Earlier this year, a developer was stunned when a notification appeared on his personal device: “Apple has identified a mercenary spyware attack targeting your iPhone.”
“I started to panic,” said Jay Gibson, who requested anonymity due to concerns about possible repercussions, in a conversation with TechCrunch.
Gibson, who until recently developed surveillance tools for the Western government hacking contractor Trenchant, may be the first known instance of a spyware and exploit creator becoming the target of such an attack.
“What is happening? I honestly had no idea how to process it,” Gibson recalled, explaining that he immediately powered down his phone and set it aside on March 5. “I went out and bought a replacement right away. I called my father. Everything was chaotic. It was a total disaster.”
At Trenchant, Gibson worked on discovering iOS zero-days, vulnerabilities that remain unknown to the manufacturer of the affected devices or software (such as Apple), and on crafting tools to exploit them.
“I’m torn between feeling this is just sad and being extremely frightened, because once things escalate to this point, there’s no telling what could come next,” he told TechCrunch.
However, Gibson may not be the only exploit engineer who has been targeted. Three individuals familiar with these incidents told TechCrunch that other spyware and exploit developers have also received Apple notifications in recent months, warning them of spyware targeting.
Apple did not reply to TechCrunch’s request for comment.
The attack on Gibson’s iPhone highlights how the spread of zero-day exploits and spyware is beginning to affect a broader range of individuals.
Makers of spyware and zero-days have long insisted their products are used solely by authorized government clients against criminals or terrorists. Yet, over the last ten years, researchers from Citizen Lab at the University of Toronto, Amnesty International, and other groups have documented numerous cases in which governments used these tools to surveil activists, journalists, human rights advocates, and political opponents worldwide.
The most comparable public incidents of hackers targeting security researchers occurred in 2021 and 2023, when North Korean state hackers were found to be going after vulnerability researchers.
Suspect in leak investigation
Two days after receiving Apple’s warning, Gibson reached out to a forensic specialist with significant experience in spyware investigations. The expert’s preliminary review of Gibson’s phone found no evidence of compromise, but still advised a more thorough forensic examination of the device.
A comprehensive forensic review would have required Gibson to send a full backup of his device to the expert, something he was unwilling to do.
“Lately, forensic investigations are getting more challenging, and sometimes we find nothing. It’s possible the attack didn’t fully proceed after the initial stage, but we can’t be sure,” the expert told TechCrunch.
Without a complete forensic analysis—ideally one that uncovers traces of the spyware and its creator—it remains unclear why Gibson was targeted or who was behind it.
Still, Gibson told TechCrunch he suspects the Apple alert is linked to the circumstances surrounding his exit from Trenchant, where he claims he was blamed for a damaging internal leak.
Apple issues threat notifications when it has credible evidence that an individual has been targeted by mercenary spyware. Such surveillance tools are often secretly and remotely installed on a victim’s device by exploiting software vulnerabilities; the exploits can be extremely valuable and take months to create. Typically, only law enforcement or intelligence agencies have the legal authority to use spyware, not the companies that develop it.
Sara Banda, a representative for Trenchant’s parent company L3Harris, declined to comment when contacted by TechCrunch prior to publication.
Roughly a month before receiving Apple’s notification, while still employed at Trenchant, Gibson said he was invited to the company’s London office for a team-building gathering.
Upon arriving on February 3, Gibson was promptly called into a meeting room for a video conference with Peter Williams, then Trenchant’s general manager, known internally as “Doogie.” (In 2018, defense contractor L3Harris acquired Azimuth and Linchpin Labs, two zero-day startups that merged to form Trenchant.)
Williams informed Gibson that the company suspected him of holding a second job and was therefore suspending him. All of Gibson’s work-related devices would be seized and examined as part of an internal probe into these claims. Williams could not be reached for comment.
“I was stunned. I didn’t know how to respond because I couldn’t quite believe what I was hearing,” Gibson said, adding that a Trenchant IT staffer later went to his home to collect his company equipment.
About two weeks later, Gibson said Williams called to inform him that, following the investigation, the company was terminating his employment and offering a settlement and payment. Gibson said Williams refused to disclose what the forensic review of his devices had revealed, and essentially told him he had no option but to accept the agreement and leave.
Feeling he had little choice, Gibson said he agreed and signed the documents.
Gibson told TechCrunch that he later heard from ex-colleagues that Trenchant believed he had leaked undisclosed vulnerabilities in Google’s Chrome browser—tools developed by Trenchant. However, Gibson and three former coworkers told TechCrunch he never had access to the company’s Chrome zero-days, as he was solely part of the iOS zero-day and spyware development team. According to them, Trenchant teams only have access to tools relevant to their specific platform.
“I know I was made a scapegoat. I wasn’t at fault. It’s that straightforward,” Gibson said. “All I did was work hard for them.”
Three former Trenchant staffers with direct knowledge independently confirmed the events surrounding Gibson’s suspension and dismissal.
Two of these ex-employees said they were aware of the details of Gibson’s trip to London and the suspicions regarding leaks of sensitive company tools.
All requested anonymity but believe Trenchant’s conclusion was mistaken.


