Four years ago, a vigilante hacker pulled off one of the most daring hacks of all time.
The hacker, known as Phineas Fisher, broke into the servers of Hacking Team—one of the most hated companies in the cybersecurity world—and put all its data online. This was the equivalent of a museum robber breaking into the MoMA and then putting all its most valuable paintings on the sidewalk, for anyone to grab.
In this case, instead of Van Goghs, it was the source code for the spyware made by Hacking Team and used by governments that was put on the internet for all to see and download.
The thing that made this hack even more audacious is that Phineas Fisher did the same thing a year before to another unpopular company called FinFisher. Phineas Fisher’s hacks exposed the highly guarded secrets of those two spyware companies—and thus far, he’s gotten away with it.
But one big secret remains: who is Phineas Fisher?
Five years after his first public hack, nobody really knows. In June of this year, long-time cybersecurity reporter Joseph Menn wrote in his new book on hacktivism that the US government believes Phineas Fisher is likely an agent of the Russian government.
If true, this wouldn’t be the first time Russian intelligence hackers created a hacktivist persona to throw investigators off their trail.
Have a tip about a government spyware company ? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
The most well-known persona created by the Russian government is that of Guccifer 2.0, the fake Romanian hacker that claimed to be behind the Democratic National Committee hack before the 2016 US presidential elections. In 2015, hackers claiming to be the Cyber Caliphate, a mysterious ISIS-linked hacktivist group, took the French channel TV5Monde offline. As it turned out, the Cyber Caliphate was just a made up group created by Russia’s infamous government hacking group APT28, the same group that hacked the DNC. Russian hackers pulled off another successful—at least for a while—false flag when they pretended to be a patriotic hacker group called the Yemen Cyber Army.
Phineas Fisher themselves, however, denied to Motherboard that he is a Russian government hacker, dismissing Menn’s reporting as “impressive mental gymnastics.”
“Promoting a narrative (with no evidence at all) that I was acting for Russian interests and not public interest, is irresponsible and dangerous for me,” Phineas Fisher told Motherboard after reading the chapter that covers him in Menn’s book Cult of The Dead Cow. “If I ever get arrested it’ll be pretty obvious I’m not working for Russian government.”
“If I ever get arrested it’ll be pretty obvious I’m not working for Russian government.”
Obviously, we shouldn’t take Phineas Fisher’s word at face value—hackers like Guccifer 2.0 also claimed to not be associated with the Russian government. Guccifer 2.0 has now been tied to a team of Russian military intelligence agents by special counsel Bob Mueller. US investigators indicted 12 Russian officers for hacking the DNC, the Democratic Congressional Campaign Committee, and the Hillary Clinton campaign, and using personas like Guccifer 2.0 to spread the hacked data.
But when it comes to Phineas Fisher, there’s more signs that point away from the Kremlin. A source close to the US intelligence community told Motherboard that the US government is actually convinced Phineas Fisher is indeed a hacktivist.
Moreover the Italian government investigators that looked into the Hacking Team breach have reached a similar conclusion.
“The motive behind the commission of the crime was certainly of political and ideological nature,” the Italian investigators wrote in a court document obtained by Motherboard. In the document, issued at the end of last year, the prosecutors who investigated the case admitted that they had no more leads to follow. The document does not mention any leads pointing to Russia or the Russian government, and the prosecutors conclude that the motive behind the hack was to damage Hacking Team for its alleged unethical dealings with countries like Sudan.
Menn said that he is not certain Phineas Fisher is Russian, but based on what his sources connected to Western intelligence agencies, that is their assumption.
“I think it is at least as plausible that Phineas Fisher is a Russian operation maybe through a cutout than it is that he/she/it is what he/she/it purports to be, which is a politically motivated morally crusading super talented hacker,” Menn said in an interview for Motherboard’s podcast CYBER.
Part of the Russian attribution made by Menn’s sources rests on Phineas Fisher’s last public hack.
In the summer of 2016, Phineas Fisher claimed responsibility for the hack on the Turkish ruling party, the AKP. The hack resulted in the leak of thousands of internal AKP emails to WikiLeaks, which published them online. Among the leaked information, there was highly sensitive personal information about thousands of women in Turkey.
According to Menn, the hack and leak of the AKP emails fits the Russian government foreign policy agenda.
Phineas Fisher, however, said the emails and other data were published without his permission, nor the permission of activists in Rojava, a contested region between Turkey and Syria that’s effectively self-governed by an anarchist group now. The hacker, who donated 10,000 euros in Bitcoin to the Rojava government, said one of his contacts in Rojava shared the emails with WikiLeaks, and the hacker asked the leaking organization to hold off on publishing them, but Julian Assange’s organization ignored the request.
“I contacted WikiLeaks asking them not to publish, others in Rojava contacted wikileaks asking them not to publish, the person that sent the file to WikiLeaks asked them not to publish,” Phineas Fisher said. “WikiLeaks even told me they’d had a turkish person read through the emails and they knew it was all spam and crap.”
WikiLeaks did not respond to a request for comment.
A source who lives in Rojava confirmed Phineas Fisher’s version of the story. The source, who asked to remain anonymous to protect his safety, said that Phineas sent his organization around 100 gigabytes of data. He then sent the data to a contact in the UK who could pass it to WikiLeaks. The activists in Rojava asked WikiLeaks to withhold publication until they could see what was in the hacked data, but they were ignored.
“A couple of days later there was a coup attempt in Turkey so WikiLeaks decided unilaterally that it was the right time to publish. We contacted them several times and begged them not to do it,” the man in Rojava said. “It was an asshole move and a treason, and it became clear that WikILeaks has their own agenda and don’t give a shit about helping activists or democratic movements.”
One day, perhaps we’ll find out who Phineas Fisher really is. But, for now, the mystery remains.
Subscribe to our new cybersecurity podcast, CYBER.