Techcrunch
A hacktivist has obtained payment records for over 500,000 customers of a stalkerware provider, exposing their email addresses and partial payment details. This incident highlights ongoing security vulnerabilities in surveillance software vendors.
AI 生成摘要
一名駭客活動人士竊取了超過50萬名監控軟體供應商客戶的付款記錄,暴露了他們的電子郵件地址和部分付款詳細資訊。此事件凸顯了監控軟體供應商持續存在的安全漏洞。
Latest
AI
Amazon
Apps
Biotech & Health
Climate
Cloud Computing
Commerce
Crypto
Enterprise
EVs
Fintech
Fundraising
Gadgets
Gaming
Government & Policy
Hardware
Layoffs
Media & Entertainment
Meta
Microsoft
Privacy
Robotics
Security
Social
Space
Startups
TikTok
Transportation
Venture
Staff
Events
Startup Battlefield
StrictlyVC
Newsletters
Podcasts
Videos
Partner Content
TechCrunch Brand Studio
Crunchboard
Contact Us
A hacktivist has scraped more than half-a-million payment records from a provider of consumer-grade “stalkerware” phone surveillance apps, exposing the email addresses and partial payment information of customers who paid to spy on others.
The transactions contain records of payments for phone tracking services like Geofinder and uMobix, as well as services like Peekviewer (formerly Glassagram), which purport to allow access to private Instagram accounts, among several other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.
The customer data also includes transaction records from Xnspy, a known phone surveillance app, which in 2022 spilled the private data from tens of thousands of unsuspecting people’s Android devices and iPhones.
This is the latest example of a surveillance vendor exposing the information of its customers due to security flaws. Over the past few years, dozens of stalkerware apps have been hacked, or have managed to lose, spill, or expose people’s private data — often the victims themselves — thanks to shoddy cybersecurity by the stalkerware operators.
Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data, including their call records, text messages, photos, browsing history, and precise location data, which is then shared with the person who planted the app.
Apps like UMobix and Xnspy have explicitly marketed their services for people to spy on their spouses and domestic partners, which is illegal.
The data, seen by TechCrunch, included about 536,000 lines of customer email addresses, which app or brand the customer paid for, how much they paid, the payment card type (such as Visa or Mastercard), and the last four-digits on the card. The customer records did not include dates of payments.
TechCrunch verified the data was authentic by taking several transaction records containing disposable email addresses with public inboxes, such as Mailinator, and running them through the various password reset portals provided by the various surveillance apps. By resetting the passwords on accounts associated with public email addresses, we determined that these were real accounts.
We also verified the data by matching each transaction’s unique invoice number from the leaked dataset with the surveillance vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve the same customer and transaction data from the server without needing a password.
The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the data from the stalkerware vendor thanks to a “trivial” bug in its website. The hacktivist said they “have fun targeting apps that are used to spy on people,” and subsequently published the scraped data on a known hacking forum.
The hacking forum listing lists the surveillance vendor as Ersten Group, which presents itself as a U.K.-presenting software development startup.
TechCrunch found several email addresses in the dataset used for testing and customer support instead reference Struktura, a Ukrainian company that has an identical website to Ersten Group. The earliest record in the dataset contained the email address for Struktura’s chief executive, Viktoriia Zosim, for a transaction of $1.
Representatives for Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not return a request for comment.
Topics
Security Editor
Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.
He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at [email protected].
Senior Reporter, Cybersecurity
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing [email protected], via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.
Tickets are live at the lowest rates of the year. Save up to $680 on your pass now.Meet investors. Discover your next portfolio company. Hear from 250+ tech leaders, dive into 200+ sessions, and explore 300+ startups building what’s next. Don’t miss these one-time savings.
Senator, who has repeatedly warned about secret US government surveillance, sounds new alarm over ‘CIA activities’
The backlash over OpenAI’s decision to retire GPT-4o shows how dangerous AI companions can be
OpenAI launches new agentic coding model only minutes after Anthropic drops its own
Anthropic releases Opus 4.6 with new ‘agent teams’
Sam Altman got exceptionally testy over Claude Super Bowl ads
Homeland Security is trying to force tech companies to hand over data about Trump critics
Fintech CEO and Forbes 30 Under 30 alum has been charged for alleged fraud
© 2025 TechCrunch Media LLC.