Europol, the British National Crime Agency (NCA) and law enforcement agencies in France, Sweden, Norway and the Netherlands have officially announced the takedown of the Encrochat encrypted communications platform, which had been used by over 60,000 criminals around the world.
How it worked
As an archived copy of the company website shows, Encrochat phones guaranteed their users absolute anonymity: no device or SIM card was tied to the customer's account, and the phones were sold under conditions that made their origin untraceable. Full confidentiality was also promised: the encrypted interface was hidden, and the device itself was modified, with the camera, microphone, GPS and USB port physically removed.
Devices shipped with two operating systems: if the user wanted the device to look harmless, he loaded ordinary Android; when secret chats were needed, he switched to the Encrochat system.
According to Vice Motherboard, Encrochat phones were based on modified BQ Aquaris X2 devices, Android smartphones released in 2018 by a Spanish electronics company.
The operators of the Encrochat platform installed their own encrypted messaging and VoIP applications on the phones, routing traffic through the company's own servers. The phones also had a function for quickly wiping the entire device (including remotely) if the user entered a special PIN code.
The company sold phones by subscription: a six-month contract cost about £1,500. Although the site says Encrochat had resellers in Amsterdam, Rotterdam, Madrid and Dubai, the company operated in great secrecy.
Vice Motherboard, which devoted a lengthy article to this law enforcement operation, writes that someone controlling Encrochat's email address told reporters that Encrochat is a legitimate company with clients in 140 countries.
“We are a commercial company offering services in the field of secure communication via mobile devices. We decided to create the best technology on the market in order to provide reliable and safe service for organizations or individuals who want to protect their information,” a company representative wrote.
At the same time, according to law enforcement authorities, 90% of Encrochat customers were criminals. Encrochat had approximately 60,000 users worldwide, approximately 10,000 of whom lived in the UK.
Journalists say that buying an Encrochat device was not easy. The publication's own source (a former Encrochat user who is currently serving a prison term) said he had bought his phone in an ordinary shop from its owner; however, the transaction took place in the alley behind the building and "looked like a drug deal."
Infiltrating Encrochat
Law enforcement officials say that the joint operation, called Venetic, has become one of the largest in history and has already led to the arrest of 746 people and the seizure of £54,000,000 in cash ($67.4 million), 77 firearms (machine guns, pistols, four grenades and more than 1,800 rounds of ammunition), 55 luxury cars and more than two tons of drugs.
French law enforcement, for its part, declined to disclose the details of its investigations and their results, but the Dutch authorities said they had shut down 19 synthetic drug laboratories, arrested more than 100 suspects, and seized more than 8,000 kilograms of cocaine, 1,200 kilograms of methamphetamine, dozens of pistols, luxury cars (including cars with hidden compartments) and watches, as well as almost 20 million euros ($22.5 million) in cash.
The investigation that led to these results began back in 2017 in France under the code name Emma 95. It then spread to the Netherlands, where it was called Lamont; eventually the two countries' law enforcement agencies joined forces, and the United Kingdom, Sweden and Norway joined the case.
Investigators say they found a way into Encrochat without breaking the platform's encryption itself. Instead, a few months ago, French law enforcement penetrated the Encrochat network and planted malware on the company's devices, which allowed them to read criminals' messages before they were sent. As a result, European police examined “over a hundred million encrypted messages” and watched drug traffickers agree on wholesale deals and criminals discuss murders and money laundering.
“These reports provided an unprecedented number of serious crimes, including data on large international drug shipments and (whereabouts) drug laboratories, killings, robberies, extortion, grave assaults and hostages. The international corridors for the supply of drugs and money laundering have become completely transparent,” the Dutch law enforcement agencies write.
“What is usually possible only in police thrillers happened before our eyes,” adds Andy Kraag, head of the Dutch National Criminal Investigation Department. “We read messages that gave us an idea of the everyday life of the criminal world.”
Panic in the criminal world
Back in May of this year, some Encrochat users noticed a problem: the wipe function on their phones did not work. An anonymous Encrochat employee told Vice Motherboard that the company initially assumed the user had probably just forgotten his PIN code, or that the wipe function was misconfigured.
But the following month Encrochat managed to track down one of these “buggy” X2 devices. As it turned out, the problem lay neither with the user nor with the settings: malware was found on the phone, and the device had been hacked. Moreover, the malware had been purpose-built for the X2 model. It not only interfered with the correct operation of the device's wipe function but was designed to hide itself from detection, record the screen lock password and clone application data.
Realizing that this was an attack, Encrochat released an update for its devices over the following days to restore their functionality and gather information about the malware that had penetrated the company's phones around the world. Encrochat's developers began notifying users and monitored the situation remotely, since they had no physical access to the devices.
However, almost immediately after the release of this patch, the attackers struck again: the malware returned, and now it could also change the screen lock password, not just record it.
Encrochat's operators began to panic. They sent a message to their users informing them of the ongoing attack. The company also notified its SIM card provider, the Dutch telecommunications company KPN, of the situation, and KPN blocked the malware's connections to the attacking servers. But apparently by that time KPN was already cooperating with the authorities (KPN representatives still decline to comment), because the company soon removed the block, which again allowed the attacking servers to exchange data with Encrochat phones.
Encrochat then decided to wind down all operations. “We decided to immediately disconnect all SIM cards and the network,” says an employee of the company. By that time the company already understood that it was up against not a competing company but a government.
“Today, our domain has been illegally seized by government agencies. They used our domain to launch an attack. <…> Due to the level of complexity of the attack and malicious code, we can no longer guarantee the security of your device. We advise you to immediately disconnect and physically destroy the device,” Encrochat's operators wrote in a message sent to all their users on June 13, 2020.
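The statement above says the attack was launched through the seized domain. The standard device-side mitigation against that situation is to accept only update packages signed with a vendor key that is pinned in the firmware, so that control of the update server or domain alone is not enough to push code onto the handset. The Go program below is an added example written for this article; it is not Encrochat's code and says nothing about how its actual update mechanism worked. The Update format, the version counter, the GenerateSigningKey, SignUpdate and VerifyUpdate functions and the sample payloads are all constructed for illustration. It only helps if the vendor's signing key and build system stay out of reach, and it does nothing against code that reaches the device by some other route.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Errors a device surfaces when it refuses an update (constructed for this example).
var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// Update is a hypothetical over-the-air package: a monotonically increasing
// version counter, the payload, and an Ed25519 signature made by the vendor's
// offline key over (version || sha256(payload)).
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version counter to the payload hash, so a valid
// signature cannot be reused on different bytes or under a different version.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(msg, version)
	sum := sha256.Sum256(payload)
	return append(msg, sum[:]...)
}

// GenerateSigningKey stands in for the vendor's key ceremony: the private key
// stays on an offline build machine, the public key is burned into devices.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is unrecoverable during key generation
	}
	return pub, priv
}

// SignUpdate is the build-side step: only the holder of the vendor key can do this.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// VerifyUpdate is the device-side step. It trusts only the pinned public key,
// never the server or domain the package arrived from, and refuses rollbacks
// to an image that is not newer than the one already installed.
func VerifyUpdate(pinned ed25519.PublicKey, installedVersion uint32, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := GenerateSigningKey()
	_, rogueKey := GenerateSigningKey() // a party that controls the domain but not the vendor key

	firmware := []byte("constructed sample payload: v2 system image")
	const installed = 1

	good := SignUpdate(vendorPriv, 2, firmware)
	fmt.Println("vendor-signed update:", VerifyUpdate(vendorPub, installed, good))

	rogue := SignUpdate(rogueKey, 2, firmware)
	fmt.Println("update signed with a non-vendor key:", VerifyUpdate(vendorPub, installed, rogue))

	tampered := good
	tampered.Payload = []byte("constructed sample payload: altered in transit")
	fmt.Println("vendor signature on an altered payload:", VerifyUpdate(vendorPub, installed, tampered))

	old := SignUpdate(vendorPriv, 1, firmware)
	fmt.Println("replay of an older vendor-signed image:", VerifyUpdate(vendorPub, installed, old))
}
```

The design choice worth noting is that the device checks the signature and the version counter before it looks at anything else in the package: the transport, the hostname and any TLS certificate presented by the server are irrelevant to the decision, which is exactly the property a seized domain cannot defeat.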
After this message from Encrochat, many users panicked. According to screenshots obtained by Vice Motherboard, some users even tried to determine whether their particular phone model was affected by the attack.
But it was already too late. By this time, European law enforcement agencies had long since extracted a great deal of data from Encrochat devices around the world, and multimillion drug empires and criminal syndicates lay before them in the form of text messages and photos. The police had literally everything: photographs of huge piles of drugs lying on scales, kilogram bricks of cocaine, bags full of ecstasy; messages about planned deals and deliveries; photos of alleged offenders' family members and discussions of their personal files.
After that, law enforcement began to act: seizures of goods, raids on drug dealers and mass arrests followed. The common denominator in all of it was Encrochat.
Journalists note that, according to a source close to Encrochat users, the criminal world is in turmoil, having lost one of its main means of communication. Many Encrochat customers are now trying to cross borders to avoid being detained. The source also noted that buying drugs in bulk has become much more difficult.
Not the first case
The takedown of EncroChat and the arrest of its users is far from unprecedented. For example, in 2018 the chief executive of Phantom Secure, a company that produced “unbreakable” phones for criminals, was arrested.
Phantom Secure hosted its servers in Panama and Hong Kong and used virtual proxies to hide their physical location. The platform could also remotely destroy data on devices already seized by law enforcement agencies.
A Phantom Secure subscription cost about 2-3 thousand dollars for six months. To protect customers' anonymity and Phantom Secure's own activities, payments were made in digital currencies, including bitcoin. For this money a customer received a device whose software and hardware had both been modified to ensure anonymity and encryption of all communications. GPS navigation, the microphone, the camera, internet access, the messenger and even voice features were all tailored to customers' particular needs.
Phantom phones were very popular in the criminal world, including at the very top of transnational criminal groups. In particular, members of the renowned Sinaloa drug cartel in Mexico were Phantom Secure customers.
Another similar company, MPC, was created and run by an organized drug trafficking group from Scotland.
Vice Motherboard's journalists note that competition in this market is fierce: companies regularly spread rumors about the insecurity of each other's devices and upload videos to YouTube discrediting competitors. Encrochat, for example, previously blocked other firms' domains outright.
Other companies offering secure communications services are already trying to fill the gap left by Encrochat's disappearance. Omerta, for example, has already targeted former Encrochat customers.
“Encrochat hacked, users burned and arrested. CORAL DIED! Have you miraculously escaped the recent "mass extinction"? Celebrate with a 10% discount. Join the Omerta family and talk with impunity,” says the Omerta ad.
Omerta representatives told reporters that they have indeed seen an increase in traffic recently.