This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
John* tapped out a simple text message to his wife in January 2016. "I love you," it read.
But this wasn't the only message she saw. Unbeknownst to John, his wife had bugged his smart phone. She was spying on John, eavesdropping on all of his texts and multimedia messages, and tracking his every move through the device's GPS.
She was also stealing all of John's photos. In one slightly blurred picture, John, a police officer in a small town in the southwestern United States, is knelt over a suspect, who is face down on the curb. In another photograph, John is taking a selfie wearing a dress shirt and a black tie. A third picture shows an email exchange with Facebook's law enforcement help team, revealing that John was requesting data on a target of an investigation.
These messages and pictures, including some of the couple's more intimate moments, were taken directly from John's cellphone by his wife, using a piece of consumer surveillance software made by American company Retina-X. In an ironic twist, the software is called PhoneSheriff.
John is just one of tens of thousands of individuals around the world who are unwitting targets of powerful, relatively cheap spyware that anyone can buy. Ordinary people—lawyers, teachers, construction workers, parents, jealous lovers—have bought malware to monitor mobile phones or computers, according to a large cache of hacked files from Retina-X and FlexiSpy, another spyware company.
The breaches highlight how consumer surveillance technology, which shares some of the same capabilities and sometimes even the same code as spy software used by governments, has established itself with the everyday consumer. And it would appear no small number of people are willing to use this technology on their partners, spouses, or children.
In other words, surveillance starts at home.
Morgan Marquis-Boire is a security researcher who has spent months digging into the consumer spyware industry, and has seen it used in domestic violence cases first hand. He has also spent years researching spyware used by governments. For him, the former kind of surveillance, which can be also called stalkerware or spouseware, deserves more attention because it's more common and widespread than many may think, and "the victims are everyday people," he said.
Sophisticated government malware or cyberattacks on individuals are like "a rare bloodborne pathogen," whereas consumer spyware is more like "the common cold" or flu. It's not as exotic, but "it does kill a lot of people every year," Marquis-Boire told Motherboard.
Listen to pluspluspodcast's episode about the 'Stalkerware' market.
Around 130,000 people have had an account with Retina-X or FlexiSpy, according to data provided to Motherboard by two hackers, in part via the leaking platform SecureDrop. However, the overall number of customers could be higher as the data may not be fully representative of the two companies.
The FlexiSpy account holders include a fifth grade teacher at a school in Washington, DC; a man who breeds dogs professionally in Georgia; and the president of a sunglasses distributor in New York.
"I used the service to confirm that my ex gf [girlfriend] was cheating on me. It allowed me to get a remote audio recording of her…in the act."
Depending on whether someone installs FlexiSpy or Retina X's software on a cellphone they have physical access to, users may be able to intercept calls; remotely switch on the device's microphone; monitor Facebook, WhatsApp, and iMessage chats; read text messages; track the phone's GPS location, and record the user's internet browsing history.
And Retina-X account holders include the vice-president of a commercial bank in Los Angeles, the founder of a recruiting firm in Chicago, and, of course, John's wife. On top of PhoneSheriff, Retina-X also makes SniperSpy and TeenShield.
Depending on the product, FlexiSpy and Retina-X customers may have paid only around $50 to $200 for a monthly or annual spyware subscription.
Motherboard identified account holders by using email addresses and names included in the data, and finding the individuals' respective social media profiles, websites or other details online. (In some cases it was possible to verify an address was linked to a spyware account by attempting to create a new user on the respective site, or by requesting a password reset.) Some customers of both FlexiSpy and Retina-X included in the data confirmed to Motherboard they had purchased the companies' malware.
"I bought it to see if my bf [boyfriend] was cheating," one FlexiSpy user included in the data told Motherboard in an email.
"I used the service to confirm that my ex gf [girlfriend] was cheating on me. It allowed me to get a remote audio recording of her… in the act. Best money I ever spent," another FlexiSpy customer said.
"It's normal," a third FlexiSpy customer told Motherboard.
These spyware account holders, and their victims, aren't limited to the US. The Retina-X data contains several large files of alleged GPS coordinates of infected phones across the globe. France, Spain, Israel, Brazil, Colombia, Mozambique, Nigeria, India, Vietnam, Indonesia, Australia, and many more countries are all included. The GPS logs obtained by Motherboard stretch from 2014 to late 2016, but the hacker says he only provided a sample.
A map of alleged GPS locations of surveillance victims captured using Retina-X software. Motherboard has deliberately obfuscated the GPS locations to protect individuals' privacy.
The data also includes evidence of government and law enforcement customers for FlexiSpy. FlexiSpy does have connections to the law enforcement malware market, but it is not clear whether the malware was purchased for official or personal use in each of these cases.
The Retina-X files include more screenshots and photos seemingly taken with infected devices: a man making a silly face into his phone camera; a young girl striking a pose in the mirror. Indeed, many of the images are of children. After all, consumer spyware can be used by parents or guardians to legally monitor their kids. The software can also be used to keep tabs on employees with a company-issued phone—likely with the employees' consent. Both companies advertise these use cases on their websites, and Retina-X's terms and conditions says these are the only two allowed uses of their product.
However, the vast majority of Retina-X and FlexiSpy accounts appear to be linked to personal email accounts, rather than domains for businesses, institutions, or government agencies. And FlexiSpy has also explicitly marketed its products to jealous lovers wanting to spy on their spouses.
"Many spouses cheat," FlexiSpy's website has read. "They all use cell phones. Their cell phone will tell you what they won't."
Over the past two decades, consumer spyware has been used in cases of domestic violence, and in a recent call with Motherboard, one company admitted its software could be used to monitor a spouse without their permission. A 2014 NPR investigation found that 75 percent of 70 surveyed domestic violence shelters in the US had encountered victims whose abusers had used eavesdropping apps.
