Over 500,000 Stalkerware Customers Just Got Exposed Due to a “Trivial” Bug
The stalkerware industry has been operating in the shadows for years, selling phone surveillance apps that let people spy on their partners or employees. That’s not how they market their product, sure, but the fact is that these companies make most of their millions helping customers violate privacy and break wiretapping laws. Now, one of them just learned what it feels like to have your private data exposed without consent.
A hacktivist going by "wikkid" scraped and published over 536,000 customer payment records from Struktura, a company behind surveillance apps like uMobix, Xnspy, Geofinder, and Peekviewer. Emails, transaction amounts, card types, and the last four digits of payment cards all got dumped online. The whole thing happened because of a "trivial" bug in the vendor's website.
An entire industry built on secrecy just proved it can't protect its own secrets.
How a "Trivial" Bug Exposed Half a Million Spies
This was hardly some elaborate hack. According to the reports, Wikkid did nothing more than exploit a simple security flaw in Struktura's website to scrape the customer database. The leaked dataset contains roughly 536,000 lines showing which surveillance apps people bought, how much they paid, the card types, and the last four digits of the payment cards.
TechCrunch verified the breach through password reset portals. The data's real, and it covers phone-tracking services like uMobix and Geofinder, Instagram snoopers like Peekviewer, and Xnspy, a stalkerware app that already spilled victim data from tens of thousands of devices back in 2022.
Of course, it’s not without a little twist. The hacking forum lists the vendor as "Ersten Group," a supposed U.K. software startup. But emails in the dataset reference Struktura, a Ukrainian company with an identical website. The earliest transaction record belongs to Struktura's CEO, Viktoriia Zosim – a $1 test payment. Neither company responded to requests for comment.
Wikkid published everything on a hacking forum, telling TechCrunch they "have fun targeting apps that are used to spy on people." Can't say I blame them.
The Irony of Surveillance Companies Getting Surveilled
There's something poetic about companies that profit from violating privacy getting their own customer data exposed. These vendors have been operating with impunity for years, marketing apps explicitly designed for illegal spousal surveillance, and now their customers are getting outed.
The pattern goes back years. The FTC banned SpyFone's makers in 2021 for "egregious security lapses." Xnspy's 2022 breach exposed data from over 60,000 victims' devices, and there are dozens of documented cases of other stalkerware apps getting hacked over recent years. This industry consistently fails at security, affecting both victims AND perpetrators.
What makes this different is the timing. We're watching a structural shift: traditional enforcement requires government action measured in years, but hacktivist targeting operates on different timescales, creating consequences that regulatory bodies just can’t quite deliver.
This may be a pretty gray area, but it’s hard to be mad about the surveillance industry finally learning that when you build your business on secrecy and exploitation, you become a target.
Where This Leaves the Rest of Us
The reality is simple: Companies operating unregulated surveillance infrastructure face fundamental security vulnerabilities that don't just affect their victims.
The stalkerware market operates in regulatory gray zones, where selling the software isn't technically illegal even though using it to spy on spouses absolutely is. Vendors like Struktura have thrived because there's been minimal oversight, but now they're facing both legal pressure AND systematic hacktivist targeting.
For the 536,000 people whose payment records just hit the web, this is a harsh lesson about data breaches and trusting companies with questionable ethics. Your email and partial card details might not seem like much, but they're enough for targeted extortion, doxxing, or social engineering, and, in this case, they expose you to the people you were spying on in the first place.
Nobody's data is safe with companies built on exploitation. Whether you're planting stalkerware or getting monitored, you're dealing with vendors who can't secure their own infrastructure, let alone protect the sensitive information they're collecting.
Watching surveillance companies get a taste of their own medicine isn't the worst thing I've seen this week. What goes around comes around, especially when your security is held together with duct tape and can be broken down through a "trivial" bug.

Dominykas is a technical writer with a mission to bring you information that will help you in keeping your digital privacy and security protected at all times. If there's knowledge that can help keep you safe online, Dominykas will be there to cover it.
