“State Hackers” from Bulgarian National Security Agency Caught with Pants Down by Canadian Lab

The spyware server of the Ministry of Public Administration belonged to the State Agency for National Security (DANS)
Екип на Биволъ

The Bulgarian server with the spyware virus Fin Fisher, detected two years ago in the Ministry of Public Administration, has an IP address belonging to DANS. This emerged from the new data published by the Canadian laboratory Citizen Lab.

The IP address of the server is and leads directly to the National Security Agency, which can be verified by anyone with basic networking skills.


13 sp2mc-int.spnet.net ( 84.500 ms 125.515 ms 161.725 ms

14 mail.dans.bg ( 182.679 ms 198.671 ms 203.243 ms

Fin Fisher and Fin Spy are aggressive spyware programs that penetrate the victim’s computer and sent to agents all data that interests them, and can even track the objects of the spying through their webcam and record voice through the microphone.

The spyware server in Bulgaria was brought to light in early May 2013. Then Citizen Lab announced that a control server FinSpy, using the IP address of the former Ministry of Public Administration, has been discovered in Bulgaria. On June 15, Minister Papazov ordered an investigation, but so far it failed to produce any result. He acknowledged that “the damage can be enormous, but experts say to us that it is not possible to have such a program mounted on our computer”. If “the damage can be enormous”, it is not clear why the prosecution failed to launch a probe as well. The very existence of such a server suggests computer crimes. Unless otherwise authorized for the purposes of law enforcement, intentionally infecting someone’s computer with a virus is punishable under Article 319 of the Penal Code.

In September 2013, Bivol, in partnership with Wikileaks, published a strategic partnership agreement between Dreamlab and Gamma International from April 2011, with which the two companies allocate among themselves the markets for the sale and installation of spyware. The document reveals that Bulgaria is an exclusive market for the Swiss company Dreamlab, which specializes in network solutions for traffic monitoring and aggressively infects computers of individuals and organizations. Gamma is the publisher of spyware FinSpy.

Upon request under the Access to Public Information Act (APIA) to the Ministry of Transport, it became clear that there is no result of the probe ordered by Minister Papazov.

The current disclosure shows that the “State hackers” in DANS did not even bother to hide the IP address of the server that they “concealed” a while ago in the in the now-closed Ministry of Public Administration.

It emerged recently that there was an alleged mass spying of anti-government protesters in Bulgaria during the term of the previous cabinet and the operation had the codename “Worms”. It is entirely possible that precisely this program was used for the mass snooping on protesters. Indeed, the scale of the operation, as some media reported that it involved as many as over 2,000 people, is such that it cannot be done without the help of a complex system for monitoring Internet data, which DANS obviously has at its disposal.



If you find this article useful, support our work with a small donation.

Pay a Bivol Tax!

We will highly appreciate if you decide to support us with monthly donations keeping the option Make this donation monthly.

Select Payment Method
Personal Info

Credit Card Info
This is a secure SSL encrypted payment.

Donation Total: 5€

Извършвайки плащане Вие се съгласявате с Общите условия, които предварително сте прочели тук.

Биволъ не записва и не съхранява номера на Вашата банкова карта. Плащанията се обработват през системата Stripe. Даренията за Биволъ с банкови карти се управляват от френската неправителствена организация Data for Reporters Journalists and Investigations - DRJI.

This post is also available in: Bulgarian

Вижте също / Read Also