The Weakest Link is Motherboard's third annual theme week dedicated to the future of hacking and cybersecurity.
At 3:15 a.m. local Italian time on July 5, 2015, the usually quiet Twitter account of the infamous spyware company Hacking Team posted a confusing message: “Since we have nothing to hide, we’re publishing our emails, files, and source code.”
For the investigators, the hacker’s evasion techniques showed that they were part of “an organization that has scientifically and maniacally used techniques to evade identification.”
Phineas Fisher seemed amused, reacting to that description in an online chat with me: “lol what's that even mean, that I let out some sort of mad-scientist cackle every time I open up Tor Browser?”
A screenshot of Hacking Team’s Twitter account when Phineas Fisher was in control of it.
They also reveal that the initial entry point into the Hacking Team network, the proverbial broken window that let the robbers in, was an out-of-date firewall and virtual private network system. According to sources close to the company, that firewall was still up, even though the system administrators had already installed a newer one, because Vincenzetti refused to upgrade. (A leaked email confirms that the VPN was left up for “a couple of exceptions.”)
“Only one user was still using it, and that’s why it had not been turned off. […] Vincenzetti has the ultimate responsibility,” said a former Hacking Team employee, who was still at the company on the day of the hack and who spoke on condition of anonymity.
Another former employee said that the VPN and firewall were still up “literally because [Vincenzetti] couldn’t be bothered to install a software update.”
The first former employee also said that one of Hacking Team’s systems administrators was caught by Phineas Fisher playing video games such as World of Warcraft, and did not notice the hack for weeks.
“The system administrators deserve most of the blame,” the first former employee told me.
THE ATTACK
And given that Bitcoin is, by design, relatively easy to trace, they used funds stolen from other people to pay for the servers. That was the key step that allowed Phineas Fisher to remain at large, according to the court documents analyzed by Motherboard.
“I'm ready to go to jail if I have to, but I'd rather stay free and active. It's not surprising they don't catch me,” Phineas Fisher told me. “With some basic precautions it's possible to stay anonymous on the internet.”
Some of the bitcoins Phineas Fisher used, the documents reveal, came from scratch cards bought on the website Buybitcoins.com, a site that allowed people to buy physical scratch cards carrying a code that could then be redeemed on the site. The cryptocurrency was owned by an American citizen named Jon Davachi, who claimed to be innocent when reporters reached out to him after his name was published in the Italian press in December. Phineas Fisher told me that they stole Davachi’s bitcoins by hacking into the Buybitcoins website. The hacker’s account appears to be real given that they provided Motherboard with other non-public details that were contained in the court documents. The owner of Buybitcoins could not confirm whether his site had been hacked, but said that would explain how Phineas Fisher got the codes.
“I'm glad to hear they've stopped their pointless investigation.”
Former Hacking Team developer Alberto Pelliccione in his old office in Malta. Image: Lorenzo Franceschi-Bicchierai/Motherboard
