Feb 15, 2026
A Hacktivist Just Exposed 536,000 People Who Paid to Spy on Someone’s Phone
A hacktivist exploited a trivial bug in a stalkerware vendor's website to scrape over half a million payment records. The exposed data reveals the email addresses, payment details, and surveillance app purchases of people who paid to secretly monitor others.
The Hunters Became the Hunted
On February 9, 2026, a hacktivist operating under the alias "wikkid" published 536,000 lines of scraped payment data from a Ukrainian company called Struktura. The company operates multiple consumer surveillance apps, including the phone tracking services Geofinder and uMobix, and the Instagram monitoring tool Peekviewer (formerly Glassagram).
The hacktivist told TechCrunch they exploited a "trivial" bug in the vendor's website to access a payment processing system. The scraped data includes customer email addresses, which app or brand they purchased, how much they paid, whether they used Visa or Mastercard, and the last four digits of their payment card.
The motivation was blunt. "I have fun targeting apps that are used to spy on people," the hacktivist said. The data was subsequently posted on a known hacking forum for anyone to download.
What Stalkerware Actually Does
Stalkerware is commercial surveillance software designed to be installed on someone's phone without their knowledge. Once running, these apps can silently record text messages, track GPS location, capture screenshots, log keystrokes, and even activate the microphone and camera.
The apps are marketed using euphemisms like "parental monitoring" or "employee oversight." But domestic abuse organizations and cybersecurity researchers have documented their overwhelming use in intimate partner surveillance, stalking, and harassment.
uMobix alone advertises capabilities including real-time location tracking, call and message monitoring, social media surveillance, and browser history logging. Geofinder offers phone-number-based location tracking. Peekviewer promises access to private Instagram accounts.
A Pattern of Catastrophic Security Failures
This breach is not an isolated incident. According to TechCrunch's ongoing tracking, at least 27 stalkerware companies have been hacked, breached, or have leaked data since 2017. The pattern reveals a fundamental irony: companies that sell surveillance tools consistently fail to secure the very data they collect.
The consequences extend far beyond embarrassing the buyers. When stalkerware companies get breached, the victims' data gets exposed too. Location histories, private messages, photos, and keystroke logs from the people being surveilled end up on hacking forums alongside the buyers' payment records.
Previous stalkerware breaches have exposed millions of people. In 2024, the mSpy stalkerware operation leaked 2.4 million customer email addresses. In 2023, the Polish stalkerware app LetMeSpy shut down entirely after hackers stole its database containing years of victims' messages and location data.
Why Stalkerware Companies Keep Getting Hacked
Stalkerware vendors operate in a legal gray area, often from jurisdictions with minimal cybersecurity regulation. They have no incentive to invest in security infrastructure because their business model depends on secrecy, not trust. Their customers cannot publicly complain about breaches without admitting they paid to surveil someone.
This creates a perverse dynamic. The vendors store enormous quantities of sensitive data, including the most intimate details of their targets' lives, with minimal security protections. The "trivial" bug that wikkid exploited at Struktura is characteristic of the industry: basic vulnerabilities that any competent security audit would catch.
Hacktivists and security researchers have increasingly targeted these companies, viewing the exposure of stalkerware operators and their customers as a form of accountability for an industry that enables abuse.
The Legal Landscape
Installing surveillance software on someone's device without their knowledge is illegal in most jurisdictions. In the United States, the Federal Trade Commission has taken action against stalkerware companies under the Computer Fraud and Abuse Act. In 2021, the FTC banned SpyFone from the surveillance industry after it secretly harvested and shared data on people's physical movements, phone use, and online activities.
Despite this, the industry persists. New apps appear as fast as others get shut down, and payment processors continue to facilitate transactions for these services. The 536,000 payment records exposed by wikkid represent just one vendor's customer base over an unknown time period.
What This Means for You
If you suspect stalkerware may be installed on your device, look for unusual battery drain, unexpected data usage, or apps you do not recognize. The Coalition Against Stalkerware (stopstalkerware.org) provides resources for identifying and removing surveillance apps safely.
This breach is a reminder that surveillance tools are inherently risky for everyone involved. The people being monitored lose their privacy. The people doing the monitoring expose themselves to data breaches, legal liability, and public exposure. And the companies building these tools have demonstrated, 27 times and counting, that they cannot be trusted to protect anyone's data.