A backdoor into iCloud end-to-end encryption would defeat the purpose of the feature, so Apple is pulling it from the UK altogether.
Apple confirmed Friday that it “can no longer” offer a security feature that allows users in the United Kingdom to encrypt their iCloud data.
In a statement provided to TechCrunch, Apple spokesperson Fred Sainz said the company’s Advanced Data Protection feature will no longer be available to new users and current U.K. users “will eventually need to disable this security feature.”
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K. given the continuing rise of data breaches and other threats to customer privacy,” the company said.
“Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before,” the statement said.
The announcement comes after the U.K. government reportedly ordered Apple earlier this year to build a backdoor that would allow British authorities “blanket” access to users’ data stored on Apple’s cloud servers, even if it is end-to-end encrypted. This request, seen as unprecedented in a modern democracy, alarmed privacy and security experts, who argued that if the British government prevailed, the demand would set a precedent for authoritarian countries to follow.
Apple offers users the option to turn on end-to-end encrypted iCloud backups through Advanced Data Protection. This feature effectively makes it impossible for anyone, including Apple and government authorities, to view data stored in iCloud by users’ who have opted-in.
A spokesperson for the U.K. Home Office did not immediately respond to TechCrunch’s request for comment.
Apple did not immediately say how the process of disabling ADP will work for users who had already turned it on before Friday.
Apple said that some types of data, including health data, messages stored in iCloud, and payment information, which are end-to-end encrypted by default for all users, will not be affected by this change, and will remain encrypted for everyone. But U.K. users will not be able to opt-in to use end-to-end encryption for the other types of data, such as photos, notes, backups, and other data, which were encrypted under ADP.
For those who already have ADP enabled, Apple said it will give customers more guidance soon, as well as a period of time to disable the feature to keep using iCloud.
ADP is unaffected for users outside of the United Kingdom, Apple said, and end-to-end encrypted communication services like FaceTime and iMessage are not affected, either.
“As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” Apple said, linking to its prior statements.
BBC News reported that ADP stopped being an option for new users starting at 3 p.m. U.K. time on Friday. TechCrunch has also confirmed that ADP is no longer an option for new users in the United Kingdom.
Since the rise of encryption in the mid-1990s, governments worldwide have argued that this data-scrambling technology would allow criminals and terrorists to break the law while evading law enforcement. Over the years, authorities have always found a way, from accessing unencrypted backups to using spyware, to access data directly on people’s devices.
“If you are not in the U.K., you should turn on ADP now,” said Matthew Green, a cryptography expert and teacher at Johns Hopkins University, wrote on X in response to the news.
“The more people who use it, the harder it will be to shut off this way,” said Green.
Clarified the forms of data protected under Advanced Data Protection in the ninth paragraph.
Keep reading the article on Tech Crunch
A trove of chat logs allegedly belonging to the Black Basta ransomware group has leaked online, exposing key members of the prolific Russia-linked gang.
The chatlogs, which include over 200,000 messages spanning from September 18, 2023, to September 28, 2024, were shared with threat intelligence company Prodaft by a leaker. The cybersecurity firm says the leak comes amid “internal conflict” within the Black Basta group after some members allegedly failed to provide its victims with functional decryption tools despite paying a ransom demand.
It’s not yet known if the leaker, who uses the alias “ExploitWhispers” on Telegram, was a member of the Black Basta gang.
Black Basta is a prolific Russian-language ransomware gang, which the U.S. government has linked to hundreds of attacks on critical infrastructure and global businesses, whose publicly known victims include U.S. healthcare organization Ascension, U.K. utility company Southern Water, and British outsourcing giant Capita. The leaked chat logs give a never-before-seen look inside the ransomware gang, including some of its unreported targets.
According to a post on X by Prodaft, the leaker said that the hackers “crossed the line” by targeting Russian domestic banks.
“So we are dedicated to uncovering the truth and investigating Black Basta’s next steps,” the leaker wrote.
