Seychelles' Curious Role In Hacked Spyware Company Saga

This is the story of how we followed the tracks left by popular spyware developers and uncovered the multiple hidden faces of their business.

We reveal every step that let us connect the semi-anonymous developers to a Kiev software company, a London venture fund with Palo Alto offices and also some carrot rockets.

From Kiev to the Seychelles via London — how we uncovered the identity of the popular “mSpy” spyware.

Hacked

On May 14th, a security blogger Brian Krebs reported a massive leak of sensitive data:

“mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked.”

mSpy is spyware which works both on mobile devices and on desktops. Typically, one party would purchase it and install it on a device belonging to another party, often without the latter being aware of the fact.

Hence, this leak caused the private data of hundreds of thousands of mSpy “users” (who didn't know they had it installed) to be publicly exposed.

mSpy Folders

The leaked data includes private emails, SMS messages, call logs and Instant Messaging chat logs, along with iCloud passwords of those unlucky enough to be spied upon via the “no-jailbreak” version of mSpy.

Typically, a mobile version of mSpy for iPhone demands jailbreaking the target iPhone prior to installation. However, mSpy also offered a no-jailbreak version — basically, it asks you for the Apple ID and password of the “target” and then delivers the backup data to your user dashboard. These Apple IDs and passwords were also leaked among all the other customer data.

We had been hearing vague rumors about mSpy for a while. This was the chance for us to investigate further the identity of the people behind this company.

This article will detail what we have uncovered while tracing mSpy around the post-Soviet landscape, London, California and some tax havens like Seychelles along the way.

Let’s get on the trail!

mSpy’s Public Face

According to Brian Krebs’ research based on historic domain registration records, prior to 2014 mSpy belonged to a company called MTechnology LTD. Yelp.com still shows the MTechnology LTD address at the Regus (an office-rental company) serviced offices in Palo Alto, California.

Krebs adds that the directors of MTechnology LTD were listed as Aleksey Fedorchuk and Pavel Daletski. Daletski is still the registrant of the domain mspy.com according to its whois records.

The UK company database CompanyCheck lists MTechnology LTD as happily dissolved, with the last company event listed in 2013. Board members are listed as Fedorchuk and Daletski. The address given is “145–157 ST JOHN STREET, LONDON”, about which an anti-fraud organization has an interesting thing to say:

“The UK address. 145–157 St John Street, London, EC1V 4PY. According to a BBC report, this is the address used by a company which sells its use as a registered office address. Because there does not seem to be an obligation to check that users of the service are legitimate companies, criminals are attracted to it. According to the BBC, the address is in common use among fake companies operating “boiler room” fake share scams.”

On CrunchBase, mSpy belongs to a company named Bitex Group. In 2014 this company submitted an application for the “MSPY” trademark in the US and, according to the application, is registered in the Seychelles, an offshore tax haven. Their given address is “306 Victoria House Victoria Mahe”.

This address belongs to an offshore services agent and is used by many shady companies, including a Russian cyber-crime gang.

We can conclude that somewhere at the end of 2013, the mSpy operators dissolved their company MTechnology LTD and started a new one — Bitex LTD — in a pattern which will become familiar. Incidentally, at the end of 2013, mSpy unleashed a barrage of press releases which somehow made their way into such reputable publications as Forbes, The Blaze, BGR, Vocativ and others.

Shimanovich

The press release (distributed by Shift Communications, an expensive US PR firm) described mSpy’s founding director as Andrei Shimanovich, and Forbes even added some charming details about Andrei’s roots as a Belarusian who had moved to London nine years ago.

On startupbeat.com mSpy appeared in the “featured pitch” column — undoubtedly due to their remarkable start-up qualities — the pitch mentions Shimanovich as a co-founder and CEO. Remember this name — we will come back to him and to his titles later in the story.

So far we have Fedorchuk, Daletski and Shimanovich — all perfectly Slavic names from the former USSR area. We have the associated companies: MTechnology, a former London company located at an address associated with fake companies, and Bitex Group LTD, located in the Seychelles, an offshore tax haven.

This is only information from publicly available sources. Now we’re going to dive into details previously hidden from the public eye.

Will The Real mSpy Please Stand Up?

After the mSpy hack news got published, we managed to locate the data dump at http://mspycomkftki3h54.onion/ (a Tor browser URL — unavailable as of 3 June 2015).

The actual customer data logs were quite large, some files even being as large as 13GB (compressed). Among them was the iCloud database — a file containing the Apple IDs and passwords of mSpy “targets”. mSpy made the research job very easy by storing all the data in a readable text format (JSON, to be precise, the format used by their MongoDB databases).

After the first shock of seeing iCloud passwords stored in clear text (how hard would it be to encrypt them?), we saw something very interesting in the file:

Mteam and mobiteam — looks like developers/testers account


This seemed like an obvious developers’ account, especially with this information being right at the beginning of the file. Further records related to this [email protected] account indicated a test email sent to the “tito.@gmail.com” account (photo and email redacted for privacy protection).

Googling this email address led us to a LinkedIn profile of a QA engineer in a company called Mobisoft LTD. Finally, something that looked like an actual software company!
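The parenthetical question above (how hard would it be to encrypt them?) has a short answer. What follows is an added example, not code from this article or from mSpy/Mobisoft: it shows the clear-text record layout the leak exposed beside an encrypted-at-rest alternative, AES-256-GCM with the key held outside the database, so that a dump of the collection alone yields no passwords. The struct field names, the sample Apple ID and password are constructed; in practice the key would be fetched from a KMS or HSM rather than generated in-process as it is here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PlainRecord is the shape the leak showed: the third-party credential sits in
// the document in clear text, so whoever holds a database dump holds the password.
// Field names are constructed for this example.
type PlainRecord struct {
	AppleID  string `json:"apple_id"`
	Password string `json:"password"`
}

// SealedRecord stores only AES-GCM ciphertext plus its nonce. The key never
// lives in the database, so a dump by itself is useless to whoever takes it.
type SealedRecord struct {
	AppleID    string `json:"apple_id"`
	Nonce      string `json:"nonce"`      // per-record random nonce, base64
	Ciphertext string `json:"ciphertext"` // ciphertext || GCM tag, base64
}

// StorePlaintext reproduces the weak design, for contrast only.
func StorePlaintext(appleID, password string) ([]byte, error) {
	return json.Marshal(PlainRecord{AppleID: appleID, Password: password})
}

// Seal encrypts password under a 32-byte key (AES-256-GCM). The account id is
// passed as additional authenticated data, so a ciphertext copied onto another
// account's record fails to decrypt.
func Seal(key []byte, appleID, password string) (SealedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(password), []byte(appleID))
	return SealedRecord{
		AppleID:    appleID,
		Nonce:      base64.StdEncoding.EncodeToString(nonce),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// Open reverses Seal. It returns an error for a wrong key, a tampered
// ciphertext, or a record whose apple_id was altered after sealing.
func Open(key []byte, rec SealedRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce, err := base64.StdEncoding.DecodeString(rec.Nonce)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(rec.AppleID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DumpExposes takes the attacker's view: given only the serialized record
// (what a database dump contains), is the password readable?
func DumpExposes(dump []byte, password string) bool {
	return bytes.Contains(dump, []byte(password))
}

func main() {
	// Constructed sample values; nothing here comes from the leak.
	key := make([]byte, 32) // production: obtained from a KMS/HSM, never stored beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	appleID, password := "target@example.com", "CorrectHorse-1"

	plain, _ := StorePlaintext(appleID, password)
	fmt.Printf("plaintext dump exposes password: %v\n", DumpExposes(plain, password))

	rec, _ := Seal(key, appleID, password)
	dump, _ := json.Marshal(rec)
	fmt.Printf("encrypted dump exposes password: %v\n", DumpExposes(dump, password))

	got, err := Open(key, rec)
	fmt.Printf("decrypt with key: %q err=%v\n", got, err)
}
```

Encryption at rest only moves the problem to key custody: the key must be fetched from a separate service at request time and never written into the same collection, backup or log, otherwise the dump-plus-key pair is exactly as damaging as clear text. The AAD binding of the account id is the small extra that stops a stolen ciphertext from being re-homed onto another record.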

Mobisoft

Researching more former Mobisoft LTD employees on LinkedIn revealed a few of them who had explicitly mentioned mSpy on their profiles.

Android Developer at Mobisoft

The email/LinkedIn evidence plus the logo similarity convinced us beyond a shadow of a doubt that Mobisoft LTD is the development company behind mSpy. The next step was learning more details about Mobisoft LTD.

Logos

Spyware Origins

Mobisoft Ltd boasts 1M+ customers — exactly the same number mentioned in mSpy’s press releases. It is located in Kiev, Ukraine, and all of their employees found on LinkedIn have Ukrainian names. Their job ads are always written in English:

"Mobisoft is a high-tech production company operating in the mobile industry and developing its own mobile (iPhone, Android, Blackberry, Symbian) and desktop (Windows, MacOS) product that focuses on English-speaking target audience and successfully sells the software in Western markets."

LinkedIn lists 51 employees of Mobisoft LTD.

One of the interesting employees was a senior PHP developer, Oleg B., who linked to his CV from his personal website (link redacted for privacy):

Oleg B.

This resume snippet shows that mSpy transferred its infrastructure from Amazon to its own cloud platform, most probably in 2014.

This point is supported by the fact that the leaked mSpy logs start from November 23rd, 2014.

Mr. Akbar, the convicted CEO of another spyware company, Stealth Genie

Why would mSpy move their data from Amazon, which is cheap, reliable and close to the majority of their customers (in the US)? Incidentally, in September 2014, the FBI arrested the CEO of another spyware company called Stealth Genie. The data center of Stealth Genie was hosted on… Amazon. Could the ease with which the US authorities were able to take down Stealth Genie have caused the Ukrainian company to move to an alternative infrastructure? We believe that the compelling answer to this question is obvious.

Yes.

According to the leaked data, mSpy moved its back-end to Germany-based Hetzner hosting.

Unfortunately, mSpy’s new infrastructure was more vulnerable than the one on Amazon. By running away from the FBI they fell into the hands of an anonymous hacker.

What Is The Carrot Rocket?

Better familiarity with the real company that has been developing mSpy allowed us to trace more interesting connections.

On LinkedIn (link redacted), a former PM for Mobisoft appears to be a PM for a new company called Carrot Rocket — building mobile apps — and he uses the name mTeam which is familiar to us from mSpy’s iCloud test account.

We have identified about 10 Mobisoft former employees who list their current employer as Carrot Rocket Ltd.

Naturally we were curious to find out more about this new entity. Luckily, the UK company database came to the rescue and revealed the following: the company was incorporated on March 13th 2015, the address was “20–22 Wenlock Road, London” (a mail forwarding address) and the director was listed as D. Kolechenko.

March 2015 is a particularly interesting time for mSpy. The anonymous hacker who broke into their servers claimed the company had known about the data leak for two months. The data leak became public on May 14th — making March 13th the time when mSpy learned about their data leak.

Since the incorporation of a new company and discovering a data leak potentially lethal for the business cannot be a pure coincidence, there are two possible scenarios here:

  • mSpy learns about the data leak and opens a new company in London, in order to have an alternative landing strip in case things go south
  • mSpy has been hacked by an insider as a part of some internal power struggle in the top management — and this party now is developing new products under a new name

Carrot And Rabbits

Let’s get back to D. Kolechenko, the listed director of Carrot Rocket. According to DueDil, a private company research tool, Mr. Kolechenko is a director of Seranking Ltd in addition to his Carrot Rocket position. On another British business database, Mr. Kolechenko appears to be a director of IntellectSoft Ltd as well.

Searching for those companies reveals that both of them are connected to a management firm called WeRocks. WeRocks is somewhat of a mysterious entity; luckily, its founder is listed on LinkedIn:

And who else should it be if not our old friend Andrey Shymanovich, the “mSpy co-founder and CEO” from multiple former press releases.

Finally, we can come to some conclusions.

mSpy is a spyware product developed by a Kiev-based company called Mobisoft Ltd and owned by an investment fund called WeRocks, along with other IT companies like Seranking, IntellectSoft and others. The owners hide their identity, and the public face of mSpy is local Ukrainian support and marketing managers who use fake American names like “Amelie Ross”. Their rationale for concealing the real ownership is probably the separation between the shady business practices of mSpy and the more legitimate dealings of their other companies: Seranking, HelpCrunch, Pixellent, IntellectSoft and other companies owned by Werocks.com.

mSpy completely ignores the safety of their “users” and the security of their data. The founders treat it as a cash cow, trying to squeeze every last dollar possible without any concern for the well-being of either those who use the software to “monitor” or the “monitored” parties. mSpy’s founders are post-Soviet IT businessmen who not only have access to the private data of hundreds of thousands of their American customers, but also don’t protect it from being leaked online.

Those businessmen use fake names, fake photos and fake tax haven-based companies to conduct shady practices and put the information of private citizens at risk.

We will be happy to provide any additional evidence to the claims posted in this article.

Cover Image: iPhone Selfie | Gabrielle Barni
