GoKawiilStalkerware allows people to secretly spy on romantic partners, family members or other associates by infecting a target’s phone and then silently amassing their text messages, photos, location information, and other data. The malware is profoundly intrusive in and of itself, but digital rights advocates have long cautioned that on top of violating victims’ personal privacy, it also creates an additional risk that data gathered using spyware could then separately be breached by an additional, unrelated actor, creating a true privacy disaster. New research this week illustrates one such example of a true worst-case scenario.
In findings released on Thursday, a security researcher details the discovery of a cloud repository that was publicly accessible on the open internet with no access controls. It contained nearly 90,000 screenshots showing a European celebrity’s private messages, photos, and phone usage—seemingly compiled using stalkerware.
“All the selfies were one person, all the chats were one person, and it was basically everyone they chatted with divided into Instagram, Facebook, TikTok, and WhatsApp,” Jeremiah Fowler, a researcher with Black Hills Information Security who discovered the exposed data, tells WIRED. “There was a lot of nudity, there were pictures that you wouldn’t want out in the public.”
Among the 86,859 images, Fowlers’ analysis says, were ones capturing the celebrity talking privately with models, influencers, and other high-profile individuals, some of whom have millions of followers on their social media accounts. The screenshots, he says, captured business conversations with invoices and personal payment details, phone numbers, some partial credit card numbers, and huge volumes of sensitive information.
“You capture the initial victim, but you also victimize everyone they communicate with,” he says.
Fowler is not naming the apparent victim or their associates and says he reported the incident to local law enforcement. “Even though this is a very public person, even public people deserve privacy,” Fowler says.
Mistakenly exposed cloud repositories are a long-standing privacy and digital security problem, but these open data troves typically belong to companies that leave access open, exposing corporate secrets or customer information, because of misconfigurations or other oversights. In this case, though, the exposed data appeared to be owned by an individual. Based on the material in the dataset, Fowler attempted to contact the apparent victim, but ultimately notified the cloud service that was hosting the data. The company contacted the owner to have the data secured. Fowler is not publicly naming the host.
The exposed files have all of the characteristics of data collected using spyware—screenshots of particularly sensitive and intimate digital activity taken during a specific time span. And Fowler, who regularly investigates exposed datasets, specifically noticed this trove because the repository was called “Cocospy,” the name of a notorious off-the-shelf spyware tool. Fowler says the exposed data spanned mid-2024 to mid-2025.
Early last year, Cocospy and two other related apps that shared much of the same source code went offline after exposing user information. They became the latest in a long line of stalkerware apps to have suffered security breaches and exposed sensitive information. A flaw in the apps made it possible for anyone to access the huge troves of information that had been gathered from stalkerware victims and simultaneously exposed millions of Cocospy customer email addresses, TechCrunch reported at the time.
“Their malware on Android was full-blown spyware,” says Vangelis Stykas, a security researcher who has analyzed Cocospy and related apps, and is the cofounder and CTO of security firm Kumio AI. “It pretty much uploads everything from your phone to their cloud.”
... continue reading