At 3:15 a.m. local Italian time on July 5, 2015, the usually quiet Twitter account of the infamous spyware company Hacking Team posted a confusing message: “Since we have nothing to hide, we’re publishing our emails, files, and source code.”

The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here .

More than three years after Hacking Team got owned, we still don’t know who really was behind the keyboard. After inspiring a new generation of vigilante hackers , Phineas Phisher went into hiding and hasn’t done a public hack in more than two years. We now know, however, more about how they got into Hacking Team’s systems. Hacking Team’s founder and CEO, David Vincenzetti, did not want to update his software, which meant that Phineas Fisher was able to attack an outdated system. Keeping software up-to-date is considered by many security experts to be among the most basic tips to prevent a hack.

Phineas Fisher seemed amused, reacting to that description in an online chat with me: “lol what's that even mean, that I let out some sort of mad-scientist cackle every time I open up Tor Browser?”

For the investigators, the hacker’s evasion techniques showed that they were part of “an organization that has scientifically and maniacally used techniques to evade identification.”

CYBER is Motherboard’s new podcast about cybersecurity. Subscribe on Apple Podcasts or any podcast app.

In July of this year, an Italian judge ruled that the investigation into who hacked Hacking Team should be shut down, arguing that there are no more leads to follow.

And they got away with it.

A vigilante hacker who goes by the name Phineas Fisher, who was infamous for breaching Hacking Team’s main competitor FinFisher in 2014, claimed responsibility for the attack . Months later, Phineas Fisher revealed how they did it in a detailed step-by-step post-mortem.

The tweet included a link to a 400-gigabyte torrent file that contained all sorts of sensitive internal files: company emails, documents, contracts, spreadsheets, and spyware source code. Even at first sight, it was a devastating breach—and that was before journalists started digging into the cache, revealing Hacking Team’s list of questionable customers , its hacking techniques , and its sometimes rocky relationship with law enforcement agencies .

A screenshot of Hacking Team’s Twitter account when Phineas Fisher was in control of it.

“I'm glad to hear they've stopped their pointless investigation that was mostly just being used as a tool by Vincenzetti to harass ex-employees that he didn't like,” Phineas Fisher told Motherboard, referring to Hacking Team’s attempts to frame former employees in the aftermath of the hack, which are detailed in the court documents.

In December of last year, prosecutors asked for the case to be dropped , arguing that they followed all the leads and could not solve the mystery of Phineas Fisher’s identity. In early July, an Italian judge responded, ruling to shut down the investigation into the Hacking Team data breach.

Another former employee said that the VPN and firewall was still up “literally because [Vincenzetti] couldn’t be bothered to install a software update.”

“Only one user was still using it, and that’s why it had not been turned off. [...] Vincenzetti has the ultimate responsibility,” said a former Hacking Team employee, who was still at the company on the day of the hack and who spoke on condition of anonymity.

They also reveal that the initial entry point into the Hacking Team network, the proverbial broken window that let the robbers in, was an out of date firewall and virtual private network system. According to sources close to the company, that firewall was still up despite the fact that the system administrators had already installed a newer one because Vincenzetti refused to upgrade. (A leaked email confirms that the VPN was left up for “a couple of exceptions.”)

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de , or email lorenzo@motherboard.tv

Sealed court documents obtained by Motherboard tell the never-told tale of the digital manhunt, providing a fascinating look into how cybercriminals can stay anonymous and walk away scot-free even after embarrassing a company that provided surveillance technology to more than twenty government agencies around the world. The documents fill in some details left out by Phineas Fisher’s own account of their attack , and clear the names of the former Hacking Team employees who Vincenzetti accused of betraying the company.

The first former employee also said that one of Hacking Team’s systems administrators was caught by Phineas Fisher playing video games such as World of Warcraft, and did not notice the hack for weeks.

“The system administrators deserve most of the blame,” the first former employee told me.

THE ATTACK

Phineas Fisher’s initial break-in was on May 22, 2015, around six weeks before they dumped the stolen files online. From there, the hacker moved stealthily through Hacking Team’s network, breaching the computers of the two system administrators on June 6, the same day they stole 290 gigabytes of information, which was the majority of the files.

On June 21, Phineas Fisher was able to get to the source code, which was inside the development network—the more sensitive area of the company—thanks to a “bridge” system installed between the dev network and the sales or commercial network, according to the court documents.

That bridge, according to people who worked at Hacking Team at the time, was installed because the administrators did not want to physically go to another office floor to manage it. With the bridge, the sources and court documents said, they could manage the dev network remotely.

“If it wasn’t for that system [Phineas Fisher] would have never arrived at the internal dev network,” the former employee told me.

To avoid getting caught, Phineas Fisher used all the tricks experienced hackers use: they made their connections anonymous by using Tor or other proxies, they hacked using penetration testing software, and they rented out the infrastructure they used to launch the attacks paying in Bitcoin.

“I'm glad to hear they've stopped their pointless investigation.“

And given that Bitcoin is, by design, relatively easy to trace, they used funds stolen from other people to pay for the servers. That was the key step that allowed Phineas Fisher to remain at large, according to the court documents analyzed by Motherboard.