
Apple alerts exploit developer that his iPhone was targeted with gov spyware

bink

I've interviewed with these types of companies (not the ones in the article). I've even caught them using their exploits on me after they made me an offer and that seems to be the most likely explanation for what happened here. I don't know how anyone can develop exploits for resale in good conscience.

If these companies have no qualms using their exploits against their own employees they'll have absolutely no problem using them against members of Congress, the Courts, investment banks, tech leaders, and anyone with any sort of power. This gives them the ability to blackmail some of the most powerful people in the world.

edit: And that's not even mentioning their reported "intended use" against dissidents and journalists.

duxup

I think by default these companies kinda filter out people with values that would impede unrestricted use of their tools. And at worst possibly attract people who think "I'd sure like to spy on other people". That's scary.

saagarjha

Maybe that was just a phase of your interview.

tptacek

You don't know how any of these could be developed in good conscience? How about: anti-proliferation intelligence work is going to happen whether it requires human intelligence or CNE, and CNE is less costly and harmful?

I get where you're probably coming from: this same technology is used all over the world to target journalists and dissidents in countries with and without the rule of law. A very real concern. I wouldn't do this kind of work either (also, it's been over a decade since I had the chops even to apprentice at it).

But there are very coherent reasons people are comfortable doing this work for NATO countries. Our reflexive distrust of law enforcement and intelligence work is a fringe belief: a lot of families are very proud to include people working in these fields.

The most important thing I guess I'd have to say here is: our opinion of this stuff doesn't matter. At current market rates every country in the world can afford CNE technology, and it's a market well served by vendors outside of NATO.

Ms-J

"our opinion of this stuff doesn't matter."

It very much does matter. If more people refuse to do this type of work, it eventually won't be done to the required standard. People would cut family ties and this would stop fast.

tptacek

That's an incredibly blinkered view of the ecosystem that assumes that the only talent capable of delivering this work is people you talk to or share cultural ties with. There are ultra-skilled people in developing countries who could not give less of a fuck about how uncomfortable this stuff makes people in the west.

neilv

I figured security researchers were always targets of multiple APT actors and random individuals. However...

> I've even caught them using their exploits on me after they made me an offer

Not only for exploit companies that eat their own dog food, nor only cybersecurity jobs, but I've heard of this happening to people interviewing for other tech areas considered strategic.

The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.

I have no idea what the actors and motivations actually were. Speculation:

* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);

* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);

* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or

* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally much more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).

Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.

Ms-J

That's outrageous that they tried to attack you like that. How exactly did it happen? Did they send a link via SMS to your phone, or some other way?

bink

I don't wanna give away too much in case they're reading, but they didn't use their stealthiest exploit. It was pretty obvious, especially if you monitor your network traffic.

cj

How obvious would it be to someone being hired as an office manager or janitor or similar?

matheusmoreira

I gotta admit I'm not in the habit of monitoring my network traffic... Gotta wonder if it's even possible to protect ourselves against this surveillance without going full OPSEC mode.

Ms-J

Ok, guessing this was against a computer of yours and not a phone (which of course is still possible). Thanks. Hope it can help all of us stay safe.

cobertos

Monitoring your network traffic on your local PC (a la Little Snitch or Open Snitch) or monitoring it at the gateway/router level?

CaptainOfCoit

> Gibson .. may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.

> But the ex-Trenchant employee may not be the only exploit developer targeted with spyware .. there have been other spyware and exploit developers in the last few months

stego-tech

I can kinda sympathize with the guy, as I got fucked over in Defense contracting in a not-dissimilar fashion a lifetime ago. These companies reel you in with decently-sized (or even outrageously-large) pay packages and promises of doing “good work”, bleed you of your energy and time for their profits, then shove you out the door and blame you for anything that went wrong (especially if you try to act honestly and report wrongdoing - that’s a one-way ticket out the fucking door and into blackball territory).

Nobody should be doing work for these scumbags, but people will always fall for their spiels and grifts, unfortunately, out of some naive sense of “doing good” or “getting the bad guys”. It’s always just “leopards ate my face”, though.


duxup

>Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.

Leopards ate my face moment?

They're not developing these tools to NOT use them...

tptacek

For at least 2 decades now exploit developers have been rather infamously prime targets for spyware, so whoever wrote this piece isn't read in at all to the industry.

jsonBorn

"..if you are a state or federal enforcement authority, and you have suspicion of any criminal activity of `Jay Gibson', be encouraged to immediately contact: Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email."

ghostly_s

Oddly it seems to echo the feelings of the spyware developer in question.

tptacek

I agree that developer, as quoted, has an odd vibe.

runjake

"Leopards ate my face" reference for others not in the know: https://knowyourmeme.com/memes/leopards-eating-peoples-faces...

throw0101c

The original tweet just had its tenth anniversary (2015-10-16):

> 'I never thought leopards would eat MY face,' sobs woman who voted for the Leopards Eating People's Faces Party.

* https://twitter.com/Cavalorn/status/654934442549620736

CaptainOfCoit

What happened with "reap what one sows", did it go out of fashion? Seems the same.

svnt

Leopards ate my face is only negative, and has been more political, typically someone voting to weaponize the government against their peer-level enemies but hypocritically, only to later realize they are not a party to the benefits, only the consequences.

It is really about a perceptual flaw in pre-fascist democratic behavior: people believing themselves to be a part of the protected class because they voted for it.

