Amazon Still Hosting Stalkerware Victims’ Data Despite Warnings

Amazon Web Services (AWS) is under scrutiny for continuing to host stolen data from victims of three stalkerware apps — Cocospy, Spyic, and Spyzie — weeks after being alerted to its presence. These apps, designed for covert surveillance, secretly extract and upload victims' personal data to AWS-hosted storage “buckets.” Despite being notified in February 2025, Amazon has not taken steps to remove the compromised data.

According to TechCrunch’s investigation, the spyware operations have exposed sensitive data from 3.1 million individuals, many of whom are unaware their devices have been compromised. Security researchers discovered that these apps, which share the same codebase and vulnerabilities, were storing stolen data and photos on Amazon buckets.

Amazon was provided with specific details of the spyware campaigns, including the exact locations of the stored data, yet it has failed to act.

Amazon spokesperson Ryan Walsh stated that AWS enforces strict policies prohibiting illegal activity and provided a link to its abuse reporting form. However, when pressed on whether AWS would act against the storage buckets in question, Amazon refused to confirm any action. A second spokesperson claimed that the email alerts from TechCrunch did not qualify as official abuse reports, further delaying intervention.

Amazon’s $39.8 billion in profit across 2024 suggests it has the resources to enforce its policies, and its reluctance to act raises ethical concerns. Experts argue that cloud providers must take responsibility for preventing illegal activity rather than relying on third parties to report violations.

This is not the first AWS-related controversy. In a separate case, the Venezuelan government blocked access to AWS CloudFront, affecting numerous websites.

Privacy advocates warn that Amazon’s failure to remove stolen data could set a dangerous precedent, highlighting the need for tighter regulations on cloud hosting services.