
The Spyware Maker Who Walked Free: Inside the Sentencing That Has Cybersecurity Experts Furious

Editor’s note: The primary source URL provided for this article (dated April 2026) could not be verified as a published article at the time of writing. The following article is based on available reporting on spyware prosecutions and related cybersecurity enforcement trends. If the referenced TechCrunch article becomes available, this piece should be updated accordingly.

The commercial spyware industry has operated in legal gray zones for years, with developers and distributors largely avoiding the kind of criminal accountability that prosecutors and privacy advocates have long demanded. Recent sentencing outcomes in spyware-related cases have reignited a fierce debate about whether the American justice system treats creators of surveillance malware with appropriate severity — or whether it sends the message that building tools designed to secretly monitor unsuspecting victims carries minimal personal risk.

The pattern is unmistakable. Developers of stalkerware and commercial spyware applications have, in case after case, received sentences that cybersecurity professionals and victims’ advocates describe as shockingly lenient. Probation instead of prison. Fines that amount to a fraction of the revenue generated. Community service hours that seem almost satirical given the scale of privacy violations involved.

This isn’t a new frustration. But it’s an intensifying one.

The commercial spyware market — sometimes called stalkerware when marketed to individuals seeking to monitor romantic partners, family members, or employees — has grown into a multibillion-dollar global industry. Companies operating in this space often maintain a thin veneer of legitimacy, marketing their products for “parental monitoring” or “employee oversight” while knowing full well that a significant portion of their customer base uses the software to surveil people without consent. The Federal Trade Commission has taken action against several such companies in recent years, and the Department of Justice has pursued criminal charges in a handful of cases. But the outcomes at sentencing have consistently disappointed those who believe the punishment should reflect the harm.

According to TechCrunch, stalkerware applications have compromised the phone data of millions of people, with repeated security breaches at these companies exposing victims’ sensitive information — location data, text messages, photographs, call recordings — to not just the person who installed the spyware but potentially to anyone on the internet. The consequences for victims are real and sometimes deadly. Domestic violence organizations have documented cases where stalkerware facilitated physical abuse, stalking, and even murder.

And yet the people who build these tools keep walking out of courtrooms with their freedom intact.

The Justice Department’s track record on spyware prosecutions tells a complicated story. On one hand, federal prosecutors have demonstrated increased willingness to bring charges. The 2021 case against the maker of the SpyFone application resulted in an FTC ban: as the FTC announced, the order required the company and its CEO to delete illegally harvested data and effectively barred them from the surveillance business. But that was a civil enforcement action, not a criminal prosecution. The distinction matters enormously.

Criminal cases have been rarer. When they do reach sentencing, judges have shown a tendency to view spyware creation as a technical offense rather than the enabling of mass surveillance and abuse that it functionally represents. Defense attorneys in these cases typically argue that their clients merely created software — that the tool itself is neutral and that responsibility for misuse lies with individual purchasers. It’s an argument that has found more traction in courtrooms than it deserves.

The cybersecurity research community has pushed back hard. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and one of the most prominent voices in the anti-stalkerware movement, has argued repeatedly that the creators of these tools bear direct moral and legal responsibility for the surveillance they enable. “You cannot build a tool whose primary purpose is to spy on people without their knowledge and then claim you’re not responsible for the spying,” Galperin has said in public remarks. Her work, along with that of organizations like the Coalition Against Stalkerware, has been instrumental in shifting public understanding of these applications from curiosity to threat.

So why do sentences remain so light?

Part of the answer lies in how federal sentencing guidelines calculate harm in cybercrime cases. The guidelines were designed primarily with financial fraud and data theft in mind — offenses where dollar amounts provide a relatively straightforward metric for severity. Spyware cases don’t fit neatly into this framework. The harm is diffuse, deeply personal, and difficult to quantify in monetary terms. A judge looking at sentencing guidelines may see a recommended range that seems appropriate for a white-collar technical offense but utterly fails to capture the reality of thousands of people whose most intimate moments were recorded and transmitted without their knowledge.