TechCrunch obtained a copy of the hackers’ chat logs from Prodaft, which contain details about key members of the ransomware gang.
These members include “YY” (Black Basta’s main administrator); “Lapa” (another of Black Basta’s key leaders); “Cortes” (a hacker linked to the Qakbot botnet); and “Trump” (also known as “AA” and “GG”).
The hacker “Trump” is believed to be an alias used by Oleg Nefedovaka, who Prodaft researchers describe as “the group’s main boss.” The researchers linked Nefedovaka to the now-defunct Conti ransomware group, which shut down soon after its internal chat logs leaked following the gang declaring its support for Russia’s full-scale invasion of Ukraine in 2022.
The leaked Black Basta chat logs also quote one member as saying they are 17-years-old, TechCrunch has seen.
By our count, the leaked chats contain 380 unique links related to company information hosted on Zoominfo, a data broker that collects and sells access to businesses and their employees, which the chatlogs show the hackers used to research the companies they targeted. The links also give some indication of the number of organizations targeted by the gang during the 12-month period.
The chat logs also reveal unprecedented insights into the group’s operations. The messages include details on Black Basta’s victims, copies of phishing templates used in their cyberattacks, some of the exploits used by the gang, cryptocurrency addresses associated with ransom payments, and details about ransom demands and victims’ negotiations with hacked organizations.
We also found chat logs of the hackers discussing a TechCrunch article about ongoing Qakbot activity, despite an earlier FBI takedown operation aimed at knocking the notorious botnet offline.
TechCrunch also found chat logs that named several previously unknown targeted organizations. This includes the failed U.S. automotive giant Fisker; healthtech provider Cerner Corp, which is now owned by Oracle; and U.K.-based travel firm Hotelplan. It is not yet known if the companies were breached, and none of the companies responded to TechCrunch’s inquiries.
The chat logs appear to show the gang’s efforts in exploiting security bugs in enterprise network devices, such as routers and firewalls that sit on the perimeter of a company’s network and act as digital gatekeepers.
The hackers boasted their ability to exploit vulnerabilities in Citrix remote access products to break into at least two company networks. The gang also talked about exploiting vulnerabilities in Ivanti, Palo Alto Networks and Fortinet software to carry out cyberattacks.
A conversation between Black Basta members also suggests that some of the group were worried about being investigated by Russian authorities in response to geopolitical pressures. While Russia has long been a safe haven for ransomware gangs, Black Basta was also concerned about actions brought by the U.S. government.
Messages sent after the group’s breach of Ascension’s systems warned that the FBI and CISA are “100% obliged” to get involved and could lead to the agencies “taking a tough stance on Black Basta.”
Black Basta’s dark web leak site, which it uses to publicly extort victims into paying the gang a ransom demand, was offline at the time of publication.
Keep reading the article on Tech Crunch
There is a whole shady industry for people who want to monitor and spy on their families. Multiple app makers market their software — sometimes referred to as stalkerware — to jealous partners who can use these apps to access their victims’ phones remotely.
Yet, despite how sensitive this data is, an increasing number of these companies are losing huge amounts of it.
According to TechCrunch’s tally, counting the latest data exposures of Cocospy and Spyic, there have been at least 23 stalkerware companies since 2017 that are known to have been hacked or that leaked customers’ and victims’ data online. That’s not a typo: At least 23 stalkerware companies have either been hacked or had a significant data exposure in recent years. And four stalkerware companies were hacked multiple times.
Cocospy and Spyic are the first stalkerware companies in 2025 to have inadvertently exposed sensitive data. The two surveillance operations left messages, photos, call logs, and other personal and sensitive data of millions of victims exposed online, according to a security researcher who found a bug that allowed them to access that data.
In the case of Cocospy, the company leaked 1.81 million customer email addresses, and Spyic leaked 880,167 customer email addresses. That’s a total of 2.65 million email addresses, after removing duplicate addresses that appeared in both breaches, according to an analysis by Troy Hunt, who runs data breach notification site Have I Been Pwned.
