This is a story of independent researchers following the tracks left by popular spyware developers and uncovering the multiple hidden faces this business has. We reveal every step that let us connect the semi-anonymous developers to a Kiev software company, a London venture fund with Palo Alto offices and also some carrot rockets.
On May 14th, a security blogger Brian Krebs reported a massive leak of sensitive data:
mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked.
mSpy is a spyware which works both on mobile devices and on desktops. Typically, one party would purchase it and install it on a device belonging to another party, often without the latter being aware of the fact. Hence, this leak caused the private data of hundreds of thousands of unwitting mSpy users to be publicly exposed.
The leaked data includes private emails, SMS messages, call logs and IM chat logs, along with iCloud passwords of those unlucky enough to be spied upon via the no-jailbreak version of mSpy. Typically, a mobile version of mSpy for iPhone demands jailbreaking the target iPhone prior to installation. However, mSpy also offered a no-jailbreak versionbasically, it asks you for the Apple ID and password of the target and then delivers the backup data to your user dashboard. These Apple IDs and passwords were also leaked among all the other customer data.
We became interested in the story, as we had been hearing vague rumors about mSpy for a while. This was the chance to investigate further the identity of the people behind this company. This report will detail what we have uncovered while tracing mSpy around the post-Soviet landscape, London, California and some tax havens along the way.
Lets get on the trail!
mSpys Public Face
According to Brian Krebs research based on historic domain registration records, prior to 2014 mSpy belonged to a company called MTechnology LTD. Yelp.com still shows the MTechnology LTD address at the Regus(offices for rent company) serviced offices in Palo Alto, California. Krebs adds that the directors of MTechnology LTD were listed as Aleksey Fedorchuk and Pavel Daletski. Daletski is still the registrant of the domain mspy.com according to its whois records.
The UK company database CompanyCheck lists MTechnology LTD as happily dissolved, with the last company event listed in 2013. Board members are listed as Fedorchuk and Daletski. Address given is 145157 ST JOHN STREET, LONDON about which an anti-fraud organization has an interesting thing to say:
The UK address. 145157 St John Street, London, EC1V 4PY. According to a BBC report, this is the address used by a company which sells its use as a registered office address. Because there does not seem to be an obligation to check that users of the service are legitimate companies, criminals are attracted to it. According to the BBC, the address is in common use among fake companies operating boiler room fake share scams.
In the CrunchBase, mSpy belongs to a company named Bitex Group LTD. In 2014 this company has submitted an application for the MSPY trademark in the US and, according to the application, is registered at the Seychelles, an offshore tax haven. Their given address is 306 Victoria House Victoria Mahe. This address belongs to an offshore services agent and is used by many shady companies, including a Russian cyber crime gang.
We can conclude that somewhere at the end of 2013, the mSpy operators dissolved their company MTechnology LTD and started a new oneBitex LTD, in a pattern which will become familiar. Incidentally, at the end of 2013, mSpy has unleashed a barrage of press releases which somehow made their way into such reputable publications as Forbes, The Blaze, BGR, Vocativ and others.
If this haircut and clothes belong to a rich London businessman, then were the primadonnas of Moscows Bolshoi ballet
The PR release (distributed by Shift Communications, an expensive US PR firm) described mSpys founding director as Andrei Shimanovich, and Forbes even added some charming details about Andreis roots as a Belorussian who had moved to London nine years ago. On startupbeat.com mSpy appeared in the featured pitch columnundoubtably due to their remarkable start-up qualitiesthe pitch mentions Shimanovich as a co-founder and CEO. Remember this namewe will come back to him and to his titles later in the story.
So far we have Fedorchuk, Daletski and Shimanovichall perfectly Slavic names from the former USSR area. We have the associated companies: MTechnology, a former London company located at an address associated with fake companies, and Bitex Group LTD, located at the Seychelles offshore tax haven.
This is only information from publicly available sources. Now were going to dive into details previously hidden from the public eye.
Will The Real mSpy Please Stand Up?
After the mSpy hack news got published, we have managed to locate the data dump at http://mspycomkftki3h54.onion/ (a Tor browser URLunavailable as of today, June 3rd).
The actual customer data logs were quite large, some files even being as large as 13GB (compressed). Among them was the iCloud databasea file containing the Apple Ids and passwords of mSpy targets. mSpy have made the research job very easy by storing all the data in a readable text format (JSON to be precise, the format used by their MongoDB databases).
After the first shock of seeing iCloud passwords stored in clear text(how hard would it be to encrypt them?), we have seen something very interesting in the file:
Mteam and mobiteamlooks like developers/testers account
This seemed like an obvious developers account, especially with this information being right at the beginning of the file. Further records related to this [email protected] account indicated a test email sent to [email protected] account (photo and email redacted for privacy protection)
Googling this email address led us to a LinkedIn profile of a QA engineer in a company called Mobisoft LTD. Finally, something that looked like an actual software company!
