Cyberveille, curated by Decio
8 results tagged alert
Apple alerts exploit developer that his iPhone was targeted with government spyware  | TechCrunch https://techcrunch.com/2025/10/21/apple-alerts-exploit-developer-that-his-iphone-was-targeted-with-government-spyware/
22/10/2025 11:57:22

techcrunch.com
Lorenzo Franceschi-Bicchierai
7:45 AM PDT · October 21, 2025

A developer at Trenchant, a leading Western spyware and zero-day maker, was suspected of leaking company tools and was fired. Weeks later, Apple notified him that his personal iPhone was targeted with spyware.

Earlier this year, a developer was shocked by a message that appeared on his personal phone: “Apple detected a targeted mercenary spyware attack against your iPhone.”

“I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.

Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.

“What the hell is going on? I really didn’t know what to think of it,” said Gibson, adding that he turned off his phone and put it away on that day, March 5. “I went immediately to buy a new phone. I called my dad. It was a mess. It was a huge mess.”

At Trenchant, Gibson worked on developing iOS zero-days: finding vulnerabilities not yet known to the vendor of the affected hardware or software, such as Apple, and building tools capable of exploiting them.

“I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen,” he told TechCrunch.

But the ex-Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources who have direct knowledge of these cases, there have been other spyware and exploit developers in the last few months who have received notifications from Apple alerting them that they were targeted with spyware.

Apple did not respond to a request for comment from TechCrunch.

The targeting of Gibson’s iPhone shows that the proliferation of zero-days and spyware is starting to ensnare more types of victims.

Spyware and zero-day makers have historically claimed their tools are only deployed by vetted government customers against criminals and terrorists. But for the past decade, researchers at the University of Toronto’s digital rights group Citizen Lab, Amnesty International, and other organizations have found dozens of cases where governments used these tools to target dissidents, journalists, human rights defenders, and political rivals all over the world.

The closest public cases of security researchers being targeted by hackers happened in 2021 and 2023, when North Korean government hackers were caught targeting security researchers working in vulnerability research and development.

Suspect in leak investigation
Two days after receiving the Apple threat notification, Gibson contacted a forensic expert who has extensive experience investigating spyware attacks. After performing an initial analysis of Gibson’s phone, the expert did not find any signs of infection, but still recommended a deeper forensic analysis of the exploit developer’s phone.

A forensic analysis would have entailed sending the expert a complete backup of the device, something Gibson said he was not comfortable with.

“Recent cases are getting tougher forensically, and some we find nothing on. It may also be that the attack was not actually fully sent after the initial stages, we don’t know,” the expert told TechCrunch.

Without a full forensic analysis of Gibson’s phone, ideally one where investigators found traces of the spyware and who made it, it’s impossible to know why he was targeted or who targeted him.

But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant, where he claims the company designated him as a scapegoat for a damaging leak of internal tools.

Apple sends out threat notifications specifically for when it has evidence that a person was targeted by a mercenary spyware attack. This kind of surveillance technology is often invisibly and remotely planted on someone’s phone without their knowledge by exploiting vulnerabilities in the phone’s software, exploits that can be worth millions of dollars and can take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware on targets, not the spyware makers themselves.

Sara Banda, a spokesperson for Trenchant’s parent company L3Harris, declined to comment for this story when reached by TechCrunch before publication.

A month before he received Apple’s threat notification, when Gibson was still working at Trenchant, he said he was invited to go to the company’s London office for a team-building event.

When Gibson arrived on February 3, he was immediately summoned into a meeting room to speak via video call with Peter Williams, Trenchant’s then-general manager who was known inside the company as “Doogie.” (In 2018, defense contractor L3Harris acquired zero-day makers Azimuth and Linchpin Labs, two sister startups that merged to become Trenchant.)

Williams told Gibson the company suspected he was double employed and was thus suspending him. All of Gibson’s work devices would be confiscated and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.

“I was in shock. I didn’t really know how to react because I couldn’t really believe what I was hearing,” said Gibson, who explained that a Trenchant IT employee then went to his apartment to pick up his company-issued equipment.

Around two weeks later, Gibson said Williams called and told him that following the investigation, the company was firing him and offering him a settlement agreement and payment. Gibson said Williams declined to explain what the forensic analysis of his devices had found, and essentially told him he had no choice but to sign the agreement and depart the company.

Feeling like he had no alternative, Gibson said he went along with the offer and signed.

Gibson told TechCrunch he later heard from former colleagues that Trenchant suspected he had leaked some unknown vulnerabilities in Google’s Chrome browser, tools that Trenchant had developed. Gibson, and three former colleagues of his, however, told TechCrunch he did not have access to Trenchant’s Chrome zero-days, given that he was part of the team exclusively developing iOS zero-days and spyware. Trenchant teams only have strictly compartmentalized access to tools related to the platforms they are working on, the people said.

“I know I was a scapegoat. I wasn’t guilty. It’s very simple,” said Gibson. “I didn’t do absolutely anything other than working my ass off for them.”

The story of the accusations against Gibson and his subsequent suspension and firing was independently corroborated by three former Trenchant employees with knowledge.

Two of the other former Trenchant employees said they knew details of Gibson’s London trip and were aware of suspected leaks of sensitive company tools.

All of them asked not to be named but believe Trenchant got it wrong.

techcrunch.com EN 2025 Apple iphone alert spyware Trenchant 0-day
NSB Alerts the Significant Cybersecurity Risks in China-Made Mobile Applications https://www.nsb.gov.tw/en/#/%E5%85%AC%E5%91%8A%E8%B3%87%E8%A8%8A/%E6%96%B0%E8%81%9E%E7%A8%BF%E6%9A%A8%E6%96%B0%E8%81%9E%E5%8F%83%E8%80%83%E8%B3%87%E6%96%99/2025-07-02/NSB%20Alerts%20the%20Significant%20Cybersecurity%20Risks%20in%20China-Made%20Mobile%20Applications
07/07/2025 11:18:32

www.nsb.gov.tw
In recent years, the international community has shown growing concern over cybersecurity issues arising from China-developed mobile applications (apps). Governments and independent research institutions worldwide have already issued warnings about breaches of users' communication security and personal data. To prevent China from illegally acquiring the personal data of Taiwan's nationals, the National Security Bureau (NSB) reviewed cybersecurity reports from countries around the world and organized the relevant information, as provided for by the National Intelligence Work Act. The NSB then informed and coordinated with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency to conduct random inspections of several China-developed mobile apps. The results indicate the existence of security issues, including excessive data collection and privacy infringement. The public is advised to exercise caution when choosing mobile apps.

The 5 China-developed apps selected for inspection, consisting of rednote, Weibo, TikTok, WeChat, and Baidu Cloud, are widely used by Taiwanese nationals. The MJIB and CIB adopted the Basic Information Security Testing Standard for Mobile Applications v4.0 announced by the Ministry of Digital Affairs, and evaluated the apps against 15 indicators under 5 categories of violation, consisting of personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.

All 5 apps showed serious violations across multiple inspection indicators. Notably, rednote fails all 15 inspection standards. Weibo and TikTok each violate 13 indicators, WeChat 10, and Baidu Cloud 9. These findings suggest that the said China-made apps present cybersecurity risks far beyond the data-collection requirements one would reasonably expect of ordinary apps.

All 5 China-made apps are found to have security issues of excessively collecting personal data and abusing system permissions. The violations include unauthorized access to facial recognition data, screenshots, clipboard contents, contact lists, and location information. As to the category of system information extraction, all apps were found to collect data such as application lists and device parameters. Furthermore, as far as biometric data are concerned, users’ facial features may be deliberately harvested and stored by those apps.

With regard to data transmission and sharing, the said 5 apps were found to send packets back to servers located in China. This type of transmission raises serious concerns over the potential misuse of personal data by third parties. Under China's Cybersecurity Law and National Intelligence Law, Chinese enterprises are obligated to turn over user data to the competent authorities for matters of national security, public security, and intelligence. Such a practice poses a significant threat to the privacy of Taiwanese users and could lead to data collection by specific Chinese agencies.

A wide range of countries, such as the US, Canada, the UK, and India, have already publicly issued warnings against or bans on specific China-developed apps. The European Union has also launched investigations under the General Data Protection Regulation framework into suspected data theft involving certain China-made apps, and substantial fines have been imposed in those cases. In response to these cybersecurity threats, the Taiwanese government has prohibited the use of Chinese-brand computer and communications technology products, both software and hardware, within official institutions.

The NSB coordinated with the MJIB and CIB to test the 5 inspected China-developed apps and confirmed that widespread cybersecurity vulnerabilities do exist. The NSB strongly advises the public to remain vigilant regarding mobile device security and to avoid downloading China-made apps that pose cybersecurity risks, so as to protect personal data privacy and corporate business secrets.

www.nsb.gov.tw EN 2025 alert China Taiwan China-developed apps risk
Apple warns iPhone users in 98 countries of spyware attacks https://techcrunch.com/2024/07/10/apple-alerts-iphone-users-in-98-countries-to-mercenary-spyware-attacks/
11/07/2024 10:35:28

Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks.

techcrunch EN apple iPhone spyware attacks alert
Over 5,300 GitLab servers exposed to zero-click account takeover attacks https://www.bleepingcomputer.com/news/security/over-5-300-gitlab-servers-exposed-to-zero-click-account-takeover-attacks/
24/01/2024 21:55:12

Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month.

bleepingcomputer EN 2024 Account-Takeover Alert Exposed GitLab Password-Reset Security Vulnerability
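The account-takeover flaw above is reached through the password-reset form: a reset request whose user[email] parameter carries several addresses made GitLab mail the reset link to all of them, including an unverified, attacker-controlled one. A legitimate reset submits exactly one address, so a POST to /users/password with more than one email is the indicator to hunt for. The following is an added example, not code from BleepingComputer or from GitLab, that scans log lines in the style of GitLab's gitlab-rails/production_json.log for that indicator. The exact JSON layout of the params field is an assumption about that log format, and the sample lines are constructed for the example.

```python
"""Hunt for CVE-2023-7028 exploitation attempts in GitLab request logs.

Indicator: a POST to /users/password whose user[email] parameter is an
array with more than one address. The params layout (list of key/value
objects) is an assumption about production_json.log; the sample lines
below are constructed, not taken from a real instance.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines (not real GitLab output). Line 1 is a normal
# reset, lines 2 and 4 carry multiple recipients, line 5 is non-JSON noise.
SAMPLE_LOG = r'''
{"method":"POST","path":"/users/password","time":"2024-01-12T10:00:01.000Z","remote_ip":"203.0.113.7","status":302,"params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}]}
{"method":"POST","path":"/users/password","time":"2024-01-12T10:00:05.000Z","remote_ip":"198.51.100.9","status":302,"params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["admin@example.com","attacker@evil.example"]}}]}
{"method":"GET","path":"/users/password/new","time":"2024-01-12T10:00:06.000Z","remote_ip":"198.51.100.9","status":200,"params":[]}
{"method":"POST","path":"/users/password","time":"2024-01-12T10:00:09.000Z","remote_ip":"198.51.100.9","status":302,"params":[{"key":"user","value":{"email":["bob@example.com","attacker@evil.example","x@evil.example"]}}]}
not json at all
'''


@dataclass
class ResetAbuse:
    """One password-reset request that named more than one recipient."""
    time: str
    remote_ip: str
    emails: List[str]


def _user_emails(params) -> List[str]:
    """Extract user[email] from the params list as a list of strings.

    Returns [] when the parameter is absent; a plain string (the normal
    case) becomes a one-element list so callers can just count.
    """
    for p in params or []:
        if not isinstance(p, dict) or p.get("key") != "user":
            continue
        value = p.get("value")
        if not isinstance(value, dict):
            continue
        email = value.get("email")
        if isinstance(email, list):
            return [str(e) for e in email]
        if isinstance(email, str):
            return [email]
    return []


def find_reset_abuse(log_text: str) -> List[ResetAbuse]:
    """Return every POST /users/password whose email parameter is an array of 2+ addresses."""
    hits: List[ResetAbuse] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise in the log; skip it
        if not isinstance(rec, dict):
            continue
        if rec.get("method") != "POST" or rec.get("path") != "/users/password":
            continue
        emails = _user_emails(rec.get("params"))
        if len(emails) > 1:
            hits.append(ResetAbuse(time=str(rec.get("time", "")),
                                   remote_ip=str(rec.get("remote_ip", "")),
                                   emails=emails))
    return hits


def recurring_recipients(hits: List[ResetAbuse]) -> Dict[str, int]:
    """Addresses that appear in more than one abusive request.

    The victim address changes per target; the attacker's own address tends
    to recur, so this is a quick way to pick it out of a batch of hits.
    """
    counts: Dict[str, int] = {}
    for h in hits:
        for e in set(h.emails):
            counts[e] = counts.get(e, 0) + 1
    return {e: n for e, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = find_reset_abuse(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.remote_ip} reset requested for {h.emails}")
    print("recurring recipients:", recurring_recipients(found))
```

Run it against a real log with `find_reset_abuse(open("production_json.log").read())`; a hit means a reset link was sent to an address the account owner never verified, so treat every listed non-victim address as attacker infrastructure and force a credential reset plus session revocation for the victim accounts, not just a patch.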
How do you know when macOS detects and remediates malware? https://eclecticlight.co/2023/01/04/how-do-you-know-when-macos-detects-and-remediates-malware/
04/01/2023 21:12:28

macOS may alert you when you’re trying to open or run a file, with an alert informing you that malware was detected. But what about in scans?

eclecticlight EN 2023 malware alert macos XProtect Remediator
#StopRansomware: Daixin Team https://www.cisa.gov/uscert/ncas/alerts/aa22-294a
24/10/2022 21:52:46

Actions to take today to mitigate cyber threats from ransomware:
  • Install updates for operating systems, software, and firmware as soon as they are released.
  • Require phishing-resistant MFA for as many services as possible.
  • Train users to recognize and report phishing attempts.

cisa EN 2022 US uscert csirt cert threat ransomware #StopRansomware alert Daixin-Team gang health
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices https://www.cisa.gov/uscert/ncas/alerts/aa22-158a
09/06/2022 09:04:44

Best Practices
  • Apply patches as soon as possible
  • Disable unnecessary ports and protocols
  • Replace end-of-life infrastructure
  • Implement a centralized patch management system

CISA EN 2022 Advisory uscert csirt cert China Alert state-sponsored exploited PRC
Destructive Malware Targeting Organizations in Ukraine https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
01/03/2022 23:07:31

Actions to Take Today:
  • Set antivirus and antimalware programs to conduct regular scans.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Filter network traffic.
  • Update software.
  • Require multifactor authentication.

Leading up to Russia's unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable.

uscert csirt cert CISA EN 2022 alert WhisperGate HermeticWiper malware
Shaarli - The personal, minimalist, database-free bookmark manager by the Shaarli community - Theme by kalvn