How Police Secretly Took Over a Global Phone Network for Organized Crime

Something wasn’t right. Starting earlier this year, police kept arresting associates of Mark, a UK-based alleged drug dealer. Mark took the security of his operation seriously, with the gang using code names to discuss business on custom, encrypted phones made by a company called Encrochat. For legal reasons, Motherboard is referring to Mark using a pseudonym.

Because the messages were encrypted on the devices themselves, police couldn’t tap the group’s phones or intercept messages as authorities normally would. On Encrochat, criminals spoke openly and negotiated their deals in granular detail, with price lists, names of customers, and explicit references to the large quantities of drugs they sold, according to documents obtained by Motherboard from sources in and around the criminal world.

Maybe it was a coincidence, but in the same time frame, police across the UK and Europe busted a wide range of criminals. In mid-June, authorities picked up an alleged member of another drug gang. A few days later, law enforcement seized millions of dollars worth of illegal drugs in Amsterdam. It was as if the police were detaining people from completely unrelated gangs simultaneously.

“[The police] all over it aren’t they,” the dealer wrote in one of the messages obtained by Motherboard. “My heads still baffled how they got on all my guys.”

Unbeknownst to Mark, or the tens of thousands of other alleged Encrochat users, their messages weren’t really secure. French authorities had penetrated the Encrochat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and had been quietly reading the users’ communications for months. Investigators then shared those messages with agencies around Europe.

“I’ve never seen anything like this.”

Only now is the astonishing scale of the operation coming into focus: It represents one of the largest law enforcement infiltrations of a communications network predominantly used by criminals ever, with Encrochat users spreading beyond Europe to the Middle East and elsewhere. French, Dutch, and other European agencies monitored and investigated “more than a hundred million encrypted messages” sent between Encrochat users in real time, leading to arrests in the UK, Norway, Sweden, France, and the Netherlands, a team of international law enforcement agencies announced Thursday.

As dealers planned trades, money launderers washed their proceeds, and even criminals discussed their next murder, officers read their messages and started taking suspects off the street.

The messages “have given insight in an unprecedented large number of serious crimes, including large, international drug shipments and drug labs, murders, thrashing robberies, extortions, robberies, grave assaults and hostage takings. International drug and money laundering corridors have become crystal clear,” Dutch law enforcement said.

A photo uploaded to Twitter of an Encrochat phone. Image: Twitter/@misdaadnieuw2

The documents obtained by Motherboard detail some of the information intercepted by authorities, and lay out not only the actions of one alleged drug dealer, but show just how deeply law enforcement seems to have breached alleged criminal organizations. Codenames are identified as money launderers, ketamine, amphetamine, cannabis, and heroin suppliers, couriers, and customers.

The messages show how gangs allegedly directed members to gather money from customers, how to launder it safely, and where to hide drugs. In meticulous and timestamped sections, the Encrochat messages lay out alleged crime after crime.

“People are fucked,” one of the sources who provided the documents to Motherboard said. “People talk about murder, buying kilos, buying guns […] millions of pills” on the phones, referring to large-scale drug dealing and other crimes.

“They’re just lifting people,” another source close to criminal users of Encrochat told Motherboard as the arrests started happening. Motherboard granted multiple sources in this story anonymity to protect them from retaliation from law enforcement or violent criminals.

In the Netherlands alone, “the investigation has so far led to the arrest of more than 100 suspects, the seizure of drugs (more than 8,000 kilo cocaine and 1,200 kilo crystal meth), the dismantling of 19 synthetic drugs labs, the seizure of dozens of (automatic) fire weapons, expensive watches and 25 cars, including vehicles with hidden compartments, and almost EUR 20 million in cash,” authorities said in a press release.

“What seems to be possible only in police thrillers and movies has happened before our own eyes,” Andy Kraag, head of National Criminal Investigations Department in the Netherlands said in a press conference. “We’ve captured messages that give us a view of daily life in the criminal world.”

On one of its related websites, Encrochat says it’s an “end-to-end security solution” that can “guarantee anonymity,” and that messaging using Encrochat is “the electronic equivalent of a regular conversation between two people in an empty room” for “worry free communications.” It says that “our servers, located offshore in our datacenter, never create, store, or decrypt keys, message conversations or user data.” There are many types of people who may want secure communications, including security professionals or lawyers. The site states that Encrochat has resellers in Amsterdam, Rotterdam, Madrid, and Dubai, but the firm is highly secretive, and does not operate like a normal technology company.

A photo of a pill mill uncovered by law enforcement. Image: OCP

In a statement sent to Motherboard by someone in control of a company email address, Encrochat positions itself as a legitimate firm with customers in 140 countries, but sources in the criminal underground say that many of Encrochat’s customers are criminals. French authorities said they estimated that more than 90 percent of the company’s French customers were “engaged in criminal activity.”

