ReportWire

Tag: stalkerware

  • Founder of spyware maker pcTattletale pleads guilty to hacking and advertising surveillance software | TechCrunch

    [ad_1]

    The founder of a U.S.-based spyware company, whose surveillance products allowed customers to spy on the phones and computers of unsuspecting victims, pleaded guilty to federal charges linked to his long-running operation. 

    pcTattletale founder Bryan Fleming entered a guilty plea in a San Diego federal court on Tuesday to charges of computer hacking, the sale and advertising of surveillance software for unlawful uses, and conspiracy.

    The plea follows a multi-year investigation by agents with Homeland Security Investigations (HSI), a unit within U.S. Immigration and Customs Enforcement. HSI began investigating pcTattletale in mid-2021 as part of a wider probe into the industry of consumer-grade surveillance software, also known as “stalkerware.”

    This is the first successful U.S. federal prosecution of a stalkerware operator in more than a decade, following the 2014 indictment and subsequent guilty plea of the creator of a phone surveillance app called StealthGenie. Fleming’s conviction could pave the way for further federal investigations and prosecutions against those operating spyware, but also those who simply advertise and sell covert surveillance software.

    HSI said that pcTattletale is one of several stalkerware websites under investigation.

    A spokesperson for ICE did not immediately comment when contacted by TechCrunch, nor did a representative for the U.S. Attorney’s Office for the Southern District of California, which brought the charges against Fleming.

    Fleming’s lawyer Marcus Bourassa did not respond to a request for comment Tuesday.

    pcTattletale was a remote surveillance app that had been under Fleming’s control since at least 2016. Stalkerware apps like pcTattletale allow ordinary consumers to buy software capable of tracking people and their data without their knowledge, including romantic partners and spouses, which is illegal in the United States and many other countries.

    Once physically planted on a person’s phone or computer (usually with knowledge of the victim’s passcode or login), the app would continuously upload a copy of the victim’s information, including messages, photos and location data, to pcTattletale’s servers and make the data accessible to whoever planted the spyware.

    Fleming shut down pcTattletale in 2024 following a data breach, which saw a hacker deface the company’s website and steal reams of data from its servers, including identifiable information belonging to its customers and their victims. More than 138,000 customers who had signed up to use pcTattletale had their breached information shared with data breach notification site Have I Been Pwned

    At the time, Fleming told TechCrunch that his company was “out of business and completely done,” after deleting the contents of pcTattletale’s servers.   

    Despite the shutdown, federal agents were already far into their investigation of Fleming’s illegal spyware business.

    Feds search founder’s $1.2M home

    HSI began investigating pcTattletale in June 2021 after finding over a hundred stalkerware websites offering surveillance products, many of which advertised lawful uses of the software, such as monitoring children or employees.

    pcTattletale stood out because it was specifically advertising its spyware for “surreptitiously spying on spouses and partners,” wrote HSI special agent Nick Jones in the 2022 affidavit in support of a search warrant for Fleming’s home. The affidavit was unsealed in early December 2025 ahead of Fleming’s anticipated plea hearing. 

    Crucially for investigators, Fleming was believed to be operating pcTattletale from his home in Bruce Township, Michigan, well within reach of U.S. law enforcement — unlike many overseas stalkerware operators who are not.  

    Unlike some stalkerware operators who shield their identities to avoid legal and reputational risks from working with spyware, Fleming was brazen in how he advertised pcTattletale. In videos posted on YouTube, Fleming could be seen at his home promoting pcTattletale as its creator and founder. 

    A surveillance photo taken by HSI agents outside of Bryan Fleming’s home in Michigan.Image Credits:Justice Department (affidavit)

    According to the affidavit, HSI obtained a warrant in 2022 allowing the search of Fleming’s email accounts. HSI said the emails showed that Fleming “knowingly assisted customers seeking to spy on nonconsenting, non-employee adults.” 

    Federal agents later surveilled Fleming’s home to confirm it was in fact him.

    Jones also went undercover to collect evidence, posing as an affiliate marketer under the guise of promoting the spyware in exchange for a cut of the proceeds. As a result of this operation, Jones exchanged emails with Fleming, in which the pcTattletale founder provided images intended for banner ads that promoted the spyware as a way to “catch a cheater,” which made it clear Fleming wanted to market his product for illegal purposes. 

    By November 2022, HSI had obtained permission from a U.S. judge to search Fleming’s home, which agents raided soon after, seizing an unknown number of items. Agents also obtained records associated with Fleming’s bank and his PayPal account, which had transactions totaling more than $600,000 as of the end of 2021. 

    The search warrant was filed under seal amid concerns that Fleming could destroy or tamper with evidence. Fleming has since sold the house for $1.2 million, per public records.

