
Editor's Note: Criminals have always been relatively quick to adopt new technology. From bootleggers assembling fleets of motorized vehicles in the 1930s for the transport of illegal alcohol to drug traffickers exploiting commercial airliners to transport cocaine from South America in the 1960s, technology has always created opportunities for criminals. The current era is no exception, and criminals are quickly adopting technology to help them communicate in secrecy, sell their illicit wares in virtual marketplaces, and send and receive payments through new forms of currency. The technologies are helping criminal organizations conduct traditional activities (such as drug trafficking) more efficiently and creating entirely new fields of criminal activity, such as ransomware attacks and off-the-shelf tools to facilitate cyberattacks.
But with new technology comes new vulnerabilities, and law enforcement agencies around the world are demonstrating that they can also harness the efficiencies of new technology to counter criminal activity. In this three-part series on crime and technology, we will explore how criminals are adopting new forms of communication to coordinate criminal activity, new marketplaces for selling illicit wares and new ways to facilitate payments that cater to a more virtual market. Each analysis will explore how criminals use the technology in question, how it makes them vulnerable to detection and what to expect in the future. First, we consider how criminals use secure communication platforms to coordinate activity across organizations and around the world, and how those same platforms can make them vulnerable.
Secure, private communications platforms are proliferating as more people around the world seek out ways to stay connected to others while also being discreet about what information they share with whom. Every week seemingly brings new revelations about ostensibly private information being compromised in a data breach, hostile cyberattack or government surveillance operation, or by private companies gleaning personal details about their users. Concern for privacy has driven demand for mainstream platforms like WhatsApp and iMessage, which allow individuals and groups to share information through encrypted channels. Encrypted messaging platforms are attractive in business and commercial dealings, allowing users to hash out details on a transaction, share invoices and arrange transfers of goods and services in a convenient and relatively secure fashion.
The privacy provided by mainstream services like WhatsApp and iMessage is not sacrosanct. Such platforms are operated by major companies — in these cases, Facebook and Apple, respectively — that fall under U.S. legal jurisdiction. If law enforcement authorities have reason to suspect individuals are conducting illegal activity on the messaging platforms, they can file requests for information with the company in order to get details that could facilitate legal charges and arrests. While companies tout the privacy provided by their products, they also have a reputation to uphold and would not benefit from being associated with drug trafficking, child pornography, threats of violence or other illicit activities. In short, there is a limit to the privacy large companies tolerate on their services.
Just as encrypted messaging services benefit legitimate business and commercial activity, criminal and terrorist groups also stand to gain from them. Public debate over the legality of encrypted communications and secure electronic devices accelerated after the 2015 San Bernardino terrorist attack, when a husband and wife team slew 14 people before law enforcement killed them. Despite law enforcement appeals to Apple to help them unlock an iPhone belonging to one of the attackers, Apple refused, arguing that it would not compromise user privacy to help with the investigation. The FBI eventually gained access to the phone with the help of a third party.
The San Bernardino attack and resulting investigation elevated public awareness of encryption and the limits of personal privacy on electronic devices. Even though Apple held its ground on protecting user privacy, it became clear that U.S. authorities had legal avenues to try to compel compliance and/or break the encryption that supported that privacy. This development accelerated criminals' adoption of more niche apps and services to ensure security and privacy above and beyond the encrypted messaging service apps widely used by the general public.
How Criminals Use Encrypted Communication Tech
Criminals undoubtedly continue to use mainstream communication platforms, despite the security vulnerabilities, because they are cheap, easy to access and allow them to communicate with a wide audience. As of May 2021, WhatsApp had 2.5 billion users in over 100 countries, making it the most used encrypted communications app in the world. There are an estimated 1.3 billion active iMessage users; another popular encrypted messaging app, Telegram, has 500 million users. Criminals have exploited the huge markets they can access through popular messaging services to sell their illicit products.
- A research group affiliated with Norton Cybersecurity published a report in 2021 outlining how criminals use Telegram to sell everything from counterfeit documents to personally identifiable information to cyber malware that facilitates online criminal activity such as distributed denial of service and ransomware attacks.
- A federal investigation in 2020 dismantled an opioid and fentanyl trafficking operation on the East Coast that at least partially relied on iMessages for coordination.
- In 2019, Insight Crime reported that street gangs in Mexico were using WhatsApp to advertise drug sales, list prices and availability, and arrange delivery.
As demonstrated in the examples above, despite these apps' heightened privacy settings due to encryption, criminal activity is still fairly easily discoverable — by both independent researchers and legal authorities. Because apps like WhatsApp and iMessage are widely available, criminal actors conducting illegal activities over the platforms can never really be sure of who they are dealing with: police officers can pose as buyers or business partners on messaging apps more easily than they can in the physical world.
