The booming business of encrypted tech serving the criminal underworld

Criminals have turned to supposedly secure encrypted smartphones rather than normal messaging services - PA
Criminals have turned to supposedly secure encrypted smartphones rather than normal messaging services – PA

For the astonished detectives it was like “getting the keys to Aladdin’s cave”. Over the last few years, senior arms dealers and drug traffickers across Europe had come to rely on EncroChat, a shadowy tech company selling hyper-secure smartphones offering “guaranteed anonymity”.

Assured of their safety, crooks discussed products and prices in exhaustive detail, without the usual codewords. EncroChat’s steep subscription fees, running to thousands of pounds every year, were an offer no self-respecting contraband logistics professional could afford to refuse.

That is why EncroChat’s systematic infiltration by British and European police forces, finally made public on Thursday after more than 740 arrests, was an intelligence coup equal to the Enigma breakthroughs of the Second World War. One underworld insider, speaking to Vice News, was eloquent in their brevity: “People are f—–.”

EncroChat is far from the only encrypted smartphone system

Yet EncroChat was only the latest of many firms to profit from the patronage of rationally paranoid kingpins. Modern syndicates have far outgrown the pagers and payphones made famous by The Wire, feeding a thriving if high-turnover industry that blurs the line between legitimate privacy tech and criminal conspiracy.

“Security hardened hardware has always existed in some form,” says Dr Lukasz Olejnik, an independent cybersecurity researcher who has advised the European Union and the International Committee of the Red Cross. “You had laptops, and you had military-grade rugged laptops…

“But recently, special boutique offers for hardened smartphones are also gaining popularity in some places, because a specialised system may be more difficult to hack using standardised tools. Finding a right and trusted vendor is still tricky. Only a few come to mind – and they are not necessarily cheap…

“Such systems are not suspicious in themselves; they simply cater to users who demand and seek hardened system setups. It appears this one became very popular with a very specific user base.”

There was Phantom Secure, based in Vancouver, Canada, whose chief executive Vincent Ramos was jailed last year for supplying modified BlackBerries to customers with email addresses such as “the.killa@freedomsecure.me” and “trigger-happy@lockedpgp.com”, as well as the Mexican Sinaloa Cartel.

There was also MPC, allegedly controlled by gang lords who had decided to skip the middleman and hire their own tech team. Savvy move: their reported previous vendor, Ennetcom, was busted by Dutch police in 2016.

Governments around the world want to break encryption

The problem is that secured smartphones also have very legitimate uses. Mainstream tech companies such as Apple and Facebook happily trumpet their security features, while encrypted chat apps such as WhatsApp and Signal have become essential tools for politicians and officials around the world.

Although both the British and US governments want to curb strong encryption in consumer services by inserting controversial mandatory “backdoors”, it remains legal and widely used. Many parts of the global tech industry would fall to pieces without it.

Properly hardened phones do have some unusual features. EncroChat’s website proudly boasted of its handsets’ tamper-proof design, live customer support, remote message destruction, rapid “panic wipe” and ability to masquerade as a normal Android phone. Cameras, microphones, GPS functions and data ports were all removed. Live customer support was naturally available.

An EncroChat smartphone - YouTube
An EncroChat smartphone – YouTube

Still, phonemakers who are willing to speak to the press insist their business is reputable. One of them is Craig Buchan, a voluble 42-year-old Scott from Fraserburgh, Aberdeenshire who peppers his rapid speech with “yeah?” and “right?”. 

Now based in Dundee, he sells “security-enhanced phones” through his ominously-named company Omerta – and has recently been marketing to disgruntled EncroChat customers. He sounds almost offended by that firm’s failure to protect its users, saying: “It’s criminal!”.

As he tells it, he cut his teeth “installing touch-screen casino games all over south-east Asia” and then spent ten years as an IT manager at the University of Leeds, where he used encryption to guard sensitive research projects. 

“Privacy is a human right, for starters,” he says. “Historically the government are not always the good guys. Russia was under Stalinist rule for fifty years… I believe EncroChat probably really was the criminal’s choice of phone… I refuse to believe it was exclusively used by criminals.”

His customers have included journalists, high-end commercial solicitors, military contractors, “a political prisoner” and simple privacy enthusiasts. He also notes that his devices don’t go far beyond what is available in ordinary smartphones, in many cases just making common features obvious or mandatory.

Indeed, even the most unscrupulous phonemaker might recognise their doppelganger in the more rarified corporate market, which caters to high-end executives and senior politicians.

