90,000 Screenshots: Stalkerware Breach Exposes Intimate Details of Celebrity Surveillance
Security researcher Jeremiah Fowler with Black Hills Information Security discovered a publicly accessible cloud repository containing nearly 90,000 screenshots of a European celebrity's private data compiled using stalkerware. The exposed repository was labeled 'Cocospy', the name of a notorious off-the-shelf spyware tool.
The breach exposed private conversations with models, influencers, and high-profile individuals, partial credit card numbers, and screenshots documenting intimate digital activity. Fowler reported the stalkerware data exposure incident to local law enforcement and attempted to contact the apparent victim.
The Broader Stalkerware Landscape
This celebrity surveillance case emerges against a backdrop of escalating stalkerware incidents. A separate stalkerware data breach in June 2024 potentially affected over 2 million users, including thousands of Apple devices. Neither the targets of the spyware nor the customers of the software were notified of that breach.
Kaspersky's 2023 detection data revealed 31,031 people affected by stalkerware globally, up almost six percent from the prior year. In Europe specifically, Kaspersky detected 2,645 unique cases, with Germany leading at 577 cases, followed by France with 332 and the United Kingdom with 271.
The stalkerware ecosystem continues to evolve despite enforcement actions. The LetMeSpy stalkerware service shut down in 2023 following a data breach in June that exposed user data, yet new services continue to emerge and existing ones persist.
Technical Infrastructure and Attack Vectors
The Cocospy incident illustrates the technical sophistication of modern stalkerware operations. These tools typically operate as mobile applications that provide remote access to target devices, capturing screenshots, keystrokes, messages, location data, and camera feeds. The exposed repository structure suggests automated data collection and storage systems designed for large-scale surveillance operations.
Commercial stalkerware services often market themselves as employee monitoring or parental control solutions, occupying a legal gray area that complicates enforcement. The technical implementation frequently involves legitimate app store distribution, administrative permissions abuse, and cloud infrastructure for data aggregation and client access.
The celebrity surveillance case demonstrates how these tools scale from individual harassment to systematic data collection. The volume—90,000 screenshots—suggests sustained monitoring over an extended period, likely months or years of continuous surveillance.
Privacy Architecture Failures
The public exposure of this surveillance data highlights fundamental security failures within the stalkerware industry itself. Cloud repositories containing sensitive surveillance data should implement access controls, encryption, and audit logging as basic operational security measures. The public accessibility of this particular repository suggests either misconfiguration or deliberate exposure.
For targets of stalkerware, this double breach creates compounded privacy violations. The original surveillance violates personal privacy and potentially criminal statutes, while the subsequent data exposure amplifies the harm through potential distribution and misuse by third parties.
The inclusion of partial credit card numbers in the exposed data suggests the surveillance extended to financial applications and web browsing, indicating comprehensive device compromise rather than targeted application monitoring.
Enforcement and Detection Challenges
The cross-border nature of stalkerware operations complicates law enforcement response. Surveillance targets, perpetrators, stalkerware services, and cloud infrastructure often span multiple jurisdictions, creating enforcement gaps and delayed response times.
From my experience covering cybersecurity incidents over three decades, we have seen this pattern before with other privacy-invasive technologies—from early keyloggers to modern tracking apps. The fundamental challenge remains consistent: the technical barrier to deployment is low, the detection barrier is high, and the legal framework struggles to keep pace with the technology.
Mobile operating system vendors have implemented various anti-stalkerware measures, including app store vetting, runtime permission models, and notification systems for potentially unwanted applications. However, these defenses often rely on user awareness and technical sophistication that many stalkerware targets may lack.
Detection and Mitigation Strategies
For organizations and individuals concerned about stalkerware exposure, detection requires both technical and behavioral indicators. Unusual battery drain, data usage spikes, device performance degradation, and unfamiliar applications can signal compromise. More sophisticated detection involves network traffic analysis and endpoint detection and response tools that can identify suspicious communication patterns.
Mobile device management solutions in enterprise environments can provide additional visibility into installed applications and network communications, though personal device monitoring raises its own privacy considerations.
The technical community continues to develop open-source detection tools and maintain threat intelligence feeds specifically focused on stalkerware indicators of compromise. These resources provide actionable detection signatures for security teams and researchers.
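The indicators described in this section (unfamiliar applications, the capture capabilities stalkerware relies on, and IoC feeds) can be combined into a simple triage pass over an app inventory such as an MDM export. This is an added example, not code from the article or from any tool it mentions; the inventory schema, the permission-to-capability mapping, the threshold, and the `com.example.*` package names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

P = "android.permission."
# Capture capabilities named in the article, mapped to Android permissions
# (assumed mapping; an inventory export may name these differently).
CAPABILITIES = {
    "screen/keystrokes": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "messages": {P + "READ_SMS", P + "BIND_NOTIFICATION_LISTENER_SERVICE"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_BACKGROUND_LOCATION"},
    "camera/mic": {P + "CAMERA", P + "RECORD_AUDIO"},
    "device admin": {P + "BIND_DEVICE_ADMIN"},
}

@dataclass
class App:  # hypothetical inventory record
    package: str
    permissions: set
    has_launcher_icon: bool = True

def triage(apps, ioc_packages, min_groups=3):
    """Return [(package, severity, reasons)] for apps that need manual review.

    Install source is deliberately not used to clear an app, since the
    article notes that distribution often goes through legitimate app stores.
    """
    findings = []
    for app in apps:
        groups = sorted(g for g, perms in CAPABILITIES.items()
                        if perms & app.permissions)
        in_feed = app.package in ioc_packages
        reasons = ["package listed in IoC feed"] if in_feed else []
        if len(groups) >= min_groups:
            reasons.append("broad capture surface: " + ", ".join(groups))
            if not app.has_launcher_icon:
                reasons.append("no launcher icon")
        if reasons:
            severity = "high" if in_feed or len(reasons) > 1 else "review"
            findings.append((app.package, severity, reasons))
    return findings

# Constructed sample data: placeholder package names, not real indicators.
SAMPLE_IOCS = {"com.example.syncservice"}
SAMPLE_APPS = [
    App("com.example.syncservice", {P + "BIND_ACCESSIBILITY_SERVICE",
        P + "READ_SMS", P + "ACCESS_FINE_LOCATION"}, has_launcher_icon=False),
    App("com.example.maps", {P + "ACCESS_FINE_LOCATION"}),
    App("com.example.familyguard", {P + "BIND_ACCESSIBILITY_SERVICE",
        P + "ACCESS_FINE_LOCATION", P + "CAMERA"}),
    App("com.example.updater", {P + "BIND_ACCESSIBILITY_SERVICE",
        P + "BIND_NOTIFICATION_LISTENER_SERVICE", P + "RECORD_AUDIO"},
        has_launcher_icon=False),
]
```

A "review" result is a prompt for a person to look at the app, not a verdict: legitimate accessibility or parental-control tools hold the same permission combinations.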
The exposure of the celebrity surveillance data serves as a stark reminder that even sophisticated surveillance operations remain vulnerable to basic security failures. This incident illuminates both the technical capabilities of modern stalkerware and the persistent security gaps that enable large-scale privacy violations to continue operating in plain sight.

