The US Federal Bureau of Investigation (FBI), the Dutch National Police (Politie), and the Swedish Police Authority (Polisen), in cooperation with the US Drug Enforcement Administration (DEA) and 16 other countries have carried out with the support of Europol one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities.
Since 2019, the US Federal Bureau of Investigation, in close coordination with the Australian Federal Police, strategically developed and covertly operated an encrypted device company, called ANOM, which grew to service more than 12 000 encrypted devices to over 300 criminal syndicates operating in more than 100 countries, including Italian organized crime, outlaw motorcycle gangs, and international drug trafficking organizations.
The goal of the new platform was to target global organized crime, drug trafficking, and money laundering organizations, regardless of where they operated, and offer an encrypted device with features sought by the organized crime networks, such as remote wipe and duress passwords, to persuade criminal networks to pivot to the device.
Christoph Hebeisen, Director, Security Intelligence Research at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, "AN0M enabled law enforcement to surveil criminal activity on a network that the criminals themselves assumed to be completely secure. The revelation that the platform was run by law enforcement comes as part of the conclusion of a seemingly very successful campaign. However, as we have seen in the past, the end of one encrypted chat service popular with criminals usually leads to a shift to a new one. This was the case in the past with EncroChat and PhantomSecure."
Hebeisen adds, "Since there has now been a string of such takedowns, each leading to a large number of arrests, criminals might become more careful. This could lead them to use legitimate end-to-end encrypted chat services where they can hide among innocent users."
The FBI and the 16 other countries of the international coalition, supported by Europol and in coordination with the US Drug Enforcement Administration, then exploited the intelligence from the 27 million messages obtained and reviewed them over 18 months while ANOM’s criminal users discussed their criminal activities.
Operation Trojan Shield/Greenlight/Ironside will enable Europol to further enhance the intelligence picture on organized crime affecting the EU due to the quality of the information gathered. This enhanced intelligence picture will support the continued effort in identifying operating high-value criminal targets on a global scale.
Tyler Shields, CMO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, says that the operation had a significant impact on stopping crime. "Hardware devices being distributed and used to facilitate a man in the middle attack against more than 300+ criminal organizations is a first. Typically, software-based attacks targeting a specific person or group of people are used. The fact that this targeted literally the entire underworld is of huge importance. This was a really big deal."
Criminal networks have a huge demand for encrypted communication platforms to facilitate their criminal activities. However, the market for encrypted platforms is considered to be volatile. In July 2020, the EncroChat encrypted platform was dismantled by the Operational Taskforce EMMA (France, the Netherlands). This international operation sent shockwaves in the criminal underworld across Europe and was followed in 2021 with another takedown of a similar nature: an international group of judicial and law enforcement authorities (Belgium, France, the Netherlands) successfully blocked the further use of encrypted communications by organized crime networks via the Sky ECC communication service tool (Operational Task Force Limit).
Both operations provided invaluable insights into an unprecedented amount of information exchanged between criminals. After the takedown of Sky ECC in March 2021, many organized crime networks sought a quick encrypted replacement for a communication platform that would allow them to evade law enforcement detection. This was a deliberate and strategic aspect of OTF Greenlight / Operation Trojan Shield / Ironside resulting in the migration of some of the criminal Sky ECC customer base to the FBI-managed platform Anom.
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "We have seen law enforcement agencies run this type of deception before. In July of 2017, in Operation Bayonet, Europol and the US Department of Justice seized the most popular English language dark web market AlphaBay. Cybercriminal buyers and sellers flocked to an alternative market Hansa. These criminals didn't know that the Dutch police had taken over the market, and for the next month, they collected intelligence and evidence on the criminal activities. International law enforcement was able to disrupt cybercrime; however, as is always the case after law enforcement actions, cybercrime finds a way. Other criminals and services rise from the ashes."
Europol set up an Operational Task Force (OTF) for Operation Trojan Shield / Greenlight / Ironside and provided operational support for the participating countries by acting as a criminal intelligence hub, facilitating the exchange of information and coordinating with other investigations supported by Europol. Overall, 16 countries took part in this OTF and sent representatives to Europol in The Hague, the Netherlands, to coordinate their activities at the national and international levels. The following countries participated in the international coalition: Australia, Austria, Canada, Denmark, Estonia, Finland, Germany, Hungary, Lithuania, New Zealand, the Netherlands, Norway, Sweden, the United Kingdom incl. Scotland, and the United States.