techcrunch.com
Zack Whittaker
Lorenzo Franceschi-Bicchierai
8:20 AM PST · February 9, 2026
More than half-a-million people who bought access to phone surveillance and social media snooping apps had their email address and partial payment card numbers published online.
A hacktivist has scraped more than half-a-million payment records from a provider of consumer-grade “stalkerware” phone surveillance apps, exposing the email addresses and partial payment information of customers who paid to spy on others.
The transactions contain records of payments for phone-tracking services like Geofinder and uMobix, as well as services like Peekviewer (formerly Glassagram), which purport to allow access to private Instagram accounts, among several other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.
The customer data also includes transaction records from Xnspy, a known phone surveillance app, which in 2022 spilled the private data from tens of thousands of unsuspecting people’s Android devices and iPhones.
This is the latest example of a surveillance vendor exposing the information of its customers due to security flaws. Over the past few years, dozens of stalkerware apps have been hacked, or have managed to lose, spill, or expose people’s private data — often the victims themselves — thanks to shoddy cybersecurity by the stalkerware operators.
Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data, including their call records, text messages, photos, browsing history, and precise location data, which is then shared with the person who planted the app.
Apps like uMobix and Xnspy have explicitly marketed their services for people to spy on their spouses and domestic partners, which is illegal.
The data, seen by TechCrunch, included about 536,000 lines of customer email addresses, which app or brand the customer paid for, how much they paid, the payment card type (such as Visa or Mastercard), and the last four digits on the card. The customer records did not include dates of payments.
TechCrunch verified the data was authentic by taking several transaction records containing disposable email addresses with public inboxes, such as Mailinator, and running them through the various password reset portals provided by the various surveillance apps. By resetting the passwords on accounts associated with public email addresses, we determined that these were real accounts.
We also verified the data by matching each transaction’s unique invoice number from the leaked dataset with the surveillance vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve the same customer and transaction data from the server without needing a password.
The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the data from the stalkerware vendor thanks to a “trivial” bug in its website. The hacktivist said they “have fun targeting apps that are used to spy on people,” and subsequently published the scraped data on a known hacking forum.
The hacking forum listing names the surveillance vendor as Ersten Group, which presents itself as a U.K. software development startup.
TechCrunch found that several email addresses in the dataset, used for testing and customer support, instead reference Struktura, a Ukrainian company whose website is identical to Ersten Group’s. The earliest record in the dataset contained the email address of Struktura’s chief executive, Viktoriia Zosim, for a transaction of $1.
Representatives for Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not return a request for comment.
Cyber Security Agency of Singapore
www.csa.gov.sg
9 February 2026
Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector
The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) shared details of a multi-agency cybersecurity operation, codenamed Operation CYBER GUARDIAN, to defend our telecommunications sector.
Background
2 On 18 July 2025, Coordinating Minister for National Security Mr K Shanmugam shared that Advanced Persistent Threat (APT) actor UNC3886 had been detected attacking our critical infrastructure. No further details were shared then, to preserve operational security. Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telecommunications operators (“telcos”) – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks.
Singapore’s telcos targets of cyberattacks
3 APTs are sophisticated and persistent, getting past defences with advanced methods over time. UNC3886 is an APT actor with deep capabilities. UNC3886 deployed advanced tools in their campaign to gain access into our telco systems. For example:
a. In one instance, they used a zero-day exploit[1] to bypass a perimeter firewall of our telcos and gained access into our telco networks. They also managed to exfiltrate a small amount of technical data; this is believed to be primarily network-related data to advance the threat actors’ operational objectives.
b. In another instance, the threat actor utilised advanced tools and techniques such as rootkits[2] to maintain persistent access and cover their tracks and evade detection. This made it challenging for cyber defenders to detect their presence, requiring the cyber defenders to conduct comprehensive security checks across the networks.
Operation CYBER GUARDIAN mitigated serious threat posed by UNC3886
4 The threat actor’s activities were initially detected by the telcos, who then notified IMDA and CSA of the breach. CSA, IMDA and other government agencies swiftly launched a coordinated whole-of-Government response, in partnership with the telcos to contain the breach. The operation, codenamed Operation CYBER GUARDIAN, is Singapore’s largest coordinated cyber incident response effort undertaken to date, spanning more than eleven months. Over 100 cyber defenders across agencies such as CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD) were involved in the operation.
5 Under Operation CYBER GUARDIAN, the authorities worked closely with the telcos to limit UNC3886’s movement into the networks and ensure our systems remain safe to use. So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere.
a. The threat actor was able to gain unauthorised access into some parts of telco networks and systems. In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services.
b. There is no evidence to date that sensitive or personal data such as customer records were accessed or exfiltrated.
c. There is also no evidence that the threat actor managed to disrupt telecommunications services such as internet availability.
6 Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telcos.
7 The close partnership between the public and private sector in Operation CYBER GUARDIAN reflects our national doctrine of cyber defence, in which government agencies, as well as the private sector come together to collectively defend our cyber space. The doctrine also guides capability development across our cyber ecosystem, sets out the roles that different parties should play in cyber defence, and the actions that should be taken during a cyber incident. This coordinated approach is a key pillar of Singapore’s cyber security.
The fight is ongoing
8 While our collective efforts have contributed to containing the attacks so far, we must be prepared that there may be future attempts to gain access into our telco infrastructure. Telcos are strategic targets for threat actors, including state-sponsored ones. They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data. If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy.
9 The Government takes a serious view of the cyberattack against our telcos. CSA and IMDA have been working closely with our telcos to strengthen their cyber defences, enhance detection capabilities, and deploy active monitoring systems to maintain vigilance against new attempts by UNC3886 to re-enter their networks. Telcos have also been putting in place interventions including joint threat hunting, penetration testing, and levelling up of capabilities. CSA will also be progressively introducing initiatives to raise the level of capabilities across our cyber ecosystem, to enable better and more timely responses against cyber threats and to strengthen Singapore’s cyber defences.
10 Speaking at an engagement event for cyber defenders involved in Operation CYBER GUARDIAN, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity & Smart Nation Group, Josephine Teo, thanked the defenders for their contributions and called for continued vigilance.
11 In her address, she also highlighted the important role played by critical infrastructure operators who are at the frontlines of the battle against cyber threat actors. She said, “Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security. I urge all of you to continue investing in upgrading your systems as well as your capabilities”. In closing, Minister Teo acknowledged the need for the government and critical infrastructure owners to work together as a team, so that we can be effective against sophisticated adversaries and protect everything we care about.
The Record from Recorded Future News
therecord.media
Alexander Martin
February 6th, 2026
Norwegian intelligence discloses country hit by Salt Typhoon campaign
Norway’s domestic security agency confirmed Friday that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations.
The disclosure was made in the Norwegian Police Security Service’s (PST) annual threat assessment for 2026. The agency’s director general, Beate Gangås, said Norway was “facing its most serious security situation since World War II,” citing pressure from multiple foreign intelligence services.
Salt Typhoon is the name U.S. and allied authorities use for a Chinese cyber espionage campaign that has focused heavily on breaching telecommunications and other critical infrastructure. In its report, PST said the actor has exploited vulnerable network devices in Norway.
Gangås said foreign states — particularly China, Russia and Iran — are “conducting intelligence operations and employing hybrid tactics in Norway to undermine our resilience,” stressing the “vital” need for stronger protective security, intelligence and situational awareness.
The assessment said Chinese security and intelligence services have strengthened their ability to operate in Norway, including through cyber operations and human intelligence collection, adding that “the primary intelligence threat from China is in the cyber domain.”
China is described as posing a “substantial” threat and is expected to continue improving its efforts to collect intelligence and map Norwegian digital infrastructure.
PST also warned that China is “systematically” exploiting collaborative research and development projects to bolster its own military capacity and security capabilities.
Salt Typhoon has been linked to significant breaches of telecommunications providers and other critical infrastructure abroad. U.S. officials have said the campaign allowed attackers to intercept communications linked to senior political figures during the 2024 presidential race, including Donald Trump and JD Vance.
Last year, more than a dozen allied countries issued a joint advisory blaming three Chinese technology companies for enabling the espionage campaign, saying the intrusions were used to track the communications and movements of specific targets.
While China dominates the cyber threat picture, PST said Russia remains the principal overall threat to Norway’s security. The agency cited sustained espionage, mapping of critical infrastructure, pressure on Ukrainian refugees, covert intelligence operations using civilian vessels and the risk of sabotage.
Russian intelligence has been “closely monitoring military targets and allied activities and capabilities in Norway for many years,” the report said, adding that the tense geopolitical situation in Europe is likely to drive increased activity.
PST said it expects that to include more Russian cyber operations, influence campaigns and attempts to recruit sources via digital platforms in 2026, describing cyber activity as an integral part of Moscow’s broader intelligence effort alongside traditional espionage and influence work.
“The tense geopolitical situation in Europe means that Russian intelligence has several areas of interest in relation to Norway and other NATO countries. Given the increase in military targets on Norwegian soil, the stronger allied presence, and additional military exercises, we anticipate heightened activity from Russian intelligence services,” the agency added.
Iranian intelligence services are also expected to carry out intelligence and influence operations in Norway, the PST said, warning the regime may attempt to target Western interests through property damage, targeted assassinations, terrorist acts or destructive cyber operations.
The PST said the assessment underlines the need for closer cooperation between authorities and the private sector, particularly operators of critical infrastructure, as foreign intelligence services increasingly combine cyber operations with more traditional espionage and influence campaigns.
BridgePay Network Solutions's Status Page - BridgePay Gateway - Outage - Under Investigation.
Update
We are continuing to work with our internal teams and external partners to address the issue.
At this time, we do not have any new information to share. We understand the impact this disruption may have and sincerely appreciate your patience as our teams continue their work.
We will provide another status update tomorrow with any new information available.
Posted 12 hours ago. Feb 08, 2026 - 18:06 EST
Update
At this time, there is no new confirmed information to report. Our teams, along with federal authorities and cybersecurity specialists, are working diligently on forensic analysis, system security, and recovery planning. Restoration efforts are actively underway, and all work is being conducted with care to ensure systems are brought back online safely and securely. We do not have an ETA on when this process will be completed. Because of the nature of the attack (ransomware), we are still in the early stages of this process.
We do want to reiterate this was not a card data breach. No card data was compromised and any file that may have been accessed was encrypted.
We understand the disruption this causes and truly appreciate your continued patience, support, and understanding during this process.
We remain committed to transparent communication and will provide further updates as soon as meaningful new information becomes available.
Posted 2 days ago. Feb 07, 2026 - 16:14 EST
Update
We want to provide a further update regarding the cybersecurity incident affecting our systems.
It is very unfortunate that we are all facing this situation in today’s world, and we are deeply grateful for the patience, understanding, and support we have received — especially from our partners, who have offered assistance and expertise during this time.
We can now confirm that this incident was the result of a ransomware attack. As previously noted, we have engaged both local and federal authorities, along with specialized forensic and recovery teams, to assist with investigation, containment, and system restoration. We are also working closely with leading cybersecurity firms to restore operations as quickly and safely as possible.
Initial forensic findings indicate that no payment card data has been compromised, and any files that may have been accessed were encrypted. At this time, there is no evidence of usable data exposure.
We recognize that recovery may be a lengthy process, and we are working with urgency and diligence to restore systems and services in a secure and responsible manner. Our priority remains protecting our customers, partners, and operations.
We will continue to provide updates as restoration efforts progress and additional verified information becomes available.
Thank you again for your patience, trust and continued support.
Posted 2 days ago. Feb 06, 2026 - 19:08 EST
Identified
At this time, our systems are temporarily unavailable. We are actively working with the U.S. Secret Service forensic team and cybersecurity professionals to secure our environment and obtain clearance to access our systems so we can fully assess the scope of the incident. This will allow us to better understand the extent of the impact and determine the appropriate restoration and recovery process.
Please know that this matter is being treated with the highest priority, and every available resource is being dedicated to resolving the situation safely and responsibly. We do not believe there is a threat or vulnerability for our integrators at this time.
We sincerely appreciate your patience and understanding during this time. We will provide updates as soon as new information becomes available and as restoration efforts progress.
Thank you for your continued trust and support.
Posted 3 days ago. Feb 06, 2026 - 12:00 EST
Update
We are currently experiencing a system-wide service disruption. We have identified that this outage is related to a cybersecurity incident and are actively investigating with our internal teams and external specialists including the FBI.
At this time, we do not have an estimated timeframe for full restoration of services. Our teams are working diligently to assess the impact, contain the issue, and restore systems as quickly and safely as possible.
We will provide additional updates as more information becomes available. We appreciate your patience and understanding during this time.
Posted 3 days ago. Feb 06, 2026 - 06:34 EST
Investigating
BridgePay systems are currently experiencing an outage.
Our team is engaged and investigating the cause.
Expected time for resolution is unknown at this time.
Posted 3 days ago. Feb 06, 2026 - 05:48 EST
This incident affects: PathwayLink Gateway (T-Gate) - Production (Gateway.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink Boarding Portal), PathwayLink (T-Gate) UAT - Certification Environment (GatewayStage.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink UAT Boarding Portal), BridgePay Gateway - Production (BridgePay Gateway API - BridgeComm, PayGuardian Cloud API, MyBridgePay Portal - Virtual Terminal and Reporting, BridgePay Gateway WebLink 3.0 - Hosted Payment Page), BridgePay UAT - Certification Environment (BridgePay UAT API - BridgeComm, PayGuardian Cloud UAT API, MyBridgePay UAT Portal - Virtual Terminal and Reporting, BridgePay UAT WebLink 3.0 - Hosted Payment Page), and BridgePay Support (BridgePay Integration Support Portal, BridgePay Phone Support, BridgePay Email Support).
SmarterTools Derek Curtis - 03/02/2026 at 15:45
As promised, we wanted to provide additional information regarding the network breach we experienced last Thursday (January 29, 2026), along with summaries of our releases and what we have observed both on our servers and when working with SmarterMail customers who have been compromised.
Our Network Breach
Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network. Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.
We isolate our networks, as is best practice, in the event of a breach. Because of this segmentation, our website, shopping cart, My Account portal, and several other services remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.
As for what was affected, it was the network at our office and at another data center which primarily had various labs where we do much of our QC work, etc. At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory. We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old.
Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts. None of the Linux servers were affected.
When we first noticed the breach, we instantly shut off all servers at the two locations and we disabled all internet until we completely evaluated all aspects of the breach and either eliminated servers and/or restored servers to be safe.
As a result of all this, our networks look very different than before. We have eliminated Windows from our networks where we could and we no longer use Active Directory services. Our policy in these scenarios is to replace passwords throughout our network as well.
Another thing to note, Sentinel One did a really good job detecting vulnerabilities and preventing servers from being encrypted. We use multiple virus vendors but we saw great results with Sentinel One and wanted to throw a shout out to them and encourage customers to take a look. Any virus scanner you do run on a SmarterMail server, please be sure to look at our knowledge base article on exclusions so you do not corrupt any files. Please review here: https://portal.smartertools.com/kb/a3249/virus-scanner-exceptions-for-smartermail.aspx#
We hope this helps customers understand the scope of the breach and what steps we took. More info on what we saw and what we are seeing on customers’ servers that have been compromised are included below.
Recent SmarterMail Releases
As mentioned in our previous emails, Build 9518 (January 15, 2026) contains all fixes related to the CVEs that were announced. Build 9526 (January 22, 2026) complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.
It remains challenging to ensure all customers keep their installations up to date. Every build we release has significance. Even smaller security updates can help prevent issues such as denial-of-service attacks that might otherwise consume excessive server memory or CPU, etc.
Email remains as critical today as ever, and threats against mail servers are as high as they have ever been. The attacks are constantly evolving and technologies are constantly changing, and SmarterTools must make changes that are not always appreciated or understood. Examples include the deprecation of TLS 1.0/1.1 in favor of TLS 1.2 and above, the enforcement of SPF, DKIM, and DMARC requirements by major email providers, and other evolving standards.
Moving forward, we are continuing to audit all of our products and we will continue working with security companies and independent researchers if/when they find bugs or other issues. We are making continual updates—no matter how small—to ensure our products are as secure and optimized as possible.
As of now, there are no major known security issues with SmarterMail.
In addition, we are making a concerted effort to improve transparency in how we communicate security updates. This situation is unprecedented in our company’s history, and we are learning a great deal from it—with the help of our customers. While we do not anticipate a recurrence, we will approach any future incident even more proactively and effectively than we have.
Malicious Behaviors We Have Seen
As you can imagine, we have been working extensively with customers whose systems were vulnerable to attack. We were compromised by a group known as the Warlock Group, and we have observed similar activity on customer machines.
Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.
They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.
Common folders used:
Public folders
AppData
ProgramData
SmarterTools \ SmarterMail directories
Common file names and programs observed:
Velociraptor
JWRapper
Remote Access
SimpleHelp
WinRAR (specifically older, vulnerable versions)
Run.exe
Run.dll
main.exe
Short, random filenames such as e0f8rM_0.ps1 or abc...
Random .aspx files
Other indicators:
Unusual local users or administrators
Suspicious startup items
Newly created or modified scheduled tasks
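The following triage script is an added example, not SmarterTools code and not a signature from the notice. It turns the indicators listed above (the named folders, the file names, unusual local users or administrators, suspicious startup items, and newly created or modified scheduled tasks) into a read-only inventory a defender can run as Administrator on a Windows SmarterMail host. The folder and file names come from the notice; the SmarterMail install path, the 30-day review window, the regex for "short, random" script names, and the known-administrator baseline are assumptions and are marked as such in the code.

```powershell
# Added triage example for the indicators listed in the SmarterTools notice.
# Read-only: it collects candidates for an analyst to review and changes nothing.
# Run in an elevated PowerShell session on the Windows SmarterMail host.

$WindowDays = 30                                    # assumed review window
$Since      = (Get-Date).AddDays(-$WindowDays)

# Folders named in the notice. The SmarterMail install path is an assumption.
$Folders = @(
    'C:\Users\Public',
    $env:ProgramData,
    'C:\Program Files (x86)\SmarterTools\SmarterMail'   # assumed; adjust to your install
)
$Folders += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'AppData' }

# File names and programs from the notice (wildcards added), plus an assumed regex
# for the "short, random" script names such as e0f8rM_0.ps1.
$NamePatterns = 'Velociraptor*', 'JWRapper*', 'SimpleHelp*', 'Run.exe', 'Run.dll', 'main.exe', '*.aspx'
$ShortRandom  = '^[A-Za-z0-9_]{4,12}\.ps1$'

# Baseline of expected local administrators: constructed placeholder, replace it
# with your own known-good list before relying on the LocalAdmin findings.
$KnownAdmins = @("$env:COMPUTERNAME\Administrator")

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Recently written files in the listed folders whose names match the notice.
foreach ($Folder in $Folders) {
    if (-not (Test-Path -LiteralPath $Folder)) { continue }
    Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since } |
        ForEach-Object {
            $name = $_.Name
            $hit  = ($NamePatterns | Where-Object { $name -like $_ }) -or ($name -match $ShortRandom)
            if ($hit) { Add-Finding 'File' "$($_.FullName) (written $($_.LastWriteTime))" }
        }
}

# 2. Local administrators outside the baseline, and local users whose password
#    was set inside the window (a proxy for recently created accounts).
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $KnownAdmins -notcontains $_.Name } |
    ForEach-Object { Add-Finding 'LocalAdmin' "$($_.Name) ($($_.PrincipalSource))" }
Get-LocalUser -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -and $_.PasswordLastSet -gt $Since } |
    ForEach-Object { Add-Finding 'LocalUser' "$($_.Name) password set $($_.PasswordLastSet)" }

# 3. Scheduled tasks outside the \Microsoft\ tree, with what each action executes.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)"
            }
        }
    }

# 4. Startup items (Run keys and Startup folders) as reported by WMI.
Get-CimInstance Win32_StartupCommand -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Startup' "$($_.Name): $($_.Command) [$($_.Location)]" }

# Report on screen and keep a copy for the incident record.
$Findings | Sort-Object Category | Format-Table -AutoSize -Wrap
$Findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\smartermail-triage.csv"
```

Every line the script emits is a candidate, not a verdict: legitimate software also lives in ProgramData and AppData, SmarterMail itself ships .aspx content, and the scheduled-task and startup lists will contain expected entries. Compare the output against a clean baseline from a known-good host, and treat a hit that combines several categories (a file in one of the listed folders plus a new task or local admin pointing at it) as the thing to escalate first.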
It is also important to note that CVEs are being discovered across many different products. Some groups install legitimate-looking applications on servers and later exploit them. For example, the Warlock Group frequently targets CVEs in SharePoint and Veeam and has now targeted SmarterMail. Recent Notepad++ update vulnerabilities are another example of how trusted applications can be leveraged to further exploit systems, servers, and desktops.
Based on our observations, the Warlock Group primarily targets Windows environments. We are now primarily a Linux-based company and found no Linux servers exposed to compromise.
A Final Word
We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments. We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.
Finally, we continue to experience elevated support volumes, but response times are improving and are now measured in hours rather than days.
Derek Curtis
CCO
SmarterTools Inc.
www.smartertools.com