This page is lawful personal testimony, a copy of a formal communication to Apple Security, and accompanying civic-education commentary on commercial/military-grade iOS spyware as documented in public sources (Citizen Lab, Amnesty Tech, Google Project Zero, Apple's own threat-notification disclosures, court filings). It does not incite, instruct, glorify, recruit for, or advocate any criminal offence whatsoever — including unauthorised access to computer systems, hacking, harassment, sedition, or violence. It is a request that the manufacturer of the device review its own server-side records and respond.
The Letter — As Sent
I am writing to report what I believe to be a serious, ongoing compromise of my iOS device by sophisticated, potentially military-grade spyware. I am requesting Apple's assistance in obtaining verbose, server-side logs to document and prove the extent of the tampering, as local device logs cannot be trusted given the level of access the malware appears to have.
Observed malicious activity includes:
- System modification and shared memory interference
- Highly detailed device statistics being exfiltrated
- Remote recording of audio and video without consent
- Screenshots, screen recording, mirroring, and virtual monitor activity
- Call monitoring: voice call listening, conference and multi-way interception, impersonation, call redirection, and termination
- SMS, FaceTime, and iMessage interception and impersonation
- Sophisticated location monitoring, with evidence of CarPlay or vehicle integration
- File system tampering: browsing, copying, modifying, and deleting files in protected folders
- Injection of binary data and executables into existing and new files
- Contact address book monitoring, with apparent lateral spread to close contacts' devices
- Email hijacking: monitoring, impersonation, interception, removal, and rerouting of emails through an unauthorised third-party server
- Pasteboard hijacking
- Bluetooth and Wi-Fi hijacking
- Overriding of user settings
- Modification of installed applications
It is both in the interest of Apple to protect its users from spyware or military-grade malware and in my interest to enable verbose logs on x@humblebr.ag.
Because the malware appears to operate at a deep system level — and because any locally captured evidence may itself be compromised or deleted — I believe the only reliable evidence will be found in Apple's own server-side infrastructure: iCloud logs, push-notification records, FaceTime / iMessage relay logs, and any anomalous API or MDM activity associated with my Apple ID.
I am therefore formally requesting that Apple Security:
- Enable verbose, server-side logging on my Apple ID and associated devices for the purpose of this investigation.
- Preserve any existing logs that may capture the anomalous activity described above before they are rotated or deleted.
- Review for indicators of compromise consistent with known commercial or military-grade spyware (e.g. Pegasus, or similar exploit chains targeting XNU / iOS).
- Where possible, share findings that could help prevent this spyware from being used to compromise other users' devices in future.
I have Lockdown Mode enabled on my device; however I believe the compromise may predate its activation, or that the attacker has found a method to circumvent it.
I also believe an MDM (Mobile Device Management) profile may be in use. After downloading the App Privacy Report and reviewing the activity logs, I noted that the system process "Photo Slideshow" — a feature I have never used — was recorded browsing my photo library in the background for approximately 35 minutes. This is deeply concerning and is the kind of anomalous, low-visibility access I would expect Apple's server-side records to be able to corroborate or refute.
I would be grateful for any assistance Apple can provide. I am happy to cooperate fully with any verification process Apple's security team needs to undertake.
Why This Letter Exists On A Public Page
Capability Map — What Each Item Actually Means
Each item in the letter corresponds to a documented capability of commercial-grade iOS implants. The list below is not speculation about what could be done; it is a description of what has been done in the wild against iOS devices, as documented by Citizen Lab, Amnesty Tech, and Apple itself in its threat notifications to journalists, activists and dissidents since 2021.
System modification & shared memory
Implants like Pegasus and Predator have repeatedly demonstrated kernel-level execution on iOS, allowing modification of system state and access to memory regions normally isolated between processes. Citizen Lab has documented this across iOS 14, 15, 16 and 17 exploit chains.
Remote audio / video recording
Activation of microphone and camera without indicator-LED equivalents (on iOS, without the indicator dot) has been a published capability of Pegasus since at least the 2016 Citizen Lab "Million Dollar Dissident" report and re-confirmed in every major Pegasus disclosure since.
Screenshots, screen recording, mirroring
Periodic screen capture — including of secure-input fields and end-to-end-encrypted messengers after decryption on the device — defeats the protection model of every secure app installed on the phone. The exfiltration happens upstream of any application-level encryption.
Call interception & impersonation
FaceTime and standard voice-call hijacking has been observed in commercial implants. Multi-way interception (silent conferencing) and call redirection require integration with the baseband and call-routing stack — the kind of integration only a sophisticated implant can achieve.
iMessage / SMS interception
iMessage exploit chains (notably FORCEDENTRY and BLASTPASS, documented by Citizen Lab in 2021 and 2023) demonstrate zero-click installation via crafted messages. Once installed, interception of plaintext messages and impersonation are trivial.
Location & CarPlay integration
Continuous high-precision location, plus integration with vehicle systems via CarPlay, gives the operator a near-complete movement profile and the ability to correlate device presence with vehicle telemetry. See Spyware & Spatial.
File system tampering & binary injection
Browsing, copying, modifying and deleting files in protected folders requires breaking the iOS sandbox. Injection of binaries into existing files is the foundation for persistence, lateral movement, and evidence-destruction by the implant itself.
Lateral spread to contacts
Contact-address-book exfiltration is universal among commercial implants; targeted re-infection of close contacts via messages from the compromised device is a documented spreading technique used to map social graphs.
Email hijacking
Interception, removal and rerouting of email through an unauthorised relay is consistent with either implant-level mail-app hooking or with malicious server-side rules silently added to the account. The latter is detectable in Apple / mail-provider server logs.
Pasteboard hijacking
Copy / paste data is a known high-value collection channel — especially for passwords, 2FA codes, and crypto-wallet addresses. iOS now restricts cross-app pasteboard access, but a kernel-level implant operates below that restriction.
Bluetooth / Wi-Fi hijacking
Active control of the radio stack allows MITM of nearby devices, forced association with attacker-controlled access points, and exfiltration over uncommon channels designed to bypass cellular logging.
App modification & setting override
Tampering with installed apps and silently overriding user settings is the persistence layer — ensuring the user cannot meaningfully harden the device once compromised. Lockdown Mode is meant to address this, but a sufficiently deep implant predating its activation can persist beneath it.
The Photo Slideshow Anomaly
When I downloaded the iOS App Privacy Report logs — the on-device record of which system processes accessed which sensors / data sources — I observed an entry for "Photo Slideshow" showing background access to my photo library for approximately 35 continuous minutes.
I have never manually run the Photo Slideshow feature. It has never been opened by me, intentionally or accidentally. There is no legitimate user-initiated event that would produce 35 minutes of background access to the photo library by that subsystem.
This is either: (a) a genuine implant or compromised process using Slideshow's framework permissions as a cover for bulk exfiltration of my photo library; (b) an MDM-driven sweep using a system-trusted process to read photos without triggering a user-facing prompt; or (c) an artefact of legitimate iOS background indexing whose logging makes it look anomalous. Apple is uniquely positioned to determine which.
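The duration check described above can be reproduced from an exported App Privacy Report file. This is an added example, not the author's or Apple's code: it pairs begin and end records per access and lists long accesses to one category. The NDJSON field names are assumptions about the export format, and the sample lines and `com.example.*` identifiers are constructed.

```python
import json
from datetime import datetime

# Constructed sample in the assumed NDJSON shape of an App Privacy Report export.
SAMPLE_NDJSON = """\
{"type":"access","kind":"intervalBegin","identifier":"A1","category":"photos","timeStamp":"2024-01-10T02:00:00.000+00:00","accessor":{"identifier":"com.example.slideshow","identifierType":"bundleID"}}
{"type":"networkActivity","domain":"example.com","bundleID":"com.example.app"}
{"type":"access","kind":"intervalBegin","identifier":"B2","category":"camera","timeStamp":"2024-01-10T02:05:00.000+00:00","accessor":{"identifier":"com.example.chat","identifierType":"bundleID"}}
{"type":"access","kind":"intervalEnd","identifier":"B2","category":"camera","timeStamp":"2024-01-10T02:05:40.000+00:00","accessor":{"identifier":"com.example.chat","identifierType":"bundleID"}}
{"type":"access","kind":"intervalEnd","identifier":"A1","category":"photos","timeStamp":"2024-01-10T02:35:00.000+00:00","accessor":{"identifier":"com.example.slideshow","identifierType":"bundleID"}}
{"type":"access","kind":"intervalBegin","identifier":"C3","category":"photos","timeStamp":"2024-01-10T03:00:00.000+00:00","accessor":{"identifier":"com.example.editor","identifierType":"bundleID"}}
not-json debris line
"""

def access_intervals(ndjson_text):
    """Pair intervalBegin/intervalEnd records; return (closed, unclosed)."""
    pending, closed = {}, []
    for line in ndjson_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines
        if not isinstance(rec, dict) or rec.get("type") != "access":
            continue  # network-activity and other record types are ignored
        key = rec.get("identifier")
        ts = datetime.fromisoformat(rec["timeStamp"])
        if rec.get("kind") == "intervalBegin":
            pending[key] = (rec["accessor"]["identifier"], rec["category"], ts)
        elif rec.get("kind") == "intervalEnd" and key in pending:
            app, cat, start = pending.pop(key)
            closed.append((app, cat, start, (ts - start).total_seconds()))
    # A begin with no matching end has no measurable duration; report it separately.
    unclosed = sorted((app, cat) for app, cat, _ in pending.values())
    return closed, unclosed

def long_accesses(ndjson_text, category="photos", min_seconds=600):
    """Closed accesses to `category` lasting at least `min_seconds`."""
    closed, _ = access_intervals(ndjson_text)
    return [(app, start.isoformat(), secs)
            for app, cat, start, secs in closed
            if cat == category and secs >= min_seconds]

if __name__ == "__main__":
    print(long_accesses(SAMPLE_NDJSON))
    print("unclosed:", access_intervals(SAMPLE_NDJSON)[1])
```

Unclosed intervals are reported separately because a begin record without an end can reflect an export cut-off rather than ongoing access.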
Why I Believe MDM May Be Involved
- Persistence beneath Lockdown Mode. Lockdown Mode restricts the iOS attack surface significantly; persistence beneath it is more consistent with a configuration-profile-level compromise than with an app-level exploit alone.
- Setting overrides without user prompt. Some of the setting changes I have observed do not trigger the user-confirmation prompts that would normally accompany a user-initiated change — consistent with an MDM payload that has been granted such authority by an enrolled profile.
- System-process activity in the App Privacy Report. Background activity attributed to first-party processes — rather than third-party apps — is exactly what MDM-driven access would surface in those logs.
- Lateral access to close contacts' devices. Lateral spread via an MDM-enrolled supervisor relationship is operationally cleaner than per-device exploitation, and matches the observed pattern of family-member device anomalies.
What I Am Asking For — In One Sentence
I am asking Apple to look at its own server-side records for my Apple ID, tell me whether the activity I have described is reflected there, and either confirm a compromise so we can both act on it, or rule one out so I can move on.
Public Context — Why This Request Is Reasonable
- Apple has, since November 2021, issued State-Sponsored Spyware Threat Notifications to users in over 150 countries believed to have been targeted by mercenary spyware. The framework for "Apple believes a sophisticated attacker is targeting your account" already exists internally.
- Apple sued NSO Group in 2021 over Pegasus. The litigation explicitly identified Apple's interest in protecting its users from this category of threat.
- Citizen Lab, Amnesty Tech and Google Project Zero have repeatedly published technical confirmations of iOS implants attributed to commercial vendors — FORCEDENTRY (2021), BLASTPASS (2023), and follow-on chains throughout 2024–2025.
- UK and EU regulators have begun to formally engage with the commercial-spyware industry as a discrete policy area — including the European Parliament's PEGA Committee report and subsequent recommendations.
This letter is not asking Apple to do anything outside its existing operational scope. It is asking the company to apply, on my account, the same forensic posture it has already applied to dozens of high-profile cases since 2021.
This letter, with this exact list of observed capabilities, has been sent to Apple Security. This page is the public mirror of that communication. If anyone — Apple, security researchers, journalists, or fellow targets — has information that bears on any of the capabilities listed here, please contact me via x@humblebr.ag or via the channels listed on My Experience.