Data breach exposes US spyware maker behind Windows, Mac, Android and Chromebook malware

Zack Whittaker
Updated ·4 min read

A little-known spyware maker based in Minnesota has been hacked, TechCrunch has learned, revealing thousands of devices around the world under its stealthy remote surveillance.

A person with knowledge of the breach provided TechCrunch with a cache of files taken from the company's servers containing detailed device activity logs from the phones, tablets, and computers that Spytech monitors, with some of the files dated as recently as early June.

TechCrunch verified the data as authentic in part by analyzing some of the exfiltrated device activity logs that pertain to the company's chief executive, who installed the spyware on one of his own devices.

The data shows that Spytech's spyware — Realtime-Spy and SpyAgent, among others — has been used to compromise more than 10,000 devices since the earliest-dated leaked records from 2013, including Android devices, Chromebooks, Macs, and Windows PCs worldwide.

Spytech is the latest spyware maker in recent years to have itself been compromised, and the fourth spyware maker known to have been hacked this year alone, according to TechCrunch's running tally.

When reached for comment, Spytech chief executive Nathan Polencheck said TechCrunch's email "was the first I have heard of the breach and have not seen the data you have seen so at this time all I can really say is that I am investigating everything and will take the appropriate actions."

Spytech is a maker of remote access apps, often referred to as "stalkerware," which are sold under the guise of allowing parents to monitor their children's activities but are also marketed for spying on the devices of spouses and domestic partners. Spytech's website openly advertises its products for spousal surveillance, promising to "keep tabs on your spouse's suspicious behavior."

While monitoring the activity of children or employees is not illegal, monitoring a device without the owner's consent is unlawful, and spyware operators and spyware customers both have faced prosecution for selling and using spyware.

Stalkerware apps are typically planted by someone with physical access to a person’s device, often with knowledge of their passcode. By nature, these apps can stay hidden from view and are difficult to detect and remove. Once installed, the spyware sends keystrokes and screen taps, web browsing history, device activity usage, and, in the case of Android devices, granular location data to a dashboard controlled by whoever planted the app.

The breached data, seen by TechCrunch, contains logs of all the devices under Spytech's control, including records of each device's activity. Most of the devices compromised by the spyware are Windows PCs, and to a lesser degree Android devices, Macs and Chromebooks.

The device activity logs we have seen were not encrypted.

TechCrunch analyzed the location data derived from the hundreds of compromised Android phones, and plotted the coordinates in an offline mapping tool to preserve the privacy of the victims. The location data provides some idea, though not completely, where at least a proportion of Spytech's victims are located.

A world map showing hundreds of Android devices compromised by Spytech's spyware plotted on a world map, with large clusters in the U.S. and across Europe, and scattered dots throughout the rest of the world.
Hundreds of Android devices compromised by Spytech's spyware plotted on a world map.

Our analysis of the mobile-only data shows Spytech has significant clusters of devices monitored across Europe and the United States, as well as localized devices across Africa, Asia and Australia, and the Middle East.

One of the records associated with Polencheck's administrator account includes the precise geolocation of his house in Red Wing, Minnesota.

While the data contains reams of sensitive data and personal information obtained from the devices of individuals — some of whom will have no idea their devices are being monitored — the data does not contain enough identifiable information about each compromised device for TechCrunch to notify victims of the breach.

When asked by TechCrunch, Spytech's CEO would not say if the company plans to notify its customers, the people whose devices were monitored, or U.S. state authorities as required by data breach notification laws.

A spokesperson for Minnesota's attorney general did not respond to a request for comment.

Spytech dates back to at least 1998. The company operated largely under the radar until 2009, when an Ohio man was convicted of using Spytech's spyware to infect the computer systems of a nearby children's hospital, targeting the email account of his ex-partner who worked there.

Local news media reported at the time, and TechCrunch verified from court records, that the spyware infected the children hospital's systems as soon as his ex-partner opened the attached spyware, which prosecutors say collected sensitive health information. The person who sent the spyware pleaded guilty to the illegal interception of electronic communications.

Spytech is the second U.S.-based spyware maker in recent months to have experienced a data breach. In May, Michigan-based pcTattletale was hacked and its website defaced, and the company subsequently shut down and deleted his company's banks of victim's device data rather than notify affected individuals.

Data breach notification service Have I Been Pwned later obtained a copy of the breached data and listed 138,000 customers as having signed up for the service.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.