The ease with which bad actors can find a worldwide market for malicious apps that spy on people’s digital devices is at the center of an Australian Federal Police case against a man who, starting at the age of 15, wrote a stalkerware application and sold it to 14,500 people in 128 countries.

Australian police last month arrested the man, now 24, and identified at least 201 of his Australian customers, in an investigation that began in 2017 and involved a dozen law enforcement agencies in Europe and Australia, and information provided by Palo Alto Networks and the FBI. The case underscores the sheer scope of the market for stalkerware—the app, costing just $35, was sold for seven years before law enforcement shut it down. Tens of thousands of victims were spied on, police said. Its customers included domestic violence perpetrators and even a child sex offender.

Stalkerware—commercially-available apps that are designed to be covertly installed on another person’s device for the purpose of monitoring their activity without their knowledge or consent—continues to be a huge threat to consumers in general and to survivors of domestic abuse in particular. Research indicates that tens of thousands of people around the world are victims of stalkerware each year; the actual number is probably much higher due to underreporting.

Media outlets reported that Australian police arrested Jacob Wayne John Keen, the creator of Imminent Monitor stalkerware, on July 24. The tool, one of thousands of commodity Remote Access Tools, or, aptly, RATs, was designed to spy on computers running Windows. The spyware could be installed remotely on a victim’s computer, without their knowledge, through phishing, where a user is duped into opening an email or text message that looks legitimate but then takes control of the computer without the user’s knowledge or consent.

Much of the focus in the discussion of stalkerware is on the malicious apps that run on mobile devices. Stalkers can use those apps to track victims’ locations, among other privacy-invasive uses. But stalkerware that runs on computers is also very dangerous, providing perpetrators access to a lot of sensitive user information, including all passwords and documents. Imminent Monitor, once installed on a victim’s computer, could turn on their webcam and microphone, allow perpetrators to view their documents, photographs, and other files, and record all keystrokes entered.

Imminent Monitor’s creator tried to maintain that the app was a legitimate remote desktop utility (monitoring apps are often used for spying by stalkers). But a Palo Alto Networks report noted that Imminent Monitor hawked nefarious features that kept the presence of the app secret from the user and mined the victim’s computer for cryptocurrency.

The law enforcement investigation of the app targeted both sellers and users. The Australian police were able to identify both the Australian offenders who bought the software and the victims they targeted, which they said was a first for any law enforcement agency. Two hundred and one buyers were identified in Australia alone—half of whom were identified through their PayPal records.

Australian police said that a statistically high percentage of those customers were respondents on domestic violence orders. The app was sold to buyers in 128 countries before its web page was taken down in late 2019, when 85 warrants were executed in Australia and Belgium, 434 devices were seized, including the app maker’s custom-built computer, and 13 of the app’s most prolific users were arrested. The investigation involved actions in Colombia, Czechia, the Netherlands, Poland, Spain, Sweden and the United Kingdom.

Imminent Monitor’s creator was charged with six counts of committing computer offenses, which together carry a maximum sentence of 20 years in prison.

Every time a stalkerware app is taken down, it’s a victory for users everywhere. Unfortunately, we know that those caught are just the tip of the iceberg. Still, the Imminent Monitor investigation and takedown should serve as a deterrent and send a strong message that, while stalkerware app creators are on the hunt for customers, defenders of spyware victims are on the hunt for them.