A hacktivist has scraped more than half-a-million payment records from a provider of consumer-grade “stalkerware” phone surveillance apps, exposing the email addresses and partial payment information of customers who paid to spy on others. 

The transactions contain records of payments for phone-tracking services like Geofinder and uMobix, as well as services like Peekviewer (formerly Glassagram), which purport to allow access to private Instagram accounts, among several other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.

The customer data also includes transaction records from Xnspy, a known phone surveillance app, which in 2022 spilled the private data from tens of thousands of unsuspecting people’s Android devices and iPhones. 

This is the latest example of a surveillance vendor exposing the information of its customers due to security flaws. Over the past few years, dozens of stalkerware apps have been hacked, or have managed to lose, spill, or expose people’s private data — often the victims themselves — thanks to shoddy cybersecurity by the stalkerware operators.

Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data, including their call records, text messages, photos, browsing history, and precise location data, which is then shared with the person who planted the app.

Apps like uMobix and Xnspy have explicitly marketed their services for people to spy on their spouses and domestic partners, which is illegal.

The data, seen by TechCrunch, included about 536,000 lines of customer email addresses, which app or brand the customer paid for, how much they paid, the payment card type (such as Visa or Mastercard), and the last four digits on the card. The customer records did not include dates of payments. 

TechCrunch verified the data was authentic by taking several transaction records containing disposable email addresses with public inboxes, such as Mailinator, and running them through the various password reset portals provided by the various surveillance apps. By resetting the passwords on accounts associated with public email addresses, we determined that these were real accounts.

We also verified the data by matching each transaction’s unique invoice number from the leaked dataset with the surveillance vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve the same customer and transaction data from the server without needing a password.

The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the data from the stalkerware vendor thanks to a “trivial” bug in its website. The hacktivist said they “have fun targeting apps that are used to spy on people,” and subsequently published the scraped data on a known hacking forum.

The hacking forum listing lists the surveillance vendor as Ersten Group, which presents itself as a U.K.-presenting software development startup. 

TechCrunch found several email addresses in the dataset used for testing and customer support instead reference Struktura, a Ukrainian company that has an identical website to Ersten Group. The earliest record in the dataset contained the email address for Struktura’s chief executive, Viktoriia Zosim, for a transaction of $1. 

Representatives for Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not return a request for comment.