Phineas Fisher

Overview

Phineas Fisher is the pseudonym of an unidentified hacktivist and anarchist whose identity remains unknown. Also known as Phineas Phisher and Subcowmandante Marcos, Fisher has conducted a series of high-profile intrusions against surveillance companies, law enforcement bodies, and political organizations since at least 2014. Each operation has typically been accompanied by a public communique — styled as a zine — containing technical documentation, ASCII art, poetry, and anarchist and leftist political content.

The alias "Phineas Fisher" is a deliberate play on the name of the FinFisher malware developed by Gamma International, one of Fisher's earliest targets. The secondary alias "Subcowmandante Marcos" references Subcomandante Marcos, the former spokesperson of the Zapatista Army of National Liberation, a movement Fisher has cited approvingly in communiques.

Notable Hacks

Gamma International (2014)

In 2014, Fisher breached Gamma International, the company behind the FinFisher surveillance malware, releasing a 40-gigabyte dump that included client lists, price lists, source code, effectiveness assessments of the malware, and user documentation. Months after the breach, Fisher published the first installment of the HackBack! series — subtitled DIY Guide for those without the patience to wait for whistleblowers — claiming responsibility and providing step-by-step instructions intended to enable others to conduct similar attacks. WikiLeaks subsequently republished the material as part of its SpyFiles 4 release.

Hacking Team (2015)

In 2015, Fisher claimed responsibility for breaching Hacking Team, an Italian company that sold offensive intrusion software to governments. According to Fisher's communique, which was released in Spanish, access was gained through a zero-day exploit in a SonicWall SSL-VPN embedded network device. SonicWall patched the vulnerability before it was publicly disclosed by security researcher Darren "Pwnsauce" Martyn, a former LulzSec member. WikiLeaks republished the Hacking Team emails following the release.

Sindicat De Mossos d'Esquadra (2016)

On May 15, 2016, Fisher breached the Sindicat De Mossos d'Esquadra (SME), the union of the Catalonian police force, leaking personal data — including names, addresses, bank account details, and telephone numbers — for more than five thousand officers. Fisher uploaded a thirty-nine-minute video to YouTube documenting the attack, which involved open-source reconnaissance tools and an SQL injection. Fisher cited the Catalan documentary Ciutat Morta, which examined a police brutality case known as the 4F case, as motivation for the attack. In early January 2017, Spanish authorities arrested at least four individuals in connection with the breach, though Fisher claimed via email to be free at the time.

AKP Hack (2016)

Also in 2016, Fisher claimed responsibility for breaching networks belonging to Turkey's ruling Justice and Development Party (AKP), stealing hundreds of thousands of emails and files. Fisher stated the action was carried out in solidarity with the Kurdish movement in Rojava and Bakur. The files, known as the AKP Emails, were archived by WikiLeaks, though Fisher publicly objected to their publication, alleging it exposed operational and personal details and that WikiLeaks had dismissed the material as "spam and crap."

Cayman National Bank and Trust (2019)

In November 2019, DDoSecrets published more than two terabytes of data from the Cayman National Bank and Trust — dubbed the Sherwood files — provided by Fisher. The files included lists of politically exposed clients and were subsequently used in studies of offshore banking by elites. The leak prompted at least one government investigation.

Hacktivist Bug Bounty Program

In the communique accompanying the Cayman National Bank hack, Fisher announced the "Hacktivist Bug Hunting Program," offering payments of up to US$100,000 in Bitcoin or Monero to hackers who carried out acts of hacktivism resulting in public document disclosures. Fisher described the program as a means for skilled hackers to earn a living by exposing material of public interest rather than working for the cybersecurity or cybercrime industries. Suggested targets included extraction industries in Latin America, private military contractors, and operators of private prisons. In 2020, Fisher claimed to have paid US$10,000 to an anonymous hacker responsible for MilicoLeaks, a cache of over two gigabytes of emails and documents from Chilean military personnel, which was confirmed as authentic by the Chilean military.

Identity and Political Orientation

Fisher's identity remains unknown. Tech journalist Joseph Menn, in his book Cult of the Dead Cow, accused Fisher of being a Russian agent, a claim Fisher strongly denied. A US government source cited by Vice Motherboard characterized Fisher as a genuine hacktivist. An Italian judge described Fisher's motives as "certainly political and ideological." Fisher has self-identified as an anarchist-revolutionary and has given interviews to CrimethInc, an anarchist media collective.