The Hunter Hunted: Spyware Targets the Developer Who Built Its Exploits
In early 2025, a developer named Jay Gibson (name changed for security reasons) received a chilling notification on his personal iPhone: Apple had warned him that his device had been the target of a mercenary spyware attack. The message stunned the engineer, who until recently had worked at Trenchant—a subsidiary of defense contractor L3Harris, specializing in the development of government-grade hacking technologies—where he had created exploits and offensive cyber tools himself. This may be the first documented case in which an exploit developer became a victim of the very spyware he once helped enable.
According to Gibson, he was terrified. In a state of panic, he immediately turned off his phone, purchased a new one, and informed his family of the situation. He later said he could hardly believe what had happened: “The person who built iOS exploits had become the target of the same kind of attack I once helped defend against.”
Gibson’s experience reflects a broader trend—the spread of zero-day vulnerabilities and spyware now affects not only activists and journalists but also those who work on such technologies themselves. Historically, companies developing exploits and surveillance tools have claimed that their products were used exclusively by government agencies to fight criminals and terrorists. However, over the past decade, researchers from Citizen Lab, Amnesty International, and other organizations have repeatedly uncovered cases where governments deployed such tools against political opponents, human rights defenders, and journalists.
According to three sources familiar with the matter, Gibson was not the only developer to receive such a warning from Apple. In recent months, several other experts specializing in exploit and malware development have also been alerted to potential spyware targeting. Apple, as usual, has declined to comment on specific cases or disclose the criteria it uses to determine targeted attacks.
Two days after receiving the notification, Gibson contacted a digital forensics specialist to examine his device. No signs of infection were found, but the expert recommended a deeper investigation. To do so, a full device backup would be required—something Gibson refused to provide, citing privacy concerns. The investigator explained that modern cyberattacks leave fewer traces and that evidence can be extremely difficult to detect, especially if an attack is aborted midway.
Without a comprehensive forensic analysis, identifying the source or purpose of the attack remains impossible. However, Gibson believes the incident may be linked to the circumstances surrounding his dismissal from Trenchant. A month before receiving Apple’s notification, he had been summoned to the company’s London office, where General Manager Peter Williams accused him of dual employment and initiated an internal investigation. All his work devices were confiscated, and shortly thereafter he was terminated and offered a severance agreement and compensation in exchange for his cooperation.
Gibson claims he was never informed of the investigation’s findings but later learned from former colleagues that the company suspected him of leaking Chrome browser exploits. He categorically denies the accusation, emphasizing that he worked exclusively with iOS vulnerabilities, and that access to other projects was strictly compartmentalized within the company.
Several former Trenchant employees have confirmed the details of Gibson’s dismissal and his trip to London, stating they believe he was wrongly accused. In their view, Trenchant had simply made him a scapegoat amid internal turmoil over the alleged leak of proprietary hacking tools.