It was developed by the UK-based Gamma Group and later sold through its German affiliate FinFisher GmbH, which filed for insolvency in 2022.

How is FinFisher different from Pegasus?

Both are government-sold commercial spyware, but Pegasus is made by Israel's NSO Group and is best known for zero-click iPhone exploits, while FinFisher historically relied more on phishing, trojanized updates, and network injection across multiple operating systems.

Is selling FinFisher legal?

Sales to government clients are legal in principle but subject to dual-use export controls under the EU regime and the Wassenaar Arrangement; unlicensed exports, such as the alleged shipment to Turkey, can trigger criminal liability.

FinFisher | Model Diplomat

FinFisher (also marketed as FinSpy) is a suite of intrusion and remote monitoring tools developed initially by the UK-based Gamma Group and later by its German affiliate FinFisher GmbH. Its components can covertly infect Windows, macOS, Linux, Android, and iOS devices, granting operators access to files, communications, microphones, cameras, and location data. Infection vectors documented by researchers include spear-phishing, fake software updates, trojanized installers, and—on at least some occasions—network injection at the ISP level.

The product is sold exclusively to governments and law-enforcement agencies, but its deployment against journalists, activists, and dissidents has driven sustained controversy. Researchers at Citizen Lab (University of Toronto) published a series of reports beginning in 2012 mapping FinFisher command-and-control servers in dozens of countries and documenting use against, among others, Bahraini activists and Ethiopian opposition figures. A 2014 hack of Gamma International leaked roughly 40 GB of internal data, including customer lists, price sheets, and support tickets.

FinFisher became a focal point in debates over export controls on cyber-surveillance. In 2015 the EU added intrusion software to its dual-use export control regime following updates to the Wassenaar Arrangement (2013). Germany tightened licensing requirements after FinFisher's headquarters moved to Munich. In 2019 the German NGOs Reporters Without Borders, the European Center for Constitutional and Human Rights (ECCHR), Netzpolitik.org, and the Society for Civil Rights filed a criminal complaint alleging FinFisher exported FinSpy to Turkey without a license; Munich prosecutors raided the company's offices in October 2020. FinFisher GmbH filed for insolvency in 2022 and ceased operations.

The case is frequently cited alongside NSO Group's Pegasus and Hacking Team as evidence that the commercial spyware market poses systemic risks to human rights, and it informs ongoing policy work at the UN Human Rights Council, the EU PEGA Committee, and under the US Commerce Department's Entity List regime.

FinFisher

Frequently asked questions