Earlier this year, a developer faced a shocking revelation when a message appeared on his personal phone: “Apple detected a targeted mercenary spyware attack against your iPhone.” Jay Gibson, who requested anonymity for fear of retaliation, recounted his panic to TechCrunch. Gibson, who previously developed surveillance technologies for Trenchant, a company specializing in hacking tools for Western governments, may represent one of the first documented instances of an exploit developer being targeted by spyware.
“What the hell is going on? I really didn’t know what to think of it,” said Gibson. On that fateful day, March 5, he immediately turned off his phone and set it aside. “I went out to buy a new phone. I called my dad. It was a mess. It was a huge mess.” At Trenchant, Gibson's role involved developing iOS zero-days, which means identifying vulnerabilities and creating tools to exploit them—tools that remain unknown to the device manufacturers, such as Apple.
Gibson shared his conflicting feelings about the situation. “I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen,” he told TechCrunch. His case is not isolated; sources indicate that other exploit developers have received similar notifications from Apple in recent months, suggesting a worrying trend in the targeting of individuals in this field.
The targeting of Gibson’s iPhone underscores the expanding reach of spyware and zero-day exploits. Traditionally, developers of such tools claimed their technologies were exclusively used against criminals and terrorists by vetted government clients. However, research from organizations like the University of Toronto’s Citizen Lab and Amnesty International has uncovered numerous instances where governments misused these tools to target dissidents, journalists, and human rights advocates globally.
Two days after receiving Apple’s notification, Gibson reached out to a forensic expert experienced in investigating spyware attacks. The initial analysis of his phone revealed no signs of infection; however, the expert recommended a comprehensive forensic examination. Gibson expressed discomfort with providing a complete backup of his device for analysis. “Recent cases are getting tougher forensically, and some we find nothing on,” the expert noted. Without thorough analysis, it is challenging to determine the motives behind the attack or the identity of the perpetrator.
Gibson suspects that Apple’s notification may relate to his controversial exit from Trenchant, where he claims he was unfairly scapegoated for a damaging leak of internal tools. Apple specifically issues threat notifications when it has evidence that an individual has been targeted by a mercenary spyware attack. Such surveillance technologies are often silently and remotely installed on devices by exploiting software vulnerabilities; the exploits can take months to develop and be valued at millions of dollars.
In the month leading up to his notification, Gibson attended a team-building event at Trenchant’s London office on February 3. He was unexpectedly called into a meeting with Peter Williams, the company’s general manager, who accused him of being double employed and subsequently suspended him. “I was in shock. I didn’t really know how to react because I couldn’t believe what I was hearing,” Gibson recounted. An IT employee confiscated his company-issued devices for an internal investigation.
Approximately two weeks later, Gibson was informed of his termination following the investigation, with an offer for a settlement agreement. He felt compelled to accept the terms without any clear explanation of the forensic findings. Gibson later learned from former colleagues that Trenchant suspected him of leaking vulnerabilities related to Google’s Chrome browser, despite his focus solely on iOS zero-days and spyware development. “I know I was a scapegoat. I wasn’t guilty. It’s very simple,” he stated. “I didn’t do absolutely anything other than work hard for them.”
The circumstances surrounding Gibson’s suspension and firing have been independently verified by three former Trenchant employees, who confirmed knowledge of the events leading to his dismissal and the company’s suspicions regarding leaks of sensitive tools. All sources requested anonymity but maintain that Trenchant misidentified the source of the leaks.
As the landscape of spyware and zero-day vulnerabilities evolves, the implications of targeting individuals within the tech industry raise significant questions about accountability and the ethical use of surveillance technologies.