Darknet Diaries - 105: Secret Cells
Episode Date: November 23, 2021
Joseph Cox (https://twitter.com/josephfcox), Senior Staff Writer at Motherboard (https://www.vice.com/en/topic/motherboard), joins us to talk about the world of encrypted phones.
Books
Affiliate links to books:
The Smart Girl’s Guide to Privacy: https://www.amazon.com/gp/product/1593276486/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1593276486&linkCode=as2&tag=tunn01-20&linkId=0a8ee2ca846534f77626757288d77e00
Extreme Privacy: https://www.amazon.com/gp/product/B0898YGR58/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B0898YGR58&linkCode=as2&tag=tunn01-20&linkId=575c5ed0326484f0b612f000621b407f
Sponsors
Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.
Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.
Transcript
I'm mad. I'm honestly really upset about the current state of our mobile phone options.
I want privacy and security when it comes to my communication devices.
And I often lie to myself and say that's the single most important feature of a phone.
I don't want anyone eavesdropping on what I do when I'm on my phone.
But the reality is every single thing I do on my phone is being recorded
and sent somewhere. See, the two biggest smartphones out there are Google's Android
and Apple's iPhone. Something like 95% of all phones out there are either Android or Apple
phones. And I'm telling you, both are huge data collectors. Google's privacy policy says it logs
your phone numbers, calling party numbers, forwarding numbers, time
and date of calls, duration of calls, SMS routing information, types of calls, and your IP address.
Apple collects your account information, device information, contact details, browsing history,
search history, and your location. This is not privacy. On top of that, there are so many apps
and websites out there that are fiendishly trying
to get all my data, and the phone's operating system could do quite a bit to stop my data from
just leaking out, but they don't do enough. Like, I can't stand using normal text messaging anymore,
or a standard browser on these phones, because neither are private. But that's all fine and good.
Actually, I don't even care if Google and Apple does that.
But here's the part where I'm mad. I'm mad that there's no good options for privacy-focused phones out there. Like you can't walk into any of the mobile phone stores and say, hey, I want a phone
that actually respects my privacy. None of the mobile phone stores carry privacy-focused phones.
We are currently facing an all-out war, and we're losing. The war is all
about our privacy. Marketing companies want to get to know us intimately so they can run targeted
ads just for you. If you have a death in the family, the OfficeMax marketing team will take
note. And if you get pregnant, Target will send you coupons for baby items. But how does Target
know that you're pregnant? Well, it's because they saw you buying unscented soaps and lotions.
And yeah, they have statisticians watching your buying habits. And some stores track your phone's
Wi-Fi signals and watch where you stop and look at certain items or sections of the store. And yes,
when you purchase things at stores, they will store all the items you buy and create a whole dossier on you and your buying habits and likes and wants and desires.
And that's just retail stores. There are actual adversaries that we have that are all trying to
find our private information too. It's an all-out war. When a war like this is waged, the very last thing I want is for my own device that's in my pocket to be on the enemy's side.
One of the first things you learn about when you're getting into information security is the CIA triad.
And this stands for confidentiality, integrity, and availability.
These are the three main pillars of security. And I believe that both Android and Apple violate our confidentiality the entire time the phone is on.
And sometimes even when the phone is off.
But I lie to myself when I say that privacy is the most important feature when it comes to buying a phone
because I always end up buying one of these phones that logs,
collects, and sells my data instead of one that's actually private. So if I'm being real,
features and functionalities really are the most important aspect of buying a phone for me,
even though I'm so privacy focused. But I'm still mad that there's a lack of options out there for an actual secure
phone that's for me. One that's stable, updated, works good, and just has some basic features that
respect my privacy. And there are some privacy focused phones out there. But unfortunately,
these privacy focused phones have some dark secrets.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile
is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my
name and gave me reports on what they found. And then they got busy deleting things. It was great
to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people
who work over there, and I can vouch they do very good work. If you want to improve the security of
your organization, give them a call. I'm sure they can help. But the founder of the company,
John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
Now, I'm not the only one out there who wants a secure phone.
There's quite a market for this type of thing.
And because of that, there are companies that make private phones.
And one of the first popular ones to show up on the scene was a phone called Phantom Secure.
Yeah, like Phantom is certainly the first major one.
There were others potentially slightly earlier,
or at least around about the same time,
which were particularly popular in Europe.
Oh, and for this episode, I have the legendary Joseph Cox
to give us a tour of the world of encrypted phones.
I'm Joseph Cox, senior staff writer at Motherboard, which is the technology section of Vice.
Joseph has done amazing investigative journalism work in this area, getting deep into the world of encrypted phones.
He's spoken directly with insiders, users.
He's acquired these phones himself when he can, and he's combed through so many court cases.
He's the perfect tour guide for this.
So what is Phantom Secure?
Phantom Secure was a so-called encrypted phone firm started in the mid-naughts.
All they would do, essentially, was take a BlackBerry, load it with sort of custom PGP encrypted email software,
and then sell that to clients.
They also introduced the feature where you could remotely wipe what was stored on the phone.
Of course, we all know about Apple and iCloud
and being able to, maybe, the Find My Phone feature
and maybe wipe your phone remotely.
This was more, if it lands in the wrong hands,
our company will take care of it for you.
Those were the only two features.
Let me say them again.
A way to email people securely using PGP
and a way to remotely wipe the phone.
That's it.
These phones couldn't even text someone
or make a phone call.
In fact, Phantom Secure phones were physically modified,
so that wasn't even possible.
Yes, they removed the microphone, the GPS, and the camera. That's what a lot of these companies do,
and of course they vary case by case, but they do try to lock them down in some way,
in both software and in hardware. Actually, now that I think about it,
I kind of like the idea of no microphone in my phone. I don't like making phone calls. And it gives me the peace of mind that my mic can't spy on me. Okay, but when
you have a phone that has no mic or camera, and the only thing you can do is email someone,
that should mean it's really cheap, right? Exactly the opposite. These phones could go for
anywhere between $1,000 to $2,000 to $3,000,
depending on the company. And that's for a yearly subscription to the service. These people aren't
just selling sort of a piece of hardware or a phone. They're also selling basically your spot
in the network. If your colleagues, for lack of a better way of putting it, are using a Phantom Secure phone,
well, you need to be on a Phantom Secure device as well,
and you need to buy your way into that network.
Oh, yeah. Explain that a little bit more.
So could people without Phantom Secure phones
communicate at all to people with Phantom Secure phones?
So originally, a lot of these companies did allow
phones to communicate with each other.
So maybe you'd have a phantom device and you could communicate with, just hypothetically, another one from a company called Sky, let's say.
Eventually, though, some of these companies did decide to lock each other out.
Okay, so this is worse than I thought.
