Fake passports, real bank accounts: How TheTruthSpy stalkerware made its millions

Benjamin, 44, has a place by the park in an up-and-coming area of downtown Dallas, Texas. He seems to keep to himself and eschews social media. Dulce, 42, lives nearby in a gated community lined with streets of terraced houses and grassy lawns in adjoining Fort Worth.

They look like small business owners making modest incomes working online. But the two bring in huge sums of cash by selling access to TheTruthSpy, a collection of Android so-called “stalkerware” surveillance apps, including Copy9 and MxSpy, which have compromised hundreds of thousands of people’s phones around the world.

Benjamin and Dulce are among a wider network of Americans selling the phone spyware, whose involvement helps to conceal the company behind their development, a Vietnam-based startup called 1Byte.

Other than selling the same apps and living close to each other — something that looks like an unlikely coincidence — Benjamin and Dulce share nothing else in common, except one critical thing: The two sellers exist only on paper.

For years, TheTruthSpy brought 1Byte tens of thousands of dollars in monthly PayPal transactions from customers. But its rising popularity brought new problems. Selling spyware is fraught with legal and reputational risks, especially in the United States, where the startup saw growing demand for TheTruthSpy. PayPal’s systems would periodically flag transactions and limit access to the spyware maker’s accounts and funds. Customers also wanted to pay by credit card, but that would require the startup to fill out stacks of applications and paperwork that would have outed the operation.

A TechCrunch investigation based on hundreds of leaked documents can now reveal how the spyware operation evaded detection, and for so long — details which have not been previously reported.

From its software house in Vietnam, 1Byte devised a network of fake identities with forged American passports to cash out customer payments into bank accounts they controlled. It seemed like the perfect scheme: This stateside expansion allowed the startup to keep its identity a secret while making at least $2 million in customer payments since 2016. And the fake sellers would take the heat if the authorities discovered, seized or shuttered the operation. (Not that the feds would find them, since they claimed to live at phantom addresses.)

The scheme exploited weaknesses present in tech and financial system safeguards against fraud, like “know your customer” checks for verifying a person’s identity, which are designed to block organized crime gangs and money launderers from opening fraudulent accounts or moving funds using forged or stolen documents.

Last year, TechCrunch was sent a huge cache of files that had been taken from TheTruthSpy’s servers. The files included TheTruthSpy’s master database, containing a record of every compromised device past and present — close to 400,000 victims — up to the day the database was exfiltrated. TechCrunch used the data to build a free lookup tool to allow anyone to check if their phone was compromised.

The leaked data we’ve seen also reveals the inner workings of 1Byte’s global surveillance ring. The data lays bare years of 1Byte’s financial spreadsheets and customer transactions, including the individuals who purchased the stalkerware. TechCrunch has seen completed paper applications that the startup used for applying to credit card processors, filled in with the falsified personal information of sellers who do not exist. We’ve also seen their forged government IDs — passports, driver licenses and Social Security cards — and utility bills of about a dozen or so manufactured identities.

It was through this intricate system of fake identities that the stalkerware maker funneled millions of dollars of illicit customer payments into its bank accounts.

On paper, Benjamin and Dulce look like regular Americans. TechCrunch has seen photos of their open and signed passports, utility bills with account numbers and electricity usage, and copies of their Social Security cards bearing their signatures.

But any more than a cursory look and the sellers’ identities fall apart. Benjamin’s passport photo was scraped from a Vietnamese photographer’s website. The photos in Dulce’s driver license and passport used heavily photoshopped faces of real people, perhaps to defeat any future facial recognition checks. And the number on Dulce’s signed Social Security card belongs to a man who died in 1978.

The money-makers

For almost a decade, Dulce and Benjamin were two of 1Byte’s biggest money makers, generating the spyware startup a small fortune.

In the early years, 1Byte relied on PayPal to process payments for customers buying TheTruthSpy. Customers would buy the software through the checkouts of the startup’s many branded spyware websites, and PayPal would handle the rest. The money would flow into PayPal accounts in Dulce and Benjamin’s names, which were actually under 1Byte’s control.

