Apple alerts exploit developer that his iPhone was targeted with government spyware 


Earlier this year, a developer was shocked by a message appearing on his personal phone: “Apple has detected a targeted mercenary spyware attack against your iPhone.”

“I was terrified,” Jay Gibson, who asked that we not use his real name for fear of reprisal, told TechCrunch.

Gibson, who most recently developed surveillance technology for Trenchant, a maker of hacking tools for Western governments, may be the first documented case of someone who creates exploits and spyware being targeted with spyware himself.

“What’s going on? I didn’t really know what to think about it,” Gibson said, adding that he turned off his phone and put it away that day, March 5. “I immediately went to buy a new phone. I called my dad. It was a mess. It was a huge mess.”

At Trenchant, Gibson worked on iOS zero-days, meaning vulnerabilities, and the tools capable of exploiting them, that are not known to the vendor that makes the affected hardware or software, in this case Apple.

“I have mixed feelings about how pathetic it is and then extreme fear because once you get to this level you never know what’s going to happen,” he told TechCrunch.

But former Trenchant employees may not be the only exploit developers targeted by spyware. Other spyware and exploit developers have received notifications from Apple in the past few months that they have been targeted by spyware, according to three sources with direct knowledge of these incidents.

Apple did not respond to TechCrunch’s request for comment.

Contact us

Do you have more information about the alleged leak of Trenchant’s hacking tools? Or about this developer’s story? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram, Keybase and Wire at @lorenzofb, or by email.

The targeting of Gibson’s iPhone shows that the proliferation of zero-days and spyware is beginning to ensnare new kinds of victims.

Spyware and zero-day makers have historically claimed that their tools are deployed only against criminals and terrorists, and only by vetted government customers. But over the past decade, researchers at the University of Toronto’s digital rights group Citizen Lab, Amnesty International and other organizations have found dozens of cases where governments used these tools to target dissidents, journalists, human rights defenders and political rivals all over the world.

The closest public precedent is security researchers being targeted by hackers in 2021 and 2023, when North Korean government hackers were caught targeting security researchers working on vulnerability research and development.

Suspect in leak investigation

Two days after receiving Apple’s threat notification, Gibson contacted a forensics expert with extensive experience investigating spyware attacks. After an initial analysis of Gibson’s phone, the expert found no signs of infection, but still recommended an in-depth forensic analysis of the exploit developer’s phone.

For that, Gibson would have had to send the forensic expert a full backup of the device, which he said he wasn’t comfortable with.

“Recent cases are becoming more difficult forensically, and in some we find nothing. It could also be that the attack wasn’t actually fully sent past the initial stage, we don’t know,” the expert told TechCrunch.

Without a full forensic analysis of Gibson’s phone, in which investigators would ideally find traces of the spyware, it is impossible to know who created it, why he was targeted or who targeted him.

But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant, where he claims the company singled him out as a scapegoat for a damaging leak of internal tools.

Apple sends out threat notifications specifically when there is evidence that a person was targeted by a mercenary spyware attack. This type of surveillance technology is often installed invisibly and remotely, without the person’s knowledge, by exploiting a vulnerability in the phone’s software; such exploits can be worth millions of dollars and can take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware on targets, not the spyware creators themselves.

Sara Banda, a spokeswoman for Trenchant’s parent company L3Harris, declined to comment for this story when reached by TechCrunch ahead of publication.

A month before receiving Apple’s threat notification, while Gibson was still working at Trenchant, he said he was invited to visit the company’s London office for a team-building event.

When Gibson arrived on February 3, he was summoned to a meeting room to speak via video call with Trenchant’s then-general manager, Peter Williams, known inside the company as “Dougie”. (In 2018, defense contractor L3Harris acquired Azimuth and Linchpin Labs, two sister zero-day startups that were merged to form Trenchant.)

Williams told Gibson that the company suspected him of double employment and was thus firing him. All of Gibson’s work devices would be seized and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.

“I was shocked. I didn’t really know how to react because I really couldn’t believe what I was hearing,” said Gibson, who explained that a Trenchant IT employee had gone to his apartment to pick up his company-issued equipment.

About two weeks later, Gibson said Williams called and told him that after an investigation, the company was firing him and offered him a settlement agreement and payment. Gibson said Williams refused to explain what the forensic analysis of his devices found and essentially told him he had no choice but to sign the contract and leave the company.

Feeling he had no choice, Gibson said he went with the offer and signed.

Gibson told TechCrunch that he later heard from former colleagues that Trenchant suspected he had leaked some of the company’s zero-day exploits for Google’s Chrome browser, tools that Trenchant had developed. Gibson and three of his former colleagues, however, told TechCrunch that he did not have access to Trenchant’s Chrome zero-days, given that he was exclusively part of the iOS zero-day and spyware development team. Trenchant teams have strictly segmented access, limited to the tools for the platforms they are working on, the people said.

“I know I was the scapegoat. I wasn’t guilty. It’s that simple,” Gibson said. “I’ve done absolutely nothing but work my ass off for them.”

The story of the allegations against Gibson and his subsequent suspension and dismissal was independently corroborated by three former Trenchant employees with knowledge of the matter.

Two other former Trenchant employees said they knew details of Gibson’s trip to London and were aware of the suspected leak of sensitive company tools.

All of them have asked to remain anonymous but believe Trenchant got it wrong.
