The Decibel - The Canadian accused of building a digital den for drug dealers
Episode Date: July 17, 2024Paul Krusky is an unassuming tech nerd whose company, EncroChat, was once just one of the world’s many encrypted phone services. Now, he is in a French prison as police accuse him of building a digi...tal den for Europe’s drug dealers.Globe reporters Joe Castaldo and Alexandra Posadzki explain how EncroChat wound up at the centre of thousands of criminal arrests in Europe and what we know about Paul Krusky’s past and the charges against him.Questions? Comments? Ideas? E-mail us at thedecibel@globeandmail.com
Transcript
Discussion (0)
In recent years, there have been a series of big drug and crime busts in Europe
that resulted in more than 6,500 arrests.
More than 700 million euros have been seized,
along with nearly 1,000 weapons, 271 homes, 971 vehicles, 83 boats, and 40 planes.
And at the center of all of this is one tech company called
EncroChat. Here's how report on business journalists Joe Costaldo and Alexandra Pazadsky
describe it. EncroChat was a company that sold specialized smartphones that had added security
features on them so that users could message each
other without having to worry so much about getting hacked or having police or intelligence
agencies spying on them. So nobody, not even EncroChat itself, could spy on your conversations.
And connected to EncroChat is a Canadian named Paul Kruski,
who's also been arrested.
I think at a very high level, you could see the EncroChat story
as being about the tension between our right to privacy
and the powers of law enforcement.
And also what level of surveillance we're willing to accept as a society
in order to essentially maintain law and order. Today, Alexandra and Joe join me to explain the
fall of EncroChat and the mysterious man who ran it. I'm Maina Karaman-Wilms, and this is The Decibel
from The Globe and Mail.
Alex, Joe, thank you so much for being here.
Thanks for having us.
Thank you.
So, Joe, let's start with you. Let's just start by getting a sense of what it looks like if you actually had EncroChat on your phone. Could you describe what that would be like?
Yeah, so it wasn't like an app on your
phone. EncroChat sold actual smartphones. These were modified Android devices that had like the
GPS functionality stripped out, the camera, the microphone disabled. And it wouldn't look that
different because these phones did run Android, like lots of smartphones do.
But an EncroChat user could put in a passcode and then get to the second secret EncroChat operating system.
So this is an operating system.
So this is like an iOS or something that's on your phone.
Exactly.
So on the surface, it just looked like a regular smartphone, but it was anything but.
And so then what are you buying, I guess, as a customer?
Are you buying the software, the physical phone itself?
Like, I guess I'm wondering how EncroChat was making money here.
So if you were an EncroChat user, you would buy the EncroChat phone for about a thousand
euro because they were big in Europe.
And then you would have to get a
subscription plan for another 1500 euro. That was for about six months. And that included,
you know, customer service and things like that. So you're buying both the phone and the service
package that goes along with it. Okay. And Alex, kind of continuing on with, you know, what is actually included here in an EncroChat offer, what are some of the key features that EncroChat would
offer to its users? So like, what would you actually get from this? Yeah, so one of the
main things was that users, they're essentially buying access to other EncroChat users, right?
And so you have this messaging app where you're talking to
other people who are also on the EncroChat network. So you're sort of buying your way into this
network of people. And all of them are using aliases. And the system came with these sort of
special privacy features. So for example, you could send messages that would self-destruct.
So that if your phone were ever seized by law enforcement,
for example, or the other person's phone was seized by law enforcement, those messages that
you had sent were no longer there. And there was also this feature where you could punch in a
certain code and it would just erase the whole device. So you could look like, oh, look, I'm
just entering my password so that I can give you access to my phone.
But actually, I'm erasing everything that's on there.
And then on top of that, the same sort of panic wipe feature could be done remotely through customer service.
And do we know how many people were using EncroChat?
So at one point before it was shut down, there were more than 60,000 users on the network.
Wow. Okay. So not insignificant.
Okay. So who would want to use this kind of phone, Alex?
So 60,000, that's a lot of people.
But yeah, who does this appeal to?
