This story is part of When Spies Come Home , a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
When you think of someone selling a hacking tool that can remotely switch on a cellphone's mic, or sweep up all of a target's emails, governments and tight-lipped contractors may come to mind. But people trying to sell malware with these sort of these capabilities have an unlikely advertising platform.
"All of a sudden, I had access—without him knowing—to all his texts, calls he made or received, all the photos made or received, his email and social media accounts," one woman says in a clearly scripted, and poorly acted, YouTube video. The video is advertising FlexiSpy, a piece of malware that anyone can buy for as little as $69 to spy on mobile phones or computers, and these YouTubers typically direct potential customers to a spyware vendor in exchange for a cut of the sale.
The myriad of videos available online highlight the ease at which anyone can buy spyware, and the audacity of the industry's' advertising. But they also point to one of the target audiences for the software—paranoid lovers wanting to illegally spy on their spouse.
In this video, the woman suggests she was suspicious of her boyfriend, worried that he might be sleeping with someone else. Thanks to FlexiSpy, apparently, she was able to uncover the adultery, and she couldn't be happier.
"If you want to feel the same I did, safe and without any fear, check the link in the description," she adds.
The link is ostensibly for a blog reviewing different pieces of consumer spyware, but it redirects the visitor to FlexiSpy's website. The URL includes a referral code, letting FlexiSpy track which of its advertisers has helped with a sale. (While working on this article, someone changed the destination of the redirect; it now sends visitors to another spyware vendor entirely, and one of FlexiSpy's competitors, called mSpy).
"Catch a Cheater Fast with FlexiSpy," is another video from the same YouTuber. Other clips, such as "Is FlexiSPY A Scam? My Opinion," and a Spanish video explaining how to install the software all redirect to FlexiSpy's website, along with a referral link. Dozens of videos explain or advertise what this sort of consumer malware can do for you, and although some mention monitoring children or employees, many are focused on spying on spouses.
"Hi Help My Spouse Is Cheating! How do I get in contact with you?" a comment left on a video about catching lovers reads.
One YouTuber, who runs a channel and gadget review site called Steve Hackdotcom, told Motherboard over Skype he doesn't actually appear in the videos. Instead, he paid a freelance content creator to talk about FlexiSpy and walk viewers through it.
Including traffic coming from places like Google and Bing, Steve said he could make up to $2,000 to $3,000 a month promoting FlexiSpy. That is, until the search engines allegedly introduced a change about six months ago leading to fewer referrals, dramatically decreasing his income. Microsoft did not respond to a request for comment.
Naturally, viewers who watch YouTube videos recommending people spy on their lovers with malware may go on to do just that, likely breaking the law in the process.
"I'm not worried about that," Steve told Motherboard, although he came across more as indifferent than malicious.
There are connections between individual YouTube channels too; many link to the same site that then funnels customers to the official mSpy website, and some of the clips include the same blonde actress as in the first video (although in a few cases it's unclear whether others have simply ripped the video and used it for their own money-making scheme).
A few of the YouTubers are apparently scammers though, with commenters complaining of dodgy Western Union transfers and never receiving their product. It's not clear how much cash these fraudsters may be raking in, but one shortened bit.ly link from an alleged scammer has been clicked over 9,000 times.
According to an internal FlexiSpy document, stolen by a hacker and provided to Motherboard, around 20 percent of the company's sales come from affiliates. FlexiSpy also verifies that affiliate marketing websites comply with the company's term of service, according to the document.
While Motherboard exchanged several emails with a YouTube representative about its policies regarding advertising illegal uses for spyware, the company ultimately did not provide any official comment on the matter. YouTube has recently faced criticism for running adverts on controversial videos.
If you are concerned that consumer spyware may have been installed on your phone, here is some basic advice on what to do next.