Encrochat: An Introduction
Cheap, secure and easy technology has been a major enabler in the growth and expansion of organized crime networks in the last 25 years. Criminals no longer need to loiter in public phone boxes, talking in some kind of code: instead they can get a military-grade encrypted communications device in the palm of their hand for the price of a few hours' work.
Back in the 1990s (and still today) PAYG burner phones became the spine of the criminal underworld: cheap and anonymous phones that could be ditched every few weeks with limited ties to the end user. The obvious downside is the hassle of frequently needing a new SIM/phone and then distributing the new details to your criminal network contacts.
Then came the smartphone, with its feature-rich options and allegedly unbreakable encryption, the iPhone becoming king with its familiar interface and 256-bit AES encryption (3GS onwards). Apple even famously refused the American authorities a back door to help with anti-terror operations.
But the iPhone, along with its smartphone rivals, has fallen out of favour with organized criminals as companies such as Cellebrite and Grayshift actively market products to law enforcement agencies that will unlock devices, as well as offering in-house services. Various countries, including the UK, have specific legislation in place to force suspected criminals (in certain circumstances) to reveal their PIN or face prosecution for not revealing it, which can result in prison time.
With these smartphone compromises in mind, there has been a huge increase in dedicated encrypted phones and SIMs: an array of companies will sell you phones with an acronym-rich list of tech, encryption protocols and prices. It's a cut-throat marketplace, with companies regularly claiming via YouTube videos and blogs that competitors' products' encryption can easily be defeated. Many of these phones use proprietary software, so it is difficult to analyse and test the code behind the devices.
Through this fractured battlefield arose Encrochat, a Europe-based comms network/service provider that ran from 2016 until it shut down in June 2020 after being infiltrated by law enforcement agencies. Remember, for a product/service to take dominance in the marketplace it doesn't necessarily have to be the best; it simply has to gain a good stronghold and become the go-to brand. Encrochat personified this, and in its four short years it gained 60,000 subscribers across the globe. The Encro phone was the organized criminal's new best friend.
Encrochat came on dedicated Encro Carbon units. These were existing Android (and occasionally other) handsets with key features disabled (GPS, camera etc.) and key Encro apps installed:
Encrochat (messaging app)
Encrotalk (voice calls)
Encronotes (encrypted private notes)
Encrochat's main party trick was its ability to dual boot into a clean Android OS if needed, so it could pass as a normal phone; it also featured a wipe function that triggered if a specific PIN was entered. This is particularly handy for the criminal forced to hand over their PIN to the authorities, as they could disclose the PIN that wiped the phone clean.
Encro devices soon became widespread amongst organized criminals, but this popularity would arguably become their downfall. With the software being proprietary and devices only able to communicate with other Encro devices, many criminal networks adopted Encro phones for their operatives, appreciating the fact that they were easy to use, fully encrypted and could be wiped quickly.
The French authorities started discovering Encro phones on criminals from 2017 onwards. This became a trend found by law enforcement agencies across Europe, many of whom were mystified as to how to unlock the devices. Encro phones were found in raids on various organized criminal groups and were believed to be key devices used to plan murders, drug deals and, of course, money laundering.
With assistance from EU funding and collaboration between the UK, the Netherlands and France, the French Gendarmerie pulled the marvellous trump card of not only taking down the network but putting a "technical tool" on Encro servers in France. An NCA official compared it to having "an inside person in every top organized group in the country". The technical tool, which has been described as malware, enabled investigators to read encrypted messages between users.
The chief of the Dutch National Police Force, Jannine van den Berg, compared the malware to "sitting at the table where criminals were chatting among themselves".
Initially thinking that the planted malware was a bug, Encrochat persevered with updates to try to fix the peculiarities it was seeing as a result of the planted malware. It then realised it was a targeted hack, and on June 12th 2020 it sent the following message to all devices:
The impact of the law enforcement hack was huge: in the UK alone there were 746 arrests, and the Met Police were quick to capitalise on the data, launching "Operation Eternal", which was described as "the most significant operation the Metropolitan Police Service has ever launched against serious and organized crime":
There were similar arrests across Europe in respect of murders, drug importing and associated top-tier organized crime. Perhaps one of the most disturbing discoveries through Encro data was a torture chamber with a soundproofed room, a dentist's chair and a selection of pliers.
How was Encrochat closed down?
Let's consider these factors:
1. Amazing teamwork by several law enforcement agencies
2. Was it simply not very secure?
3. Was it a victim of its own success?
4. Did the owners cooperate with authorities?
The amazing work by the authorities was twofold: firstly the technical aspect of how they managed to infiltrate a complex encrypted communications network, but also how they pooled resources from around the world to do so. Once the network was infiltrated, data was distributed across Europe to the relevant agencies using custom-written processes and specific software tools built for the task.
With regard to point two, you could argue that the ends justified the means: ultimately, as the system was infiltrated, it wasn't secure enough. Furthermore, as the Encro network was proprietary, it couldn't be analysed, collaborated on and tested the way open-source encrypted messaging platforms such as Signal are. The Dutch experts behind the malware are not revealing any more details of how they performed the hack, presumably because the same process can and will be used on future platforms.
As cited earlier, for something to become the biggest it doesn't have to be the best, and this is true of Encrochat. It became popular through aggressive marketing, good features and relatively plentiful resellers. It became so popular that law enforcement agencies could justify investing huge resources into taking it down, as opposed to trying to infiltrate hundreds of smaller encrypted phone systems, each separate with its own network and encryption methods. Encrochat's ecosystem meant all its eggs and subscribers were in one basket.
Finally, did the owners cooperate with authorities? It seems quite odd that authorities were able to gain access to an encrypted network yet never find out who the owners were or bring charges against them for facilitating organized crime.
Little is known of the team behind Encro: internet sources list a Canadian tech entrepreneur (this is only alleged and could be disinformation from rivals) as the lynchpin, who also runs a legitimate corporate-oriented encrypted phone platform.
If this (or something similar) is true, could authorities have pressurised the Encrochat company owners into giving access, using the threat of prosecution and/or loss of their legitimate business as leverage? Perhaps a deal was struck to access data or gain further access in exchange for immunity. The official narrative is that as soon as Encrochat realised it was compromised by authorities they shut down their network and advised all users to destroy their phones, but little else has been reported or released by authorities.
Further Reading:
https://www.vice.com/en/article/3aza95/how-police-took-over-encrochat-hacked