He built a tool to spy on spouses. The court gave him a $5,000 fine.
Short answer
On April 6, 2026, Bryan Fleming, founder of stalkerware company pcTattletale, was sentenced in a San Diego federal court to time served and a $5,000 fine. It was the first successful federal prosecution of a stalkerware operator in the United States since 2014. His PayPal account alone showed over $600,000 in transactions, 138,000 customers had paid to spy on people without their consent, and the fine is the clearest signal you will find about how seriously the legal system currently treats non-consensual surveillance in domestic relationships.
What pcTattletale was
pcTattletale was a remote surveillance application that Bryan Fleming operated from his home in Bruce Township, Michigan, for at least nine years. Once physically installed on a target’s phone or computer, the app ran silently in the background and uploaded a continuous stream of screenshots, messages, photos, location data, and browsing history to Fleming’s servers, where the person who had installed it could view everything in real time.
Fleming marketed the product openly. His website described it as employee and child monitoring software. His YouTube videos, filmed at his own home, described it as a way to “catch a cheater.” His banner ads, documented in a federal affidavit, promoted “surreptitiously spying on spouses and partners.” The word surreptitiously was his own.
Homeland Security Investigations opened their probe into Fleming in June 2021, after identifying more than 100 stalkerware operations in the US market. pcTattletale stood out because it was the only one explicitly advertising its product for non-consensual surveillance of adult partners, without attempting to disguise the purpose behind child safety or employee monitoring language.
The scale of the operation
A 2024 data breach at pcTattletale, caused by a security researcher who found an exposed API allowing access to the entire backend infrastructure, revealed the scope of what Fleming had built. More than 138,000 customers had paid for access. The breach exposed screenshots taken from victims’ devices every few seconds, uploaded to an unsecured server visible to anyone who knew where to look. Hotel check-in computers had pcTattletale installed on them, exposing guest data. Victims had no idea.
Fleming did not notify his customers about the breach. He did not notify the victims whose data had been exposed. He told TechCrunch he had “deleted everything” from his servers. He then shut pcTattletale down.
By that point, Homeland Security Investigations had been building their case for three years.
The sentence
Fleming pleaded guilty on January 6, 2026 to one count of manufacturing, distributing, possessing, and advertising wire, oral, or electronic communication intercepting devices. Prosecutors asked the judge for no custodial sentence. The judge complied. Time served, which was one day. A $5,000 fine.
The previous benchmark for US stalkerware prosecutions was the 2014 case against StealthGenie, whose founder received a $500,000 fine and also served no prison time.
Fleming had sold his Michigan house for $1.2 million. His PayPal account documented over $600,000 in transactions, a figure that likely represents a fraction of total revenue given that it covered only one payment processor through one date.
The fine was $5,000.
What the sentence signals
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and co-founder of the Coalition Against Stalkerware, was direct in her response: “I hope that this case changes the risk calculus for makers of stalkerware.” The implicit concern in that statement is that it may not.
HSI confirmed that pcTattletale was one of more than 100 stalkerware operations under investigation as of 2021. Fleming’s prosecution took five years from the start of the investigation to sentencing. The result was a fine that amounts to less than one percent of his documented PayPal revenue.
The industry now has a data point. Running a stalkerware business in the United States can lead to a federal conviction. It does not yet lead to prison. For an operator running their business from a country outside US jurisdiction, the data point is even simpler: the risk is effectively zero.
If you are separating
The legal deterrent against installing surveillance software on a partner’s device is real but limited. In the United States, installing stalkerware without consent violates the federal Computer Fraud and Abuse Act and state wiretapping statutes. Convictions can carry felony charges and significant fines. Evidence obtained through stalkerware is typically inadmissible in family court and can expose the person who installed it to civil liability.
In practice, prosecutions are rare. The Fleming case was the second federal prosecution in twelve years. The first resulted in no prison time. The second resulted in no prison time.
This does not mean the threat is hypothetical. It means the threat is real and the deterrent is weak. The working assumption that devices have been compromised during divorce is not paranoia. It is the only assumption that survives contact with how cheaply this software is sold.
If you are contemplating or going through a divorce, the devices you have been sharing with your partner for years are a liability. Not because your partner is necessarily malicious. Because access, habit, and opportunity are enough.
A shared Apple ID means your partner receives your iMessages on their devices. A shared Google account means your location history, your searches, and your Gmail are visible. A partner who has ever had physical access to your unlocked phone had the opportunity to install something that runs silently and uploads continuously. pcTattletale required no technical expertise to deploy. It required a moment of access and a credit card. The patterns of a spouse already reading your messages tend to show up in conversation long before they show up in the device list.
What to check first
On iPhone: Settings, then your name at the top, then check which devices are signed into your Apple ID. Any device you do not recognise has access to your iMessages, your iCloud photos, your location if Find My is enabled, and your backups. Remove it. Check Settings, Privacy, Location Services, Share My Location. If location sharing is active with someone you are separating from, it is sending your GPS coordinates in real time. Review any apps with location access under Settings, Privacy, Location Services. Any app set to Always is logging your movements continuously.
On Android: Settings, Google, Manage your Google account, Security, Your devices. Review and remove anything unrecognised. Check installed apps for anything you do not recognise. Stalkerware is typically listed under a generic name. It may appear as a system utility, a file manager, or a service update.
The standard signs of a phone under unauthorised monitoring are unusually high battery drain, unexpected data usage, and a phone that runs warm when idle. None of them are conclusive on their own. All three together are a strong indicator.
If you find something, do not delete it immediately. Removal alerts the person who installed it that you found it. Document first. The full privacy checklist to run before separation proceedings start is worth working through in order. Speak to a lawyer or a domestic violence advocate before acting.
Frequently asked questions
Is installing stalkerware on a partner’s phone illegal?
Yes, in most jurisdictions. In the United States, non-consensual installation of surveillance software violates the federal Computer Fraud and Abuse Act and state wiretapping laws. It is illegal regardless of marital status. Evidence obtained through stalkerware is typically excluded from family court proceedings and can expose the person who installed it to criminal charges and civil liability.
If it is illegal, why does it still happen?
Prosecutions are rare. The Fleming case was only the second federal stalkerware conviction in twelve years. Both resulted in no prison time. Law enforcement resources for digital surveillance cases at the domestic level are limited. Many victims do not know they are being monitored. Many who suspect it do not know how to document it or who to contact.
What should I do if I think stalkerware is on my device?
Do not remove it immediately. Removal notifies the person who installed it. Contact a domestic violence advocate or a lawyer first. The Coalition Against Stalkerware provides step-by-step guidance and a directory of vetted resources. A forensic examination by a professional can document exactly what was installed, when, and what data was captured, in a format admissible in court.
Does a factory reset remove stalkerware?
Usually yes, but it also destroys forensic evidence. Back up your own data first, using a method your partner does not have access to. If the matter may go to court, consult a professional before resetting the device. A reset that destroys evidence can weaken your position in a custody or financial proceeding more than the stalkerware itself.
He spent nine years building a product explicitly designed to help people spy on their spouses without consent. He was fined $5,000. The risk calculus for the next person who installs something similar on their partner’s phone is not meaningfully different today than it was before his conviction. That is the operational reality. Plan accordingly.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
