
Show Notes

COLD OPEN 

Early in the morning of January 31, 2017, Major Josep Lluís Trapero Álvarez walked into the command center in the Barcelona headquarters of the Mossos d’Esquadra, the region’s main police force. Today, they were finally going to close the net on three suspects whom they’d been investigating for almost a year.

But this investigation was personal.

Last May, a hacker going by the name Phineas Fisher had broken into the Mossos d’Esquadra’s police union’s computer system. Then, they published the names, addresses, and personal information of more than 5,000 police officers. Many of those officers were working this very operation.

They didn’t know if Phineas Fisher was one of the three suspects, or all of them working together. But they weren’t going to treat them gently.

There were two video monitors. One was centered on an apartment on the other side of town. The other showed a different apartment in the city of Salamanca, about 500 miles to the west. 

Ready when you are, boss.

Álvarez gave the nod. The tactical commander signaled the two teams.

SFX: knocks at the door.

Police! Open up!

Both doors opened. None of the suspects resisted. Álvarez had been told they were all computer engineers. Not the type to put up a fight, he thought. If anything, they seemed confused as to why the police were at their doors.

Álvarez’s teams took the trio into custody. In Barcelona, the Mossos d’Esquadra brought in a couple, ages 31 and 35. In Salamanca, they brought in a single man, age 33. Their names still haven’t been published.

All of them denied having anything to do with Phineas Fisher. The couple from Barcelona hadn’t even heard of him. The guy from Salamanca had, but all he’d done was link to Phineas’s work on social media.

They all insisted they were innocent. But police were convinced they had Phineas Fisher in custody. They took it to the press, and that afternoon the country’s leading newspaper, El País, published the story.

By then Major Álvarez was on site at the couple’s apartment in Barcelona, personally supervising the search for evidence.

One of his officers jogged up to him.

Hey, boss? You’d better have a look at this.

He showed Álvarez his phone. There was an article from Vice magazine, in English. The headline read:

Notorious Hacker Phineas Fisher: I’m Alive and Well.

In the article, Phineas gloated. I think the Mossos just arrested some people that retweeted the link to their personal info, Phineas wrote. Or maybe just arrested some activist-y/anarchist-y people, to pretend they’re doing something.

Álvarez wanted to smash the phone. The original hack was embarrassing enough. Now they’d arrested the wrong people. Worst of all, Phineas Fisher was still out there–and likely to hack again soon.

On this episode: hacktivism, private cybersecurity companies, government surveillance, and dinosaur puppets. I’m Keith Korneluk and this is Modem Mischief.

INTRODUCTION

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of Phineas Fisher.

ACT ONE 

SFX: busy convention crowd

The North Bethesda Marriott Hotel and Conference Center is about a 40-minute drive north of Washington D.C., depending on traffic.

One weekend in October 2011, it was hosting the annual ISS World Convention. “ISS” stood for “Intelligence Support Systems.” But critics had another name for it: “the Wiretappers Ball.”

Here, representatives from 35 American law enforcement agencies, everyone from the FBI to the Fish and Wildlife Service, gathered to purchase hacking tools to use in their work.

These tools were state-of-the-art and proprietary. They sold for hundreds of thousands to millions of dollars. The kind of tools that governments everywhere possess—but that the average citizen often knows nothing about.

Obviously, the ISS World Convention was an invite-only event. Journalists were forbidden from attending. That didn’t stop them, of course—there were dozens of them skulking around the Marriott’s halls and bars, trying to pry any information out of a boozed-up cop or techie.

Jennifer–not her real name–considered posing as a journalist but quickly ruled it out. Right now, she was sipping a drink at the Marriott bar among a crowd of law enforcement professionals. They’d been chatting for almost an hour. All she wanted was for them to finish getting wasted and go back to the convention floor.

As far as they knew, she was one of them. She’d printed out business cards identifying herself as an IRS agent. She was here to peruse hacking programs to catch tax scofflaws, she said.

Finally, everyone finished their drinks and headed back to the floor.

At the entrance, the security guard noticed Jennifer’s lack of a convention badge.

Sorry, I left it in my hotel room.

Don’t worry, she’s with us, said one of her new friends from the bar, who was an FBI Agent. Knowing he was badly outranked, the security guard waved them through.

As the group entered the convention, Jennifer veered away. I’ll catch up with you guys later, she said over her shoulder.

