FinSpy / FinFisher
Gamma Group / FinFisher GmbH · UK / Germany
Confidence 4/5
Technical capabilities
FinSpy is the flagship FinFisher product: a remote intrusion suite for Windows, macOS, and mobile platforms (Android, iOS). Per Citizen Lab and Privacy International documentation, FinSpy provides full device control including:
- Recording every keystroke (keylogging).
- Voice call interception and recording.
- SMS, email, calendar, instant messaging, and contacts list extraction.
- Browser history extraction.
- Photo, database, document, and video exfiltration.
- Live audio recording from device microphone.
- Live video recording from device camera.
2014 Phineas Fisher leak: a hacktivist published 40 GB of data including Gamma Group customer lists, prices, source code samples, and internal documentation.
Documented victims and deployments
- Bahrain (2011-2012): laptops of Bahraini dissidents Saeed Shehabi and Moosa Mohammed infected with FinSpy. UK Court of Appeal ruled October 2024 that they may proceed with their UK lawsuit against the Kingdom of Bahrain.
- Egypt (2011): Egyptian State Security documents recovered after the Arab Spring revealed Egyptian government acquisition of FinFisher.
- Citizen Lab 2014 study identified FinFisher use by 25 governments, expanded to 36 countries in 2015 follow-up.
- 2017: ESET research showed Internet Service Providers infecting customers with FinFisher interception tools.
- BlackOasis APT campaign documented by Kaspersky used FinSpy in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, UK, and Angola.
Customer states
Per The Record (Recorded Future News), FinSpy was sold to the governments of Egypt, Bahrain, Bangladesh, Ethiopia, Oman, Saudi Arabia, Venezuela, Turkey, and Syria. The Turkey sale was conducted without authorization from the German Federal Office of Economics and Export Control (BAFA), which formed the basis of subsequent criminal prosecution.
Legal and sanctions status
- March 2022: FinFisher GmbH and FinFisher Labs GmbH filed for insolvency, ceasing business operations after Munich Public Prosecutor seized accounts.
- May 2023: Munich Public Prosecutor filed charges against four former CEOs for intentionally violating EU dual-use export licensing requirements.
- October 2024: UK Court of Appeal dismissed the Kingdom of Bahrain’s appeal and upheld a High Court ruling that Bahrain is not afforded sovereign immunity under the State Immunity Act 1978.
- Joint OECD complaints filed in 2013 by RSF, ECCHR, Privacy International, Bahrain Center for Human Rights, and Bahrain Watch.
- UK OECD National Contact Point ruling (February 2015): Gamma International infringed on its human rights obligations.
Technical countermeasures
- Modern operating systems have rendered most older FinSpy variants ineffective.
- Updated antivirus and EDR products detect FinSpy signatures since the 2014 leak.
- For high-risk individuals: review historical device usage 2010-2022 if you suspect targeting. Forensic preservation may still yield evidence of historical infection.
- Although FinFisher GmbH is insolvent, code and capabilities may have been transferred. Treat the spyware family as historically documented but not necessarily fully retired.
Sources
- Citizen Lab, From Bahrain With Love: FinFisher Spy Kit Exposed (July 2012)
- The Record, FinFisher declares insolvency (May 2022)
- RSF, Charges brought against former FinFisher group CEOs (May 2023)
- Leigh Day, UK Court of Appeal Bahrain sovereign immunity ruling (October 2024)
- ECCHR, Surveillance software Germany Turkey FinFisher case
Update log
February 14, 2026: Entry created. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
