Wolf Intelligence, a Germany-based spyware company that made headlines for sending a bodyguard to Mauritania and prompting an international incident after the local government detained the bodyguard as collateral for a deal went wrong, left a trove of its own data exposed online. The leak exposed 20 gigabytes of data, including recordings of meetings with customers, a scan of a passport belonging to the company’s founder, scans of the founder’s credit cards, and surveillance targets’ data, according to researchers.

A startup that claims to sell surveillance and hacking technologies to governments around the world left nearly all its data—including information taken from infected targets and victims—exposed online, according to a security firm who found the data.

CSIS researcher Benoît Ancel told Motherboard the researchers “have many indications that it was not a reseller,” and was instead a mistake by Wolf Intelligence. To support this, he shared pictures from the servers such as a screenshot of an exposed database that shows one of Kumar’s cellphone numbers and a series of intercepted text messages, and a screenshot of a Slack conversation between Kumar and one of his employees.

“They claim wrong that it’s for hacking innocent people, and damage our image.” Kumar said, but refused to answer additional questions about who was the reseller, and who his customers are.

In an online chat, Wolf Intelligence founder Manish Kumar told me that it wasn’t his company that left the data online, but a reseller he refused to identify. He also said that he plans to sue CSIS for hacking his reseller; CSIS is adamant that it did not hack anything, as everything was exposed and open to anyone

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de , or email lorenzo@motherboard.tv

“This is a very stupid story in the sense that you would think that a company actually selling surveillance tools like this would know more about operational security,” CSIS co-founder Peter Kruse told Motherboard in an interview. “They exposed themselves—literally everything was available publicly on the internet.”

Security researchers from CSIS Security discovered the data on an unprotected command and control server and a public Google Drive folder. The researchers showed screenshots of the leaked data during a talk at the Virus Bulletin conference in Montreal, which Motherboard attended.

A slide from CSIS talk, showing Kumar’s headshot, which was stored in the exposed server.

These companies generally sell spyware that infects computers and cell phones with the goal of extracting evidence for police or intelligence operations, which can be particularly useful when authorities need to get around encryption and have a warrant to access the content of a target’s communications. But in the past, companies like Hacking Team , FinFisher , and NSO Group have all sold their malware to authoritarian regimes who have used it against human rights defenders, activists, and journalists.

Wolf Intelligence is part of the so-called “lawful intercept” industry. This is a relatively unregulated—but legal—part of the surveillance market that provides hacking and spy software to law enforcement and intelligence agencies around the world. Hacking Team , FinFisher , and NSO Group are the more well-known companies in this sector. According to a recent estimate , this market is expected to be worth $3.3 billion in 2022.

This mistake, however, may be the worst we’ve ever seen.

“Maybe they were thinking that the server was secure, I don't know, but it was definitely stupid,” Kruse said. “Everything was just floating around on the internet. That's why I thought this story was too good to be true.”

Kruse’s colleagues Benoît Ancel and Aleksejs Kuprins found the data as they were investigating a banking malware sold on the internet underground and used by several cybercriminals, the two said during a talk at the Virus Bulletin conference in Montreal in early October. They said that banking malware had shared infrastructure with a malicious Remote Access Trojan or RAT.

The researchers said they were able to find a Windows, an Android, and an iOS variant of that RAT, and figured out that it was produced by Wolf Intelligence. They also found data belonging to several victims in countries such as Egypt, Saudi Arabia, and Turkey. One of the victims, they said, is a human rights defender.

The malware itself, according to the researchers, is pretty rudimentary.

“It’s very shitty and it’s just copy paste from open source projects,” Ancel told Motherboard in a phone interview, referring specifically to Wolf Intelligence’s iOS malware. Motherboard did not independently analyze the malware, and Kumar stopped responding to Motherboard soon after I began talking to him.

During the public presentation in Montreal, Ancel said that Kumar “seems to be the kind of criminal who try to scam people with a shitty product.”