FBI planned a sting against An0m cryptophone users over drinks with Australian investigators

by Joseph K. Clark

Three years ago, the FBI began planning a sophisticated sting that led to the arrests of 800 suspected organized criminals in raids worldwide. The targets were organized crime groups that had placed their trust in an encrypted phone application called An0m to arrange drug deals, kidnappings, and assassinations. Police this week carried out hundreds of searches and seized drugs, firearms, luxury vehicles, and cash in coordinated operations across multiple countries.

An informer working for the FBI sold An0m Android phones on the black market, claiming it offered users highly secure encrypted messaging services. More than 9,000 encrypted devices were circulated when law enforcement agencies pulled the plug on the network on 7 June 2021. Its users had no idea that the FBI had created An0m and that their messages were being collected and analyzed by specialists from the Australian Federal Police (AFP) in Canberra and the FBI in San Diego.

Phantom Secure

The FBI operation, codenamed Trojan Shield, originated in 2017 when the FBI office in San Diego began investigating the Canadian cryptophone company Phantom Secure. The investigation revealed that Phantom Secure, run by Vincent Ramos, was supplying modified BlackBerry devices to criminal organizations, offering them communications that law enforcement could not intercept. The FBI arrested Ramos in March 2018 in an operation with the Australian Federal Police and the Canadian Mounties.

The takedown left a gap in the market for encrypted phones, particularly in Australia, where there were an estimated 14,000 users of Phantom Secure involved in drug imports and money laundering.

That gap provided an opportunity for law enforcement. The Australian Federal Police hatched the idea for a follow-up operation with FBI colleagues over drinks.

The idea, said Suzanne Turner, the FBI special agent responsible for the San Diego field office, was to create a new encrypted phone network to compete with others, such as Sky ECC and EncroChat, that criminal groups used.

Australian investigators

“Realising the marketplace is a small, close-knit community, the investigative team came up with an innovative solution to exploit the criminal organizations’ vulnerabilities: to create our own closed encrypted platform to offer the criminal organizations a Trojan horse of sorts,” she told a press conference.

Confidential Human Source

The FBI’s San Diego office recruited a Confidential Human Source (CHS) following the Phantom Secure shutdown to implement the operation.

The unnamed source had previously supplied Phantom Secure phones and another secure phone, Sky ECC, to organized criminal groups.

The CHS had already begun developing “next-generation” encryption technology to compete in the market for cryptophones.

AFP assistant commissioner Nigel Ryan said that the app, the modified phones and the An0m platform had been under development for a “considerable time” before law enforcement became involved.

The FBI had developed a platform to capture encrypted communications from An0m but lacked a way of decrypting the messages.

The AFP was able to step in, said Ryan, adding: “We had a very smart individual within the Australian Federal Police who was able to produce some technology that was able to allow us to access, decrypt, and read these messages in real-time.”

The specialist, working from the living room of his home in Canberra, cracked the problem. He could send encrypted messages between two phones and display the unencrypted messages on his laptop in real time.

He filmed a 96-second clip, inadvertently capturing a picture of his bare feet, but it was enough to convince senior officers in the AFP to sign up for a joint investigation with the FBI.

According to Ryan, An0m resulted from “like-minded and passionate individuals in the AFP and FBI thinking differently to solve the common problem of using encrypted communications for criminals”.

“Those individuals did conceptualize some of this over a beer. From there, they worked on a plan that could work and was legal,” he said.

The FBI and AFP were able to influence the development of the platform to ensure it remained attractive to criminal groups.

“The developers did not know who the platform users were or that law enforcement agencies were involved in the platform’s management,” said Ryan.

The CHS agreed to offer his technology, known as An0m, to the FBI in return for the possibility of a reduced prison sentence and received payments of $160,000.

He agreed to distribute An0m phones to his trusted network of distributors who, in turn, provided the phones to organized criminal groups.

By the autumn of 2018, the US Organised Crime Drug Enforcement Taskforce (OCDETF) had identified the operation as a priority, providing it with funding and resources.

The FBI’s master key

The CHS, working with the FBI and the AFP technical experts, redesigned An0m to incorporate a “master encryption key” into its software.

Every message was copied to a server outside the US, decrypted using the CHS’ master key, and re-encrypted with an FBI encryption key. From there, it was passed to an FBI-owned “iBot” server, where it was decrypted again and viewed for the first time by FBI officers.

Each phone user was assigned a unique electronic signature, a Jabber identification (JID), by the covert human source or another An0m administrator. A JID was a unique identification code made up of numbers and letters; on more recent devices, it consisted of two English words joined together.

An0m users could choose and change their usernames, but FBI officers could still track them through a database that matched their usernames with their Jabber identifications.

The sting

The AFP took on the role of pilot-testing the An0m operation. Its officers had identified distributors who could unwittingly supply compromised phones to crime groups in Australia.

The AFP has been running a covert surveillance program for 14 years to tackle criminal use of encryption and has built relationships with industry, developed techniques and tools, and hired technical specialists.