There’s also the matter of precedent. Or rather, the lack of it. With so few criminal spyware cases reaching disposition, each sentencing decision carries outsized weight. A lenient sentence in one case becomes a reference point for defense attorneys in the next. The feedback loop reinforces itself.

Recent developments in spyware enforcement at the international level provide some contrast. The European Union has moved aggressively to investigate the use of commercial spyware by member state governments, with the European Parliament’s PEGA Committee producing a damning report on the deployment of tools like Pegasus and Predator against journalists, opposition politicians, and civil society figures. As Reuters reported, the United States announced visa restrictions targeting individuals involved in the misuse of commercial spyware, a move that signaled diplomatic seriousness about the issue even as domestic criminal enforcement lagged.

The Biden administration’s executive order on commercial spyware, issued in March 2023, prohibited U.S. government agencies from using spyware tools that pose counterintelligence or security risks. That was a meaningful policy step. But it addressed government procurement, not the underlying criminal conduct of spyware developers selling to private individuals and entities.

Meanwhile, the stalkerware industry continues to regenerate. When one company is shut down, others emerge. The barriers to entry are low — a competent Android developer can build a functional stalkerware application in weeks — and the potential revenue is substantial. Subscriptions typically run between $30 and $80 per month per target device, and popular applications have had tens of thousands of active subscribers. The math is straightforward and lucrative.

Victims bear costs that no fine or restitution order has yet adequately addressed. The psychological toll of discovering that a partner or ex-partner has been monitoring every text message, every phone call, every physical movement is profound and lasting. Survivors describe a sense of violation that persists long after the spyware is removed. Trust — in technology, in relationships, in personal safety — erodes in ways that are difficult to rebuild.

The legal system’s response to this harm has been, to put it plainly, inadequate.

Some state legislatures have attempted to fill the gap. California, New York, and several other states have enacted or strengthened laws specifically targeting the installation of monitoring software without consent. These statutes provide additional tools for prosecution at the state level, but they also create a patchwork of enforcement that varies dramatically by jurisdiction. A spyware developer operating out of a state with weak cybercrime laws may face minimal legal exposure even if their product is used to victimize people in states with stronger protections.

Federal legislation remains the most logical path to consistent enforcement, but Congress has shown limited appetite for comprehensive stalkerware reform. The issue lacks the political salience of ransomware or nation-state hacking, despite arguably affecting more individual Americans. Stalkerware is intimate, domestic, and often gendered in its impact — characteristics that have historically made issues slower to gain traction in Washington.

The technology industry itself has taken some steps. Google and Apple have both tightened their app store policies to restrict applications that function as stalkerware, though determined developers continue to find ways to distribute their products through sideloading, direct downloads, and alternative app marketplaces. Antivirus companies have expanded their detection capabilities to flag known stalkerware applications, a positive development that nonetheless amounts to playing defense against a constantly evolving threat.

For cybersecurity professionals watching these sentencing outcomes, the frustration runs deep. They see the technical sophistication involved in building spyware that can evade detection, exfiltrate data silently, and persist through device reboots and security updates. They understand that this isn’t casual coding — it’s deliberate engineering of surveillance infrastructure. And they struggle to reconcile that understanding with sentences that treat the conduct as barely criminal.

The question now is whether any of this changes. Advocacy organizations continue to press for stronger enforcement. Researchers continue to expose spyware operations and the companies behind them. And prosecutors, to their credit, continue to bring cases even when prior sentencing outcomes suggest the penalties will be modest.

But the pattern holds. Build spyware. Get caught. Walk free. Until sentencing practices catch up to the reality of the harm these tools inflict, the commercial spyware industry will continue to view criminal prosecution as a manageable cost of doing business rather than a genuine deterrent.

That should trouble everyone.

The Spyware Maker Who Walked Free: Inside the Sentencing That Has Cybersecurity Experts Furious first appeared on Web and IT News.

awnewsor