She went to the nearest booth and picked up a tote bag--from some British surveillance company called Cobham. Then, she made a beeline for her destination: the booth for Gamma Group International.

With offices in Munich, Germany and Andover, England, Gamma Group International was one of the leaders in surveillance software.

At the booth was a tall, slim German man in a form-fitting tailored suit with a skinny tie. She recognized him immediately. Martin J. Muench. Thirty years old, he was Gamma’s managing director, and the creator of its flagship product, FinFisher.

She wanted to punch him. Instead, she smiled.  

Hello. I’m Jennifer Martin, with the IRS. She flashed a business card. I’d love to learn more about FinFisher.  

He eyed the card.

IRS, huh? Do you have an appointment? 

I didn’t know I needed one…

We only demonstrate our software by appointment.

I see…Mind if I take one of these? Jennifer asked, pointing at a brochure. He thought it over, then nodded. She grabbed it and slipped it into the tote bag.

So as not to look suspicious, Jennifer repeated this process at 50 other trade booths. Finally, her task done, she fled the Marriott.

With the brochures in her possession, she would shine a light on the secretive world of private cyberwarfare companies.

But before we cover that, let’s back up a little further, and talk about where these companies came from.

In the 1980’s and 90’s, hackers were often defined by a stereotype: they were troublemakers who liked to make decent, hardworking systems administrators’ lives miserable.

In fact, many of them were just hungry for knowledge—and some even wanted to use their hacking abilities to make the world a better place.

They formed hacking groups. Loose collectives with names like Anonymous, which we covered in episode 28. There was also the Chaos Computer Club in Germany, or the Cult of the Dead Cow in El Paso, Texas—which we’ll be covering in future episodes.

They were idealists. They broke into companies’ and governments’ computers not to steal from them, but to expose their sins.

But everyone needs to make a living. As these teenaged hackers hit their twenties and thirties, many of them took jobs at cybersecurity companies—ones like Gamma Group.

Gamma Group was founded in 1990 in Beirut, Lebanon. It started as a trading company in general and electrical goods. The company grew until it was purchased by a British family, the Nelsons. Previously, the Nelsons had been accused of doing business with Saddam Hussein. Multiple times. 

By 2007, the Gamma family of companies wanted to get into the cybersecurity business. They just needed hackers. And at the top of Gamma’s list was Martin Muench.

Martin Muench was born in a small town in northern Germany, which he refuses to identify to protect his family. He started hacking by age 13. School held little interest for him outside of classes related to computing.

In his teens, he was a member of both the Chaos Computer Club and the Cult of the Dead Cow. But Martin wasn’t satisfied with just exposing the sins of corporations and governments. He wanted his hacking to have real-world uses.

Parts of the Internet were—and still are—a cesspool of child pornography and pedophilia. Martin wanted to help law enforcement catch those who abuse children.

When Gamma Group contacted Martin in 2007, he’d already created BackTrack, a free toolkit used for computer penetration testing—essentially, probing a firewall for weaknesses a hacker might exploit.

Martin jumped at the chance to work for Gamma Group—even though he would be Gamma’s only cybersecurity employee to start, and even though he’d be working out of his apartment.

Immediately, he began developing FinFisher. It would be, he reasoned, a tool for catching the worst of the worst. Pedophiles. Terrorists. Human traffickers.

But Martin and Gamma Group also knew that a tool so powerful had to be used responsibly. Everyone agreed that Gamma Group would only sell FinFisher to democratic governments that allow freedom of expression.  

The idea behind FinFisher was simple—if you’re a really smart computer hacker, anyway. FinFisher would be a suite of tools used to break into nearly any computer or device in the world.

FinFisher was a piece of malware that could be embedded within the code of a document that looked harmless. It could target all operating systems, smartphone types and even applications like Microsoft Word.

Once it was downloaded onto a target computer, the real fun would begin. It could record Internet browsing sessions, or make copies of Skype conversations. It could log keystrokes. It could even remotely switch on a webcam and record whatever the camera could see.

We’ll wait while you put a piece of duct tape over your webcam.

Best of all, FinFisher was easy to use. Even cops in their 60’s with limited computer skills could operate it. Soon, FinFisher was selling for hundreds of thousands of dollars a pop. Gamma Group grew to 30 employees, with Martin as their managing director.