An0m phones offered attractive features for anyone who wanted to communicate securely – the app was hidden on Android phones and could be accessed only by typing a secret PIN into the calculator app.

Australian police examine an An0m phone.

An0m phones were modified so they couldn’t be used normally. They operated in a closed system, allowing users to exchange encrypted messages only with other An0m phone users.

They featured self-deleting messages but also included features that might be useful to law enforcement.

While some encrypted phone networks, such as EncroChat, deliberately disabled the phone’s camera, An0m phones allowed people to take photos, pixelate them, and send the pictures to other users. Crime groups trusted the phone’s security unquestioningly and had no qualms about sharing photographs of their drug hauls, providing investigators with valuable intelligence.

The phones also offered a push-to-talk feature that allowed users to change their voice – another attractive feature for crime gangs.

The target

In October 2018, the FBI’s covert source offered An0m phones to three former Phantom Secure distributors, each connected to criminal organizations in Australia.

They agreed to take 50 devices to trial in a “beta test”, unaware that the Australian Federal Police had obtained a court order to monitor the communications of every An0m phone user connected to Australia.

One of the targets was “a significant crime figure” in the Middle East, identified as Joseph Hakan Ayik, who police knew could exert a strong influence over the encrypted communications market.

Ayik, an Australian-born 42-year-old, was a significant figure in drug crime and was suspected of heroin trafficking. He was briefly arrested in Cyprus before skipping bail.

An investigation by 60 Minutes Australia, The Age, and the Sydney Morning Herald tracked him down in Turkey, where he allegedly leads a lavish lifestyle.

AFP’s Ryan said: “[Ayik’s] use of the device was perceived as an endorsement, and the platform grew exponentially from there.”

This week, Australian police urged Ayik to hand himself in for his safety.

The test operation allowed the AFP to penetrate two major criminal networks operating in Australia that used the phones to discuss shipping hundreds of kilograms of narcotics and orders for firearms.

Australia’s judicial order to intercept An0m communications did not allow it to share the intercepted material with foreign partners, including the FBI.

Investigators from the AFP monitored the messages and kept the FBI’s San Diego office informed of their progress.

Randy Grossman, acting US attorney general for the Southern District of California, said the criminals had no idea they had fallen into a trap.

“The criminals using these devices believe they were secretly planning crimes far beneath the radar of law enforcement. But, in reality, the criminals were not underneath the radar; they were on it. The FBI was monitoring those conversations,” he said.

The growth of An0m

An0m began spreading slowly in Australia. The phones were sold through word-of-mouth recommendations passed on by a network of criminal distributors set up by the FBI’s informant.

Sales took off during the summer of 2019, as demand increased for An0m phones inside Australia and from other countries.

According to a US indictment, European users paid a fee of around €1,000 to €1,500 for a six-month subscription. Payments were made in Bitcoin and other cryptocurrencies to protect the users’ anonymity and were laundered through shell companies to hide the proceeds.

Specialists at the AFP developed and trained software to identify criminal themes and threats to life in the messages. The software could translate communications in foreign languages and tag the content of images.

An encrypted message on An0m

“Imminent threats resulted in an automated alert to investigation teams within the AFP and law enforcement partners,” said Ryan.

The investigation team began working with an unnamed third country to set up an additional iBot server outside the US to supply intercepted messages to the FBI.

This additional server acted simply as a mailbox sending messages back to the FBI without law enforcement officials in the hosting country reviewing them. By October 2019, the FBI began receiving messages from the iBot from several hundred An0m users, largely based in Australia.

Under the agreement, the iBot server delivered updates to the FBI every Monday, Wednesday, and Friday, a US search warrant application reveals.

The end of the operation was planned from the beginning. The date chosen for the coordinated raids worldwide, 7 June 2021, was the precise date on which a court order for the surveillance operation expired.

Under US law, the FBI is not permitted to monitor the communications of US citizens, meaning the FBI did not collect messages from devices identified as having US users. Instead, the Australian Federal Police agreed to watch some 15 devices identified as belonging to US users for statements indicating threats to the lives of US citizens.

Controversial surveillance law

The Australian prime minister, Scott Morrison, confirmed that the country had used its controversial “TOLA law” for the first time to gain access to encrypted communications during the operation.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 allows Australia’s law enforcement and intelligence services to order technology companies to assist government agencies in accessing the content of encrypted data.

The government has not given any details on how it used the power in the An0m operation. Morrison declined to say whether Australia’s legal regime was one reason the FBI collaborated with Australia.

“Certainly, as a government, we make no apologies for ensuring that our law enforcement authorities have the necessary powers and authorities,” he said.

Infiltration of EncroChat and Sky ECC boosts demand

Demand for An0m phones grew after police in France, working with the Netherlands and the UK, announced that they had penetrated another encrypted phone network used by criminals – EncroChat – in July 2020.

In March 2021, French and Belgian police took down a second encrypted phone network, Sky ECC, also claimed to be used by criminal groups, while the FBI issued an arrest warrant for its CEO.

