iPhone Targeted by Government Spyware: Apple Alerts Developer

October 21, 2025

Targeted Spyware Attack on an iPhone

A developer recently received an alarming notification on his personal mobile device: “Apple detected a targeted mercenary spyware attack against your iPhone.”

Jay Gibson, who requested anonymity due to concerns about potential repercussions, shared his experience with TechCrunch. He described feeling immediate panic upon receiving the alert.

First Documented Case

Gibson, formerly employed at Trenchant – a company creating hacking tools for Western governments – may represent the first confirmed instance of an individual involved in exploit and spyware development becoming a target themselves.

He recounted the day, March 5th, as chaotic: he immediately powered off his phone and acquired a replacement. He also contacted his father during this unsettling time.

Developing iOS Zero-Days

At Trenchant, Gibson’s work centered on discovering zero-days in iOS. These are vulnerabilities, along with the tools to exploit them, that are unknown to the software or hardware vendor, in this case Apple.

Gibson expressed a complex reaction, feeling both a sense of irony and significant apprehension. He noted that once such targeting occurs, the potential consequences are unpredictable.

Other Developers Targeted

According to three informed sources, Gibson isn't alone. Several other spyware and exploit developers have received similar notifications from Apple in recent months, indicating they were also targeted.

TechCrunch reached out to Apple for a statement but did not receive a response.

Expanding Victim Pool

The targeting of Gibson’s iPhone demonstrates a broadening scope of victims affected by the spread of zero-days and spyware.

Historically, creators of these tools asserted their deployment was limited to vetted government clients, focusing on criminals and terrorists. However, over the past ten years, organizations like Citizen Lab and Amnesty International have documented numerous instances of governments utilizing these tools against dissidents, journalists, human rights advocates, and political opponents globally.

Previous Incidents

Comparable public cases involving security researchers being targeted by malicious actors occurred in 2021 and 2023. North Korean government-linked hackers were identified as targeting security researchers specializing in vulnerability research and development during those periods.

This highlights a growing trend of individuals with specialized security knowledge becoming targets themselves.

Investigation into a Potential Security Breach

Following receipt of a security alert from Apple, Gibson engaged a forensic specialist with a proven track record in spyware investigations. An initial assessment of Gibson’s phone revealed no immediate indications of compromise; however, a more comprehensive forensic examination of the exploit developer’s device was advised.

A thorough forensic analysis would necessitate providing the specialist with a complete device backup, a step Gibson expressed reluctance to take.

The expert communicated to TechCrunch that recent investigations are becoming increasingly complex, often yielding no conclusive evidence. It remains uncertain whether the attack progressed beyond its initial phases, the expert noted.

Without a complete forensic review of Gibson’s phone – ideally one uncovering traces of the spyware and its origin – determining the motivation behind the targeting or identifying the responsible party remains impossible.

Gibson conveyed to TechCrunch his belief that the Apple notification is linked to the circumstances surrounding his exit from Trenchant, where he alleges he was wrongly blamed for a damaging disclosure of internal resources.

Apple issues threat notifications when there is evidence of targeted attacks utilizing mercenary spyware. This type of surveillance technology is often deployed remotely and surreptitiously on a device, exploiting software vulnerabilities. These exploits can command prices in the millions of dollars and require significant development time. Typically, the deployment of spyware is authorized for law enforcement and intelligence agencies, not the developers themselves.

Sara Banda, a representative for Trenchant’s parent company, L3Harris, did not provide a comment for this report when contacted by TechCrunch prior to publication.

Prior to receiving the alert from Apple, while still employed at Trenchant, Gibson was invited to a team-building event at the company’s London office.

Upon arrival on February 3rd, Gibson was immediately directed to a meeting room for a video conference with Peter Williams, Trenchant’s general manager at the time, internally known as “Doogie.” (In 2018, L3Harris, a defense contractor, acquired Azimuth and Linchpin Labs, two related companies that consolidated into Trenchant.)

Williams informed Gibson that the company suspected he was simultaneously employed elsewhere and was therefore suspending him. All company-issued devices were to be seized and examined as part of an internal investigation into these allegations. Attempts to reach Williams for comment were unsuccessful.

Gibson stated he was taken aback by the news and struggled to respond. A Trenchant IT staff member subsequently visited his residence to collect his company equipment.

Approximately two weeks later, Gibson said, Williams contacted him to inform him of his termination following the investigation, offering a settlement agreement and associated payment. Gibson reported that Williams refused to disclose the findings of the device analysis and told him he had no option but to accept the agreement and leave the company.

Feeling he had no viable alternative, Gibson agreed to the terms and signed the agreement.

Gibson shared with TechCrunch that he later learned from former colleagues that Trenchant suspected him of leaking vulnerabilities in Google’s Chrome browser, tools developed by Trenchant. However, Gibson and three former coworkers asserted he did not have access to these Chrome exploits, as his team focused exclusively on iOS zero-days and spyware. Access to tools is strictly limited to teams working on specific platforms, they explained.

“I am certain I was made a scapegoat. I did nothing wrong. It’s quite straightforward,” Gibson stated. “I dedicated myself entirely to my work for them.”

The details of the accusations against Gibson, his subsequent suspension, and eventual dismissal were independently verified by three former Trenchant employees familiar with the situation.

Two of these former employees confirmed their knowledge of Gibson’s trip to London and awareness of suspected leaks of sensitive company tools.

These individuals requested anonymity but expressed their belief that Trenchant’s assessment was incorrect.