Martin was a rising star. While the general public might not have known his name, the cybersecurity community knew him by his initials: MJM. Many were so intimidated by him that they refused to bring wireless devices near him in case he might know some way to hack them. He was living the dream and getting paid BMW money to do it.

But then, the Arab Spring uprisings happened.

In March 2011, countries in Africa, the Middle East, and the Arabian Peninsula were revolting against decades of rule by oppressive governments. 

Egypt’s president, Hosni Mubarak, had been removed from power about a month earlier. But the people of Egypt were anxious that Mubarak would escape punishment for his crimes.

On March 5th, neighbors noticed fire coming out of the headquarters of Egypt’s State Security Investigations service, its secret police. They feared the SSI was burning documents--the records of decades of detentions, tortures, executions, and more. 

Soon, 3,000 protesters stormed the building to preserve the evidence. There, among the truncheons and torture equipment, two human rights activists found a proposal from Gamma Group to sell FinFisher to the Egyptian government, for about 350,000 Euros. (It’s unknown whether Egypt and Gamma Group ever made the deal.) 

This was how FinFisher first became known to the general public—and the hacktivist community noticed. Who else was Gamma Group selling their spyware to?

Months later, in October, a hacktivist infiltrated the ISS World Convention at the Bethesda Marriott, where they absconded with brochures for Gamma Group and 50 other private cybersecurity companies. Then, they passed them along to the volunteer-run whistleblower organization, Wikileaks.

On December 1st 2011, Wikileaks published the brochures as well as promotional videos from Gamma Group. Collectively, Wikileaks called it “The Spy Files.”

But while the revelation was certainly interesting to the cybersecurity community, it failed to spark widespread outrage. These were just documents discussing FinFisher. Nobody had ever seen the program itself.

That would change in 2012, when Google’s incident response team received an email from a human rights group in Bahrain, the island nation of 1.3 million in the Persian Gulf. 

Like Egypt, Bahrain was home to Arab Spring protests. The email contained an attachment that had been sent to Bahraini protesters. Analysis revealed that the attachment was infected with a FinFisher program called FinSpy.

Bahrain had been using FinFisher to monitor protesters and dissidents both in Bahrain and around the world. In one case, FinFisher was used to hack into the Facebook account of Moosa Abd-Ali Ali, a London-based expatriate who frequently criticized the regime. In 2012, Abd-Ali Ali discovered the Bahraini government using his account to impersonate him, trying to solicit his female acquaintances for sex—all as an attempt to discredit him.

Google’s engineers analyzed the malware for months, along with volunteer researchers at the University of Toronto’s Citizen Lab. They discovered FinFisher in eleven countries: Austria, Bahrain, Bulgaria, Hungary, Lithuania, Macedonia, Nigeria, Pakistan, Panama, Romania, South Africa, and Turkey.

For their part, Gamma Group and Martin Muench denied doing anything wrong. They claimed they only sold FinFisher to “good” governments, only to be used for catching criminals. They claimed that any or all of these copies of FinFisher could have been stolen. 

And that’s as far as it would have gone—if it weren’t for a hacker who would soon be given the title “the Robin Hood of the Internet.”  

In August 2014, someone created a new account on Reddit called “Phineas Fisher.” It was a play on words on Gamma Group’s most successful spyware, FinFisher.

Then on August 3rd, Phineas Fisher posted on the r/Anarchism subreddit.

Gamma International Leaked! Phineas began the post.

I hacked in and made off with 40 gigabytes of data from Gamma's networks. I have hard proof they knew they were selling to people using their software to attack Bahraini activists (and still are), along with a whole lot of other stuff in that 40 gigabytes.

Phineas included a link to a Dropbox folder that contained the 40 gigabytes of files, pleading with everyone to upvote the post and share with everyone they knew.

Next, Phineas Fisher created a parody Twitter account called @GammaGroupPR, and began firing off Tweets.

Hello! This is the official Twitter account of Gamma Group International, maker of the FinFisher suite of spyware tools. Today, we’re selling FinFisher to the general public because we’ve run out of governments to sell to!

The account went viral. Phineas continued firing off Tweets.

We also thought we’d share a bunch of internal company documents. Here you go!

Phineas included a link to a Dropbox folder containing the files. They continued Tweeting, highlighting the most explosive revelations. There was a full list of clients FinFisher had been sold to; a price list; instruction manuals; documents analyzing the software’s effectiveness; and there was even FinFisher’s source code.

