Federal judges and ICE agents linked to use of compromised spyware

Sometimes the government spies on you. And sometimes it hires a poorly secured Eastern European company to do it.

Last week, hacktivists released the customer support database of Brainstack, a Ukrainian company that operates a phone surveillance service called mSpy. (It was mSpy’s third security breach in a decade.) The database contains messages from Immigration and Customs Enforcement (ICE) agents, active-duty soldiers, and a U.S. district judge interested in using mSpy for surveillance purposes.

Employees at the U.S. State Department, the Nebraska National Guard, and two federal audit offices turned to mSpy to use the service for official investigations. Many other officials and lower-ranking military personnel appeared to use mSpy to monitor people in their personal lives, but logged in using their government email address. In some cases, it was unclear whether government employees were using mSpy for official or personal purposes.

Even if the private spying served a legitimate purpose—such as parents monitoring their children’s Internet usage—it probably wasn’t the best idea to use a government email account to sign up for foreign spyware with known security issues.

Judge Kevin Newsom, a judge on the 11th Circuit Court of Appeals, logged into an mSpy customer service chat in February 2019 using his official email address. “You can’t reliably monitor Snapchat, and that’s the only reason I have it,” he complained. He sent mSpy a follow-up email requesting a refund, signed with his official title as a judge.

“Judge Newsom has used the court solely in his personal capacity to resolve a family matter,” said Kate Adams, director of labor relations for the 11th Judicial Circuit.

mSpy has already struggled with serious security issues over the past decade. In June 2015, hackers stole data about mSpy’s targets and offered it for sale on the dark web. When cybersecurity journalist Brian Krebs broke the story, mSpy tried to claim the data was fake, then finally admitted to the breach. In September 2018, mSpy accidentally left the same data on a publicly accessible server and then removed it when Krebs noticed.

At the beginning of June 2024, the Swiss hacktivist Maia Arson Crimew, who previously leaked the FBI’s No Fly List, claimed that an “anonymous source” sent her 150 gigabytes of data from mSpy’s customer service department. “With all the stalkerware leaks in the past, it’s usually the victims’ data that gets leaked,” crimew tells Reason via encrypted voice chat. But this leak affected mSpy’s customers, and thus essentially directs surveillance against the monitors.

Last week, the leaked customer data was published on DDoSecrets, a website generally known as a successor to WikiLeaks. (DDoSecrets is also known for hosting BlueLeaks, a massive leak of police records in 2020.) mSpy’s media team did not respond to an email seeking comment on the leak.

Reason checked mSpy data from several hundred American users with .gov and .mil email addresses, out of a total of 2.5 million users. Crimew wrote on her blog that she also found officials from Australia, France, Germany, Italy, Switzerland, Turkey, Israel, Thailand and Vietnam in the data.

Unlike other intelligence services, mSpy requires users to already have confidential access to the target. The software must be installed directly on the target’s phone, iCloud account, or Wi-Fi network. It then provides the user with the target’s call logs, messages, and location data. Brainstack promotes mSpy as a parental supervision tool. Others, however, derogatorily call the service “stalkerware.”

In fact, some of the customer service messages came from federal and local law enforcement officials looking for a way to send mSpy a subpoena or warrant because the service was allegedly used in a crime. A Brazos County, Texas, detective wrote that he was “investigating a case involving a cell phone belonging to our victim that had MSPY illegally installed and is likely being used to track and stalk our victim.”

The US government had previously attempted to crack down on such software. In 2014, the US Department of Justice charged the CEO of the Pakistani spyware service StealthGenie, which operates similarly to mSpy, with selling an illegal listening device. He pleaded guilty and paid a fine of $500,000.

“Spyware is an electronic surveillance tool that secretly and illegally invades the privacy of individuals,” Assistant Attorney General Leslie R. Caldwell said at the time. “Make no mistake: Selling spyware is a federal crime, and the Criminal Division will make it a federal case.”

The mSpy website states that the service is intended only “for use by those who have the legal right to control a device, account, application, or program on which it is installed or on which it is used for parental controls” and that it may not be used “to harass, abuse, stalk, threaten, defame, or otherwise violate or infringe the rights of others.”

