Suspicion is not confirmation — and a wipe destroys the answer
If you have a credible reason to think your device was targeted, two things matter immediately: do not act on folk symptoms alone, and do not wipe or reset the device. Battery drain and overheating are weak signals with a hundred ordinary causes. A threat notification from Apple or a platform like WhatsApp, or a specific reason to believe you are targeted because of your reporting, is a reason to get a forensic examination. The fastest way to lose the answer is to factory-reset the phone, which destroys the very artifacts an examination relies on.
Preserve, do not wipe
Forensic value lives in the device’s current state. The first move is preservation: stop changing the device and have it imaged, with the evidence hash-verified at the moment of capture, a documented chain of custody, and collection aligned to ISO/IEC 27037. Imaging first is what makes every later conclusion defensible, whether in an insurance claim, a police report, or court. If the device poses an active risk, there are containment steps that do not destroy evidence; ask us before you take action.
How forensic confirmation works
Once the device is preserved, the examination follows a documented method:
- Acquisition — a forensically sound copy of the device, hash-verified at capture.
- Indicator analysis — for mobile spyware, the open-source tool the field relies on is the Mobile Verification Toolkit (MVT), run against published indicator sets such as the Pegasus IOCs from Amnesty International’s Security Lab.
- Artifact correlation — cross-checking sign-ins, configuration profiles, and other on-device evidence against the indicators.
- Documented findings — a plain-language report of what is and is not present, written to support admissibility.
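The acquisition and indicator steps above, as an added example that is not part of this page or of MVT itself: the script hashes an image at capture and re-verifies it later (tampering breaks the check), parses a small indicator bundle written in the STIX2 layout MVT consumes, matches it against extracted artifacts, and words the result the way the findings section does. The indicator values, the artifact records and the field mapping are constructed for illustration, not a published IOC set or MVT’s own parser.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed indicator bundle in the STIX2 layout MVT consumes; the values
# are made up for this example and are not a published IOC set.
SAMPLE_IOCS = {
    "type": "bundle",
    "id": "bundle--constructed-example",
    "objects": [
        {"type": "indicator", "name": "constructed-domain",
         "pattern": "[domain-name:value = 'cdn-update.example']"},
        {"type": "indicator", "name": "constructed-process",
         "pattern": "[process:name = 'procd-example']"},
    ],
}

# Constructed on-device artifacts, shaped like records pulled from a backup.
SAMPLE_ARTIFACTS = [
    {"source": "safari_history", "domain": "news.example", "ts": "2025-01-04T09:12:00Z"},
    {"source": "safari_history", "domain": "cdn-update.example", "ts": "2025-01-04T09:12:31Z"},
    {"source": "processes", "name": "SpringBoard", "ts": "2025-01-04T09:12:40Z"},
]

# Simple STIX2 comparison patterns: [key = 'value']
PATTERN = re.compile(r"\[(?P<key>[a-z-]+:[a-z-]+)\s*=\s*'(?P<value>[^']*)'\]")

# Which artifact field each STIX key is compared against (assumed mapping).
FIELD_FOR_KEY = {"domain-name:value": "domain", "process:name": "name"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path, examiner):
    """Custody record written at the moment of capture."""
    p = Path(image_path)
    return {"image": p.name, "bytes": p.stat().st_size,
            "sha256": sha256_file(p), "examiner": examiner}


def verify_acquisition(image_path, record):
    """Re-hash later (before analysis, before handover) and compare."""
    return sha256_file(image_path) == record["sha256"]


def load_indicators(bundle):
    """Map each STIX pattern key to the set of values to look for."""
    iocs = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN.fullmatch(obj["pattern"])
        if not m:  # unsupported pattern shape: skip it rather than guess
            continue
        iocs.setdefault(m["key"], set()).add(m["value"])
    return iocs


def match_artifacts(artifacts, iocs):
    """Return every artifact whose mapped field equals a known indicator."""
    hits = []
    for art in artifacts:
        for key, values in iocs.items():
            field = FIELD_FOR_KEY.get(key)
            if field and art.get(field) in values:
                hits.append({"source": art["source"], "indicator": key,
                             "value": art[field], "ts": art["ts"]})
    return hits


def finding(hits):
    """Absence of matches is never a clean bill of health, so word it that way."""
    if hits:
        return "indicators of compromise found"
    return "no known indicators of compromise found"


def demo():
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "backup.tar"
        image.write_bytes(b"constructed image contents")
        rec = record_acquisition(image, "examiner-1")
        intact = verify_acquisition(image, rec)
        image.write_bytes(b"constructed image contents, altered")
        tampered = verify_acquisition(image, rec)
    hits = match_artifacts(SAMPLE_ARTIFACTS, load_indicators(SAMPLE_IOCS))
    return intact, tampered, hits, finding(hits)


if __name__ == "__main__":
    print(demo())
```

Real examinations run MVT against a decrypted backup or filesystem dump (for example `mvt-ios check-backup --iocs <stix2 file> --output <dir> <backup>`); the value of writing the matcher out is seeing that a match is only as good as the indicator set and the field mapping, which is why an empty hit list is reported as "no known indicators" rather than "clean".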
The honest boundary, which MVT’s own authors state, is that the absence of indicators is not proof a device is clean. Our finding is “indicators of compromise found” or “no known indicators of compromise found” — never a guarantee. The 2025 confirmation of Paragon’s Graphite spyware on journalists’ devices, reported by Citizen Lab, is a reminder that this is a live, evolving threat and that careful method matters.
- A direct line to Quinn, the founder — not a sales pipeline.
- Worked in-house by the examiner who scoped it.
- Explainable findings you can verify, with the methodology shown.
Honest attribution, and where it ends
A forensic examination can frequently establish that a device shows indicators consistent with a known spyware family — and that is often the finding that matters most. Naming the operator behind the attack is far harder and is often not possible from the device alone. Even Citizen Lab and Amnesty’s Security Lab, who do this at the highest level, are careful about attribution. We apply their published, peer-reviewed methods; we are not them, and we do not claim to be. We will tell you exactly what the evidence supports and where it stops, and we do not guarantee attribution.
Incident response and what comes after
Confirmation is the start of a response, not the end. Depending on the finding, the work includes containing further exposure, re-securing accounts the device could reach, and documenting the incident for your editor, your insurer, or law enforcement. Where a matter heads toward litigation, we provide cybersecurity expert-witness support on the methodology and findings.
What working with us means
- Written scope before any work. You see a written scope — deliverables, timeline, and price — and approve it before we begin. You are never billed for work you did not authorize.
- We commit to findings, not outcomes. We tell you up front what the evidence can and cannot establish. Recovery, attribution, and prosecution are decided by banks, platforms, insurers, and courts — we produce the record they act on, and we put that distinction in writing.
- Every case is investigated, not just scanned. A credentialed examiner reviews every case before findings leave the practice. You get a documented investigation to court-admissible standards — not a single automated scan and a one-line answer.
- We will tell you if you do not need us. If a free or simpler step — a police report, an IC3 filing, a platform's own recovery flow — would resolve your situation, we point you there first.
Related guides
To harden a device before anything goes wrong, see digital security for journalists. To protect a source or intake channel, see protecting journalistic sources. The overview is on the For Journalists hub.