This was a death blow. Now, anyone could write an antivirus program protecting against FinFisher.

A few months later, Phineas Fisher Tweeted one last document. This one, they wrote themselves. Titled “HackBack: A DIY Guide,” it outlined how he carried out the Gamma Group hack.

I'm writing this to demystify hacking, Phineas wrote, to show how simple it is, and to hopefully inform and inspire you to go out and hack shit.

Now, Phineas Fisher’s intentions were clear: they wanted to start a revolution—but who was Phineas Fisher? Where would they strike next? And what did they really want?

ACT TWO

SFX: Alarm clock 

On July 5, 2015, an alarm clock woke up David Vincenzetti. It was 3 a.m.

The slim 48-year-old Italian stretched his long frame and got up. As always, there was a lot to do. He made espresso, switched on the financial news, and started doing push-ups.

He thought about the day ahead. David was the CEO of Hacking Team. It was a Milan-based private contractor and Gamma Group’s top competitor. Their signature spyware was a nasty piece of work called “Galileo.” 

Most software companies are volume businesses. Not Hacking Team. Vincenzetti had around 40 clients, all of them paying top dollar for Galileo. With so few clients, Vincenzetti had to keep them all happy. That meant constantly updating the software. That would take up most of today.  When he wasn’t doing that, he’d be on the phone with clients around the world trying to make deals.  

He didn’t remember the last time he’d taken a vacation. All he ever splurged on was expensive steak dinners and designer suits.

SFX: cell ringing

Suddenly, his phone rang. It was his operations manager, Daniele Milan. A 3 a.m. phone call? This couldn’t be good. What was it this time?

David, we’ve been attacked. Someone’s taken over our Twitter.

David pulled up Hacking Team’s official Twitter page. Sure enough, there was a Tweet right at the top.

Hello, followers! Since we have nothing to hide, we’re publishing all our emails, files, and source code!

Along with that was a link to a Dropbox folder. Inside were over 400 gigabytes of sensitive company data.

We’re trying to get Twitter to give us our account back, but it’s Sunday night in California, Daniele continued.

Is any of that data legitimate?

Looks like it. We’ll get it taken down, but…

The reality of the situation hit him. First, the company had been hacked. Then their Twitter account had been hacked and used to distribute the results of the first hack. Worst of all, the information was now in the wild. There was no way of getting it back.

But David knew the most severe blow was the publication of the source code. Just like with Gamma Group a year earlier, this meant that antivirus software was probably now being written to protect against Galileo.

The entire premise of Galileo was that it was based on Zero Day exploits. These take advantage of flaws in software programs that are unknown even to the publishers, and can be used to penetrate computer systems.

Now that the existence of these exploits was public…they were no longer Zero Day exploits. Around the world, software companies and hell, even volunteers, were probably writing antidotes to Galileo right now.

In other words…Hacking Team was fucked.

The next day, Phineas Fisher claimed responsibility for the Hacking Team hack. Still using the @GammaGroupPR account, Phineas Tweeted: “gamma and HT down, a few more to go”

Months later, Phineas would once again publish a document detailing the hack. It was partly a step-by-step walk through how he hacked Hacking Team. It was also partly a political manifesto inspiring other people to carry out similar hacks.

It wasn’t clear that anyone was following Phineas Fisher’s lead. But there was no doubting that Phineas Fisher severely damaged two major private software companies—and was threatening to do the same to more.

In their battle against governments and companies who use the Internet to violate people’s human rights, Phineas Fisher couldn’t have picked a better target than Hacking Team. 

David Vincenzetti founded the company in 2004. At the time, he’d just developed the software program that would come to be known as Galileo. Like FinFisher, Galileo was a type of malware that could infect a target’s computer and allow a spy to learn nearly everything about them.

Once a target’s computer was infected with Galileo, a spy would take over the target’s webcam and take a photo of them. This would become their target’s profile picture in Galileo. With that, a spy could peruse every device connected to their target—smartphones, tablets, computers—and every software application they used. Email. Facebook. Skype. Contact list. Even their GPS location. Vincenzetti liked to joke with his staff that they made the most “evil technology in the world.” 

Vincenzetti’s first major contract was with Spain’s Secret Service, who purchased Galileo in the months following the 2004 Madrid subway bombings that killed 193 and injured 2,000.

