\n<\/p>\n
Earlier this year, a developer was shocked by a message that appeared on his personal phone: \u201cApple detected a targeted mercenary spyware attack against your iPhone.\u201d\u00a0\u00a0<\/p>\n
\u201cI was panicking,\u201d Jay Gibson, who asked that we don\u2019t use his real name over fears of retaliation, told TechCrunch.\u00a0\u00a0<\/p>\n
Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.\u00a0<\/p>\n
\u201cWhat the hell is going on? I really didn\u2019t know what to think of it,\u201d said Gibson, adding that he turned off his phone and put it away on that day, March 5. \u201cI went immediately to buy a new phone. I called my dad. It was a mess. It was a huge mess.\u201d\u00a0\u00a0<\/p>\n
At Trenchant, Gibson worked on developing iOS zero-days<\/a>, meaning finding <\/strong>vulnerabilities and developing tools capable of exploiting them that are not known to the vendor who makes the affected hardware or software, such as Apple. \u00a0<\/p>\n \u201cI have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what\u2019s going to happen,\u201d he told TechCrunch.\u00a0\u00a0<\/p>\n But the ex-Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources who have direct knowledge of these cases, there have been other spyware and exploit developers in the last few months who have received notifications from Apple alerting them that they were targeted with spyware.\u00a0<\/p>\n Apple did not respond to a request for comment from TechCrunch.\u00a0<\/p>\n \t\t\tDo you have more information about the alleged leak of Trenchant hacking tools? Or about this developer\u2019s story? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email<\/a>.<\/a> \t\t<\/div>\n The targeting of Gibson\u2019s iPhone shows that the proliferation of zero-days and spyware is starting to ensnare more types of victims.\u00a0\u00a0<\/p>\n Spyware and zero-day makers have historically claimed their tools are only deployed by vetted government customers against criminals and terrorists. But for the past decade, researchers at the University of Toronto\u2019s digital rights group Citizen Lab<\/a>, Amnesty International<\/a>, and other organizations<\/a>, have found dozens of cases<\/a> where governments used these tools to target dissidents<\/a>, journalists<\/a>, human rights defenders<\/a>, and political rivals<\/a> all over the world.\u00a0\u00a0\u00a0<\/p>\n The closest public cases of security researchers being targeted by hackers happened in 2021<\/a> and 2023<\/a>, when North Korean government hackers were caught targeting security researchers working in vulnerability research and development.\u00a0<\/p>\n Two days after receiving the Apple threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks. After performing an initial analysis of Gibson\u2019s phone, the expert did not find any signs of infection, but still recommended a deeper forensic analysis of the exploit developer\u2019s phone.\u00a0\u00a0<\/p>\n A forensic analysis would have entailed sending the expert a complete backup of the device, something Gibson said he was not comfortable with. \u00a0<\/p>\n \u201cRecent cases are getting tougher forensically, and some we find nothing on. It may also be that the attack was not actually fully sent after the initial stages, we don\u2019t know,\u201d the expert told TechCrunch.\u00a0<\/p>\n Without a full forensic analysis of Gibson\u2019s phone, ideally one where investigators found traces of the spyware and who made it, it\u2019s impossible to know why he was targeted or who targeted him.\u00a0\u00a0<\/p>\n But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant, where he claims that the company designated him as a scapegoat for a damaging leak of internal tools.\u00a0\u00a0<\/p>\n Apple sends<\/a> out threat<\/a> notifications<\/a> specifically for when it has evidence that a person was targeted by a mercenary spyware attack<\/a>. This kind of surveillance technology is often invisibly and remotely planted on someone\u2019s phone without their knowledge by exploiting vulnerabilities in the phone\u2019s software, exploits that can be worth millions of dollars<\/a> and can take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware on targets, not the spyware makers themselves.\u00a0<\/p>\n Sara Banda, a spokesperson for Trenchant\u2019s parent company L3Harris, declined to comment for this story when reached by TechCrunch before publication. \u00a0<\/p>\n A month before he received Apple\u2019s threat notification, when Gibson was still working at Trenchant, he said he was invited to go to the company\u2019s London office for a team-building event.\u00a0\u00a0<\/p>\n When Gibson arrived February 3, he was immediately summoned into a meeting room to speak via video call with Peter Williams, Trenchant\u2019s then-general manager who was known inside the company as \u201cDoogie.\u201d (In 2018, defense contractor L3Harris acquired<\/a> zero-day makers Azimuth and Linchpin Labs, two sister startups<\/a> that merged to become Trenchant.)\u00a0<\/p>\n Williams told Gibson the company suspected he was double employed and was thus suspending him. All of Gibson\u2019s work devices would be confiscated and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.\u00a0<\/p>\n \u201cI was in shock. I didn\u2019t really know how to react because I couldn\u2019t really believe what I was hearing,\u201d said Gibson, who explained that a Trenchant IT employee then went to his apartment to pick up his company-issued equipment.\u00a0\u00a0<\/p>\n Around two weeks later, Gibson said Williams called and told him that following the investigation, the company was firing him and offering him a settlement agreement and payment. Gibson said Williams declined to explain what the forensic analysis of his devices had found, and essentially told him he had no choice but to sign the agreement and depart the company.\u00a0<\/p>\n Feeling like he had no alternative, Gibson said he went along with the offer and signed.\u00a0\u00a0<\/p>\n Gibson told TechCrunch he later heard from former colleagues that Trenchant suspected he had leaked some unknown vulnerabilities in Google\u2019s Chrome browser, tools that Trenchant had developed. Gibson, and three former colleagues of his, however, told TechCrunch he did not have access to Trenchant\u2019s Chrome zero-days, given that he was part of the team exclusively developing iOS zero-days and spyware. Trenchant teams only have strictly compartmentalized access to tools related to the platforms they are working on, the people said.\u00a0\u00a0<\/p>\n \u201cI know I was a scapegoat. I wasn\u2019t guilty. It\u2019s very simple,\u201d said Gibson. \u201cI didn\u2019t do absolutely anything other than working my ass off for them.\u201d\u00a0\u00a0<\/p>\n The story of the accusations against Gibson\u2019 and his subsequent suspension and firing was independently corroborated by three former Trenchant employees with knowledge. \u00a0<\/p>\n Two of the other former Trenchant employees said they knew details of Gibson\u2019s London trip and were aware of suspected leaks of sensitive company tools.\u00a0<\/p>\n All of them asked not to be named but believe Trenchant got it wrong.\u00a0<\/p>\n<\/div>\nContact Us<\/h4>\n
Suspect in leak investigation<\/strong>\u00a0<\/h2>\n