The discovery of a massive, unsecured cloud repository has laid bare the devastating reality of stalkerware, a category of malicious software designed to facilitate clandestine surveillance of individuals. In a report released on Thursday, security researcher Jeremiah Fowler of Black Hills Information Security detailed the exposure of nearly 90,000 screenshots belonging to a prominent European celebrity. The data, which was accessible on the open internet without any password protection or encryption, provides a harrowing look into the victim’s private life, encompassing everything from intimate messages and personal photographs to sensitive financial information.

Stalkerware, often marketed under the guise of "parental control" or "employee monitoring" tools, allows an aggressor to infect a target’s device and silently harvest data. This includes text messages, real-time location tracking, call logs, and, as evidenced by this recent discovery, frequent screenshots of the device’s display. While the initial infection is a profound violation of privacy, digital rights advocates have long warned of a "secondary breach" risk: the possibility that the data collected by these invasive tools will eventually be exposed by the very companies or individuals who gathered it. This latest incident serves as a definitive example of that worst-case scenario.

The Discovery and Scale of the Exposure

Jeremiah Fowler, a veteran researcher known for identifying misconfigured databases, located the repository during a routine sweep of publicly accessible cloud storage. The database was named "Cocospy," a direct reference to a notorious stalkerware application that has previously been the subject of security controversies. Upon analysis, Fowler discovered 86,859 individual images, the vast majority of which were screenshots captured from a single mobile device.

The contents of the repository were exhaustive.
"All the selfies were one person, all the chats were one person," Fowler stated, noting that the software had categorized communications based on the platform used, including Instagram, Facebook, TikTok, and WhatsApp. The data did not merely compromise the primary victim; it effectively surveilled everyone with whom the celebrity interacted. Among the exposed files were private conversations with fashion models, social media influencers, and other high-profile figures, some of whom boast millions of followers.

The sensitivity of the data cannot be overstated. Beyond personal imagery and "nudity that you wouldn’t want out in the public," the screenshots captured business negotiations, invoices, partial credit card numbers, and private phone numbers. By capturing the screen in real-time, the stalkerware bypassed the end-to-end encryption of apps like WhatsApp and Signal, as the images were taken before or after the messages were encrypted for transmission.

Chronology of the Incident and Tool History

The timeline of the data exposure suggests a sustained period of surveillance and a subsequent failure of the digital infrastructure used to host the stolen information.

Mid-2024 to Mid-2025: Based on Fowler’s analysis, the timestamps on the screenshots indicate that the surveillance campaign was active for approximately one year, ending in mid-2025.
Early 2025: Cocospy and several affiliated apps, which shared significant portions of their source code, reportedly went offline. This followed a series of reports by technical outlets like TechCrunch, which highlighted massive security vulnerabilities within the apps’ backend systems.
May 2025: Reports surfaced that Cocospy had suffered a major data breach, exposing the email addresses of millions of its customers and potentially leaving the data of their victims vulnerable to third-party access.
Current Week: Fowler publishes his findings regarding the specific repository containing the European celebrity’s data, confirming that the information remained exposed long after the service ostensibly ceased operations.

Fowler noted that while most corporate data leaks are the result of professional oversights by IT departments, this specific repository appeared to be managed or owned by an individual user of the stalkerware. After discovering the cache, Fowler attempted to contact the victim but eventually notified the cloud service provider hosting the data. The provider subsequently contacted the account holder to secure the files. Fowler has opted not to name the celebrity, the cloud host, or the specific law enforcement agencies involved to protect the victim’s remaining shred of privacy.

The Mechanics of Stalkerware: A Technical Overview

To understand the gravity of this breach, one must understand how tools like Cocospy operate. Vangelis Stykas, the cofounder and CTO of Kumio AI, has performed extensive technical audits of Cocospy and similar applications. He describes the Android version of the software as "full-blown spyware."

Stalkerware typically requires brief physical access to the target device for installation, though some versions can be deployed via phishing links. Once installed, the app often disguises itself using a generic name like "System Update" or "Battery Saver" and hides its icon from the home screen. It then requests broad administrative permissions, allowing it to record audio, access the camera, and track GPS coordinates.

The "stealth mode" mentioned in Cocospy’s marketing materials is particularly insidious. It is programmed to take screenshots of the device’s screen at regular intervals—sometimes every few minutes—and upload them to a remote server. This creates a chronological visual record of everything the user does, including reading emails, checking bank balances, or engaging in private video calls.
Stykas emphasizes that having access to a person’s phone in this manner provides "unobstructed access to all of his or her life."

The Legal and Ethical Gray Market

The marketing of Cocospy reflects a broader trend in the "gray market" of surveillance technology. Before being taken offline, the Cocospy website billed its services as a "remote surveillance" solution for "parental control." The site promised users the ability to "track locations, messages, calls, and apps" while remaining "100% discreet." While a disclaimer at the bottom of the site claimed the software was "FOR LEGAL USE ONLY," the features provided—such as stealth mode and the ability to read encrypted chats—are explicitly designed to facilitate non-consensual monitoring. Legal experts argue that these disclaimers are often a thin veil intended to protect the developers from liability while they profit from tools frequently used in domestic abuse and criminal harassment.

Katy Brookfield, an associate professor of criminology at the University of Nottingham, notes that technology-facilitated abuse is a growing epidemic. Her research indicates that abusers will utilize any available technology to monitor and control their partners. "We know they’re accessing this data. We know they’re sometimes storing this data," Brookfield said. The transition of this data from a private "spy" account to a public-facing cloud repository compounds the trauma, moving the abuse from a localized domestic situation to a global privacy disaster.

Broader Implications and the Risk of "Double Victimization"

The exposure of the European celebrity’s data highlights the "double victimization" inherent in the stalkerware industry. The first victimization occurs when the software is installed and the individual’s privacy is stripped away by someone they likely know.
The second victimization occurs when the stalkerware company—which often operates with lax security standards—suffers a breach, or when the stalker themselves fails to secure the harvested data.

This creates a permanent digital threat. Once sensitive images or financial details are leaked onto the open internet, they can be indexed by search engines, archived by malicious actors, or sold on dark web forums. For high-profile individuals, this can lead to:

Extortion and Blackmail: Threat actors may use the exposed nudes or private business invoices to demand payment from the celebrity or their associates.
Identity Theft: The presence of payment details and partial credit card numbers provides a foundation for sophisticated financial fraud.
Doxing and Harassment: If contact details are released, the victim and their associates may face a deluge of unsolicited messages, threats, or physical stalking.
Reputational Damage: Private conversations taken out of context or intimate photos can be used to damage professional careers and personal relationships.

Fowler’s research also points to a disturbing trend where communities of men online share hacking tools and doxing techniques to target women. The intersection of stalkerware and these predatory online subcultures creates an environment where personal data becomes a weapon for social and psychological warfare.

Conclusion and Future Outlook

The case of the 90,000 screenshots is a stark reminder that the digital age has provided new, devastating tools for old patterns of abuse. While the specific repository found by Fowler has been secured, the underlying problem remains. As long as stalkerware apps are allowed to operate under the guise of "parental monitoring," and as long as they prioritize surveillance over the security of the data they steal, more victims will find their most private moments exposed to the world.
Digital security experts recommend that individuals regularly check their devices for unknown apps with broad permissions and use reputable antivirus software that can detect known stalkerware signatures. However, for many victims, the damage is done the moment the software is installed. The findings released this week underscore the urgent need for stricter regulation of the surveillance software industry and more robust legal protections for victims of digital domestic abuse. As Fowler aptly noted, "Even public people deserve privacy," and the failure to protect that privacy is a failure of the entire digital ecosystem.
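
The device check recommended above can be sketched in code. This is an added example, not code from the researchers or any tool named in the article: it scores an app inventory against the traits described in the technical overview (broad permissions, a hidden icon, elevated control, a generic system-style name). The inventory schema, package names and threshold are assumptions made for illustration; the permission strings are standard Android permission names.

```python
# Added example: triage of an Android app inventory for the traits the article
# attributes to stalkerware. All package names and records are constructed.
P = "android.permission."
SENSITIVE = {  # real Android permission names -> short description
    P + "RECORD_AUDIO": "microphone",
    P + "CAMERA": "camera",
    P + "ACCESS_FINE_LOCATION": "location",
    P + "READ_SMS": "sms",
    P + "READ_CALL_LOG": "call log",
}
DISGUISES = ("system update", "battery saver")  # labels named in the article

def record(label, perms, system=False, icon=True, admin=False, a11y=False):
    """Build one inventory record (hypothetical schema for this example)."""
    return {"label": label, "permissions": [P + p for p in perms],
            "system": system, "launcher_icon": icon,
            "device_admin": admin, "accessibility_service": a11y}

def triage(app):
    """Return the list of stalkerware-like traits one app shows."""
    if app["system"]:  # assumption: preinstalled apps are reviewed separately
        return []
    reasons = []
    held = sorted(SENSITIVE[p] for p in app["permissions"] if p in SENSITIVE)
    if len(held) >= 3:
        reasons.append("broad access: " + ", ".join(held))
    if not app["launcher_icon"]:
        reasons.append("no launcher icon")
    if app["device_admin"] or app["accessibility_service"]:
        reasons.append("device-admin or accessibility control")
    if any(d in app["label"].lower() for d in DISGUISES):
        reasons.append("system-style label on a user-installed app")
    return reasons

def review(inventory, threshold=2):
    """Packages showing at least `threshold` traits, most traits first."""
    hits = {pkg: triage(app) for pkg, app in inventory.items()}
    flagged = [(pkg, r) for pkg, r in hits.items() if len(r) >= threshold]
    return sorted(flagged, key=lambda item: -len(item[1]))

INVENTORY = {  # constructed sample data
    "com.example.videochat": record(
        "Video Chat", ["CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION"]),
    "com.example.dialer": record(
        "Phone", ["READ_CALL_LOG", "READ_SMS", "RECORD_AUDIO"], system=True),
    "com.example.sysupd": record(
        "System Update", ["RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION",
                          "READ_SMS"], icon=False, a11y=True),
    "com.example.saver": record("Battery Saver", ["ACCESS_FINE_LOCATION"], icon=False),
}
```

A single trait is common among legitimate apps (the sample video-chat app holds three sensitive permissions), which is why the review only reports packages that combine several.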