“We are [a] commercial company offering services to secure communication over mobile devices,” the statement reads. “We set out to find the best technology on the market to provide a reliable and secure service for any organization or individual that want to secure their information.”

“I’ve never seen anything like this,” the source close to criminal users of Encrochat told Motherboard, describing the law enforcement action.

***

Buying an Encrochat device is not always as simple as walking into a store. One current prison inmate who said they previously used Encrochat devices explained how they bought a phone from a specific contact recommended to them.

“He does have a legit shop but I didn’t meet him there. I met him down a side street and it looked like a drug deal,” the inmate said of how he got the phone. “I spoke to him by the phone and went to his city and met him.”

Encrochat’s phones are essentially modified Android devices, with some models using the “BQ Aquaris X2,” an Android handset released in 2018 by a Spanish electronics company, according to the leaked documents. Encrochat took the base unit, installed its own encrypted messaging programs that route messages through the firm’s own servers, and even physically removed the GPS, camera, and microphone functionality from the phone. Encrochat’s phones also had a feature that would quickly wipe the device if the user entered a particular PIN, and ran two operating systems side-by-side. If a user wanted the device to appear innocuous, they booted into normal Android. If they wanted to return to their sensitive chats, they switched over to the Encrochat system. The company sold the phones on a subscription-based model, costing thousands of dollars a year per device.

Encrochat is not the only company offering these sorts of phones. So-called “secure phone” companies often don’t have public-facing executives. Instead, they hide their ownership, and some have been caught conspiring with criminals. One company, MPC, was run directly by organized criminals, as Motherboard reported last year. Vincent Ramos, the founder of another secure phone company called Phantom Secure, which started as a legitimate firm, is currently in prison in part for telling undercover agents that he created the device to help with drug trafficking. These companies regularly hire distributors based in different countries or cities, who then help sell the companies’ phones directly to customers. Encrochat allegedly had ex-military personnel selling phones to criminals in at least one case.

A screenshot of a YouTube video showing an Encrochat device. Image: YouTube

The industry is highly competitive, with companies constantly spreading rumours about the security of each other’s devices and uploading YouTube videos to discredit their rivals. Encrochat previously blocked web domains used by other firms’ devices, essentially segmenting its customer base from everyone else. That means dealers often need the same sort of phone as everyone else they’re working with, unless they want to be locked out of important conversations.

“Needs a fucking phone,” one of the incoming Encrochat messages sent to Mark’s supposed device and obtained by Motherboard reads. “What drug dealer don’t have a phone.”

Encrochat vendors have also advertised products on crime-focused websites, marketing their wares more directly to a certain type of reader. As Martin Kok, a criminal turned blogger, wrote on his site Butterfly Crime in 2015, “I see on various crime sites these things [encrypted phones] are offered for sale because many of their future clients are also criminals. Advertising on a site where bicycles are offered does not make sense for this type of company.” (Motherboard previously investigated how MPC orchestrated Kok’s assassination.)

This is the space Encrochat sat in, controlling a sizable chunk of communications infrastructure for organized crime in Europe and several countries further afield. While a top-level Scottish drug trafficking organization created MPC and Phantom Secure’s customers included members of the Sinaloa drug cartel, Encrochat was particularly popular with gangsters across Europe.

A British pair who assassinated another crime leader and an armed robber, with one acting as assassin and another as the lookout, used Encrochat phones. In one of the killings the hitman used a submachine gun. Violent drug gangs across the country also used Encrochat’s phones.

“They [became] the ‘industry’ standard,” the inmate told Motherboard.

***

In May, some Encrochat users noticed a problem: the much-lauded wipe feature on their phones wasn’t working. An Encrochat associate told Motherboard that at the time they believed perhaps either the user had forgotten their reset PIN, or that the wipe feature wasn’t configured properly. Nothing to be alarmed about; users make mistakes. The next month, Encrochat managed to track down one of its X2 model devices that had the panic wipe issue, they explained.

This wiping problem wasn’t user error though. The Encrochat associate told Motherboard they found malware on the device. The phone had been hacked.

Encrypted phone companies have faced data exposure before. In 2017, someone created a website and uploaded data belonging to users of Ciphr, another firm in the space, which included email addresses and unique IMEI codes linked to the phones. This Encrochat case was different, though. This was malware on the Encrochat device itself, meaning that it could potentially read the messages written and stored on the device before they were encrypted and sent over the internet, a devastating finding for a company whose main mandate is to protect the content of communications for highly sensitive clients.

The associate told Motherboard the malware was specifically created for the X2 model. Besides disrupting the wiping feature, the malware was also designed to conceal itself from detection, record the screen lock password, and clone application data.

Realizing this was an attack, over the next two days Encrochat pushed an update to its X2 models to restore the phone’s features and gather information about the malware installed on its devices around the world, the associate said.

