Three years ago, the FBI began planning a complex sting that has resulted in the arrests of 800 suspected organised criminals in raids around the world.
Police this week carried out hundreds of raids, seizing drugs, firearms, luxury vehicles and money in co-ordinated operations across several countries.
The targets were organised crime groups that had put their trust in an encrypted mobile application called An0m to arrange drug deals, kidnappings and assassinations.
An informer working for the FBI sold An0m Android phones on the black market, claiming they offered users exceptionally secure encrypted messaging.
More than 9,000 encrypted devices were in circulation by the time law enforcement agencies pulled the plug on the network on 7 June 2021.
Its customers had no idea that An0m had been created by the FBI and that their messages were being collected and analysed by specialists from the Australian Federal Police (AFP) in Canberra and the FBI in San Diego.
The FBI operation, codenamed Trojan Shield, has its roots in 2017, when the FBI office in San Diego began investigating the Canadian cryptophone firm Phantom Secure.
The investigation revealed that Phantom Secure, run by Vincent Ramos, was providing secure BlackBerry devices to criminal organisations, offering offenders communications that could not be intercepted by law enforcement.
The FBI arrested Ramos in March 2018 in a joint operation with the Australian Federal Police and the Canadian Mounties.
The takedown left a gap in the market for encrypted phones, particularly in Australia, where there were an estimated 14,000 users of Phantom Secure involved in drug imports and money laundering.
That gap provided an opportunity for law enforcement. The Australian Federal Police raised the idea of a follow-up operation with FBI colleagues over drinks.
The idea, said Suzanne Turner, the FBI special agent in charge of the San Diego field office, would be to create a new encrypted mobile system to compete with others, such as Sky ECC and EncroChat, that were used by criminal groups.
“Realising the marketplace is a small close-knit community, the investigative team came up with an innovative solution to exploit the criminal organisations’ vulnerabilities, which was to make our very own closed encrypted system to offer to the criminal organisations, a Trojan horse of sorts,” she told a press conference.
Confidential Human Source
The FBI’s San Diego office recruited a Confidential Human Source (CHS) following the Phantom Secure shutdown to put the operation into action.
The unnamed source had previously supplied Phantom Secure phones and another secure phone, Sky ECC, to organised criminal groups.
The CHS had already begun developing “next-generation” encryption technology to compete in the market for cryptophones.
The app, modified phones and the An0m platform had been under development for a “significant time” before law enforcement became involved, said AFP assistant commissioner Nigel Ryan.
The FBI had developed a platform to capture encrypted communications from An0m, but lacked a way of decrypting the messages.
The AFP was able to step in, said Ryan, adding: “We had a very smart individual within the Australian Federal Police who managed to produce some technology that managed to let us access, read and interrogate these messages in real time.”
The specialist, working from the living room of his home in Canberra, cracked the problem. He was able to send encrypted messages between two phones and display the unencrypted messages on his laptop in real time.
He filmed a 96-second clip, inadvertently capturing a picture of his bare feet, but it was enough to convince senior officers in the AFP to sign up to a joint investigation with the FBI.
According to Ryan, An0m was the result of “like-minded and passionate individuals in the AFP and FBI thinking differently to address the common problem of the use of encrypted communications by offenders”.
“Those individuals did conceptualise some of this over a beer. From that point, they worked on a plan that would work and was lawful,” he said.
The FBI and AFP were able to influence the development of the platform to ensure it remained attractive to the criminal groups.
“The developers did not understand who the consumers of the platform were, or that law enforcement agencies were involved in the management of this platform,” said Ryan.
The CHS agreed to offer his technology, known as An0m, to the FBI in return for the possibility of a reduced prison sentence, and received payments of $160,000.
He agreed to distribute An0m phones to his trusted network of distributors who, in turn, provided the phones to organised criminal groups.
By the autumn of 2018, the US Organised Crime Drug Enforcement Taskforce (OCDETF) had identified the operation as a priority, providing it with funding and resources.
The FBI’s master key
The CHS, working with the FBI and the AFP technical experts, redesigned An0m to incorporate a “master encryption key” into its software.
Every message was copied to a server outside the US, where it was decrypted using the CHS’s master key and re-encrypted with an FBI encryption key. From there, it was passed to an FBI-owned “iBot” server, where it was decrypted and viewed for the first time by FBI officers.
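To make the key-escrow design described above concrete, here is an added illustration (not An0m’s code; the cipher, the function names and the `relay_key` standing in for the FBI key are all assumptions) of why a master key embedded in the client voids any end-to-end confidentiality claim: the handset wraps each message key once for the recipient and once under the master key, and the offshore relay unwraps it and re-encrypts for the iBot while the recipient sees ordinary traffic.

```python
import hashlib
import hmac
import os

# Toy cipher (XOR with an HMAC-SHA256 counter keystream), used only so this
# runs on the standard library; it stands in for whatever An0m actually used.
NONCE_LEN = 12

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

def client_send(peer_key: bytes, master_key: bytes, message: bytes) -> dict:
    """Handset side: the same body goes to the peer and to the escrow server; only the
    wrapping of the per-message key differs, so the recipient sees nothing unusual."""
    msg_key = os.urandom(32)
    body = encrypt(msg_key, message)
    return {"to_peer": (body, encrypt(peer_key, msg_key)),
            "to_escrow": (body, encrypt(master_key, msg_key))}

def peer_receive(peer_key: bytes, packet: tuple) -> bytes:
    body, wrapped_key = packet
    return decrypt(decrypt(peer_key, wrapped_key), body)

def escrow_relay(master_key: bytes, relay_key: bytes, packet: tuple) -> bytes:
    """Offshore server: unwrap with the master key, re-encrypt under the relay key."""
    body, wrapped_key = packet
    plaintext = decrypt(decrypt(master_key, wrapped_key), body)
    return encrypt(relay_key, plaintext)

def ibot_read(relay_key: bytes, forwarded: bytes) -> bytes:
    return decrypt(relay_key, forwarded)

def demo() -> tuple:
    """One message end to end: returns (what the peer read, what the iBot read)."""
    peer_key, master_key, relay_key = (os.urandom(32) for _ in range(3))
    packet = client_send(peer_key, master_key, b"constructed sample message")
    seen_by_peer = peer_receive(peer_key, packet["to_peer"])
    forwarded = escrow_relay(master_key, relay_key, packet["to_escrow"])
    return seen_by_peer, ibot_read(relay_key, forwarded)
```

The lesson for anyone evaluating a “secure messaging” product is in `client_send`: if any party other than the two endpoints holds a key that can unwrap the message key, the end-to-end claim is false regardless of how strong the cipher is.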
Each phone user was assigned a unique electronic signature, known as a Jabber identification (JID), by the covert human source or another An0m administrator. JIDs were unique identification codes composed of letters and numbers, and on more recent devices consisted of two English words joined together.
An0m users could choose and change their own usernames, but FBI officers were still able to track them through a database that matched their usernames with their Jabber identifications.
The AFP took on the role of pilot-testing the An0m operation. Its officers had identified distributors who could unwittingly supply compromised phones to crime groups in Australia.
The AFP has been running a covert surveillance programme for 14 years to tackle criminal use of encryption, and has built relationships with business, developed tools and techniques, and hired specialist staff.
An0m phones offered attractive features for anyone who wanted to communicate securely: the app was hidden on Android phones and could only be opened by typing a PIN into the phone’s calculator app.
An0m phones were modified so that they could not be used in the standard way. They operated as a closed platform, allowing users to exchange encrypted messages only with other An0m phone users.
They featured self-deleting messages, but also included features that could be helpful to law enforcement.
While some encrypted phone networks, such as EncroChat, deliberately disabled the phone’s camera, An0m phones allowed users to take photographs, pixelate them and send them to other users. Crime gangs, trusting the phone’s security, had no qualms about sharing photos of drug hauls, providing investigators with valuable intelligence.
The phones also offered a push-to-talk feature that allowed users to disguise their voice, another appealing feature for crime gangs.
In October 2018, the FBI’s covert source offered An0m phones to three former Phantom Secure distributors, each with links to criminal organisations in Australia.
They agreed to take 50 devices to trial in a “beta test”, oblivious that the Australian Federal Police had obtained a court order to monitor the communications of every An0m phone user with a link to Australia.
One of those targets was “a significant crime figure” from the Middle East, identified as Joseph Hakan Ayik, who police knew could exert a strong influence over the encrypted communications market.
Ayik, an Australian-born 42-year-old, was a significant figure in drug crime and was suspected of heroin trafficking. He was briefly arrested in Cyprus before jumping bail.
An investigation by 60 Minutes Australia, The Age and the Sydney Morning Herald tracked him down in Turkey, where he is alleged to lead a lavish lifestyle.
AFP’s Ryan explained: “[Ayik’s] use of the device was perceived as an endorsement, and the platform grew exponentially from there.”
This week, Australian authorities urged Ayik to hand himself in for his own safety.
The test operation allowed the AFP to penetrate two major criminal networks operating in Australia that used the phones to discuss the shipping of hundreds of kilograms of narcotics and requests for firearms.
Australia’s court order to intercept An0m communications did not allow it to share the intercepted material with foreign partners, such as the FBI.
Investigators from the AFP monitored the messages and kept the FBI’s San Diego office informed of progress.
Randy Grossman, acting US attorney general for the Southern District of California, said the criminals had no idea they had walked into a trap.
“The criminals using these devices believed they were secretly planning crimes far beneath the radar of law enforcement. But, in reality, the criminals were not underneath the radar, they were on it. The FBI was monitoring those conversations,” he explained.
The growth of An0m
An0m began spreading slowly in Australia. The phones were sold via word-of-mouth recommendations passed on by a community of criminal vendors set up by the FBI’s informant.
Sales took off during the summer of 2019, as demand increased for An0m phones both within Australia and from other countries.
According to a US indictment, users in Europe paid a fee of around $1,000 to $1,500 for a six-month subscription. Payments were made in bitcoin and other cryptocurrencies to protect the users’ anonymity and were laundered through shell companies to hide the proceeds.
Specialists at the AFP developed and trained software to identify criminal themes and threats to life in the messages. The software was able to translate communications in foreign languages and to tag the content of images.
“Imminent threats resulted in an automatic alarm to analysis teams within the AFP and law enforcement partners,” said Ryan.
The investigation team began working with an unnamed third country to set up an additional iBot server outside the US to supply intercepted messages to the FBI.
This additional server acted simply as a mailbox sending messages back to the FBI without law enforcement officials in the hosting country reviewing them. By October 2019, the FBI began receiving messages from the iBot from several hundred An0m users largely based in Australia.
Under the agreement, the iBot server delivered updates to the FBI every Monday, Wednesday and Friday, a US search warrant application reveals.
The end of the operation was planned from the beginning. The date chosen to conduct co-ordinated raids around the world, 7 June 2021, was the precise date on which the court order for the surveillance operation expired.
Under US law, the FBI is not permitted to monitor communications of US citizens, meaning the FBI did not collect messages from devices identified as having US users. Instead, the Australian Federal Police agreed to monitor some 15 devices identified as belonging to US users for messages showing threats to life to US citizens.
Controversial surveillance law
The Australian prime minister, Scott Morrison, confirmed that the country had used its controversial “TOLA legislation” for the first time to gain access to encrypted communications during the operation.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 allows Australia’s law enforcement and intelligence services to compel technology companies to assist government agencies in accessing the content of encrypted communications.
The government has not given any details on how it used th