From there, Hacking Team’s client list had grown to include dozens of countries and governments. Like Gamma Group, it claimed only to sell to law enforcement agencies in democratic countries. In fact, Phineas Fisher’s hack exposed the truth: Hacking Team was selling to notorious human rights abusers in more than 30 countries, including Azerbaijan, Ethiopia, Bahrain, Egypt, Kazakhstan, the Sudan, and Saudi Arabia. 

So now Phineas Fisher was two for two. Gamma Group and Hacking Team were exposed and ruined.

But the notoriety only brought more questions. Who was Phineas Fisher? They’d never appeared in public, and it wasn’t clear if they were one person or several. They hadn’t even made any public statements beyond the two how-to guides and a string of Tweets.

But soon, Phineas Fisher would become a lot more vocal.

In the months following the Hacking Team hack, journalists with Vice magazine and Vice Canada reached out to the @GammaGroupPR Twitter account and began a dialogue with the person controlling it. Phineas agreed to do an on-camera interview, with two conditions:

One, Phineas would provide their answers in writing, which would be read aloud by a voice-over actor. 

The other condition? Phineas wanted to be portrayed by a Kermit the Frog puppet.

Unable to get around copyright restrictions, the journalists instead got a dinosaur puppet that vaguely resembled Kermit, and the interview was on.

When asked why they carried out the hacks, Phineas responded:

I just read the Citizen Lab reports on FinFisher and Hacking Team and thought "that's fucked up," and I hacked them.

Phineas explained that they did it “for the Lolz.” The answer had to be facetious, given the political nature of Phineas’ hacks. But otherwise, Phineas was coy about their motivations. 

Phineas went on to highlight various takeaways from the Hacking Team publications—for example, internal emails showed that when Gamma Group was hacked, employees suggested Hacking Team upgrade its company firewall. Vincenzetti vetoed it. 

The discussion ranged into the philosophical. Why did companies that claimed to only sell software to democracies also sell it to dictatorships? To Phineas, it was simple: people followed the money.

The last question of the interview was probably the least clarifying.

How do we know you’re Phineas Fisher?

You don't. We're all Phineas Fisher. That's a dumb name though. Just the first play on FinFisher I could think of. And I haven't hacked them in a while. I should try out a new name.

With that, it was over. Coming out of the interview, the Vice journalists seemed to know less about Phineas Fisher and their motivations than when they started.

It wasn’t even clear if Phineas knew what was driving them.

Phineas had promised to continue hacking the world’s cybersecurity companies. But after the Hacking Team hack, Phineas appeared to lose interest. The prolific hacker needed a new target.

They found it by watching a documentary—at least according to Phineas’ version of events.

After the Hacking Team Hack, Phineas happened to catch a documentary called Ciutat Morta, or “Dead City” in English. Directed by Xapo Ortega and Xavier Artigas, the two-hour film tells the story of a series of incidents of police brutality committed by the Guardia Urbana, the municipal police in Barcelona, Spain. 

In 2006, officers of the Guardia Urbana were dispatched to an abandoned theater that had been taken over by squatters, who were throwing a rave.

There, one of the police officers, who wasn’t wearing a riot helmet, was struck in the head with a flower pot. The officer fell into a coma and died. 

The other Guardia Urbana officers immediately began arresting suspects who fit a racial profile, including three men from Latin America: Alex Cisternas, Rodrigo Lanza and Juan Pintos. They had nothing to do with it, but police beat them so badly they were hospitalized.

At the hospital, Guardia Urbana discovered that a young couple named Patricia Heras and Alfredo Pestana were being treated for injuries they sustained in a bicycle crash near the rave. Like Cisternas, Lanza, and Pintos, they had nothing to do with the flower pot attack. The Guardia Urbana didn’t care. They arrested them, too. 

The Guardia Urbana tortured the five suspects for days. The three men from Latin America were held in custody for two years, then convicted. Alfredo Pestana was pardoned, but Patricia Heras committed suicide before her judgment was rendered.

The documentary Ciutat Morta lays out the case in exhaustive detail. Phineas Fisher was so outraged, they decided to do something about it.

On May 8, 2016, Phineas Fisher hacked into a proxy server owned by a local Barcelona couple he’d never met. Using the server to obscure his identity, Phineas then began probing the servers for the Mossos d’Esquadra.