    Fleming’s conviction is a win for privacy advocates and campaigners who work to counter the proliferation of stalkerware and raise awareness to its dangers.

    Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and the co-founder of the Coalition Against Stalkerware, who has investigated and fought stalkerware for years, commented on Fleming’s guilty plea when reached by TechCrunch.

    “One of the most striking aspects of this case is the extent to which stalkware companies like pcTattletale operate out in the open,” said Galperin. “This is because the people behind these companies so rarely face consequences for selling tools that they themselves say are explicitly for monitoring other people’s devices without their knowledge or consent.”

    “I hope that this case changes the risk calculus for makers of stalkerware,” said Galperin.

    Fleming is expected to be sentenced later this year.

    ——

    If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

    [ad_2]

    Zack Whittaker

    Source link

  • Hacked, leaked, exposed: Why you should never use stalkerware apps | TechCrunch

    Hacked, leaked, exposed: Why you should never use stalkerware apps | TechCrunch

    [ad_1]

    Last week, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced pcTattletale’s official website with the goal of embarrassing the company. 

    “This took a total of 15 minutes from reading the techcrunch article,” the hackers wrote in the defacement, referring to a recent TechCrunch article where we reported that pcTattletale was used to monitor several front desk check-in computers at Wyndham hotels across the United States.

    As a result of this hack, leak and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company.

    Consumer spyware apps like pcTattletale are commonly referred to as stalkerware because jealous spouses and partners use them to surreptitiously monitor and surveil their loved ones. These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. And there have been multiple court cases, journalistic investigations, and surveys of domestic abuse shelters that show that online stalking and monitoring can lead to cases of real-world harm and violence. 

    And that’s why hackers have repeatedly targeted some of these companies.

    According to TechCrunch’s tally, with this latest hack, pcTattletale has become the 20th stalkerware company since 2017 that is known to have been hacked or leaked customer and victims’ data online. That’s not a typo: Twenty stalkerware companies have either been hacked or had a significant data exposure in recent years. And three stalkerware companies were hacked multiple times. 

    Eva Galerpin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a “soft target.” “The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” Galperin told TechCrunch.

    Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care for protecting their own customers — and consequently the personal data of tens of thousands of unwitting victims — using these apps is doubly irresponsible. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and, on top of that, putting everyone’s data in danger. 

    A history of stalkerware hacks

    The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those two hacks revealed that the companies had a total number of 130,000 customers all over the world.

    At the time, the hackers who — proudly — claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.

    “I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,” one of the hackers involved then told Motherboard. 

    Referring to FlexiSpy, the hacker added: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there.”

    Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.

    The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back — and then it got hacked again a year later. A couple of weeks after the second breach, Retina-X announced that it was shutting down

    Just days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called who and when. 

    Weeks later, there was the first case of accidental data exposure, rather than a hack. SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant anyone could see and download text messages, photos, audio recordings, contacts, location, scrambled passwords and login information, Facebook messages and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see. 

    Other stalkerware companies that over the years have irresponsibly left customer and victims’ data online are FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records; Xnore, which let any of its customers see the personal data of other customers’ targets, which included chat messages, GPS coordinates, emails, photos and more; Mobiispy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone; KidsGuard, which had a misconfigured server that leaked victims’ content; pcTattletale, which prior to its hack also exposed screenshots of victims’ devices uploaded in real-time to a website that anyone could access; and Xnspy, whose developers left credentials and private keys left in the apps’ code, allowing anyone to access victims’ data.

    As far as other stalkerware companies that actually got hacked, there was Copy9, which saw a hacker steal the data of all its surveillance targets, including text messages and WhatsApp messages, call recordings, photos, contacts, and brows history; LetMeSpy, which shut down after hackers breached and wiped its servers; the Brazil-based WebDetetive, which also got its servers wiped, and then hacked again; OwnSpy, which provides much of the backend software for WebDetetive, also got hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access the back-end databases and years of stolen around 60,000 victims’ data; and Oospy, which was a rebrand of Spyhide, shut down for a second time.

    Finally there is TheTruthSpy, a network of stalkerware apps, which holds the dubious record of having been hacked or having leaked data on at least three separate occasions

    Hacked, but unrepented

    Of these 20 stalkerware companies, eight have shut down, according to TechCrunch’s tally. 

    In a first and so far unique case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman, from operating in the surveillance industry following an earlier security lapse that exposed victims’ data. Another stalkerware operation linked to Zuckerman, called SpyTrac, subsequently shut down following a TechCrunch investigation. 

    PhoneSpector and Highster, another two companies that are not known to have been hacked, also shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance. 

    But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded. 

    “I do think that these hacks do things. They do accomplish things, they do put a dent in it,” Galperin said. “But if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case.”

    “What happens most often, when you actually manage to kill a stalkerware company, is that the stalkerware company comes up like mushrooms after the rain,” Galperin added. 

