
World’s Leading Encrypted Crime App Busted [Encryption Digest 44]

July 16, 2020 | Katrina Dobieski

There’s nowhere to run, and now there’s nowhere to hide. Earlier this year, international law enforcement secretly infiltrated one of the most secured communication networks in organized crime. By inserting malware on encrypted EncroChat, investigators have laid cartel plans bare, intercepted shipments and put dealers under arrest. It begs the question—what lessons can enterprises learn from cybercriminals about the importance of protecting encryption?

World’s leading encrypted crime app busted. Users busted, too.

It was “industry standard.” EncroChat was the best encrypted chat platform in the (underground) business, and whole networks of cartels, weapons trafficking and other nefarious enterprises were built on it. Until it was hacked by law enforcement and the protected chats became incriminating evidence.

Users of EncroChat were summarily rounded up and taken into custody this year. It was estimated that somewhere in the realm of 90% of its users were employing the app for illegal purposes.

“They’re just lifting people,” said a source close to criminal users of the app in a communication to Motherboard. Andy Kraag, head of the National Criminal Investigations Department in the Netherlands, said, “We’ve captured messages that give us a view of daily life in the criminal world.” Everything from price lists to customer profiles was laid bare for law enforcement.

EncroChat was supposed to be the best. With “customized hardware, a dedicated OS, and its own servers” it was virtually impenetrable, as any good encryption should be. However, Operation Venetic showed that with enough dedicated firepower, well-supported agencies can fight back.

International law enforcement, spearheaded mainly by the French, created malware specifically designed for the devices. These were special phones with dedicated hardware, now made vulnerable. Not only could the state-made malware evade detection, it could infiltrate a device and read its messages pre-encryption, record and store the lock screen password and affect EncroChat devices all over the world. Now, having the most viable communication pathway thwarted, a source close to criminal users reported that many are deciding “to go ground.”

Law enforcement may now have to search in many more places as they go back to catching criminals “the old-fashioned way.” Or perhaps a new encrypted model will soon take its place. However, it may be a moment before full faith is restored as technology advances on both sides and the reality of encryption-breaching malware sinks in. In this game of cat-and-mouse encryption, is anything ever permanently safe?

Aside from the immediate headlines, what is interesting is that all this was done without the use of a backdoor. And that, for avid fans of privacy and encryption, might be the most salient part.


Certificates are for identity, not [necessarily] encryption

Just a quick refresher course on the Ps and Qs of encryption protocol in practical use, and some pitfalls to avoid.

Humans prove and protect their identities with social security numbers, passports and other documents, and continue the process online with usernames and passwords. Machines (anything from ATMs to digital containers) need to establish the same trust in identification and do so with digital keys and certificates. These TLS keys and certificates prove the machine is what it says it is, and then allow you to sell your bitcoin.

First, digital certificates establish identity—and encryption is a means by which they do so. Encrypting the information gets it safely from one machine to another, for the purpose of establishing trust. Encryption is a means, not an end, in this process.

Secondly, when establishing trust, self-signed certificates make the most sense when working internally. It’s arguably a little far-fetched to claim your identity by reference to yourself (“It’s me, honest”). So even though bypassing a Certificate Authority and spinning up your own encrypted self-signed certificate may be handy, when presenting a strong security profile to outside investors or even savvy clients, going through a CA might still be the most traditional, and trusted, route.
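
The two trust models described above, as an added example that is not part of the original post: it builds a self-signed certificate and a CA-issued one with the `openssl` CLI, then checks each against a client that trusts only the CA. The host names, the CA name and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Requires the openssl CLI; all names below are constructed.

make_certs() {  # make_certs <dir>: build one cert of each kind in <dir>
    d=$1
    # Self-signed: the key vouches for its own certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=selfsigned.internal.example" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    # Private CA: the trust anchor that relying parties install.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Leaf: key and CSR for the service, then signed by the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=app.internal.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

is_self_signed() {  # subject == issuer AND signature checks under own key
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

trusted_by() {  # trusted_by <anchor.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_certs "$workdir"
for c in self leaf; do
    if is_self_signed "$workdir/$c.pem"; then kind="self-signed"; else kind="CA-issued"; fi
    if trusted_by "$workdir/ca.pem" "$workdir/$c.pem"; then t="trusted"; else t="NOT trusted"; fi
    echo "$c.pem: $kind, $t by a client that only trusts ca.pem"
done
```

Both certificates carry a key that can be used for encryption; only the CA-issued one has its identity vouched for by a party the client already trusts.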
