A startup called Farnsworth & Co. has found a niche in the dark overlap between surveillance, malware, and civil litigation. Their product? Personal data stolen from infected computers—now available for purchase by debt collectors, divorce lawyers, and anyone with a grudge and a budget.
The company’s entire business hinges on access to data siphoned off by infostealer malware. This kind of software quietly grabs login credentials, browsing histories, cookies, emails, and contact lists from unsuspecting users. It then bundles the stolen data into searchable profiles. Farnsworth, for its part, packages this information and sells it as “intelligence services.”
What makes this disturbing is that the buyers aren’t cybercriminals on shady forums. They’re law offices, private investigators, and collection agencies—entities that, at least on the surface, operate within the legal system. But the source of the data is unquestionably illegal. The people being profiled never gave consent. They never opted in. They just happened to have a vulnerable device at the wrong time.
Screenshots from Farnsworth’s own pitch decks show sample files with data from real victims: browser histories, saved passwords, account credentials, and other sensitive records. The company claims it removes illegal materials like child abuse content or clear evidence of criminal activity. That’s hardly a comfort. What remains is still an enormous invasion of privacy.
According to the researcher who first discovered the startup’s practices, Farnsworth tries to paint itself as just another data broker. But it differs in one major way. While most data brokers buy from advertisers and marketing platforms, Farnsworth knowingly uses material stolen via malware. That puts it closer to a digital fence than a typical analytics firm.
The same researcher noted that this data could be weaponized in highly personal legal battles. A divorce attorney might gain access to someone’s private messages. A debt collector might find login details to a banking portal. Even something as simple as a dating profile or Reddit history could be spun into legal leverage. That kind of power in the wrong hands is a nightmare waiting to happen.
Farnsworth reportedly vets its clients through a basic onboarding process. But critics argue this is little more than a checkbox exercise. There’s no transparency into who uses the service or for what purpose. There’s also no real recourse for victims. You don’t get notified when your data shows up in their database. You don’t get to request removal.
The service has already caught the attention of cybersecurity professionals and privacy advocates. Some have drawn comparisons to companies like Clearview AI, which scraped faces from public websites and sold facial recognition services to law enforcement. Others see it as a new chapter in the growing data economy, where stolen personal information gets normalized as just another subscription offering.
For now, Farnsworth appears to be operating in a gray zone. Its website uses generic language to obscure its methods. Phrases like “digital profiling” and “open-source intelligence” blur the line between publicly available data and malware-sourced records. In a post on Mastodon, a researcher warned that unless regulators step in, this kind of business model could become more common.
And that’s the real concern. If Farnsworth is allowed to operate in the open, it signals that data stolen from everyday users is now fair game for monetization. Not by hackers looking for a quick payday, but by companies with logos, email lists, and payment portals.
Whether this prompts legal action remains to be seen. But the precedent is troubling. When stolen personal data becomes a subscription service for lawsuits and debt collection, the line between legal discovery and cybercrime starts to fade.
