Our Criminal Complaint

German Made State Malware Company FinFisher Raided

The public prosecutor has searched multiple premises of the FinFisher company group in Munich and Romania. They are suspected of having exported state malware without the required authorization. The investigations follow a criminal complaint we filed together with other NGOs.

office building
FinFisher offices in Munich, Germany.

This is a translation of our original german reporting.

Law enforcement agencies have conducted a large-scale raid of the German state malware company group FinFisher last week. The customs authorities are investigating the suspicion „that software may have been exported without the required export license from the Federal Office of Economics and Export Control“.

The raids follow our criminal complaint, which we have written and submitted together with the Society for Freedom Rights, Reporters Without Borders and the European Center for Constitutional and Human Rights.

15 objects

A spokesperson of the responsible public prosecutor’s office in Munich comments:

In co-operation with the Customs Investigation Bureau and supported by further prosecution authorities the public prosecutor’s office Munich I searched 15 objects (business premises and private apartments) around Munich and an enterprise from the entrepreneurial group in Romania on 06.10.2020. The search lasted until the evening of 08.10.2020.

Investigations are still being conducted against managing directors and employees of FinFisher GmbH and at least two other companies on suspicion of violation of the Foreign Trade and Payments Act. The investigations were started in summer 2019 on the basis of criminal charges.

German public broadcasting first reported the raid.

3 days

FinFisher advertises its state malware as „complete IT intrusion portfolio“, both German federal police and Berlin police have purchased the powerful surveillance tool. Variants of the FinFisher suite have been found in dictatorships like Ethiopia and Bahrain, or more recently again in Egypt.

In summer 2017 a FinFisher sample was discovered in Turkey. The authors of the criminal complaint assume that FinFisher is developed and produced in Munich. If true, the group of companies needs an export license, which the German government has not issued. An export without a license would be a criminal offense.

FinFisher denies these accusations. In a statutory declaration, the CEO states in September 2019:

FinFisher Labs GmbH has developed the FinFisher software.

FinFisher GmbH has at no time sold or distributed the FinFisher software in Turkey. Against this background, FinFisher GmbH has at no time violated export regulations of the Federal Republic of Germany or the EU.

2 Countries

After our intial reporting on the criminal complaint, FinFisher took legal action with expensive lawyers and obtained a preliminary injunction against us, which was confirmed by the Berlin Regional Court. According to the court our accusations were not provable and our reporting was too one-sided and prejudicial. On the advice of our lawyer, we did not appeal the verdict any further.

The Customs Investigation Bureau and Public Prosecutors however take the accusations of criminal charges seriously enough to search 15 business premises and private apartments in Munich and Romania over a period of three days. If the investigators find enough evidence, they can bring the case to trial.

Until then the presumption of innocence applies. We have sent a number of questions to FinFisher GmbH and its partner companies for this reporting. FinFisher, as always, has not responded to our request for comments.

Eine Ergänzung

Wir freuen uns auf Deine Anmerkungen, Fragen, Korrekturen und inhaltlichen Ergänzungen zum Artikel. Unsere Regeln zur Veröffentlichung von Ergänzungen findest Du unter netzpolitik.org/kommentare. Deine E-Mail-Adresse wird nicht veröffentlicht.