This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
Atir Raihan likes to flash his cash. Bald, bulky Raihan poses in personal photos with fine wine and cheese next to his grey feathered fedora. In another, he parties with semi-naked escorts in a nightclub while sipping liquor. A white powder and a crumpled note appear in a third. Rio de Janeiro, Bangkok, New York: this Pakistani born, British passport holding entrepreneur apparently enjoys his success.
Raihan pays for this lavish lifestyle in part by being a leader in an industry linked to domestic violence and illegal invasions of privacy. FlexiSpy, a company he founded and ran, sells potent mobile and PC malware to anyone to intercept phone calls, remotely switch on device microphones, or track a victim's GPS location, and has marketed its products to jealous or paranoid lovers.
Internal company data, stolen by a hacker and provided to Motherboard, provides new insight into FlexiSpy, its founder, and the sprawling, predatory consumer spyware market at large. The company grew from its customer base of vindictive spouses, and ended up connecting with firms which sold malware to some of the world's most oppressive regimes.
FROM THE GROUND UP
FlexiSpy came from humble beginnings. From 2004, one of Raihan's companies, Vervata, offered fairly standard mobile app development and consultancy for individuals and technology firms, according to dozens of company invoices. In one 2005 case, Vervata was tasked with making a messaging program that would allow a user to communicate with Yahoo, Google, and MSN chat simultaneously, and in 2007, Vervata was to develop a barcode scanning app for a customer, according to invoices and contracts.
But the start of the company's mobile malware offering creeped through. In 2006, the company was asked to create a sample of "Monitor Software" for $1000, according to an invoice.
FlexiSpy was created that same year.
"FlexiSpy releases the first SpyPhone for Symbian, launching a brand new industry," an internal roadmap presentation reads. For a measly $50, anyone could monitor SMS contents and call logs on a target device, as long as they had physical access to the phone to install the malware.
Other pieces of software for BlackBerry and Windows devices quickly followed, before moving onto the newly launched iPhone. Although on paper Vervata is separate from FlexiSpy the two are largely the same entity.
"They're basically building illegal software in the Kingdom of Thailand," a former employee, who asked to remain anonymous, told Motherboard.
From the very start, FlexiSpy marketed its products to jealous or paranoid lovers who may want to spy on their partners.
"Protect your children, catch cheating spouses, the possibilities are endless," the earliest archive of FlexiSpy's website from 2006 reads.
Over the years, FlexiSpy added the ability to send fake text messages, steal application passwords, snap a picture using a phone's camera, track which web pages the user viewed, and spy on Facebook, iMessage, and WhatsApp chats. The company even introduced monitoring tools for Tinder.
"Protect your children, catch cheating spouses, the possibilities are endless."
Raihan tried to launch other companies with a different focus—Digital Endpoint was geared toward monitoring employees—because the company's growth was relatively stagnant as competitors entered the market, the former employee said. But the promise of ordinary people being able to monitor their spouses has remained constant. The company may have paid for search engine optimization with phrases like "how to catch a cheating spouse," and "how to know if your husband is cheating," according to internal spreadsheets and invoices. By 2009, over 9,000 people had subscribed to FlexiSpy's mailing list to receive updates on new products.
"I am repulsed to think how much profit the company has made by blatantly marketing their product to abusers to facilitate criminal stalking in the past 11 years," Cindy Southworth, executive vice president of the National Network to End Domestic Violence, told Motherboard in an email.
FlexiSpy's marketing and SEO tricks apparently included a fake reviews website called Spy Phone Review, which is now offline. In a Google+ post, FlexiSpy described the site as "a fantastic resource for reviews that are backed by actual data." But according to online records, Spy Phone Review shared an IP address with a website affiliated with FlexiSpy. The site used to have a section at the bottom called "Learn More", filled with links to FlexiSpy.
And Raihan seems to have been very keen on expanding his malware business specifically into the Russian market. One document compares FlexiSpy's product to others available in the country; several invoices suggest FlexiSpy paid a Russian man commission fees for directing sales to the company; and a spreadsheet lays out an extensive list of potential Russian customers, including private detective agencies. One financial application form asks Raihan, "In which countries will your product be sold?"
"All," Raihan writes.
The former employee described 53-year-old Raihan as a sort of absentee landlord, spending weeks in the Philippines for likely non-work related trips. When Rahian would eventually return to the company offices in Thailand, he was allegedly erratic, undoing work completed by others.
Raihan also allegedly monitored the former employees' communications, providing a company laptop ostensibly pre-installed with snooping tools.
"That's the kind of guy he was," the former employee said.
"I am repulsed to think how much profit the company has made by blatantly marketing their product to abusers to facilitate criminal stalking in the past 11 years."
