Tiffany Ng The Big Story Apr 21, 2026 6:00 AM They Built a Legendary Privacy Tool. Now They’re Sworn Enemies There’s a lot of love all over the world for GrapheneOS, the gold standard of mobile security. There’s very little love between the two guys at the center of its history. ILLUSTRATION: iain macarthur Save this story Save this story It’s difficult to find much information about Daniel Micay online. Google him and you’ll turn up an impersonal X account and a barren LinkedIn page, plus some YouTube “exposés” and flame wars on Reddit and HackerNews that characterize him as everything from a privacy advocate to a cybersecurity visionary to a despot. Meanwhile, Claude refers to him as a “formidable independent mobile security researcher” who is “widely described as socially abrasive” (for whatever that’s worth). “All I can tell you about Daniel is that he lives in Canada,” says Dave Wilson, the community manager of GrapheneOS, a world-famous privacy tool and Micay’s current project. Within the cybersecurity community, the mythology surrounding Micay goes beyond celebrity. He could be a ghost or a kind of egregore, like Satoshi Nakamoto or Ned Ludd. Fans pick apart scraps of biographical information; enemies take swipes at his technical achievements. Who is Daniel Micay? What does he really want? When I wrote to the email listed on the GrapheneOS website, I heard back the same day: “The team as a whole would be happy to take questions and answer them together in a collective fashion. As such any responses would be from the ‘GrapheneOS team’ and not directly Daniel Micay.” Interesting. Then I got in touch with Micay himself—via LinkedIn, of all places. He declined my request for an on-the-record interview, citing safety concerns. I’ve since learned he’s 28 years old. I did talk to Micay’s former business partner, James Donaldson, at length and against the wishes of Donaldson’s lawyer. I also talked to associates of Micay’s. Over many months, a portrait emerged of something less than a myth but perhaps more than a man—and one who would go to extreme lengths to protect his legacy. “He was a funny guy, ” said Donaldson. Note the past tense. Donaldson claims he first met Micay sometime between 2011 and 2013, when Micay joined Toronto Crypto, a small group that occasionally got together to talk cryptography over beers. (Through his current team, Micay disputes this. He says he met Donaldson in 2014 and never officially joined the group.) At the time, Micay was a security researcher and open source developer with an interest in the fast-growing mobile space. Micay could be, according to Donaldson, somewhat guarded. He had an off-kilter sense of humor and chimed in only when something technical came up. Donaldson recalled a time when a troll infiltrated the crypto group’s chat and gave them the seemingly impossible task of decrypting a series of messages. Micay did so eagerly and easily. “I have a knack for figuring out people very early on,” Donaldson said, “and I knew this guy was brilliant.” (Through his team, Micay claims to have no recollection of this event.) Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.” He saw an opportunity to make money in Android, which then controlled 80 percent of the smartphone user base. Because the operating system was a decentralized , open source ecosystem that seemed to prioritize commercial appeal and mass adoption over security , Android—with its plethora of vulnerabilities —had been likened to Swiss cheese. (This was in noteworthy contrast to the more secure walled garden of Apple’s iOS.) Donaldson didn’t know how to plug those holes himself, but now he knew someone who could. The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product, CopperheadOS, was an open source operating system that focused on something called Android hardening. Like building a fortress and digging moats around a castle, “hardening” a piece of software makes it more difficult for hackers to gain access. In the case of CopperheadOS, this meant protecting mobile data by adding layers of security on top of the stock Android OS. (Micay has claimed in court filings that he was already working on Android hardening before meeting Donaldson and that he agreed to the partnership on the explicit understanding that he would retain control over the resulting OS.) CopperheadOS was an instant hit and one of the first of its kind—few others were paying attention to mobile security at the time. A year after its launch, Chris Soghoian, then a principal technologist at the American Civil Liberties Union, called CopperheadOS “the most exciting thing happening in the world of Android security.” Open source advocacy groups like the Guardian Project, as well as the Google Play store alternative F-Droid, started