The Watchers Unmasked: Massive Leak Exposes 500,000 Users of “Stalkerware” Spy Apps
An anonymous hacktivist has disseminated over half a million payment records belonging to users of stalkerware applications. These services, which facilitate the illicit surveillance of third-party devices and accounts, have had their databases compromised, exposing client email addresses and fragmentary credit card information.
The leak encompasses approximately 536,000 transaction rows associated with applications such as Geofinder, uMobix, and Peekviewer (formerly known as Glassagram). These platforms offer surreptitious access to private correspondence, geographical telemetry, and restricted social media profiles. All affected products originate from a single source, identified through investigative efforts as Ersten Group, which maintains ties to a sister entity, Struktura, featuring a nearly identical digital storefront.
The exfiltrated records include the purchasers’ email addresses, the specific service acquired, transaction totals, card types, and the last four digits of the card numbers. Although transaction timestamps are absent, researchers have verified the dataset’s authenticity by cross-referencing email addresses with open mailboxes and initiating password recovery protocols on the respective platforms. Furthermore, account identifiers within the leak mirrored data exposed by a server-side vulnerability on the services’ checkout pages.
The repository also contained transaction telemetry for Xnspy, a notorious utility for clandestine mobile monitoring. This specific application previously suffered a monumental data breach in 2022, compromising information from both Android and iPhone devices.
The activist, operating under the pseudonym wikkid, asserted that the data was harvested by exploiting a rudimentary vulnerability within the provider’s web infrastructure. He explicitly declared a strategic intent to target services that facilitate the stalking of individuals. The resulting database was published on a prominent adversarial forum.
Upon installation, such software transmits call logs, messages, photographs, browsing histories, and precise GPS coordinates to the person covertly controlling it. Many of these services overtly market their capabilities for monitoring spouses and domestic partners, an act that constitutes a violation of privacy statutes in numerous jurisdictions.