US spyware maker Spytech's data breach exposes surveillance of over 10,000 devices globally
"Data breach exposes US spyware maker behind Windows, Mac, Android and Chromebook malware", 25 July 2024
A little-known spyware maker based in Minnesota has been hacked, TechCrunch has learned, revealing thousands of devices around the world under its stealthy remote surveillance.
A person with knowledge of the breach provided TechCrunch with a cache of files taken from the company’s servers containing detailed device activity logs from the phones, tablets, and computers that Spytech monitors, with some of the files dated as recently as early June.
TechCrunch verified the data as authentic in part by analyzing some of the exfiltrated device activity logs that pertain to the company’s chief executive, who installed the spyware on one of his own devices.
The data shows that Spytech’s spyware — Realtime-Spy and SpyAgent, among others — has been used to compromise more than 10,000 devices since the earliest-dated leaked records from 2013, including Android devices, Chromebooks, Macs, and Windows PCs worldwide.
Spytech is the latest spyware maker in recent years to have itself been compromised, and the fourth spyware maker known to have been hacked this year alone, according to TechCrunch’s running tally.
When reached for comment, Spytech chief executive Nathan Polencheck said TechCrunch’s email “was the first I have heard of the breach and have not seen the data you have seen so at this time all I can really say is that I am investigating everything and will take the appropriate actions.”
Spytech is a maker of remote access apps, often referred to as “stalkerware,” which are sold under the guise of allowing parents to monitor their children’s activities but are also marketed for spying on the devices of spouses and domestic partners.
While monitoring the activity of children or employees is not illegal, monitoring a device without the owner’s consent is unlawful, and spyware operators and spyware customers both have faced prosecution for selling and using spyware.
The breached data, seen by TechCrunch, contains logs of all the devices under Spytech’s control, including records of each device’s activity. Most of the devices compromised by the spyware are Windows PCs, and to a lesser degree Android devices, Macs and Chromebooks.
The device activity logs we have seen were not encrypted.
Our analysis of the mobile-only data shows Spytech has significant clusters of devices monitored across Europe and the United States, as well as localized devices across Africa, Asia and Australia, and the Middle East.
One of the records associated with Polencheck’s administrator account includes the precise geolocation of his house in Red Wing, Minnesota.
While the data contains reams of sensitive data and personal information obtained from the devices of individuals — some of whom will have no idea their devices are being monitored — the data does not contain enough identifiable information about each compromised device for TechCrunch to notify victims of the breach.
When asked by TechCrunch, Spytech’s CEO would not say if the company plans to notify its customers, the people whose devices were monitored, or U.S. state authorities as required by data breach notification laws.
A spokesperson for Minnesota’s attorney general did not respond to a request for comment.