A stalkerware developer barred from the surveillance industry due to a data breach that exposed personal information of both customers and their targets will not be allowed to return to selling this intrusive software, according to the U.S. Federal Trade Commission (FTC).
Scott Zuckerman, the founder of consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor, had requested the FTC lift this ban; however, the agency denied his request.
On Monday, the FTC shared a press release announcing the denial following Zuckerman’s petition in July to modify or cancel the ban. In 2021, the FTC prohibited him from “offering, promoting, selling or advertising any surveillance app, service, or business,” effectively halting any future stalkerware operations. The agency also mandated that Zuckerman delete all data collected by SpyFone and implement stringent cybersecurity measures for his remaining businesses.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, then acting director of the FTC’s Bureau of Consumer Protection. He added that the stalkerware was disguised from device owners but fully vulnerable to hackers due to the company’s poor security practices.
In his petition, Zuckerman argued that the FTC’s security requirements had made running his other businesses more challenging, particularly due to financial burdens. He noted that Support King is no longer operational and that he now manages a restaurant and is looking into other “tourism ventures” in Puerto Rico.
When contacted via email, Zuckerman did not provide a comment and directed inquiries to his lawyer.
The FTC’s ban stemmed from a 2018 incident in which a security researcher discovered an Amazon S3 bucket owned by SpyFone that exposed highly sensitive data, including selfies, text messages, audio recordings, contacts, location data, and passwords, and left it accessible to anyone.
This breach revealed 44,109 unique email addresses and included data from at least 2,208 customers, with potentially thousands of photos and audio files from 3,666 devices infected with SpyFone’s stalkerware.
Less than a year after the FTC’s 2021 order, TechCrunch reported that Zuckerman appeared to be involved in another stalkerware operation. In 2022, TechCrunch obtained a cache of compromised data from the stalkerware app SpyTrac, which was operated by freelance developers connected to Support King, seemingly attempting to evade the FTC’s restrictions. The leaked data also contained records linked to SpyFone, which Zuckerman was ordered to erase, along with access keys to OneClickMonitor’s cloud storage.
Eva Galperin, a noted authority on stalkerware, expressed satisfaction with the FTC’s decision. “Mr. Zuckerman was clearly hoping that if he laid low for a few years, everyone would forget about why the FTC issued a ban against him specifically,” Galperin told TechCrunch.
Galperin, who serves as the director of cybersecurity at the nonprofit Electronic Frontier Foundation, noted that TechCrunch’s 2022 findings suggest that Zuckerman “did not learn his lesson.”
Stalkerware applications facilitate covert spying on the phones of supposed loved ones. These apps enable potentially unlawful actions, and at least 26 stalkerware companies have suffered hacks or left sensitive information exposed online in the last eight years, according to TechCrunch’s estimates. These ongoing incidents reveal a troubling pattern of these companies failing to safeguard the privacy of their customers and the individuals they monitor.
