The document obtained by Motherboard contains details of the malware used by law enforcement against Encrochat devices.
The malware, which French law enforcement agencies deployed en masse on Encrochat devices, a large encrypted network built on Android smartphones, was able to collect "every data stored on the device," including messages, geolocation data, usernames, passwords, and more, according to the document received by Motherboard.
The document details the hack and subsequent destruction of Encrochat by law enforcement earlier this year. Organized crime groups throughout Europe and the rest of the world used the network extensively prior to its takeover, in many cases to facilitate large-scale drug trafficking.
This operation is one of the largest, if not the largest, law enforcement hacking operations to date; in the course of it investigators obtained more than one hundred million encrypted messages.
"NCA has been cooperating with the gendarmerie on Encrochat for over 18 months as the servers are hosted in France. The ultimate goal of this collaboration was to identify and exploit any vulnerability in the service to obtain content," the document says, referring to the UK's National Crime Agency and one of France's national police forces.
In addition to geolocation, chat messages and passwords, the law enforcement malware also reported a list of Wi-Fi hotspots near the device, the document says.
"This command from the implant will cause the JIT to receive a MAC address, which is a unique number assigned to each Wi-Fi access point, and an SSID, which is a human-readable name assigned to that access point," the document added. The JIT is a Joint Investigation Team made up of various law enforcement agencies.
Encrochat was a company that offered custom-made phones that sent end-to-end encrypted messages to each other. Encrochat took a basic Android device, installed its own software, and physically removed the GPS, microphone, and camera features so they couldn’t be accessed. These changes may have affected what data the malware was actually able to obtain after deployment.
Encrochat phones had an emergency wipe feature, where if the user entered a specific PIN, it would wipe the data stored on the device. The devices also ran two operating systems, which ran side by side; one was harmless, while the other contained more sensitive messages from users.
Previously, an Encrochat spokesperson said the firm is a legitimate company with clients in 140 countries and that it aims to "find the best technologies on the market to provide reliable and secure services to any organization or individual who wants to protect their information." The firm had tens of thousands of users around the world and decided to shut down after discovering that its network had been hacked.
Encrochat’s clients included a British hitman who killed a crime leader and an armed robber, as well as various violent gangs across Europe, including those that used so-called "torture chambers". However, some of the users may have been legitimate.
Since the shutdown, police across Europe have arrested hundreds of alleged criminals who have used the system. Motherboard previously received chat logs that prosecutors presented as evidence against a drug dealer.
Running an encrypted phone company is not, in itself, usually illegal. The U.S. Justice Department charged Vince Ramos, the CEO of another firm called Phantom Secure, with racketeering conspiracy and other charges after he claimed during an undercover investigation that the phones were made for the drug trade. Phantom Secure started out as a legitimate firm before focusing more on the criminal market. Ramos was sentenced to nine years in prison in May 2019.
French authorities said at the time of Encrochat’s shutdown that they had legal authority to roll out a massive hack, which they described as a "technical tool."