The Bulgarian server with the spyware virus Fin Fisher, detected two years ago in the Ministry of Public Administration, has an IP address belonging to DANS. This emerged from the new data published by the Canadian laboratory Citizen Lab.

The IP address of the server is and leads directly to the National Security Agency, which can be verified by anyone with basic networking skills.


13 ( 84.500 ms 125.515 ms 161.725 ms

14 ( 182.679 ms 198.671 ms 203.243 ms

Fin Fisher and Fin Spy are aggressive spyware programs that penetrate the victim’s computer and sent to agents all data that interests them, and can even track the objects of the spying through their webcam and record voice through the microphone.

The spyware server in Bulgaria was brought to light in early May 2013. Then Citizen Lab announced that a control server FinSpy, using the IP address of the former Ministry of Public Administration, has been discovered in Bulgaria. On June 15, Minister Papazov ordered an investigation, but so far it failed to produce any result. He acknowledged that “the damage can be enormous, but experts say to us that it is not possible to have such a program mounted on our computer”. If “the damage can be enormous”, it is not clear why the prosecution failed to launch a probe as well. The very existence of such a server suggests computer crimes. Unless otherwise authorized for the purposes of law enforcement, intentionally infecting someone’s computer with a virus is punishable under Article 319 of the Penal Code.

In September 2013, Bivol, in partnership with Wikileaks, published a strategic partnership agreement between Dreamlab and Gamma International from April 2011, with which the two companies allocate among themselves the markets for the sale and installation of spyware. The document reveals that Bulgaria is an exclusive market for the Swiss company Dreamlab, which specializes in network solutions for traffic monitoring and aggressively infects computers of individuals and organizations. Gamma is the publisher of spyware FinSpy.

Upon request under the Access to Public Information Act (APIA) to the Ministry of Transport, it became clear that there is no result of the probe ordered by Minister Papazov.

The current disclosure shows that the “State hackers” in DANS did not even bother to hide the IP address of the server that they “concealed” a while ago in the in the now-closed Ministry of Public Administration.

It emerged recently that there was an alleged mass spying of anti-government protesters in Bulgaria during the term of the previous cabinet and the operation had the codename “Worms”. It is entirely possible that precisely this program was used for the mass snooping on protesters. Indeed, the scale of the operation, as some media reported that it involved as many as over 2,000 people, is such that it cannot be done without the help of a complex system for monitoring Internet data, which DANS obviously has at its disposal.



Радваме се, че стигнахте дотук. Ако намирате, че статията е интересна и полезна, можете да ни подкрепите, за да продължим да правим независима разследваща журналистика.

Платете Данъкъ Биволъ!

Можете да се включите с PayPal, банкова карта (Visa или Master Card),, в брой през EasyPay, през банкомат с B-Pay или с банков трансфер. Приемаме и криптовалутен данъкъ в биткойн или друга криптовалута.

This post is also available in: Bulgarian