It’s difficult to find much information about Daniel Micay online. Google him and you’ll turn up an impersonal X account and a barren LinkedIn page, plus some YouTube “exposés” and flame wars on Reddit and HackerNews that characterize him as everything from a privacy advocate to a cybersecurity visionary to a despot. Meanwhile, Claude refers to him as a “formidable independent mobile security researcher” who is “widely described as socially abrasive” (for whatever that’s worth). “All I can tell you about Daniel is that he lives in Canada,” says Dave Wilson, the community manager of GrapheneOS, a world-famous privacy tool and Micay’s current project.
Within the cybersecurity community, the mythology surrounding Micay goes beyond celebrity. He could be a ghost or a kind of egregore, like Satoshi Nakamoto or Ned Ludd. Fans pick apart scraps of biographical information; enemies take swipes at his technical achievements. Who is Daniel Micay? What does he really want? When I wrote to the email listed on the GrapheneOS website, I heard back the same day: “The team as a whole would be happy to take questions and answer them together in a collective fashion. As such any responses would be from the ‘GrapheneOS team’ and not directly Daniel Micay.” Interesting. Then I got in touch with Micay himself—via LinkedIn, of all places. He declined my request for an on-the-record interview, citing safety concerns. I’ve since learned he’s 28 years old.
I did talk to Micay’s former business partner, James Donaldson, at length and against the wishes of Donaldson’s lawyer. I also talked to associates of Micay’s. Over many months, a portrait emerged of something less than a myth but perhaps more than a man—and one who would go to extreme lengths to protect his legacy.
“He was a funny guy, ” said Donaldson. Note the past tense.
Donaldson claims he first met Micay sometime between 2011 and 2013, when Micay joined Toronto Crypto, a small group that occasionally got together to talk cryptography over beers. (Through his current team, Micay disputes this. He says he met Donaldson in 2014 and never officially joined the group.) At the time, Micay was a security researcher and open source developer with an interest in the fast-growing mobile space.
Micay could be, according to Donaldson, somewhat guarded. He had an off-kilter sense of humor and chimed in only when something technical came up. Donaldson recalled a time when a troll infiltrated the crypto group’s chat and gave them the seemingly impossible task of decrypting a series of messages. Micay did so eagerly and easily. “I have a knack for figuring out people very early on,” Donaldson said, “and I knew this guy was brilliant.” (Through his team, Micay claims to have no recollection of this event.)
Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.” He saw an opportunity to make money in Android, which then controlled 80 percent of the smartphone user base. Because the operating system was a decentralized, open source ecosystem that seemed to prioritize commercial appeal and mass adoption over security, Android—with its plethora of vulnerabilities—had been likened to Swiss cheese. (This was in noteworthy contrast to the more secure walled garden of Apple’s iOS.) Donaldson didn’t know how to plug those holes himself, but now he knew someone who could.
The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product, CopperheadOS, was an open source operating system that focused on something called Android hardening. Like building a fortress and digging moats around a castle, “hardening” a piece of software makes it more difficult for hackers to gain access. In the case of CopperheadOS, this meant protecting mobile data by adding layers of security on top of the stock Android OS. (Micay has claimed in court filings that he was already working on Android hardening before meeting Donaldson and that he agreed to the partnership on the explicit understanding that he would retain control over the resulting OS.)
