Many people think that criminals communicate through the dark web, or over secure messaging apps such as WhatsApp. Very few realize that criminal operations tend to be managed over encrypted phone networks. One such network, Encrochat, was finally shut down by European law-enforcement teams from France, the Netherlands, the UK, Sweden, and Norway, during operations revealed to the public on July 2.
An international team of law enforcement agents, including investigators from the UK’s National Crime Agency (NCA), had been trying to decrypt the platform’s communications since 2016. According to Nikki Holland, the NCA Director of Investigations, Operation Venetic was ‘the broadest and deepest ever UK operation into serious organised crime.’[1] In shutting it down, it is thought to have disrupted plans to traffic and sell drugs, launder money, and arrange the murder of rivals.
Encrochat was one of the largest encrypted communications networks in the world, with around 60,000 users worldwide.[2] It always claimed to be a legitimate company, with its devices used by security professionals, lawyers, doctors, and so on. However, French authorities have said that around 90% of its customers were criminals. And using the service was nothing like going into a high street store, buying the latest handset, and signing up to a popular carrier. For a start, users needed to purchase a specialist device that looked like a typical smartphone but, when a PIN was typed in, booted a separate secure operating system from which encrypted messages could be sent and received.[3] Other modifications included the removal of the camera and microphone and the lack of GPS capability.
Costing around £900 for a handset and £1350 for a six-month contract, Encrochat wasn’t cheap, but it was also popular because it could quickly delete all data on the phone when a special PIN was entered.[4] This data could also be remotely wiped if the handset got into the wrong hands. On its website, the company boasted of using its own form of encryption that it asserted was many times stronger than a standard PGP program. Plus, every message sent using the Encrophone used a different set of keys, meaning that if any one key became compromised, previously sent messages would not be exposed.[5] It was a system that was supposedly impenetrable.
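The per-message key property described above is what cryptographers call forward secrecy. The following Python example is added here to illustrate that property with a generic symmetric hash ratchet; it is not Encrochat’s protocol (which was never published) and the function names, the HMAC labels and the toy XOR cipher are assumptions made for the demonstration. It shows that someone who obtains the chain key at step n can derive the keys from step n onward but cannot recover any earlier message key, because each step is a one-way HMAC derivation.

```python
import hashlib
import hmac

# Added example, not Encrochat's code: a minimal symmetric hash ratchet.
# Each step derives (message_key, next_chain_key) from the current chain key
# with HMAC-SHA256, so no output reveals the chain key that produced it.


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Derive the key for one message and the chain key for the next step."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain_key


def derive_message_keys(chain_key: bytes, count: int) -> list[bytes]:
    """Walk the ratchet `count` steps and return the per-message keys."""
    keys = []
    for _ in range(count):
        message_key, chain_key = ratchet_step(chain_key)
        keys.append(message_key)
    return keys


def chain_key_after(initial_chain_key: bytes, steps: int) -> bytes:
    """Chain key state after `steps` messages (what a compromised device
    at that moment would expose)."""
    chain_key = initial_chain_key
    for _ in range(steps):
        _, chain_key = ratchet_step(chain_key)
    return chain_key


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with a SHA-256 keystream. Illustration only: real systems use an
    AEAD such as AES-GCM. XOR is its own inverse, so decrypt == encrypt."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(plaintext, stream))


def compromise_impact(initial_chain_key: bytes, messages: list[bytes],
                      compromised_step: int) -> dict:
    """Encrypt each message under its own ratchet key, then model an attacker
    who learns the chain key after `compromised_step` messages and reports
    which messages that knowledge alone lets them decrypt."""
    keys = derive_message_keys(initial_chain_key, len(messages))
    ciphertexts = [toy_encrypt(k, m) for k, m in zip(keys, messages)]

    leaked_chain_key = chain_key_after(initial_chain_key, compromised_step)
    attacker_keys = derive_message_keys(
        leaked_chain_key, len(messages) - compromised_step)

    recovered = {}
    for index, ciphertext in enumerate(ciphertexts):
        # The attacker can only try keys they were able to derive.
        for k in attacker_keys:
            if toy_encrypt(k, ciphertext) == messages[index]:
                recovered[index] = messages[index]
    return {
        "readable_indices": sorted(recovered),
        "protected_indices": [i for i in range(len(messages)) if i not in recovered],
    }


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    root = hashlib.sha256(b"constructed-shared-secret").digest()
    msgs = [b"msg 0", b"msg 1", b"msg 2", b"msg 3", b"msg 4"]
    print(compromise_impact(root, msgs, compromised_step=2))
```

The demonstration also makes the defender’s caveat concrete: the ratchet protects messages sent before the key material was captured, but nothing in the construction protects a message whose plaintext is read on the device before encryption, which is exactly the position the malware described later in this article put Encrochat’s users in.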
The beginning of the end for Encrochat came when French authorities, unable to break Encrochat’s encryption, managed to install malware on the devices that allowed them to read messages before they were encrypted and sent. An Encrochat associate, who revealed everything in an interview with Motherboard, said that the malware had been specifically designed for the handset and was created to sit on the device unnoticed, record the screen lock password, and clone application data. It also prevented the data wipe feature from being used, which was what eventually alerted Encrochat that it had been compromised.[6]
In May, some customers began to complain to Encrochat that they could not wipe data from their devices. It still took a month before the company actually got hold of a handset and discovered the malware. At that point, it pushed out a software update to the handsets that reset the phones and also gathered information about the malware. But it seemed that the attackers were not going to give up that easily: the malware was almost instantly replaced, and this time it was also able to change the lock screen password. Sensing that this was a full-scale attack, Encrochat asked the Dutch supplier of its SIMs – KPN – to block connections to the servers thought to be malicious. Then Encrochat also cut its own SIM service. Now the company found itself in a dilemma: it wanted to put out another update to its devices, but it couldn’t be sure that the malware wouldn’t reinstate itself through the patch. Although not confirmed, it is possible that KPN may have been working with the Dutch authorities, as, when Encrochat unblocked its own SIMs, KPN also removed its firewall, allowing the attackers back in again.
By now, Encrochat had realized that the attack was too sophisticated for rivals or criminal hackers and therefore was most likely directed by a government agency. It sent out a message to all of its customers which read:
Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device. You are advises [sic] to power off and physically dispose of your device at once.[7]
On June 13, Encrochat shut itself down, but by then, the law enforcement agencies had managed to read and store enough data on which to act. Police forces mounted a series of raids across Europe on addresses used by organized criminal gangs. In the UK alone, over 746 suspects were arrested, and illegal substances and firearms seized, including:
Over £54 million of proceeds of crime
77 firearms, including an AK47 assault rifle, submachine guns, handguns, four grenades, and over 1,800 rounds of ammunition
More than two tons of Class A and B drugs
Over 28 million pills of street Valium (Etizolam) from an illegal laboratory
55 high-value cars, and 73 luxury watches[8]
The NCA also reported that it had ‘prevented rival gangs carrying out kidnappings and executions on the UK’s streets by successfully mitigating over 200 threats to life.’[9]
In the Netherlands, the haul was similar – ‘the arrest of more than 100 suspects, the seizure of drugs (more than 8,000-kilo cocaine and 1,200-kilo crystal meth), the dismantling of 19 synthetic drugs labs, the seizure of dozens of (automatic) fire weapons, expensive watches and 25 cars, including vehicles with hidden compartments, and almost EUR 20 million in cash.’[10]
Although the international operation took several countries’ law enforcement agencies and four years to complete, it has thrown the criminal world into panic and disarray. The NCA’s Nikki Holland said, ‘the infiltration of this command and control communication platform for the UK’s criminal marketplace is like having an inside person in every top organised crime group in this country … we’ve protected the public by arresting middle-tier criminals and the kingpins, the so-called iconic untouchables who have evaded law enforcement for years, and now we have the evidence to prosecute them.’[11]
Even though the dust has hardly cleared from Encrochat’s massive fall, other companies selling encryption services are already elbowing each other out of the way to claim its empty throne. One of them, the appropriately named Omerta, has even capitalized on Encrochat’s fall on its website, writing, ‘ENCROCHAT HACKED, USERS EXPOSED & ARRESTS GALORE – THE KING IS DEAD.’[12] It goes further, publishing short pieces about how it happened and the fallout from its rival’s misfortune. It then concludes that its own products are more secure and less prone to far-reaching breaches of privacy. This illustrates that, even though the demise of Encrochat has been an enormous success for law enforcement agencies, there are others ready to step into the breach – just as other criminal gangs will replace those who have been taken down. It is a war of attrition where, for once, those responsible for the cyberattacks are the good guys. Maybe the criminals will soon need to look elsewhere to plan and control their empires.
——-
[1] ‘NCA and Police Smash Thousands of Criminal Conspiracies After Infiltration of Encrypted Communication in UK’s Biggest Ever Law Enforcement Operation,’ National Crime Agency, 07/02/2020, accessed at https://www.nationalcrimeagency.gov.uk/news/operation-venetic
[2] Danny Bradbury, ‘Hundreds Arrested After Cops Dismantle Encrypted Phone Network,’ Infosecurity, 07/02/2020, accessed at https://www.infosecurity-magazine.com/news/hundreds-arrested-encrypted-phone/
[3] Ellen Daniel, ‘What is Encrochat, the Encrypted Network Infiltrated by Law Enforcement?’ Verdict, 07/02/2020, accessed at https://www.verdict.co.uk/encrochat-encryption-nca/
[4] Danny Shaw, ‘Hundreds Arrested as Crime Chat Network Cracked,’ BBC, 07/02/2020, accessed at https://www.bbc.co.uk/news/uk-53263310
[5] Danny Bradbury, ‘Hundreds Arrested After Cops Dismantle Encrypted Phone Network,’ Infosecurity, 07/02/2020, accessed at https://www.infosecurity-magazine.com/news/hundreds-arrested-encrypted-phone/
[6] Joseph Cox, ‘How Police Secretly Took Over a Global Phone Network for Organized Crime,’ Motherboard, 07/02/2020, accessed at https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked
[7] Ibid.
[8] ‘NCA and Police Smash Thousands of Criminal Conspiracies After Infiltration of Encrypted Communication in UK’s Biggest Ever Law Enforcement Operation,’ National Crime Agency, 07/02/2020, accessed at https://www.nationalcrimeagency.gov.uk/news/operation-venetic
[9] Ibid.
[10] Joseph Cox, ‘How Police Secretly Took Over a Global Phone Network for Organized Crime,’ Motherboard, 07/02/2020, accessed at https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked
[11] ‘NCA and Police Smash Thousands of Criminal Conspiracies After Infiltration of Encrypted Communication in UK’s Biggest Ever Law Enforcement Operation,’ National Crime Agency, 07/02/2020, accessed at https://www.nationalcrimeagency.gov.uk/news/operation-venetic
[12] ‘Encrochat Hacked, users Exposed & Arrests Galore – The King is Dead,’ Omerta Blog, 06/16/2020, accessed at https://omertadigital.com/blogs/news/encrochat-hacked-users-exposed-arrests-galore-the-king-is-dead
SAYA University is the multi-lingual “netflix of cybersecurity” that produces original e-learning programming in a variety of languages. Saya University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet earth, we have a lot of work to do. Our multi-language e-Learning platform offers the world’s most cutting edge knowledge in cybersecurity, data privacy and compliance all in one place.