Regardless, FlexiSpy has had some decent success, judging by company financial records and Raihan's lifestyle. Spreadsheets allegedly describing company expenditure mention a Mercedes-Benz and multiple BMWs, and one 2016 document suggests a sale volume of FlexiSpy products of over $400,000 per month. Another file, which appears to describe a possible sale of the company, values FlexiSpy at a perhaps unrealistic $20 million.
Unsurprisingly, the company is apparently keen to hold on to as much of that cash as possible. A presentation audaciously named "offshore" shows how finances from FlexiSpy, registered in the Seychelles with Mossack Fonseca, the firm behind the Panama Papers, could be distributed.
"Offshore entities collect revenue and hold profit," the presentation reads, pointing to FlexiSpy, while the onshore Vervata would submit expenses, and declare only a "modest profit," according to the presentation.
FlexiSpy's malware is not limited to one company, however. Instead, the firm offers a reseller program, allowing others to sell FlexiSpy's products entirely as their own.
"In response to popular demand, FlexiSPY is now available as a completely UNBRANDED and PRIVATE system, specifically for Resellers who require the utmost DISCRETION and need to protect their CUSTOMER RELATIONSHIPS," one 2007 draft document reads. In some cases, FlexiSpy may also handle the server-side infrastructure for these resellers, as well as some parts of customer support
According to internal FlexiSpy spreadsheets, this reseller program stretches all across the world, with apparent clients in Israel, India, the US, Brazil, Nigeria, Greece, and Argentina.
One document references over 40 companies and individuals in 22 countries, although not all of these appear to have entered an agreement with FlexiSpy, and some seem to no longer be in business.
Some of these alleged resellers are as explicit in their virulent marketing as FlexiSpy has been. One private investigations firm based in the United States also sells "semen detector" kits for catching cheating partners. Another called Spousebusters in Australia sells spy products including "mobile phone monitoring software," that, judging by its user interface pictured in the corresponding brochure, bares a strong resemblance to FlexiSpy.
And clearly this reseller program is a mutually beneficial relationship, both for FlexiSpy as the ultimate developers, and for companies who can just pass off the malware as their own.
"We will do much better if this product was branded in our name and we would put more emphasis on advertising it. I have sought legal advice for operating/reselling this here in Australia and will be completly [sic] protected, so bring it on!," a message seemingly from Spousebusters, and included in a FlexiSpy spreadsheet, reads. Spousebusters did not respond to a request for comment.
HOME SPIES MEET REAL SPIES
Although some of the resellers are geared toward spying on lovers or for carrying out private investigations, FlexiSpy appears to have crossed paths with another market altogether: that which provides malware for law enforcement and intelligence agencies, and which has been implicated in the targeting of journalists, activists, and political dissidents.
According to internal files, FlexiSpy has a sister company called Raysoft that deals with "lawful intercept sales," a common euphemism for government hacking. The company was incorporated in the Virgin Islands only a few years after FlexiSpy was created, in 2008. Several financial spreadsheets mark regular $45,000 deposits linked to the company throughout 2013 and 2014.
According to a 2011 document, FlexiSpy may have provided British-German company surveillance Gamma, known for its FinFisher spyware, with a piece of software called 'Cyclops', as part of Gamma's 'FinSpy' product. The software would have been related to Windows, Symbian, and BlackBerry platforms. The document also indicates that staff from the two companies may have physically worked on the same projects.
"The installation is officially executed by Gamma with specialists from FlexiSPY embedded into the installation team," the document reads, and adds that if Gamma was unable to solve a customer support question effectively, Gamma would contact FlexiSpy for assistance.
Someone familiar with the operations of FinFisher confirmed to Motherboard FinFisher was looking for Symbian capabilities around this time.
A year later, researchers found that Gamma had sold FinSpy to the Bahraini government. Shortly after, researchers uncovered servers related to the malware in Turkmenistan, Turkey, Egypt, Saudi Arabia, and a host of other countries.
As previously highlighted by Forbes, Gamma competitors allegedly found stark similarities behind FinFisher and FlexiSpy code. The hacker who breached FlexiSpy showed Motherboard alleged administrator usernames and passwords for a (currently offline) FinSpy login portal, implying that FlexiSpy employers may have had access. Another document points to a now unavailable section of Vervata's website that allegedly concerned the Gamma project. The exact contours of the relationship between FlexiSpy and Gamma remain murky, however.
Motherboard attempted to contact Raihan, but when reached through a number listed as his in the internal documents, the person on the other end initially identified as Atir, before walking that claim back. Raihan did not respond to emailed requests for comment either.
But he may still be in charge of FlexiSpy's operations: Atir was the company's official CEO as of late last year, according to a dated and signed document included in the hacked data.
"He stumbled on this scheme, and it exploded," the former employee said. "I think nobody was more surprised than he was."
Lorenzo Franceschi-Bicchierai and Max Hoppenstedt contributed reporting.
If you are concerned that consumer spyware may have been installed on your phone, here is some basic advice on what to do next.