You can't just email whomever you like.
You can only email other users of Phantom Secure. I wouldn't even call this email at this point. It's just a device
that has a secure way of messaging other people who have the same device.
The person who created Phantom Secure was Vince Ramos. He was a businessman from Canada. You know,
he worked for a phone company. Family members I spoke to earlier said that he won Employee of the Month awards.
By all standards, he was just an upstanding guy trying to make a buck, basically.
But of course, he wanted to be something of an entrepreneur.
And he came up with this idea for Phantom Secure, making these secure devices themselves to then sell.
He starts doing this.
He sells them just by word of mouth,
really, in the Canadian nightlife scene. So, you know, maybe VIPs would get them, some athletes,
some rappers, apparently, according to people who sold the phones at the time, that's what they told
me. And it grew from that into a larger business. So it started as this word-of-mouth thing,
but eventually it found a new market,
specifically in Australia.
And this is just where Phantom really took off.
It exploded across the country. It got introduced to organized crime elements there,
and they just went crazy for it.
And they were buying these phones.
But of course, eventually, Ramos realized
that criminals were buying these devices,
but he didn't do anything to stop it.
And that may have been his failing decision.
If privacy was my top concern,
I think I would consider a phone like this.
But it's just lacking too many features for me.
But let's be clear, there's nothing illegal about
making or selling or owning a secure phone. It doesn't even matter if criminals use it or not.
I mean, criminals use iPhones, right? So can you charge Apple with a crime? And Apple has to know
that there must be many criminals using their phones, right? So even if they're aware that
criminals use their product, it still isn't illegal to sell it to them.
And the same with Phantom Secure.
Even though they were selling these encrypted phones, no police or criminal investigation was taking place to find the owner, Vince Ramos.
Because everything was legal.
Until there was a crime committed where Phantom Secure hindered the investigation. One of the earliest published cases of this actually happening was where a phantom secure device was implicated in the assassination of somebody in a
biker gang there. And law enforcement weren't able to get information because this sort of device
had been used. But as you say, you know, selling a phone is not illegal. Making a secure communications device is not illegal.
What happened, though, is that when investigators dug in,
they found that, you know, at least some of the distributors knew
that they were providing encrypted communication devices to criminal entities,
you know, individual criminals or larger organized crime groups.
So the police discovered this Phantom Secure phone that was part of this assassination and started to investigate the company a little closer.
What are these phones? Who's selling them? Who's buying them?
Yeah, it's Australia. And then also the Canadians started to notice they were bumping into the phones as well. You know, presumably in the local crime market,
obviously, where Phantom Secure and
Vince Ramos were from in the country,
they also encountered it. And then it seems
the Americans started finding
the phones themselves in their own investigations as well.
And how were they
encountering this?
It's usually when
they will bust somebody, and
they will go and they will try to grab the phone.
You know, they want to gather evidence and see who else they've been communicating with or, of course, their own incriminating texts, perhaps.
They go to the phone and it's already been wiped.
Somebody has wiped it.
And in these cases, it's going to have been Phantom Secure.
Someone has contacted the company saying, hey, my phone has been seized by the feds,
please could you wipe it?
And Phantom Secure, as part of their business, offers that.
At one point, the Royal Canadian Mounted Police
actually went undercover
and they pretended to be a drug trafficker
whose phone had been seized.
And they said, you know, very explicitly,
hi, there are, you know,
discussions of drug deals on my phone.
Please remove them.
Of course, showing that Phantom Secure was willing to destroy evidence, essentially.
Ah, there it is.
The Canadian authorities posed as criminals, telling Phantom Secure, hey, look, I've got some criminal activity on my phone and I need you to wipe it.
Can you do it?
And Phantom Secure was happy to do it.
That means Phantom Secure knew they were destroying criminal evidence.
That's a sticky situation for them to be in.
I mean, imagine you're working at a grocery store and someone wants to buy a lighter
and they specifically tell you as you're ringing them up
that they're going to use this lighter to go burn the building down across the street.
Do you sell them the lighter?
Because that's what a store does. They sell lighters. Or do you refuse because they said they're going to
commit a crime with it? Perhaps a grocery store is protected in this way. But what if someone you
know asked to borrow a lighter from you to burn a building down? You could be in trouble for giving
them a lighter if you knew that's what they were going to do with it.
In this case, where the Canadian authorities asked Phantom Secure to delete criminals' evidence,
it's hard to know if this was enough to prove that Phantom Secure knowingly was helping criminals.
And it wasn't enough for the Royal Canadian Mounted Police to arrest him, because years and years go by and the company continued to operate and grow without a problem. And the team was growing too as the phones were entering
more countries. They needed more distributors to pass the phones out in those areas. And over time,
more criminals were being arrested in Canada with phantom secure phones on them. But here's the
thing. In Canada, even if you're selling phones to criminals and marketing it to them and you know they're committing crimes with your devices, there isn't a law in Canada which they would be violating. who defend people involved in the crypto phone industry in that country. And they've told me this business is legal.
Same in Canada.
As we've said, you know, the Canadians didn't just arrest Vince Ramos there and then.
But it's not legal to knowingly aid and help criminals in the USA.
And once some phones started showing up in crime scenes in California
and the U.S. authorities started investigating the company, that's when a light bulb in the San Diego FBI.
And then that's when they started much more earnestly
looking into Phantom Secure and, in their eyes,
realizing it was an actual criminal organization
that they should target in and of itself.
The FBI was not happy about these encrypted devices
and wanted to learn more.
And that's when they started investigating this company
and found heaps of evidence suggesting that Vince Ramos
and Phantom Secure knowingly met with buyers
who would say they're going to use the phones to commit crimes.
Particularly, Phantom was not vetting its distributors or its resellers enough.
So it would give these people power to sell the phones to whoever they want.
And then it would turn out
there would be criminal elements buying them, right?
And when this is brought to Vince Ramos' attention,
he kind of either doesn't do anything with it
or unfortunately puts his fingers in his ears
and sort of turns a blind eye to the issue as well.
As more crimes were committed by people using Phantom Secure,
it frustrated the authorities even more.
Australia and Canada, they basically set up a plan,
which is that, well, it's all well and good if people say
that criminals are using these phones,
but we need to show that the CEO, Vince Ramos, also knows that
and potentially will lean into that market as well.
So a confidential human source, you know, a CHS in the FBI and the DOJ's turn of phrase,
someone close to Ramos, who is a distributor, convinces the CEO to come to Las Vegas for a meeting saying, you know, I have these guys who are really, really big. They want to buy a large
order of phones. So they set up a meeting in a Las Vegas hotel suite. Vince Ramos goes in,
and these drug traffickers are sat there and they're saying, you know, we know you remove
the GPS functionality from the phone, but we have a problem with snitches, basically, right?
