Above Photo: From Unicornriot.ninja
Isle of Man, UK – A blast of sunshine has hit a secretive banking network used by global ultra-wealthy figures following a massive hack by “Phineas Fisher“, a notorious self-described “hacktivist”, of Cayman National Bank and Trust, which serves nearly 1,500 accounts in Isle of Man. Transparency collective Distributed Denial of Secrets has began publishing copies of the bank’s servers, a cache of documents as well as communications among bankers and others. Journalists around the world are investigating and have begun releasing stories.
Following the hack, a manifesto was uploaded to the Internet addressing the motivation for hacking financial services companies. Unicorn Riot has embedded the manifesto below which includes previously unpublished code which the author claims was used to break into “Hacking Team” an Italian surveillance company. Hacking Team was an elite corporation that specialized in developing malware until Phineas Fisher hacked them and published their code online. The malware developed by Hacking Team was often used to attack journalists and activists on behalf of repressive governments .
Unicorn Riot has obtained the small HackBack announcement text released exclusively in Spanish, described as “Desde las montañas del Sureste Cibernético” (‘From the mountains of the Cyber Southeast’). It bills itself as a “HackBack” DIY guide for “Una guía DIY para robar bancos” (‘A DIY guide for robbing banks.’) The announcement begins with a tongue-in-cheek dedication to “Subcowmandante Marcos” with an ASCII text-styled pipe-smoking cow referring to former Zapatista spokesperson Subcomandante Marcos.
Also included in the announcement were introductions to common information security tools such as Metasploit and observations about previous major bank hacks, suspicious activities on SWIFT (an international financial network), and art such as a skeleton saying “Be Gay, Do Crimes” in Spanish.
The manifesto also includes a political analysis on how financial institutions serve as key enforcers for the global class structure. Among the poetic interludes are statements like “Privacidad para los débiles, transparencia para los poderosos” (‘Privacy for the weak, transparency for the powerful’.) The message also includes an Easter egg: a large block of computer text shaped like a star that when executed returns a Zapatista text, the Sixth Declaration from the Lacandon Jungle.
Who is “Phineas Fisher”?
A self-described libertarian socialist “Phineas Fisher” lays claim to the hack. (Editorial note: all places in the world except parts of the U.S. use “libertarian socialism” interchangeably with anarchism.) The nickname “Phineas Fisher” (sometimes “Phineas Phisher”, “Hack Back” or “Gamma Group PR”) became public following a hack to Gamma Group, a corporation that developed the malicious “FinFisher” software that has been used to target civil society and journalists by governments around the world.
Phineas Fisher’s first public hack was against Gamma Group before moving on to exposing Hacking Team. In 2016, Fisher gave an interview using a puppet and voice actor reading chat messages. In 2018, Fisher discussed with Crimethinc the strategy behind fighting surveillance corporations.
The HackBack document also cites fellow hacker Jeremy Hammond’s work as an inspiration. Hammond previously pleaded guilty to hacking Stratfor and exposing the corporation’s work to gather intelligence on activist and civil society groups. Unicorn Riot has reported Hammond is being held under detention as a coercive tactic to compel his testimony to a grand jury in the Eastern District of Virginia which is believed to be investigating Wikileaks.
Unicorn Riot has also been told the mid-November date of this release is in reference to Tupac Katari, a key figure in Andean South American Indigenous history who led a siege of La Paz (currently the capital of Bolivia) and was executed by Spanish colonial forces on November 15, 1781. (Bolivia’s first satellite is also named after Katari.)
Fisher has previously released other documents that explain the motives and methods around “hacktivism”-style campaigns in Spanish and English, as well as a video showing step-by-step how to take advantage of certain vulnerabilities and break into a Spanish police network.
What is Cayman National Bank and Trust Offshore Bank?
Cayman National has a branch on the Isle of Man, a small British island dominion between England and Northern Ireland which specializes in offshore banking, a section of the global financial services industry which assists customers, often ultra-wealthy, to move and invest large sums of money with anonymity while avoiding tax liability.
Today’s leak is similar to an earlier offshore banking leak dubbed “the Panama Papers“. In 2016, Unicorn Riot covered how Mossack Fonseca, the law firm at the center of that leak, had certain misconfigurations on their client web portal.
The transparency collective Distributed Denial of Secrets (DDoS) obtained the cache in two tranches of roughly a terabyte each, for a total of about 2.21 Terabytes. DDoS has begun publishing the release, which it calls Sherwood, soon to be available through “Hunter”, a new modern document cache search engine that facilitates research by indexing emails, databases and other items. (Update: Hunter is not yet available. A torrent file has been released here and mirrored by archive.org, with more info at Pastebin.)
From the entire data set, an analysis of the locations of over 1,400 client accounts was released to Unicorn Riot including 780 from Isle of Man, 272 from Cyprus, 153 from the UK, 107 from the Cayman Islands, 51 from the British Virgin Islands, 12 from the Seychelles, 11 from the United States, 7 from Belize, 7 from Ireland, and a small number from other jurisdictions involved in offshore banking including Gibraltar, Jersey, Saint Kitts and Nevis, Barbados, Guernsey, Malta, and Mauritius.
The XLS spreadsheet file, on its additional tabs, also includes detailed financial information about more than 3800 companies, trusts and individual accounts managed by Cayman National for clients around the world, including account balances.
A July 2016 index of 22 “politically exposed persons” (PEPs) was provided to Unicorn Riot, which includes some prominent business-people involved in controversies and their families. According to the France-based Financial Action Task Force, a PEP is an “individual who is or has been entrusted with a prominent public function. […] [M]any PEPs are in positions that potentially can be abused,” including higher risks for money laundering, corruption, terrorism financing and bribery.
The former head of a Russian bank, Andrey Borodin and his wife and mother are among those listed. Borodin has been granted asylum in the UK.
Ariel “Ari” Emanuel, a high-profile entertainment agent in Hollywood and sibling of former Chicago Mayor Rahm Emanuel is also among the PEP roster, under the “linked entity” of Progressive Games Partners LLC.
Journalists at media organizations around the world have been investigating the data in this leak, and a publishing embargo has been lifted on November 16 around 10pm Eastern. Similar to the disclosure of the Panama Papers, the exposure of corporate entities designed to conceal ownership and avoid tax burdens may cause political fallout in multiple countries.