Tech Gadget Central Latest Tech News and Reviews
Benjamin, 44, lives near the park in a trendy downtown Dallas neighborhood. He avoids social media. Fort Worth neighbor Dulce, 42, lives in a gated community with terraced houses and green lawns.
They look like online entrepreneurs with modest incomes. The two make huge profits by selling access to TheTruthSpy, a collection of Android “stalkerware” surveillance apps like Copy9 and MxSpy that have compromised hundreds of thousands of phones worldwide.
Benjamin and Dulce are part of a network of Americans selling phone spyware, which hides 1Byte, a Vietnam-based startup.
Benjamin and Dulce sell the same apps and live near each other, which seems unlikely, but they have one important thing in common: they only exist on paper.
TheTruthSpy brought 1Byte tens of thousands of dollars in monthly PayPal transactions from customers for years. Its popularity caused new issues. Selling spyware is risky, especially in the US, where TheTruthSpy was in demand. PayPal would occasionally flag transactions and restrict the spyware maker’s accounts and funds. Customers wanted to pay by credit card, but the startup would have had to fill out stacks of applications and paperwork, exposing the operation.
Based on hundreds of leaked documents, can now reveal how the spyware operation evaded detection for so long.
1Byte used fake identities with forged American passports to cash out customer payments into bank accounts they controlled from its Vietnam software house. This stateside expansion allowed the startup to remain anonymous while earning at least $2 million in customer payments since 2016. If authorities found, seized, or shut down the operation, the fake sellers would be blamed. Since they gave fake addresses, the feds couldn’t find them.
The scheme exploited weaknesses in tech and financial system fraud safeguards like “know your customer” checks for identity verification, which are meant to prevent organized crime gangs and money launderers from opening fraudulent accounts or moving funds using forged or stolen documents.
Received a massive TheTruthSpy server cache last year. TheTruthSpy’s master database, containing nearly 400,000 compromised devices, was exfiltrated. Created a free lookup tool using the data.
The leaked data also shows 1Byte’s global surveillance ring. Years of 1Byte’s financial spreadsheets and customer transactions, including stalkerware buyers, are revealed. Has seen paper applications the startup submitted to credit card processors with fake seller information. We’ve seen their forged government IDs—passports, driver licenses, and Social Security cards—and utility bills of about a dozen manufactured identities.
The stalkerware maker deposited millions of dollars in illegal customer payments into its bank accounts using this complex system of fake identities.
Benjamin and Dulce appear American on paper. Has seen their open and signed passports, utility bills with account numbers and electricity usage, and signed Social Security cards.
With a closer look, the sellers’ identities fall apart. A Vietnamese photographer’s website was scraped for Benjamin’s passport photo. Dulce’s driver license and passport used heavily photoshopped faces of real people, possibly to avoid facial recognition checks. Dulce’s signed Social Security card has a 1978-deceased man’s number.
The moneymakers
Dulce and Benjamin made 1Byte millions for almost a decade.
1Byte initially processed TheTruthSpy payments through PayPal. The startup’s many spyware websites’ checkouts would sell the software, and PayPal would handle the rest. 1Byte controlled Dulce and Benjamin’s PayPal accounts, which received the money.
PayPal tax documents show that Dulce earned $239,000 in 2016 and $886,000 in 2017 from selling TheTruthSpy through PayPal alone. Benjamin sold Copy9 and MxSpy, two other cloned stalkerware apps, through PayPal for tens of thousands of dollars each month.
1Byte knew PayPal had limits, but these were large sums.
The spyware maker claimed access to at least two dozen PayPal accounts to keep its money flowing, according to leaked notes from 1Byte employees managing the accounts. Customers would receive full-year subscriptions for resolving disputes that PayPal’s human moderators might have noticed. One note advised against “moving money too fast,” “taking in too much money at once,” and “receiving money through different accounts so the funds are more dispersed” to avoid PayPal’s suspicion.
It mostly worked. But they couldn’t process credit cards fast enough to meet demand.