    There is some good news. In a report last year, security firm Malwarebytes said that the use of stalkerware is declining, according to its own data of customers infected with this type of software. Also, Galperin reports seeing an increase in negative reviews of these apps, with customers or prospective customers complaining they don’t work as intended.

    But, Galperin said that it’s possible that security firms aren’t as good at detecting stalkerware as they used to be, or stalkers have moved from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.

    “Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech enabled abuse,” Galperin said.

    Say no to stalkerware

    Using spyware to monitor your loved ones is not only unethical, it’s also illegal in most jurisdictions, as it’s considered unlawful surveillance. 

    That is already a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and time again that they cannot keep data secure — neither data belonging to the customers nor their victims or targets.

    Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn’t mean using stalkerware to snoop on your kids’ phone isn’t creepy and unethical. 

    Even if it’s lawful, Galperin thinks parents should not spy on their children without telling them, and without their consent. 

    If parents do inform their children and get their go-ahead, parents should stay away from insecure and untrustworthy stalkerware apps, and use parental tracking tools built into Apple phones and tablets and Android devices that are safer and operate overtly. 

    If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

    [ad_2]

    Lorenzo Franceschi-Bicchierai

    Source link

  • Stalkerware apps PhoneSpector and Highster appear to shut down | TechCrunch

    Stalkerware apps PhoneSpector and Highster appear to shut down | TechCrunch

    [ad_1]

    The makers of two phone surveillance services appear to have shuttered after the owner agreed to settle state accusations of illegally promoting spyware that his companies developed.

    PhoneSpector and Highster were consumer-grade phone monitoring apps that facilitated the covert surveillance of a person’s smartphone. Commonly dubbed stalkerware (or spouseware), these apps are typically planted on a person’s phone, often by a spouse or domestic partner and usually with knowledge of the device passcode. These apps are designed to stay hidden from home screens, making them difficult to find and remove, all the while continuously uploading the phone’s messages, photos and real-time location data to a dashboard viewable by the abuser.

    In February 2023, Patrick Hinchy, whose consortium of New York and Florida-based tech companies developed PhoneSpector and Highster, agreed to pay $410,000 in penalties to settle accusations that Hinchy’s companies advertised and “aggressively promoted” spyware that allowed the secret phone surveillance of individuals living in New York state.

    New York Attorney General Letitia James said at the time that Hinchy’s companies used blog posts that explicitly encouraged prospective customers to use the spyware to monitor their spouses’ devices without their knowledge. As part of the deal, Hinchy’s companies agreed to modify the apps to alert device owners that their phones had been monitored.

    Since the settlement, both PhoneSpector and Highster have dropped offline.

    PhoneSpector’s website stopped loading in the weeks after the settlement. Its domain now redirects to an Indonesian lottery website. Highster’s website stopped loading several months later.

    The domains, servers and back-end infrastructure known to be used by PhoneSpector and Highster are also no longer online.

    TechCrunch called phone numbers associated with PhoneSpector and Highster customer service but an automated message said that the numbers had been disconnected. The office space in the New York village of Port Jefferson registered to Hinchy’s companies is currently occupied by a construction firm.

    Nearly all of Hinchy’s registered companies in New York and Florida remain active, according to public records searches by TechCrunch, but the companies have not filed paperwork with the states for several years and are designated “past due” for updates. Companies are typically required to file paperwork every two years or face dissolution by state authorities.

    Hinchy did not respond to multiple requests for comment from TechCrunch. Michael Weinstein, who represented Hinchy as part of the settlement, deferred comment to the New York attorney general’s office.

    Delaney Kempner, director of communications for the New York attorney general’s office, did not answer TechCrunch’s questions about the settlement by email, including whether Hinchy’s companies paid the $410,000 penalty as agreed. Kempner would not agree to TechCrunch’s request for an on-the-record call. In response to specific questions about the case, Kempner told TechCrunch by email that unspecified recent filings would answer some of our questions. “Hopefully you know how to find them :)” said Kempner.

    PhoneSpector and Highster are the latest stalkerware apps to have fallen offline in recent years following regulatory action.

    In 2019, the Federal Trade Commission brought charges against phone monitoring app maker Retina-X, accusing the company of failing to ensure its app was used for legitimate consensual purposes, and failing to adequately secure the sensitive phone data it siphoned from the phones of unknowing device owners after experiencing several data breaches. Retina-X eventually shut down.

    A year later, the FTC banned the stalkerware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, also accusing the company of failing to protect the data it secretly harvested from the phones of unwitting victims. A TechCrunch investigation later found Zuckerman returned with a new stalkerware app called SpyTrac, which shut down soon after TechCrunch contacted Zuckerman for comment.

    [ad_2]

    Zack Whittaker

    Source link