It seems to apply here because someone profiting from the creation of tools used on others by people with money/power has them used on him by the government.

tldr; it is a subset of you reap what you sow, with more specificity and punch

tgv

Too biblical and old-fashioned, probably. I would say that at least half the people who've used "leopards ate my face" don't even know the meaning of reap. The simplicity and visual character of the modern expression make it memier.

alephnerd

Based on the article, it sounds like a bit of a "he said - she said" article after Gibson was terminated at Trenchant/L3Harris.

altairprime

To clarify with the final paragraphs of context, “He said, Corp said, 3 of 3 coworkers asked corroborated what He said”.

duxup

I'm not entirely sure how that applies to my post.

alephnerd

What I mean is:

1. Most of us in this segment of the industry recognize the risks

2. He is absolutely not the first person targeted by this

3. This article sounds like it's part of a wrongful termination suit by Gibson based on the context provided

rs186

> “I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.

And later,

> Without a full forensic analysis of Gibson’s phone ... it’s impossible to know why he was targeted or who targeted him.

> But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant ...

I find it funny that (1) this guy never thought this would happen to him (2) this guy has the balls to talk to media about this but fears retaliation

I mean, seriously, those who want to know your real name already know it.

ActorNightly

This honestly smells really strongly like made up shit. Or the guy is very much a low key player.

Generally, if you develop exploits, you should be completely aware of every single possible attack vector. If you are working for a company like Trenchant, and you know what you are doing, the last thing you do is use Apple devices (at least fully; most of the time you have a public phone and a much more secure private phone).

The reason is, when you take an Apple phone, connect it to a router that proxies through a computer so you can inspect traffic, you can see the vast amounts of shit being sent back to Apple which you have no control of.

Meanwhile, if you do the same with my custom rooted, de-googled android phone that I take overseas, you will see only ntp traffic, and that is only so I don't have to deal with cert issues because my clock is wrong.

saagarjha

Trenchant employees use iPhones just like everyone else. What else would they use?

scheeseman486

You swim with sharks...

r_lee

This guy is pretty naive if he thinks they (or their biggest customers) won't verify whether he really was leaking something or not if they've got the tools to do that lol and to maybe send a message to not think about it

freehorse

> I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen

Interesting kind of payback. What does he think happens to the people whom the exploits he develops target?

thesuitonym

Sounds like he naively believes only governments use these, and only against legitimate criminals.

eimrine

I would like to see the screenshot or the photo of display with that kind of alert.

runjake

veeti

> Apple detected a targeted mercenary spyware attack against your iPhone

Not going to lie, this subject line would fit right in with the phishing messages and 419 scams in my Spam folder.

internetter

Indeed, however the notification also comes via iMessage and appears at the top of your Apple account, plus contains no external links

hsbauauvhabzb

An email? If they can breach your phone, surely email is the least trustworthy mechanism you can use - it’s high latency, shared across systems, etc

A better mechanism would surely be a push notification to the device, or one of the alert-based notifications used for earthquakes etc

saagarjha

A push notification that you receive…on the phone? There isn’t really a good solution here.


yachad

Live by the sword, die by the sword.

tptacek

I know people involved at Trenchant and have trouble believing that anybody who worked there was shocked by this threat. Maybe things have changed post-L3Harris but "it" (it's more than one company) was an incredibly paranoid IT shop prior to the acquisition.

antonymoose

If an engineer at Ford dies in a car crash does he really deserve it?

We live in a world full of threat-actors. We need exploits just like we need firearms and tanks and fighters and jets.

To mock the guy is just naive.

kuhsaft

An engineer at Ford isn’t developing cars that actively harms passengers.

If you develop weapons, physical or digital, don’t be surprised if you end up on the receiving end.

at-fates-hands

> An engineer at Ford isn’t developing cars that actively harms passengers.

Maybe not at Ford?

https://www.popsci.com/technology/tesla-lock-issue/

Firefighters recently resorted to breaking a Tesla’s window to free a 20-month-old child locked inside after one of the vehicle’s batteries died. The emergency rescue is the second of such incidents reported on this week by Arizona CBS news affiliate KPHO and reiterates the potential dangers of the EV company’s ongoing, under-addressed battery issues in extreme heat.

In July 2023, a 73-year-old man was reportedly forced to kick out a window in his Model Y after becoming trapped. A similar emergency occurred for a mother and her daughter in Illinois a few weeks later after renting a Tesla, while a California driver last month claimed she found herself stuck in her EV while waiting on an over-the-air software update that shut down her car. In the 40 minutes it took to complete the update, outside temperatures rose to 115 degrees Fahrenheit.

And yeah, if you know how, and can go through multiple steps: The only other workaround to battery issues appears to be a step-by-step solution in the owner’s manual that only opens a dead Tesla’s front hood by ostensibly hotwiring the car using external jumper cables. If this is the case, then people who find themselves locked out of their EV may need to continue relying on EMS—and their axes—until Tesla decides to address the glaring safety hazard.

just_steve_h

Well, they’re certainly developing cars that kill and maim pedestrians, disperse clouds of microplastics, and contribute excess CO2 to our atmosphere…

lawlessone

Not the best analogy, more like a man who develops car mounted harpoons being hit by a car mounted harpoon.

2OEH8eoCRo0

Why is it not computer crime? It wasn't done by the govt, they suspect it was done clandestinely by Trenchant.

Sue them!
