pcTattletale Founder Avoids Jail in Landmark U.S. Spyware Prosecution

Bryan Fleming built a surveillance empire from a 7,700-square-foot mansion in Bruce Township, Michigan, selling software that secretly captured victims' screens every few seconds, tracked their locations, and uploaded their private messages to a portal accessible to whoever planted the app. On Friday, a federal judge in San Diego sentenced him to time served and a $5,000 fine.

The sentence, confirmed by a spokesperson for the U.S. Attorney for the Southern District of California, closed the first successful federal prosecution of a spyware maker in over a decade. Fleming had pleaded guilty on January 6 to charges of computer hacking, conspiracy, and the unlawful advertising of surveillance software. Prosecutors themselves had asked the judge for no custodial sentence, setting the ceiling for what victims and privacy advocates could realistically expect.

Spyware apps like pcTattletale are referred to as "stalkerware" because paying customers often plant the software on someone else's device without their knowledge or consent. Once installed, these apps stealthily upload the contents of a victim's device, including messages, photos, and real-time location, making the data viewable to whoever planted the spyware. Fleming, in some cases, "knowingly assisted customers seeking to spy on nonconsenting, non-employee adults," according to an affidavit filed by federal investigators.

Fleming operated pcTattletale from his Michigan home and marketed the software explicitly to people wanting to "surreptitiously spy on spouses and partners," using slogans like "Catch a Cheating Husband." Unlike most stalkerware operators, who hide behind overseas shell companies and anonymous identities, Fleming appeared to be proud of his work, filming YouTube videos from his home showing how the app remained invisible on a victim's phone. Financial records seized during the investigation showed the business generated more than $600,000 by the end of 2021 alone.

The company collapsed in 2024 after a hacker exploited vulnerabilities in its infrastructure and exposed the data of 138,751 customer accounts, along with device information, IP addresses, physical addresses, phone numbers, text messages, and a significant volume of victim information. Earlier security failures had already exposed millions of screen captures, taken from victims' devices every few seconds, to the open internet. Fleming shut down operations shortly after the breach. His Michigan mansion later sold for $1.2 million.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and co-founder of the Coalition Against Stalkerware, noted the broader pattern the case exposed. "One of the most striking aspects of this case is the extent to which stalkware companies like pcTattletale operate out in the open," she said. "This is because the people behind these companies so rarely face consequences for selling tools that they themselves say are explicitly for monitoring other people's devices without their knowledge or consent." Galperin added: "I hope that this case changes the risk calculus for makers of stalkerware."

The prior benchmark for U.S. stalkerware prosecutions was the 2014 case against StealthGenie, making Fleming's conviction only the second such federal action in more than a decade. HSI indicated that pcTattletale is one of several stalkerware operations currently under investigation, a signal that the prosecution pipeline may be widening. But with no prison time and a fine that represents a rounding error against revenues of hundreds of thousands of dollars, the Fleming sentencing also hands the industry a data point it will study carefully: in the United States, running a stalkerware business may carry criminal liability, but it does not yet carry the certainty of incarceration. For victims whose screens, messages, and locations were streamed to strangers through Fleming's portal, a $5,000 fine is the answer the justice system provided.