Something out of the ordinary was going on. From the beginning of 2020, one associate after another of Mark (an alias for a drug dealer in the UK) was arrested by the police. Mark had always paid attention to the security of his operation: team members used aliases when discussing work, and all communication went over encrypted phones sold by a company called Encrochat.
Because messages are encrypted on the device, police could not intercept them in transit and read their contents the way they normally would. On Encrochat phones, criminals talked freely about the details of deals, with prices, customer names and explicit references to the quantities of drugs they were going to sell.
It was no coincidence that, at the same time, police across Europe and Britain were simultaneously arresting a string of criminals. In mid-June, the authorities arrested yet another drug gang member. A few days later, another multimillion-dollar drug shipment was seized in Amsterdam. Mark had no idea what was going on.
A sweeping strike against organized crime
In the UK alone, 746 suspects were arrested after police broke into the Encrochat network.
What Mark and tens of thousands of other Encrochat users did not know was that the messages on their phones were not secure at all. French authorities had hacked Encrochat's network and installed a tool of their own on the handsets, quietly reading the messages users exchanged for months. The investigators then shared those messages with partner agencies across Europe.
By penetrating the Encrochat network's security layer, investigators in Europe were able to monitor in real time "more than 100 million encrypted messages" sent between Encrochat users, including sales plans, money-laundering instructions and even murder plots.
Dutch law enforcement announced that the messages "provide insight into an impossibly large number of serious crimes, including major international drug shipments and drug laboratories, murders, robberies, blackmail, serious assault and hostage-taking. International drug trafficking and money-laundering practices have become apparent."
In the Netherlands alone, "the investigation has so far resulted in the arrest of more than 100 suspects, the seizure of a large amount of drugs (more than 8,000 kg of cocaine and 1,200 kg of meth), the dismantling of 19 synthetic drug laboratories, dozens of automatic weapons, expensive watches and 25 cars, including vehicles with hidden compartments, and close to EUR 20 million in cash."
A drug dispenser was seized during the raid.
The detainees had one thing in common: they all used Encrochat encrypted phones.
Super encrypted phones
On its website, Encrochat described its product as "an end-to-end security solution" that could "ensure anonymity", and said that messaging over Encrochat "is equivalent to a normal conversation between two people in an empty room".
The company said: "Our servers, located overseas in private data centers, never create, store or decrypt security keys, message content or user data." The website also said that Encrochat had agents in Amsterdam, Rotterdam, Madrid and even Dubai, but that they operated with tight security and not like a conventional technology company.
Although in its emails Encrochat presented itself as a legitimate company whose clients in 140 countries, such as security experts and lawyers, simply wanted their conversations to be private, multiple Motherboard sources in the criminal underworld said that many of its customers were criminals. French authorities estimated that about 90% of Encrochat's customers in France "are involved in criminal activity".
Buying an Encrochat device was not straightforward either. One inmate who had used an Encrochat device explained how he bought it from a seller he was introduced to through an acquaintance.
"Apparently he also has an official store but I did not meet him there. I met him down the street and it looked like a drug sale. I talked to him by phone and went to that city to see him."
Essentially, Encrochat's phones were customized Android devices; some were the BQ Aquaris X2, an Android phone released by the Spanish company BQ in 2018.
On these devices Encrochat installed its own encrypted messaging application. Messages were routed through the company's own servers, and the phones' GPS, camera and microphone functions were removed. Encrochat phones also had a feature that quickly wiped the entire device when a designated PIN was entered, and they ran two operating systems side by side.
If a user wanted the device to look harmless, they could boot it into ordinary Android. When they wanted to exchange sensitive messages, they could reboot into Encrochat's own operating system. The company sold the phones on a subscription model costing thousands of dollars per device per year.
Encrochat's agents also regularly ran ads for the product on crime-oriented websites, a way of marketing the goods to exactly the audience they were aimed at. Gradually, Encrochat became especially popular with criminal groups across Europe.
As one witness told Motherboard: "They have become the industry standard."
In May, some Encrochat users noticed an unusual problem: the quick-wipe feature no longer worked. An Encrochat reseller suggested at the time that the user had perhaps forgotten the new PIN or that the feature was not configured correctly. Nothing to worry about, just user error.
Not long afterwards, Encrochat obtained one of the Aquaris X2 handsets with the faulty quick wipe to investigate. It turned out not to be user error at all: they found malware on the device. In other words, the phone had been hacked.
Malware on the device itself
There is no shortage of cases in which companies selling encrypted phones have leaked user data. In 2017, someone set up a website and posted data on all the users of Ciphr, another encrypted phone company, including the email addresses and IMEI numbers associated with each device.
But the Encrochat case was entirely different. This malware lived on the Encrochat device itself, which means it could read messages as they were typed and stored on the handset, before they were encrypted and sent over the internet. End-to-end encryption only protects a message between the two endpoints; an implant running on one of those endpoints sees the plaintext on both sides of the conversation, regardless of how strong the cipher is. For a company whose core mission is protecting the content of its highly security-conscious customers' conversations, this is catastrophic.
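To make the point concrete, here is an added example (not Encrochat's code, and not a description of the actual implant) of why malware on the handset defeats end-to-end encryption. It models a toy messenger in which two phones share a key the relay never sees, so a server- or carrier-side tap gets only ciphertext, and then simulates an implant that hooks the app's send and receive paths above the encryption layer. The cipher is a stdlib-only construction (HMAC-SHA256 in counter mode with encrypt-then-MAC) chosen so the example runs anywhere; the names, messages and class layout are illustrative.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; wire format is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message was modified in transit")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class Network:
    """The provider's relay. `tap` is everything a server- or carrier-side intercept sees."""
    def __init__(self):
        self.phones = {}
        self.tap = []

    def deliver(self, src: str, dst: str, blob: bytes) -> None:
        self.tap.append((src, dst, blob))
        self.phones[dst].receive(src, blob)


class Phone:
    def __init__(self, name: str, key: bytes, net: Network):
        self.name, self.key, self.net = name, key, net
        self.inbox = []
        net.phones[name] = self

    def send(self, to: str, text: str) -> None:
        # The plaintext exists here, inside the app, before it is ever encrypted.
        self.net.deliver(self.name, to, encrypt(self.key, text.encode()))

    def receive(self, sender: str, blob: bytes) -> None:
        self.inbox.append((sender, decrypt(self.key, blob).decode()))


def install_implant(phone: Phone, log: list) -> None:
    """Simulated on-device malware (hypothetical): hooks the app's send/receive
    paths and never touches the crypto. It records what the user types and
    what the app displays, i.e. it sits above the encryption layer."""
    orig_send, orig_receive = phone.send, phone.receive

    def hooked_send(to, text):
        log.append(("out", to, text))
        orig_send(to, text)

    def hooked_receive(sender, blob):
        orig_receive(sender, blob)
        log.append(("in", sender, phone.inbox[-1][1]))

    phone.send, phone.receive = hooked_send, hooked_receive


def run_scenario() -> dict:
    key = secrets.token_bytes(32)        # known only to the two handsets
    net = Network()
    alice, bob = Phone("alice", key, net), Phone("bob", key, net)
    implant_log = []
    install_implant(alice, implant_log)  # only Alice's handset is compromised

    # Constructed sample conversation.
    alice.send("bob", "20kg at the usual place, Tuesday")
    bob.send("alice", "ok, same price as last time")

    tap_leaks = any(b"usual place" in blob or b"same price" in blob for _, _, blob in net.tap)
    return {
        "tap_messages": len(net.tap),
        "tap_sees_plaintext": tap_leaks,
        "implant_log": implant_log,
        "bob_inbox": bob.inbox,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The relay's tap holds both messages but can read neither, and any modification in transit fails the MAC check. The implant on Alice's phone, by contrast, logs her outgoing message and Bob's reply in clear, even though Bob's handset was never touched: compromising one endpoint exposes every conversation that endpoint takes part in.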
They also realized that the malware had been built specifically for the Aquaris X2. Besides blocking the quick-wipe feature, it was designed to evade detection, record lock-screen passwords and copy application data.
Realizing this was a deliberate, targeted attack, Encrochat pushed an update to the Aquaris X2 devices just two days later to restore the phones' special functions and to gather information about the malware installed on Encrochat phones around the world. The company also added the ability to monitor those devices remotely, without having to handle them in person.
However, almost immediately after the update was installed, the attacks resumed, and this time they were more dangerous than before. The malware was back, and now it could even change lock-screen passwords rather than merely record them. The attackers had not backed off; they had escalated.
By this point the situation was urgent. Encrochat messaged all of its users about the ongoing attack. The company also asked its SIM provider, the carrier KPN, to block the connection between the malware's server and the devices. Encrochat suspended its own SIM service as well while it prepared to push another update, since it could not be sure whether the update itself would be carrying malware.
Not long after Encrochat restored its SIM service, KPN lifted the firewall block, letting the attackers' server reconnect to the phones. Encrochat had walked into a trap (the company argued that the carrier had cooperated with the authorities to bypass its security measures; KPN declined to comment).
This time Encrochat decided to shut everything down itself. "We then decided to immediately turn off the SIM and network services," the company said. It believed this was not the work of a rival company but, more likely, of a government.
The message shows Encrochat's desperation at being unable to stop the attack by law enforcement.
Encrochat sent a message to its customers: "Due to the sophistication of the attack and the malware's code, we can no longer guarantee the level of security for your device. It is recommended that you turn off your device and completely destroy your device immediately."
But by then it was too late. Law enforcement had already extracted a huge cache of data from Encrochat phones. Entire drug empires worth millions of dollars lay exposed in the text messages and pictures on the devices.
Alongside text messages about drug orders and criminal plans were pictures of large piles of drugs ready to be loaded onto vehicles: bricks of cocaine stacked in rows, bags filled with ecstasy, handfuls of marijuana, even pictures of criminals' family members and records of their dealings with other criminal organizations.
Screenshots of the messages also show how much Encrochat's announcement frightened its customers. Many tried to work out whether their particular Encrochat device had been affected by the attack.
Screenshot of messages provided by NCA (UK National Crime Agency)
It was not only the criminal empires built on Encrochat devices that were shattered; the company's own sales system was hit too. A Motherboard source said that Encrochat resellers could no longer log into the portal they used to track sales and payments.
Now, with its main means of communication gone, the criminal world appears to be falling apart. Some have gone offline, having no device left to trust. Others tried to flee before their turn came. Buying drugs in bulk has become far harder than before.
Of course, this will not be the end. The encrypted-phone market still has many other players, and the authorities have not been able to stop them.
Cash was confiscated at a suspect’s home after the Encrochat network went down
In 2018, the FBI arrested Vincent Ramos, the owner of Phantom Secure, a company supplying encrypted phones favored by drug bosses of the Sinaloa cartel in Mexico. The FBI then tried to persuade Ramos to install a backdoor in the devices' communications; he refused, and Phantom Secure's system collapsed.
Last year, Motherboard also discovered that a high-level drug syndicate in Scotland had set up a company called MPC to supply encrypted phones to other gangs. And there are many other companies on the market today. The collapse of firms like Encrochat and Phantom Secure gives them an opportunity to grab the vacated market share.
A company called Omerta ran ads aimed directly at former Encrochat customers. One of its blog posts states: "Encrochat was hacked, countless users were revealed and captured. The king is dead." In an email to Motherboard, Omerta also wrote: "Are you lucky enough to escape the recent Extinction Event? 10% discount to congratulate you. Join the Omerta family and get in touch comfortably."
Source: Vice