WWW.404MEDIA.CO
A Startup is Selling Data Hacked from People's Computers to Debt Collectors
When your laptop is infected with infostealing malware, it's not just hackers that might get your passwords, billing and email addresses, and a list of sites or services you've created accounts on, potentially including some embarrassing ones. A private intelligence company run by a young founder is now taking that hacked data from what it says are more than 50 million computers, and reselling it for profit to a wide range of different industries, including debt collectors; couples in divorce proceedings; and even companies looking to poach their rivals' customers. Essentially, the company is presenting itself as a legitimate, legal business, but is selling the same sort of data that was previously typically sold by anonymous criminals on shady forums or underground channels.

Multiple experts 404 Media spoke to called the practice deeply unethical, and in some cases the use of that data probably illegal. The company is also selling access to a subset of the data to anyone for as little as $50, and 404 Media used it to uncover unsuspecting victims' addresses.

The activities of the company, called Farnsworth Intelligence, show a dramatic shift in the bevy of companies that collect and sell access to so-called open source intelligence, or OSINT. Historically, OSINT has included things like public social media profiles or flight data. Now, companies increasingly see data extracted from people's personal or corporate machines and then posted online as fair game not just to use in their own investigations, but to repackage and sell too.

"To put it plainly this company is profiting off of selling stolen data, re-victimizing people who have already had their personal devices compromised and their data stolen," Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation (EFF), told 404 Media.
"This data will likely be used to further harm people by police using it for surveillance without a warrant, stalkers using it to gather information on their targets, high level scams, and other damaging motives."

Do you know anything else about people selling data to debt collectors or these other industries? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Infostealers are pieces of malware, often stealthily bundled in a piece of pirated software, that steal a victim's cookies, login credentials, and often more information stored in their browser too. On its website, Farnsworth lays out several potential uses for that stolen data. This includes "skip tacing," presumably a typo of skip tracing, which is where a private individual or company tracks someone down who owes a debt. The website says users can find debtors' up-to-date addresses. Another use case is to "Find high impact evidence that can make/break the case of million dollar lawsuits, high value divorce cases, etc." A third is to "generate lead lists of customers/users from competitors [sic] companies," because the data could show which competing products they have login credentials for, and, presumably, use.

Calli Schroeder, senior counsel at the Electronic Privacy Information Center (EPIC), told 404 Media that the use cases Farnsworth offers are "not only morally questionable [...] but may not be legal or usable in some cases." For the litigation one, courts are split on using stolen information as evidence in legal proceedings. When hackers targeted the dating site Ashley Madison, for example, a judge ruled that despite the data being publicly published it was still confidential and stolen and couldn't be used.
"Most judges will not allow illegally obtained evidence in divorce proceedings either," Schroeder said.

Then for using the data to build a list of customers of competitors, Schroeder said that may very well fall under corporate espionage and trade secrets violations, depending on what information is taken.

"This is so gross and predatory. They are facilitating and enabling further exploitation of victims of a crime and bragging about how multiple criminal acts make their business better. Moral bankruptcy is common in this industry, but I rarely see a company so proud of it," Schroeder added.

Farnsworth did not respond to multiple requests for comment. Aidan Raney, the company's 23-year-old founder, did not respond to multiple Signal messages sent to an account he has previously used to communicate with 404 Media.

Farnsworth offers two infostealer-related products. The first is Farnsworth's Infostealer Data Platform, which lists those above use cases. This can display hacking victims' full text passwords, and requires potential users to contact Farnsworth for access. The company asks applicants to explain their use case, which can include private investigations, intelligence, journalism, law enforcement, cyber security, compliance, IP/brand protection, and several others, according to its website.

The second product is infostealers.info, a publicly available service that requires no due diligence to enter. It only asks for a minimum of $50 to search through the results. These don't include victims' full passwords, but the platform still includes a wide range of sensitive information. Recently infostealers.info introduced the ability to search for data stored in a hacking victim's autofill. That is, data stored in the browser for convenience that can automatically populate when filling out a form, such as a billing address. Using this tool, 404 Media was able to extract multiple people's billing addresses.
One was in Staten Island, New York, which appeared to be someone's private residence. Another address was in India.

In other words, these people had been hacked, and now anyone with $50 was able to search through data stolen from their computer.

"This should also be an example of how once your data is lost in a breach you can't control what will happen to it. It can be used by law enforcement, stalkers, scammers, advertisers, or anyone with access to it. It's a stark reminder of why digital security is important even if you think you have nothing to hide," Quintin from the EFF added.

Hackers running infostealer operations often create Telegram channels where they upload personal data their malware has stolen. Other criminals can then pay to access this stolen data. The administrator of one prolific infostealer campaign previously told 404 Media "this brings us good income, but I am not ready to disclose specific amounts." Infostealer operators often then publish stolen credentials on Telegram for free, likely as a way to advertise their paid offerings. Farnsworth did not respond when asked if it is buying this stolen data from hackers to then put into its product.

Cybersecurity researchers have used infostealer data to unmask criminals. Hudson Rock, another company that sells infostealer-related services, used it to uncover information on two alleged fraudsters on the FBI's Most Wanted List. Last year cybersecurity firm Recorded Future said it found 3,334 unique credentials used to access child abuse imagery websites. It says it used that data to identify two individuals.
In a LinkedIn post on Tuesday, Raney said the company has explored its own dataset in a similar way.

But those are different use cases to selling infostealer data on the open market or for potentially illegal use cases.

Quintin said, "It would be illegal and unethical to sell stolen cell phones even if you didn't steal them yourself, and I don't see how this is any different."