What if, they hypothesize,
could you maybe also turn the phone into a tracking device
if we needed to, you know, kill one of our snitches?
They don't say it exactly like that.
I'm paraphrasing.
But when you read the transcript,
that's the quite clear context of what's going on.
And Ramos doesn't seem to really push against that idea.
But the key thing that really seals Vince Ramos' fate
is when the drug traffickers say,
you know, we don't know you.
We don't know if we can trust you.
Why should we trust you in so few words?
And Vince Ramos says, well, look, look,
I know you don't know me, but this is what I made it for.
I made
it exactly for this. Apparently meaning drug trafficking is how the FBI said. And that was
it basically. After that quote, prosecutors and the FBI will be able to say, look, he has no
problem selling to drug traffickers deliberately and knowingly that they had what they need is
basically on tape. Around this time, it appears that Vince Ramos met with members of the Sinaloa cartel,
which is a major drug trafficking cartel in Mexico.
On February 8th, 2018,
it appears that Vince Ramos is just traveling for business
and he's just had a meeting.
And he's sending a text message to one of his associates
and he says, we are fucking rich, man.
I swear you better go fucking appreciate it.
Get the fucking Range Rover brand new, because I just closed a lot of business. This week, man,
Sinaloa cartel, that's what's up. And my boy is Punjabi cartel. Lol. So this text message
does seemingly suggest that he met with people from the Sinaloa cartel and either offered them
phones or did sell them phones or
something like that. But this is one of the key pieces of evidence that later appears
in the criminal complaint against them, a screenshot of the text message.
So by this time, the FBI has enough information to arrest Ramos,
but they sort of wait a year before they do anything, perhaps to collect even more information? My theory is that
the FBI wanted time to think about what to do with these encrypted phones. One option is to try to
arrest Vince and take down the whole company. Another option, though, might be to try to find a
way to infiltrate the network so they can read the messages and have a jump on criminals using it.
These phones were sort of a watering hole
for criminals and would be a major source of information if they could somehow get access
to the messages or customer data. But eventually, one of the FBI agents posed as a drug trafficker
and invited Vince Ramos out to Las Vegas, Nevada to discuss business. But this time, when Ramos walks into a hotel suite,
there aren't drug traffickers waiting for him.
It's the FBI and the attorney's office.
And they tell him what's happening, obviously.
We have charges ready for you,
but we want to make you an offer.
We want you to put a backdoor into Phantom Secure. We want to see who
the customers are and what they're saying. That is the ultimate goal here, right? They could try
and take down the company, but law enforcement really want to see what's actually going on there
so they can prosecute the end users. Vince Ramos declines. Some people I spoke to said it's because
he puts the privacy of his clients first.
Others said that, well, actually, he didn't have the technical know-how to do that because that's the CTO's job.
You know, he is more the business guy.
Regardless, he refuses and doesn't put the back door in.
Now, this is a part of the story which gets weird for me.
Vince actually traveled to Vegas with his wife
and child, who were staying in another room in the same hotel. This meeting with Vince went on
for a long time. They didn't quite arrest him, and he was cooperating with them by talking openly
about Phantom Secure and how the company operated. But there was something the FBI wanted and didn't want to let him go until they got it.
There were four or five agents there.
Some were FBI, some were international agents.
They ordered food to the room and he could use the toilet there.
Vince and the FBI agents spent the entire day together all in this hotel room.
At night, they even let him go see his wife and child and say goodnight
and then
bringing him back to the room for more questioning. Eventually, Vince and a few agents fell asleep
while one or two agents stood guard all night, making sure Vince didn't leave. Then the next day,
after breakfast was brought to the room, Vince was questioned more by the FBI agents. And this is just
so weird for me. For the FBI to question someone
for days in a hotel room?
Like, why not take him down
to the police station
and question him there?
Why keep him trapped in this room
without officially arresting him?
I think it was because
they really wanted
or were hoping that this would be
a more live operation.
You know, this wasn't like the end of it.
This wasn't, let's arrest him,
let's get a confession or whatever we can
and let's prosecute the guy.
They were hoping, it seems,
that this could live on for a little bit longer.
And I mean, they needed him out.
Let's say they did eventually get a backdoor
into Phantom Secure.
They needed to not raise suspicion.
He needed to be out.
He needed to be free to talk to people eventually if they did get a backdoor in.
So the FBI continued to pressure him to give them a backdoor into Phantom Secure. I presume that they showed him the evidence that they had on him and gave him hardball type options of like, hey, look, you're either going to go to prison or you're going to let us in. And even though he wasn't letting them in, it seemed like the FBI really wanted to get in.
So instead of arresting him and taking him to the police station, they just kept interrogating him
all the way through the night into day three. They gave him more breaks to see his family down
the hall. Sometimes his wife said he looked like a ghost. And maybe this is why he was
talkative and cooperative, because his wife and kids were just down the hall, and he didn't want
to lose them. The FBI continued to try to persuade him to give them some kind of access to the
network. They wanted to see who the users were and any data Phantom Secure had on them. Because
this phone did have the remote wipe capability so it was able to interact with
the customer's devices in some ways but Ramos still didn't give them access. Eventually the
interrogation went into the third night and into the fourth day. Vince fell asleep in the suite
and the agents were so tired at this point they all fell asleep at the same time too. But Vince woke up during the night and he got up
and looked around the room and saw everyone was asleep. When all of the agents are asleep,
Ramos, he sees a moment to escape. And in a seemingly quick change of heart, he flees the
hotel. And, you know, embarrassingly for these agents who have been guarding and talking to this guy for days now,
the guy they've been hunting for years has left.
He's out the door.
He stopped in one last time to say goodbye to his wife and contacted an associate who picked him up by car.
And the two of them were gone.
Vince immediately tried to get to Canada.
And he thought he wouldn't be able to get through airport security, so they decided to drive from Nevada all the way across the country
to Washington state. And when they got to Bellingham, Washington, about 20 miles from
the border of Canada, Vince parted ways with his driver and was preparing his last leg to
get across the Canadian border. He was on the run. He was trying to evade law enforcement for some time
until eventually they caught up with him in a cafe
and apparently it was a very unceremonious scene.
I spoke to the cafe owner who said that several serious men,
serious looking men came into the cafe.
They seemingly saw Vince Ramos sat in the corner.
They went outside, made a phone call.
And then a large group of men arrived, go up to Vince.
And he doesn't fight.
He just stands up, puts his hands behind his back, and he's led into the police car.
And that is finally the end, for him at least, you know.
Vince was arrested and brought to court in the U.S. under RICO charges.
And RICO stands for Racketeer Influenced and Corrupt Organizations.
