SleuthX

Read this first

Are you on a device or network the person can see?

  • If they might be able to see this device, use one they can’t access — a friend’s phone, a library or public computer, or a domestic-violence shelter’s safe device. If you continue here, your visit may be visible on a synced iCloud, Google account, or shared family plan.
  • If you think spyware or stalkerware is on this device, removing it can alert the person monitoring you and can destroy evidence. Make a safety plan — ideally with a domestic-violence advocate — before you remove anything, and use a device they can’t access in the meantime.
  • The Quick Exit button (top right) replaces this page with weather.com immediately — but it does not erase this visit from your history, and private/incognito mode doesn’t fully hide it either. To be safe, use a device the person can’t access.
  • If you’re in immediate danger, call 911. If you have a few quiet minutes, keep reading.

National Domestic Violence Hotline: 1-800-799-7233 · text START to 88788 · thehotline.org — 24/7, free, confidential.

988 Suicide & Crisis Lifeline: call or text 988 · 988lifeline.org — free, confidential crisis and emotional support, 24/7.

NNEDV Safety Net: techsafety.org — technology-safety help for survivors.

Device Safety

How a Journalist Checks a Phone for Spyware

There is a safe order of operations for checking a phone you think might be compromised. The wrong move — wiping it, or acting on the device itself — can destroy evidence and warn whoever is watching. Here's how to do it carefully.

If you suspect targeted spyware, the instinct is to scan, reset, or delete the first suspicious thing you see. Resist it. The goal is to learn the truth without losing the evidence that proves it — and the order you do things in decides whether that is still possible.

Step 1 — Preserve before you touch anything

Stop using the phone for anything sensitive. Do not factory-reset it, do not uninstall apps, and do not “clean it up.” A reset wipes the forensic traces a real check depends on, and visible changes can tip off an operator who is monitoring you. If you can, keep the device powered and move sensitive conversations to a separate, trusted device in the meantime.

Step 2 — Lower your risk on a safer device

While the suspect phone is set aside, harden the device you are actually using: update the OS, turn on the strongest account protections, and consider Apple Lockdown Mode if you are on iPhone and high-risk. This reduces the chance of a fresh compromise while you sort out the first one.

Step 3 — Run a methodical check, not a random app

Skip the app-store “spyware detector” apps; they cannot see what matters. The credible self-check path is Amnesty International’s Mobile Verification Toolkit (MVT), which examines a backup of the device against published indicators of compromise. It is a technical tool — comfortable for a security-minded reporter, worth handing to a helper if not. The free research labs in the sources below can also advise.

What a result actually tells you

Be precise about what you can conclude. A self-check can only say “no known indicators of compromise were found” — never “your phone is clean.” MVT and similar tools match against spyware that has already been studied and published. A newer or self-erasing exploit can leave nothing detectable. A clean result lowers the odds; it does not certify safety.
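
The matching described above, as an added illustration (not from the original article, and not MVT's own code): domain indicators are read from a STIX2-style bundle and compared with records extracted from a backup. The bundle, the domains and the history records are constructed samples, and the function names are hypothetical; a real check covers many more artifact and indicator types.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX2-style bundle with made-up domains on reserved TLDs.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value='bad-cdn.example']"},
        {"type": "indicator", "pattern": "[domain-name:value='track.invalid']"},
        {"type": "indicator", "pattern": "[process:name='examplehelperd']"},
    ],
})

# Constructed records standing in for browsing history pulled from a backup.
HISTORY = [
    {"ts": "2024-03-01T09:12:44Z", "url": "https://news.example.org/story"},
    {"ts": "2024-03-01T09:13:02Z", "url": "https://a1.bad-cdn.example/x?id=7"},
    {"ts": "2024-03-02T18:40:10Z", "url": "https://notbad-cdn.example/"},
]

PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")

def load_domain_iocs(bundle_text):
    """Return the domains named by domain-name indicators; other types are skipped."""
    domains = set()
    for obj in json.loads(bundle_text).get("objects", []):
        m = PATTERN.fullmatch(obj.get("pattern", "").strip())
        if obj.get("type") == "indicator" and m:
            domains.add(m.group(1).lower().rstrip("."))
    return domains

def check_history(records, iocs):
    """Match each record's host against the IOC domains (exact or subdomain)."""
    hits = []
    for rec in records:
        host = (urlsplit(rec["url"]).hostname or "").rstrip(".")
        for ioc in iocs:
            # Require a label boundary so "notbad-cdn.example" does not match.
            if host == ioc or host.endswith("." + ioc):
                hits.append({"ts": rec["ts"], "url": rec["url"], "ioc": ioc})
    return hits

def verdict(hits):
    if hits:
        return "known indicators found: escalate to an examiner"
    return "no known indicators of compromise were found"  # never "clean"

if __name__ == "__main__":
    print(verdict(check_history(HISTORY, load_domain_iocs(STIX_BUNDLE))))
```

An empty result only means nothing in the loaded indicator set matched; an implant whose infrastructure has not been published produces the same output.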

When to escalate to an examiner

If indicators turn up, if the stakes are high, or if you simply need certainty you can stand behind, hand it to a credentialed examiner. They can image the device without changing it, correlate against the latest indicators, and produce a court-ready account of the findings — honest about attribution limits. See newsroom device-compromise response for that step, and where to get free expert help first.

Primary sources

  1. Amnesty International Security Lab, Mobile Verification Toolkit (MVT) and the published forensic methodology for Pegasus. https://securitylab.amnesty.org/
  2. The Citizen Lab (University of Toronto), Targeted-threat research and device-forensics guidance. https://citizenlab.ca/
  3. Electronic Frontier Foundation, Surveillance Self-Defense — how-to guides for higher-risk users. https://ssd.eff.org/

Meet Your Practitioner

Quinnlan Varcoe

Founder & CEO

GIAC-certified · 15 industry certifications

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 Background · Defense Industry · Threat Intelligence · Digital Privacy · Incident Response

Certified Expertise

GIAC · AWS · Splunk · CompTIA

Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally Security
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management