inquiring about partnerships. In 2018, CopperheadOS was featured in 2600: The Hacker Quarterly. In true startup fashion, Donaldson picked up all sorts of eclectic IT jobs in the company’s infancy—fixing printers, recovering hacked WordPress websites—to help fund Micay’s work on the operating system. “I keep Daniel away from the normal world so he can sit around and hack on Android,” Donaldson said in a 2017 interview with Crypto Tech Solutions. “I know when to get out of the way.” In the same interview, Donaldson jokingly compared himself to Erlich Bachman, the cavalier incubator from HBO’s Silicon Valley . He believed that his ability to bridge the gap between the technically versed and the business-minded was what would make Copperhead successful. While Donaldson was out doing interviews as the face of the operation, Micay was often locked away in what Donaldson referred to as the “wizard tower,” hunting vulnerabilities in Android and patching them in CopperheadOS. Micay also spent time troubleshooting for the user base. As an open source purist—he was a longtime contributor to projects like Arch Linux and Mozilla’s Rust programming language—Micay seemed to feel a duty to support anyone interested in the project. Even if it was at the expense of his own well-being. It was critical to him that everyone had free access to mobile security. But those values began to diverge from Donaldson’s. On the one hand, Donaldson still considered himself a kind of hacker rebel. At one point, he even sent me “ The Conscience of a Hacker ,” a poetic manifesto written in 1986 by someone called the Mentor. (“This is our world now … the world of the electron and the switch,” it reads. “Yes, I am a criminal. My crime is that of curiosity.”) On the other hand, he was running a business. “We were all hacker rebels trying to make money,” he said. For the first year or so of CopperheadOS’s operation, everything you needed to download, install, or modify it was available online. The hope was to make money from selling tech support that prioritized paying users. But the proliferation of CopperheadOS dupes, combined with round-the-clock troubleshooting, meant that everyone but the Copperhead team was getting their fair share of the Android hardening pie. “We had to do something about it,” Donaldson said. In October 2016, Copperhead moved from being open source to having a noncommercial license, a decision Donaldson insists he made with Micay. (Micay’s lawyer said that Micay merely “placated” Donaldson.) Now, most users would have to purchase a Copperhead phone to access the OS. “I don’t like begging for donations,” said Donaldson, and he felt it was about time the operating system started generating revenue. Once Copperhead relicensed, Donaldson said, the project immediately started signing agreements with Fortune 500 companies. While Copperhead worked with nonprofits, Donaldson had his eye on defense contractors. “That’s the holy grail, to be honest,” he said. “The idea that I could work in the defense industry doing things Copperhead-related was awesome.” He clarified that Copperhead’s technology would only be used to protect these clients from adversaries, not for them to somehow weaponize it in turn. He assured me that Copperhead wasn’t selling out; it was being pragmatic, and security should go to those who value it. In a 2017 interview with Vice, Donaldson was asked whether he was ever tempted to use his powers for evil. “That depends,” he said, “on your definition of evil.” Micay likely had a definition. Between licensing the OS and the possibility of doing business with defense contractors, he seemed to feel the integrity of his code was eroding as quickly as his agency in the Copperhead partnership. Not only was CopperheadOS no longer available to the masses, it was starting to serve the very people Micay wanted to protect users from. Above all else, his partner seemed to be determining the fate of the system he had built. By the spring of 2018—two and a half years after officially launching Copperhead—the last bit of control Micay seemed to have left was CopperheadOS’s signing keys. If hardening is building a fortress, signing keys get you into the castle: They determine what software a device will trust and which changes can be made to every device running the operating system. At larger-scale institutions like Linux, elaborate safeguards are put in place to limit the influence that any one member can have over the operating system. But in Copperhead’s case, the company didn’t have a large network of developers. Micay was in sole possession of the keys. And he was about to do something almost entirely unheard of in the world of cybersecurity. ILLUSTRATION: Iain MacArthur Tensions went from passive to aggressive when Donaldson ap