
Spyware maker Bryan Fleming avoids prison sentence

Summary

– Bryan Fleming, founder of spyware company pcTattletale, was sentenced to time served and a $5,000 fine after pleading guilty to federal charges for making and selling spyware for unlawful use.
– His conviction is the first successful U.S. prosecution of a spyware maker since 2014, which may lead to future cases against similar illegal surveillance operations.
– Fleming’s spyware, known as “stalkerware,” was secretly planted on victims’ devices to steal messages, photos, and location data for paying customers.
– A 2024 data breach exposed that over 138,000 customers used pcTattletale, and a separate security flaw had previously leaked millions of victim screenshots to the open internet.
– The company shut down in 2024 after a hack and data breach, joining several other stalkerware makers that have closed following security lapses.

A federal court in San Diego has sentenced the first spyware maker convicted in more than a decade to time served and a fine. Bryan Fleming, who earlier this year pleaded guilty to federal charges related to his surveillance company pcTattletale, received a $5,000 penalty and no prison time. Prosecutors had recommended against incarceration or a financial penalty. This case represents the first successful prosecution of a spyware developer by the U.S. Department of Justice since 2014, a legal milestone that could pave the way for future actions against similar operations.

The charges stemmed from a years-long federal investigation into the consumer spyware industry. Investigators from Homeland Security Investigations focused on Fleming because, unlike many overseas operators, he sold and facilitated the use of his software from within the United States. In a January plea hearing, Fleming admitted to creating, marketing, and selling spyware for unlawful purposes. His attorney did not respond to a request for comment.

Products like pcTattletale are often categorized as stalkerware, software that paying customers covertly install on another person’s device, such as a spouse’s phone, without consent. Once installed, the app secretly uploads messages, photos, location data, and other private information, making it accessible to the person who planted it. According to an affidavit, Fleming in some instances knowingly assisted customers who aimed to spy on nonconsenting adults.

The full scope of pcTattletale’s surveillance is unknown, but a 2024 data breach revealed significant details about its operation. Earlier that year, a security researcher discovered a flaw that exposed millions of real-time screen captures taken from victims’ devices to the open internet. These screenshots included sensitive data from check-in computers at several U.S. hotels that had the software installed, revealing guest and reservation details. Fleming did not address the researcher’s findings or fix the vulnerability.

Shortly after that report, a separate high-profile hack led to website defacement and a major data breach, prompting Fleming to shut down pcTattletale. The hacker exploited a different security flaw to access all files in the company’s cloud storage. The breach exposed information showing that over 138,000 customers had paid to spy on countless victims. Fleming never notified those customers or their victims about the breach, stating at the time that he had deleted everything from his servers. pcTattletale joins other stalkerware makers like LetMeSpy and Spyhide that have been forced offline following security failures.

(Source: TechCrunch)