The case hinged on whether they could prove that Phantom Secure was knowingly helping criminals.
But the prosecutors had ample evidence showing that Vince knowingly sold phones to criminals and was helping support them.
Vince told the judge, quote, I would be lying if I said I wasn't aware of what's going on.
The reality was that I turned a blind eye and didn't want to face reality.
I was making money and providing for my wife and children, end quote.
At least according to one estimate from the Royal Canadian Mounted Police in 2016,
you know, they believe that Phantom was making something like $32 million
from the sale of these phones.
And then eventually, I believe another estimate from the FBI was closer to $80 million in selling these devices.
You know, Vince Ramos, they bought apartments, cars, cryptocurrency as well.
So they were making a lot of money from this operation.
The courts found Vince guilty and sentenced him to nine years in prison,
not for making secure phones, but for helping criminals commit crimes with them.
And, you know, I think he could have got more than that.
But he did cooperate somewhat.
And, you know, this was his first offense.
I mean, the judge even said that, you know, he appears to be a very upstanding person, a successful businessman, but he applied it to the wrong industry, ultimately.
We're going to take a quick break here, but stay with us because there's more to these encrypted phones that I think you'd be interested in hearing about. spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal, from credentials to cookies to PII. Knowing what's
putting you and your organization at risk and what to remediate is critical for protecting you
and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to
disrupt cybercrime with a mission to end criminals' ability to profit from stolen data.
With Spy Cloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections.
Get your free Darknet exposure report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
So Phantom Secure started somewhere around 2006, and the feds took it down in 2018. But
Phantom Secure phones did little in the way of innovation in those 12 years, sticking mainly with
secure email as their main feature.
As technology was exploding, people wanted secure phones that did more than just email.
So in 2016, a new encrypted phone company sprung up. This one is called EncroChat.
EncroChat was another encrypted phone company, but it was more clearly based on Android. And it had some of the more bells and whistles and features that Phantom was lagging behind on.
So it was much more of an instant messaging platform
when you use these devices.
Also had a wipe functionality.
Okay, this one might be more my style.
I like the idea that you can do more things with it.
But now my problem is I've never heard of this company.
Like their phones aren't in my local mobile phone shops
and there aren't many trustworthy reviews of the phone online.
And that's because EncroChat seemed to want to get these into the hands of criminals
and they weren't meant for widespread adoption.
EncroChat phones were getting distributed in Europe and in the UK
and authorities were starting to see these phones turn up in investigations.
So much that the UK police were coming up with procedures when arresting people who had EncroChat phones on them.
They've encountered these devices and they've got smart to the fact that they need to deal with them very, very quickly.
So they'll grab the EncroChat device. If it's open, they will immediately start
taking photos of the text messages, the images on there, you know, almost manually archiving the
material before it gets wiped. And then they will also put it in some sort of Faraday bag,
because they're basically against the clock when it comes to, well, we don't know if somebody has
reported this phone to EncroChat is in the hands of law enforcement and a wipe command could be coming at any time.
You know, the cops really have to act super quickly
to try to grab evidence before it disappears entirely.
Criminals were using EncroChat more and more in Europe
to communicate between other criminals
to facilitate drug trafficking and assassination plots.
The UK police, the National Crime Agency,
they had been investigating EncroChat because they keep coming across these devices in their
own investigations. The French police are then looking into the company as well, because it
turns out at least one of the servers of EncroChat is actually located in France in an OVH data
center. And the French come up with
what I think is a highly controversial plan.
They decide to,
rather than just try to identify the owners
and shut down the company,
they want to push malware to the endpoints,
to the actual EncroChat devices themselves.
So these EncroChat phones did receive updates to patch security issues and introduce new features.
And one of the servers used to update the phones was located in France.
So the French police got a warrant to access the data center and EncroChat server.
They got into it and made an exact copy of it, and they left the server running untouched.
This was a secret mission that they didn't want EncroChat knowing about.
They took their cloned copy back to the lab to study it.
They learned how this server sends updates to EncroChat phones, and this gave them an idea.
What if they could put their own update on the server that all phones would download?
This could result in the
French police having hooks in EncroChat phones. And so that was the plan that the French police
went with. They studied this clone and figured out how the updates worked and wrote some malware
and even tested this with their clone to make sure that the phone got the updates and sent the data
to the police. They figured that out. They then went back to the
server, I believe, and then pushed this malicious update to the EncroChat devices. French police
were successfully able to plant malware on thousands of EncroChat users' phones. Now,
this piece of malware, it would silently send copies of the messages sent and received.
It would potentially grab GPS locations,
but it sort of depends on, well, did this device actually have GPS?
Did this one not? That sort of thing.
But the main thing, of course, is that it captured message content.
And that would include the username of the person who sent this message.
And of course, all of the discussions about drugs and money laundering
and assassinations and Bitcoin laundering as well.
What the French authorities did here is astonishing.
They hacked into the servers of this company to spy on its users.
Well yes, you can point out that most of the users were criminals.
I still think this is controversial.
Just because a company makes a privacy-focused secure phone doesn't mean it's just for criminals.
Like I keep saying, I want a phone like this because I find the current eavesdropping done on my phone today to be disgusting.
I want peace of mind knowing that my messages are not being snooped on and they are only going to who I want them to go to.
And there's nothing illegal about having privacy.
Yet the French police have violated the privacy of EncroChat's users
because they thought this would give them an advantage while stopping crime.
It was probably the first time that law enforcement had really infiltrated
one of these companies into the content of the actual communications on a really global
scale. I mean, the French, they hacked into phones everywhere. And obviously, they didn't just limit
the malware distribution to inside France. They did it to all EncroChat devices around the world.
And in case you were wondering how the police were able to see these secure messages,
well, they had their malware on the phone itself. So when the phones send and receive messages, it has to be unencrypted so the person can read them. And that's when these
messages were copied and sent to the French police. But I've really got to hand it to the French
police here. This is some impressive high-tech police work. To be able to reverse engineer how
a server sends updates to phones and then create the update for it and push it out. And not just
any update, but a full stealthy spyware toolkit. And then create a collection server to receive all this data
captured from the phones, then to put this malware back onto the server and push it to users.
This is amazing work that they did.
Yeah, exactly. Pushing a malicious update,
it brings up all of these arguments of, well, maybe we can't trust updates, you know,
which of course we need to do to remain secure. And of course, EncroChat is an unusual case. This
is not a mainstream popular consumer device, but it does still show the lengths to which law
enforcement will go. And I mean, here, yes, it was French law enforcement, but it appears that the
law used, at least in some capacity, was a national security law.
And it was the military, sort of the police arm of the French military that was involved as well.
