FinSpy / FinFisher

FinSpy, also marketed as FinFisher, is a commercial surveillance suite developed by the Munich-based vendor FinFisher GmbH, which filed for insolvency in 2022 following a German criminal investigation. FinSpy targets Windows, macOS, Linux, iOS, and Android, and has been documented in deployments across more than 30 countries since 2011, including Bahrain, Ethiopia, Uganda, Egypt, and Turkey. The August 2020 Amnesty International report mapped infrastructure indicators across multiple deployments.

What it means in practice

FinSpy is delivered through phishing emails, malicious websites, USB infection, and operator-installed deployment by physical access. The infection chain on each platform installs a backdoor that exfiltrates keystrokes, microphone audio, camera video, files, and credentials. The product has been continuously updated since the early 2010s, with major architectural changes including a 2017 rewrite of the iOS module. The insolvency of FinFisher GmbH in 2022 has not removed deployed infections from victim devices.

Specific things to know

FinFisher’s customer list, partially exposed through leaked documents and forensic infrastructure analysis, includes governments documented as having human rights concerns. The German criminal investigation that triggered the 2022 insolvency centred on alleged export control violations: the company is accused of selling FinSpy to Turkey without proper export licences. The insolvency proceedings closed FinFisher GmbH, but the underlying IP and engineering team have been linked to subsequent ventures in Germany and the Middle East.

Change today

Keep operating systems and applications updated. Use endpoint detection and response on Windows and macOS workstations that handle sensitive material. For mobile devices, treat any unexpected configuration prompt, profile installation request, or unknown app appearance as a potential compromise indicator. The FinSpy case demonstrates that bankruptcy does not erase the deployed footprint of a surveillance product, and that infections from 2018 through 2022 may still be active on devices that were never patched.

Related articles

See our coverage of the Amnesty FinSpy infrastructure mapping, German export control prosecution, and the historical record of European commercial surveillance vendors.