“This was done to prevent further damage while we informed affected users,” they added. Encrochat put monitoring in place to be able to keep an eye on its devices without having to physically possess them.

But almost immediately after the patch, the attackers struck again, this time seemingly harder. The malware was back and now it could change the lock screen password rather than just record it. The hackers were not stopping; they were escalating.

A photo of cash seized by law enforcement. Image: NCA

Going into full-on emergency mode, Encrochat sent a message to its users informing them of the ongoing attack. The company also informed its SIM provider, Dutch telecommunications firm KPN, which then blocked connections to the malicious servers, the associate claimed. Encrochat cut its own SIM service; it had an update scheduled to push to the phones, but it couldn’t guarantee that the update itself wasn’t carrying malware too. Encrochat’s statement also suggested that KPN may have been working with the authorities (KPN declined to comment). Shortly after Encrochat restored SIM service, KPN removed the firewall, allowing the hackers’ servers to communicate with the phones once again. Encrochat was trapped.

Encrochat decided to shut itself down entirely.

“We then took the decision to immediately shut down the SIMs and the network,” the associate wrote.

Encrochat suspected this wasn’t a rival company trying to mess with its infrastructure; this was likely a government.

“Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device,” a message Encrochat sent to its users read. “You are advises [sic] to power off and physically dispose your device immediately,” it added.

All of this came too late. Law enforcement had already extracted an extraordinary cache of data from Encrochat devices. Entire multimillion-dollar drug empires nakedly laid out in reams of text messages and photos. In a press release published Thursday, French law enforcement, which spearheaded the investigation, did not go into detail about what the operation itself entailed, but said that, “The investigation made it possible to gather elements on the technical functioning of the solution [Encrochat], and led to the establishment of a technical device thanks to which unencrypted communications from users could be obtained.”

The French authorities also pointed to the legal mechanism that allows for the capture of computer data by such a tool “without the consent of the interested parties, to access, in any places, computer data, to record it, to keep it and to transmit it.”

The authorities had everything. Images of huge piles of narcotics lying on scales. Kilogram blocks of cocaine. Bags packed with ecstasy. Fistfuls of cannabis. Messages about planned drug drops and major deals. Photos of alleged criminals’ family members and discussions of their other businesses.

Law enforcement agencies had acted against encrypted phone companies before. In 2018, the FBI arrested the owner of Phantom Secure. The FBI tried to convince the owner to install a backdoor into the communications system—he declined—before shutting the network down itself.

A photo of kilogram blocks of cocaine seized by law enforcement. Image: SWROCU

But here, authorities had managed to break in and eavesdrop not only on what criminals were saying, but listen when the criminals felt the most secure.

“Charge him 33’500 each?” one of the messages extracted from the Encrochat device allegedly owned by Mark reads. “Take 4.5 out get 6k,” the texts continue, discussing specific large-scale drug deals step-by-step. Other documents mention shipments of drugs in Europe. The messages stretched back months, with some in the documents dating to April, months before Encrochat discovered the malware.

In one Encrochat message rather ironically obtained by investigators, one alleged gang member tells another that iPhones are not safe from police examination.

In the aftermath of Encrochat’s message, users of the network started to panic, according to other screenshots of messages obtained by Motherboard. Multiple people tried to determine whether their particular model of Encrochat phone had been impacted.

Law enforcement’s quiet coup of Encrochat was over. Over the next several days, the puzzle pieces started to fall into place: The seized shipments, the raids on drug traffickers, the mounting arrests. The common thread among all of them was Encrochat.

The encrypted phone industry source said that after the episode, Encrochat resellers couldn’t log into their portal used to manage sales, locking them out of funds.

Right now, the criminal world is in disarray, their main way of communicating ruptured. Paranoid, some people are going offline, unsure of what devices to trust. Others are trying to cross borders before they are detained, the source close to criminal Encrochat users said. The source said that buying drugs in bulk just got a lot harder.

They added, “Everybody’s going to ground.”

In the press release, French authorities wrote that, “Despite the findings of the criminal use of Encrochat terminals [phones],” they hope “users claiming to be of good faith and wishing to have their personal data deleted from the legal proceedings can send their request to the investigation department.” They also invited administrators or managers of Encrochat itself to contact them if they wanted to discuss the legality of law enforcement deploying the technical tool to read messages.

Already, other encrypted phone companies are trying to fill the void left by Encrochat. A company called Omerta has been advertising directly to Encrochat’s old customers. “ENCROCHAT HACKED, USERS EXPOSED & ARRESTS GALORE – THE KING IS DEAD,” a blog post on its site reads. Omerta told Motherboard in an email it has seen a rise in traffic recently.

“Did you narrowly escape the recent Mass Extinction Event? Celebrate with 10 percent off. Join the Omerta family and communicate with impunity.”