Earlier this year, a developer received a chilling message from Apple: “Apple detected a targeted mercenary spyware attack against your iPhone.” The alert sent him into a panic. He turned off his phone, bought a new one immediately, and called his father in distress.
The man, who asked to be identified only as Jay Gibson, had an unusual background: until recently, he worked for Trenchant, a Western government contractor that develops hacking tools and exploits for iOS devices.
Gibson’s case marks one of the first known instances of someone who builds exploits and spyware being targeted by the same kind of tools they helped create. He said the experience left him torn between disbelief and fear. “Once things reach this level, you never know what’s going to happen,” he said.
At Trenchant, Gibson specialized in developing iOS zero-days, vulnerabilities unknown to Apple that can be used to compromise iPhones remotely. Exploits like these are among the most valuable assets in the cybersecurity world, often selling for millions of dollars.
Companies like Trenchant claim their technology is used by government clients for law enforcement and counterterrorism. But over the past decade, digital rights researchers have uncovered numerous cases where similar spyware was deployed against journalists, activists, and political opponents instead.
Gibson’s case appears to be part of a broader trend. According to sources familiar with the matter, other exploit developers have also received Apple notifications in recent months warning them that their iPhones were targeted by government-grade spyware. This signals that spyware proliferation is expanding beyond traditional targets, now ensnaring individuals inside the very industry that creates these tools.
Two days after receiving the alert, Gibson consulted a forensic expert specializing in spyware investigations. Initial scans of his phone revealed no visible signs of compromise, but the expert warned that modern spyware often leaves little trace and recommended a deeper forensic review.
Gibson refused, citing privacy concerns about sharing a full backup of his device. Without that deeper analysis, it’s impossible to confirm whether the attack succeeded or who was behind it.
Still, Gibson suspects a connection between the spyware alert and the events that led to his dismissal from Trenchant. A month before the Apple warning, the company had accused him of misconduct. When he arrived in London for a team event, he was abruptly called into a meeting with Trenchant’s general manager, Peter Williams, and told he was being suspended over allegations of “double employment.” His company-issued devices were confiscated for analysis.
Weeks later, Gibson said Williams informed him that he was being terminated and offered a settlement package. He was told the company’s forensic analysis was complete but was not given any details about its findings. Feeling cornered, Gibson signed the agreement and left the company.
Gibson later learned from former colleagues that Trenchant believed he had leaked vulnerabilities in Google Chrome, an accusation he flatly denies. Several of his peers backed him up, explaining that Trenchant teams work in isolated silos, and Gibson’s group had no access to Chrome-related exploits, focusing solely on iOS. “I know I was a scapegoat,” he said. “I wasn’t guilty of anything. I just worked hard for them.”
Multiple former employees corroborated Gibson’s account, including details of his London trip and the internal leak investigation. They, too, requested anonymity, saying they believed the company’s accusations were misplaced.
Apple’s threat notifications are typically sent when the company has evidence that an individual is being targeted by advanced spyware, often linked to state actors.
These attacks are stealthy, exploiting zero-day vulnerabilities to install surveillance software remotely, giving attackers access to messages, calls, and even the phone’s camera or microphone. Such capabilities are usually reserved for law enforcement or intelligence operations, not the companies that create the tools themselves.
The irony of an exploit developer falling victim to the very technology he once helped build underscores a growing concern in the cybersecurity world: as spyware and zero-day markets expand, no one, not even those inside the industry, is safe from becoming a target.