Cocospy 2025 Data Breach

Cocospy Mobile Stalkerware Breach (2025): 1.8 Million Operator Email Addresses Exposed :: Monitored Messages & Photos Also Accessible | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

n/a (anonymous researcher disclosure via TechCrunch)MisconfigurationSpywareEmail Address
High SeverityWebsite / service breach

Cocospy Mobile Stalkerware Breach (2025): 1.8 Million Operator Email Addresses Exposed :: Monitored Messages & Photos Also Accessible

Mobile device monitoring stalkerware application.

Verified by ObscureIQ Intelligence
68/100Breach Risk Index
40Data Value
25Market Recency
431dSince Breach

Breach Intelligence Summary

Entity: Cocospy · Actor: n/a (anonymous researcher disclosure via TechCrunch) · Sources: 2 references
Attack: Misconfiguration
Profile: Spyware / Stalkerware · Covert device monitoring and surveillance · Mobile spyware platform · Global
Timeline: Breach (2025-02-14) · Indexed (Feb 20, 2025) · Year (2025)
Exposure: 1.8M records · 1 fields: Email Address
Status: Confirmed

Executive Summary

Cocospy, a mobile stalkerware application sharing source code with sibling applications Spyic and Spyzie, suffered a data breach disclosed publicly on February 20, 2025 by TechCrunch. The breach was enabled by a security vulnerability shared across all three sibling applications that allowed any party to access the personal data exfiltrated from any device with the applications installed and to retrieve the email addresses of customers who had signed up to plant the spyware. The vulnerability was so trivial to exploit that TechCrunch and the involved security researcher declined to publish details to prevent further exploitation. The researcher used the vulnerability to scrape email addresses from all three applications and provided the dataset to Have I Been Pwned. Cocospy specifically was indexed on February 20, 2025. The breach affected approximately 1.81 million unique Cocospy customer email addresses based on records indexed by Have I Been Pwned, alongside approximately 880,167 Spyic customer emails (with a deduplicated combined Cocospy and Spyic count of 2.65 million unique addresses) and approximately 518,643 Spyzie customer emails (for a combined trio total of approximately 3.2 million customer emails). Compromised customer fields were limited to email addresses for purposes of HIBP indexing, but the underlying vulnerability also enabled unauthorized access to captured surveillance data including messages, photos, call logs, and real-time location data from monitored devices. Earliest Spyzie iPhone surveillance records dated back to early 2020. For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being monitored), the breach exposed live and historical device data captured by the spyware, with the U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware providing resources for individuals who suspect they may have been monitored. Android users can detect Cocospy, Spyic, and Spyzie installations by entering ✱✱001✱✱ on the Android phone dialer and pressing call, which exploits a built-in backdoor feature to reveal the otherwise-hidden application (which appears as a generic-looking 'System Service' app); victims should establish a safety plan before removal because disabling the application may alert the person who installed it. For iPhone and iPad users, the spyware works by exploiting the victim's Apple Account credentials to access iCloud-stored data, and victims should ensure two-factor authentication on their Apple Account and review and remove unrecognized devices from their account. For customers, inclusion in the dataset confirms participation in a stalkerware operation that has now ceased operation, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target.

ObscureIQ assessment: Extremely sensitive. Exposure can reveal abuse relationships, target identities, and monitoring behavior, enabling stalking, coercion, and severe privacy violations.

Breach Impact

The institutional impact on Cocospy and its sibling operations was effectively terminal. All three applications ceased operation, their websites disappeared, and their AWS storage infrastructure was deleted. The case has been widely cited in stalkerware-industry coverage as illustrating the consistent pattern of consumer-grade spyware operators shutting down following breach disclosure rather than investing in security improvements. The reputational impact concentrated within the broader stalkerware industry and on the FamiSoft Limited operator group that ran the Spyzie branch (along with several additional stalkerware brands including Teensafe, Spyier, Neatspy, Fonemonitor, Spyine, and Minspy that were also taken down following the disclosure). The Coalition Against Stalkerware and Malwarebytes (which detects all three applications as Android/Monitor.CocoSpy) have been actively involved in user guidance and advocacy commentary about the case.

About Cocospy

Cocospy was a mobile stalkerware application marketed as parental control and employee-monitoring software for Android and iPhone devices. Cocospy operated as one of three near-identical sibling stalkerware applications (alongside Spyic and Spyzie) that shared substantially the same source code under different brand names. Security researchers Vangelis Stykas and Felipe Solferini linked the operation of Cocospy and Spyic to 711.icu, a China-based mobile app developer whose website is no longer accessible. Cocospy launched in approximately 2018, with sibling Spyic launching in 2019 and sibling Spyzie operating for an unknown earlier period. Capabilities included covert access to messages, photos, call logs, and real-time location data on monitored devices. As a stalkerware platform, Cocospy maintained customer accounts and exfiltrated device data captured from the monitored phones.

Why They Hold Your Data

Mobile spyware platforms collect customer records, target-device identifiers, monitoring settings, and exfiltrated activity data tied to covert surveillance of phones.

Recent Developments

Cocospy and its sibling stalkerware applications Spyic and Spyzie were taken offline in approximately May 2025 following the February 2025 disclosure of the shared security vulnerability. The Cocospy, Spyic, and Spyzie websites disappeared, the applications stopped functioning, and the operators' Amazon Web Services cloud storage was deleted. TechCrunch reported that the shutdown likely reflects an attempt to escape legal and reputational fallout rather than a genuine remediation. Operators of the three applications did not respond to TechCrunch requests for comment and have not publicly acknowledged the breach or the shutdown. The case has been counted by TechCrunch as among the 25 known stalkerware operations that have been hacked or otherwise exposed sensitive data since 2017, with at least 10 of those operations including Cocospy shutting down in the wake of breach disclosure.

Data Points Exposed

1 verified field types
Email Address

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover

Threat Actor: n/a (anonymous researcher disclosure via TechCrunch)

n/a (anonymous researcher disclosure via TechCrunch)
Misconfiguration

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Cocospy breach?

Cocospy, a mobile stalkerware application sharing source code with sibling applications Spyic and Spyzie, suffered a data breach disclosed publicly on February 20, 2025 by TechCrunch. The breach was enabled by a security vulnerability shared across all three sibling applications that allowed any…

What data was exposed?

Verified fields include Email Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation