800 arrests after police dupe crime groups into using backdoored phones

800 arrests after police dupe crime groups into using backdoored phones

An international operation that monitored an encrypted device company under control of the Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP) has led to a massive, coordinated string by law enforcement in several countries.

The setup

Law enforcement agencies around the world have long campaigned for encryption backdoors, so they can see what criminals are saying to each other. Unable to break the encryption of existing messaging apps, the FBI and the AFP came up with an ingenious plan to get criminals to use a device for encrypted communication that they could eavesdrop on.

The FBI created an app called AN0M, to fill the void left behind by dismantling several encrypted platforms used by criminals. Custom cellphones with the FBI-controlled platform installed were sold on underground markets and grew in popularity. Of course, not all the users interested in these devices were necessarily criminals, but the phones turned out to be very popular among criminals of all kinds, including outlawed motor gangs, Italian organized crime, Asian crime syndicates, and international drug traffickers.

As a result, law enforcement officials have been monitoring what they had to say for nearly three years.

The operation

The name of the operation was different depending on who you ask. The AFP refers to it as Special Operation Ironside, Europol ran an Operational Task Force to support the sting and called it Greenlight, and the FBI (and many others) call it Operation Trojan Shield. Which is very fitting as it pretended to offer the criminals a shield to hide their messages, but that shield was in fact a Trojan horse.

The goal of the new platform was to target global organized crime, drug trafficking, and money laundering organizations, regardless of where they operated, with an encrypted device that had features that would appeal to organized crime networks, such as remote wipe and duress passwords, to persuade criminal networks to pivot to the device.

The service is said to have provided over 12,000 encrypted devices to over 300 criminal syndicates operating in more than 100 countries.

The cooperation

The FBI had the lead in the investigation aided by the AFP which provided the systems needed to decrypt the messages. Europol supported the  operation by coordinating the international law enforcement community that was involved, by enriching the information picture and bringing the criminal intelligence into ongoing operations to target organized crime and drug trafficking organizations. The following countries participated in the international coalition: Australia, Austria, Canada, Denmark, Estonia, Finland, Germany, Hungary, Lithuania, New Zealand, the Netherlands, Norway, Sweden, the United Kingdom, and the United States.

Is it legal?

Of course it was you would say, since it was run by law enforcement. But listening in on the conversations of people that you have no evidence against is not allowed in many countries. The AFP’s prominent role may be related to Australia’s Telecommunications and other Legislation Amendment (TOLA), passed in 2018. The TOLA provides Australian law enforcement with the ability to make technical assistance requests (TARs) that oblige companies providing technical services in Australia to help them decrypt messages with technical assistance or new capabilities.

Providing a service after taking down the real enablers

It is ironic in a way that the need for a encrypted device company has arisen after the EncroChat system had been compromised so that law enforcement could eavesdrop, and the Sky ECC communication service was unlocked. After these events ANOM was welcomed in criminal circles and passed on by word-of-mouth advertising. Australian Federal Police Commissioner Reece Kershaw:

“Essentially, they have handcuffed each other by endorsing and trusting AN0M and openly communicating on it — not knowing we were watching the entire time.”

You had to know a criminal to get hold of one of these customized phones and you could only communicate with someone on the same platform. This probably helped to limit the number of customers to the “target audience” of the agencies that ran the sting operation.

The results

To say that the operation was a success would be an understatement. Law enforcement agencies report that around 800 suspects have been arrested. Searches of more than 700 houses have resulted in the seizure of over eight tons of cocaine, 22 tons of cannabis and cannabis resin, two tons of synthetic drugs, six tons of synthetic drugs precursors, 250 firearms, 55 luxury vehicles and over $48 million in cash and cryptocurrencies.

Why stop now?

Given the operation was so successful, questions have been raised about why its use wasn’t continued. The decision to stop the operation was reportedly made jointly by all the international partners. But commissioner Kershaw is reported to have hinted of “a legal time frame on this operation” about which more details might be revealed later on. We’ll keep you posted.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.