Encrypted phones became a favourite of the underworld

Clearly, though, some companies are focused on the illicit market. French authorities have claimed that over 90pc of EncroChat’s customers in that country were involved in some form of crime. EncroChat and two other firms had also posted adverts on various websites widely read by the crook fraternity, including the Dutch blog Vlinderscrime (usually translated as “Butterfly Crime”). 

The blogger in question, a convicted murderer and former cocaine dealer named Martin Kok, joked at the time that “advertising on a site where bicycles are offered does not make sense for this type of company”. Kok was found dead in 2016.

Some firms, too, are deeply cagey with their customers, requiring personal referrals. “Many of them are cloak and dagger operations; you can’t talk to an owner,” one secure phone maker told the Daily Beast, a US news website, in 2017. “There is no CEO. There is no corporation.” 

The cutthroat industry of encrypted phones

In this end of the industry sharp business practices are common. Buchan says he has often seen peers “bad-mouth each other” on web forums and blogs. He was once approached by a rival who claimed to have bought the rights to a well-known piece of software, offering to cut him a deal. When he contacted the software’s actual makers, they had no idea what he was talking about.

Buchan does admit that, sometimes, he has sold to someone he had a “hunch” – albeit no more – might be shady. He never asks customers what they will use his phones for (“it’s none of my business; people are entitled to privacy”), and in any case sells most of his devices through an online shop.

He is adamant, however, that he would not deal with someone if he had more solid reasons to think that they were involved in illegal activity, and says he takes “socially responsible steps” to limit such bad uses.

For example, he sells special Sim cards that let users mask their phone number behind another (helpful for people who run multiple businesses). When he realised that many customers were buying them specifically to simulate 0300 or 0800 numbers – probably to masquerade as bank employees – he blocked that ability. “That probably cost me three quarters of my sales,” he says.

He even notes that he is politically comfortable with governments installing malware on people’s phone to bypass encryption – as long as there are proper legal “checks and balances’ in place . And he disavows the “appalling” advertising tactics of fly-by-night competitors (one secure phone company promoted on Instagram with the slogan “snitches get stitches”). “That’s just crass, disgusting,” he says. “I’d like to think we’ve got some decorum.”

But hasn’t he just been advertising to EncroChat’s former customers? Sure: Buchan is certain that some of them were legitimate, and suggests that it’s those people he wants to reach. “Was it sailing close to the edge? Maybe. But this is what puts food on the table.”

As for his company’s name, Buchan acknowledges the Mafia connotations, saying it’s a “nudge nudge, wink wink” reference to public perceptions about secure devices. Yet he also argues that the original “omertà”, an Italian criminal code of silence that may be centuries old, historically sometimes meant a simple refusal to cooperate with authority – not always a bad thing in his book.

Besides, he adds, “it was a much better name than something like ‘Encryptor’ or ‘Encryptonite’… as a brand name I think that’s fantastic. It’s Italian, it’s fashionable, it gets away from this geeky language that alienates people. The academics and journalists who get it, they think it’s cool – it makes it sound a bit notorious.”

EncroChat’s downfall won’t bring down the wider market

Despite the big arrests, secure phones are likely to become more common – as long as they are not regulated out of existence. There is now a booming parallel industry devoted to state-sanctioned malware, which activists allege is regularly being sold to murderous regimes.

The Israeli firm NSO has been accused of helping Mexico and Saudi Arabia spy on dissidents via its WhatsApp-busting “Pegasus” software. US police forces, now suffering a nationwide reckoning over racism and brutality, have long used portable “Stingray” and “Graykey” devices to defeat iPhone security.

A good opportunity, then, for open-minded entrepreneurs to make an entirely metaphorical killing? Maybe not, says Olejnik, who believes the business model has one fatal weakness. 

“We can actually say that criminals catering to a fixed system en masse is a bit bizarre,” he says. “When you have a popular platform for doing nefarious things, one may expect someone would come for such a platform sooner or later.

“Whatever the guarantees, such a standard system may become a target, and it’s expected that its security may be broken.” 

Quantum computing | Why is the government worried?
Quantum computing | Why is the government worried?

In other words, any sufficiently successful encrypted phone business is a potential gold mine for the fuzz, just as EncroChat was.

And Craig Buchan sees another potential doom ahead. Five years or so from now he expects quantum computing – a nascent technology that could crack open modern encryption methods through sheer processing power – to become mainstream. Google boss Sundar Pichai has made the same prediction.

What will Buchan do then? “I don’t know, mate!” he laughs. But perhaps, he muses, there will soon be a market for quantum-encrypted mobile phones.

Source Article

Author: