Hacktivist scrapes over 500,000 stalkerware customers’ payment records
A hacktivist has extracted more than half a million payment records from a company that sells consumer-focused "stalkerware" phone surveillance apps, revealing the email addresses and partial payment details of customers who purchased such tools.
The exposed transactions include payments for phone-tracking services such as Geofinder and uMobix, as well as Peekviewer — previously known as Glassagram — which claims to provide access to private Instagram accounts. The records also reference several additional monitoring and tracking applications offered by the same vendor, a Ukrainian firm operating under the name Struktura.
Among the data are transaction records linked to Xnspy, a widely known phone surveillance application that, in 2022, leaked sensitive information belonging to tens of thousands of unsuspecting Android and iPhone users.
This incident adds to a growing list of cases in which surveillance software providers have exposed customer information because of weak security practices. In recent years, numerous stalkerware operations have been breached or have otherwise leaked private data, frequently that of victims whose devices were secretly monitored, because the companies behind these apps maintained poor cybersecurity safeguards.
Stalkerware tools such as uMobix and Xnspy are installed on a target's device without their knowledge. Once embedded, the apps collect and transmit highly sensitive data, including call logs, text messages, photos, browsing histories, and real-time location information. That information is then made accessible to the individual who installed the software.
Some of these services, including uMobix and Xnspy, have openly promoted their products as a way to spy on spouses or domestic partners — conduct that is illegal in many jurisdictions.
The dataset reviewed contained roughly 536,000 entries listing customer email addresses, the specific app or brand purchased, the amount paid, the type of payment card used (e.g., Visa or Mastercard), and the final four digits of the card number. The records did not include transaction dates.
To confirm the dataset's authenticity, several transaction records associated with disposable email accounts with publicly accessible inboxes, such as Mailinator, were tested against password reset systems for the relevant surveillance apps. By initiating password resets for accounts associated with those public email addresses, we confirmed the accounts were active and legitimate.
Further validation was conducted by matching unique invoice numbers from the leaked data to transaction details on the vendor's checkout pages. The checkout system enabled the retrieval of customer and transaction information directly from the server without requiring account login credentials.
The individual responsible for obtaining the data, who uses the alias "wikkid," stated that the records were scraped due to a "trivial" vulnerability in the vendor's website. The hacktivist said they take satisfaction in targeting applications used to spy on people and subsequently posted the harvested data on a well-known hacking forum.
The forum listing identifies the surveillance vendor as Ersten Group, which publicly describes itself as a U.K.-based software development startup.
However, several email addresses in the database, including those used for testing and customer support, are associated with Struktura, a Ukrainian company whose website mirrors Ersten Group's. The earliest entry in the dataset includes an email address associated with Struktura's chief executive, Viktoriia Zosim, tied to a $1 transaction.
Representatives for Ersten Group did not respond to requests for comment. Viktoriia Zosim of Struktura also did not reply to a request for comment.