Cybersecurity Researcher Exposes 86,000-Image Stalkerware Leak Targeting European Celebrity
A hidden trove of 86,859 private phone screenshots has been uncovered, exposing a high‑profile European entrepreneur to an unprecedented privacy breach.
Jeremiah Fowler, a cybersecurity researcher, found a publicly accessible database named "Cocospy"—a name linked to a commercial spyware tool—containing mid‑2024 to mid‑2025 screenshots from a victim’s device. The collection, which logged activity on Facebook, WhatsApp, Instagram, and TikTok, was not password protected, allowing anyone with an internet connection to view the material.
The victim, a prominent European entrepreneur and media personality, had his personal communications with models, influencers, and other celebrities captured in the images. The screenshots also revealed intimate exchanges, phone numbers, email addresses, invoices, receipts, and identification documents. Fowler’s investigation showed that the database was created by an individual who had installed the stalkerware on the victim’s phone and misconfigured its access controls, rather than by the spyware provider.
Fowler promptly notified law enforcement and the victim and shared his findings with ExpressVPN. The VPN company is publishing the report as part of its ongoing effort to make the web safer.
Stalkerware is spyware that can secretly monitor a target’s location, read messages, record calls, and access photos and social‑media activity. While some vendors market the software as a harmless monitoring tool, it is widely used for unauthorized surveillance. In many jurisdictions—including the European Union, the United States, Canada, and Australia—installing or using stalkerware without the target’s consent is a criminal offense that can carry significant fines and prison terms.
ExpressVPN’s report contains anonymized screenshots that illustrate the breadth of data the spyware can collect. In addition to text messages, the images show captured video calls, demonstrating that the software can record audio, video, and screen activity. The report also offers guidance on detecting and removing spyware, such as checking for unfamiliar apps, reviewing device administrator settings, and performing a factory reset.
Industry experts say the leak underscores the need for tighter security controls on third‑party cloud storage and better user awareness of the risks posed by monitoring apps. The incident also highlights how easily personal data can be exposed when a device is compromised, even for high‑profile individuals.
Fowler stated that his goal in publishing the findings is to raise awareness about the risks posed by stalkerware while protecting the identities of those involved. He added that the same tools used in this case are commonly deployed in broader cybercrime, harassment, and stalking situations.
ExpressVPN’s release of the report is intended to inform the public and encourage users to review their device security practices. The company has not announced any direct legal action against the individual who uploaded the database.
At this time, the victim’s identity remains undisclosed, and no further public statements have been made by law enforcement. The ExpressVPN report will remain available on the company’s website, and the data leak has been reported to relevant regulatory bodies.
The incident serves as a reminder that the proliferation of monitoring software can create significant privacy risks for anyone who falls victim to unauthorized surveillance.
