Investigative journalist Maia Arson Crimew disclosed in a recent blog post that in February 2024 she received a significant tip-off: an exposed reporting utility containing the complete purchase histories of users across three surveillance platforms—SpyX, MSafely, and SpyPhone. Although the data sat unexamined for nearly two years, it was revisited during a separate investigation into an unrelated breach. That second look revealed that these seemingly small services are the front of a far larger industrial operation.
It appears that operators of stalkerware frequently sign up to their competitors' services to conduct market research or to lift working code outright. The discovery of a SpyX email address in the support database of a rival service provided a logical starting point. Support records showed that an individual associated with SpyX had bought a subscription, demanded a refund, and then disputed the charge by alleging credit card fraud. In retaliation, the rival firm handed the payment processor a comprehensive dossier which, despite partial redaction, preserved the cardholder's name and bank. These breadcrumbs made it possible to identify the actual people behind the facade.
The contact details for SpyX pointed to entities incorporated in Hong Kong and the United Kingdom, both operating under the Gbyte Technology brand. British corporate registries listed Xiunde Cheng as a director. Cross-referencing the firm's Chinese name led to the Gbyte corporate website and its profile on the recruitment platform BOSS Zhipin, which featured photographs of their Shenzhen office, including a panoramic interior view.
These sources revealed that Gbyte was established in 2022 with a strategic focus on international markets, marketing tools for mobile forensics. The company harbored ambitions of an IPO within a decade and boasted that half of its staff were dedicated to research and development, often in collaboration with academic institutions.
Subsequently, the investigators retrieved not only user orders but also complete account databases, victim telemetry, and even plaintext credentials, including iCloud and Google passwords. Security measures were virtually non-existent: no authentication was enforced, so anyone who knew the relevant API endpoints could query them. Furthermore, a critical flaw granted unrestricted access to the stalkerware's administrative console.
Such breaches frequently unmask the architects of the espionage services themselves. The datasets contained email addresses linked to Xiunde Cheng, whose profile was reconstructed through open-source intelligence (OSINT). Cheng, who also uses the pseudonym Joen Chen, was born in 1988, lives in Shenzhen, and holds a degree in computer science from Beijing Jiaotong University. Before founding Gbyte, he served as a chief security architect at Wondershare, specializing in the reverse engineering of mobile platforms—the very foundation upon which SpyX was built.
During his tenure at Wondershare, Cheng devised methods to circumvent the security protocols of iCloud and Google, gaining access to synchronized cloud data using only the user’s credentials. These techniques are employed by SpyX for remote surveillance of iOS and Android devices. Remarkably, the service remains capable of infiltrating accounts protected by two-factor authentication (2FA)—a capability that eludes most contemporary competitors.
A further single point of failure is that Gbyte's services permit registration via Google accounts, a method used by approximately 60% of their user base. Should Google terminate this integration, the services would instantly lose a large share of their audience.
Data suggests Gbyte employs at least twenty individuals, yet cumulative revenue from stalkerware is estimated at a mere $500,000—a sum insufficient to sustain an enterprise of such magnitude, hinting at alternative revenue streams. Indeed, the administrative panel revealed an exposed GitHub API key, granting access to source code for a diverse portfolio of projects, including GPS spoofing apps, MMO character leveling services, an Elden Ring in-game currency store, AI-driven copywriting tools, and mobile data recovery utilities. Collectively, Gbyte’s stalkerware services claim approximately 1.5 million registered users.
While the specific code governing access to Apple and Google cloud data remained outside the scope of the leak, the accessible fragments were riddled with vulnerabilities. Order details, user profiles, and device telemetry—including plaintext passwords and real-time locations—were exposed for numerous services.
Prior to the publication of these findings, Gbyte and Xiunde Cheng were notified of these systemic failures but chose neither to respond nor to remediate the vulnerabilities. Portions of this data have already entered the Have I Been Pwned database, and updated datasets are being channeled to Apple, Google, and vetted researchers.