In 2024, there were at least four massive stalkerware hacks. The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota, which exposed activity logs from the phones, tablets, and computers monitored with its spyware. Before that, there was a breach at mSpy, one of the longest-running stalkerware apps, which exposed millions of customer support tickets that included the personal data of millions of its customers.
Previously, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced pcTattletale’s official website with the goal of embarrassing the company. The hacker referred to a recent TechCrunch article where we reported pcTattletale was used to monitor several front desk check-in computers at a U.S. hotel chain.
As a result of this hack, leak and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company.
Consumer spyware apps like mSpy and pcTattletale are commonly referred to as “stalkerware” (or spouseware) because jealous spouses and partners use them to surreptitiously monitor and surveil their loved ones. These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. And there have been multiple court cases, journalistic investigations, and surveys of domestic abuse shelters that show that online stalking and monitoring can lead to cases of real-world harm and violence.
And that’s why hackers have repeatedly targeted some of these companies.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a “soft target.”
“The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” Galperin told TechCrunch.
Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care for protecting their own customers — and consequently the personal data of tens of thousands of unwitting victims — using these apps is doubly irresponsible. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and, on top of that, putting everyone’s data in danger.
The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those two hacks revealed that the companies had a total number of 130,000 customers all over the world.
At the time, the hackers who — proudly — claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.
“I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,” one of the hackers involved then told Motherboard.
Referring to FlexiSpy, the hacker added: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there.”
Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.
The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back — and then it got hacked again a year later. A couple of weeks after the second breach, Retina-X announced that it was shutting down.
Just days after the second Retina-X breach, hackers hit Mobistealth and Spymaster Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called who and when.
Weeks later, there was the first case of accidental data exposure, rather than a hack. Spy Fone left an Amazon-hosted S3 storage bucket unprotected online, which meant anyone could see and download text messages, photos, audio recordings, contacts, location, scrambled passwords and login information, Facebook messages, and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see.
Other stalkerware companies that over the years have irresponsibly left customers’ and victims’ data online are Family Orbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records in 2018; Xnore, which let any of its customers see the personal data of other customers’ targets, which included chat messages, GPS coordinates, emails, photos, and more; MobiiSpy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone; KidsGuard, which had a misconfigured server that leaked victims’ content; pcTattletale, which prior to its hack also exposed screenshots of victims’ devices uploaded in real time to a website that anyone could access; and Xnspy, whose developers left credentials and private keys in the apps’ code, allowing anyone to access victims’ data; and now Cocospy and Spyic, which left victims’ messages, photos, call logs, and other personal data, as well as customers’ email addresses, exposed online.
As far as other stalkerware companies that actually got hacked, there was Copy9, which saw a hacker steal the data of all its surveillance targets, including text messages and WhatsApp messages, call recordings, photos, contacts, and browser history; LetMeSpy, which shut down after hackers breached and wiped its servers; the Brazil-based WebDetetive, which also got its servers wiped, and then hacked again; OwnSpy, which provides much of the back-end software for WebDetetive, also got hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access the back-end databases and years of stolen data from around 60,000 victims; Oospy, which was a rebrand of Spyhide, shut down for a second time; and the latest mSpy hack, which is unrelated to the previously mentioned leak.
Finally there is TheTruthSpy, a network of stalkerware apps, which holds the dubious record of having been hacked or having leaked data on at least three separate occasions.
Of these 23 stalkerware companies, eight have shut down, according to TechCrunch’s tally.
In a first and so far unique case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman, from operating in the surveillance industry following an earlier security lapse that exposed victims’ data. Another stalkerware operation linked to Zuckerman, called SpyTrac, subsequently shut down following a TechCrunch investigation.
PhoneSpector and Highster, another two companies that are not known to have been hacked, also shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.
But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded.
