Renowned hacker and WikiLeaks source Phineas Fisher says organization misled people about their files

Three days before the first batch of DNC emails were unveiled in 2016, WikiLeaks released hundreds of thousands of emails in what has alternately been called the AKP Emails and the Erdogan Emails. The release of the AKP party’s emails prompted criticism for both the low quality of the emails and WikiLeaks’ choice to publish them without the source’s permission, a decision which led to the publication of an unredacted copy of the complete cache. A previously unreleased PGP signed statement from the hacker behind the release – known as Phineas Fisher – sheds new light on what happened and accuses WikiLeaks of misrepresenting the emails’ contents to the public and ignoring their direct request to not release the files.

The release was not the first time WikiLeaks had used files hacked and leaked by Phineas Fisher. In 2014, the organization took the FinFisher/Gamma Group archive which the hacker had released and repackaged it into Spy Files 4. In 2015, WikiLeaks posted a searchable version of the Hacking Team emails, which also drew from files previously released by the hacker. The 2016 release of the AKP Emails was the first and only time WikiLeaks published previously unreleased materials from Phineas Fisher.

When WikiLeaks announced the emails, Phineas Fisher was still in the AKP networks, exfiltrating files while working with locals in Rojava to analyze them. In a moment of misunderstanding, one of the locals sent a copy to WikiLeaks, instructing them not to publish them yet. According to Phineas Fisher, WikiLeaks was eager to capitalize on the attempted coup and decided to move forward with publication. In a message released at the time, the hacker said that “to be fair to WikiLeaks, they didn’t know I was still in AKP’s network downloading files at the time they announced they were publishing, but they did know that the source who had given them the file had asked them to wait.”

As a result of WikiLeaks’ announcement, AKP shut down their internal networks, locking Phineas Fisher out of the system. In response, the hacker released the full cache, along with a very brief statement. This set of files quickly spread, leading to the discovery of voter information and other PII within the files. In addition to the criticisms over the PII, which soon combined with criticisms over PII in the Saudi Cables and DNC emails, WikiLeaks faced critical reactions over the low quality of the emails. While WikiLeaks was unaware of the voter information, the emails were reportedly different story. According to the new statement claims that WikiLeaks “knew it was all spam and crap.”

Phineas Fisher was also aware of this, and saw it as motivation to look for more data. “Then the 2016 coup attempt happened, and WikiLeaks decided to leak the worthless emails, I assume wanting to take advantage of the international news around the coup to get publicity for themselves.” According to the hacker, locals in the region, the individual who sent the emails to WikiLeaks and even Phineas Fisher themself asked WikiLeaks not to publish them. The organization apparently ignored the requests, a decision which the hacker says was motivated by a desire to score easy publicity points.

In their tweets, WikiLeaks described the pending release as “100k+ docs on Turkey’s political power structure.” According to Phineas Fisher, even as they made it, the organization knew its promise wouldn’t hold up. In their new statement, the hacker says that “[WikiLeaks said] they’d had a Turkish person read through the emails and they knew it was all spam and crap. But still, I guess they figured even if Turkish journalists realised the leak was a joke, international people wouldn’t know better and they’d get their fame for leaking “Erdogan Emails” or whatever.”

The hacker’s statement goes on to criticize the reaction to the voter data, which they say ignored the prior release of the same information in an unrelated breach. It also accuses several journalists of hyperbolic reactions.

The statement is signed with a PGP key known to belong to the hacker. The public key was included in their widely covered DIY Hack Back Guide, which was released onto pastebin through an announcement on their public Twitter account. The PGP key used to sign the statement and the account used to send it are two of the primary methods used by Phineas Fisher to establish their identity.

A copy of the unedited statement can be found below. The PGP signed copy of the statement can be downloaded here (backup). A copy of the public key can be found in the pastebin link above. The 30+ GB mentioned in the statement can be downloaded here.

I thought I should clarify what happened with my hack & leak of AKP (the party of Erdogan, Turkey’s dictator), because it was a total shitshow and didn’t accomplish anything, but the public narrative of what happened is not correct.

My initial motivation was that I support the social revolution in Rojava, and the main threat to their existence is probably Turkey, which supported ISIS in their attacks on Rojava, and is currently occupying Afrin, one of Rojava’s three cantons. I got into AKP’s internal network and first downloaded everything from their mail server. I was in contact with people in Rojava, and one of them without my knowledge sent the emails to wikileaks, although they told wikileaks not to publish it yet. Within 30 minutes of reading emails with google translate, I could tell they didn’t use their email accounts for anything interesting, so I was trying to get access to other servers in their network and find the interesting stuff. Then the 2016 coup attempt happened, and wikileaks decided to leak the worthless emails, I assume wanting to take advantage of the international news around the coup to get publicity for themselves. I contacted wikileaks asking them not to publish, others in Rojava contacted wikileaks asking them not to publish, and the person that sent the file to wikileaks asked them not to publish. Wikileaks even told me they’d had a turkish person read through the emails and they knew it was all spam and crap. But still, I guess they figured even if turkish journalists realised the leak was a joke, international people wouldn’t know better and they’d get their fame for leaking “Erdogan Emails” or whatever. After wikileaks published, AKP shut down their internal network and I lost access.

Within the files I’d managed to download there was 30+ GB of scanned invoices and stuff, so I figured there’s probably evidence of corruption in there somewhere, and I’d lost access so I might as well leak what I have. Even though I hadn’t had time to go through and see what was in the files, I figured I should leak it right away, as at this point the coup had already been defeated and Erdogan was engaged in full on post-coup crackdown and repression. So it seemed like leaking data taken from AKP’s server would have the potential to help people. Since I’m not a fancy bear, just a normal person that doesn’t understand Turkish, I didn’t know much about the contents of the files and didn’t realise it had AKP’s voter database. There’s no point in leaking phone book style data on millions of turks, but several people made hyperbolic claims about the dangers for their own purposes, with Menn calling it an attack on “millions of women in a patriarchal society… just as they became uniquely at risk if exposed”, and Zeynep calling it “mass and indiscriminate dumping of ordinary people’s info just as tanks and F16s are gunning for them. *slow clap*”. Which is a little ridiculous, as again the coup had already been decisively defeated, AKP were the ones in power attacking people, and AKP obviously already had the info leaked as it was taken from their own servers.

Also it didn’t even contain any new personal info, as the turkish voter
database had already been leaked months earlier:

Disclaimer: As discussed elsewhere, I was involved in some of the events above, as WikiLeaks referred to my copy of the full set of AKP files after their release of the first batch of emails.