Digital Karma: Hacktivist Exposes 500,000 Stalkerware Customers
In a twist of poetic justice, a hacktivist has turned the tables on surveillance vendors by scraping half a million payment records from companies that profit from helping people spy on their partners and loved ones.
The Core Insight
A hacktivist going by “wikkid” exploited what they described as a “trivial” bug to extract 536,000 customer payment records from Struktura, a Ukrainian company operating multiple consumer surveillance apps including Geofinder, uMobix, Peekviewer (for spying on private Instagram accounts), and the notorious Xnspy—which had already leaked private data from tens of thousands of victims in 2022.
The exposed data includes customer email addresses, the specific surveillance app they purchased, payment amounts, card types, and partial card numbers. The hacktivist published the data on a known hacking forum, explaining they “have fun targeting apps that are used to spy on people.”
Why This Matters
This breach continues an embarrassing pattern for the stalkerware industry. Over the past few years, dozens of stalkerware apps have been hacked or have managed to leak, spill, or expose private data. The irony is thick: companies that market tools to violate others’ privacy consistently demonstrate terrible cybersecurity practices themselves.
The implications extend beyond immediate privacy concerns:
For stalkerware customers: The exposure creates documentation of intent. These apps are explicitly marketed for spying on spouses and domestic partners—which is illegal. Having your email associated with such purchases creates a permanent record of potentially criminal behavior.
For the surveillance industry: Each breach erodes the false sense of security these vendors promise their customers. If you can’t trust them to protect your data, why trust them with your target’s data?
For the broader ecosystem: The breach reveals Struktura operates multiple surveillance brands through a U.K.-presenting front company (Ersten Group), demonstrating how surveillance vendors obscure their operations across jurisdictions.
Key Takeaways
Stalkerware vendors are repeatedly proving themselves incompetent at security—the very expertise they should excel at given their business model.
The verification methodology is instructive: TechCrunch confirmed the data’s authenticity by using disposable email addresses found in the dataset to trigger password resets on the surveillance platforms.
Infrastructure obscurity is common: A Ukrainian company (Struktura) operates behind a U.K.-facing entity (Ersten Group), complicating accountability.
The leak exposed transaction details but not dates, making it harder to determine the timeframe of exposure.
Marketplace trust is fragile: When your product requires customers to trust you with intimate surveillance data, repeated security failures are existentially threatening.
Looking Ahead
The stalkerware industry exists in an uncomfortable legal and ethical gray zone. While explicitly illegal when used for domestic surveillance, these apps continue to operate openly. Each data breach creates both accountability (exposing customers) and liability (for vendors).
We’re seeing a pattern emerge: hacktivists and security researchers are increasingly treating surveillance vendors as legitimate targets. Unlike attacks on critical infrastructure or innocent companies, exposing stalkerware operations carries a certain moral clarity that attracts attention from those with the skills to do it.
For anyone considering using such services: your payment data, email, and purchasing history are only as secure as the vendor’s weakest security practice—and this industry has repeatedly demonstrated that’s not very secure at all.
The surveillance business model depends on asymmetric information advantage. Breaches like this flip that asymmetry, exposing the watchers to the watched.
Based on analysis of TechCrunch reporting on the Struktura/stalkerware breach