So as court cases have come out and, you know, obviously defendants have tried to get information, the French basically aren't talking because they use a national security exemption to not release any information about the malware.
Right. Yes. To this day, the French haven't disclosed any details about how they did this and have kept it quiet.
But that's kind of getting ahead of ourselves.
When they were doing this, they had to be extremely stealthy and secretive to not tip their hands that they were in these phones snooping on people.
And it worked. As soon as they pushed the malware to the phones, they immediately started seeing chat messages coming into their servers.
Eventually, they would collect millions of chat messages this way.
And not all of their users were French citizens.
These were chat messages from people all over the world.
And I think it's pretty crazy that the French police were planting spyware
on phones all over the world
and collecting private messages from users who weren't even in France.
The internet doesn't have physical borders,
so I can see why this is a difficult problem to solve.
But reports show that the French police infected 50% of all EncroChat users worldwide,
which is still thousands of users.
So the French figure out how to distribute
all of these messages they've been getting. And, you know, without getting too technical,
they have to navigate a load of European laws. You know, we give it to the Dutch and then we
give it to the British and they basically join some sort of task force or group so we can share
the data. But the long and short of it is that they give the content of these messages
to various law enforcement agencies around the world,
and they start digging through them.
The things that are immediately flagged are threats to life.
You know, if any sort of system that the cops are using detects,
like this person may be threatened soon or may even be potentially assassinated soon,
here's information we can act on immediately.
Whereas the rest is more used to build up cases.
And I've seen some of these documents from EncroChat cases.
They're not really court documents available in the public docket.
They're more available to the prosecution and the defense.
But it's extraordinary how detailed they are.
There is this person spoke to this person about this shipment of cocaine.
Here's a whole paragraph of them discussing,
well, we need to get our Bitcoin guy involved to launder the proceeds.
Here's another paragraph about where we're storing the cocaine.
It's just they were essentially looking over the shoulder
of organized crime in their real time.
This would be fascinating to see even if it was just an ordinary phone tap, you know, as it used to be.
But here, it's the proceeds from malware.
And clearly these people, these alleged organized criminals,
thought they could speak with such impunity that they, some of them, barely even use
code words. It's like, here's the coke, here's all the drugs, here is where we're hiding it.
It's just extraordinary how blatant it is.
Still, EncroChat was unaware that their phones
were infiltrated. Business and crime went on like normal, which is just what the French police
wanted. But when some of the more serious crimes were being planned through these chat messages,
the police in the UK started arresting some users.
Operation Venetic, I think, is the NCA was already
doing sort of organized crime busts under that name. And then when the EncroChat data came in,
I believe they put it under that umbrella as well.
But hundreds of people arrested, you know,
and that really follows the whole gambit of criminal hierarchy.
You'll have individual dealers and sort of mid-tier
up to allegedly the higher levels as well.
And, you know, it's a big thing in the UK
for their gangsters to leave the country. And of course, they'll either go to Spain, which is very
popular, or increasingly Dubai as well. And of course, those phones were potentially compromised
as well. So you don't just have people on the ground in the UK being investigated by the UK
police, but potentially some of the higher tier people overseas as well.
After some arrests started happening, EncroChat suspected something was
wrong and began looking at their infrastructure for clues. So EncroChat or the owners of EncroChat
actually discover that something odd is going on on their network. And they do seem to discover some sort of malicious activity.
So they push out a message to their user base saying,
there's been an unauthorized takeover of our domain,
probably by law enforcement.
We recommend that you essentially destroy your device
and we're exploring what to do next.
I saw that message
pop up on some crime blogs at the time, and then somebody else sent me the same message,
and that helped verify it. And that's when I got into the story. And I thought I'd reach out
to somebody I know connected to EncroChat. And, you know, they sent a very lengthy statement,
I think it was one whole page, saying that, look, we're a legitimate company, we've been unfairly targeted, and we're going to, you know, see what we can do about this.
We didn't hear back from them after that. We don't know exactly what the owners are doing now. And
the French police actually said, we've been unable to identify the owners of EncroChat.
If you are that owner, please come forward. I don't know if that person has come forward.
It just seems kind of surprising that they can't figure out who makes these phones
because you just find, well, where do I buy them?
Okay, there's this dealer.
And where are you getting them from?
Oh, I can't say?
Or, I don't know, here, I get it from this guy here.
And then you go to that guy and say, okay, who's giving you the phones, right?
You just follow the phones.
Yeah, we published a piece after the shutdown
with some leaked emails I got, which do name several people involved with EncroChat, and
I think it names the various companies involved in the corporate structure. We didn't name the person
who is mentioned in the emails because, of course, you know, they could potentially face threats or harm. Because, you know, if they were heavily involved in EncroChat and all these
people have been arrested, we don't want to contribute or amplify that name in case of harm.
But yes, I find it unlikely or doubtful that the police don't have any sort of lead on the owners
of EncroChat. I mean, if we can get emails about
it, imagine what law enforcement can do.
So once EncroChat discovered someone was in their network
and phones, they shut the whole thing down. A few days after it was shut down in the summer of 2020,
that's when the French police announced themselves that they're the ones who infiltrated EncroChat.
But still today, we don't know what happened to the owners of EncroChat.
But if they are arrested, it will be interesting to watch what happens.
Because once again, making an encrypted phone is legal.
It all comes down to whether or not they knowingly were selling to criminals.
I still think it's controversial for law enforcement to deploy malware en masse, you know, and beyond their own borders. There are just so many factors at play, hidden service. You don't necessarily know if all of the users of these devices are criminal in nature. And the
French prosecutors admitted that later when they said that, you know, only 90% were believed to be
criminal. What happened to the other 10% of people who were hacked, you know?
Oh, yes. Very interesting. I bet there were many legal disputes about whether this kind
of data collection was legal.
Criminal cases in the U.S. can be thrown out if the police illegally obtain evidence.
So yeah, what about the people who weren't criminals that got wrapped up in this and spied on?
Do they have a case on their hands that they could claim that their privacy was violated by the police?
Maybe.
But citizens going up against governments like this rarely ends in favor of the citizen.
And it definitely isn't going anywhere when the person who got spied on isn't even from France.
There are more encrypted phone companies out there.
Another one I find fascinating is called Sky ECC.
Sky is one of these encrypted phone companies, again, which kind of tries to position itself more as a platform. You know, they'll have messaging and potentially other chat functions as well,
your email. And they were particularly popular all over, really. You know, whenever you're
looking into these encrypted phone firms, Sky often comes up among criminal elements.
Sky's website doesn't look like it's marketing to criminals.
Like it doesn't even use a dark theme on it.
It's got a nice blue and white look and it just feels friendly and modern.
The website lists the features of the phone,
saying it's got a self-destruct messaging capability,
group chat, and can even do audio messages.