1Byte wanted to distance itself from its spyware business, which is risky. Credit card processors avoid selling products or services that could put them at risk. Spyware is risky like porn, drugs, and guns. PayPal, which prohibits customers from selling software that facilitates illegal activity, could have discovered and shut down the operation at any time.
Another note in the leaked cache described the startup’s situation. John, a California-based American businessman, appears to be deeply involved with 1Byte and the spyware operation. The note is a copy of his email. John, like Dulce and Benjamin, is a 1Byte sock puppet.
John writes in the email that his partners, 1Byte, own websites and want card payments. John says PayPal has processed tens of thousands of dollars a month for the websites. John gave his contacts kickbacks for credit card payments.
Business boomed after 1Byte allowed credit card payments. Why not reuse the startup’s successful forged identities?
In late 2017 and early 2018, the spyware maker switched from PayPal to smaller payment facilitators like software reseller companies, which worked with riskier sellers but charged higher fees. Selling intangible, digital products from unknown developers is riskier for credit card processors than shipping physical goods. Phone spyware is notoriously buggy and can generate many customer complaints, regardless of its legality.
Success was fleeting. Some payment processors realized they were selling software.
In January 2018, 1Byte signed a contract with a small European payment processor using Dulce’s identity. Since Dulce’s fake documents didn’t raise any red flags, the payment processor told that its third-party “know your customer” checker approved the spyware maker.
The payment processor noticed a pattern of new account sign-ups and became suspicious. It froze the infringing accounts before removing TheTruthSpy’s money-making sock puppets. The payment processor’s documents showed that 1Byte employees and director Van Thieu had Vietnamese bank accounts linked to the accounts it froze.
When 1Byte couldn’t rely on an outside checkout provider, it started using its own. The startup built Affiligate, its own checkout website, to scale. By 2020, Affiligate processed most customer payments.
Affiligate was created by 1Byte to sell apps. 1Byte employees used Affiligate to sell TheTruthSpy and its many clones. Since their personal email addresses also leaked, employees created marketplace accounts without considering the site’s poor security.
Affiligate appeared to outsiders as a software reseller marketplace, but it was actually a checkout service that funneled customer payments for 1Byte’s many stalkerware products into accounts it controlled. Affiligate, like most companies today, still outsourced credit card processing.
1Byte, like millions of other small businesses worldwide, used Stripe to process most customer payments, which continued as we reported this story. Stripe’s ability to integrate its payment technology with a few lines of code helped it become one of the world’s largest and most ubiquitous payment processors, peaking at $95 billion.
1Byte scaled credit card processing by creating accounts and integrating Stripe’s checkout code.
1Byte meticulously recorded customer transactions despite its many flaws. Leaked logs show over 55,000 customer transactions between September 2017 and November 2022, totaling over $2 million in spyware sales. Copy9 and MxSpy trailed TheTruthSpy, which generated almost 90% of 1Byte’s revenue.
Stripe processed most spyware operation transactions, according to logs. Customers can still view their receipts on Stripe’s website using the web addresses in the logs. The logs indicate that PayPal and other smaller processors processed the remaining transactions.
After contacting Stripe for comment, Affiligate’s customer checkouts stopped working. Company policy prevented Stripe from commenting on specific accounts.
PayPal stated: “We regularly assess activity against our policies and carefully review actions reported to us, and will discontinue our relationship with account holders who violate our policies. We cannot discuss specific accounts for privacy reasons.”
Dulce and Benjamin were two of many false American identities in 1Byte’s dossier of identities that helped prop up the operation over the years: John in California; Alex in New York; Brian in Los Angeles; and Angelica, who shares a surname with Dulce and whose forged documents list an address nearby in Fort Worth, but does not exist.
1Byte forged passports, driver licenses, and U.S. residency documents like utility bills to do it. The spyware maker created dedicated email addresses for merchant account setup and “burner” disposable U.S. phone numbers to fool U.S. companies into thinking they were dealing with real Americans.
1Byte kept copies of the original passports, driver licenses, state IDs, and a fake U.K. driver license, which were forged.
