It was a seemingly ordinary day when Jay Gibson received a startling notification on his iPhone: "Apple detected a targeted mercenary spyware attack against your iPhone." Ironically, Gibson had previously worked for companies that developed the very kind of spyware capable of triggering such an alert. Yet, the personal nature of the warning left him shaken. His immediate reaction was to call his father, power down his phone, and head out to buy a new one. "I was panicking," he later told TechCrunch. "It was a mess. It was a huge mess."

Gibson's experience is becoming increasingly common. A growing number of individuals are receiving similar warnings from major tech companies like Apple, Google, and WhatsApp, all of whom are stepping up efforts to alert users targeted by government-backed hackers. These sophisticated attacks often utilize advanced spyware developed by firms such as Intellexa, NSO Group (known for Pegasus), and Paragon Solutions.

While these tech giants are proactive in issuing alerts, they typically do not get involved in the subsequent steps, instead directing users to external resources. So, if you receive one of these ominous warnings, what happens next?

Understanding the Warning

If you've received a notification indicating you were targeted by government hackers, the first and most crucial step is to take it seriously. These companies possess extensive telemetry data regarding user activity, device behavior, and online accounts. Their security teams have years of experience hunting, studying, and analyzing malicious activity. If they believe you've been targeted, their assessment is likely accurate.

It's important to differentiate between types of notifications. For Apple and WhatsApp users, receiving an alert doesn't necessarily mean your device was successfully hacked; it could indicate a failed attempt. However, it unequivocally confirms that someone tried.

Google's alerts, on the other hand, often mean the company has already blocked the attack. In such cases, Google advises users to enhance their account security by enabling multi-factor authentication (ideally with a physical security key or passkey) and activating its Advanced Protection Program, which adds further layers of security to your Google account. Essentially, Google provides guidance on strengthening your future defenses.

Within the Apple ecosystem, activating Lockdown Mode is highly recommended. This feature enables a suite of security measures designed to make it significantly harder for hackers to compromise your Apple devices. Apple has previously stated that it has not observed a successful hack against a user with Lockdown Mode enabled, though no system is entirely foolproof.

Mohammed Al-Maskati, director of Access Now's Digital Security Helpline (a global 24/7 team of experts investigating spyware cases against civil society members), offers comprehensive advice. This includes keeping device operating systems and apps up to date, enabling Apple's Lockdown Mode, and enabling Google's Advanced Protection for both accounts and Android devices. Additionally, users should exercise caution with suspicious links and attachments, regularly restart their phones, and monitor for any unusual changes in device functionality.

Reaching Out for Help

The next steps largely depend on your identity and resources. For those with some technical expertise, open-source tools are available to detect suspected spyware attacks. The Mobile Verification Toolkit (MVT) allows users to search for forensic traces of an attack on their own devices, serving as a potential first step before seeking professional assistance.

If you prefer not to use MVT or lack the technical knowledge, direct professional help is available. For journalists, dissidents, academics, or human rights activists, several organizations specialize in these cases:

For individuals outside these categories, such as politicians or business executives, the path to help differs. If you work for a large company or political party, your internal security team should be the first point of contact. While they might not possess specialized spyware investigation knowledge, they can often direct you to appropriate external experts, even if civil society groups cannot assist. For others, options are more limited, but some private security firms offer specialized services. While we cannot fully endorse or vouch for these organizations, they have been suggested by trusted sources:
  • iVerify: Offers an app for Android and iOS that includes an option for in-depth forensic investigations.
  • Safety Sync Group: A startup founded by Matt Mitchell, a respected security expert known for helping vulnerable populations.
  • Hexordia: Led by forensic investigator Jessica Hyde, this startup offers suspected hack investigations.
  • Lookout: A mobile cybersecurity company with extensive experience analyzing government spyware globally. They provide an online form for reporting cyberattacks, which can lead to involvement from their threat intelligence and forensics teams.
  • TLPBLACK: Headed by Costin Raiu, a former leader of Kaspersky's Global Research and Analysis Group (GReAT), this small team of security researchers has discovered sophisticated cyberattacks from elite government hacking teams worldwide. Raiu can be contacted directly via email.
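The MVT check mentioned above works by matching indicators of compromise, which researchers publish as STIX2 files, against the artifacts extracted from a device backup (visited URLs, links in messages, process names, file paths) and laying any hits out on a timeline. The following is an added toy illustration of that matching step, written for this page; it is not MVT's own code nor code from any of the organizations listed, and every indicator value, file path and device record in it is a constructed placeholder.

```python
"""
Toy indicator-of-compromise (IoC) check in the spirit of an MVT backup scan.

Added illustration, not MVT's own code: it parses a small STIX2-style
indicator bundle (the format MVT consumes) and matches the indicators
against constructed device records of the kind a backup check would
walk through (visited URLs, SMS links, process names, file paths).
All indicator values and records below are constructed placeholders.
"""
import json
import re
from urllib.parse import urlparse

# STIX2 indicator patterns of the simple form MVT understands look like
#   [domain-name:value = 'example.invalid']
PATTERN_RE = re.compile(
    r"^\[(?P<type>[\w-]+):(?P<prop>[\w.-]+)\s*=\s*'(?P<value>[^']+)'\]$"
)

# Constructed STIX2-style bundle (placeholder values, not real IoCs).
SAMPLE_STIX = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "placeholder-c2-domain",
         "pattern": "[domain-name:value = 'updates.spyware-c2.invalid']"},
        {"type": "indicator", "name": "placeholder-process",
         "pattern": "[process:name = 'totally_legit_daemon']"},
        {"type": "indicator", "name": "placeholder-file",
         "pattern": "[file:path = '/private/var/tmp/.cache_payload']"},
    ],
})

# Constructed records of the kind a backup check would extract.
SAMPLE_RECORDS = [
    {"source": "safari_history", "timestamp": "2024-03-01T10:00:00Z",
     "url": "https://news.example.org/article"},
    {"source": "sms", "timestamp": "2024-03-02T08:15:00Z",
     "url": "https://updates.spyware-c2.invalid/x?id=1"},
    {"source": "processes", "timestamp": "2024-03-02T08:16:00Z",
     "process": "totally_legit_daemon"},
    {"source": "filesystem", "timestamp": "2024-03-02T08:17:00Z",
     "path": "/private/var/tmp/.cache_payload"},
    {"source": "processes", "timestamp": "2024-03-03T12:00:00Z",
     "process": "mediaserverd"},
]


def load_indicators(stix_json):
    """Return {"<type>:<prop>": {value: indicator_name}} from a STIX2 bundle."""
    indicators = {}
    for obj in json.loads(stix_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # unsupported pattern shape; skip rather than guess
        key = f"{m['type']}:{m['prop']}"
        indicators.setdefault(key, {})[m["value"]] = obj.get("name", "")
    return indicators


def check_records(records, indicators):
    """Match each record against the indicator set; return a sorted timeline of hits."""
    detections = []
    domains = indicators.get("domain-name:value", {})
    procs = indicators.get("process:name", {})
    files = indicators.get("file:path", {})
    for rec in records:
        hit = None
        if "url" in rec:
            host = urlparse(rec["url"]).hostname or ""
            # Match the exact domain or any subdomain of an indicator domain.
            for d, name in domains.items():
                if host == d or host.endswith("." + d):
                    hit = (d, name)
                    break
        elif "process" in rec and rec["process"] in procs:
            hit = (rec["process"], procs[rec["process"]])
        elif "path" in rec and rec["path"] in files:
            hit = (rec["path"], files[rec["path"]])
        if hit:
            detections.append({"source": rec["source"], "timestamp": rec["timestamp"],
                               "matched": hit[0], "indicator": hit[1]})
    # Order by time so an analyst can read the sequence of events.
    return sorted(detections, key=lambda d: d["timestamp"])


if __name__ == "__main__":
    found = check_records(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX))
    for d in found:
        print(f"{d['timestamp']} {d['source']:<15} {d['matched']}  ({d['indicator']})")
    # A clean result only means nothing matched the indicators you had.
    print(f"{len(found)} detection(s); no detection is not proof the device is clean")
```

In the real tool the equivalent step is `mvt-ios check-backup --iocs <stix2 file> --output <dir> <backup>` (or `mvt-android check-backup` for Android), run against a current indicator file, since a scan is only as good as the indicators it is given and, as the investigation section below notes, spyware that deletes its own traces may leave nothing for the indicators to match.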

The Investigation Process

Once you reach out for help, the investigation process will vary depending on the organization. Generally, the initial step involves a remote forensic check. Investigators may ask you to generate a diagnostic report file from your device and share it with them. This allows for an initial assessment without requiring you to hand over your physical device.

This preliminary check might reveal signs of targeting or even infection. Alternatively, it might yield no immediate findings. In either scenario, investigators may recommend a deeper dive, which typically involves sending a full backup of your device, or even the device itself, for thorough analysis. This process can take time, as modern government spyware is designed to hide and delete its tracks. Eventually, the investigators will provide a report on what they uncovered.

A significant challenge in these investigations is the sophisticated nature of modern spyware, which often leaves minimal to no traces. According to Hassan Selmi, who leads the incident response team at Access Now's Digital Security Helpline, the current modus operandi is a "smash and grab" strategy. This means that once spyware infects a target device, it rapidly exfiltrates as much data as possible, then attempts to erase all evidence and uninstall itself. This tactic is believed to be an effort by spyware makers to protect their product and conceal its activities from researchers and investigators.

For journalists, dissidents, academics, or human rights activists, the groups assisting you may inquire if you wish to publicize the attack. While you are never obligated to do so, there can be compelling reasons to go public: to denounce government targeting, which can warn others of similar dangers, or to expose spyware companies by demonstrating how their technology is being abused.

We sincerely hope you never receive one of these unsettling notifications. However, should you find yourself in such a situation, we hope this guide proves to be a valuable resource. Stay safe.