There's even testimonials from customers.
In no way, when I look at this website,
do I think it's marketed towards criminals.
So yeah, a guy called Jean-Francois ran Sky.
Some people call it Sky Secure. Some people call it Sky Global. It sort of depends where in the
world you're buying it with all these distant distributors and agents. But the San Diego FBI, you know, after Phantom, they start looking at
Sky as well. They're clearly highly motivated to investigate these sorts of companies.
Not only was the San Diego police investigating Sky, but other European police agencies were too.
Because once again, these encrypted phones were showing up at crime scenes over and over. So the
police started tugging at
the threads to see where these phones lead. And then we start seeing some very strange stuff
coming out of Europe and Belgium more specifically. The authorities there are claiming
that they've managed to decrypt or crack, it really depends on which translation you read,
but they've managed to get the content of messages from Sky phones.
Whoa. The Belgian police were somehow able to see the contents
of these secure messages that the Sky phone users were sending? That's huge. How could they,
how did they manage to do that? It wasn't clear. We didn't know. But the Belgian police were starting to
make arrests of people based on messages they were seeing on the phones. In fact, the Belgian
police said they intercepted 500 million messages from Sky users and arrested 48 people. So Sky
began investigating to try to figure out what happened. They did not see any signs of infiltration.
So they issued a statement saying
it's not possible that the police did this and there's no evidence of infiltration.
And they told their customers that they're not working with the police in any way.
But then, you know, the reporting comes out and I speak to Sky itself, actually.
And what they say is that somebody introduced fake Sky devices to the market in Europe.
So these weren't actually the quote-unquote real Sky devices.
They were ones that had some sort of fake or malicious app
that then gathered the text messages and provided them to authorities.
The details are scarce on this, but if I were to connect the dots,
I would guess that the authorities got a hold of some brand new phones, then installed their own versions of the secure chat apps that
would collect chat logs and send that to the police. And these weren't the official Sky chat
apps that were supposed to be secure. Instead, it was the police's version they made and just
disguised it to look like the Sky chat apps. Then they somehow gave these phones to Sky distributors
to sell to their customers. I would call this a supply chain attack. Phones were somehow
intercepted between where they were made and the customers who were buying them,
which is a wild and scary attack to think that the person you're buying these devices from
might be selling you a phone that was compromised by the police and didn't even know it?
So if I'm putting one and one together here,
Belgium, you know, said they infiltrated part of the network and arrested 160 people.
And Sky is saying somebody is putting out fake phones or fake apps that has, you know, some sort of malware or something on it.
It sounds like the Belgian police may have been the ones who did that.
Potentially, yes.
But honestly, we just don't know at this point.
It's so unclear and it's one of the cases we probably know the least about,
even though it's one of the more popular encrypted phone companies for sure.
I think this is a sign that the police are becoming pretty sophisticated at fighting crime.
The French authorities are advanced enough to be able to put malware on thousands of people's phones.
And now, potentially, the Belgian police are doing supply chain attacks?
It's a wild new world we're in.
Well, after this incident, the U.S. Department of Justice indicted one of the owners of the Sky Encrypted phone company,
which means the DOJ believes they have enough evidence to bring this person to trial and prove they have violated RICO laws.
I contact a source at the company and I say, hey, can I just get a comment on this indictment?
And they say, sorry, what indictment is that?
I send them the PDF and they go silent.
Clearly, I was the one who told them there was this indictment against their company.
And we don't speak for a little while.
Eventually, Jean-Francois comes out with a statement,
provides it to us that they really vehemently deny the charges
against the company and about him specifically.
And they're going to fight it.
According to their statement,
or one of the most recent ones,
they are really actually going to try and fight this in court.
So completely different to the Phantom Secure case,
like not cooperating and really thinking
that it's an unjust charge against them.
And once again, that court case is going to hinge on one thing,
whether Sky knew they were selling to criminals to help them commit crimes.
Yes. The way that the U.S. will prosecute one of these under RICO is if they can prove that Sky or anyone else sold these phones
deliberately to facilitate criminal activity and knowingly did that. We honestly have no idea
if the DOJ has that sort of information. I'm going to guess the DOJ wouldn't file an indictment based
on absolutely nothing. But, you know, we have to see what evidence they have eventually.
And we haven't seen that yet.
And Jean-Francois is going to fight the case, is my understanding.
So we looked at Phantom Secure, EncroChat, and Sky ECC,
but there's so many more encrypted phone companies out there.
They're all coming and going.
It's hard to keep track of them, which means there's no lack of wild stories that happen with these companies.
Another story I find fascinating is one that comes from an encrypted phone company called Ennetcom.
So, yeah, Ennetcom was one of these early encrypted phone companies that were using BlackBerrys.
Pretty popular at the time, especially in Europe.
And this was sort of the first, for lack of a better word,
takedown of an encrypted phone company that I saw and I reported on at the time.
And in this case, Dutch police were able to get the content of the messages, which was very unusual at the time.
And eventually it came out, it appears that there was some sort of misconfiguration
with how Ennetcom encrypted these communications.
Authorities managed to get hold of the server.
And I think it was potentially,
the keys were also stored on the server.
And they were able to decrypt the communications like that.
So it advertises itself as end-to-end encrypted.
But, you know, that wasn't really the case if they were able to get hold of the server
and then actually obtain the contents of communications that way.
It was an implementation issue, basically.
Wow. Again, the European police are really blowing my mind here with their attack capabilities.
To find an implementation flaw in Ennetcom's communication network
and to exploit that to be able to relay messages back to the police,
it's really incredible work.
This resulted in the Dutch police collecting and decrypting
three million messages sent over Ennetcom's devices.
Ennetcom must have been furious over this, but were quiet about it.
We didn't hear much at all. I mean, I think the authorities, they shut down the network
themselves at the time. I remember the owner of Ennetcom had some very expensive looking lawyers
when I went to their website and, you know, tried to chat to them for a bit. But no,
they kind of fizzled out and they kind of faded into obscurity
along with the owner.
Meanwhile, everybody moves on to the other companies
as well at the time.
You know, there's still business to be done for these guys.
And yes, this is offensive operations
being carried out by the police.
They are actively hacking into and infiltrating networks,
servers and phones in order to collect evidence on criminals.
This is way different than what I previously imagined the police were doing in regards to computers,
which I thought they were doing more forensic-type computer work,
trying to look through the logs of a seized device to figure out what someone did.
And that's totally different work than hacking into a network covertly,
placing malware on it and collecting user data. So the police must have had to put a lot of time
and effort and resources just into building the team which would be capable of doing this.
Yeah, totally. I mean, this must be a real thorn in their side if they're willing to contribute this time, resources, expertise to disrupting
or shutting down or ultimately getting to the contents of the communications of these
phones.
