A hacktivist just turned the tables on half a million people who paid to spy on others. More than 536,000 payment records from customers of phone surveillance apps like uMobix, Xnspy, and Geofinder hit the open web this week, exposing email addresses and partial card numbers of people who bought access to stalk spouses, partners, and family members. The breach highlights how stalkerware vendors, companies that profit from illegal surveillance, can't even secure their own customer data.
The surveillance industry just got surveilled. A hacktivist going by 'wikkid' published more than 536,000 customer payment records from a network of stalkerware apps, exposing the people who paid to spy on others through phone tracking and social media monitoring services.
The leaked data comes from Struktura, a Ukrainian company operating behind the U.K.-facing brand Ersten Group. The company runs a portfolio of surveillance products including uMobix and Geofinder for phone tracking, Peekviewer for accessing private Instagram accounts, and Xnspy, a notorious stalkerware app that already spilled data from tens of thousands of victims' phones back in 2022.
The hacktivist, who spoke with TechCrunch, said they exploited a 'trivial' bug in the vendor's website to scrape the entire customer database. "I have fun targeting apps that are used to spy on people," wikkid told reporters before dumping the data on a known hacking forum.
The exposed records contain customer email addresses, which specific surveillance app they purchased, payment amounts, card types like Visa or Mastercard, and the last four digits of payment cards. While the dataset doesn't include transaction dates, it represents years of customer activity from people who paid to secretly monitor others' phones and social media accounts.
TechCrunch verified the authenticity of the breach through multiple methods. Reporters tested disposable email addresses from the dataset using public inbox services like Mailinator, then ran them through password reset portals for the various surveillance apps. All tested accounts were real and active.










