

You Can Now Get Paid to Hack Spyware Vendor FlexiSpy

Even though FlexiSpy has announced a bug bounty program, the company still hasn't commented on the hack itself.

Last week, Motherboard revealed that hackers had targeted two companies in the consumer spyware industry, making off with large sets of customer and company data.

One of those companies was FlexiSpy, which has directly marketed its malware to jealous lovers wanting to spy on their spouses. Now, the firm is apparently trying to make its systems much more secure by offering a bug bounty program.

"Put your technical skills up against our developers and find security flaws that we have created or missed—and get paid for your time," the announcement posted on Medium reads.


Bug bounties are increasingly common nowadays. In short, companies offer payments of various sizes to hackers or researchers who discover security issues with the company's products or services. For example, one freelance bug hunter received $350 from Medium for finding a vulnerability in that site.

FlexiSpy, meanwhile, is offering $500 to $5000 in rewards. The scope of the program is fairly broad too, encompassing the vendor's Android and iOS malware, FlexiSpy's customer login portal, and other FlexiSpy-affiliated sites (including its fake reviews website).

A screenshot of FlexiSpy's Twitter account. Image: Joseph Cox

Perhaps not coincidentally, the hackers behind the FlexiSpy breach released alleged source code for the firm's malware over the weekend—the hackers have taken over a number of FlexiSpy accounts, and posted links to alleged company files from there.

On Monday, the official FlexiSpy Twitter account tweeted that the released files date from 2011, and mentioned that links to more up-to-date versions of the malware are included in the Medium post.

The FlexiSpy hackers, who call themselves The Decepticons and one of whom goes by the handle Leopard Boy, in reference to the 1995 cult film Hackers, said the tweet announcing the bug bounty didn't come from them.

"It's definitely not [us]," Leopard Boy told Motherboard in an online chat, as the hackers were allegedly unable to gain access to FlexiSpy's main Twitter account.

The company has still not commented on the data breach, apart from the tweet stating that the dumped files are out of date. Various employees have ignored or declined requests for comment over the past week.

"The Decepticons are also planning on opening a bug bounty against FlexiSpy; stay tuned for our next release," Leopard Boy told Motherboard.

Update: This piece has been updated to include another tweet from FlexiSpy.
