Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil CompaniesNovember 17, 2019
An infamous vigilante hacker known for their hits on surveillance companies is launching a new kind of bug bounty to reward hacktivists who do public interest hacks and leaks.
The hacker, known as Phineas Fisher, published a new manifesto on Friday, offering to pay hackers up to $100,000 in what they called the ‘Hacktivist Bug Hunting Program.” The idea is to pay other hackers who carry out politically motivated hacks against companies that could lead to the disclosure of documents in the public interest. The hacker said he will pay in cryptocurrency, such as Bitcoin or Monero. As an example of targets, the hacker mentioned mining and livestock companies in South America, Israeli spyware vendor NSO Group, and oil company Halliburton.
“Hacking to obtain and leak documents with public interest is one of the best ways for hackers to use their abilities to benefit society,” Phineas Fisher wrote in the manifesto. “I’m not trying to make anyone rich. I’m just trying to provide enough funds so that hackers can make a decent living doing a good job.”
To be clear, this is basically a bug bounty that incentivizes criminal activity. Most bug bounty programs are run by companies to encourage security researchers to find bugs in their software that they can then patch to make their services safer. Other bug bounty programs are run by third-party companies like Zerodium, which pay hackers for bugs in software like iOS, Android, or Chrome that can then be re-sold to governments.
Phineas Fisher is one of the most influential and well-known hacktivists since the days of Anonymous and LulzSec. In 2014, the hacker stole internal data from the British-German surveillance vendor Gamma Group, which makes the controversial spyware FinFisher. A year later, Phineas Fisher came back and broke into the servers of Hacking Team, an Italian company that made hacking and surveillance software for police and intelligence agencies around the world, exposing all the company’s secrets. Then, the hacktivist hit a Spanish police union and Turkey’s ruling party in 2016. Their identity has never been made public—even after an extensive investigation into the Hacking Team hack, Italian authorities admitted they have no idea who PhineasPhisher is.
After those hacks, Phineas Fisher published manifestos on how they carried them out in an attempt to inspire other hackers to launch politically motivated attacks. Then, they announced they were taking a break to deal with stress, and did not resurface online until this year.
Their motivation appears to have not changed in the last few years: hack for good, and inspire others to follow their example.
“I think hacking is a powerful tool, and hacktivism has only been used to a fraction of its potential,” Phineas Fisher told Motherboard. “And a little investment can help to develop that, the golden years [of hacktivism] are yet to come.”
In their new manifesto, Phineas Fisher also claimed to have hacked an offshore bank and called on other hacktivists to join in the fight against inequality and capitalism. The hacker said that in 2016 they hacked the Cayman Bank and Trust Company from the Isle of Man, an island between the UK and Northern Island. The hacker said they were able to steal money, documents, and emails from the bank. They declined to reveal how much money they stole, but said it was “a few hundred thousand” dollars.
“I robbed a bank and gave the money away,” Phineas Fisher wrote in the manifesto. “Computer hacking is a powerful tool to fight economic inequality.”
The hacker shared the stolen documents and emails from the bank to the leaking website Distributed Denial of Secrets, run by journalist and activist Emma Best, who said she uploaded 640,000 emails, in what is “the most detailed look at international banking that the public will have ever had access to.”
Arguing why it was justified to leak the bank’s internal emails, Phineas Fisher wrote that “privacy for the powerful is not the same, when it allows them to evade the limits of a system itself designed to give them privileges; and privacy for the weak, which protects them from a system conceived to exploit them.”
The Cayman Bank and Trust Company, did not immediately respond to a request for comment.
The hack against the bank in the Isle of Man is the fifth data breach that Phineas Fisher has publicly claimed as their own. Much like they did for their previous hacks, the hacker wrote a detailed how-to on how they broke in to teach others how to carry out similar attacks, and show that it’s possible to use hacking techniques to rob banks.
“In the digital era, robbing a bank is a non-violent act, less risky, and the reward is higher than ever,” they wrote. “None of the financial hacks I’ve done, or that I’ve known of, has been reported. This is going to be the first, and not because the bank wanted, but because I decided to publish it.”
Phineas Fisher said that they already gave away all the money they stole from the Isle of Man bank, but that they have more money from recent, undisclosed hacks to pay the bug bounty. The hacker also explained that they got into The Cayman Bank and Trust Company using the same exploit they used against Hacking Team: targeting a vulnerable virtual private network and firewall appliance. After breaking into the spyware vendor, Phineas Fisher said they scanned the internet for other vulnerable VPNs and found several banks that were using it. The name of the bank, Cayman, caught their attention, according to the manifesto.
That was enough to make an example out of it.
“The global financial elite are oppressors, not victims [...] Hacking that elite and returning the tiniest fraction of the wealth that they've stolen doesn't make them victims,” Phineas Fisher told me. “It is cybercrime. It's also activism. It's motivated by a desire for social change, I'm not personally profiting or benefiting from it.”
Have a tip about a hack or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Subscribe to our new cybersecurity podcast, CYBER .