Criminal groups began looking for another safe communications device, and many turned to An0m. The number of active users of An0m grew from 3,000 before the closure of Sky ECC to 9,000 by the end of the operation.

Europe joins the sting

As the investigations progressed, the FBI and AFP widened their collaboration to law enforcement operations in other countries.

Sweden’s police were among the first in Europe to join the FBI investigation in September 2019 as part of a European operation coordinated by Europol.

Europol set up an operational task force to work with the FBI and the AFP in March 2021.

Dutch technical specialists developed tools to analyze and interpret millions of messages. The Dutch software could map connections between criminal groups, adding to a wealth of data the Dutch had previously gathered from criminals using the EncroChat encrypted phone network.

The Dutch shared the tools with Europol, which analyzed the data and shared the results with other European countries.

Reviewing the data

An FBI team reviewed and translated messages from the iBot server, cataloging 20 million messages from 11,800 devices.

The phones were used extensively in Germany, the Netherlands, Spain, Austria, and Serbia but were found in over 90 countries.

In addition to messages, the FBI intercepted 450,000 images showing discussions on other encrypted platforms, cash, police documents, and cryptocurrency transactions.

The FBI’s special agent Turner said each of the An0m devices intercepted was used for criminal purposes. The users are the “upper echelon of command and control” of “transnational criminal organizations and their various international illegal transportation and distribution networks”, she said.

FBI analysts translated and assessed the intercepted messages before sharing them with law enforcement agencies in 40 countries.

Europol’s task force identified 300 organized crime gangs using An0m. They included Italian organized crime groups and motorcycle gangs in Australia.

Cocaine was hidden in cans of tuna discovered in a shipping container

In one exchange, Australian Domenico Catanzariti, an An0m network administrator, discussed selling 160 boxes of cocaine marked with a distinctive Batman logo for AUD 160,000 a kilogram.

In another case, Baris Tukel, an Australian citizen living in Turkey, offered to sell cocaine hidden inside French diplomatic envelopes from a supplier in Colombia.

Other messages revealed plans by a crime group to ship cocaine, hidden in cans of tuna, from Ecuador to Belgium in a shipping container. Belgian police intercepted the consignment, and a second container was seized by police in Ecuador.

Another drug shipment from Costa Rica to Spain was concealed in hollowed-out pineapples. Spanish police intercepted the shipment in May 2020, recovering a tonne of cocaine.

The operation also identified corrupt law enforcement officers who had passed information to organized crime groups. Six law enforcement officers were arrested on 7 June, and a dozen investigations into corrupt officers were opened during the operation.

800 people arrested in raids

On 7 June, when the surveillance warrant expired, 9,000 police across Europe and Australia raided hundreds of premises and arrested more than 800 suspects.

The operation in Europe – codenamed Greenlight – led to the seizure of more than 30 tonnes of drugs, hundreds of firearms, luxury vehicles, and $48m in cash and cryptocurrencies.

Sweden’s Polisen searched 100 homes and made 70 arrests. A day later, Spanish police arrested another five Swedish suspects in Spain.

By 8 June, the number of arrests had grown to 155 in Sweden, with further arrests expected to follow.

Dutch police arrested 49 suspects on the first day of the operation, seizing large quantities of drugs, firearms, and €2.3m.

In Germany, police arrested 70 people after conducting 150 searches. Many of them were in the Hesse region.

Money seized by Australian authorities

More than 300 police in New Zealand completed 37 search warrants and made 35 arrests, seizing drugs including methamphetamine, firearms, marine vessels, and more than $1m in cash.

In Australia, more than 4,000 state and federal police arrested over 200 offenders nationwide in Operation Ironside – shutting down six clandestine drug factories.

The offenders were linked to Australian-based Italian mafia, outlaw motorcycle gangs and Asian and Albanian crime syndicates.

“We have arrested the alleged kingmakers behind these crimes, prevented mass shootings in the suburbs, and frustrated serious and organized crime by seizing their ill-gotten wealth,” said Australian Federal Police Commissioner Reece Kershaw.

“Organised crime syndicates target Australia because, sadly, the drug market is so lucrative. Australians are among the world’s biggest drug takers,” he said.

Which network is next?

Kershaw hinted that further police operations against encrypted phone networks might follow.

He said that despite the takedown of An0m, even bigger encrypted platforms are being used by organized criminals targeting Australia.

“They are almost certainly using those encrypted platforms to flood Australia with drugs, guns and undermine our economy by laundering billions of dollars of illicit profit,” he added.

Australian Prime Minister Morrison used the occasion to press for new surveillance powers, which he said had been delayed by a lack of bipartisan support.

A surveillance legislation amendment would give the AFP and the Australian Criminal Intelligence Commission powers to combat serious crime online and overcome anonymizing technology.

“We have a law in the Parliament at the moment, which does not have bipartisan support, which we need support for to give them powers to do that,” he said.
