Cybersecurity experts have long warned of the dual-threat nature of stalkerware, malicious software designed to covertly monitor individuals. While the primary harm of such software is the immediate violation of a victim’s privacy by a known associate, a secondary and often more catastrophic risk involves the security of the data collected by these invasive tools. New research published this week by security investigator Jeremiah Fowler of Black Hills Information Security has brought this theoretical danger into sharp focus, detailing a massive leak of sensitive data belonging to a prominent European celebrity and their high-profile associates. The breach, facilitated by a misconfigured cloud repository, has exposed nearly 90,000 images, including private messages, intimate photos, and financial details, highlighting a systemic failure in the security infrastructure of consumer-grade spyware.

The Discovery of a Vulnerable Trove

The incident came to light when Jeremiah Fowler identified an unsecured cloud repository on the open internet. Unlike corporate databases that are often targeted for financial gain, this repository contained a deeply personal and concentrated collection of data. Fowler’s analysis revealed 86,859 individual screenshots, which appeared to be the chronological record of a single person’s digital life over an extended period. The repository was not protected by a password or any form of access control, meaning anyone with the URL could view, download, or distribute the contents.

The data was organized in a manner consistent with automated surveillance. Fowler noted that the collection consisted entirely of the activities of one individual, capturing every interaction across multiple social media and messaging platforms. The screenshots documented conversations on Instagram, Facebook, TikTok, and WhatsApp, effectively mapping out the victim’s entire social and professional circle. Among the files were numerous "selfies," intimate images, and private photographs that were never intended for public consumption.

The severity of the breach is amplified by the identity of the victim. While Fowler has declined to name the individual to protect their remaining privacy, he confirmed the target is a well-known European celebrity. Furthermore, the collateral damage extends to the celebrity’s contacts, which include models, influencers, and high-profile individuals with social media followings numbering in the millions. This "victimization by association" illustrates how a single instance of stalkerware can compromise the privacy of an entire network of people.

Technical Mechanics: The Cocospy Connection

The repository was identified as being linked to "Cocospy," a notorious brand of off-the-shelf spyware. Stalkerware, often marketed under the guise of "parental monitoring" or "employee tracking" software to circumvent app store regulations, is frequently used by domestic abusers or obsessive associates to track partners without their consent. Cocospy is a prominent player in this industry, offering features that allow a person with physical access to a device to install a "stealth mode" application that remains invisible to the user.

According to Vangelis Stykas, a security researcher and CTO of Kumio AI who has previously analyzed the software, Cocospy’s Android iteration functions as full-blown spyware. Once installed, the application gains broad permissions to access the device’s file system, camera, and microphone. The "stealth mode" mentioned in the software’s marketing materials is particularly invasive; it is designed to take screenshots of the device’s screen at regular intervals (often every few minutes) and upload them to a remote cloud server. This allows the stalker to see exactly what the victim sees. It also sidesteps the end-to-end encryption used by apps like WhatsApp or Signal, because the images are captured on the device itself, where messages are displayed in readable form before encryption or after decryption.

The exposed dataset discovered by Fowler spanned a timeline from mid-2024 to mid-2025, suggesting a prolonged period of surveillance. The data did not just include social interactions; it captured business invoices, personal payment details, phone numbers, and partial credit card information. This variety of data transforms a privacy violation into a significant identity theft and financial fraud risk.

Chronology of Stalkerware Vulnerabilities

The exposure of the Cocospy repository is not an isolated incident but rather the latest in a series of security failures within the stalkerware industry. The history of these applications is marked by a recurring pattern of data leaks and poor security practices:

  • Early 2023: Several spyware applications sharing similar source code, including Cocospy, faced scrutiny after researchers identified flaws that exposed user information and victim data.
  • May 2025: Reports indicated that Cocospy and related apps went offline following a significant data breach. This breach exposed the email addresses of millions of Cocospy customers—the individuals purchasing the software to spy on others—as well as the troves of data gathered from their victims.
  • Late 2025: The discovery by Jeremiah Fowler confirms that despite previous outages and public exposure, data collected by these tools remains vulnerable on the open internet due to persistent misconfigurations.

Historically, the stalkerware industry has been plagued by "leaky" databases. In 2021, the Federal Trade Commission (FTC) took unprecedented action against SpyFone, a similar stalkerware provider, banning it from the surveillance business for failing to secure the data it collected. The FTC noted that SpyFone had left sensitive data—including photos and real-time GPS locations—accessible to anyone on the internet. The current Cocospy leak follows this same trajectory, where the very tools used for illicit surveillance become the gateways for wider public exposure.

Broader Impact and the Victimization Chain

The implications of this breach extend far beyond the primary victim. In a journalistic context, the "victimization chain" refers to the secondary individuals whose data is captured through no fault of their own. When a celebrity’s phone is compromised by stalkerware, every person they communicate with is effectively being surveilled by proxy.

In this specific case, Fowler highlighted that the screenshots captured private business negotiations, invoices, and sensitive personal exchanges with other high-profile figures. For influencers and models, whose livelihoods often depend on their public image and private brand partnerships, the exposure of such data can lead to professional ruin, blackmail, or harassment. The presence of nudity and intimate photos in the dataset adds a layer of "non-consensual intimate imagery" (NCII) risk, which is a criminal offense in many jurisdictions.

Fowler’s decision to report the incident to local law enforcement and the cloud service provider, rather than releasing the victim’s name, underscores the ethical complexities of such discoveries. "Even though this is a very public person, even public people deserve privacy," Fowler stated. His intervention led to the cloud service provider contacting the owner of the data to secure the repository, though it remains unclear how many third parties may have accessed the files before they were taken down.

Analysis of the Stalkerware Industry and Legal Landscape

The existence and proliferation of tools like Cocospy represent a significant challenge for digital rights advocates. Organizations such as the Coalition Against Stalkerware, which includes members like the Electronic Frontier Foundation (EFF) and various cybersecurity firms, have worked to raise awareness and improve detection of these apps. However, the industry remains resilient, often operating in legal gray areas by incorporating in jurisdictions with lax privacy laws.

From a legal perspective, the use of stalkerware is increasingly being recognized as a form of domestic abuse and a violation of federal and international wiretapping laws. In the United States, the Safe Connections Act was designed to help survivors of domestic violence cut ties with abusers who use shared phone plans and connected devices for surveillance. In Europe, the General Data Protection Regulation (GDPR) imposes strict penalties for the mishandling of personal data. However, these regulations are difficult to enforce against stalkerware developers who often mask their identities and business locations.

The technical analysis of the breach suggests that the "true privacy disaster" predicted by advocates has become a reality. The risk is twofold: the immediate harm of being stalked, followed by the permanent harm of having the collected data leaked to the public. As long as these applications prioritize the "stealth" of their software over the security of their storage, victims of stalkerware will remain at risk of secondary breaches.

Conclusion and Security Recommendations

The exposure of nearly 90,000 images belonging to a European celebrity serves as a stark reminder of the dangers inherent in the surveillance-for-hire market. It illustrates that the "clients" of stalkerware are not the only ones with access to the stolen data; due to systemic negligence, the entire internet can become a spectator to a victim’s most private moments.

For individuals concerned about stalkerware, security experts recommend several proactive steps:

  1. Check for Unrecognized Apps: Regularly review the list of installed applications on mobile devices, looking for apps with generic names like "System Update" or "Device Health" that have extensive permissions.
  2. Monitor Battery and Data Usage: Stalkerware often runs in the background, leading to unusual battery drain or unexplained spikes in data usage.
  3. Use Hardware Security: Ensure devices are protected by strong biometric locks or passcodes that are not shared with anyone.
  4. Factory Resets: In cases where a device is suspected to be compromised, a factory reset is often the only way to ensure the removal of deep-seated stalkerware, though users should be cautious as this may also alert the person monitoring them.
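
The first recommendation above can be applied systematically to an app inventory. The following Python script is an added example, not part of the original article or any tool it describes: it flags user-installed apps whose label imitates an OS component and ranks them by how much of the access described earlier (files, camera, microphone) they hold. The inventory, its field names, the package names and the extra generic words are constructed assumptions.

```python
# Android permissions matching the access the article describes.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
    "android.permission.READ_MEDIA_IMAGES": "files",
}
# Words that make a label sound like an OS component. "System Update" and
# "Device Health" come from the article; the other words are assumptions.
GENERIC_WORDS = {"system", "update", "device", "health", "service", "services", "sync"}

# Constructed inventory (hypothetical packages and field names).
# "system" means the package ships in the system image rather than being installed later.
APPS = [
    {"label": "System Update", "package": "com.example.sysupd", "system": False,
     "permissions": ["android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                     "android.permission.MANAGE_EXTERNAL_STORAGE"]},
    {"label": "System Update", "package": "com.example.vendor.ota", "system": True,
     "permissions": ["android.permission.INTERNET"]},
    {"label": "Camera Pro", "package": "com.example.camerapro", "system": False,
     "permissions": ["android.permission.CAMERA", "android.permission.RECORD_AUDIO"]},
    {"label": "Device Health", "package": "com.example.health", "system": False,
     "permissions": ["android.permission.INTERNET"]},
]

def is_generic_label(label):
    """True when every word of the label is a generic OS-sounding word."""
    words = label.lower().split()
    return bool(words) and all(w in GENERIC_WORDS for w in words)

def triage(apps):
    """Return (package, level, access) for user-installed apps with generic labels."""
    findings = []
    for app in apps:
        if app["system"] or not is_generic_label(app["label"]):
            continue  # preinstalled, or an ordinarily named app such as a camera
        access = sorted({SENSITIVE[p] for p in app["permissions"] if p in SENSITIVE})
        level = "high" if len(access) >= 2 else "review"
        findings.append((app["package"], level, access))
    return sorted(findings, key=lambda f: f[1] != "high")  # "high" entries first

if __name__ == "__main__":
    for package, level, access in triage(APPS):
        print(f"{level:6} {package}  access: {', '.join(access) or 'none'}")
```

A "high" result is a prompt for manual review of that app, not proof that it is stalkerware.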

As the investigation into the Cocospy repository concludes, the cybersecurity community continues to call for more stringent regulations on the sale and operation of surveillance software. The incident confirms that in the world of stalkerware, there is no such thing as a "secure" breach of privacy; once the data is taken, it is only a matter of time before it is exposed.

By admin