In order to provide a deeper level of security, a new group of encrypted messaging services has emerged over the past five years. Such services do not aim to be the next WhatsApp, iMessage or even Telegram; instead, they work to remain unknown except to the small number of people who use them. Since 2018, law enforcement agencies have taken down three such services: Phantom Secure, EncroChat and Sky Global. They have all followed similar strategies to provide next-level security in electronic communications. The services used widely available electronic devices, stripped them down to only the most essential components (removing cameras, microphones, GPS devices or other components that could jeopardize the user's security) and installed a single app on the phone that only allowed the user to communicate with people who also had access to that app. The encryption technology behind the app itself wasn't necessarily new; rather, it was the single-purpose nature of the app and the device that hosted it that ensured communications remained isolated from other services that could compromise the user's security. The services also offered a feature that would destroy past messages and even shut down individual devices should they be seized or otherwise compromised. By sandboxing the service on a dedicated device and only allowing users to communicate with other users, these encrypted messaging platforms provided increased operational security.
While the services ostensibly helped business executives and celebrities ensure discretion in business dealings and/or personal matters, they were immensely popular with criminals. The messaging services' aggressive security features offered criminals a sense of comfort, leading them to discuss details of drug sales and shipments in plain terms instead of code. For example, British investigators charged a former Royal Marine with drug trafficking after intercepting messages from his EncroChat account openly discussing the price and delivery methods of marijuana, MDMA, heroin and other drugs, as well as pictures of the shipments to offer potential buyers proof of quality. The criminal activity wasn't just limited to drug trafficking — police accused Phantom Secure users of attempting to organize murders on the platform. Based on investigations into the services mentioned above, police were able to identify dozens of drug labs, interdict tons of drugs, seize illegal weapons and ultimately arrest thousands of criminals.
It is important to note that the enhanced security messaging platforms were primarily used to facilitate wholesale drug sales and shipments between criminal organizations. They are not practical when it comes to retail drug sales due to the limited number of users. Compared to the billions of users on mainstream messaging services such as WhatsApp, iMessage and Telegram, niche platforms like Phantom Secure, EncroChat and Sky Global measured their users in the tens of thousands. They were still, however, very successful financially. Each device cost several thousand dollars and access to the niche encrypted messaging services cost upward of $1,000 per month. One of the first companies discovered to be involved in such a business, Phantom Secure, earned an estimated $80 million in revenue over 10 years in business. When it comes to encrypted communications platforms, bigger is not always better. And based on the financial success of past companies in the market, more are sure to follow.
How Encrypted Communication Tech Has Made Criminals Vulnerable to Detection
All of the advantages of niche encrypted communications platforms have come at the price of increased police scrutiny and surveillance. The fact that the public is aware of companies like Phantom Secure, EncroChat and Sky Global is the first indication that their encrypted messaging platforms were not as secure as advertised. Phantom Secure collapsed after the FBI arrested its owner, Vincent Ramos, in 2018 for knowingly facilitating criminal activity. EncroChat shut down its services in 2020 after learning that French police were monitoring its servers and collecting intelligence on criminal communications on the platform. In early 2021, European authorities gained access to Sky Global's secure network and monitored the activity of 70,000 users before shutting the operation down.
The key vulnerability of these services is that they depended on servers to handle the encrypted traffic and make sure messages went where they were supposed to go. In all three cases, police found out about the services when they noticed suspected criminals carrying unusual electronic devices. Collecting evidence on individuals typically gives law enforcement agencies leverage over them that they use to turn suspects into informants, which can lead to further evidence and arrests. Investigators were eventually able to track down the servers that supported those devices. When those servers are physically located in a law enforcement agency's jurisdiction — or that of a partner country — authorities can get legal approval to search or monitor those servers. Once investigators have access to the servers, they can intercept messages and start collecting evidence to make arrests. As demonstrated in the 2015 San Bernardino case, it is possible to break encryption, and law enforcement agencies appear to have been able to do that based on their access to plain text messages and images shared on the platforms.

In the most recent case of police targeting criminal communication networks, authorities expanded their access from the servers to the devices themselves. In early June, police agencies around the world started announcing arrests linked to Operation Trojan Shield, a two-year-long sting operation that tricked criminals into using what was supposedly the latest and greatest encrypted messaging service, called "Anom." While the devices followed protocols similar to those of their predecessors — stripped-down handsets whose sole function was to send and receive secure texts through an app disguised as a calculator — there was one major, critical difference: Law enforcement authorities had inserted code into the messaging program that forwarded an unencrypted copy of all messages to a server they controlled. Over two years, the devices acted as honey pots to attract nearly 12,000 criminal actors around the world, yielding 20 million individual messages that authorities used to eventually arrest 800 people and counting.
