A Spyware Maker Pleads Guilty, Avoids Prison, and the Question of Deterrence Hangs in the Air
On Friday, April 3, 2026, Bryan Fleming walked out of a San Diego federal courtroom with a $5,000 fine and no prison time. According to TechCrunch, prosecutors had asked the judge for exactly this outcome: no custodial sentence, no substantial financial penalty. Fleming, the founder of pcTattletale – a surveillance application that allowed paying customers to secretly monitor the phones and computers of spouses, partners, and others without consent – had pleaded guilty in January to federal charges including computer hacking, conspiracy, and advertising surveillance software for unlawful uses.
This was the first successful U.S. prosecution of a stalkerware maker in over a decade. And yet the sentence raises a question that policymakers, technologists, and governance scholars should sit with: What exactly did this conviction accomplish?
The Facts of the Case
The story begins in 2021, when agents from Homeland Security Investigations (HSI), a unit within U.S. Immigration and Customs Enforcement, began investigating the consumer-grade spyware industry. As TechCrunch reported in January, HSI identified over 100 stalkerware websites, many of which claimed to offer legitimate monitoring tools for children or employees.
pcTattletale stood out. Unlike competitors who maintained plausible deniability, Fleming was brazen. He appeared in YouTube videos filmed at his own home, promoting the software. He marketed it explicitly as a way to "catch a cheater." When an undercover HSI agent posed as an affiliate marketer, Fleming provided banner ads that made the intended use unmistakable.
Court documents obtained by The Register reveal that pcTattletale worked by recording victims' screens whenever their devices were unlocked, uploading the footage to an online portal where purchasers could monitor every keystroke, message, and movement. The software was marketed as "100% Undetectable" – a feature that makes sense only if the target is not supposed to know they're being watched.
Federal agents searched Fleming's Michigan home in late 2022, seizing evidence and obtaining records showing PayPal transactions totaling more than $600,000 by the end of 2021. Fleming later sold the house for $1.2 million.
The operation collapsed in 2024 – not because of law enforcement, but because of a hack. A security researcher discovered that pcTattletale had a vulnerability exposing millions of screenshots to the open internet, including images from hotel check-in computers showing guest reservation details. Fleming did not respond to the researcher or fix the flaw. A week later, a hacker exploited a different vulnerability, defaced the website, and leaked data revealing that more than 138,000 customers had paid to spy on countless victims.
Fleming shut down pcTattletale and, according to his own account, "deleted everything" from the servers. He did not notify customers or victims of the breach.
Three Disagreements Worth Naming
The Fleming case invites at least three distinct debates, and conflating them produces more heat than light.
First: Is this a facts disagreement about deterrence? The empirical question is whether prosecuting stalkerware makers reduces the prevalence of such software. The evidence is thin. As Bitdefender noted, this is only the second successful U.S. prosecution of a stalkerware operator since 2014, when the creator of StealthGenie pleaded guilty. In the intervening twelve years, the stalkerware industry has grown, not shrunk. Multiple companies – mSpy, Catwatchful, Cocospy, Spyhide, LetMeSpy – have suffered data breaches exposing hundreds of thousands of users. The market persists.
Fabio Assolini of Kaspersky's Global Research and Analysis Team, quoted by The Register, suggested that holding a founder accountable "could have a chilling effect on companies operating openly in the US market." But he also acknowledged that the global nature of stalkerware means the plea is "unlikely to have an impact on the global market for consumer snooping software."
Second: Is this a values disagreement about proportionality? Some will argue that a $5,000 fine for enabling the surveillance of potentially tens of thousands of victims is grotesquely inadequate. Others will note that Fleming cooperated with investigators, shut down his operation, and that prosecutors themselves requested leniency. The question of what punishment fits this crime depends on what the punishment is meant to achieve: retribution, deterrence, incapacitation, or rehabilitation. These are different goals with different implications.
Third: Is this an incentives disagreement about enforcement priorities? The Fleming case took nearly five years from the start of the investigation to sentencing. HSI agents went undercover, obtained search warrants, surveilled Fleming's home, and built a meticulous case. The resources required were substantial. If the outcome is a $5,000 fine and no jail time, what signal does that send to other stalkerware operators – especially those based overseas, beyond the jurisdictional reach of U.S. law enforcement?
The Structural Problem
The deeper issue is not Bryan Fleming. It is the architecture of accountability for surveillance technology.
