
FTC upholds ban on stalkerware founder Scott Zuckerman



A stalkerware maker who was banned from the surveillance industry after a data breach that exposed the personal information of its customers, as well as the people they were spying on, will not be able to go back to selling the invasive software, according to the U.S. Federal Trade Commission.

The FTC denied a request to cancel that ban made by Scott Zuckerman, the founder of consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor. 

On Monday, the FTC announced the denial in a press release after Zuckerman petitioned the federal watchdog to rescind or modify the ban order in July of this year. 

In 2021, the FTC banned Zuckerman from “offering, promoting, selling, or advertising any surveillance app, service, or business,” effectively preventing him from running another stalkerware business. The agency also ordered Zuckerman to delete all the data collected by SpyFone, as well as to undergo frequent audits and establish certain cybersecurity practices for his businesses. 

“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, then acting director of the FTC’s Bureau of Consumer Protection. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”

In his petition, Zuckerman claimed that the financial costs of the FTC order’s security requirements have made it harder for him to run his other businesses, even though, according to the petition, Support King is no longer in operation and he now only runs a restaurant and plans other “tourism ventures” in Puerto Rico.

When reached via email, Zuckerman declined to comment and referred questions to his lawyer.


The FTC ban stemmed from an incident in 2018, when a security researcher found an Amazon S3 bucket belonging to SpyFone that left extremely sensitive data — including selfies, text messages, chat app messages, audio recordings, contacts, location, hashed passwords and logins, and more — exposed online for anyone to see and access.

The exposed data included 44,109 unique email addresses and, according to the researcher who found the breach, “at least 2,208 current ‘customers’ and hundreds or thousands of photos and audio in each folder” from 3,666 phones that had the SpyFone stalkerware installed on them.

Contact Us

Do you have more information about stalkerware makers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

Less than a year after the 2021 FTC order, TechCrunch reported that Zuckerman appeared to be running another stalkerware company. In 2022, TechCrunch received a trove of breached data from stalkerware app SpyTrac. The data revealed that SpyTrac was run by freelance developers with direct ties to Support King, in what appeared to be an attempt to circumvent the FTC’s ban. Furthermore, the breached data included records from SpyFone, which Zuckerman was ordered to delete, and keys to access the cloud storage of OneClickMonitor, another one of his stalkerware apps. 

Eva Galperin, a prominent expert on stalkerware, celebrated the news. “Mr. Zuckerman was clearly hoping that if he laid low for a few years, everyone would forget about the reasons why the FTC issued a ban not only against the company, but against him specifically,” Galperin told TechCrunch. 

TechCrunch’s revelation in 2022 that Zuckerman apparently violated the FTC ban “suggests that Zuckerman did not learn his lesson,” added Galperin, who is the director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation.

Stalkerware apps allow their customers to surreptitiously spy on the phones and devices of their loved ones. Beyond enabling potentially illegal activities, at least 26 stalkerware companies have been hacked or have left sensitive data exposed online over the last eight years, according to TechCrunch’s tally. These incidents show that these companies have repeatedly failed to protect the privacy of their customers, as well as the people they spy on.


