Federal Judge, ICE Agents Linked to Compromised Spyware Use

The surveillance company mSpy just suffered its third data breach in a decade, exposing government officials snooping for both official and unofficial reasons.

Sometimes the government spies on you. And sometimes they hire a poorly secured Eastern European firm to do it for them.

Last week, hacktivists published the customer support database for Brainstack, a Ukrainian company that runs a phone tracking service called mSpy. (It was the third mSpy security breach in a decade.) The database includes messages from Immigration and Customs Enforcement (ICE) agents, active-duty troops, and a U.S. circuit court judge interested in using mSpy to conduct surveillance.

Employees at the U.S. State Department, the Nebraska National Guard, and two federal auditing offices reached out to mSpy about using the service in official investigations. Many more low-level officials and service members seemed to be using mSpy to monitor people in their private lives, but signed up through their government emails. In some cases, it was unclear whether government employees were using mSpy for official or personal business. 

Even if the private spying was for a legitimate purpose—such as parents monitoring their children's internet usage—it was probably not the best idea to sign up for foreign spyware with known security issues from a government email account.

Judge Kevin Newsom, a circuit judge of the United States Court of Appeals for the 11th Circuit, used his government email address to log into an mSpy customer service chat in February 2019. "You can't reliably monitor Snapchat, which is the only reason I got it," he complained. He sent mSpy a follow-up email asking for a refund, signed with his official title as a judge.

"Judge Newsom's use was entirely in his personal capacity to address a family matter," says Kate Adams, director of workplace relations at the 11th Circuit.

MSpy has suffered serious security problems over the past decade. In May 2015, hackers stole data on mSpy's targets and offered it for sale on the dark web. When cybersecurity journalist Brian Krebs broke the story, mSpy tried to claim the data was fake, then eventually admitted to the breach. In September 2018, mSpy accidentally left that same type of data on a public-facing server, then removed it when Krebs noticed.

In early June 2024, the Swiss hacktivist maia arson crimew, who had previously leaked the FBI's No Fly List, claimed that an "anonymous source" had sent her 150 gigabytes of data from mSpy's customer service branch. "From all the past stalkerware leaks, usually what leaks is victim data," crimew tells Reason via encrypted voice chat. But this leak was about mSpy's clients—essentially turning the surveillance back against the surveillers.

Last week, the leaked client data was published on DDoSecrets, a website widely considered to be WikiLeaks' successor. (DDoSecrets is also famous for hosting BlueLeaks, a massive 2020 leak of police files.) The mSpy media team did not respond to an email asking for comment on the leak.

Reason reviewed mSpy data from several hundred American users with .gov and .mil email addresses, out of 2.5 million users in total. Crimew wrote on her blog that she also found officials from Australia, France, Germany, Italy, Switzerland, Turkey, Israel, Thailand, and Vietnam in the data.

Unlike other intelligence-for-hire services, mSpy requires users to have intimate access to the target already. The software must be installed directly on the target's phone, iCloud account, or WiFi network. Afterwards, it provides the user with the target's call logs, messages, and location data. Brainstack advertises mSpy as a parental guidance tool, but others pejoratively call the service "stalkerware."

Indeed, a few of the customer service messages came from federal and local law enforcement officials looking for a way to send mSpy a subpoena or warrant because the service was allegedly used in a crime. A detective in Brazos County, Texas, wrote that he was "investigating a case that involves a cellular phone belonging to our victim who [sic] phone illegally had MSPY installed on it and is likely being used to track our victim in a stalking manner."

The U.S. government had previously tried to crack down on this kind of software. In 2014, the U.S. Department of Justice indicted the CEO of Pakistani spyware service StealthGenie, which operates similarly to mSpy, for selling an illegal wiretapping device. He pleaded guilty and paid a $500,000 fine.

"Spyware is an electronic eavesdropping tool that secretly and illegally invades individual privacy," Assistant Attorney General Leslie R. Caldwell said at the time. "Make no mistake: selling spyware is a federal crime, and the Criminal Division will make a federal case out of it."

The mSpy website states that the service is only "designed for use by those who have the legal right to control a device, account, application, or program on which it is installed, or on which it is used for parental control," and that it may not be used "to harass, abuse, stalk, threaten, defame or otherwise infringe or violate the rights of any other person."

Other government workers thought that spyware could be useful for official investigations, especially when it came to monitoring staff. Enrique Garcerant, then an investigator for the U.S. Diplomatic Security Service in Ecuador, reached out to mSpy in September 2016. "I work for a law enforcement agency in the US and we have urgency to obtain the download link for the app. Please assist. We are working on a time sensitive case," he wrote.

A spokesperson for the U.S. Department of State would not answer whether the Diplomatic Security Service was using mSpy in an official capacity, only telling Reason that "Garcerant no longer works at the State Department." According to his LinkedIn profile, Garcerant was working at the State Department when he reached out to mSpy.

In November 2018, a sergeant in the Nebraska Army National Guard also reached out to "discuss pricing of your service and talk through some potential technical questions" for installing mSpy on "40-70 iOS devices"—in other words, a platoon's worth of iPhones. A sales representative from mSpy then scheduled a phone call with him. The Nebraska National Guard did not respond to an email asking whether it went through with the purchase.

In March 2020, the Social Security Administration's Office of the Inspector General contacted Brainstack "to see if we could utilize [mSpy] with some of our criminal investigations." The official noted, however, that there were some concerns with "the storage of potentially sensitive information on your servers." Again, the Social Security Administration did not respond to a request for comment.

In addition to the privacy and security risks, mSpy also seemed to have poor customer service. Auditors at the General Services Administration, which manages federal offices and vehicles, bought a copy of mSpy for "device testing," then complained in December 2022 that mSpy overcharged for the software. Orlando Diaz, a spokesman for the inspector general's office, declined to comment.

In September 2017, an Immigration and Customs Enforcement (ICE) official wrote that his "company" needed an invoice for the mSpy services he bought. He wrote again to complain that the invoice did not include a price. ICE did not respond to an email asking whether this purchase was for official purposes.

Other ICE officials contacted mSpy for different reasons. One ICE official asked in January 2023 how she could use mSpy to find her daughter, who "is an addict." ICE Homeland Security Investigations, which deals with gang activity and trafficking, reached out in January 2024 asking where to serve a subpoena for mSpy user data.

Of course, mSpy was most useful to local officials who were in close contact with the people they wanted to spy on, and otherwise didn't have the resources to run an intelligence operation. In November 2020, the Honolulu Department of Environmental Services reached out about buying mSpy to track 165 employee phones. It's unclear whether the department, which did not respond to a request for comment, ever bought the spyware.

Some law enforcement agencies are confirmed to have used mSpy professionally. In February 2019, the Benton County Sheriff's Office in Arkansas asked for a trial copy of mSpy, then sent positive feedback about the app. The office did not respond to an email asking whether it continues to use mSpy.

Noel P. Terwilliger, an investigator at the Steuben County District Attorney's Office in New York, purchased mSpy in December 2018, then decided that the software was unnecessary "due to the changes in my investigation minutes after I made the purchase." A lengthy back-and-forth with mSpy over getting a refund followed. Steuben County records access officer Brenda Scotchmer said that she "cannot speak as to why the DA's Office purchased the software in the first place" and pointed Reason to District Attorney Brooks Baker, who did not respond to an email asking for comment.

Officials from the Michigan State Police, the Huntsville Police Department in Texas, and the Department of Corrections in Washington, D.C., purchased mSpy, but the emails did not indicate whether they were buying it for personal or official reasons. None of these agencies responded to a request for comment, either.

While commercial spyware may have seemed like a cheap way to conduct surveillance, users got exactly the level of security and discretion they paid for, as the leaks make clear. "You are directly siphoning company data to some random private company that is very shady," says crimew, the hacktivist. "In general, the way stalkerware companies are run just doesn't include giving a shit about vulnerabilities."

And government employees using spyware in their personal lives—the vast majority of cases that Reason reviewed—creates an additional security risk. The White House has warned that companies selling Americans' personal data present "privacy, counterintelligence, blackmail risks and other national security risks." Officials who enter a .gov or .mil address into a spyware platform are offering themselves up on a silver platter.

Ironically, one of the customer support messages to mSpy came from an Army doctor angry that his email address had appeared in an earlier data breach.

"I cross checked my email address against a database for hacked websites and mspy showed up. I had to google MSpy as I had no knowledge of your company," the doctor wrote. "This is particularly disturbing as my spouse recently accused me of putting spying software on her cell phone and computer, which I have never done."