You know, as I mentioned, while everybody's been looking at Facebook Messenger and WhatsApp,
this is the real stuff that's been going on with the organized crime people.
Wait, clear that up for me.
What do you mean?
What is everyone looking at Facebook and messaging?
Sure. So, sorry. I just mean very generally that when we have the so-called going dark debate
among law enforcement and civil liberties advocates and, you know, digital privacy
advocates, that sort of thing, a lot of the commentary is on popular consumer devices, you know,
the San Bernardino Apple case, where the DOJ tried to legally force Apple to unlock the phone,
the case where the DOJ tried to secretly get Facebook to somehow bug an encrypted communication,
and then, you know, various laws potentially impacting the security of WhatsApp,
let's say. There's a lot of discussion around that. And then more recently, you know, a lot
of stuff around child sexual abuse imagery and catching people who are using consumer devices
for that sort of thing. I mean, in my opinion, the so-called going dark debate is really happening
with these encrypted phones. This is
where law enforcement are being very aggressive with their techniques, both in a legislative sense,
you know, when it comes to RICO and using that, in a technical sense, when they're deploying malware
en masse, you know, if we're going to have this conversation around what sort of access should
law enforcement have to private messages, what sort of messages should be available to authorities,
you know, what's off limits, what's on limits.
I don't know what the outcome of that discussion is.
And, you know, my place as a journalist is not really to say where it should go.
But I do think that people should be including this sort of stuff in that conversation
because it's real-world case studies of this going on.
There's another encrypted phone company called MPC, and this one is crazy.
MPC is, in my opinion, the most interesting encrypted phone company. We've had these stories of tech entrepreneurs or just business people deciding to make these encrypted phone firms,
maybe they want the money, maybe they care about privacy, maybe it's a mix, whatever.
Here, MPC is a company made by organized crime for organized crime. It's run, as we found,
talking to multiple sources, you know, in and around the industry,
that it's run by two serious top tier gangsters, colloquially known as the brothers from Scotland,
and they deal with a lot of the drug trade going into Scotland, and then, you know,
obviously beyond its borders as well. They did use Ennetcom for a while, but then they decided
to, well, no, we don't want to trust our security to this company. Why don't we
make our own? And they did that with MPC.
But they also see an opportunity.
If people want to work with us, they need to use
our phones. So they sell the devices as well. And that actually
became a business opportunity in its
own right, actually running this company to then sell the devices to other organized criminals as well.
For instance, they didn't like the competition that was in the encrypted phone market.
So they started threatening their distributors who also sold their competitors' phones.
One of the people I spoke to was threatened to be killed
because they were selling a competitor's phones
in the same sort of area that MPC was also involved in.
And at least one person was
slashed, my understanding, where you take a knife and you slash their cheeks. So, you know,
their mouth has a very large cut on it. That's the sort of violence that these people were
perpetrating, as well as, you know, intimidating phone calls and that sort of thing.
At some point, MPC messaged Joseph out of the blue.
And they were asking me, hey, do you do reviews of encrypted phones or anything like that?
You know, just what anybody would do with an iPhone, you know,
a sort of normal tech outlet where they send you the new iPhone, you review it or whatever.
I don't do that. You know, that's just not the sort of work I do.
And I, you know, I said, if you send me the phone, I'll look at it.
But like, I'm not going to be paid for a review because they were offering payment.
And obviously that's unethical.
They said, sure.
They never ended up sending the phone.
But they were clearly trying to establish some sort of legitimacy in the space by getting, you know, a journalist or anybody else just to write what they thought
about the device. You know, and I should say that the MPC did say just do an honest review or
whatever. But that's a very unusual dynamic to then for a company you then later find out
is run by, you know, top tier organized crime.
The police started investigating MPC, and they
also said this is very unusual for an organized crime group
to create their own encrypted phone business.
But the story gets even darker after that.
So one of the other ways,
beyond trying to get reviews from journalists,
that MPC was trying to get marketing
was, you know, just sort of these brand deals.
And there's a fairly famous former criminal
turned blogger turned sort of journalist in Amsterdam called
Martin Kok. And, you know, he's out of prison after murder convictions, and he writes on his
blog called Butterfly Crime. And there he, you know, he makes a lot of enemies, he will name
people, he will say what various crime elements are up to.
And there are lots of attempts on his life.
I mean, you can go on YouTube and you can check out, you know,
the Dutch police showed a car bomb that was targeted against him.
And it's a truly huge explosion that they do a controlled explosion
just to get rid of the bomb.
Anyway, MPC works with Martin for some branding.
Hey, just tweet some photos of you wearing this MPC shirt
and the phones, and we can run adverts on your website, that sort of thing.
And eventually MPC say,
well, you know, let's keep this business relationship going.
Why don't you meet with one of our associates?
And him and the associate,
they go to a sex club on the outskirts of Amsterdam.
There's CCTV footage of Martin Kok
walking around with somebody down the street of Amsterdam.
And a man in a hoodie runs up behind him,
puts a gun to Martin's head.
And for some reason, Martin isn't shot.
You know, maybe the guy freaks out,
maybe the trigger jams or whatever, but he points the gun, it doesn't work, and then he runs away.
And that's the first attempt on his life that day. And then when they eventually leave,
sort of blurry eyed from the sex club and Martin Kok is getting into his car,
a man jumps from the bushes and shoots him and kills him.
And we were told shortly after that, or sometime after that, that this was an assassination with the consent and the help of MPC, the phone company, and by extension,
the brothers who ran that company.
Whoa. Now that's scary. And I suppose it means
you can't trust an encrypted phone company
that's run by criminals.
And it also means that MPC
is clearly breaking laws.
While some of these other phone companies,
it's not so clear.
Which, yeah, it's going to cause them
to be investigated by the police,
and they're going to want to probably
shut this company down.
So the police started investigating MPC
to figure
out who's running it. And this did lead them to find out it's being run by some known criminal
brothers in Scotland. And this revealed their identities.
Yes. So my source provided the name
of the two brothers beforehand, you know, James Gillespie and his brother as well. And then the police do announce that.
They announce the two names of them and their various associates as well.
Later on, they arrest one of the associates in South America, I believe.
But at the moment, it seems that the brothers,
at least from my understanding, are still on the run.
Ah, so they went into hiding.
Yes, yeah. And, you know, there's some reporting on client crime blogs that they're also in South America. But, you know, it's hard to say, you
know. These people may move around. These are, you know, highly technical, highly
resourced individuals, right? I mean, I doubt they're going to stay in one place for too long.
But when one secure phone company goes down, it just seems like two more pop up.
