Spyware developer Bryan Fleming avoids prison despite conviction

The first spyware developer convicted in more than a decade has avoided jail time after previously pleading guilty to U.S. federal charges tied to operating his surveillance business.

Bryan Fleming was sentenced on Friday in a San Diego federal court to time already served, along with a $5,000 fine, according to a spokesperson for the U.S. Attorney for the Southern District of California, which prosecuted the case.

At a plea hearing in January, following a multi-year federal investigation into his spyware company,y pcTattletale, Fleming admitted to developing, marketing, and selling spyware intended for unlawful surveillance.

Prosecutors had earlier requested that the court impose neither a custodial sentence nor a financial penalty.

Fleming's conviction represents the first successful prosecution of a spyware developer by the U.S. Department of Justice since 20. This development could pave the way for future cases targeting similar illegal surveillance operations.

The case was brought in 2025 by investigators from Homeland Security Investigations, a division of U.S. Immigration and Customs Enforcement, as part of a broader effort to investigate the consumer spyware industry. While many spyware providers operate outside the United States, investigators noted that Fleming became a target because he sold and enabled the use of spyware within the U.S., placing him within reach of federal jurisdiction.

Spyware tools such as pcTattletale are often categorised as "stalkerware" because they are frequently used by paying customers to secretly install surveillance software on another person's device without their knowledge or consent, often in personal relationships. Once installed, these applications can covertly collect and upload sensitive data, including messages, photos, and real-time location information, allowing the purchaser to monitor the victim.

According to an affidavit filed by federal investigators seeking to search Fleming's residence, he, in some instances, "knowingly assisted customers seeking to spy on nonconsenting, non-employee adults."

The total number of individuals affected by pcTattletale remains unclear, but in 2024, a data breach revealed part of the operation's scope, which had been running for years.

Earlier reporting found that a security researcher identified a major vulnerability in the software that exposed millions of screenshots captured from victims' devices to the open internet. The spyware had been taking screenshots every few seconds, and the flaw allowed anyone to access and view those images. Among the exposed data were screenshots from check-in systems at several U.S. hotels, which revealed sensitive guest and reservation information.

Fleming did not respond to the researcher's warnings or fix the vulnerability.

Within a week of the exposure being reported, Fleming shut down pcTattletale in 2024 after the company experienced a high-profile cyberattack, website defacement, and data breach. The incident revealed that more than 138,000 customers had paid the company to monitor victims through its spyware tools.

The attacker later stated that they exploited a separate vulnerability that provided access to all files stored in pcTattletale's cloud infrastructure, including data belonging to victims.

It remains unknown how many individuals ultimately had their devices compromised. Fleming did not notify either customers or affected individuals about the breach. At the time, he said he had "deleted everything" from the company's servers following the incident.

pcTattletale is among several stalkerware providers that have shut down or gone offline after security failures, including LetMeSpy, Cocospy, and Spyhide.