Well, you know, if you talk to people who are selling EncroChat devices, like resellers,
they might tell you that some of their customers could include journalists who want to communicate securely
or celebrities who want to be able to communicate securely. But according to law enforcement,
particularly authorities in France, which ended up doing the big infiltration of the
AnchorChat system, it was predominantly organized crime.
Okay. So let's talk about the company behind the software now.
What do we know about the origins of EncroChat?
We don't know a whole lot, to be honest.
EncroChat was a very low-profile, secretive company.
It wasn't out there trying to drum up publicity for itself
or putting its executives out there for media interviews and so on.
We do know that it appears to have some links to another company
that predated EncroChat out of Vancouver that was called Esoteric Communications.
And it did something very similar.
It sold secure smartphones for communications.
And Esoteric's website raises fears of law enforcement,
intrusion and snooping and hacking and all of that, and sort of talked about privacy in these
ideological terms. It seems that Paul Kruski, the alleged CEO of Anchor Chat, was kind of swimming in these waters as well. We found a post made by somebody
with the name Paul Kruski in 2013 on this message board for something called the Guardian Project,
which is an open source effort to make secure communications apps for journalists and human
rights activists and things like that. And in this post, the author, Paul Kruski, is basically complaining about one of the apps,
saying that it's very cumbersome to use.
It lacks important features like self-destructing messages and things like that.
So there was some frustration there.
And this post was made around the time that it seems like EncroChat was incorporated.
But the only explanation we have for why EncroChat was started and specifically Paul
Kruski's motivations comes from his lawyer in France who told us that his only goal was
to provide a technology that would fully respect the privacy
of its users. So let's talk a little bit more about Paul Kresge then. Alex, I know that you
and Joe spoke to, I think, over a dozen people about him. What do they tell you about what he's
like as a person? We had to piece together a lot of different sources of information because
he kept a very low profile. So he was not really
out there in the public eye. He was a very private individual. And he, in fact, was very obsessed with
privacy to the point that one person we spoke to who knew Paul and his wife socially said that
they'd bought an Alexa and Paul chided him for buying a listening device that was
essentially spying on him. You know, what we know about Paul is that he grew up in Guelph, Ontario.
He attended a Catholic high school. Then he graduated from York University. And after doing
so, he co-founded this internet startup in the Waterloo area called World Without Wire,
which was serving sort of small and medium-sized businesses in the area.
And one of the things that we discovered actually was that Paul had this business partner in World
Without Wire named Paul Kater. And Paul Kater had this interesting kind of side business at the time
called Zed Marketing that was selling satellite TV packages to consumers. And in 2005, DirecTV, which is a satellite provider out of the U.S.,
ends up suing Zed Marketing for $20 million U.S., alleging that they were engaging in a
complex piracy scheme that was defrauding DirecTV. And one of the defendants is Paul Kroski.
But as far as we know, it doesn't look like Paul was particularly
involved in the business. There's not really any single allegation against him specifically.
He's simply listed as the administrative and technical contact on Zen Marketing's website.
Okay. And then around that time, Paul and his wife appear to leave Canada. They sell their home in Ontario and they move to the Dominican Republic.
And here we get this kind of window into their lives via his wife's posts on Facebook.
So they're kind of living what looks to be a very quiet sort of normal expat life in the Dominican.
His wife is volunteering with a dog rescue.
She's really passionate about dogs.
They have many dogs living in their own home.
Paul is really into horses.
There's photos of him riding a horse on the beach.
And one person that we spoke to actually said that Paul was a pretty reserved person who
actually preferred dogs to people.
And another person told us that he actually was
not particularly well liked, that he was a very smart individual and he could talk at length about
many different topics, but he kind of rubbed some people the wrong way. He could come off as pretty
arrogant. Okay. It's kind of unclear to us exactly how he was making money at this time, but some
people told us that it was through online gambling. And he had this kind of very intense poker playing style.
We spoke to a couple of people who played poker with Paul, both in Waterloo and in the Dominican
Republic. And he was a sore loser, essentially. He could not accept that he lost and would
complain and say the outcome was
unfair. He was a good poker player, but he couldn't accept that chance played a role in
whether or not he won. So he had a big ego at the table. We'll be right back.
