Hacktivist scrapes over 500,000 stalkerware customers’ payment records
Source: TechCrunch
A hacktivist has scraped more than half a million payment records from a provider of consumer‑grade “stalkerware” phone surveillance apps, exposing the email addresses and partial payment information of customers who paid to spy on others.
The transactions contain records of payments for phone‑tracking services like Geofinder and uMobix, as well as services like Peekviewer (formerly Glassagram), which purport to allow access to private Instagram accounts, among several other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.
The customer data also includes transaction records from Xnspy, a known phone surveillance app, which in 2022 spilled the private data from tens of thousands of unsuspecting people’s Android devices and iPhones.
Context
This is the latest example of a surveillance vendor exposing the information of its customers due to security flaws. Over the past few years, dozens of stalkerware apps have been hacked, or have lost, spilled, or exposed people’s private data — often that of the victims themselves — thanks to shoddy cybersecurity by the stalkerware operators.
Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data (call records, text messages, photos, browsing history, precise location) and share it with the person who installed the app. These apps have explicitly marketed their services for spying on spouses and domestic partners, which is illegal.
Leak Details
- Approximately 536,000 lines of customer email addresses.
- For each record: the app or brand purchased, amount paid, payment card type (Visa, Mastercard, etc.), and the last four digits of the card.
- Payment dates were not included.
TechCrunch verified the data’s authenticity by:
- Using disposable email addresses (e.g., Mailinator) found in the dataset to reset passwords via the apps’ password‑reset portals, confirming the accounts were real.
- Matching each transaction’s unique invoice number with the vendor’s checkout pages, which exposed the same customer and transaction data without requiring a password.
Hacktivist Claims
The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the data from the stalkerware vendor thanks to a “trivial” bug in its website. They said they “have fun targeting apps that are used to spy on people,” and subsequently published the scraped data on a known hacking forum.
The forum listing identifies the surveillance vendor as Ersten Group, presented as a U.K.-based software development startup. However, TechCrunch found several email addresses in the dataset used for testing and customer support that reference Struktura, a Ukrainian company with an identical website to Ersten Group. The earliest record in the dataset contains the email address of Struktura’s chief executive, Viktoriia Zosim, for a $1 transaction.
Representatives for Ersten Group did not respond to requests for comment, and Struktura’s Zosim did not return a request for comment.