Other government officials thought spyware could be useful for official investigations, especially when it came to monitoring employees. Enrique Garcerant, then an investigator for the U.S. Diplomatic Security Service in Ecuador, contacted mSpy in September 2016. “I work for a law enforcement agency in the U.S. and we urgently need the download link for the app. Please help. We are working on a time-sensitive case,” he wrote.

A spokesman for the US State Department declined to answer whether the Diplomatic Security Service used mSpy in an official capacity and only told Reason that “Garcerant no longer works at the State Department.” According to his LinkedIn profile, Garcerant was working at the State Department when he contacted mSpy.

In November 2018, a sergeant with the Nebraska Army National Guard also contacted mSpy to “discuss the pricing of your service and clarify some potential technical questions” surrounding the installation of mSpy on “40 to 70 iOS devices” – as many iPhones as a train. An mSpy sales representative then arranged a phone call with him. The Nebraska National Guard did not respond to an email asking if the purchase had actually been made.

In March 2020, the Social Security Administration’s Office of the Inspector General contacted Brainstack “to see if we could use (mSpy) in some of our criminal investigations.” However, the official noted that there were some concerns about “the storage of potentially sensitive information on your servers.” Again, the Social Security Administration did not respond to a request for comment.

In addition to the privacy and security risks, mSpy also appeared to have poor customer service. Auditors at the General Services Administration, which manages federal agencies and vehicles, purchased a copy of mSpy for “device testing” and then complained in December 2022 that mSpy was charging too much for the software. Orlando Diaz, a spokesman for the Office of the Inspector General, declined to comment.

In September 2017, an Immigration and Customs Enforcement (ICE) agent wrote that his “company” needed an invoice for the mSpy services he had purchased. He wrote again to complain that the invoice did not include a price. ICE did not respond to an email asking if this purchase was for official purposes.

Other ICE officials contacted mSpy for different reasons. One ICE officer asked in January 2023 how she could use mSpy to find her daughter who was “addicted.” ICE’s Homeland Security Investigations division, which deals with gang activity and human trafficking, asked in January 2024 where a subpoena for mSpy user data could be served.

Of course, mSpy was mostly useful to local officials who were in close contact with the people they wanted to spy on and otherwise didn’t have the resources to run an intelligence operation. In November 2020, the Honolulu Department of Environmental Services offered to buy mSpy to monitor the phones of 165 employees. It’s unclear whether the department, which did not respond to a request for comment, ever purchased the spyware.

Some law enforcement agencies have been documented using mSpy professionally. In February 2019, the Benton County Sheriff’s Office in Arkansas requested a trial version of mSpy and subsequently sent positive feedback about the app. The office did not respond to an email asking if mSpy is still being used.

Noel P. Terwilliger, an investigator with the Steuben County District Attorney’s Office in New York, purchased mSpy in December 2018 but decided the software was unnecessary “due to changes in my investigation within minutes of purchase.” A lengthy back-and-forth with mSpy over a refund ensued. Steuben County Access to Records Officer Brenda Scotchmer said she “could not say why the District Attorney’s Office purchased the software in the first place,” referring Reason to District Attorney Brooks Baker, who did not respond to an email seeking comment.

Officers from the Michigan State Police, the Huntsville Police Department in Texas and the Department of Corrections in Washington, DC, purchased mSpy, but the emails did not indicate whether they bought it for personal or official reasons. None of those agencies responded to a request for comment.

While commercial spyware may seem like a cheap method of surveillance, users got exactly the level of security and discretion they paid for, as the leaks make clear. “They pass company data directly to some random private company that is very shady,” says hacktivist crimew. “In general, the way stalkerware companies are run, they don’t care about vulnerabilities.”

And government employees who use spyware in their personal lives, the vast majority of cases that Reason checked, pose an additional security risk. The White House has warned that companies that sell Americans’ personal information pose “privacy, counterintelligence, extortion, and other national security risks.” Officials who enter a .gov or .mil address into a spyware platform are offering themselves up on a silver platter.

Ironically, one of the customer service messages to mSpy came from an army doctor who was upset because his email address had been exposed in a previous data breach.

“I checked my email address against a database of hacked websites and mspy came up. I had to google mspy since I didn’t know your company,” the doctor wrote. “This is especially disturbing since my wife recently accused me of installing spy software on her phone and computer, which I never did.”