Like we said, the Mossos d’Esquadra is Catalonia’s top law enforcement body. It wasn’t involved in the Ciutat Morta case—that was the local police, the Guardia Urbana. But the Mossos did release a statement calling the Ciutat Morta film a total fantasy. That was good enough for Phineas. 

On May 15, Phineas again used the proxy to hack into the Mossos servers. Using Kali Linux, an operating system used by hackers and penetration testers, he probed the system for vulnerabilities to a particular type of SQL injection. As he did, he recorded a video of himself doing the hack. He would later release the video online, accompanied by NWA’s “Fuck the Police.”

The Mossos security wasn’t robust, and soon Phineas was in. Hehe, Mossos are probably too busy tear-gassing protesters right now to pay attention to their server log, Phineas captioned the video. 

Once inside, Phineas began stripping as much data as he could about the members of the police union. Names and badge numbers. Bank account information. Home addresses. Altogether, he collected the data for 5,540 current and former cops.

By then it was about 11 p.m. Time for the second phase of the plan. Phineas pulled up the Mossos d’Esquadra Twitter account, which he’d previously hacked into and gained control of, and fired off a message.

Mossos on strike! he wrote. We are tired of serving the powerful and fighting against the people!

Then, he defaced the union’s website. We have decided to stop doing the dirty work as ordinary soldiers of capitalism! 

Then he fired off another Tweet. In accordance with the transparency law, we publish the list with our members. Included in that Tweet was a link to a file containing the cops’ personal information.

Phineas had doxed them. Now, every criminal they’d ever arrested would know exactly where they lived.

The Mossos d’Esquadra began receiving complaints about the Tweets at about half past midnight. It took eight more hours to regain control of their Twitter, and take down the personal information, but by then the damage was done.

The Mossos’ Central Computer Crime Unit opened an investigation into this mysterious Phineas Fisher, but the hacker was already several steps ahead.

Months later, Phineas Fisher released the video detailing how they hacked into the Mossos d’Esquadra. Like their previous how-to documents, this was both a hacking guide and a political manifesto.

This time, Phineas urged would-be hacktivists to take their hacktivism one step further. Simply exposing companies and governments was no longer enough. They should also hack into banks and other financial institutions, steal money, and funnel it to human rights activists. 

After exposing two cybersecurity companies, Phineas Fisher had now doxed Catalonia’s top police union. There was no telling who they would target next.

To many in the hacktivist community, Phineas Fisher was a hero—the sort of hacktivist that Martin Muench and David Vincenzetti had once aspired to be before selling out.

But others were puzzled. Why was this anonymous hacker changing tactics? Why start off by hacking private cybersecurity companies in England, Germany, and Italy, and then hack the police in Spain? Was Phineas Fisher really the good-hearted hacktivist they claimed to be? Or was someone else pulling the strings?

ACT THREE

In the days after the Mossos d’Esquadra hack, Phineas Fisher found their next target—but this time, Phineas would learn that interfering in international politics can easily backfire.

In April 2016, a group of police officers was manning a security checkpoint in Qamishli. It’s a small town in northern Syria. The officers were Kurdish, like the majority of the city’s population.

The officers held assault rifles and stood behind piles of sandbags. A long line of people stretched around the block, waiting for their turn to pass through.

Next, an officer said, both bored and alert.

A man stepped up to the checkpoint.

Papers, please.

The man said nothing. He reached his hand into his jacket. But he didn’t pull out any papers.

The officer realized what was happening, but it was already too late.

SFX: explosion.

The suicide bomber killed six Kurdish police officers and wounded five more. Later, the Islamic State, or ISIS, would take credit for the attack.

It was the latest act of violence that had rocked the region. Qamishli is in the Rojava region. It’s a territory the size of Connecticut, between the borders of Syria and Turkey.  Its name means “The Land Where the Sun Sets.”

Since 2014, the Rojava region had declared itself independent from Syria. But it wasn’t just a chance for Syria’s Kurdish population to grant themselves freedom. The Democratic Union Party wanted to completely reshape society. It wanted to get rid of capitalism entirely. 

The Syrian government opposed the move. But the Syrian government had its hands full trying to stop an Arab Spring-inspired revolt that began in 2011. It was also trying to contain the Islamic State, which had been threatening Syria since 2014.  

The bigger problem for Rojava was Turkey. Also home to a large Kurdish population, Turkey has long opposed the creation of a Kurdish homeland. Turkey saw Rojava’s breakaway as a thinly veiled attempt to do just that. Turkey hit Rojava with severe economic sanctions, preventing the import of food and medical supplies.