Elle Armageddon, an activist and operational security expert, said that while it's hard to tell exactly how many women in an abusive relationship get targeted with spyware, its use could prevent women—or men—from escaping the relationship as abusers might find out about their partners' plans to get away.
"Those peddling spouseware are willing to trade the agency of others for profit, considering some loss of life to be an acceptable cost of doing business," Armageddon told Motherboard in an email. "Spyware is spyware, and is a violation of the privacy rights of those targeted by it, regardless of whether they're dissidents being targeted by a state actor, or women being targeted by their abusive partners."
Jessica* was a victim of domestic violence. Her then-husband used spyware to keep tabs on her while the couple was separated. Initially he used a keystroke logger on her laptop, and then malware for her cellphone.
"Oh shit, he knows exactly what I was texting all day long," Jessica previously told Motherboard. "If I was going somewhere and I wasn't where I said I was going to be, he would text me: 'I see you.' It was sort of this creepy chilling feeling; like he always knew what I was doing and where I was going."
"If I was going somewhere and I wasn't where I said I was going to be, he would text me: 'I see you.'"
This business of spying on spouses is part of the reason the two hackers decided to target FlexiSpy and Retina-X. But the tens of thousands of accounts the pair provided to Motherboard only represent a slice of the consumer spyware market. A slew of other, similar companies exist, offering malware to anyone for a relatively cheap price. One of the largest, called mSpy, allegedly has around two million users. (Hackers reportedly targeted mSpy back in 2015.)
"Unfortunately most domestic violence victims never know which surreptitious 'stalkerware' product is being used by their abuser to monitor their every move," Cindy Southworth, executive vice president of the National Network to End Domestic Violence, told Motherboard in an email.
In the United States, intercepting someone's private communications is generally illegal, and a potential wiretapping crime unless the person doing it is a parent keeping tabs on their child, or an employer monitoring their employee's company-issued device. Installing spyware on someone's smartphone without consent can, and has led to prison—unless it's done by a law enforcement agent with a warrant.
Explaining their motivation, the Retina-X hacker also pointed to parents who might use this sort of software to monitor their children.
"99% of the people being spied on with these things don't deserve to have their lives invaded so much," the hacker who broke into Retina-X, who didn't provide any name to identify themselves, told Motherboard in an online chat.
The hacker criticized this use not just because of ethical reasons, but because by using this software on their kids, the parents aren't the only ones getting access to their data. The companies providing the service do as well. And if the spyware companies don't take care of that highly sensitive data, a third party may be able to get hold of it.
"It's impossible to know that you're the only one looking," the hacker added. "I want parents to think twice about unleashing this kind of stuff on their kids [...] I wanted to damage those spying mechanisms because I think it's almost entirely a bad category of software."
"I think they're a bunch of unethical assholes who prey on insecure people in order to line their own pockets."
The hacker behind the FlexiSpy breach went by the handle Leopard Boy, a reference to the 1995 cult film Hackers. Leopard Boy said that what FlexiSpy allows people to do is "fucking seedy and skin-crawlingly revolting."
"I think they're a bunch of unethical assholes who prey on insecure people in order to line their own pockets," the hacker said. The goal of hacking FlexiSpy, Leopard Boy said, was to send a warning to this sort of industry as a whole.
"As good old Phineas once said, leaking isn't an end in itself; it's all about the message," Leopard Boy added, referring to hacker Phineas Fisher. (Phineas has become a sort of folk hero in the hacking community for breaking into the servers of FinFisher and Hacking Team, two companies that sell spyware exclusively to governments.)
Both hackers claimed that each consumer spyware companies' systems were not particularly difficult to breach.
The Retina-X hacker said he despised the company so much, he decided to wipe all of the data from the company's servers at the end of February. That explains why the login portals of PhoneSheriff and other Retina-X products stated that they had suffered downtime due to a "hardware failure" recently.
"I wouldn't want other people finding those selfies on [cloud storage provider] Rackspace, and if I can interrupt those parents etc from spying, that also seems like a good thing," he wrote.
Leopard Boy said he and another hacker did something similar to FlexiSpy on Monday.
"Goodbye, Flexispy," Leopard Boy told Motherboard. "Hello, Flexidie." The pair took over one of FlexiSpy's related Twitter accounts on April 18, and taunted the company.
"Do you… feel secure?" one of the tweets reads. The pair also tweaked the website of FlexiSpy's parent company to automatically redirect to UK-based activist group Privacy International, and wiped a number of servers.
"Goodbye, Flexispy. Hello, Flexidie."
Motherboard attempted to contact FlexiSpy's founder Atir Raihan. When reached by phone, a person on the other end identified as Raihan, but then claimed they were someone else when asked about FlexiSpy. No one replied to emails sent to FlexiSpy's press address. Apparent customers have noticed the disruption, however, and in reply to one comment on FlexiSpy's Facebook group, the company wrote on Tuesday, "FlexiSPY is currently experiencing a temporary technical issue, which means that you will not be able to login to access your portal. We expect this issue to be resolved within 48 hours."
Retina-X did not immediately respond to a request for comment.
These data breaches may not stop people from spying on their children or partners. But perhaps it will shine a light on just how common, and powerful, consumer spyware has become. Even in small-town southwestern United States.
John's wife monitored his phone communications for around three months, according to the hacked data. And the SMS logs of their text messages play out in a way that suggests John didn't know his spouse was spying on him. To that I love you text he'd sent her in early 2016, his wife sent a reassuring response.
"I love you too," it read.
*Some names have been changed to protect the person's privacy.
If you are concerned that consumer spyware may have been installed on your phone, here is some basic advice on what to do next.