Cyber Threat Actor: Phineas Fisher
| Actor Type | Location | Known Incidents |
Activist
|
United States of America
|
4 incidents |
|---|
Profile
Phineas Fisher is the primary alias used by a hacker or hacking collective whose known location is the United States of America. Public sources describe the actor as a politically motivated hacker or group, with no explicit statement tying the activity to a state sponsor or a formal criminal consortium. The alias has been used consistently across multiple public disclosures and communications, including manifestos and social‑media accounts attributed to the name Phineas Fisher. No additional aliases or organizational affiliations are mentioned in the provided material.
The actor’s targeting, as explicitly stated in the sources, focuses on law‑enforcement institutions, financial organizations, surveillance technology firms, and mobile‑forensics companies. Motives cited in manifestos and interviews include opposition to perceived criminal behavior by law‑enforcement activism, opposition to economic inequality, activism against surveillance capabilities used by repressive regimes, and a desire for social change rather than personal profit. The actor has framed actions such as stealing funds from a bank and giving the money away as a form of cyber‑driven activism, and has described hacking as a tool to fight economic inequality and to return wealth taken by elites.
Observed tactics, techniques and procedures include website defacement, compromise of web servers, hijacking of official Twitter accounts, and the release of tutorial videos intended to inspire other hacktivists. The actor has exfiltrated large volumes of data—such as roughly 900 GB from a Cellebrite server—including technical specifications, customer databases, legacy credentials and contact information, and has advised victims to reset passwords. In the Gamma Group/FinFisher incident, the actor exploited zero‑day vulnerabilities sourced from third‑party providers, deployed malware that evaded antivirus detection, and demonstrated the ability to bypass encryption tools such as TrueCrypt, BitLocker and Silent Circle. The actor also leaked internal technical material, pricing and customer lists to highlight the misuse of spyware by authoritarian governments and distributed stolen bank documents via the Distributed Denial of Secrets platform while publicly encouraging others to conduct similar politically motivated hacks.
Representative operations cited in the material include the 2016 breach of the Sindicat de Mossos d’Esquadra police union in Catalonia, where the website was defaced, personal officer data were leaked and a tutorial video was published; the 2016 intrusion into Cayman National Bank on the Isle of Man, in which funds and documents were taken and framed as activism against economic inequality; the 2016 compromise of an external Cellebrite web server that yielded extensive technical and customer data; the 2014 leak of Gamma Group’s FinFisher spyware materials that revealed zero‑day exploits and encryption‑bypass capabilities; and the earlier breach of the Italian surveillance firm Hacking Team, from which internal documents were released alongside ideological justification. Each of these incidents reflects the actor’s stated focus on exposing perceived abuses and encouraging activist hacking.
