Earlier this year, a developer was shocked to see a message on his personal phone that read, “Apple has detected a targeted spyware attack on your iPhone.”
“I was panicking,” Jay Gibson, who asked that his real name not be used for fear of retaliation, told TechCrunch.
Mr. Gibson, who until recently was building surveillance technology for Western government hacking tools maker Trenchint, may be the first documented case of someone building exploits and spyware themselves becoming the target of spyware.
“What the hell is going on? I really didn't know what to think,” Gibson said, adding that she turned off her cell phone and put it away that day, March 5. “I immediately went to buy a new cell phone. I called my dad. It was a mess. It was a huge mess.”
At Trenchant, Gibson worked on iOS zero-day development. This means finding vulnerabilities and developing tools that can exploit them that are unknown to the vendors that make the affected hardware and software, such as Apple.
“I have mixed feelings about how pathetic this is, and I'm extremely scared, because when things get to this level, you never know what's going to happen,” he told TechCrunch.
But former Trenchant employees may not be the only exploit developers targeted by spyware. In the past few months, other spyware and exploit developers have also received notices from Apple warning them that they have been targeted by spyware, according to three sources with direct knowledge of the incidents.
Apple did not respond to TechCrunch's request for comment.
Contact Us Do you have more information about the alleged leak of the Trenchant hacking tool? Or are you talking about this developer? You can contact Lorenzo Franceschi-Bicchierai securely from any non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or email.
The targeting of Gibson's iPhone shows that the prevalence of zero-days and spyware is ensnaring more types of victims.
Spyware and zero-day makers have long maintained that their tools are only deployed by vetted government customers against criminals and terrorists. But researchers at the University of Toronto's digital rights group Citizen Lab and Amnesty International have uncovered dozens of cases over the past decade in which governments have used these tools to target dissidents, journalists, human rights activists and political opponents around the world.
The closest public incidents in which security researchers were targeted by hackers occurred in 2021 and 2023, when North Korean government hackers were arrested for targeting security researchers working on vulnerability research and development.
Suspect in leak investigation
Two days after receiving Apple's threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks. After conducting an initial analysis of Gibson's phone, experts found no signs of infection, but still recommended a more in-depth forensic analysis of the exploit developer's phone.
Forensic analysis would have required sending a complete backup of the device to experts, which Gibson said he was not satisfied with.
“Recent cases have become more forensically rigorous, and some don't find anything. It's also possible that the attack was actually not transmitted completely after the initial stages, but we don't know,” the expert told TechCrunch.
Without a full forensic analysis of Mr. Gibson's cellphone, ideally one in which investigators discovered traces of spyware and the author of the spyware, it will be impossible to know why he was targeted or who targeted him.
However, Gibson told TechCrunch that he believes the threat notification he received from Apple is related to how he left Trenchint, alleging that the company named him a scapegoat for a damaging leak of internal tools.
Apple only sends threat notifications when there is evidence that an individual has been the target of a mercenary spyware attack. This type of surveillance technology is often implanted into a cell phone remotely and unseen without someone's knowledge by exploiting vulnerabilities in the phone's software, which can be worth millions of dollars and take months to develop. Typically, law enforcement and intelligence agencies have the legal authority to deploy spyware to targets, not the spyware creators themselves.
Sara Banda, a spokesperson for Trenchant's parent company L3Harris, declined to comment for this article when contacted by TechCrunch before publication.
A month before receiving Apple's threat notification, while still working at Trenchent, Gibson was invited to go to the company's London office for a team-building event, he said.
When Gibson arrived on February 3, he was immediately summoned to a conference room to speak via video call with Peter Williams, Trencinto's general manager at the time and known within the company as “Doggie.” (In 2018, defense contractor L3Harris acquired zero-day manufacturers Azimuth and Linchpin Labs. The two sister startups merged to become Trenchant.)
Mr. Williams told Mr. Gibson that the company was suspending Mr. Gibson due to suspicions of dual employment. All of Mr. Gibson's work devices will be seized and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.
“I was in shock. I didn't really know how to react because I just couldn't believe what I was hearing,” Mr Gibson said. Later, Trencinto's IT employee explained that he went to the apartment to retrieve company-issued equipment.
About two weeks later, Gibson said Williams called him and told him that after an investigation, the company had fired him and offered him a settlement and payment. Gibson said Williams refused to explain what a forensic analysis of his devices revealed, effectively telling him he had no choice but to sign the contract and leave the company.
Gibson said he accepted the offer and signed because he felt he had no other options.
Gibson told TechCrunch that he later learned from a former colleague that Trentint was suspected of leaking an unknown vulnerability in Google's Chrome browser, a tool he developed. However, Gibson and three of his former colleagues told TechCrunch that Gibson did not have access to Trenchent's Chrome zero-day because he was part of a team that only developed iOS zero-days and spyware. Officials said the Torrent team has strictly segmented access only to tools related to the platform it is developing.
“I know I was the scapegoat. I was innocent. It's that simple,” Gibson said. “I didn't do anything but work hard for them.”
The story of the accusations against Gibson and his subsequent suspension and firing was independently corroborated by three knowledgeable former Trenchant employees.
Two other former Trenchant employees said they knew details of Mr. Gibson's trip to London and were aware of the alleged leak of sensitive company tools.
All asked to remain anonymous, but believe Mr. Trentinto made the wrong decision.