“I do think that these hacks do things. They do accomplish things, they do put a dent in it,” Galperin said. “But if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case.”
“What happens most often, when you actually manage to kill a stalkerware company, is that the stalkerware company comes up like mushrooms after the rain,” Galperin added.
There is some good news. In a report last year, security firm Malwarebytes said that the use of stalkerware is declining, according to its own data of customers infected with this type of software. Also, Galperin reports seeing an increase in negative reviews of these apps, with customers or prospective customers complaining they don’t work as intended.
But, Galperin said that it’s possible that security firms aren’t as good at detecting stalkerware as they used to be, or stalkers have moved from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.
“Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech-enabled abuse,” Galperin said.
Using spyware to monitor your loved ones is not only unethical, it’s also illegal in most jurisdictions, as it’s considered unlawful surveillance.
That is already a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and time again that they cannot keep data secure — neither data belonging to the customers nor their victims or targets.
Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn’t mean using stalkerware to snoop on your kids’ phone isn’t creepy and unethical.
Even if it’s lawful, Galperin thinks parents should not spy on their children without telling them and without their consent.
If parents do inform their children and get their go-ahead, parents should stay away from insecure and untrustworthy stalkerware apps and use parental tracking tools built into Apple phones and tablets and Android devices that are safer and operate overtly.
Here’s the complete list of stalkerware companies that have been hacked or have leaked sensitive data since 2017, in chronological order:
Updated on February 20, 2025, to include Cocospy and Spyic as the latest set of buggy stalkerware apps.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Keep reading the article on Tech Crunch
A security vulnerability in a pair of phone-monitoring apps is exposing the personal data of millions of people who have the apps unwittingly installed on their devices, according to a security researcher who found the flaw.
The bug allows anyone to access the personal data — messages, photos, call logs, and more — exfiltrated from any phone or tablet compromised by Cocospy and Spyic, two differently branded mobile stalkerware apps that share largely the same source code. The bug also exposes the email addresses of the people who signed up to Cocospy and Spyic with the intention of planting the app on someone’s device to covertly monitor them.
Much like other kinds of spyware, products like Cocospy and Spyic are designed to remain hidden on a victim’s device while covertly and continually uploading their device’s data to a dashboard visible by the person who planted the app. By nature of how stealthy spyware can be, the majority of phone owners are likely unaware that their devices have been compromised.
The operators of Cocospy and Spyic did not return TechCrunch’s request for comment, nor have they fixed the bug at the time of publishing.
The bug is relatively simple to exploit. As such, TechCrunch is not publishing specific details of the vulnerability so as to not help bad actors exploit it and further expose the sensitive personal data of individuals whose devices have already been compromised by Cocospy and Spyic.
The security researcher who found the bug told TechCrunch that it allows anyone to access the email address of the person who signed up for either of the two phone-monitoring apps.
The researcher collected 1.81 million email addresses of Cocospy customers and 880,167 email addresses of Spyic customers by exploiting the bug to scrape the data from the apps’ servers. The researcher provided the cache of email addresses to Troy Hunt, who runs data breach notification service Have I Been Pwned.
Hunt told TechCrunch that he loaded a combined total of 2.65 million unique email addresses registered with Cocospy and Spyic to Have I Been Pwned, after he removed duplicate email addresses that appeared in both batches of data. Hunt said that as with previous spyware-related data breaches, the Cocospy and Spyic cache is marked as “sensitive,” in Have I Been Pwned, which means that only the person with an affected email address can search to see if their information is in there.
Cocospy and Spyic are the latest in a long list of surveillance products that have experienced security mishaps in recent years, often as a result of bugs or poor security practices. By TechCrunch’s running count, Cocospy and Spyic are now among the 23 known surveillance operations since 2017 that have been hacked, breached, or otherwise exposed customers’ and victims’ highly sensitive data online.