Banks, credit card providers, software resellers, and payment merchants must screen customers to prevent identity fraud and money laundering. However, convincing forgeries will pass.
1Byte was messy too. Two Social Security numbers assigned to forged identities were deceased. The Social Security Death Index, a commercially available list of Social Security numbers whose deaths were reported to the U.S. government until early 2014, lists the two cards as sequential. The Social Security Administration does not reuse deceased Social Security numbers.
Some utility bills had nonexistent home addresses. Several forged government documents had minor typos.
Due to a mistake, 1Byte employees signed several merchant and payment processor agreements using the forged identities of Dulce and Benjamin.
Employees may not have noticed that the agreements they signed, photographed, and submitted contained hidden metadata that revealed the exact location and timestamp of the photos. The metadata showed 1Byte in Vietnam signed and photographed the agreements.
Another photo showed 1Byte’s director Van Thieu’s Vietnamese identity card with similar metadata.
Thieu said he left the operation “because I know it [spyware] is illegal in some countries” when contacted. Thieu did not discuss his 2016 involvement with the operation or how his personal information leaked. “This kind of this product is not allowed in most countries, so we have decided not to sell this product anymore,” TheTruthSpy’s website stated shortly after.
The handlers
The startup kept a spreadsheet of all its handlers and fake identities.
Unlike Dulce and Benjamin, whose photos were scraped from the internet and sometimes modified, these real-world handlers are shown holding up their passports to their faces, a common “know your customer” request used by a human verifier to verify a person’s documents. These photos are harder to fake. One photo shows a handler’s older relative holding her passport with the same surname.
Another handler, whose passport was stored on 1Byte servers, reviews stalkerware apps like TheTruthSpy on YouTube. After installing the location-grabbing app on his phone, the handler accidentally revealed his home address in one of his spyware demonstration videos.
Poor security and leaky servers exposed 1Byte’s role in the operation.
1Byte had other security issues. TheTruthSpy’s server was ransomware-attacked in August 2020. Someone had hacked the spyware maker’s servers or stolen the massive phone data cache.
The dossier of forged identities, broken financial system checks, and handlers were not the only reasons 1Byte made millions selling phone spyware. For years, US authorities overlooked TheTruthSpy’s servers.
1Byte hosted tens of terabytes of phone data, much of it from American victims, in Texas web hosting data centers.
Codero hosted TheTruthSpy’s infrastructure and massive data banks in 2017. TheTruthSpy was a paying customer until February 2023, when Codero abruptly removed it from its network and the internet. A Codero executive told that the web host terminated TheTruthSpy for violating its terms of service, but that a federal investigation prevented it from doing so sooner.
1Byte moved to Hostwinds, a nearby web hosting company, to recover from its backups. The Codero executive emailed Hostwinds CEO Peter Holden to inform him that “bad actors” had moved to his network. Holden told that Hostwinds terminated the client after discovering their operation.
—
Phone and stalkerware are notoriously buggy. TheTruthSpy, even as a family of stalkerware, is one of many spyware apps that have been hacked, leaked, or otherwise compromised in recent years. TheTruthSpy became one of the largest clandestine phone networks due to its ability to operate freely and for so long.
At BSides London, security researchers Vangelis Stykas and Felipe Solferini found TheTruthSpy was still exposing hundreds of thousands of active accounts. Stykas and Solferini’s research—some of it unpublished and shared, which helped report this story—confirmed that 1Byte is the ultimate developer and reseller of TheTruthSpy stalkerware network.
Spyware is legal to own, but recording calls and private conversations without consent violates federal and state laws. In recent years, U.S. federal and state authorities have increased enforcement action against stalkerware actors, including banning SpyFone and requiring spyware makers to notify victims, but overseas operators remain outside U.S. jurisdiction.
The Federal Trade Commission declined to comment on whether it is investigating a matter before publication.
TheTruthSpy remains a threat to victims’ phones as long as it’s online. Because it can’t protect the data it steals from thousands of victims’ phones without their consent.