So we know that eventually, after a few years of operating,
EncroChat is infiltrated by police.
Joe, how did that happen?
So the national police in France opened an investigation into EncroChat in about 2017 because they noticed noticed that, you know, when they were arresting
drug dealers or people with ties to organized crime, they had these EncroChat phones that
they couldn't get into. So they opened this investigation, and eventually they learned that
EncroChat's servers are with a commercial cloud provider that has a data center in a city in northern France.
So, you know, despite EncroChat's claims of being ultra secure, they didn't own their own servers
offshore or in a bunker somewhere. They were just with a commercial cloud provider. So they were
able to copy part of EncroChat's server and And from there, write a piece of malware, essentially,
and ship it to EncroChat users and disguise it as like a software update.
And when users installed this update, what it did is it sent copies of their messages.
So they thought this was like a super secure system, which it was until the police kind of hacked it, essentially?
Exactly. And so there were kind of two phases to this. So the police could receive copies of messages and images. But then they also figured out how to read messages in real time. And they were monitoring users for about a period of two months in 2020.
Can I just ask, is that legal? Can police just do that, hack a company like that?
So far, it appears to be yes. They did have judicial authorization to do this.
But the hack or the infiltration is hugely contentious and a point of debate. If this happens to Anchor Chat,
could something similar happen to more mainstream companies and services? The other thing to point out is we don't know what kind of interaction there was between law enforcement and Anchor Chat
before this hack. So I mean, law enforcement make lawful access requests to
telecom companies, social media companies all the time as part of investigations. And usually
companies comply if it's a legal request. EncroChat may have been opposed to that kind of thing.
There was an old blog post on the EncroChat website. We don't know who at EncroChat wrote it, but it was criticizing
BlackBerry for complying with these lawful access requests. Sort of the implication there being,
well, we, EncroChat, we're not going to. We're going to keep you safe. So if a company doesn't
comply with that kind of thing, maybe that does necessitate more extreme measures.
Okay. But either way, police hacked it.
They got in to see these messages on EncroChat.
So, Alex, once the police were in, what did they find?
Once the police are inside the system, what they're seeing is these users who are hiding behind these aliases
like Kind Taylor, Feral Whale, Mary Sword, Bang Boom Boom,
and they're bragging about the huge quantities of cocaine and heroin that they're moving,
the profits that they're earning from those drug deals,
they're orchestrating money laundering schemes,
they're even plotting murders of rivals.
And at one point, Dutch police find this torture chamber inside of a shipping container.
They retrieve messages that talk about a tub for waterboarding and cutters for fingers and toes.
So some like really grotesque things there. And then one day, all of a sudden in June 2020,
Anchor Chat blasts this message to all of its users, which says that they've had their domains seized illegally by government and advising users to power off and get rid of their phones immediately.
Wow.
What did police do with all these messages?
So they're seeing all this stuff, Alex, like messages about moving drugs, maybe even like taking hits on people.
What did police do?
Well, essentially, they start arresting people,
and they start seizing money and drugs, large quantities of money and drugs. And one number that we have is that there's been more than 6,500 arrests in connection with Anchor Chat.
All right. So it makes sense that people talking about moving drugs, for example,
on Anchor Chat would get arrested. But Kruski also got arrested, right? So Joe, why did he get
arrested? Yeah, French prosecutors allege that Paul Kruski is essentially the CEO of EncroChat.
And more specifically, they are alleging that he and others knowingly sold these phones to
known criminals so that they could continue to do crimes without being caught by police.
So the allegation is he assisted organized crime. We don't know much about what evidence there is
to support that. How do they know that he knew who his customers work? How do they know that he was
knowingly assisting organized crime?
We don't know specifically what criminals or what criminal networks he was allegedly supporting.
But in one court document, it does say that the leaders of EncroChat were in direct contact with
a major Spanish drug trafficker and Dutch biker gangs. So that's one aspect to it. And the other is that
prosecutors are alleging that EncroChat itself was a criminal organization that engaged in money
laundering. Okay, well, let's talk about the money laundering then. Alex, do we know how that
allegedly worked? What authorities are essentially alleging is that money from the sale of the phones and the subscriptions was laundered through companies and banks around the world by people who are based in Spain and Dubai who didn't solely work for EncroChat.