Mobisoft LTD has a website at http://mobisoftua.com/. Compare the remarkable similarity of Mobisoft LTD and mSpy logos:
Researching more former Mobisoft LTD employees on LinkedIn revealed a few of them who had explicitly mentioned mSpy on their profiles.
Mobisoft = mSpy
The email/LinkedIn evidence plus the logo similarity convinced us beyond a shadow of a doubt that Mobisoft LTD is the development company behind mSpy. The next step was learning more details about Mobisoft LTD.
The Spyware Origins
Mobisoft Ltd boasts 1M+ customersexactly the same number mentioned in mSpys PR releases. It is located in Kiev, Ukraine and all of their employees found on LinkedIn have Ukrainian names. Their job ads are always written in Englishto select for the English-speaking candidates. The current jobs page describes Mobisoft as follows:
Mobisoftis a high-tech production company operating in the mobile industry and developing its own mobile (iPhone, Android, Blackberry, Symbian) and desktop (Windows, MacOS) product that focuses on English-speaking target audience and successfully sells the software in Western markets.
LinkedIn lists 51 employees of Mobisoft LTD.
One of the interesting employees was a PHP senior developer Oleg B., who linked to his CV from his personal website (link redacted for privacy):
It wasn't that robust after all
This resume snippet shows that mSpy has transferred their infrastructure from Amazon to its own cloud platform and it happened most probably in 2014.
This point is supported by the fact, that the leaked mSpy logs start from November 23rd, 2014.
Mr. Akbar, the convicted CEO of another spyware company Stealth Genie
Why would mSpy move their data from Amazon, which is cheap, reliable and close to the majority of their customers (in the US)? Incidentally, in September 2014, the FBI has arrested a CEO of another spyware company called Stealth Genie. The data center of Stealth Genie was hosted on Amazon. Could the ease with which the US authorities were able to take down Stealth Genie has caused the Ukrainian company to move to an alternative infrastructure? We believe that the compelling answer to this question is obvious. Yes.
According to the data revealed in the data leak, mSpy has moved to the Germany-based Hetzner hosting for their back-end.
Unfortunately, mSpys new infrastructure was more vulnerable than the one on Amazon. By running away from the FBI they fell into the hands of an anonymous hacker.
What Is The Carrot Rocket?
Better familiarity with the real company that has been developing mSpy allowed us to trace more interesting connections.
On LinkedIn (link redacted), a former PM for Mobisoft appears to be a PM for a new company called Carrot Rocketbuilding mobile appsand he uses the name mTeam which is familiar to us from mSpys iCloud test account:
We have identified about 10 Mobisoft former employees who list their current employer as Carrot Rocket Ltd.
Naturally we were curious to find out more about this new entity. Luckily, the UK company database came to the rescue and revealed the following: the company was incorporated on March 13th 2015, the address was at 2022 Wenlock Road, London(a mail forwarding address) and the director was listed as D. Kolechenko.
March 2015 is a particularly interesting time for mSpy. The anonymous hacker who broke into their servers, claimed the company knew about the data leak two months ago. The data leak became public on May 14thmaking March 13th the time when mSpy learned about their data leak.
Since the incorporation of a new company and discovering a data leak potentially lethal for the business cannot be a pure coincidence, there are two possible scenarios here:
Carrot And Rabbits
Lets get back to D. Kolechenko, the listed director of Carrot Rocket. According to DueDil, a private company research tool, Mr. Kolechenko is a director of Seranking Ltd in addition to his Carrot Rocket position. On another British business database, Mr. Kolechenko appears to be a director of IntellectSoft Ltd as well.
Searching for those companies reveals that both of them are connected to WeRocks management firm called. WeRocks is somewhat of a mysterious entity, luckily its founder is listed on LinkedIn:
And who else should it be if not our old friend Andrey Shymanovich, the mSpy co-founder and CEO from multiple former press releases.
Finally, we can come to some conclusions.
mSpy is a spyware product developed by a Kiev-based company called Mobisoft Ltd and owned by an investment fund called WeRocks, along with other IT companies like Seranking, IntellectSoft and others. The owners hide their identity and the public face of mSpy are local Ukrainian support and marketing managers who use fake American names like Amelie Ross. Their rationale for concealing the real ownership is probably the separation between the shady business practices of mSpy and the more legitimate dealing of their other companies: Seranking, HelpCrunch, Pixellent, IntellectSoft and other companies owned by Werocks.com.
mSpy completely ignores the safety of their users and the security of their data. The founders treat it as a cash cow, trying to squeeze every last dollar possible without any concern for the well-being of neither those who use the software to monitor, nor of the monitored parties. mSpys founders are post-Soviet IT businessmen who not only have the access to the private data of hundreds of thousands of their American customers, but also dont protect it from being leaked online. Those businessmen use fake names, fake photos and fake tax haven-based companies to conduct shady practices and put the information of private citizens at risk.
We will be happy to provide any additional evidence to the claims posted in this article.
Contact us at [email protected] or twitter DM. This research may be used for any legitimate purpose as long as the original is credited.