The two hacktivists who stole tens of thousands of customer and company records from two consumer spyware companies speak up, explaining why and how they did it.
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
On Tuesday, Motherboard revealed that hackers had stolen a wealth of data from two companies that sell spyware to the everyday consumer. This information showed that tens of thousands of completely ordinary people had purchased malware that can snoop on mobile phones or computers.
But this wasn't some financially motivated hack, or just an accidental data breach. These two hackers, independent of each other, both decided to target the consumer spyware industry in a move to expose what they both believe is an immoral trade.
In other words, these two are hacktivists. Whether others will agree with their actions or not, their motivations are part of a swelling trend of hackers breaking into the systems of companies that sell surveillance or other hacking technology: HB Gary, FinFisher, Hacking Team, Cellebrite.
The hacker who breached FlexiSpy, one of the affected companies, used the handle Leopard Boy, and the stolen data included email addresses of customers, internal company files, a number of emails, and alleged partial credit card information. The second hacker, who did not provide a name, targeted US-based Retina-X, which makes monitoring products such as PhoneSheriff and SniperSpy. The data he stole included customer account logins, alleged GPS locations of surveillance victims, and photos and communications ripped from devices by the malware.
Motherboard is publishing longer chat logs with the hackers, so readers can get a better understanding of the hackers' motivations. Here is a lightly edited transcript of our interviews with Leopard Boy and the unnamed hacker behind the Retina-X breach.
Q&A WITH LEOPARD BOY
Motherboard: What do you think of the people who bought FlexiSpy to monitor their spouses/lovers?
Leopard Boy: Complicated issue. I suspect most of them are just terribly insecure, and don't mean to harm anyone. However, the tools can also be used to facilitate terrible abuse. They encourage a massive power imbalance between partners. As such, I feel obligated to expose the entire deal. Sure, some people might be hurt as a consequence, but overall, I feel it's necessary. I'm not really claiming the moral high ground personally, here.
What were you hoping to achieve with this hack? What's the goal?
It's the beginning of a reign of terror across this entire industry. I'm going to burn them to the ground, and leave absolutely nowhere for any of them to hide. As for the goal? Well, we've encouraged people to be excellent to one another, and that's failed. But if you can't be a good example, you'll just have to be a terrible warning.
How difficult was the hack itself? In general terms, how did you do it?
Not particularly difficult. It had multiple parts, as I discovered new weaknesses in their infrastructure. Over the period of about three weeks, I went from having some limited API access to having control over a server, to getting Domain Admin and root across the entire estate. It may surprise people, but I didn't need any 0days. One thing I've learnt from my years as a shadowy predatory creature on the internet is if you look long enough, you'll find people fuck up over and over, and if you can see that, you can REALLY burrow in. They tried to be tough, but their armour just wasn't hard enough.
In our chats you've mentioned Phineas Fisher. How was he an inspiration of this?
Phineas is definitely not me. I am in no way related to Phineas Fisher, and I can confirm that those raids earlier definitely were comprehensive and definitely effective. He's a charismatic guy, though, inspiring, and a competent hacker. Probably handsome. But definitely not me.
What do you think will happen to FlexiSpy now? And what do you hope will happen?
I hope they'll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I'll be there.
More broadly, we've had Hacking Team, Cellebrite, and now this. Do you think hacktivism against surveillance or technology companies is its own phenomenon? Is this going to continue?
I definitely think it is. I feel like society as a whole tends to try and fight back against surveillance and power-imbalances, even if it doesn't always seem effective. We see it with the US intelligence agencies, with Hacking Team, with HB Gary, Cellebrite, and presumably more are going to happen in the future. As far as it continuing, while I may appear to be all-powerful and all-seeing, I can only hope. But I'm certainly going to continue.
Why did you decide to wipe the company's servers and data?
We got what we needed. And this will probably put them out of business.
Q&A WITH RETINA-X HACKER
What surprised you the most of what you found?
Anonymous Retina-X hacker: Not really surprised; there's a lot of junk software like this in the world. I was more disappointed that, considering the kind of data involved, they'd clearly never had anyone look at it from a security perspective.
I dug through a bunch of containers to find the interesting stuff like Retina-X screens, and found both confidential information (like photos of job application forms) and intimate photos. [...] Other than the creepiness of it, I was kind of offended by how little they protect all this data.
So why did you decide to hack Retina-X and reveal your actions?
A few months ago I was having a conversation about this kind of spyware (targeted at parents) and I got curious about how it actually works. Over mid-to-late last year, I found something really obvious that exposed a few secrets and I decided to see how far I could go by pulling on the threads that appeared. [...] I don't want to spread the dumped files in public, but parents and employers using this software need to know that it sucks up their children/employees' private data (GPS logs, photos, SMS messages...) and stores it on pathetically insecure servers. [...] Getting the info in public is desirable if done safely. I'm not a fan of companies like this and I don't mind dragging their names through the mud, and (not really related to talking to journalists) it was just plain fun to hack stuff.
How did you hack them?
When I got curious, I just Googled for popular parental spyware. [Retina-X's] TeenShield was one of the first that popped up and I could easily get an APK to look at. [There were] three main stages...
1. Decompiled the publicly available TeenShield APK which held both API key and user/password for the Rackspace containers [...] those containers hold screenshots and captured photos, basically.
[Retina-X's] Net-Orbit captures a screenshot every x minutes of whatever active window the victim is using. [This is] what led to step 2. Retina-X developers occasionally ran Net-Orbit while working on it so in one case it captured a screenshot of a text file called Credentials.txt. That credentials file, at least the view of it I had, gave me root on the server that runs the PhoneSheriff control panel.
The last step [3.] was basically digging through all the info I got from that server and the Rackspace files containers to find ways into the other systems. Different screenshots I found in the containers gave away most of the passwords.
Best example might be the database server that held the data for PhoneSheriff/TeenShield/NetOrbit. I found an FTP password somewhere, don't recall exactly, and found it had access to the web files directory on that DB server. That was a Windows box running Apache as the SYSTEM user with PHP turned on, so I uploaded a PHP script somewhere to execute arbitrary commands and had it create an administrator-level account on that box. Not really any advanced techniques anywhere, just lots of digging to find useful vulnerabilities with the info I already had.
If you had a message for Retina-X, what would you tell them?
That's tough… I think they should get out of the spyware business. I think it's all they do, but it's a bad market and they do a bad job of it. I'd like to ask them if they'd trust their software to watch over their own families.
What would you tell the people who use or used Retina-X software?
For the customers, realize that when you use spyware like this, you're trusting one company or another to hold the data. For people who have been spied on, I can only say that I'm sorry their privacy has been invaded on so many levels.
If you are concerned that consumer spyware may have been installed on your phone, here is some basic advice on what to do next.