TL;DR: A hacktivist going by "wikkid" scraped 536,000 payment records from Struktura, a Ukrainian company running stalkerware apps under the UK brand Ersten Group. The exposed data includes customer emails, which spy app they bought, how much they paid, and partial credit card details. Apps affected include uMobix, Xnspy, Geofinder, and Peekviewer. The company's own CEO appeared in the leaked data. Neither Struktura nor its CEO Viktoriia Zosim responded to press inquiries.
The Hunters Become the Hunted
On February 9, 2026, half a million people who paid to secretly spy on their partners got a taste of their own medicine.
A hacktivist using the alias "wikkid" exploited what they called a "trivial" bug in a stalkerware vendor's website to scrape 536,000 customer payment records. The data landed on a hacking forum within hours. Names aren't in the dump, but email addresses are, and for anyone buying spouse-monitoring software, an email address is identifying enough.
The company behind the apps is Struktura, a Ukrainian operation that hid behind a UK-facing brand called Ersten Group. CEO Viktoriia Zosim ran the show. Her name turned up in the leaked data too: early transaction records linked directly to her.
When TechCrunch reached out for comment, neither Struktura nor Zosim said a word.
The Apps People Were Buying
Struktura wasn't running one stalkerware app. It was running a whole portfolio:
- uMobix: Phone tracker. Monitors calls, texts, photos, browsing history, and GPS location. Marketed for "parental monitoring." Used overwhelmingly by jealous partners.
- Xnspy: Full-spectrum stalkerware. Records calls, reads messages, tracks location, accesses social media accounts. Already leaked victim data once before, in 2022. Kept operating.
- Geofinder: GPS tracking by phone number. Find anyone's location without installing software on their device.
- Peekviewer (formerly Glassagram): Claims to let you view private Instagram accounts. Whether it actually works or just takes your money is debatable.
The leaked records show exactly which app each customer bought, how much they paid, what type of card they used (Visa, Mastercard), and the last four digits. Years of transaction history, all scraped through one bug.
How It Happened
The security was as bad as you'd expect from companies that sell illegal surveillance tools.
The hacktivist told TechCrunch they found a "trivial" vulnerability in Struktura's website. That alone was enough to pull the entire customer database. But there was more: the company's checkout pages let anyone retrieve complete customer and transaction details using nothing but an invoice number. No login required. No authentication at all.
TechCrunch independently verified the breach by testing email addresses against the company's password reset system and matching invoice numbers through the unsecured checkout pages. The data was real.
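The checkout flaw described above is a missing authorization check: the invoice number was the only thing needed to read a record. The sketch below is an added example, not Struktura's code (the page does not describe its implementation); the record layout, function names, and sample values are all hypothetical. It contrasts that pattern with a lookup that requires either the owner's session or a signed receipt-link token.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; every name and value here is hypothetical.
INVOICES = {
    1001: {"owner": "a@example.test", "product": "plan-a", "amount": 49.99, "card_last4": "4242"},
    1002: {"owner": "b@example.test", "product": "plan-b", "amount": 29.99, "card_last4": "1111"},
}
LINK_KEY = secrets.token_bytes(32)  # server-side secret used to sign receipt links


def lookup_vulnerable(invoice_id):
    """The pattern the article describes: the invoice number is the only credential."""
    return INVOICES.get(invoice_id)


def sign_link(invoice_id):
    """Token placed in the e-mailed receipt link; not derivable from the number alone."""
    return hmac.new(LINK_KEY, str(invoice_id).encode(), hashlib.sha256).hexdigest()


def lookup_hardened(invoice_id, session_email=None, link_token=None):
    """Return a minimal view only to the owner's session or a valid signed link."""
    record = INVOICES.get(invoice_id)
    token_ok = link_token is not None and hmac.compare_digest(
        link_token.encode(), sign_link(invoice_id).encode())
    owner_ok = record is not None and session_email == record["owner"]
    if record is None or not (token_ok or owner_ok):
        return None  # same answer for "missing" and "not yours": no enumeration oracle
    # Disclose only what a receipt page needs: no e-mail address, no card digits.
    return {"invoice": invoice_id, "product": record["product"], "amount": record["amount"]}


def exposed_by_walk(lookup, start, stop):
    """Regression check: how many records does a sequential ID walk return?"""
    return sum(1 for i in range(start, stop) if lookup(i) is not None)
```

Running `exposed_by_walk` against each lookup in a test suite catches a regression to the unauthenticated behaviour before it ships.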
When asked about motivation, wikkid kept it simple: they "have fun targeting apps that are used to spy on people."
27 Stalkerware Companies Breached Since 2017
This isn't an anomaly. It's a pattern so consistent it's basically a rule: if you build stalkerware, you will get hacked.
TechCrunch has tracked at least 27 stalkerware companies that have been breached or had customer data exposed since 2017. The list reads like a graveyard:
- pcTattletale: 138,000 customer accounts exposed in 2024. Founder Bryan Fleming pleaded guilty in January 2026, faces 15 years.
- SpyX: Breached in 2025, customer and victim data leaked.
- Cocospy, Spyic: Both breached in 2025, surveillance data exposed.
- Xnspy: Leaked victim data in 2022. Kept operating. Now its parent company got breached again.
- LetMeSpy: Breached so badly it shut down entirely.
Companies that can't even build a secure login page are selling tools to intercept your partner's most private communications. The irony writes itself.
The Shell Game
Struktura's corporate structure tells you everything about how the stalkerware industry works. Ukrainian company. UK-facing brand (Ersten Group). Multiple apps under different names. Same infrastructure, same checkout system, same trivial bugs.
The layered corporate structure exists for one reason: to make it harder to hold anyone accountable. When one app gets shut down, the rest keep running. When regulators come knocking in one country, the company is technically headquartered somewhere else.
That CEO Viktoriia Zosim's own transactions appear in the leaked database suggests either she was testing the products herself or the company's record-keeping was as sloppy as its security. Possibly both.
What This Means for the 536,000
The exposed customers are in an awkward position. Their emails are now public, tied to specific stalkerware purchases. Anyone with the dump can search for a specific email and find out:
- Which spy app they bought
- When they bought it
- How much they spent
- Whether they're a repeat customer
For people using these apps to stalk partners or exes, this is evidence. Divorce lawyers, prosecutors, and domestic violence organizations can now cross-reference this data.
There's a reason stalkerware companies promise anonymity to their customers. The buyers know what they're doing is wrong. Many know it's illegal. That's why they were willing to hand credit card details to a Ukrainian company with a fake UK storefront and zero security.
Enforcement Is Catching Up
The stalkerware industry operated with near-total impunity for a decade. That's changing, slowly.
In January 2026, pcTattletale founder Bryan Fleming pleaded guilty to federal hacking charges. He faces 15 years. It was only the second federal stalkerware prosecution in over a decade, but combined with this hacktivist exposure, the industry is facing pressure from both sides: law enforcement and vigilante hackers.
Payment processors are another chokepoint. When customer data gets dumped publicly, Visa and Mastercard tend to notice. Stalkerware vendors are already having trouble finding payment processors willing to work with them. This dump makes that problem much worse.
Struktura's entire product line (uMobix, Xnspy, Geofinder, Peekviewer) may face payment processing shutdowns. No payments, no business.
The Bigger Picture
Stalkerware occupies a specific, ugly niche in the surveillance ecosystem. These aren't government agencies buying Pegasus. They're not corporations tracking employees. They're individuals (overwhelmingly men) paying $30 to $80 a month to secretly read their partner's texts, track their location, and access their photos.
The apps are marketed with language like "catch a cheater" and "monitor your children." Everyone involved knows what they're actually used for. The buyers know. The sellers know. And now, thanks to wikkid, the rest of us know who the buyers are.
536,000 people decided that secretly surveilling someone was worth the risk of handing their credit card to an anonymous Ukrainian company. Every single one of them just learned what the people they were spying on already knew: privacy violations cut both ways.
References
- TechCrunch - Hacktivist scrapes over 500,000 stalkerware customers' payment records (February 2026)
- TechCrunch - Hacked, leaked, exposed: Why you should never use stalkerware apps (February 2026)
- TechBuzz - Hacktivist Exposes 536,000 Stalkerware Buyers in Security Breach (February 2026)
- NewsBytes - Hacker leaked data of 536,000 stalkerware customers (February 2026)
- The Meridiem - Stalkerware Market Hits Inflection as Hacktivists Expose 500K Customer Records (February 2026)