The success of the operation relied on access to networks of criminals just as much as the piece of code that forwarded copies of all the messages. The FBI was able to carry out the operation by recruiting a confidential human source who had worked on the development of the Phantom Secure service. After the arrest of Vincent Ramos and the collapse of Phantom Secure in 2018, the confidential human source had begun developing the next-generation niche encrypted messaging service when the FBI arrested him. They worked out an arrangement whereby the confidential human source would continue with his plans to launch a new encrypted messaging service, but he would include the tracking code on devices and ship them out to criminals in order to help police monitor criminal activity. Having been closely involved in the success of Phantom Secure, the confidential human source had not only the technical expertise, but also the reputation and credibility within criminal organizations around the world, so that when he sent out a device, they trusted him. As mentioned above, niche encrypted messaging services cannot become successful the same way mainstream services can, through market saturation and scale. Instead, discretion and exclusivity are essential, and the confidential human source was able to convince his contacts that the devices he provided were secure and private.

While Operation Trojan Shield posted impressive figures when it comes to geographic scope, number of arrests, and seized criminal assets, perhaps its largest impact was on the credibility of niche encrypted messaging services — at least in the immediate future. In announcing the culmination of Operation Trojan Shield in early June, the FBI specifically noted that one of the objectives of the effort was to "shake the confidence in" messaging services catering to criminal actors. The success of this sting operation means that at least some criminal actors will be more cautious when it comes to adopting encrypted communications services moving forward. The next generations of service providers will face a considerable challenge in convincing users that their devices are secure following Operation Trojan Shield. Creating mistrust in the criminal world will make it that much harder to organize drug shipments, share intelligence or discuss other criminal matters openly. Any degradation in criminal communication networks makes them less efficient, less profitable and less able to expand operations in the near future. That said, at some point, this disruptive impact will wear off and, in the long run, Operation Trojan Shield and other similar law enforcement efforts targeting encrypted messaging services are unlikely to severely hamper global criminal activities as criminals adapt and adopt new communications practices.
What Lies Ahead for Secure Criminal Communications
The demand for secure communications reaches far beyond just criminal organizations and, given the success (albeit short term) of previous niche encrypted messaging platforms, more will certainly come. Legitimate businesses and multinational corporations want to be able to communicate without jeopardizing key technology or business decisions, celebrities and high-profile individuals similarly want to be able to discuss personal matters without it leaking to the public, and security-conscious individuals, in general, want to be able to communicate without having their information harvested and sold to marketers. To that end, researchers are constantly working on new technology and companies are constantly providing new services that offer secure, encrypted communications.

One of those emerging technologies is blockchain messaging, which uses the same technology behind cryptocurrencies to send and receive secure messages. Proposed designs would mean that only users of the devices sending and receiving the messages would be able to view them. Network administrators, the messaging company providing the service and outside law enforcement investigators would not be able to intercept messages outside of the devices approved to view the messages — at least not without tipping off the author and recipient of the message.

The challenge of offering such a service in the long term is figuring out how to prevent it from becoming corrupted by criminals or terrorists. Police will eventually find out about communication services that facilitate criminal activity and the moment of truth would arrive for any such company when put in the position of either cooperating with authorities or resisting. Cooperating with authorities would cost a company its criminal clientele and resisting would likely result in criminal charges and a service shutdown.
One outcome could be that state-backed criminals facilitate encrypted communication platforms by hosting servers and other critical infrastructure in more permissive environments out of reach of foreign law enforcement agencies. This outcome would acknowledge that communication security is not so much a question of encryption technology, but the physical location of servers that support the service. Countries like Russia and North Korea have been known to tolerate and even support criminal activity so long as it targets their internal political rivals or external enemies and does not challenge their own political power.
Another outcome might be just to continue the cat-and-mouse game with police, where criminals and service providers accept a high rate of turnover in the development of new encrypted messaging apps (along with the risk of arrest) as the cost of doing business. New services will surface and shut down in the face of law enforcement scrutiny only to reemerge in different forms in an ever-repeating cycle.
Criminal organizations have immense access to resources and an even greater demand for secrecy in their daily operations. These two forces will ensure that secure communication services will run the risk of attracting a criminal clientele and that some companies will even cater to criminals in ways that help them avoid law enforcement detection. But just as these dynamics are inevitable, so it is that law enforcement agencies will continue to find ways into ostensibly secure platforms to identify and ultimately disrupt their users. This same process plays out in the shadowy world of online criminal marketplaces, which we will discuss in part two of this series.