The situation in Rojava was becoming desperate. And Phineas Fisher wanted to help.

Phineas read an interview with Deniz Tarî, a spokesperson for a Rojava-based nonprofit called the Rojava Plan. In it, Tarî begged the international community to donate money so Rojava could purchase farming equipment and fertilizer. Basic necessities it needed to feed itself.

Phineas was inspired. In early May 2016, Phineas made an announcement on Reddit.  

Rojava is one of the most inspiring revolutionary projects in the world today. I just donated 10000€ in bitcoin, Phineas Tweeted.

Phineas never specified which bank they stole from. But Deniz Tarî confirmed that Plan Rojava did indeed receive a donation of 10,000 Euros from an individual named Phineas Fisher.  

On Twitter, Phineas reiterated that hackers who wanted to help the cause should also expropriate money from banks and funnel it to human rights groups. They even suggested running a credit card skimming operation, for those less technically savvy.

But Phineas was just getting started.

On July 8, 2016, Phineas hacked into the servers for Turkey’s ruling party, the AK Party, or the Justice and Development Party. It was led by Turkey’s right-wing president, Recep Tayyip Erdogan. There, Phineas began downloading hundreds of thousands of internal emails. Phineas hoped that they might contain something that would help Rojava in its conflict with Turkey.

Then, Phineas reached out to Deniz Tarî.

I’ve hacked into the AK Party, Phineas wrote. Downloading a shit ton of emails. Don’t know if there’s anything incriminating, but this could be huge. Here’s a link to what I’ve found.

Phineas passed along the link.

Amazing!!! Tarî wrote back. Just shared them with Wikileaks. Hopefully this will take those bastards down.

Phineas paused. They’d just wanted to cheer Tarî up. They hadn’t expected this.

Well…just ask Wikileaks not to publish until I’m done downloading the files. We don’t even know what’s in them.

I’m sure it won’t be a problem.

Tarî passed along the request to Wikileaks, and Phineas was satisfied.

But then, the situation in Turkey changed.

In July 2016, Turkish soldiers suddenly began blocking access to the presidential palace. Turkish citizens noticed an increase in military patrols and flybys from the country’s air force.

The people of Turkey knew what was happening. The country had endured six military coups since 1960. And they weren’t about to take the seventh lying down.

Thousands of Turkish civilians took to the streets and resisted the coup. With the help of loyalist soldiers, they stopped what would have been their country’s seventh coup.

Wikileaks and its founder Julian Assange saw an opportunity. The coup attempt brought international attention to Turkey. Wikileaks was sitting on nearly 300,000 emails from the Turkish regime. Who cares if they didn’t have time to examine those emails before publishing them? Wikileaks needed all the support it could get, and this was a potential scoop.

So, against Phineas’ wishes, Wikileaks began publishing the emails—before Phineas was even finished downloading them.

Dubbed “the Erdogan Emails,” the publication…didn’t make an impression.

As analysts and activists began combing through them, they realized that there was nothing newsworthy. Most of the emails were the mundane, day-to-day business of running a country. Filling potholes and finding lost pets. A large chunk of the emails weren’t even government related. They were just downloaded from Google Groups. 

If anything, the emails were more damaging than they were helpful. Wikileaks inadvertently published the voter registration information for all of the AK Party’s female voters in 79 of Turkey’s 81 provinces. More than 20 million women’s addresses and cell phone numbers were now live on the Internet—in a country where hundreds of women are murdered each year by ex-boyfriends and husbands.

Sure, Wikileaks had published them. But Phineas also held responsibility. Innocent people were being harmed.

And not just in Turkey.

In January 2017, Spanish police arrested three computer engineers they thought were responsible for the Mossos d’Esquadra hacks. Two were a couple who owned a proxy server Phineas commandeered for the hack. The other was a Phineas Fisher sympathizer. They would later arrest a fourth computer engineer. But none of them had anything to do with the Spanish police hacks. Now, four more innocent people were in trouble—all because of Phineas.

Around this time, Phineas began losing their will to fight.

In early February, Phineas gave another interview to Vice magazine—this time without the dinosaur puppet. In it, they announced they’d be taking a break from hacking.

It's not so healthy, Phineas said. You have a double life you have to hide from everyone around you. That causes depression and stress.