Phone-monitoring apps like Cocospy and Spyic are typically sold as parental control or employee-monitoring apps but are often referred to as stalkerware (or spouseware), as some of these products expressly promote their apps online as a means of spying on a person’s spouse or romantic partner without their knowledge, which is illegal. Even in the case of mobile surveillance apps that are not explicitly marketed for nefarious activity, often the customers still use these apps for ostensibly illegal purposes.
Stalkerware apps are banned from app stores and so are usually downloaded directly from the stalkerware provider. As a result, stalkerware apps usually require physical access to someone’s Android device to be planted, often with prior knowledge of the victim’s device passcode. In the case of iPhones and iPads, stalkerware can tap into a person’s device’s data stored in Apple’s cloud storage service iCloud, which requires using their stolen Apple account credentials.
Little else is known about these two spyware operations, including who runs Cocospy and Spyic. Stalkerware operators often try to eschew public attention, given the reputational and legal risks that go with running surveillance operations.
Cocospy and Spyic launched in 2018 and 2019, respectively. From the number of registered users alone, Cocospy is one of the largest-known stalkerware operations going today.
Security researchers Vangelis Stykas and Felipe Solferini, who analyzed several stalkerware families as part of a 2022 research project, found evidence linking the operation of Cocospy and Spyic to 711.icu, a China-based mobile app developer, whose website no longer loads.
This week, TechCrunch installed the Cocospy and Spyic apps on a virtual device (which allows us to run the apps in a safe sandbox without giving either of the spy services any real-world data, such as our location). Both of the stalkerware apps masquerade as a nondescript-looking “System Service” app for Android, which appears to evade detection by blending in with Android’s built-in apps.
We used a network analysis tool to watch data flowing in and out of the app to understand how the spyware operations work, what data is shared, and where the servers are located.
Our traffic analysis found the app was sending our virtual device’s data via Cloudflare, a network security provider that obfuscates the true real-world location and web host of the spyware operations. But some of the web traffic showed the two stalkerware apps were uploading some victims’ data, like photos, to a cloud storage server hosted on Amazon Web Services.
Neither Amazon nor Cloudflare responded to TechCrunch’s inquiries about the stalkerware operations.
The analysis also showed that while using the app, the server would occasionally respond with status or error messages in Chinese, suggesting the apps are developed by someone with a nexus to China.
The email addresses scraped from Cocospy and Spyic allow anyone who planted the apps to determine if their information (and their victim’s data) was compromised. But the data does not contain enough identifiable information to notify individuals whose phones are compromised.
However, there are things you can do to check if your phone is compromised by Cocospy and Spyic. Like most stalkerware, both of these apps rely on a person deliberately weakening the security settings on an Android device to plant the apps — or in the case of iPhones and iPads, accessing a person’s Apple account with knowledge of their username and password.
Even though both Cocospy and Spyic try to hide by appearing as a generic-looking app called “System Service,” there are ways to spot them.
With Cocospy and Spyic, you can usually enter ✱✱001✱✱ on your Android phone app’s keypad and then press the “call” button to make the stalkerware apps appear on-screen — if they are installed. This is a feature built into Cocospy and Spyic to allow the person who planted the app on the victim’s device to regain access. In this case, the feature can also be used by the victim to determine if the app is installed.
You can also check your installed apps through the apps menu in the Android Settings menu, even if the app is hidden from view.
TechCrunch has a general Android spyware removal guide that can help you identify and remove common types of phone stalkerware. Remember to have a safety plan in place, given that switching off spyware may alert the person who planted it.
For Android users, switching on Google Play Protect is a helpful safeguard that can protect against malicious Android apps, including stalkerware. You can enable it from Google Play’s settings menu if it isn’t already enabled.
And for iPhone and iPad users who think you may be compromised, you should check that your Apple Account uses a long and unique password (ideally saved in a password manager) and that your account also has two-factor authentication switched on. You should also check and remove any devices from your account that you don’t recognize.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849. You can also share documents securely with TechCrunch viaSecureDrop.
Keep reading the article on Tech Crunch