227 points mtlynch | 24 comments
1. blueplanet200 ◴[] No.44501690[source]
From sqlmap

> Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

I don't know the legal footing these spyware apps stand on, but this blog post seems like exhibit A if Catwatchful ever decided to sue the author, or press criminal charges. Hacking, even for reasons that seem morally justified, is still illegal.

replies(6): >>44501792 #>>44501947 #>>44502094 #>>44504388 #>>44505059 #>>44505234 #
2. VWWHFSfQ ◴[] No.44501792[source]
Yeah this whole exercise was completely illegal and I'm surprised this person publicly (and proudly) blogged about it like this.

They probably need to engage an attorney now.

replies(5): >>44501866 #>>44501907 #>>44501998 #>>44503077 #>>44508921 #
3. SoftTalker ◴[] No.44501866[source]
Author is in Canada, not sure if/how that changes things.
4. mtlynch ◴[] No.44501907[source]
The server they compromised is essentially a command and control server for an illegal botnet.

Are there documented cases of botnet owners trying to sue or get law enforcement to prosecute someone for infiltrating their botnet?

I'd be more concerned about extralegal retaliation from people in the malware ecosystem.

replies(1): >>44502136 #
5. rendall ◴[] No.44501947[source]
That would be an amusing exercise in self-incrimination & discovery pain for Catwatchful. They would also have to quantify business losses, which requires admitting the value of an illicit enterprise. But YOLO am I right? LFG!
6. rendall ◴[] No.44501998[source]
Your theory is that Daigle is at risk of a Canadian prosecutor hauling him into court based on the criminal complaint of a Uruguayan purveyor of stalkerware? That's novel.
replies(1): >>44502123 #
7. deadbabe ◴[] No.44502094[source]
About half of hacking articles are just fake things people claim to have done but didn’t actually happen and no one checks on it, and conveniently by the time they publish the exploit was “fixed”. So you can’t verify for yourself anyway.

Without hard proof that the author did what they said they did, you have no real case. This particular story already sounds far fetched but makes good fantasy.

replies(1): >>44502407 #
8. eddythompson80 ◴[] No.44502123{3}[source]
I think the theory is that Daigle has publicly professed to committing a crime, sharing all their steps and receipts. It'll be unheard of, of course, if a Uruguayan purveyor of stalkerware takes him to court.

However, next time he talks about emulating Nintendo games or whatever, I'm sure Nintendo lawyers would love to bring it up and point "how the defendant brazenly defies law and order with predetermination malice".

Not to begin to even mention now some shady criminal might hold a grudge against Daigle. I hope his security is air tight.

There is a reason these reports are usually anonymous or follow responsible disclosure.

replies(3): >>44502142 #>>44502427 #>>44503268 #
9. dylan604 ◴[] No.44502136{3}[source]
Hey, that's my server, and is totally 100% legit. I was unaware that I was pwnd and someone was using it as a C&C server. I'm now suing you for hacking my server, as you could be the person that installed the C&C server. After all, you are an admitted hacker.

Stranger things have won in court

10. dylan604 ◴[] No.44502142{4}[source]
Just preface the story with "last night I had a dream that I..." Now, it is a work of fiction.
replies(2): >>44502313 #>>44505482 #
11. eddythompson80 ◴[] No.44502313{5}[source]
Pretty sure that has never stood in court and it can only hurt you. It shows to the jury that you're trying to be dishonest.
12. munchler ◴[] No.44502407[source]
FWIW, this story has been verified by a reporter at TechCrunch, who says he used the dumped database to identify the spyware admin in Uruguay.

https://techcrunch.com/2025/07/02/data-breach-reveals-catwat...

replies(1): >>44504027 #
13. rendall ◴[] No.44502427{4}[source]
Rest easy, Daigle is legally immune from concern trolling.
replies(1): >>44502559 #
14. eddythompson80 ◴[] No.44502559{5}[source]
good for him
15. lawlessone ◴[] No.44503077[source]
Class action lawsuit from a group of stalkers?
16. lcnPylGDnU4H9OF ◴[] No.44503268{4}[source]
> next time he talks about emulating Nintendo games or whatever

This seems like a straw man, though? What if they just... continue to not do that? (I think this is what the other commenter meant with "concern trolling".)

> Not to begin to even mention now some shady criminal might hold a grudge against Daigle.

