The Federal Bureau of Investigation created a company that sold encrypted devices to hundreds of organized crime syndicates, resulting in 800 arrests in 16 countries, law-enforcement authorities announced today. The FBI and agencies in other countries intercepted 27 million messages over 18 months before making the arrests in recent days, and more arrests are planned.
The FBI teamed up with Australian Federal Police to target drug trafficking and money laundering. They “strategically developed and covertly operated an encrypted device company, called ANOM, which grew to service more than 12,000 encrypted devices to over 300 criminal syndicates operating in more than 100 countries, including Italian organized crime, outlaw motorcycle gangs, and international drug trafficking organizations,” Europol said today.
Distribution of the devices began in October 2018. The cellphones sold by the FBI-run company were “procured on the black market” and “performed a single function hidden behind a calculator app: sending encrypted messages and photos,” The New York Times wrote today. The cellphones were “stripped of all normal functions,” with the faux calculator being the only working app. Once users entered a code, they could use the app to send messages that they thought were protected by end-to-end encryption.
“For years, organized crime figures around the globe relied on the devices to orchestrate international drug shipments, coordinate the trafficking of arms and explosives, and discuss contract killings, law enforcement officials said,” the Times wrote. “Users trusted the devices’ security so much that they often laid out their plans not in code, but in plain language.”
Unbeknownst to users, messages were routed to an FBI-owned server and decrypted with a master key controlled by the FBI.
Criminals sought extra security features
The operation was given the names “Trojan Shield” and “Greenlight.” Europol called it “one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities.”
But instead of getting backdoors installed into commonly used products—a step that Apple and other companies resisted because it would undermine security for all users—the FBI simply made and sold encrypted devices and monitored the devices’ communications. This was possible in part because criminal syndicates sought specific security features the FBI-run company provided, including remote wipe and duress passwords, Europol said.
FBI monitored messages and attachments
Anom’s website currently has a message saying, “This domain has been seized” and that “[l]aw enforcement has been monitoring messages and attachments from the ANØM platform. A number of investigations have been initiated and are ongoing.”
Here are more details on the operation from Europol’s announcement:
The goal of the new platform was to target global organized crime, drug trafficking, and money laundering organizations, regardless of where they operated, and offer an encrypted device with features sought by the organized crime networks, such as remote wipe and duress passwords, to persuade criminal networks to pivot to the device.
The FBI and the 16 other countries of the international coalition, supported by Europol and in coordination with the US Drug Enforcement Administration, then exploited the intelligence from the 27 million messages obtained and reviewed them over 18 months while Anom’s criminal users discussed their criminal activities.
This culminated in a “series of large-scale law enforcement actions [that] were executed over the past days across 16 countries resulting in more than 700 house searches, more than 800 arrests and the seizure of over 8 tons of cocaine, 22 tons of cannabis and cannabis resin, 2 tons of synthetic drugs (amphetamine and methamphetamine), 6 tons of synthetic drugs precursors, 250 firearms, 55 luxury vehicles and over $48 million in various worldwide currencies and cryptocurrencies,” Europol wrote. “Countless spin-off operations will be carried out in the weeks to come.”
Takedowns of other services helped Anom gain customers
Europol noted that there is “a huge demand for encrypted communication platforms” among criminal networks but that the market for encrypted devices is “volatile.” Law-enforcement takedowns of the EncroChat encrypted platform in July 2020 and the Sky ECC communication service tool in March 2021 helped agencies steer criminals toward the FBI’s own encrypted devices, Europol wrote:
Both operations provided invaluable insights into an unprecedented amount of information exchanged between criminals. After the takedown of Sky ECC in March 2021, many organized crime networks sought a quick encrypted replacement for a communication platform that would allow them to evade law enforcement detection. This was a deliberate and strategic aspect of OTF [Operational Task Force] Greenlight/Operation Trojan Shield resulting in the migration of some of the criminal Sky ECC customer base to the FBI-managed platform ANOM.
Secret master key
Vice published an in-depth story on Trojan Shield that draws from an unsealed court document containing an FBI affidavit and application for a search warrant. The 2018 arrest of Phantom Secure CEO Vincent Ramos, who sold encrypted phones to criminals, helped lead to the FBI operation. “In the wake of that arrest, a confidential human source (CHS) who previously sold phones on behalf of Phantom and another firm called Sky Global, was developing their own encrypted communications product,” Vice wrote.
As the court document states, the “CHS offered this next generation device, named ‘Anom,’ to the FBI to use in ongoing and new investigations.” The document also says that a master key was added to the encryption system used on each message:
Before the device could be put to use, however, the FBI, AFP [Australian Federal Police], and the CHS built a master key into the existing encryption system which surreptitiously attaches to each message and enables law enforcement to decrypt and store the message as it is transmitted. A user of Anom is unaware of this capability. By design, as part of the Trojan Shield investigation, for devices located outside of the United States, an encrypted “BCC” of the message is routed to an “iBot” server located outside of the United States, where it is decrypted from the CHS’s encryption code and then immediately re-encrypted with FBI encryption code. The newly encrypted message then passes to a second FBI-owned iBot server, where it is decrypted and its content available for viewing in the first instance.
The FBI paid the confidential source $120,000 for services and $59,508 for living and travel expenses, the document said.
FBI “push[es] the envelope” to fight encryption
The FBI has complained about encryption in consumer products for years, with one FBI official in 2018 reportedly calling Apple “jerks.” Today’s announcement demonstrates again that law enforcement has the ability to target criminals’ use of encrypted communications without making mass-market devices less secure.
“Encrypted criminal communications platforms have traditionally been a tool to evade law enforcement and facilitate transnational organized crime,” FBI Criminal Investigative Division Assistant Director Calvin Shivers said in the Europol announcement. “The FBI and our international partners continue to push the envelope and develop innovative ways to overcome these challenges and bring criminals to justice.”