A massive data breach reveals the identities of half a million people who paid to secretly monitor others—proving that those who spy on others often end up exposing themselves.

In one of the largest stalkerware data exposures ever recorded, a hacktivist has scraped more than 536,000 payment records from a major provider of consumer-grade phone surveillance apps, exposing the email addresses and partial payment information of customers who paid to spy on their partners, family members, and others.

The breach, reported by TechCrunch on February 9, 2026, isn’t just another data leak—it’s a stark reminder that the surveillance industry’s poor security practices put everyone at risk, including the very people who choose to use these invasive tools. When you pay to spy on someone, you’re trusting companies with notoriously bad cybersecurity practices to protect your identity. As this breach demonstrates, that’s a bet you’ll almost certainly lose.

What Is Stalkerware and How Does It Work?

Stalkerware—also known as spouseware or commercially available spyware—refers to software applications designed to secretly monitor another person’s smartphone or device without their knowledge or consent. Unlike legitimate parental monitoring tools that operate transparently, stalkerware is specifically designed to remain hidden from the device owner while transmitting their private data to whoever installed the app.

These applications are marketed, often explicitly, to jealous partners and spouses who want to “catch cheating” or monitor their significant other’s activities. Once installed on a target’s phone—which typically requires brief physical access to the device—stalkerware can capture:

  • Text messages and chat app conversations (including WhatsApp, Signal, Telegram)
  • Call logs and recordings of phone conversations
  • Real-time GPS location tracking, often with historical location data
  • Photos and videos stored on the device
  • Browsing history and bookmarks
  • Social media activity including private messages
  • Keystrokes capturing passwords and private communications
  • Email content both sent and received
  • Calendar entries and contacts

The apps run silently in the background, uploading this harvested data to servers where the person who installed the stalkerware can access it through a web dashboard or companion app. Many of these services cost between $30 and $100 per month—a price that half a million people were apparently willing to pay to invade someone else’s privacy.

The February 2026 Breach: What Happened

The latest breach targeted Struktura, a Ukrainian company operating under the U.K.-presenting front “Ersten Group.” According to TechCrunch’s investigation, the company provides infrastructure for multiple phone-tracking services, including:

  • uMobix – A popular stalkerware app explicitly marketed for monitoring partners
  • Geofinder – A phone location tracking service
  • Peekviewer (formerly Glassagram) – A service claiming to provide access to private Instagram accounts
  • Xnspy – A known surveillance app that previously suffered its own data exposure in 2022

A hacktivist going by the moniker “wikkid” exploited what they described as a “trivial” security bug in the vendor’s website to scrape payment records dating back years. The exposed data includes approximately 536,000 lines containing:

  • Customer email addresses
  • Which surveillance app or brand they paid for
  • Payment amounts
  • Payment card types (Visa, Mastercard, etc.)
  • Last four digits of payment cards
  • Unique invoice numbers

TechCrunch verified the authenticity of the data through multiple methods, including using disposable email addresses from the dataset to trigger password resets on the surveillance apps’ portals, confirming these were real customer accounts.

The hacktivist subsequently published the scraped data on a known hacking forum, making it accessible to anyone who wants to look up whether someone they know paid for these services.

The Stalkerware Industry’s Catastrophic Security Track Record

This latest breach is far from an isolated incident. According to TechCrunch’s ongoing tally, at least 27 stalkerware companies since 2017 have been hacked or have leaked customer and victim data online. At least four of these companies were breached multiple times.

The list of compromised stalkerware providers reads like a hall of shame:

Hacked outright:

  • Retina-X (2017, 2018) – Hackers wiped their servers twice before they finally shut down
  • FlexiSpy (2017) – 130,000 customers exposed
  • SpyHuman (2018) – Text messages and call metadata stolen
  • Copy9 – Full victim data including messages, WhatsApp conversations, call recordings, and photos
  • LetMeSpy (2023) – Hackers breached and wiped servers; company shut down
  • WebDetetive (2023) – Brazilian company had servers deleted, then was hacked again
  • Spyhide (2023) – A code vulnerability exposed years of data from 60,000 victims
  • TheTruthSpy – Holds the record for being hacked on at least three separate occasions
  • pcTattletale (2024) – Hacked, data leaked, website defaced; founder later pled guilty to criminal charges
  • mSpy (2024) – Millions of customer support tickets exposed, affecting millions of customers
  • Spytech (2024) – Activity logs from monitored devices exposed
  • SpyX (2025) – Nearly 2 million users affected, including thousands of Apple device owners
  • Catwatchful (2025) – 26,000+ victims’ phone data exposed, along with customer emails and plaintext passwords

Exposed through negligence:

  • SpyFone (2018) – Left an Amazon S3 bucket completely unprotected online
  • FamilyOrbit – 281 GB of personal data left online protected by an easily guessed password
  • mSpy (2018) – Leaked over 2 million customer records
  • Xnore – Any customer could view other customers’ targets’ private data
  • MobiiSpy – Left 25,000 audio recordings and 95,000 images accessible to anyone
  • KidsGuard (2020) – Misconfigured server leaked victims’ content
  • Cocospy, Spyic, Spyzie (2025) – A security researcher discovered a bug exposing messages, photos, call logs, and customer email addresses for millions of users

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading stalkerware researcher, summarized it bluntly: “The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product.”

The Ironic Privacy Implications: Stalkers Become the Stalked

The February 2026 breach creates a deeply ironic situation: people who paid to violate others’ privacy have now had their own privacy violated. Their email addresses—often personal accounts—are now searchable by anyone, potentially including:

  • The very partners they were spying on, who might discover the betrayal through the leaked database
  • Family members, friends, and colleagues who may stumble upon their name
  • Employers who might take a dim view of such behavior
  • Law enforcement who now have a ready-made list of potential Computer Fraud and Abuse Act violators
  • Hackers and scammers who specialize in blackmail and extortion

But the privacy implications extend even further. These stalkerware apps routinely collect incredibly sensitive data from victims—and that data is only as secure as the apps collecting it. When Cocospy, Spyic, and Spyzie were found to have a vulnerability in 2025, it wasn’t just customer emails at risk—it was the complete contents of millions of victims’ phones sitting exposed on the internet.

Consider the dual victimization: an intimate partner secretly installs stalkerware on your phone. Your private messages, photos, location history, and call logs are uploaded to some company’s server. Then that company gets hacked, and now your most intimate data isn’t just in your abuser’s hands—it’s potentially in the hands of anyone on the internet.

This is the fundamental truth about the stalkerware industry: it creates two victims—the person being monitored and, ultimately, the person who paid for the monitoring.

Why Using Stalkerware Is Dangerous for the Installer

Beyond the moral and ethical issues, there are concrete reasons why installing stalkerware on someone’s device is a terrible idea—even from a purely self-interested perspective:

1. Your Identity Will Likely Be Exposed

With 27+ stalkerware companies breached in recent years, the odds that your payment information and identity remain private are approaching zero. These companies have demonstrated repeatedly that they cannot protect their customer data.

2. You’re Providing Evidence Against Yourself

Every payment record, login, and dashboard access creates a digital trail. When these companies get breached, that trail becomes public evidence of potentially criminal behavior.

3. You’re Trusting the Wrong People

Companies willing to profit from facilitating surveillance and domestic abuse are not companies that prioritize ethics, security, or customer welfare. Their entire business model is built on enabling violations of privacy and, often, the law.

4. The Data Goes Both Ways

While you’re monitoring your target, the stalkerware company is collecting data on both of you. They know your email, your payment information, your IP addresses, and exactly how you’re using their service. That’s leverage they hold over you.

As we’ll discuss below, law enforcement is increasingly prosecuting stalkerware users, not just vendors. That payment record could become Exhibit A in your own criminal case.

How to Detect Stalkerware on Your Device

If you’re concerned that stalkerware may have been installed on your phone, here are the warning signs and detection methods for both Android and iOS devices:

Warning Signs

Before diving into technical detection, be aware that the most common sign of stalkerware isn’t technical at all—it’s behavioral. According to the Coalition Against Stalkerware, abusers often reveal through their behavior that they have unusual knowledge of your activities. If your partner or someone else seems to know things they shouldn’t—where you’ve been, who you’ve talked to, what you’ve discussed in private messages—that’s a major red flag.

Technical indicators may include:

  • Unusual battery drain – Stalkerware runs constantly in the background
  • Increased data usage – Your private data is being uploaded to remote servers
  • Phone running warm even when not in use
  • Slower performance than normal
  • Strange notifications or apps you don’t recognize

However, sophisticated stalkerware can operate without these obvious signs.

Android Detection Steps

  1. Check installed apps: Go to Settings > Apps and look for anything you don’t recognize. Stalkerware often uses generic or misleading names like “System Service” or “Phone Backup.”
  2. Review accessibility permissions: Go to Settings > Accessibility. Stalkerware often exploits accessibility features to capture screen content and keystrokes. If you don’t use accessibility features, nothing should be listed here.
  3. Check device admin apps: Go to Settings > Security > Device admin apps. Personal phones rarely need device admin apps—if you see something here you didn’t install, it’s suspicious.
  4. Review notification access: Check Settings > Apps > Special app access > Notification access. Stalkerware uses this to intercept your messages and alerts.
  5. Use security scanning apps: Malwarebytes for Android and other reputable security apps can detect known stalkerware. The apps will be labeled as “Android/Spyware” or “Android/Monitor.”
  6. Check for unknown sources: Look in Settings > Security to see if “Install unknown apps” is enabled for any apps. This is how stalkerware gets installed outside the Play Store.
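For an advocate or technician helping someone work through steps 2, 4 and 6 over a USB connection, the same three checks can be cross-referenced in one pass. The following is an added example, not part of the original article: it parses text shaped like the output of three standard adb commands and ranks apps that combine accessibility access, notification access and a non-store install. The package names and sample values are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
import re

# Constructed sample values (not from a real device), shaped like the output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -i -3
SAMPLE_A11Y = "com.example.screenreader/.ReaderService:com.example.sysservice/.CoreService"
SAMPLE_NOTIF = "com.example.sysservice/.NotifyListener:com.example.watchapp/.Listener"
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.sysservice  installer=null
package:com.example.watchapp  installer=com.android.vending
package:com.example.game  installer=null
"""
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def components_to_packages(value):
    """Split a colon-separated ComponentName list into package names."""
    if not value or value.strip() == "null":
        return set()
    return {c.split("/", 1)[0].strip() for c in value.split(":") if c.strip()}

def parse_installers(listing):
    """Map package -> installer from `pm list packages -i` style lines."""
    found = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)$", line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def review(accessibility, notification, listing):
    """Return {package: [reasons]} for apps holding sensitive access."""
    a11y = components_to_packages(accessibility)
    notif = components_to_packages(notification)
    installers = parse_installers(listing)
    report = {}
    for pkg in sorted(a11y | notif):
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg in notif:
            reasons.append("notification access granted")
        # Only third-party packages appear in the listing; system apps are skipped here.
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            reasons.append("installed outside a trusted store")
        report[pkg] = reasons
    # Packages with the most reasons come first.
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for pkg, reasons in review(SAMPLE_A11Y, SAMPLE_NOTIF, SAMPLE_PACKAGES).items():
        print(f"{pkg}: {'; '.join(reasons)}")
```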

iOS Detection Steps

  1. Check for jailbreaking: Most iOS stalkerware requires a jailbroken phone. Look for apps like Cydia or Sileo that indicate jailbreaking.
  2. Review all apps: Go to Settings > General > iPhone Storage and scroll through all installed apps. Hidden apps won’t appear on your home screen but will show here.
  3. Use Safety Check (iOS 16+): Go to Settings > Privacy & Security > Safety Check. This feature lets you:
      • See who you’re sharing information with
      • Manage devices connected to your Apple ID
      • Reset system privacy permissions
      • Review and revoke location sharing
  4. Check configuration profiles: Go to Settings > General > VPN & Device Management. Stalkerware may install configuration profiles to monitor your device. If you see profiles you didn’t install, remove them.
  5. Review Family Sharing: Check Settings > [Your Name] > Family Sharing. Abusers sometimes use legitimate features like location sharing or shared accounts for monitoring.
  6. Examine iCloud settings: Someone with your Apple ID credentials can track you through Find My, access your iCloud backups, read your iMessages, and more. Consider whether anyone else has access to your Apple ID.

Critical Safety Warning

Before removing stalkerware, create a safety plan. Deleting monitoring apps or changing permissions will likely alert the person who installed them. This can escalate abuse situations. Contact a domestic violence organization before taking action if you believe you’re in danger.

Installing stalkerware on someone’s device without their knowledge or consent is illegal in most jurisdictions, regardless of your relationship to them. Here are the potential legal consequences:

Federal Laws (United States)

Computer Fraud and Abuse Act (CFAA): Accessing a computer or device without authorization, or exceeding authorized access, is a federal crime. Installing stalkerware on someone else’s phone clearly qualifies. Penalties can include:

  • Up to 5 years in prison for first offenses
  • Up to 10 years for repeat offenders
  • Civil liability for damages

Federal Wiretap Act (18 U.S.C. § 2511): Intercepting electronic communications without consent is a federal crime punishable by up to 5 years in prison.

Stored Communications Act: Unauthorized access to stored electronic communications (like emails and messages) is also federally prohibited.

Recent Prosecutions

The pcTattletale case demonstrates that law enforcement is increasingly willing to prosecute. In January 2026, founder Bryan Fleming pled guilty to:

  • Computer hacking
  • Sale and advertising of surveillance software for unlawful uses
  • Conspiracy

The Federal Trade Commission has also taken action, banning SpyFone and its CEO Scott Zuckerman from the surveillance industry entirely following a security lapse that exposed victims’ data.

In 2024, New York’s attorney general forced PhoneSpector and Highster to shut down after accusing them of explicitly encouraging customers to use their software for illegal surveillance.

State Laws

Many states have additional laws criminalizing:

  • Stalking and cyberstalking
  • Unauthorized computer access
  • Invasion of privacy
  • Harassment

Depending on your state, installing stalkerware could result in felony charges carrying years in prison.

Civil Liability

Beyond criminal penalties, stalkerware users can face civil lawsuits from their victims for:

  • Invasion of privacy
  • Intentional infliction of emotional distress
  • Violations of state privacy statutes
  • Damages resulting from the surveillance

The breach of stalkerware companies provides victims with evidence they might not otherwise have had—a list of people who paid to spy on others.

Resources for Domestic Violence Victims

If you are experiencing domestic abuse, intimate partner violence, or technology-facilitated abuse, help is available:

Crisis Hotlines

  • National Domestic Violence Hotline: 1-800-799-7233 (1-800-799-SAFE)
      • Available 24/7, confidential, multilingual
      • Also available via online chat at thehotline.org
  • Crisis Text Line: Text HOME to 741741
  • National Sexual Assault Hotline: 1-800-656-4673

Technology Safety Resources

  • Coalition Against Stalkerware: stopstalkerware.org
      • Information about stalkerware detection
      • Resources for survivors
      • Country-specific assistance organizations
  • Safety Net Project (NNEDV): techsafety.org
      • Focus on technology and intimate partner violence
      • Survivor resources and toolkits
      • Information for advocates
  • Clinic to End Tech Abuse (Cornell University): ceta.tech.cornell.edu
      • Detailed guides for securing devices
      • Resources for identifying and removing stalkerware
      • Materials for support workers and technologists
  • WomensLaw.org
      • Legal information (serves all genders, not just women)
      • Email hotline for legal questions about domestic violence

Important Safety Considerations

  • Access resources from a safe device that isn’t being monitored
  • Create a safety plan before changing passwords or removing apps
  • Document evidence if you plan to involve law enforcement
  • Contact an advocate who can help you navigate your specific situation safely

Conclusion: The Watchers Cannot Escape Being Watched

The exposure of 536,000 stalkerware customers is more than a data breach—it’s a case study in ironic justice. People who paid to secretly monitor others are now the ones being exposed, their identities searchable by anyone with internet access.

But beyond the schadenfreude, this breach carries serious lessons:

For potential stalkerware users: The industry’s security is catastrophically poor. Your identity will almost certainly be exposed, creating evidence of potentially criminal behavior that could result in prosecution, civil liability, and the destruction of your relationships and reputation.

For potential victims: These tools exist, and they’re being used on millions of people. Learn the warning signs, use the detection methods described above, and know that resources are available to help you.

For everyone else: This industry thrives because people buy these products. Every breach exposes the human cost—not just in abstract privacy violations, but in real domestic abuse enabled by surveillance technology. Supporting legislative efforts to ban stalkerware and holding app stores accountable for distributing these apps matters.

As Eva Galperin of the EFF has noted, stalkerware companies are “soft targets” run by unscrupulous operators who don’t care about the quality of their products or the security of their customers. This latest breach proves her point emphatically.

Those who choose to spy on others have learned—or will soon learn—a valuable lesson: in the world of stalkerware, everyone eventually becomes a victim.


If you believe stalkerware is installed on your device, please contact the National Domestic Violence Hotline at 1-800-799-7233 or visit stopstalkerware.org for assistance before taking any action that might alert your abuser.