A hacktivist has scraped more than half-a million payment records from a provider of consumer-grade “stalkerware” phone surveillance apps. This exposure reveals the email addresses and partial payment information of customers who paid to spy on others. The transactions include records of payments for phone-tracking services like Geofinder and uMobix, as well as services like Peekviewer, formerly known as Glassagram, which claims to allow access to private Instagram accounts. These are among several other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.
The customer data also includes transaction records from Xnspy, a known phone surveillance app. In 2022, Xnspy spilled the private data from tens of thousands of unsuspecting people’s Android devices and iPhones. This incident is the latest example of a surveillance vendor exposing its customers’ information due to security flaws. Over the past few years, dozens of stalkerware apps have been hacked, or have managed to lose, spill, or expose people’s private data—often the data of the victims themselves—thanks to shoddy cybersecurity by the stalkerware operators.
Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data. This includes their call records, text messages, photos, browsing history, and precise location data, which is then shared with the person who planted the app. Apps like uMobix and Xnspy have explicitly marketed their services for people to spy on their spouses and domestic partners, which is illegal.
The data, seen by TechCrunch, included about 536,000 lines of customer email addresses. It also showed which app or brand the customer paid for, how much they paid, the payment card type, such as Visa or Mastercard, and the last four digits on the card. The customer records did not include dates of payments.
TechCrunch verified the data was authentic by taking several transaction records containing disposable email addresses with public inboxes, such as Mailinator, and running them through the various password reset portals provided by the surveillance apps. By resetting the passwords on accounts associated with public email addresses, they determined these were real accounts. The verification also involved matching each transaction’s unique invoice number from the leaked dataset with the surveillance vendor’s checkout pages. This was possible because the checkout page allowed retrieval of the same customer and transaction data from the server without needing a password.
The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the data from the stalkerware vendor thanks to a “trivial” bug in its website. The hacktivist said they “have fun targeting apps that are used to spy on people,” and subsequently published the scraped data on a known hacking forum. The hacking forum listing identifies the surveillance vendor as Ersten Group, which presents itself as a U.K.-based software development startup.
TechCrunch found several email addresses in the dataset used for testing and customer support instead reference Struktura, a Ukrainian company that has an identical website to Ersten Group. The earliest record in the dataset contained the email address for Struktura’s chief executive, Viktoriia Zosim, for a transaction of one dollar. Representatives for Ersten Group did not respond to requests for comment. Struktura’s Zosim did not return a request for comment.