Phineas Fisher
Biography
Phineas Fisher (also known as Phineas Phisher, Subcowmandante Marcos) is an unidentified hacktivist and self-proclaimed anarchist revolutionary. Notable hacks include the surveillance company Gamma International, Hacking Team, the Sindicat De Mossos d'Esquadra (SME, union of the Catalonian police force) and the ruling Turkish Justice and Development Party, three of which were later made searchable by WikiLeaks.
Typically, each public attack is followed by a communique containing information about the breach, technical information in a how-to format, ASCII art, poetry and leftist and anarchist propaganda. In 2019, Fisher offered hackers a bounty of up to US$100,000 for successful hacktivism and the following year claimed to have paid out US$10,000.
Hacks
Gamma International attack
In 2014, Gamma International, best known for the FinFisher malware, was hacked and a 40 gigabyte dump of information was released detailing Gamma's client lists, price lists, source code, details about the effectiveness of the FinFisher malware, user and support documentation and a list of classes/tutorials. Months later Fisher released the first document of the HackBack! series, named HackBack!: DIY Guide for those without the patience to wait for whistleblowers, which claimed responsibility for the Gamma International hack and gave detailed instructions aimed at beginners on how to repeat a similar attack, intending to "Inform and inspire you to go out and hack shit".
After the release, WikiLeaks rereleased it as part of SpyFiles 4.
Hacking Team attack
In 2015, Fisher claimed to have successfully breached Hacking Team. In the communique, which was this time released in Spanish, Fisher claimed to have breached the network through a 0-day exploit from a bug found in a SonicWall SSL-VPN embedded network device. The exploit was subsequently patched by SonicWall before it was made public by security researcher and ex-LulzSec member Darren 'Pwnsauce' Martyn, who claimed "if you use these products is to unplug them, douse them in kerosene, and set them on fire. It is the only way to be safe from something seemingly developed with this level of negligence."
After the release of the files, WikiLeaks rereleased the Hacking Team emails.
Mossos D'Esquadra union attack
On May 15, 2016, Phineas Fisher breached and leaked data from Sindicat De Mossos d'Esquadra (SME), the police union of the Catalonian police force. Fisher uploaded a video of the attack to YouTube, along with a link to a cache of personal data such as full names, addresses, bank accounts and telephone numbers for more than five thousand officers, a quarter of the total force. The Minister of the Interior, Jordi Jané i Guasch, stated that the leak "does not compromise the work or investigations of the agents, but does compromise their privacy". Fisher claimed that Ciutat Morta, a Catalan documentary investigating the 4F case, inspired her to commit the attack.
Fisher uploaded a thirty-nine minute video to YouTube after the attack. The video consists of the attacker probing an SME website with publicly available open-source tools before using an SQL injection to dump the data. While the attacker waits, they show the viewer images of people who have allegedly been victims of police brutality at the hands of the Mossos, including a woman blinded at the 2012 Barcelona General Strike. The video is set to a soundtrack themed around anti-police and overtly 'revolutionary' English and Spanish language hip-hop.
Arrests
In early January 2017, the Mossos, in conjunction with the Policía Nacional, raided and arrested at least four people, including a person in Salamanca, Spain and two in the Sants district of Barcelona, under suspicion of the SME attack. A few hours after the raids were reported in the Spanish press, Vice Motherboard claimed that they had been in contact with an email address previously associated with Fisher, who claimed to be free at the time of contact.
AKP hack
In 2016, Fisher claimed responsibility for breaching networks belonging to the Turkish ruling Justice and Development Party (AKP) and stealing hundreds of thousands of emails and other files in solidarity with the Kurdish movement in Rojava and Bakur. The trove, which became known as the AKP Emails, is archived at WikiLeaks. WikiLeaks caused issues with Fisher after the organization published the AKP emails despite Fisher directing them not to, potentially leaving operational and personal details vulnerable. Fisher also accused WikiLeaks of saying they knew the emails were "all spam and crap."
On July 21, WikiLeaks tweeted a link to a database which contained sensitive information, such as the Turkish Identification Number, of approximately 50 million Turkish citizens. The information was not in the files uploaded by WikiLeaks, but in files described by WikiLeaks as "the full data for the Turkey AKP emails and more", which were archived by Emma Best, who then removed them when the personal data was discovered.
Most experts and commentators agree that Fisher was behind the attack.
Cayman Island National Bank and Trust hack
In November 2019, DDoSecrets published over 2 terabytes of data from the Cayman Island National Bank and Trust, dubbed the Sherwood files. The files were provided by Phineas Fisher, who was previously responsible for the hack and subsequent release of Gamma Group and Hacking Team documents and emails. The files included lists of the bank's politically exposed clients and were used for studies of how elites use offshore banking. The leak led to at least one government investigation.
Bug bounty
In Fisher's 2019 Cayman Bank hack communique, Hackback! Una guía DIY para robar bancos (Hackback! A DIY guide to robbing banks), Fisher offered hackers up to US$100,000 in either of the Bitcoin or Monero cryptocurrencies to carry out acts of hacktivism that lead to public disclosure of documents, naming it the "Hacktivist Bug Hunting Program". In the communique, Fisher states that "this program is my attempt to make it possible for good hackers to earn a living in an honest way by revealing material of public interest, instead of having to go selling their work to the cybersecurity, cybercrime or business industries", going on to cite examples of companies to target such as extraction industries in Latin America, Private Military Contractors including Blackwater and Halliburton and operators of private prisons such as GEO Group and CoreCivic.
MilicoLeaks
In 2020, Fisher claimed to have paid US$10,000 out of the "Hacktivist Bug Hunting Program" to an anonymous hacker who leaked over two gigabytes of emails and documents from several email accounts belonging to Chilean military personnel. The archive was named MilicoLeaks by Distributed Denial of Secrets. The cache of documents included over three thousand emails and one thousand documents, some related to "intelligence, finance and international relations". The Chilean military confirmed the breach in an official document via Twitter.
Identity
The identity of Phineas Fisher is currently unknown. Fisher has been accused of being a Russian agent by tech journalist Joseph Menn in his book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. The book also claims, quoting James Lewis, that this is the assumption of the State Department. Fisher strongly denied these claims, and Vice Motherboard reported, citing a source, that the "US government is actually convinced Phineas Fisher is indeed a hacktivist." An Italian judge echoed this claim, saying "[Phineas Fisher's motives were] certainly political and ideological."
Fisher has issued communiques which reference anarchism and anarchist-related content such as the Zapatista Army of National Liberation, and has labeled herself an 'anarchist-revolutionary'. Phineas has also done an interview with Blackbird of the CrimethInc Ex-Workers Collective, an anarchist media collective based mostly in the Americas. The name "Phineas Fisher" is a play on the name of the FinFisher malware developed by Gamma International. "Subcowmandante Marcos" is a word play on the former Zapatista Army of National Liberation spokesperson Subcomandante Marcos. The Cayman National Bank hack communique featured ASCII art of a cow with a pipe reminiscent of a famous image of Marcos and used the well-known Zapatista slogan "Para que nos vieran, nos tapamos el rostro" ("In order to be seen, we covered our faces").