TechCrunch has learned that Spytech, a little-known spyware maker based in Minnesota, has been hacked, exposing sensitive data from thousands of devices worldwide.
The breach has unveiled the covert surveillance activities of the company, which has compromised over 10,000 devices since 2013, including Android devices, Chromebooks, Macs, and Windows PCs.
A person with knowledge of the breach provided TechCrunch with a cache of files taken from Spytech’s servers, containing detailed device activity logs from phones, tablets, and computers monitored by Spytech’s software. Some of the files were dated as recently as early June.
TechCrunch verified the authenticity of the data by analyzing some of the exfiltrated device activity logs, including those related to the company’s chief executive, Nathan Polencheck, who had installed the spyware on one of his own devices.
Spytech’s Stealthy Surveillance Exposed
Spytech’s spyware products, such as Realtime-Spy and SpyAgent, are marketed as allowing parents to monitor their children’s activities. However, they are also advertised for spousal surveillance, promising to “keep tabs on your spouse’s suspicious behavior.”
While monitoring the activity of children or employees is not illegal, tracking a device without the owner’s consent is unlawful. Both spyware operators and customers have faced prosecution for selling and using such software.
Stalkerware apps like those from Spytech are typically planted by someone with physical access to a person’s device, often with knowledge of their passcode. These apps can stay hidden from view and are difficult to detect and remove.
Once installed, the spyware sends keystrokes, screen taps, web browsing history, device activity usage, and, in the case of Android devices, granular location data to a dashboard controlled by whoever planted the app.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
The breached data contains logs of all the devices under Spytech’s control, including records of each device’s activity. Most compromised devices are Windows PCs, followed by Android devices, Macs, and Chromebooks.
Notably, the device activity logs were not encrypted, raising further concerns about data security practices at Spytech.
Global Reach of the Breach
TechCrunch’s analysis of the location data derived from the hundreds of compromised Android phones shows significant clusters of devices monitored across Europe and the United States, with localized devices in Africa, Asia, Australia, and the Middle East.
One of the records associated with Polencheck’s administrator account includes the precise geolocation of his house in Red Wing, Minnesota.
While the data contains reams of sensitive information obtained from individuals’ devices, it does not contain enough identifiable information about each compromised device to notify victims of the breach.
When asked by TechCrunch, Spytech’s CEO did not confirm whether the company plans to notify its customers, the people whose devices were monitored, or U.S. state authorities as required by data breach notification laws. A Minnesota attorney general spokesperson did not respond to a request for comment.
A Troubling Trend in the Spyware Industry
According to TechCrunch’s running tally, Spytech is the latest spyware maker to be compromised and the fourth known to have been hacked this year alone.
In May, Michigan-based pcTattletale was hacked, leading to its website’s defacement and the company’s subsequent shutdown.
The breached data from pcTattletale was later listed by the data breach notification service Have I Been Pwned, which reported 138,000 customers as having signed up for the service.
Spytech’s history dates back to at least 1998. It operated largely under the radar until 2009 when an Ohio man was convicted of using Spytech’s spyware to infect the computer systems of a nearby children’s hospital.
The spyware collected sensitive health information, leading to the perpetrator’s guilty plea for the illegal interception of electronic communications.
As the spyware industry faces increased scrutiny and legal challenges, the recent breach at Spytech underscores the urgent need for more robust data security measures and regulatory oversight to protect individuals’ privacy and prevent misuse of surveillance technology.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo