Founder of spyware maker pcTattletale pleads guilty to hacking and advertising surveillance software

The founder of a U.S.-based spyware company, whose surveillance products allowed customers to spy on the phones and computers of unsuspecting victims, pleaded guilty to federal charges linked to his long-running operation. pcTattletale founder Bryan Fleming entered a guilty plea in a San Diego federal court on Tuesday to charges of computer hacking, the sale and advertising of surveillance software for unlawful uses, and conspiracy. HSI said that pcTattletale is one of several stalkerware websites under investigation. A spokesperson for ICE did not immediately comment when contacted by TechCrunch. Kelly Thornton, a spokesperson for the U.S. Attorney’s Office for the Southern District of California, which brought the charges against Fleming, declined to comment. In a statement provided to TechCrunch by his lawyer, Marcus Bourassa, Fleming claimed he “genuinely had no idea the product might violate any laws,” and that, “the moment I learned there was an issue, I shut everything down and fully cooperated with investigators.” Fleming did not respond to follow-up questions about his unlawful activity. Once physically planted on a person’s phone or computer (usually with knowledge of the victim’s passcode or login), the app would continuously upload a copy of the victim’s information, including messages, photos, and location data, to pcTattletale’s servers and make the data accessible to whoever planted the spyware. At the time, Fleming told TechCrunch that his company was “out of business and completely done,” after deleting the contents of pcTattletale’s servers. Despite the shutdown, federal agents were already far into their investigation of Fleming’s illegal spyware business. HSI began investigating pcTattletale in June 2021 after finding over 100 stalkerware websites offering surveillance products, many of which advertised lawful uses of the software, such as monitoring children or employees. Crucially for investigators, Fleming was believed to be operating pcTattletale from his home in Bruce Township, Michigan, well within reach of U.S. law enforcement — unlike many overseas stalkerware operators who are not. According to the affidavit, HSI obtained a warrant in 2022 allowing the search of Fleming’s email accounts. HSI said the emails showed that Fleming “knowingly assisted customers seeking to spy on nonconsenting, non-employee adults.” Federal agents later surveilled Fleming’s home to confirm it was in fact him. Jones also went undercover to collect evidence, posing as an affiliate marketer under the guise of promoting the spyware in exchange for a cut of the proceeds. As a result of this operation, Jones exchanged emails with Fleming, in which the pcTattletale founder provided images intended for banner ads that promoted the spyware as a way to “catch a cheater,” which made it clear Fleming wanted to market his product for illegal purposes. By November 2022, HSI had obtained permission from a U.S. judge to search Fleming’s home, which agents raided soon after, seizing an unknown number of items. Agents also obtained records associated with Fleming’s bank and his PayPal account, which had transactions totaling more than $600,000 as of the end of 2021. Fleming’s conviction is a win for privacy advocates and campaigners who work to counter the proliferation of stalkerware and raise awareness to its dangers. Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and the co-founder of the Coalition Against Stalkerware, who has investigated and fought stalkerware for years, commented on Fleming’s guilty plea when reached by TechCrunch. “One of the most striking aspects of this case is the extent to which stalkware companies like pcTattletale operate out in the open,” said Galperin. “This is because the people behind these companies so rarely face consequences for selling tools that they themselves say are explicitly for monitoring other people’s devices without their knowledge or consent.” “I hope that this case changes the risk calculus for makers of stalkerware,” said Galperin. Fleming is expected to be sentenced later this year. —— Updated with comment from Fleming.