulnerabilities in Google’s Chrome browser, tools that Trenchant had developed. However, Gibson and three of his former colleagues told TechCrunch that he did not have access to Trenchant’s Zero Days in Chrome, given that he was part of the team exclusively developing Zero Days and iOS spyware. Trenchant teams only have strictly compartmentalized access to tools related to the platforms they work on, the sources said.

“I know I was a scapegoat. I wasn’t guilty. It’s very simple,” Gibson said. “I did absolutely nothing but work hard for them.”

The story of Gibson’s accusations and his suspension and firing was independently corroborated by three knowledgeable former Trenchant employees.

Two of Trenchant’s other former employees said they knew details of Gibson’s trip to London and were aware of alleged leaks of sensitive company tools.

All asked not to be named, but believe Trenchant was wrong.