This is 1) not a problem a lawyer will help you with and 2) not a practical concern for most people in the US and Canada. For example, Brian Krebs continues to (read: he's not dead or otherwise intimidated into silence) put his name behind many similar reports of illegal activity. There is a reason law enforcement investigates and prosecutes violent crime.

I don't really see a practical reason for this person to avoid putting their name behind this report. The only reason that seems to make sense is if this group is not a criminal enterprise. Then they might be at all inclined to file a lawsuit.

replies(1): >>44504721 #
17. deadbabe ◴[] No.44504027{3}[source]
Doesn’t change what I said
18. mtlynch ◴[] No.44504721{5}[source]
>For example, Brian Krebs continues to (read: he's not dead or otherwise intimidated into silence) put his name behind many similar reports of illegal activity. There is a reason law enforcement investigates and prosecutes violent crime.

Brian Krebs invests a huge amount into keeping his home address a secret and has extensive surveillance at his home to keep intruders out. He was once SWATed and another time someone ordered heroin to his home and called the police to frame him for drug trafficking.[0]

It's a bit of a miracle that Krebs continues his reporting. Krebs' courage and opsec are not very easy to achieve, especially for a 23-year-old blogger like OP.

[0] https://news.ycombinator.com/item?id=42354602

replies(1): >>44505077 #
19. SLWW ◴[] No.44505059[source]
Considering that the db isn't public and the disclosures are listed at the bottom, before the publication, this is mostly white hat and helps the company they target. More and more businesses are accepting the help when they are given it, such as their response to put a WAF in place. I do agree you shouldn't use your Christian name in these sorts of situations since priors have not been established with the targeted company; however, Catwatchful has no impetus to pursue meaningless charges for a stalker app as there are most likely no damages unless the service providers actually respond, which they most likely won't. Nothing ever happens to these people and do you think datacenters/hosts/providers really care about anything other than DMCA complaints? (report illicit/illegal content to a host provider that isn't copyright protected and wait... you will be waiting long after your teeth have fallen out)

Do you really think that the users of a stalker app care if the app got "hacked" once or twice? Do you also think that the app makers themselves really want to remind the legal world that this stuff is legal when I bet you >50% of their users probably installed it on devices that aren't theirs? IDK, personally I would avoid the law at all costs if I released something this shady.

20. lcnPylGDnU4H9OF ◴[] No.44505077{6}[source]
These points are not convincing. That paragraph says that he expends effort to keep his home address secret but then admits that those efforts are in vain because he’s been mailed things maliciously (to his home address) and SWATed (at his home address). It’s also not likely that surveillance will keep intruders out; it would help the criminal investigation after his house is burned down, except that hasn’t happened.

I agree that he’s courageous but only because he receives many threats, not because he faces imminent dangers. His protection comes from the fact that a criminal enterprise will only bring attention to themselves by purchasing his murder, which is true because law enforcement investigates and prosecutes violent crime.

replies(1): >>44505173 #
21. mtlynch ◴[] No.44505173{7}[source]
>That paragraph says that he expends effort to keep his home address secret but then admits that those efforts are in vain because he’s been mailed things maliciously (to his home address) and SWATed (at his home address). It’s also not likely that surveillance will keep intruders out; it would help the criminal investigation after his house is burned down, except that hasn’t happened.

The article says that he moved to a new home because of these incidents and now takes extreme measures to keep his address a secret.

I don't understand how you can make the argument that retribution from criminals is "not a practical concern" because Krebs still does his reporting in spite of the risks. SWATing and attempts to frame him for a serious crime aren't just threats - they occurred. He could have died or been imprisoned.

22. nelgaard ◴[] No.44505234[source]
As someone noted, there is the issue of jurisdiction.

But Daigle probably did consider being liable and what would be morally justified.

It must have been tempting to try to use the Catwatchful app to notify the victims that they are being stalked. E.g., by getting phone numbers or social media handles and then SMS/DM the victims (if the app reveals the victims' handles in the recorded conversations).

Or getting the IMEI numbers and handing them over to network operators or local authorities who could do the notification.

It would probably help many victims, but it could go wrong in some cases.

23. ziml77 ◴[] No.44505482{5}[source]
ah yes the bulletproof "in Minecraft" defense
24. pbhjpbhj ◴[] No.44508921[source]
I'm interested people are talking about suing, unauthorised access of a computer system is usually illegal, you don't need to rely on tort. States like to be in control of who is allowed to access computer systems; a key component of projection of power.