But Phineas emphasized that their cause wasn’t dead. They hoped that other hacktivists would be inspired by their “Hack Back” manifestos, and would continue the fight.

Two years went by, with no word from Phineas.

Then, in 2019, journalist Joseph Menn published a book about the history of the Cult of the Dead Cow. In it, he argued that Phineas Fisher was actually an intelligence operative—working for Russia.

All of Phineas’s attacks fit a pattern, Menn argued.

Since 2015, Russia and Turkey had an adversarial relationship. The hack on the AKP could be seen as an attempt to weaken President Erdogan.

Then there was Spain. Russia has a long track record of interfering in western democracies. Spain has repeatedly accused Russia of spreading misinformation in Catalonia in order to destabilize the region. Could the attack on the Mossos d’Esquadra have a similar motivation?

But what about the Gamma Group and Hacking Team hacks? According to Menn, both companies primarily sold their software to western governments and law enforcement agencies—but not countries like Russia, China, and North Korea. By hacking these companies, Russia was taking a powerful weapon away from the west.

Above all, Phineas Fisher’s attacks fit a pattern. In recent years, Russia had been caught repeatedly hacking into rival countries, using military hackers who posed as hacktivists. The Mossos d’Esquadra and AKP hacks occurred around the same time as the hacks by Guccifer 2.0, a hacker who stole the DNC emails and who was later found to be a Russian asset.

But Phineas Fisher strongly denied it. In another interview with Vice, Phineas said, Promoting a narrative (with no evidence at all) that I was acting for Russian interests and not public interest, is irresponsible and dangerous for me. If I ever get arrested it'll be pretty obvious I'm not working for Russian government.

But the incident seemed to awaken something in Phineas. Maybe they weren’t quite done after all.

ACT FOUR 

In November 2019, Phineas Fisher did what they do best: they published another manifesto. This one was titled Hack Back: a guide to robbing banks.

I hacked into a bank, Phineas wrote. I didn't do anything complicated. I only saw the injustice in this world, I felt love for all beings, and I expressed that love in the best way I could, through the tools that I know how to use. I am not moved by hatred of banks, nor of the rich, but a love for life, and the desire for a world where everyone can realize their potential and live a full life.

As the manifesto continued, Phineas railed against capitalism and economic inequality, then detailed exactly what they’d done. They’d hacked into the Cayman Island National Bank and Trust’s branch office in the Isle of Man.

Phineas claimed to have stolen thousands of dollars from the bank, as well as two terabytes worth of customers’ private information. The bank would later confirm that the data had been stolen, but not the money.

But this manifesto had a third component: Phineas Fisher offered a $100,000 bounty to other hacktivists who could make a similar score. They suggested they might hack mining and livestock companies in South America, the oil company Halliburton, or the Israeli spyware vendor NSO Group.

Once again, it’s unknown if anyone took Phineas up on their offer. So far, Phineas Fisher hasn’t ignited the revolution they wanted, but they’ve accomplished nearly everything they set out to do.

Gamma Group dissolved its FinFisher group in 2014, shortly after the hacks. The program continued to be sold by various German companies until March 2022, when FinFisher finally declared bankruptcy.

Similarly, the publication of Hacking Team’s source code proved to be devastating for David Vincenzetti’s company. In 2020, he told Vice that Hacking Team was officially “dead.”

So far, the legal investigations into Phineas Fisher’s identity have gone nowhere. In 2018, an Italian court ruled that Phineas Fisher’s identity couldn’t be proven, and dropped the investigation into them.

In Spain, the case against the four computer engineers dragged on for years. They’ve never been charged with a crime, but the ordeal has completely disrupted their lives.

Some continue to believe that Phineas Fisher is a Russian asset. However, a source within the US intelligence community told Vice that it believes Phineas Fisher is who they say they are: a hacktivist who wants to fight injustice around the world.

Is Phineas Fisher a hacktivist? Are they a Russian spy? Could they have another nationality, like Spanish, Italian, or American? Are they one person, or are they several people? We don’t know, because so far Phineas Fisher hasn’t made a mistake.

Most likely Phineas Fisher is still out there. So if you’re an oppressive government, a corrupt company, or a brutal law enforcement agency, watch out.  

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners and the best way to support the show is to share it. And another way to support us is on Patreon. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka The Guy who Calls his Johnson “Little Phineas”. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!