Law enforcement agencies have been selling encrypted phones to organised crime gangs for years, monitoring their conversations in what is being called the biggest law enforcement sting ever.
The FBI & Australian law enforcement set up the encrypted chat service & ran it for over 3 years, seizing weapons, drugs & over $48m in cash.
Since 2018, agencies have been overseeing the distribution of hardened, encrypted devices that have enabled them to eavesdrop on crooks. The monitoring of the devices, which are called Anøm, Anom or An0m, has led to a deluge of actions.
On Mon., law enforcement agencies from the US, Australia & Europe announced that the massive global operation – called Operation Ironside by Australian Federal Police (AFP) & Trojan Shield by the FBI & Europol – resulted in these moves, carried out in 16 countries over the preceding few days:
- 700+ house searches
- 800+ arrests
- Seizure of 8+ tons of cocaine, 22 tons of cannabis & cannabis resin
- Seizure of 2 tons of amphetamine & methamphetamine, 6 tons of synthetic drugs precursors
- Seizure of 250 firearms, 55 luxury vehicles & over $48 million in various worldwide currencies & cryptocurrencies
As the AFP outlined, for more than a decade, many organised crime syndicates have been dark. They have been using end-to-end encryption platforms enabled by customised phones that scramble sent messages which are then unscrambled when a recipient opens them.
However, in 2018, the FBI seized Phantom Secure: A chat service that sold encrypted phones to drug traffickers, murderers-for-hire & other organised crime leaders. The Canada-based enterprise purchased smartphones and stripped the devices’ GPS, calling, texting & internet access.
Then, Phantom Secure installed an encrypted email system, thereby placing the phones in closed-loop communication where they could only talk with each other. You couldn’t even begin a conversation to get one of the customised phones unless you had a connection to a distributor, as described in court documents (PDF) filed on Mon.
As FBI Special Agent Nicholas I. Cheviron wrote in the affidavit in support of a search warrant, while the FBI might have dented the supply of encrypted messaging devices, the demand did not go away.
“The continued for these encrypted device platforms by criminals is significant,” he wrote. “[Transnational criminal organisations, or TCOs] are the target market for this technology because the entire success of their illicit activity is premised on avoiding law enforcement detection.”
Following the Phantom Secure takedown, the FBI tracked the developer of a next-generation hardened device – one used only for encrypted messaging, having been stripped of its texting, calling, GPS, & internet functions.
The app that the insider developed was called Anom. Next, the insider – the bureau referred to the person as its Confidential Human Resource (CHS) – basically handed the FBI a company that had a next-generation encrypted device under development.
The insider not only handed Anom over to the FBI: The CHS also agreed to distribute the devices within the existing network of distributors of encrypted chat devices, all of them linked to organised crime. Then began more than 3 years of the distribution of encrypted devices that law enforcement agencies worldwide were listening to.
Before the Anom device was distributed, the CHS, the FBI, & the AFP built a master key into its encryption system: One that surreptitiously attached to each message and enabled law enforcement to decrypt & store the message as it was transmitted.
Anom devices located outside the US sent blind carbon copies (BCCs) of the messages to a 3rd-party XMPP bot, which the FBI refers to as an “iBot” server located outside of the country.
That is where the bot would decrypt the messages & then re-encrypt them using keys that the bureau managed.
That enabled the FBI to intercept the communication of gangs, including details of drug movements or murder plots, photos of bulk cash proceeds of illegal transactions, GPS locations of narcotics shipments, & more.
Due to jurisdiction issues, the bulk of messages were reviewed by Australian authorities, who passed the information to the US 3 times a week. Initial uptake of the Anom devices was slow in the world of organised crime, but it picked up speed by 2019. In fact, a 3rd, unnamed country ended up hosting another iBot server & helping to sift more than 26m encrypted messages.
By 2020, demand had grown so strong that officials did not need to rely on undercover agents to promote the Anom devices anymore. The supply of hardened, encrypted devices had shrunken further after the Phantom Secure closure, with subsequent takedowns of competing platforms including EncroChat & Sky ECC.
Those takedowns led to a massive demand for Anom devices. Before Sky’s dismantling, Anom had about 3,000 active users. Since Mar. 12, 2021, in what officials called a direct result of the Sky Global takedown, there were close to 9,000 active Anom users.
As the affidavit details, the FBI, along with a task force at Europol, identified more than 300 distinct TCOs using Anom. Those organised crime gangs included Italian organized crime; outlaw motorcycle gangs; & international narcotics source, transportation, & distribution cells.
Officials shut down the sting operation when the search warrant expired yesterday, on Mon., June 7. But as The Record reported, some criminal groups apparently figured out that the An0m app was leaking their conversations to 3rd-party XMPP servers a few months ago, in March.
Rick Holland, Chief Information Security Officer & VP of Strategy at digital risk protection firm Digital Shadows, noted that this is not the 1st time we have seen law enforcement agencies run this type of deception.
He pointed to Operation Bayonet: In July 2017, Europol & the US Department of Justice seized the most popular English language dark web market, Alpha Bay.
“Cyber-criminal buyers & sellers flocked to an alternative market: Hansa,” Holland pointed out on Tues. “These criminals didn’t know that the Dutch police had taken over the market, & for the next month, they collected intelligence & evidence on the criminal activities. International law enforcement was able to disrupt cyber-crime.
But as is always the case after law enforcement actions, he observed, “Cyber-crime finds a way. Other criminals & services rise from the ashes.”
While it is not the 1st man-in-the-middle sting, it is unique in incorporating purpose-built encryption devices.
Tyler Shields, CMO at Jupiter One, provider of cyber asset management & governance solution, stressed that this is the 1st we have seen hardware devices having been distributed & used to facilitate a man-in-the middle attack against more than 300 criminal organisations. “
Typically, software-based attacks targeting a specific person or group of people are used,” he explained Tues. “The fact that this targeted literally the entire underworld is of huge importance. This was a really big deal”
Christoph Hebeisen, Director of Security Intelligence Research at mobile security provider Lookout, stated that Anom enabled law enforcement to monitor criminal activity on a network that the criminals themselves assumed to be completely secure – at least, up until a few months ago. That makes the operation a “seemingly very successful campaign,” he explained on Tues.
So, what comes next? It is going to be something, he explained: “As we have seen in the past, the end of 1 encrypted chat service popular with criminals usually leads to a shift to a new one,” he wrote.
That, in turn, could teach the crooks a valuable lesson that law enforcement probably do not want them to learn, Hebelsen observed: “Since there has now been a string of such takedowns, each leading to a large number of arrests, criminals might become more careful,” he concluded.
“This could lead them to use legitimate end-to-end encrypted chat services where they can hide among innocent users.”