I hope you weren’t using Encrochat

easyDNS is pleased to sponsor Jesse Hirsh‘s “Future Fibre / Future Tools” segments of his new email list, Metaviews

Cops and robbers plus hackers


I’m kind of in holiday mode, but wanted to share and comment on this news story that dropped today.

This is an interesting episode, not just because of the technology, but also the narrative or spin that accompanies it.

The story itself has clearly been wound up in anticipation of release, and as it dropped today like a bomb, it reflects a narrative arc that is neither spontaneous nor novel.

It does feel like an episode of The Wire, only rather than Baltimore, this is Europe and beyond. However, I’m not sure the hype is backed up.

The core of this story is that a technical service was infiltrated: not broken or cracked, but compromised. In so doing, the entire network of users was exposed, many of whom have been caught up in a wave of arrests.

EncroChat was a combination of hardware and secure services. For a premium fee, users could buy a handset that came with two operating systems, one for normal use and one for secure use. The secure system had its own SIM card and could only connect with other users of the network.

French police first discovered the existence of this network a few years ago, and were credited with infiltrating and compromising it, enabling the arrests that were reported today.

Only now is the astonishing scale of the operation coming into focus: It represents one of the largest law enforcement infiltrations of a communications network predominantly used by criminals ever, with Encrochat users spreading beyond Europe to the Middle East and elsewhere. French, Dutch, and other European agencies monitored and investigated “more than a hundred million encrypted messages” sent between Encrochat users in real time, leading to arrests in the UK, Norway, Sweden, France, and the Netherlands, a team of international law enforcement agencies announced Thursday.

As dealers planned trades, money launderers washed their proceeds, and even criminals discussed their next murder, officers read their messages and started taking suspects off the street.

The messages “have given insight in an unprecedented large number of serious crimes, including large, international drug shipments and drug labs, murders, thrashing robberies, extortions, robberies, grave assaults and hostage takings. International drug and money laundering corridors have become crystal clear,” Dutch law enforcement said.

Unbeknownst to Mark, or the tens of thousands of other alleged Encrochat users, their messages weren’t really secure. French authorities had penetrated the Encrochat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and had been quietly reading the users’ communications for months. Investigators then shared those messages with agencies around Europe.


More on how the device and service operated:

Encrochat’s phones are essentially modified Android devices, with some models using the “BQ Aquaris X2,” an Android handset released in 2018 by a Spanish electronics company, according to the leaked documents. Encrochat took the base unit, installed its own encrypted messaging programs which route messages through the firm’s own servers, and even physically removed the GPS, camera, and microphone functionality from the phone. Encrochat’s phones also had a feature that would quickly wipe the device if the user entered a PIN, and ran two operating systems side-by-side. If a user wanted the device to appear innocuous, they booted into normal Android. If they wanted to return to their sensitive chats, they switched over to the Encrochat system. The company sold the phones on a subscription based model, costing thousands of dollars a year per device.

Encrochat is not the only company offering these sorts of phones. So-called “secure phone” companies often don’t have public-facing executives. Instead, they hide their ownership, and some have been caught conspiring with criminals. One company, MPC, was run directly by organized criminals, as Motherboard reported last year. Vincent Ramos, the founder of another secure phone company called Phantom Secure, which started as a legitimate firm, is currently in prison in part for telling undercover agents that he created the device to help with drug trafficking. These companies regularly hire distributors based in different countries or cities, who then help sell the companies’ phones directly to customers. Encrochat allegedly had ex-military personnel selling phones to criminals in at least one case.

The industry is highly competitive, with companies constantly spreading rumours about the security of each other’s devices and uploading YouTube videos to discredit their rivals. Encrochat previously blocked web domains used by other firms’ devices, essentially segmenting their customer base from everyone else. That means dealers often need the same sort of phone as everyone else they’re working with, unless they want to be locked out of important conversations.

That’s a good question. The headlines I included above were for the UK only. Other countries are also citing hundreds of arrests.

However, these are just headlines and numbers. Details of these arrests and investigations remain vague.

We can of course assume that criminal networks are adapting.

Already, other encrypted phone companies are trying to fill the void left by Encrochat. A company called Omerta has been advertising directly to Encrochat’s old customers. “ENCROCHAT HACKED, USERS EXPOSED & ARRESTS GALORE – THE KING IS DEAD,” a blog post on its site reads. Omerta told Motherboard in an email it has seen a rise in traffic recently.

“Did you narrowly escape the recent Mass Extinction Event? Celebrate with 10 percent off. Join the Omerta family and communicate with impunity.”

There’s also the significance of the timing of this event. Governments around the world are vulnerable due to the pandemic and the political and economic crisis it has induced. Organized criminal networks pose an increased risk in such moments, and this particular police action seems a bit rushed.

On the one hand, there’s the genuine concern that users of EncroChat could just switch to a different provider. On the other hand, rather than allow investigations to run their course, there may have been a clear need to round up and disrupt these particular networks.

In making these busts, all these law enforcement agencies are giving up a valuable source of intelligence that came from compromising EncroChat. There are also other criminal networks that were not using EncroChat and that may be empowered by their competitors being disrupted.

Nonetheless, the data and evidence gathered in this action will be substantive, and will influence policing for years if not decades to come.


We’ll have to see whether we learn the truth about this story, or are left to surf the headlines.

The reasons and logic behind this action are worth knowing.

Its symbolic value alone is considerable.

In a moment where the state is vulnerable, its ability to exercise its powers and enforce the law is crucial.

Is today’s episode more pandemic theatre, or an expression of a renewed and reinvigorated state?
