Do Recent Cryptophone Sweeps Signal Supply-Chain Coup for ‘White Hats’?

Besieged by increasingly severe supply-chain attacks, the Western cybersecurity community is on edge. Yet three sensational law-enforcement takedowns of crime-linked, encrypted phone networks suggest the sword cuts both ways, as white hats are also pwning communications networks favored by transnational organized crime with similar success.

This point was first raised in March by Black Hat hacker conference Review Board member Daniel Cuthbert in a since-deleted tweet following the publication of this journalist’s feature in the Diplomat that detailed “How Asian Drug-Trafficking Networks Operate in Europe”.

At the time, Cuthbert was responding to a speculative correlation made in the article linking the Sky ECC cryptophone dragnet, which was led by Belgian, Dutch, and French authorities, to the January arrest of Tse Chi Lop, the alleged billionaire kingpin of the Sam Gor Asia-Pacific drug cartel, after he was deported from Taiwan and forced to fly to Amsterdam’s Schiphol Airport.

Reputed Sam Gor kingpin Tse Chi Lop, source: shadowbanker.io

Tse’s Dutch criminal defense lawyer, André Seebregts, said links to recent encrypted phone sweeps like Sky, EncroChat, and Anom “have thus far played no role in the limited scope of Tse’s extradition case,” which was orchestrated by the Australian Federal Police. Seebregts also said Tse “denies any involvement with the Sam Gor syndicate or any criminal organization.”

But the overall gist of Cuthbert’s tweet was that Western cyber-investigators don’t get enough credit for their supply-chain exploits. In cyber, supply-chain attacks entail the malicious compromise of a trusted piece of software or hardware at the source. “By compromising a single supplier,” writes Wired, “spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses.”

A single strategically placed intrusion like the recent Kaseya ransomware attack, SolarWinds, Microsoft’s Exchange servers, or the 2017 NotPetya outbreak can thus cascade into a catastrophe that impacts the supplier’s entire customer network. The modern threat environment reveals that a single point of failure can easily create a conduit for thousands of additional infections across disparate devices, systems, and IT networks.

Highlighting the current cyber-threat landscape, security non-profit Identity Theft Resource Center reported in April that supply-chain attacks increased by 42 percent in the first quarter of this year compared to Q4 2020. Miami-based Kaseya is just the latest high-profile breach to headline this disturbing trend, with Russian ransomware gang REvil claiming credit for an exploit that infected 1,000 companies worldwide last month.

Before announcing its disbandment in late July, REvil was demanding a record-high, $70-million bitcoin ransom payment in exchange for access to the gang’s Universal Decryptor, which they said could unlock all infected computers and restore victims’ data.

White Hat COMMSpromise    

When reached for comment on his old tweet, Cuthbert reiterated his supply-chain hack analogy. “If we look at three stellar efforts by law enforcement agencies (LEAs), namely EncroChat, Sky ECC, and Anom, all three built their minimum viable product (MVP) - a feature-stripped, surveillance-proofed phone - on a fairly complex supply chain of hardware (devices), endpoints, servers, and so on.”

“What LEAs managed to do was infiltrate the chain in order to collect intelligence and eventually smash the whole architecture down. It’s these chains that will be one of the hardest tasks we defenders have to face in years to come: How do you make such complex chains with many moving parts, more robust and secure to withstand attacks like we are seeing happening at the moment?”

Since Cuthbert first raised the point in March, the Federal Bureau of Investigation and AFP announced the most recent cryptophone sweep, a supply-chain honeypot that wrecked the Anom network and led to the arrest of some 800 suspects worldwide to date.

The operation was codenamed ‘Trojan Shield’ in the U.S. and ‘Ironside’ in Australia. Suspects arrested in the Anom probe are believed by law enforcement to be associated with “Italian organized crime, outlaw motorcycle gangs, and international drug trafficking organizations,” according to a Europol press release announcing the takedown.

Highlighting possible links to Tse’s case and the Sam Gor – a syndicate that reportedly mints upwards of $60 billion a year trafficking mostly synthetic drugs like meth and ketamine throughout the Asia-Pacific region – the AFP’s Ironside press release also alleged that an “Asian crime syndicate” used Anom.

Unlike the EncroChat takedown from last July and the Sky dragnet in March, which were predicated entirely on white hat cyber-espionage, Anom was a law-enforcement trap from the start, with the FBI and AFP strategically developing and covertly operating this faux-encrypted device company.

Takedown Trilogy

Operation Trojan Shield infographic, source: Europol

Since early 2020, LEAs in at least 19 countries, supported by Europol, have leveraged varying types of supply-chain exploits to dismantle the above-mentioned encrypted communications platforms. Europol has been publicly raising concerns about criminals’ use of encryption to protect their communications since at least 2016.

In the latest cryptophone dragnets, the white-hat tactics, techniques, and procedures (TTPs) used to “bypass” encryption and compromise networks reportedly ranged from over-the-air (OTA) exploits reminiscent of cyber-intelligence firm NSO Group’s controversial Pegasus software to more “primitive” undercover work by human agents.

Primarily led by authorities in France, the Netherlands, the UK, Belgium, the U.S., and Australia, EncroChat, Sky, and Anom have collectively resulted in thousands of arrests of suspected drug traffickers, money launderers, hitmen, and corrupt officials connected to over 300 syndicates in “more than 100 countries,” according to Europol’s Anom press release.

However, it should be noted that the seminal cryptophone takedown was Ennetcom by Dutch and Canadian police in 2017. Since Ennetcom, U.S., European, and Turkish authorities have jointly or separately crushed encrypted networks like PGP Safe, IronChat, ByLock, and Phantom Secure, to name a few.

But the most recent takedowns have arguably been the most disruptive to the criminal underworld. The latest ones have netted the seizure of dozens of tons of drugs, valued in the billions of dollars, along with weapons and over $150 million in dirty cash and cryptocurrencies, according to various law-enforcement press announcements.

Anom in particular has revealed the interconnectedness of the encrypted phone supply chain, according to an unsealed FBI search warrant from May. This search warrant was seeking access to an Anom user’s Google email account in the furtherance of an FBI probe into the export of cocaine from Carlsbad to Australia.

FBI Special Agent Nicholas Cheviron, who authored the warrant, said the “Trojan Shield investigation has unveiled how criminal organizations compartmentalize their activities with multiple brands of hardened encrypted devices. For example, some users assign different types of devices to different parts of a drug trafficking transaction.”

“I have seen conversations where Anom is used for the logistics of the drug shipments, but Ciphr or Sky were used to coordinate the concealment of the illicit proceeds,” wrote Cheviron. It is not immediately clear if law enforcement has also hacked Ciphr.

But the interconnectedness of the ecosystem “was also apparent in the increase in demand when two major platforms were dismantled during the Trojan Shield investigation,” Cheviron added. While demand for Anom devices increased after the EncroChat sweep, Cheviron noted that in the wake of Sky’s dismantlement, Anom’s active user base grew by a multiple of three to reach roughly 9,000 subscribers at its height.

For Western investigators, collective intelligence mined from the three takedowns has further illuminated how Latin American narcos are smuggling cocaine to countries outside the U.S. and delegating wholesale distribution in Europe to Dutch and Belgian smuggling networks. These port reception networks have corrupted the integrity of Europe’s largest ports: Antwerp and Rotterdam.

Super Cartel

Earlier this year, the “Latin American Organized Crime Study,” prepared by Colombia-based think tank and media organization InSight Crime for the Dutch Ministry of Foreign Affairs, estimated that these local “port reception networks” were earning between €1 billion and €2.7 billion per year trafficking coke to various ethnic criminal organizations.

These reception networks have largely been facilitating multi-kilo-and-ton shipments of coke and synthetic drugs to networked Italian, Balkan, Irish, and Moroccan organized crime groups, who then go on to pump dope across Europe and more profitable markets in the Asia-Pacific region. These ethnically diverse crime syndicates have reportedly joined forces to form a “super cartel,” according to European news reports.

Ex-Drug Enforcement Administration and Customs agent Robert Mazur, who infiltrated the Medellin and Cali cartels as an undercover money launderer back in the 80s and 90s, said the ports of “Antwerp and Rotterdam have been compromised for more than three decades that I can personally attest to.” The super cartel that has established itself is thus the legacy of metastasizing transgenerational corruption networks.

A rumored DEA dossier on this so-called “super cartel,” which narcs reportedly compiled at the Dubai wedding of Irish Kinahan Cartel kingpin Daniel Kinahan in 2017, estimated that the multi-cultural syndicate had collectively imported €23 billion worth of cocaine into Europe at the time of the nuptials, according to news reports.

Daniel Kinahan snapped at a funeral in Dublin in February 2016, source: Collins Dublin

Much of this coke was reportedly supplied by Dutch-Chilean trafficker Ricardo 'El Rico' Riquelme Vega, who was arrested in Chile and extradited to Holland in 2017, the DEA discovered. The DEA bolstered the Dutch case against El Rico after extracting and deciphering encrypted messages stored on phones secured by a German IT protection system used by many multinational financial firms, according to Irish news reports.

In June, El Rico was sentenced to 11 years in prison by a judge in Amsterdam. Neither the DEA nor the Dutch National Police responded to requests for comment. Regardless, it seems that these cryptophone hacks have enabled global security services to map out drug-trafficking, money-laundering, and corruption networks from Chile to Hong Kong.

Collectively, these sweeps may ultimately transform the landscape of transnational organized crime – that is assuming LEAs can make the charges stick in court.

EncroChat’s Design  

Archived 2018 EncroChat homepage, source: Encrochat.network

The first cryptophone hack in this trilogy was EncroChat. The investigation began in France in 2017 after the French Gendarmerie discovered that “the phones were regularly found in operations against organized crime groups,” according to a Eurojust/Europol press release issued last July. The French led the operation, which they codenamed ‘EMMA,’ after British National Crime Agency investigating officer Emma Sweeting.

In the UK, digital forensics expert witness and Birmingham City University Professor Peter Sommer said that prior to “Operation Venetic,” which was the British codename for their Encro-sweep, “there were at least 100 successful prosecutions of serious organized criminals who had been found in possession of Encrophones.” But at that stage, “it was not possible to read the phones encrypted contents,” Professor Sommer said.

That is to say, police, even armed with bleeding-edge digital forensics extraction tools like Cellebrite or Magnet Axiom, could not crack these phones. Professor Sommer added that he was “involved in approximately 50 of these organized crime conspiracies working on this occasion for the prosecution to explain the various types of encrypted phone and their related costs.” The professor was not involved in Operation Venetic and is now testifying as an expert witness for the defense, he said.

EncroChat’s main product was a modified “BQ Aquarius X2,” an Android handset released in 2018 by a Spanish electronics firm. The phones ran a dual operating system that enabled subscribers to either use a standard Android OS or the “secure” EncroChat OS. Designers stripped GPS, camera, and microphone functionality from EncroChat devices.  

EncroChat also operated its own encrypted messaging program. Sommer said that, judging from the “output of the French system, from which some reverse engineering is possible,” the app’s encryption appears to have used the Signal Protocol. However, a cryptophone expert who requested anonymity, citing rising danger and organized-criminal involvement in the encrypted phone industry, said that EncroChat actually used the far less secure Socialist Millionaire Protocol (SMP).

The encrypted phone expert also claimed to have handled a live EncroChat device in the months leading up to the sweep and that this model was still using SMP.

An old EncroChat reference and features guide from 2016 also touted the platform’s use of SMP cryptography. One caveat on terminology: SMP is the Socialist Millionaire Protocol, the zero-knowledge step that Off-the-Record (OTR) messaging uses to let two parties confirm they hold the same shared secret, and so verify each other’s identity, without revealing that secret. It authenticates a contact rather than encrypting messages, so a guide that mentions SMP points to an OTR-style design but does not by itself establish which cipher or key exchange protected message content.

But this reporter was not able to find any reports or social media chatter of a protocol upgrade online. The encrypted phone expert also noted that a protocol migration would be “very technically intensive and require a change-out of foundational technology.” “I doubt they had the capability to pull it off,” added the expert.

Archived EncroChat website marketing collateral from 2018 stated that its “servers, located offshore in our datacenter, never create, store, or decrypt keys, message conversations or user data.” The phones also used SIM cards from Dutch telecom firm KPN.

Staging the Sweep  

The Gendarmerie’s Centre for the Fight Against Cybercrime (C3N), with assistance from the Dutch police, conducted the supply-chain exploit that hacked the EncroChat network. This joint investigative team (JIT) transferred the hacked data to Europol, which then distributed evidence to the British NCA and to investigative agencies in Germany, Sweden, Norway, and potentially over a hundred other countries.

France and Holland were optimal EU jurisdictions to lead the operation and hack EncroChat text messages because, in the UK, “intercept material (classically phone tapping, but not limited to that)” cannot by law be used in evidence in proceedings, according to a January ruling from the Liverpool Crown Court.

In the JIT countries and many other jurisdictions, however, “there is no blanket prohibition on the admission into evidence of intercept material,” noted the ruling issued by High Court of England Justice Ian Dove, who ruled against the defense in this case.

Two years after the French began their investigation, the pan-European initiative to hack the cryptophone network’s server was formed in February 2019, according to the Netherlands Forensic Institute, a Dutch government-funded research organization.  

A more recent ruling issued by Justice Dove before the Manchester Crown Court last month, and which also shot down the defense, said that “French authorities identified that an EncroChat server was located in their territory at Roubaix” in late 2019. This ruling concerned an investigation codenamed ‘Embossed.’

July, 2021 “Operation Embossed” Manchester ruling, source: Confidential

Specifically, EncroChat used servers from cloud-hosting provider OVHcloud, Europe’s largest cloud hosting provider, which is headquartered in Roubaix. After identifying OVH as EncroChat’s provider, the Lille Regional Court ordered OVH to modify its network so that EncroChat messages could be intercepted by C3N.

“Through an investigation supervised by a magistrate at the Lille Regional Court they were able to obtain images of these EncroChat servers for the purposes of analysis,” said the Manchester court ruling.

C3N created “71 virtual machine folders across the three forensic images” mirrored from EncroChat servers, according to court testimony from Luke Shrimpton, an NCA technical officer and expert witness for the prosecution. The defense, contrary to the NCA report, alleges there were 96 virtual machine folders, according to the ruling.

To move the captured data to C3N, JIT investigators also connected a load balancer from their repository to the OVH server. A load balancer, whether a hardware appliance or software, sits between client devices and backend servers and distributes incoming traffic among them; placed in that position, it sees every connection it forwards.

In March 2020, France created the EMMA 95 national investigative unit, which enlisted 60 specialists “exclusively dedicated to data processing,” according to a follow-up Gendarmerie press release circulated weeks after the initial sweep on July 2. The Dutch codenamed their operation ‘Lemont.’

Multi-Stage Exploit

Prosecutors maintain that the Encro-hack occurred in two stages. According to the Liverpool court appeals ruling, the French Gendarmerie, after discovering the location of the network’s servers, “discovered a way to send an implant to all EncroChat devices in the world under cover of an apparent update.”  

This implant “caused the device to transmit to the French police all the data held on it. This was called the Stage 1 process.” Stage 1 was triggered on April 1, 2020. In this respect the implant resembles NSO’s Pegasus: it was the payload of the JIT’s over-the-air attack, delivered here through the devices’ own update channel.

In Stage 1, the implant, or ‘infection,’ captured “all data which had not been erased, typically therefore 7 days' worth of communications. Thereafter, in the Stage 2 process, the implant collected messages which were created after Stage 1,” according to the Liverpool ruling.

The JIT’s load balancer facilitated the data transfer to C3N’s server. But “Mark,” a pseudonymous Twitter information analyst who operates the members-only blog, “The Upside Down Times”, which has become a trusted reference material for lawyers engaged in the EncroChat case, added some context to the first stage of the exploit.

The blogger noted that the implant trigger was sent at least four times. This implant also took eight days to work, according to Mark. The “Upside Down Times” blogger has further established his credibility in the EncroChat case by being a trusted recipient of sensitive court document leaks across Europe. Mark has even become a target of French authorities, who have previously complained to Twitter about his EncroChat tweets, saying they “were in violation of French Law.”    

Based on the prosecution’s explanation, Justice Dove ruled in Manchester court that EncroChat messages “were not taken after they had left the device of the sender or before they had arrived on the device of the receiver.” The ruling supported its conclusion by saying that at the point of interception, “the messages were not encrypted, and had therefore been taken before encryption on the sending device and after decryption on the receiving device.”

The prosecution argues that all data extracted from EncroChat devices was stored either in the ‘fully encrypted’ Realm mobile database that the app used or in the devices’ random-access memory (RAM). RAM is a “faster and temporary type of memory which holds apps and data whilst the app is running on the device and is used for the operation of the app and supporting the activity of the CPU,” said the Liverpool ruling.

Thus, in both stages of the breach, French prosecutors have insisted that all data was intercepted from cryptophone users’ phones while it was at rest. This forms the crux of the legal controversy in the UK and beyond, as defense lawyers have argued that data was intercepted and decrypted in transit.

Recall that intercept material cannot be used in evidence in proceedings in the UK under the Investigatory Powers Act 2016. Venetic investigators obtained only a targeted equipment interference (TEI) warrant; the defense argues that the activity actually amounted to interception and so required a targeted interception (TI) warrant.

In the wake of the takedown, which both lead investigative agencies “hailed as an earthquake for organized crime,” nearly “120 million messages and images, almost all linked to high-level organized crime, were intercepted, without the capture being detected,” according to the French press release. Intelligence shared via Europol with many countries had led to over a thousand arrests, mostly in Europe, and spectacular seizures at the time of the press statement.

But defense lawyers across Europe have made some compelling counter-arguments. In France, investigators even acknowledged in last summer’s press release package that 10 percent of EncroChat’s users were not criminals. That would mean some 6,000 non-criminals were ensnared in the dragnet and surveilled in violation of their legal rights.

Paris-based criminal defense lawyers Robin Binsard and Guillaume Martine have even protested the EncroChat case all the way up to the country’s supreme court. A Computer Weekly report from last month said that this case, “which is expected to go to the European Court of Human Rights, could affect prosecutions in the UK, the Netherlands and Sweden if France’s highest court finds that the operation was unlawful.”

Binsard was not able to prepare a comment in time for the publication of this story.

Defense Arguments

Defense arguments all boil down to the lack of forensic evidence and incomplete witness statements shared by French prosecutors. While the prosecution has maintained that data was exfiltrated from devices, the defense believes that data was captured live from the OVH server and decrypted afterwards.

The primary themes here are the distinction between evidence gathered in the course of an intelligence operation and evidence captured in the furtherance of a criminal probe, and the admissibility of each.

The incomplete witness statements of C3N officer Jeremy Decou, as relayed in the recent Manchester ruling, highlight the “evidential black hole” left by French prosecutors, who have declared the technical details of their exploit to be “covered by national defense secrecy” and therefore undisclosable.

Decou is an investigator “upon whose evidence the prosecution also rely,” according to the appeals ruling. When asked whether the technical device had enabled C3N to retrieve data from the OVH server, Decou replied he “would not answer the questions concerning the operation of the device secrecy,” per his testimony.

As a result, the court does not know whether or how the server and implant were subjected to external testing and quality assurance, what analysis of EncroChat data the JIT conducted before its transfer to Europol, or whether any further review checked for contamination or errors during these processes, according to a PowerPoint presentation authored by Professor Sommer.

Because there is “no continuity of evidence and no testable provenance before material is delivered via Europol LFE to NCA,” there is no way to audit the chain of custody, said Professor Sommer. The professor also noted that “digital data is highly volatile – changes take place all the time on computers, laptops, mobile phones: we must freeze the scene at a specific date and time.”

Since prosecutors have failed to disclose any auditable data-custody chain, the EncroChat investigation violates every principle set out by the UK’s Association of Chief Police Officers (ACPO) for the handling of digital evidence, according to Professor Sommer’s presentation.

Regardless, Decou said the technical device enabled French investigators to retrieve EncroChat phones’ messages, notes, contacts, Wifi (SSID), passwords, and call logs. However, if the data was truly captured at rest on the device, said the “Upside Down Times” blogger, then investigators would be able to easily reveal device fingerprints like “dynamic IP address that changes with each connection made, the static wireless MAC address, and device serial numbers.”

Mark claims to have obtained a leaked JavaScript Object Notation (JSON) file from the Dutch investigation. But the largest anomaly in this device metadata file, said Mark, is the omission of cell tower data. Android devices “actually read cell tower data, including signal strength, including neighboring cell towers,” said Mark.

But according to Decou’s witness statement, these identifiers were captured while the data was live and in transit. The prosecution is thus asserting that EncroChat content and metadata were transferred separately, in two separate message packets. In that scenario, the chance that EncroChat’s IT team would detect the collection, through anomalous router traffic or by “noting double connections to different IP addresses,” would be much higher, according to the Manchester ruling.

Nevertheless, Justice Dove sided with the prosecution’s account. Despite cell tower data being reported to courts in data packages other than the JSON file initially supplied by the French, “the fact they are missing in the JSON suggest that the cell data was obtained from the cell provider and not from the device itself,” said Mark. Thus, the blogger believes that all data was captured in transit.  

When asked about this JSON anomaly, Professor Sommer cited strict confidentiality restrictions imposed by the courts in the “UK and in two other European countries” where he is testifying, and cautioned that he is “limited” in what he can say.
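The “double connections to different IP addresses” signal mentioned above is something a platform’s own operators could have looked for: a handset that, right next to its normal session with the service backend, also opens a connection to an unfamiliar destination. The script below is an added illustration written for this page, not EncroChat’s or any investigator’s code. The flow records, device IDs and addresses (all from the RFC 5737 documentation ranges) are constructed, and the “known backends” set is an assumption standing in for a platform’s real server inventory.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed inventory of the platform's own servers (constructed, RFC 5737 range).
KNOWN_BACKENDS: Set[str] = {"203.0.113.10", "203.0.113.11"}

# A connection to an unknown host this close to a backend session is the signal.
WINDOW = timedelta(seconds=60)

# Constructed flow records: <timestamp> <device-id> <dst-ip> <dst-port> <bytes-out>
SAMPLE_FLOWS = """\
2020-04-01T09:00:01Z dev-0a1 203.0.113.10 443 2110
2020-04-01T09:00:03Z dev-0a1 203.0.113.10 443 900
2020-04-01T09:00:05Z dev-7f3 203.0.113.11 443 1500
2020-04-01T09:00:06Z dev-7f3 198.51.100.25 443 48210
2020-04-01T09:00:40Z dev-7f3 203.0.113.11 443 700
2020-04-01T09:05:00Z dev-c22 203.0.113.10 443 300
2020-04-01T09:05:02Z dev-c22 192.0.2.77 8443 91000
2020-04-01T10:30:00Z dev-c22 192.0.2.77 8443 120
"""

Flow = Tuple[datetime, str, str, int, int]


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record; rejects malformed addresses."""
    ts, dev, dst, port, nbytes = line.split()
    ipaddress.ip_address(dst)  # raises ValueError on garbage
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dev, dst, int(port), int(nbytes)


def find_double_connections(
    lines: List[str], known_backends: Set[str], window: timedelta
) -> Dict[str, List[Tuple[str, int]]]:
    """Flag devices that, within `window` of talking to a known backend, also
    open a connection to a destination outside that baseline. Returns a map
    of device id -> [(foreign destination, bytes sent)], in time order."""
    by_device: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, dev, dst, _port, nbytes = parse_flow(line)
        by_device[dev].append((ts, dst, nbytes))

    flagged: Dict[str, List[Tuple[str, int]]] = {}
    for dev, flows in by_device.items():
        flows.sort()
        backend_times = [ts for ts, dst, _ in flows if dst in known_backends]
        for ts, dst, nbytes in flows:
            if dst in known_backends:
                continue
            # A lone foreign connection far from any backend session is not flagged;
            # the signal is the pairing of the two in time.
            if any(abs(ts - bt) <= window for bt in backend_times):
                flagged.setdefault(dev, []).append((dst, nbytes))
    return flagged


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Run the rule over the constructed sample."""
    return find_double_connections(SAMPLE_FLOWS.splitlines(), KNOWN_BACKENDS, WINDOW)


if __name__ == "__main__":
    for dev, hits in sorted(demo().items()):
        for dst, nbytes in hits:
            print(f"{dev}: also spoke to {dst} ({nbytes} bytes out) during a backend session")
```

The rule is anchored on proximity to a known-backend session rather than on “more than one destination” alone, because ordinary phones talk to CDNs, time servers and update mirrors all day; a stripped-down cryptophone that only ever speaks to its own backend is exactly the kind of fleet where a second destination stands out. Bytes sent are reported because a dump of a week of stored messages would be large relative to a chat session, and the late, isolated connection from dev-c22 is deliberately left unflagged to show the rule’s boundary.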

Occam’s Razor

Given the French court’s deliberate ambiguity, defense lawyers for EncroChat suspects in the UK have developed an alternative and simpler hypothesis for the hack. Even expert witnesses for the prosecution have admitted the defense’s theory is “technically feasible,” according to the Manchester ruling.

The defense believes that C3N investigators were able to replace EncroChat’s encryption mechanism, which French-submitted evidence suggests was based on the Signal Protocol, with a weakened random number generator that made the network’s future ephemeral keys predictable.

This malicious implant caused a “micro-stage 1 Realm extraction of the ratchet value being used by the app in order to produce ephemeral keys for encrypted messages,” according to the defense theory. Using this value as a master key, the JIT was able to decrypt messages as they passed through EncroChat’s server, argues the defense.
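To make the defense’s theory concrete, the following Python is an added example written for this page; it is not EncroChat’s code and not anything disclosed in the French material. It models the one property the theory depends on: a Signal-style symmetric ratchet derives every future message key from the current chain key with a one-way KDF, so a single read of that chain value (the “micro-stage 1 Realm extraction” above) lets a passive observer at the server decrypt everything sent afterwards, while messages sent before the read stay unreadable. The toy XOR cipher, the fixed demo chain key, the sample messages and the seeded-PRNG function are all constructed stand-ins; the HMAC input constants follow the values the Double Ratchet specification suggests.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

# Constructed demo key: stands in for the ratchet state an implant would read
# from the on-device database. Fixed so the walk-through is reproducible.
CONSTRUCTED_CHAIN_KEY = hashlib.sha256(b"constructed demo chain key").digest()

# Constructed sample traffic (not real intercepts).
DEMO_MESSAGES = [
    b"pallet 7 lands Tuesday",
    b"use the second gate",
    b"driver paid in full",
    b"move the rest Friday",
    b"wipe this thread",
]


def kdf_chain_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One step of a Signal-style symmetric-key ratchet (KDF chain).

    Returns (next_chain_key, message_key). The single-byte inputs 0x01 and
    0x02 are the constants the Double Ratchet spec suggests; any two distinct
    labels would do. HMAC is one-way, so a chain key yields all later keys
    but reveals nothing about earlier ones.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def toy_xor_cipher(message_key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with an HMAC-SHA256 counter keystream. A stand-in for
    the real AEAD; it is symmetric, so the same call encrypts and decrypts.
    Only the key derivation matters for the point being illustrated."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(message_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, stream))


class Sender:
    """The handset side: advances the chain once per message."""

    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key
        self.index = 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        ciphertext = toy_xor_cipher(message_key, plaintext)
        self.index += 1
        return self.index - 1, ciphertext


def decrypt_from_captured_state(
    captured_chain_key: bytes, captured_index: int, wire: List[Tuple[int, bytes]]
) -> Dict[int, bytes]:
    """Server-side observer holding the chain key as it stood just before
    message `captured_index` was sent. Re-derives every later message key and
    decrypts those ciphertexts in transit. Earlier messages stay opaque."""
    chain_key = captured_chain_key
    message_keys: Dict[int, bytes] = {}
    for i in range(captured_index, max(i for i, _ in wire) + 1):
        chain_key, message_keys[i] = kdf_chain_step(chain_key)
    return {i: toy_xor_cipher(message_keys[i], ct) for i, ct in wire if i in message_keys}


def chain_key_from_weak_rng(seed: int) -> bytes:
    """The other half of the theory: ratchet state drawn from a predictable PRNG.
    Anyone who knows (or can guess) the seed reproduces the chain key without
    ever touching the device. random.Random is not a cryptographic generator."""
    return random.Random(seed).randbytes(32)


def demo(snapshot_at: int = 2) -> Tuple[Dict[int, bytes], List[int]]:
    """Send the sample messages; an implant snapshots the ratchet state just
    before message `snapshot_at`; the observer decrypts from the server side.
    Returns (recovered plaintexts by index, indices that stayed unreadable)."""
    if not 0 <= snapshot_at < len(DEMO_MESSAGES):
        raise ValueError("snapshot_at must index a sample message")
    sender = Sender(CONSTRUCTED_CHAIN_KEY)
    wire: List[Tuple[int, bytes]] = []
    snapshot: Tuple[bytes, int] = (b"", 0)
    for n, msg in enumerate(DEMO_MESSAGES):
        if n == snapshot_at:
            snapshot = (sender.chain_key, sender.index)  # the "micro-stage 1" read of stored state
        wire.append(sender.send(msg))
    recovered = decrypt_from_captured_state(snapshot[0], snapshot[1], wire)
    missed = [i for i, _ in wire if i not in recovered]
    return recovered, missed


if __name__ == "__main__":
    got, unreadable = demo()
    for i in sorted(got):
        print(i, got[i].decode())
    print("unreadable (sent before the snapshot):", unreadable)
    assert chain_key_from_weak_rng(1337) == chain_key_from_weak_rng(1337)
```

The asymmetry in the output is the practical point: once ratchet state leaks from storage, forward secrecy protects the past but not the future, and the weak-RNG variant removes even the need to touch the device. In both variants the server only ever handles ciphertext plus keys derived elsewhere, which is why “decrypted in transit” and “taken at rest” can describe the same collection rather than competing accounts of it.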

Ultimately, the defense failed to convince Justice Dove that “the TEI warrant was unlawful” and that “EncroChat messages amounted to bulk interference,” per his ruling. Since last July, the EncroChat takedown has resulted in numerous convictions, especially in the UK.

At least 17 other criminals have been jailed on Venetic-related charges in the UK, going by NCA bulletins. An NCA spokesperson was unable to comment in time for the publication of the story.  

The most high-profile prosecution so far has been the jailing of Thomas Maher, a 40-year-old Irish father of three who ran a trucking company in Woolston. Investigators found that Maher was generating millions facilitating the movement of drugs across Europe for “crime gangs ranging from Colombian drug traffickers to pan-European syndicates.”

Last December, a Liverpool court sentenced Maher to nearly 15 years on drug and money laundering charges. But some EncroChat suspects are getting off too, largely because authorities are struggling with attributing devices to their actual owners.

Most recently, British media reports revealed that an alleged drug dealer in Liverpool was cleared of EncroChat-related gun and drug charges in June. Last April, police pulled over twenty-five-year-old Joseph Ventre in his BMW and arrested him. But the case was thrown out by the Liverpool Crown Court because the “relevant phone could not properly be attributed to the defendant” by prosecutors, according to a court statement.

Beyond the problem of device attribution, French prosecutors’ refusal to divulge critical forensic evidence about how the hack was conducted, or what quality-control provisions were taken during the operation, could set a legal precedent for a wave of case dismissals and exonerations across Europe.

Holland & Beyond

In the Netherlands, the prosecution is also prevailing. Last month, a Dutch court approved the withdrawal of three judges assigned to an EncroChat criminal case in Rotterdam dubbed the “Sartell file,” according to court documents.

According to Dutch news reports this case concerns a large-scale “investigation into international cocaine trafficking and money laundering.” The prime suspect in this case is an alleged trafficker named Piet Costa, but other defendants are linked to the ghastly, dentist-chair torture chamber discovered by Dutch police last Summer inside a modified shipping container.  

Torture chamber discovered by EncroChat investigators, source: Dutch Police

The court allowed these judges to recuse themselves because they were exposed to an unredacted search warrant authorization form, which detailed “information about the means of capture used in France and the method of installation” of the EncroChat exploit, according to court documents.

This unredacted form is not “part of the procedural documents and can never become part of the criminal case,” said the court filing. The public prosecutor advised the judges to resign because they became privy to “more knowledge than the Public Prosecution Service and the defense in 26Sartell have and may have in view of the French state secret,” according to court documents.

But according to Mark, who said he has obtained other leaked documents from Dutch courts, these “prosecutors talking about the prosecution being unaware is a bit of a joke. It was signed by J.J.J. Schols, Rechter-Commissaris (examining/investigating magistrate/judge), on the 27th March 2020. For this guy to go ahead requires the prosecution to request that process.”

Schols was “an investigating judge acting in a prosecution role on behalf of law enforcement that wrote the document and disclosed the method in it.  It’s like a judge doing investigating and writing up a warrant,” said Mark. A spokesperson for the Dutch Public Prosecutor’s Office declined to comment.

Still, defendants are having better luck in other EU countries. In Germany, an alleged drug dealer who was jammed up with 16 Encro-related charges was acquitted earlier this month after a judge in Berlin cited French defense-secrecy classifications on evidence.  

Evoking Professor Sommer’s PowerPoint, the judge ruled that the classified nature of the technical device meant it was “impossible to test the lawfulness of the means of investigation used on Encro users in Germany,” according to news reports. Therefore, the prosecution of the suspect would have been unconstitutional under German law.

SkyFall

“unauthorized” Sky ECC device, source: Dutch Police  

The second clandestine cryptophone network to fall in the last year is Sky, but the investigative methods used by Belgian, Dutch, and French authorities to “unlock” its 521-bit elliptic-curve cryptography and end-to-end encryption have also been the most ambiguous.

Unlike EncroChat, Sky was purely an app that users installed on Apple and Google phones, “with the latest security restrictions in place,” according to Michael Harrison, an expert witness for the prosecution cited in the Manchester ruling. Additionally, Europol noted that the EncroChat takedown pushed cryptophone refugees to use Sky, according to the press release announcing the follow-up sweep.

Belgian and Dutch authorities began investigating organized crime links to the Sky network and its resellers sometime in 2018, according to a Belgian Public Ministry press release and unsealed Dutch court documents related to the Marengo trial in Amsterdam. This sensational trial involves the prosecution of reputed Moroccan drug kingpin Ridouan Taghi and his co-conspirators.

Reputed Moroccan drug kingpin Ridouan Taghi, source: Sky News

Taghi stands accused by Dutch prosecutors of involvement in at least “nine ordered assassinations” and drug trafficking charges. The reputed kingpin has also been linked to the recent contract killing of prolific Dutch investigative journalist, and a key adviser in the Dutch case against him, Peter De Vries.

In both Belgium and the Netherlands, the primary users of the Sky platform were “made up almost exclusively of customers of Moroccan origin,” according to the Le Monde report. Presumably, these customers were affiliated with Taghi’s ethnic “Mocro Maffia” syndicate.

The Marengo trial is essential to the Dutch Sky investigation, as Dutch police allegedly set up a so-called “pen register” tap of all Sky phones in the Netherlands, according to comments made by Taghi’s attorney Inez Weski at an April pre-trial hearing. Unlike a wiretap, which intercepts the content of communications, a pen register tap only captures metadata about the calls made.

Like the EncroChat probe, this tap is also legally controversial, as Weski said that investigators tapped all the phone traffic from people who were in the vicinity of her law office on a day that police assumed one of Taghi’s contacts would communicate with her over a Sky phone. This call reportedly never happened. Weski did not respond to multiple requests for comment.

Prosecutors in France, meanwhile, began investigating Sky in August of 2019. The Belgian operation was codenamed ‘A-Limit,’ while its Dutch counterpart was classified as ‘Argus.’

On March 9, hundreds of Belgian and Dutch special police units raided dozens of suspects, seized millions of euros and tons of drugs, and intercepted one billion ciphered messages, according to the press announcement.

This sweep eventually led to the seizure of at least 28 tons of cocaine in Belgium alone. On the day of the raids, Sky ECC Technologies, the cryptophone network’s parent company, also authored a French-language press release saying it “experienced temporary interruptions related to its servers on March 8, 2021 from 8:00 PM PST to 4:00 AM PST,” just under 24 hours before the commandos stormed into suspects’ homes.

Additionally, the parent company’s press statement also discredited the Dutch publicity blast for the sweep, which featured a photo of a counterfeit “SKYECC.EU” phone that was not authorized by the cryptophone network, according to Sky. This could indicate that Anom-like tradecraft was used to introduce compromised phones into resellers’ supply chain.

Last month French news outlet Le Monde cited a March 26 report made by a “divisional commissioner in charge of the French investigation,” who reportedly said more than “503 million decrypted Sky messages confirmed the exclusively criminal use of the Sky ECC solution."

Simon Piel, one of the Le Monde reporters who co-authored the above story, said he was unable to provide the divisional commissioner’s report for independent corroboration. The Belgian Federal Police Sky press release reported that a quarter of Sky’s 70,000 monthly active phones were located in the Low Countries, with an emphasis on Antwerp.

Weak Encryption

Shrimpton’s expert witness testimony from the July Manchester ruling may shed some light on how the Sky sweep was conducted. The NCA technical officer said he had previously reverse engineered the Sky app and that it was possible to decrypt its messages. Shrimpton also said his method of exploitation was “consistent with the announcements of the Belgian police in March 2021.”

Shrimpton further testified that while the “SkyECC app used Diffie-Hellman elliptical curve encryption, it did not have perfect forward security.” Perfect forward security “ensures that even if the most recent key is hacked, a minimal amount of sensitive data is exposed,” according to load-balancing specialists Avi Networks.

“The vulnerability of the SkyECC system was that it used a single long-term key, and once the long-term or master key was worked out then it could be used to decrypt future messages,” said the Manchester ruling. Shrimpton testified that this is likely how “vulnerability was designed into the SkyECC system.”
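To make concrete what the ruling describes, the following added example (not code from the article, the court record or Sky ECC) contrasts a single long-term ECDH key with a fresh ECDH pair per message on secp256k1: once the long-term secret is obtained, the first scheme’s whole stored transcript opens, while the second’s does not. The curve arithmetic, the keystream cipher and the sample messages are constructed for illustration and are not Sky’s actual protocol.

```python
# Added teaching example (not from the article, the court record or Sky ECC): one long-term
# ECDH key (no forward secrecy) versus a fresh ECDH pair per message, on secp256k1.
import hashlib, hmac, secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # y^2 = x^3 + 7 over GF(P)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of base point G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None or q is None:
        return p or q                      # adding the identity returns the other point
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, p):
    """Double-and-add scalar multiplication (teaching code, not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def derive_key(priv, pub):
    """ECDH: hash the x-coordinate of priv * pub into a 32-byte symmetric key."""
    x, _ = ec_mul(priv, pub)
    return hashlib.sha256(x.to_bytes(32, "big")).digest()

def xor_stream(key, nonce, data):
    """Tiny keystream cipher (HMAC-SHA256 counter mode); a real app would use an AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, msg):
    nonce = secrets.token_bytes(8)
    return nonce, xor_stream(key, nonce, msg)

def run_static(messages):
    """One long-term ECDH secret protects every message (the weakness the ruling describes)."""
    (a_priv, a_pub), (b_priv, b_pub) = keygen(), keygen()
    key = derive_key(a_priv, b_pub)        # identical to derive_key(b_priv, a_pub)
    transcript = [seal(key, m) for m in messages]
    # Later the long-term key is obtained; the stored transcript opens, past and future alike.
    leaked = derive_key(a_priv, b_pub)
    return [xor_stream(leaked, n, c) for n, c in transcript]

def run_ephemeral(messages):
    """Forward secrecy: fresh ECDH pair per message, wiped after use (authentication omitted)."""
    (a_priv, a_pub), (b_priv, b_pub) = keygen(), keygen()
    transcript = []
    for m in messages:
        (ea_priv, ea_pub), (eb_priv, eb_pub) = keygen(), keygen()
        transcript.append((ea_pub, eb_pub) + seal(derive_key(ea_priv, eb_pub), m))
        del ea_priv, eb_priv               # only the public halves ever touch the wire
    # Even with both long-term keys leaked, the per-message secrets are gone for good.
    leaked = derive_key(a_priv, b_pub)
    return [xor_stream(leaked, n, c) for _, _, n, c in transcript]
```

Running `run_static` and `run_ephemeral` over the same constructed messages shows the first returning the plaintexts verbatim and the second returning only noise.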

In fact, as far back as 2016, a trio of Israeli encryption researchers had published a paper that explained how elliptic curve Diffie-Hellman (ECDH) encryption could be cracked via a so-called “side channel” attack rooted in electromagnetic wave detection. Apparent overlap in the geo-locations of EncroChat’s and Sky’s servers provides further insight into the TTPs deployed by investigators.

The French Connection

A barely publicized Sky takedown press release authored by Paris Public Prosecutor Rémy Heitz said “it emerged” from the French investigation “that this communication solution, not declared in France” was actually “hosted on servers installed on the national territory.”

Recall that the French discovered the location of the EncroChat servers in late 2019 at the OVH data center in Roubaix, per the Manchester court ruling. Additionally, both the EncroChat and Sky investigations were initiated by the Specialized Interregional Jurisdiction (JIRS) of Lille.

However, while C3N is noted in the EncroChat press release, there is no mention of them in the Sky announcement. Instead, three other French LEAs “identified the technical structure of the device and its financing,” according to the French press release.

Once investigators blueprinted the device and its networks, the press release also notes that the “major technical investigations carried out within the framework of European legal and technical cooperation in which Eurojust and Europol took an active part ultimately made it possible to thwart the encryption strategy implemented by SKY ECC and hamper its activities.”

Belgian Federal Prosecutor’s Office Magistrate Ann Lukowiak denied that Sky stored data on OVH servers. “In the on-going joint investigation there is no evidence or any intelligence so far that SKY ECC hosted its messaging data at the OVH data centre in France,” said the judge.

Discrepancies

But this is where official narratives get complicated. In the March 26 French police report cited by Le Monde, the divisional commissioner also said the live phase of the operation “ended on March 9, 2021, the date on which the Belgian authorities unilaterally carried out a day of action causing the decommissioning of the communication solution, forcing the French and Dutch investigators to seize the same day the servers located in Roubaix [North].”

The anonymous cryptophone expert who said EncroChat used the deficient SMP protocol also said they traced Sky data back to OVH servers in France. Specifically, they traced Sky’s IP addresses back to OVH servers as recently as a “couple months before” authorities dismantled the encrypted network and arrested dozens of suspects throughout Europe.

Some of Sky’s autonomous system number (ASN) records “pointed directly to OVH servers,” said the source. An ASN is a unique number assigned to a group of IP address blocks that is administered by a single organization and has its own distinct policy for exchanging traffic with external networks. The source was unable to provide documentation, citing confidentiality restrictions.

Magistrate Lukowiak did not immediately respond to a request for comment regarding this discrepancy in the Le Monde report, nor the source’s claims. But could the French technical device used in the EncroChat sweep have been repurposed to enable another devastating cryptophone supply-chain hack?

Delving deeper into the nature and distinctions between secrecy classifications that apply to technical investigations and devices used in the Sky and EncroChat probes, Paris Prosecutor’s Office spokesperson Vincent Plumas was unable to provide a clear answer.

While the broader cryptophone investigations were both subject to the “general secrecy, which covers French penal procedures,” said Plumas, he also said he didn’t “know the technical issues about the technical devices.”

This is an important discrepancy because the technical device used in the EncroChat probe is guarded by specific defense secrecy statutes in France. Plumas also did not immediately respond to a request for comment regarding the French police report cited by Le Monde.

Cédric Leux, a spokesperson for the Public Prosecution Office of the Lille court, did not immediately respond to requests for comment on the Le Monde report, nor to inquiries regarding overlaps in the cryptophone networks’ server locations and the technical devices used to hack them.

The ‘Colombians of Europe’

Mask-compliant Serbian gang leader Veljko Belivuk, source: AFP

The official Sky narrative is also impacted by the issue of chronology. While press releases published by Europol and Belgium’s Public Ministry point to mid-February as the timeline when Sky texts were “made legible” and “read live,” the takedown of Partizan Red Star soccer hooligans linked to the Belgrade-based “Janjicari” gang by Serbian police happened roughly two weeks earlier.

A prolific Balkan hacker who requested anonymity, and who is crazy or stupid enough to ‘card’ the cryptophone companies and scam them out of free devices for fun, tipped this journalist off to Serbian news reports that suggest Sky messages could be read live at least two weeks earlier than what the Belgian and Dutch narrative alleges.

In a private conversation, the hacker called the Serbs the “Colombians of Europe” – and the grisly evidence revealed in this investigation helps promote this discriminatory ethnic stereotype. In early February, Serbian law enforcement arrested 17 members of a vicious soccer hooligan gang reportedly led by Veljko “The Trouble” Belivuk and seized 44 Sky phones belonging to the suspects, according to local coverage.

Serbian news reported that “Minister of Police Aleksandar Vulin pointed out, as a guest on TV Prva, that the investigators managed to decode the seized phones, in which numerous pieces of evidence of brutal crimes were found.” Pieces of evidence reported by investigators included the grotesquely tortured and mutilated corpse of Milan Ljepoja, a former leader of the notorious ‘Pink Panthers’ international jewel-theft crew.

Ljepoja was allegedly murdered as a result of a bitter war between feuding Montenegrin cocaine clans, with Belivuk’s gang and Ljepoja allying themselves with opposing trafficking groups. Serbian police reportedly deciphered the gruesome contents of these encrypted texts using equipment they had “borrowed from friends,” said Serbian President Aleksandar Vucic at the press conference.

Police reportedly found the Sky “app hidden behind the calculator interface” on suspects’ phones, according to a Balkan Insight report. It’s unclear who exactly the Serbian police’s friends were, but after the Anom takedown in June, the U.S. Embassy in Serbia authored a press release titled “FBI Partners with Serbian Law Enforcement in Worldwide Operation Against Organized Crime”.

The FBI declined to comment on their collaboration with Serbian law enforcement. Regardless, the Sky-enabled sweep of Veljko “The Trouble” and his gang at the beginning of February suggests some LEAs were able to crack Sky encryption earlier than Europol and the Belgians claim they were able to.

So how and when exactly did authorities get into Sky’s network? The answer is unclear and a combination of TTPs may have been used by investigators to pull off this exploit. There is also the odd timing of the OVH fire to consider.

Fire in the Sky

March 10, 2021 OVHCloud fire, source: Bas – Rhine Fire Department

Just after midnight on March 10, less than 24 hours after the Sky raids, a massive fire engulfed OVH data centers in Strasbourg, France. The blaze completely destroyed OVH’s Strasbourg 2 (SBG2) datacenter and caused significant damage to the SBG1 location.

The inferno was so devastating that, by the following morning, British Internet security firm Netcraft found it had knocked “3.6 million websites across 464,000 distinct domains” offline and left over 18 percent of IP addresses attributed to OVH unresponsive.

A malfunctioning inverter that had just been repaired earlier in the afternoon was reportedly the cause of the blaze, according to a video recorded by OVH chief executive Octave Klaba shortly after the disaster. But an official investigation into the fire will not be made public until 2022, with an OVH spokesperson saying in May that the company will be dealing with French authorities and insurance companies for the foreseeable future.

The FBI declined to comment on any Sky-related suspicions surrounding the fire. An email address listed on Sky ECC’s March release was no longer functional. But if the anonymous cryptophone source is correct, the other question that emerges is whether that data was stored natively on OVH servers or if it was somehow re-routed there, said the “Upside Down Times” blogger.

On the other hand, if the cipher scheme was as weak as the NCA technical expert described in his testimony before the Manchester court, the operationalization of a cyber-enabled national defense secret may not have even been needed. Perhaps investigators cracked Sky’s ECDH encryption with exploits that had been disclosed years earlier.

Third Act


Anom handset, source: OLIVIER MORIN/AFP via Getty Images

The final cryptophone takedown to date occurred in June, when the FBI, AFP, and 15 “other countries of the international coalition, supported by Europol and in coordination” with the DEA smashed the faux-encrypted ANOM network.

Anom is likely to be the least controversial of the three sweeps legally speaking, because it was largely enabled by a confidential human source (CHS) that the FBI flipped presumably to help them shave time off their six-year prison sentence. The CHS is a black-hat developer who had also previously worked as a distributor for cryptophone manufacturer Phantom Secure, which the FBI smashed in 2018.

The feds tasked the CHS with building a “master key into the existing encryption system which surreptitiously attaches to each message and enables law enforcement to decrypt and store the message as it is transmitted,” according to the search warrant.

For devices located outside of the U.S., the warrant said, “an encrypted ‘BCC’ of the message is routed to an ‘iBot’ server located outside of the United States, where it is decrypted from the CHS’s encryption code and then immediately re-encrypted with FBI encryption code.”

The fed-ciphered message then passed to a “second FBI-owned iBot server, where it is decrypted and its content available for viewing in the first instance.” Regardless, it’s a miracle the feds pulled this off, given that anonymous security researcher and blogger ‘Canyouguess67’ exposed the Trojan Shield “scam” three months earlier.

In an archived March blog post titled, “ANOM ENCRYPTED SCAM EXPOSED”, the researcher wrote about discovering their remote offshore Romanian server in Bucharest, which would presumably be what Agent Cheviron labeled the FBI’s iBot server located outside the U.S.

More troubling, wrote the blogger, was “the amount of IP addresses relating to many corporations within the 5 eyes Governments (Australia, USA, Canada, UK, NZ who share information with one another) and to make matters worse they were direct connections to the actual proxy servers.”

“This setup used by ANOM gives Google the ability to fingerprint their device and monitor it remotely in a DIRECT way with no safeguards in place at all via the internet. The ANOM device I tested professionally was actually in constant contact with Google servers which was quite concerning. The following IP’s 216.58.200.99 & 142.250.70.196 both lead back to Google servers in both NSW, Australia and California, USA,” wrote the blogger.

Canyouguess67 was not able to elaborate on the details of his forensic investigation in time for the publication of this story. But the blogger did say: “If it wasn't due to my sheer workload, I would have exposed Anom three months prior to the date that I actually did.” The blogger also claimed that the Ciphr cryptophone network is “officially compromised,” which would make it the fourth encrypted communications platform to fall, if they are right again.

Returning to the search warrant, Agent Cheviron also noted that the CHS had previously distributed both Phantom Secure and Sky devices to transnational criminal organizations, which gave him credibility with underworld centers of influence. Agent Cheviron noted in his warrant that the “distribution of cryptophones is predicated on trust.”

Bonafides

“To prevent law enforcement from obtaining devices,” wrote Cheviron, “the Phantom Secure investigation revealed that oftentimes, a distributor must vet would-be purchasers of these devices.” “This vetting process comes from either a personal relationship or reputational access with a purchaser premised on prior/current criminal dealings,” wrote Cheviron.

The CHS also agreed to distribute ANOM devices to some of their existing network of cryptophone distributors and resellers, “all of whom have direct links to TCOs,” according to the warrant. Beyond this informant, the FBI and the AFP also benefited from the unwitting complicity of fugitive Australian biker gang member Joseph Hakan Ayik, who is listed as ‘Defendant 1’ in the Department of Justice’s Anom indictment.

FBI’s Useful Idiot Hakan “the Facebook Gangster” Ayik, source: Facebook

Dubbed the “Facebook gangster” in the Aussie press a decade ago “for flashing his expensive lifestyle online amid a number of alleged links to gangs and drug networks,” according to BBC reporting, Ayik has been on the lam since jumping his bail in 2010, after being arrested in Cyprus in 2010 on drug charges.

The FBI and AFP allege that Ayik has continued his illegal activity while living abroad. The Australian media alleges that Ayik is one of several major crime figures that have formed an enterprise called the Aussie cartel which is smuggling upwards of $1.5 billion worth of drugs into Australia annually, according to the BBC.

But Ayik was duped by Trojan Shield investigators into becoming a key influencer for their Anom honeypot, co-signing on a platform that would lead to hundreds of arrests globally. But unlike the EncroChat and Sky probes, the “information and services provided by the CHS in this case are considered reliable because in part, they have been corroborated by recorded communications, interviews, and business records,” according to the Anom search warrant.

“Given the assertions made by Agent Cheviron in his affidavit in support of the warrant,” said ex-U.S. undercover agent Mazur, “charges against suspects in the Anom case have a far better chance of sticking in court.”

But ultimately, what these takedowns collectively reveal is that “the criminal fraternity consistently prove that they are terrible in academic computing matters,” said Craig Buchan, the director of military-grade encrypted phone maker Omerta Digital.

Yet, with the European Court of Human Rights recently ruling that “allegations of active use of non-exclusive encrypted messaging for terrorist organization, insufficient to justify plausible suspicion of membership” in a case related to the Turkish ByLock crackdown, there is now a legal precedent that can subvert the basis for EncroChat prosecutions and its secrecy classifications at a minimum.

Supply-Chain Risks Will Prevail

While legal controversies permeate at least two of these white-hat cryptophone exploits, lawful organizations in the West continue to face growing supply-chain risks from even more sophisticated cyber-adversaries, some of which are state-sponsored.

Highlighting these concerns is the keynote briefing for this year’s American Black Hat conference in Las Vegas, titled “Supply Chain Infections and the Future of Contactless Deliveries”, that was presented by Corellium chief operating officer Matt Tait.

On the bright side, white hats in the U.S. are getting better at attributing attacks to the most sophisticated threat actors. A recent cybersecurity advisory published by the National Security Agency, the Cybersecurity & Infrastructure Security Agency, the FBI, and GCHQ’s National Cyber Security Centre attributed a “global brute force campaign to compromise enterprise and cloud environments” with uncommon precision.

July 1, 2021 NSA, CISA, FBI, GCHQ Cybersecurity Advisory, source: defense.gov

The advisory attributed the use of a “Kubernetes® cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide” to the exact regiment and unit of the Russian General Staff Main Intelligence Directorate (GRU).

The advisory specifically blamed the GRU’s “85th Main Special Service Center (GTsSS), military unit 26165.” It’s extremely rare to see this degree of confidence and accuracy in cyber-attack attribution.

Recent supply-chain casualty Kaseya, meanwhile, announced last month that it obtained REvil’s universal decryptor from a trusted third party and was in the process of helping customers recover their encrypted data.

But on the topic of secure cryptophone networks, the Australian Criminal Intelligence Commission noted in its review of a “Surveillance Legislation Amendment” that encrypted communications platforms serve no legitimate purpose for “a law-abiding member of the community.”

These platforms are “used almost exclusively by SOC [serious organized crime] groups and are developed specifically to obscure the identities of the involved criminal entities and enable avoidance of detection by law enforcement.”

Yet with the global Pegasus Project investigation revealing that NSO’s zero-click mobile exploit was abused by governments to spy on journalists, human rights activists, and even world leaders, it appears that anti-surveillance platforms may be the only way for some law-abiding citizens to protect their most fundamental human rights.

But with Apple announcing last week that it was planning to update its operating system to proactively use artificial intelligence to scan device messages and iCloud accounts for child sexual abuse material (CSAM), preserving user privacy online is becoming increasingly impossible.