Stalkerware occupies a legal gray zone. Many apps market themselves as "parental control" or "employee monitoring" tools, maintaining a veneer of legitimacy while knowing full well that a significant portion of their customers use the software to spy on intimate partners. As Bitdefender observed, pcTattletale's claim to be "100% Undetectable" raises an obvious question: why would legitimate monitoring software need to be invisible?
The legal framework struggles with this ambiguity. Prosecuting stalkerware makers requires proving not just that the software could be used for illegal purposes, but that the maker intended or knowingly facilitated such use. Fleming's brazenness made him an easy target. He advertised the illegal use case explicitly. Most stalkerware operators are more careful.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and co-founder of the Coalition Against Stalkerware, captured the dynamic in her comment to TechCrunch: "One of the most striking aspects of this case is the extent to which stalkerware companies like pcTattletale operate out in the open. This is because the people behind these companies so rarely face consequences."
The Fleming conviction does not change this calculus significantly. A single prosecution in twelve years, resulting in no prison time, is not a deterrent. It is a data point.
What Would Have to Be True
For this case to matter, several things would need to follow.
First, HSI would need to pursue additional prosecutions. The agency has indicated that pcTattletale is "one of several stalkerware websites under investigation." Whether those investigations result in charges – and whether those charges result in meaningful penalties – remains to be seen.
Second, the legal framework would need to evolve. The current approach focuses on individual bad actors. A more systemic approach might target the infrastructure that enables stalkerware: app stores that host these applications, payment processors that facilitate transactions, cloud providers that store the data. Google has banned stalkerware apps from the Android store, but enforcement has been inconsistent.
Third, the conversation would need to shift from individual culpability to market design. Stalkerware exists because there is demand for it. That demand is driven by dynamics in intimate relationships – jealousy, control, abuse – that no prosecution can address. The question is whether the supply side can be constrained enough to make the tools harder to obtain.
The Question That Lingers
Bryan Fleming claimed through his lawyer that he "genuinely had no idea the product might violate any laws." This is difficult to credit, given the marketing materials he produced. But it points to something real: the surveillance technology industry has operated for years with minimal legal accountability, creating a culture in which makers genuinely may not have internalized that what they do is wrong.
The Fleming case is a beginning, not an ending. It establishes that U.S. law enforcement can and will prosecute stalkerware makers who operate openly within its jurisdiction. But it also reveals the limits of that approach: the resources required, the time involved, the modest penalties imposed, and the vast global market that remains untouched.
For policymakers and governance scholars, the case is a prompt to ask harder questions. What regulatory architecture would actually reduce the prevalence of stalkerware? What combination of criminal enforcement, civil liability, platform responsibility, and international cooperation might shift the incentives? And what role should victims – the people whose lives were surveilled without consent – play in shaping that response?
These are not questions that a single conviction can answer. But they are questions that the Fleming case makes impossible to ignore.
Frequently Asked Questions
Q: What is stalkerware?
A: Stalkerware refers to consumer-grade spyware applications that allow one person to secretly monitor another's phone or computer without their knowledge or consent. These apps typically upload messages, photos, location data, and screen recordings to an online portal accessible to the purchaser.
Q: Who is Bryan Fleming and what did he plead guilty to?
A: Bryan Fleming is the founder of pcTattletale, a stalkerware application. In January 2026, he pleaded guilty in a San Diego federal court to charges including computer hacking, conspiracy, and advertising surveillance software for unlawful uses. He was sentenced on April 3, 2026, to time served and a $5,000 fine.
Q: When was the last successful U.S. prosecution of a stalkerware maker before Fleming?
A: The previous successful prosecution was in 2014, when Hammad Akbar pleaded guilty to distributing stalkerware called StealthGenie. The Fleming case marks only the second such conviction in over a decade.
Q: How many people were affected by pcTattletale?
A: A 2024 data breach revealed that more than 138,000 customers had paid to use pcTattletale. The exact number of victims whose devices were monitored is unknown but potentially much larger, as each customer could have targeted multiple people.
Q: Why did Bryan Fleming avoid prison time?
A: Prosecutors themselves requested no custodial sentence or fine. Fleming cooperated with investigators after his arrest and had shut down pcTattletale following the 2024 data breach. The judge followed the prosecution's recommendation.
Q: What resources exist for people who suspect they are being monitored by stalkerware?
A: The Coalition Against Stalkerware provides information and resources for potential victims. In the United States, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support, as stalkerware is frequently used in contexts of domestic abuse.