A new security flaw in TheTruthSpy phone spyware is putting victims at risk
Zack Whittaker, Lorenzo Franceschi-Bicchierai · August 25, 2025
A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, TechCrunch has confirmed.
Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it’s likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else.
This basic flaw shows, once again, that makers of consumer spyware such as TheTruthSpy — and its many competitors — cannot be trusted with anyone’s data. These surveillance apps not only facilitate illegal spying, often
To date, TechCrunch has counted at least 26 spyware operations that’ve leaked, exposed, or otherwise spilled data in recent years.
TechCrunch verified the vulnerability
When contacted
As of publication, the vulnerability still exists and presents a significant risk to the thousands of people whose phones are believed to be unknowingly compromised
Given the risk to the general public, we’re not describing the vulnerability in more detail so as to not aid malicious actors.
TheTruthSpy is a prolific spyware operation with roots that go back almost a decade. For a time, the spyware network was one of the largest known phone surveillance operations on the web.
TheTruthSpy is developed
As such, the security bugs in TheTruthSpy also affect customers and victims of any branded or whitelabeled spyware app that relies on TheTruthSpy’s underlying code.
As part of an investigation into the stalkerware industry in 2021, TechCrunch found that TheTruthSpy had a security bug that was exposing the private data of its 400,000 victims to anyone on the internet. The exposed data included the victims’ most personal information, including their private messages, photos, call logs, and their historical location data.
TechCrunch later received a cache of files from TheTruthSpy’s servers, exposing the inner workings of the spyware operation. The files also contained a list of every Android device compromised
Our subsequent reporting, based on hundreds of leaked documents from 1Byte’s servers sent to TechCrunch, revealed that TheTruthSpy relied on a massive money-laundering operation that used forged documents and false identities to skirt restrictions put in place
In late 2023, TheTruthSpy had another data breach, exposing the private data on another 50,000 new victims. TechCrunch was sent a copy of this data, and we added the updated records to our lookup tool.
As it stands, some of TheTruthSpy’s operations wound down, and other parts rebranded to escape reputational scrutiny. TheTruthSpy still exists today, and it has kept much of its buggy
Thieu continues to be involved in the development of phone monitoring software, as well as the ongoing facilitation of surveillance.
According to a recent analysis of TheTruthSpy’s current web-facing infrastructure using public internet records, the operation continues to rely on a software stack developed
In an email, Thieu said he was rebuilding the apps from scratch, including a new phone monitoring app called MyPhones.app. A network analysis test performed
TechCrunch has an explainer on how to identify and remove stalkerware from your phone.
TheTruthSpy, much like other stalkerware operators, remains a threat to the victims whose phones are compromised
—
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has re
Zack Whittaker Security Editor
Zack Whittaker is the security editor at TechCrunch. He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him
Lorenzo Franceschi-Bicchierai Senior
Lorenzo Franceschi-Bicchierai is a Senior
You can contact or verify outreach from Lorenzo
About the Author
Sophie Mueller