Dulce’s account netted $239,000 in 2016 and $886,000 in 2017 from selling TheTruthSpy through PayPal alone, according to tax documents that PayPal issued for those years. All the while, Benjamin consistently made tens of thousands of dollars every month selling the other cloned stalkerware apps — Copy9 and MxSpy — through PayPal.

These were by no means small sums, but 1Byte knew there were limitations to relying on PayPal.

A collection of notes written by the 1Byte employees running the accounts — which also leaked — show the spyware maker claimed access to at least a couple of dozen PayPal accounts to keep its money flowing. The operators would offer full-year subscriptions to customers in exchange for resolving disputes that might have otherwise caught the attention of PayPal’s human moderators. One of the notes served as a guide that outlined the different ways to avoid raising PayPal’s suspicion, such as “moving money too fast,” “taking in too much money at one time” and receiving money “through different accounts so the funds are more dispersed.”

The process largely worked. But the operators struggled to keep up with growing demand and had no way to process customer credit cards at scale.

Developing and selling spyware is a risky business; it’s no wonder that 1Byte wanted to distance its involvement from the operation it was running. Credit card processors tend to balk at allowing customers to buy goods or services that could result in the processors facing liability. Just like porn, drugs and firearms, spyware falls in a similar high-risk category. And PayPal, whose policies broadly prohibit customers from using its platform to sell software that facilitates illegal activity, could have at any time discovered and unraveled the whole operation.

Another note found in the leaked cache described the startup’s predicament. The note is a copy of an email sent by John, who presents as an American businessperson living in California and appears to be intimately involved with 1Byte and the spyware operation. Like Dulce and Benjamin, John is a manufactured identity who serves as a front for 1Byte.

In the email, John says that he has partners — meaning 1Byte — who own some websites and their customers want to pay with cards. John explains that so far the websites used PayPal to process tens of thousands of dollars in payments a month. John offered kickbacks to his contacts who could help facilitate payments by credit card instead.

Soon after, 1Byte found a way for customers to pay by credit card, and business boomed. The startup already had a dossier of forged identities with some provable success, why not use them again?

an illustration of a laptop computer and a Texas driver's license on a colorful blue, red, and teal background

Image Credits: Bryce Durbin / TechCrunch

Toward the end of 2017 into early 2018, the spyware maker had branched out from PayPal to smaller payment facilitators, like software reseller companies, which were known to work with customers selling riskier products but in exchange for charging the seller higher fees. (Credit card processors consider software a higher-risk product than something you can physically ship; such is the nature of selling intangible, digital products from developers who might have little or no reputation.) Notwithstanding the legalities of selling surveillance software, phone spyware is notoriously buggy and can draw a steady stream of customer complaints.

Success did not always last long. Some payment processors wised up to the kind of software they were being used to sell.

1Byte used Dulce’s identity to sign a contract with a small European payment processor in January 2018, according to a copy of the signed document found in the leaked cache. The payment processor told TechCrunch that the third-party company it relied on to do “know your customer” checks approved the spyware maker, since Dulce’s fake documents failed to raise any alarms.

But the payment processor grew suspicious when they identified a pattern of new account sign-ups. This prompted it to freeze the infringing accounts before booting TheTruthSpy’s money-making sock puppets from its service. Documents shared by the payment processor showed that the accounts it froze were linked to bank accounts in Vietnam run by 1Byte employees and its director Van Thieu.

When 1Byte couldn’t consistently depend on an outside checkout provider, it increasingly made efforts to rely on its own. The startup had already laid the groundwork to scale by building its own checkout website called Affiligate. By 2020, Affiligate was handling the majority of customer payments.

1Byte set up Affiligate as an ostensible marketplace for app developers to sell their software. Behind the scenes Affiligate’s sellers were largely fake identities set up by 1Byte employees to sell TheTruthSpy and its many cloned apps. The employees also created marketplace accounts using their own personal email addresses, presumably without a second thought to the poor security of the site they had themselves built since these email addresses also leaked.

Affiligate was designed to look and feel like a legitimate software reseller marketplace to outsiders, while functioning as a real checkout service that could funnel customer payments for 1Byte’s many stalkerware products into accounts it controlled. But like most businesses these days, Affiligate still had to rely on an outside company to handle the processing of credit cards for its customers.

Like millions of other small businesses around the world, 1Byte relied on payments giant Stripe to facilitate the majority of its customer payments over the operation’s lifespan, which continued as we reported this story. Stripe famously allows businesses to integrate its payment technology using just a few lines of code, which helped propel Stripe to become one of the world’s biggest and ubiquitous global payments processors, peaking at a $95 billion valuation.

By setting up accounts and integrating Stripe’s checkout code, 1Byte was able to process credit cards at scale.

For its many flaws, 1Byte was diligent in its record keeping and kept detailed customer transaction logs. The leaked logs reveal over 55,000 total customer transactions between September 2017 and November 2022, accounting for more than $2 million in spyware sales. TheTruthSpy was by far its biggest seller, bringing in almost 90% of 1Byte’s revenue, with Copy9 and MxSpy trailing behind.

According to the logs, Stripe processed the majority of the spyware operation’s total transactions. The logs also included the web addresses for customers to view their receipts online after paying; those receipts are still viewable on Stripe’s website to anyone with the web addresses. PayPal and the other smaller processors handled the fraction of remaining transactions, the logs show.

Affiligate’s customer checkouts stopped working shortly after we contacted Stripe for comment. Stripe declined to comment on specific accounts, citing company policy.

PayPal said in a statement: “We regularly assess activity against our policies and carefully review actions reported to us, and will discontinue our relationship with account holders who are found to violate our policies. For privacy reasons, we cannot comment on specific accounts.”

The Americans

Dulce and Benjamin were just two of many false American personas in 1Byte’s dossier of identities that helped prop up the operation over the years: John in California; Alex in New York; Brian in Los Angeles; and Angelica, who shares a surname with Dulce and whose forged documents list an address nearby in Fort Worth, but nevertheless does not exist.

To pull it off, 1Byte used forged passports and driver licenses — and falsified proof of U.S. residency, like utility bills. The spyware maker also spun up dedicated and single-purpose email addresses that were used solely for establishing their merchant accounts, and set up “burner” disposable U.S. phone numbers, allowing the operators to trick U.S. companies into thinking they were dealing with real Americans.

We know that other identity documents, such as the U.S. passports, driver licenses, state IDs and a fake U.K. driver license, are forged because 1Byte kept copies of the original documents, and the forged replica, which has similar personal information but with an entirely different person’s photo.

Banks, credit card providers, software resellers and payment merchants are all responsible for performing due diligence on their customers to weed out identity fraud and money laundering on their networks. Yet forgeries that are good enough to fool a human are still bound to make it through.

But 1Byte was also sloppy. At least two of the Social Security numbers assigned to forged identities belonged to dead people. The two Social Security cards look numerically sequential but are both listed on the Social Security Death Index, a commercially available list of Social Security numbers whose deaths were reported to the U.S. government until early 2014. The Social Security Administration does not reuse Social Security numbers after a person dies.

Of the other documents, some of the utility bills listed home addresses that do not physically exist. Several forged government documents had small but noticeable typos.

We also know that several of the merchant and payment processor agreements were signed by 1Byte employees using the names of the forged identities that they had created, including Dulce and Benjamin, thanks to a mistake the employees made.

The employees may not have noticed that the agreements they signed, photographed and submitted contained hidden metadata that revealed the precise location and timestamp of where and when the photos were taken. The metadata showed the agreements were signed and photographed at 1Byte’s location in Vietnam.

Another photo showed a Vietnamese identity card belonging to 1Byte’s director Van Thieu, which contained similar metadata showing it had been photographed from the same location in Vietnam.

When reached for comment, Thieu acknowledged his past work with the operation but said he was no longer involved “because I know it [spyware] is illegal in some countries.” Thieu did not address his involvement with the operation since 2016 or how his personal information leaked. A short time later, TheTruthSpy’s website displayed a notice saying it was no longer taking customers: “This kind of this product is not allowed in most countries, so we have decided not to sell this product anymore.”

The handlers

The startup’s obsessive documenting and meticulous note-taking also included one spreadsheet, a master list of who’s who in the operation, both the real-world handlers and the fake identities they control.

We know they are real people because, unlike Dulce and Benjamin whose photos were scraped from the internet and sometimes modified, these real-world handlers are seen in photos holding up their passports to their faces — the common “know your customer” request used by a human verifier to determine if a person’s documents are real or not, since these photos are generally more difficult to fake. One of the photos shows a handler’s older relative holding up her passport bearing the same surname.

Another handler, whose passport was stored on 1Byte’s servers, has a YouTube channel with videos reviewing various stalkerware apps, including TheTruthSpy. One of the videos published by the handler demonstrating the spyware’s capabilities inadvertently disclosed his home address after installing the location-grabbing app on a phone he owned.

Thanks to 1Byte’s poor security practices and leaky servers, their role in the operation was exposed.

a photo of a keyboard on a colorful red and blue background with map shape outlines

Image Credits: Bryce Durbin / TechCrunch

But this was not 1Byte’s only security lapse. A ransom note left on TheTruthSpy’s server in August 2020 suggests the spyware operation was compromised by a ransomware attack. Either someone had accessed the spyware maker’s servers, or worse, siphoned a copy of the vast trove of phone data for themselves.

How 1Byte made its millions from selling phone spyware was not just because of the dossier of forged identities, the broken financial system checks that failed to catch their fake documents or the handlers keeping the money flowing. TheTruthSpy was allowed to operate unimpeded for years from servers hosted under the noses of authorities in the United States.

Whether by coincidence or convenience, just as the spyware maker had operated Dulce and Benjamin as if they lived in Texas, 1Byte also hosted the tens of terabytes of phone data — much of it derived from American victims — in Texas web hosting data centers.

A web host called Codero housed TheTruthSpy’s infrastructure and its huge banks of data as far back as 2017. Codero kept TheTruthSpy as a paying customer until February 2023, when Codero unceremoniously booted TheTruthSpy from its network, and for a time, off the internet. A Codero executive later told TechCrunch that the web host terminated TheTruthSpy for violations of its terms of service, but that it was prohibited from removing the spyware maker sooner, citing an ongoing federal investigation.

1Byte scrambled to get back online from whatever backups it could use to recover, setting up shop at Hostwinds, another web hosting company with a nearby data center. At that point, the Codero executive emailed Hostwinds CEO Peter Holden to warn him that the “bad actors” had moved to his network. When reached by TechCrunch, Holden said Hostwinds terminated the client once it became aware of their operation.

Stalkerware and phone spyware is notoriously buggy. TheTruthSpy, even as an entire family of stalkerware, is just one of many spyware apps that have in recent years been hacked, spilled or otherwise compromised the masses of phone data that they collect. But TheTruthSpy’s ability to find cover to operate freely, and for so long, allowed it to become one of the biggest known clandestine networks of compromised phones.

Security researchers Vangelis Stykas and Felipe Solferini, who presented their research into several stalkerware networks at BSides London, found TheTruthSpy was still exposing hundreds of thousands of active accounts at the time of their talk in December 2022. Stykas and Solferini’s research — some of it unpublished and shared with TechCrunch, which proved crucial in reporting this story — confirmed that TheTruthSpy stalkerware network drains down to 1Byte as its ultimate developer and reseller.

While the possession of spyware is not illegal, using it to record calls and private conversations of people without their consent violates both federal and several state laws. U.S. federal and state authorities have ramped up enforcement action against stalkerware actors in recent years, including banning notorious stalkerware app SpyFone and ordering spyware makers to notify their victims, yet overseas operators find themselves largely out of the jurisdictional reach of U.S. law enforcement.

When reached before publication, the Federal Trade Commission said it does not comment on whether it is investigating a particular matter.

But for as long as TheTruthSpy stays on the internet, it poses a real and constant threat to the victims whose phones its spyware apps have compromised. Not just because of the data that it collects from thousands of victims’ phones without their knowledge, but because it cannot keep that data from falling into the wrong hands.

You can use our free lookup tool to check if a phone was compromised by TheTruthSpy. We also have a guide on how to remove the spyware from your phone, if you believe it is safe to do so. Do note that removing the spyware may alert the person who planted it.

Source link