A hacktivist has dug up more than half a million payment records from a provider of consumer-grade “stalkerware” phone monitoring apps, exposing the email addresses and partial payment details of customers who paid to spy on others.
The transactions contain records of payments for phone tracking services such as Geofinder and uMobix, as well as services such as Peekviewer (formerly Glassagram), which purports to allow access to private Instagram accounts, among many other monitoring and tracking applications provided by the same vendor, a Ukrainian company called Struktura.
The customer data also includes transaction records from Xnspy, a well-known phone tracking app that in 2022 leaked private data from tens of thousands of unsuspecting people's Android and iPhone devices.
This is the latest example of a surveillance vendor exposing its customers’ information due to security flaws. In recent years, dozens of stalkerware apps have been hacked, or have otherwise lost, leaked or exposed people’s personal data, often that of the victims themselves, thanks to poor cybersecurity by stalkerware operators.
Stalkerware apps like uMobix and Xnspy, once installed on someone’s phone, upload the victim’s personal data, including call logs, text messages, photos, browsing history and precise location data, which are then shared with the person who installed the app.
Apps like uMobix and Xnspy have explicitly marketed their services to spy on spouses and domestic partners, which is illegal.
The data, seen by TechCrunch, included about 536,000 rows of customer email addresses, which app or brand the customer paid for, how much they paid, the type of payment card (such as Visa or Mastercard) and the last four digits on the card. Client records did not include payment dates.
TechCrunch verified that the data was authentic by taking several transaction files containing disposable email addresses with public inboxes, such as Mailinator, and running those addresses through the password reset portals provided by the various monitoring applications. By resetting the passwords on accounts associated with public email addresses, we determined that these were real accounts.
We also verified the data by matching each transaction’s unique invoice number from the leaked data set with the surveillance vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve the same customer and transaction data from the server without requiring a password.
The hacktivist, who goes by the name “wikkid,” told TechCrunch that the data was leaked from the stalkerware vendor thanks to a “trivial” bug on its website. The hacktivist said they were “having fun targeting apps used to spy on people” and then posted the scraped data on a well-known hacking forum.
The listing on the hacking forum names the tracking vendor as Ersten Group, which presents itself as a UK-based software development startup.
TechCrunch found that several email addresses in the data set, used for testing and customer support, instead refer to Struktura, a Ukrainian company whose website is identical to Ersten Group's. The oldest record in the data set contained the email address for Struktura CEO Viktoriia Zosim for a $1 transaction.
Representatives for Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not respond to a request for comment.