A constant theme with these companies is that once one shuts down, either of their own volition,
or law enforcement hacks them or otherwise carries out an operation against them,
these criminal users or users in general,
they still need a phone.
So they will go to another one.
So when EncroChat was closed,
another company called Omerta
did a sort of discount offer
where you could either get phones cheap
or buy one, get one free, or something like that.
And presumably, maybe some people went over to that.
When Phantom shut down,
a lot of the user base was absorbed by Sky
and then also by Ciphr as well.
Ciphr is still going. It's probably the biggest, or at least the most established
and longest living, encrypted phone company that is still going right now.
But, you know, is Ciphr being investigated? I mean,
probably in some capacity, right? It's been going on for so long that maybe they could be the next
target.
And there's another encrypted phone out there that looks really promising. It's called
Anom, kind of short for anonymous. And it has a cool dual boot thing. Check this out. When you
boot it up, it asks for a pin to unlock it.
That's normal, right?
And if you type it in, you see normal apps like Instagram, Facebook, Tinder, Netflix,
even Candy Crush.
But if you try to click on any of these apps, they just don't work.
They're just dummy apps to make the phone look normal.
What you need to do is reboot the phone, but this time enter a different pin code. When you
enter the second secret pin, it unlocks access to a secret area of the phone. But there are only
three apps in this secret area, and at first glance they look boring. One is a clock, and the other is
a calculator, and the third is device settings. The secret is to open the calculator app, which then asks you for your Anom ID and password.
And once you get in there, you can send and receive encrypted messages.
This phone is slick and stealthy and more clever than you realize.
Anom started up in, I think, 2019, and it was first introduced in Australia.
Specifically, people who typically distributed encrypted phones
were getting these and passing them around.
People were slowly adopting them and using them.
Eventually, they made their way into other countries,
and criminals, yeah, they liked these phones and started using them.
But Anom had a secret.
It wasn't what people thought it was.
It was a honeypot created entirely by the FBI
to snoop, spy, and gather incriminating evidence from criminals. They worked with the Australian
law enforcement to spy on Australian criminals too. But this posed some massive challenges for
the FBI. What are the legalities of marketing and selling spy phones like this?
How do you even create a shady underground encrypted phone company
without it being so good that it goes mainstream?
Clearly the FBI wanted in Phantom Secure phones, but didn't get in.
And this may have been where they got the idea.
If they can't find a way in, they can make their own phone.
This was dubbed Operation Trojan Shield in the FBI,
and their Anom phones were able to collect 27 million messages from its users.
But we don't know how many arrests this resulted in.
But it's yet another incredible amount of resources that law enforcement has spent
to try to infiltrate encrypted secure
phones. But man, now that we've taken this tour of the world of encrypted phones, I feel like I can't
trust them. In four of these stories, law enforcement infiltrated the chats. I don't want
the police reading my chats. And so many of these phones seem like it's
just for criminals to use. And I don't want that either. I just want a secure phone that doesn't
vacuum up all my data. And I'm not a criminal. I just like privacy. There's got to be some kind
of phone out there for me. There was Silent Circle, which is, of course, a slightly different
user base in that, you know, it was made by Phil Zimmermann, the creator of PGP.
And they have this platform where you have silent text,
which is obviously text messages,
and if you get encrypted email or something as well.
And they had the Blackphone.
And this communications platform, essentially,
they did try to sell to governments.
I think I've seen some, I believe it was the US Navy contracts
and that sort of thing.
So that is in the same sort of space, but I don't know if criminals will gravitate towards that
because they'll see, oh, it's working with the government, then they can't be trusted,
you know, that sort of thing.
So many of these criminals will be better off with a fully up-to-date iPhone
or a fully up-to-date Android device, if it's a higher tier one,
with Signal installed and just use that or Wickr or
whatever.
So Wickr and Signal, and there's Wire too. These are apps that you can get on your
Android and Apple devices that let you call and message people. And it uses end-to-end encryption,
which means anyone in between won't be able to decipher the messages, including the companies
of Signal, Wickr, or Wire themselves.
If security and privacy is important to you,
which it should be,
you should move your communications to one of these apps.
Signal seems to be the most popular,
where you probably already have friends and family using it.
But what about securing the phone itself?
Well, I guess we're going to have to go with iPhone or Android on this.
But you should do things to lock it down.
To start with, keep them updated.
Updates fix vulnerabilities. And I think what we've learned in this story is that authorities will exploit vulnerabilities to gather evidence.
And some of these companies just weren't very good at securing their own infrastructure.
I mean, it sounds like Ennetcom left the keys to their server out in the open. And these little startup companies aren't going to have the resources to properly secure their networks and devices to be able to withstand
attacks from law enforcement. However, a big company like Apple and Google do have the resources
to keep things secure from outsiders getting in. Now, if you're going to get an Android device,
I recommend getting the Google Pixel over the other Android phones. Since Google makes the
Pixel phones and the Android operating system, this means the latest security updates will be
available on the Pixel first. These updates can take a long time to trickle down into other makers
like Samsung or OnePlus phones. And I've seen some phones sold in stores that are so far behind on
Android updates that the software is already end of life on brand new phones. So you
want to get closest to the source with Android, which is getting the Google Pixel. But one big
security flaw still with these phones is SIM swapping. This is where criminals will call up
your phone company and impersonate you to tell them to move your phone number to their phone.
Once a criminal gets control of your phone number, they can get into a ton of
your accounts, and it's a horrible problem to try to figure out. So because of this, I use an iPod
Touch as my phone. Joseph actually taught me this and wrote a great article on how to do this,
because the iPod Touch doesn't have a SIM card. It's Wi-Fi only, so it's impossible to SIM swap me.
And I use a combination of Google Voice and other apps to get the iPod Touch to be a
regular phone when it has a Wi-Fi signal. And this is what I use as my primary work phone. And
honestly, the only app I use on it is Signal, which allows me to text and make calls securely
using end-to-end encryption. If you want to go even deeper to lock down your phones like I do,
I highly recommend the book Extreme Privacy,
What It Takes to Disappear by Michael Bazzell. This is a massive book, which is all about how
to secure your digital life. It's fantastic, and I'll have a link in the episode description if
you're interested. A big thank you to Joseph Cox, senior staff writer at Vice's Motherboard.
There's always news coming out about these encrypted phones, and Joseph is always all over it.
So you should definitely follow him on Twitter to stay updated.
If you like this show, if it brings value to you, consider donating to it through Patreon.
By directly supporting the show, it helps keep ads at a minimum, it helps get new people to make the show, and it tells me that you want more of it. This is Darknet Diaries. Theme music is by The Elliptical Curve, known as Breakmaster Cylinder. In the future, everyone will have 15 minutes of privacy.
This is Darknet Diaries.