Police infiltrate encrypted phones, arrest hundreds in organized crime bust
Almost 750 individuals in the UK have been arrested so far after an international coalition of law enforcement agencies infiltrated an encrypted chat platform in which the suspects openly discussed murder, arranged hits, illegal drug purchases, gun sales, and other alleged crimes.
The UK’s National Crime Agency (NCA) today announced the results of an investigation it dubbed Operation Venetic. UK agencies, taken together, have to date arrested 746 suspects and seized 77 guns, two metric tons of drugs, 28 million illicit pills, 55 “high value” cars, and more than £54 million ($67.4 million) in cash.
The arrests followed a breakthrough into an encrypted communications platform, Encrochat, used widely in the European underground. “The infiltration of this command and control communication platform for the UK’s criminal marketplace is like having an inside person in every top organized crime group in the country,” NCA Director of Investigations Nikki Holland said in a written statement. “This is the broadest and deepest ever UK operation into serious organized crime.”
The investigation began in France, where it eventually was called “Emma 95,” in 2017, according to Europol, the joint European Union law enforcement agency. It then spread to the Netherlands under the code name “Lamont” and eventually came to the UK. Users in Sweden and Norway were also implicated in drug trafficking and other organized crime, Europol said.
French authorities declined to disclose publicly the details of their investigations or the results so far, but Dutch authorities said they have arrested more than 100 suspects and seized more than 8,000kg of cocaine, 1,200kg of crystal meth, dozens of guns and luxury cars, and almost €20 million ($22.5 million) in cash.
No backdoor needed
The suspects were all communicating through Encrochat, an encrypted service requiring specialized phones to operate. As Europol described it:
Encrochat phones were presented to customers as guaranteeing perfect anonymity (no device or SIM card association on the customer’s account, acquisition under conditions guaranteeing the absence of traceability) and perfect discretion both of the encrypted interface (dual operating system, the encrypted interface being hidden so as not to be detectable) and the terminal itself (removal of the camera, microphone, GPS and USB port)
The investigators who found a way in to the platform didn’t try to break the encryption in any way. Instead, they went for the devices, installing malware to allow them to read messages before they were sent. Vice Motherboard reviewed a trove of leaked documents and spoke with law enforcement, Encrochat, and criminals to report in depth what happened.
Encrochat “is highly secretive and does not operate like a normal technology company,” Motherboard observed. While “someone in control of a company email address” told the site that it is a legitimate firm with customers in 140 nations, criminal-affiliated sources said that a whole lot of Encrochat customers are doing something illegal.
The phones themselves are modified Android devices, Motherboard explains, including a model called the BQ Aquaris X2 that’s made by a Spanish firm. Encrochat physically removed GPS, camera, and microphone capabilities from the handsets, so users could not be recorded or traced through them. The company also installed dual operating systems on each device (standard Android as well as the Encrochat system) so the phone could masquerade as a normal device. The devices also boasted a feature allowing them to be wiped completely if the user entered a certain PIN.
Not user error
In May, Motherboard reports, some Encrochat users started to have problems with that wipe feature. At first, Encrochat assumed it was user error or a rogue bug. In May, the company got its hands on one of the X2 devices with the problem and discovered the issue was not user error. Instead, it was malware that not only prevented the wipe but also recorded screen lock passcodes and cloned application data.
Encrochat pushed an update, but the devices were almost immediately struck again, and the new malware could not only record lock screen passcodes—it could also alter them. After attempting several ways to work around the attack by halting SIM service, Encrochat determined the attack was likely from law enforcement and decided to shut down. On June 13, it warned customers: “Today we had our domain seized illegally by government entities(s). They repurposed our domain to launch an attack to compromise the carbon units.”
The company estimated about 50 percent of units in Europe were affected. “Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device,” Encrochat added, advising users to power off and physically dispose of their phones.
As has become clear, though, the shutdown came too late, and law enforcement agencies already had access to an enormous trove of data.
One source told Motherboard the mass arrests seem to have had their desired effect and told the site that bulk purchases of drugs had become significantly harder because “everybody’s going to ground.” Still, the quiet may not last: competitors are not only moving to fill the space, but they’re offering discounts to onetime Encrochat users who may now be looking for a new platform.
https://arstechnica.com/?p=1689071