Hacktivist scrapes over 500,000 stalkerware customers’ payment records

A hacktivist has scraped much than half-a-million outgo records from a supplier of consumer-grade “stalkerware” telephone surveillance apps, exposing the email addresses and partial outgo accusation of customers who paid to spy connected others. 

The transactions incorporate records of payments for telephone tracking services similar Geofinder and uMobix, arsenic good arsenic services similar Peekviewer (formerly Glassagram), which purport to let entree to backstage Instagram accounts, among respective different monitoring and tracking apps provided by the aforesaid vendor, a Ukrainian institution called Struktura.

The lawsuit information besides includes transaction records from Xnspy, a known telephone surveillance app, which in 2022 spilled the backstage data from tens of thousands of unsuspecting people’s Android devices and iPhones. 

This is the latest illustration of a surveillance vendor exposing the accusation of its customers owed to information flaws. Over the past fewer years, dozens of stalkerware apps person been hacked, oregon person managed to lose, spill, oregon exposure people’s backstage information — often the victims themselves — acknowledgment to shoddy cybersecurity by the stalkerware operators.

Stalkerware apps similar uMobix and Xnspy, erstwhile planted connected someone’s phone, upload the victim’s backstage data, including their telephone records, substance messages, photos, browsing history, and precise determination data, which is past shared with the idiosyncratic who planted the app.

Apps similar UMobix and Xnspy person explicitly marketed their services for radical to spy connected their spouses and home partners, which is illegal.

The data, seen by TechCrunch, included astir 536,000 lines of lawsuit email addresses, which app oregon marque the lawsuit paid for, however overmuch they paid, the outgo paper benignant (such arsenic Visa oregon Mastercard), and the past four-digits connected the card. The lawsuit records did not see dates of payments. 

TechCrunch verified the information was authentic by taking respective transaction records containing disposable email addresses with nationalist inboxes, specified arsenic Mailinator, and moving them done the assorted password reset portals provided by the assorted surveillance apps. By resetting the passwords connected accounts associated with nationalist email addresses, we determined that these were existent accounts.

We besides verified the information by matching each transaction’s unsocial invoice fig from the leaked dataset with the surveillance vendor’s checkout pages. We could bash this due to the fact that the checkout leafage allowed america to retrieve the aforesaid lawsuit and transaction information from the server without needing a password.

The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the information from the stalkerware vendor acknowledgment to a “trivial” bug successful its website. The hacktivist said they “have amusive targeting apps that are utilized to spy connected people,” and subsequently published the scraped information connected a known hacking forum.

The hacking forum listing lists the surveillance vendor arsenic Ersten Group, which presents itself arsenic a U.K.-presenting bundle improvement startup. 

TechCrunch recovered respective email addresses successful the dataset utilized for investigating and lawsuit enactment alternatively notation Struktura, a Ukrainian institution that has an identical website to Ersten Group. The earliest grounds successful the dataset contained the email code for Struktura’s main executive, Viktoriia Zosim, for a transaction of $1. 

Representatives for Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not instrumentality a petition for comment.