And so authorities lay out this kind of web of different companies around the world.
And so you have the phones being manufactured in China and then they're being prepared in Spain, allegedly.
And so you then have a Spanish company delivering the phones to a Hong Kong based entity called Suro Limited and then Suro selling the phones to a Dubai based-based entity called Suro Limited, and then Suro selling the phones
to a Dubai-based company called Zykov, and then Zykov paying licensing fees and connection
fees to another company based in the Cayman Islands and to Nimbus Communications in Hong
Kong.
And then Nimbus is the one who's buying the SIM cards from this British company with
Paul Kruski's name on the orders. And so what law enforcement is alleging is that you have
these companies that are being set up in Hong Kong solely for the purpose of receiving funds
from EncroChat users. The companies are allegedly changing all the time and money is moving between
them and invoices are being created to justify those movements, purely with the intention of disguising the origin of those funds.
Wow. What has Paul Kresge said about all of this?
We were not able to speak directly to Paul Kresge. He is in custody in France. He was
extradited from the Dominican Republic earlier this year. But we were in touch
with his lawyer in France, this guy named Antoine Veil, who's well known in France. He was part of
Julian Assange's international defense team. And he told us that Kresge denies all of the charges
and that there's no evidence to support these charges and that he is innocent. Kresge denies all of the charges and that there's no evidence to support these charges and that he
is innocent. Kresge has been cooperating with investigators and the judge in this case. And
Antoine Veil is certain that the truth will ultimately prevail in this case.
Just in our last few minutes here, I'm wondering if we can talk about some of the big picture
issues that we've kind of been talking around here, right? We've been talking about privacy and, you know, when
law enforcement needs access to things. I guess you've both been reporting on this story. What
does this tell us about the bigger issues of when our privacy needs to be protected versus when
police, when law enforcement need access to things in order to stop criminal activity. Yeah, I mean, obviously, we do have a right to
privacy. You can't have a free functioning democracy and fear that your private conversations
could be obtained by law enforcement and used against you. But at the same time, you know,
these services are enticing to criminals. And law enforcement has to be able to do their job to, you know, thwart and
prevent organized crime and keep society safe. In Canada and other countries, like there's a
whole body of law that outlines how and when law enforcement can access private communications to
aid in investigations. But then there's a change in technology or a company like AnchorChat
comes along and all of that has to be reassessed again. I think part of the challenge is that
everything is moving online more and more. And so police do need to be able to find a way to do
their work online too. And so often the test of that is actually judicial authorization, right?
So essentially a search warrant. So in the AnchorChat case, they did have judicial authorization
to carry out this infiltration of the AnchorChat network. One of the things that critics of this
law enforcement action have been saying is just the scale of the infiltration, right? And so
we don't know how surgical it was really in terms of if you do have more than 60,000 users, how many of them are
actually doing criminal activity and how many are maybe just innocent people who are now being spied
on as a result of this police action. And so I think it's about us as a society trying to find
like, where is that line? How much surveillance is appropriate? How much surveillance is too far? How much involvement by a CEO or how much knowledge by the leader of a company is required in order to be able to say, yes, this was a criminal enterprise? have pointed out there could be you know various drug deals and criminal
activities happening via signal or iMessage and we don't see the CEOs of
those companies sitting behind bars and so you know here we have a case that
looks to be quite different this you know service had a number of features
that you know at least law enforcement allege were kind of tailor-made for
organized crime.
And so they're arguing that this is different.
This is not just your kind of run-of-the-mill encrypted chat app like Signal or Telegram.
But I think this is something that is still very much kind of playing out
through various courts around the world.
Alex, Joe, thank you so much for being here and for sharing your reporting.
Thank you.
Thanks for having us.
That's it for today.
I'm Maina Karaman-Wilms.
Our producers are Madeline White, Rachel Levy-McLaughlin, and Michal Stein.
David Crosby edits the show.
Adrienne Chung is our senior producer, and Matt Frainer is our managing editor.
Thanks so much for listening, and I'll talk to you soon.