Police Got Crime Intel from 115mn Conversations by Infiltrating EncroChat Comms Network

A press conference jointly arranged by law enforcement agencies from France, the Netherlands and EU has highlighted the scale of the investigation that occurred after EncroChat, an encrypted comms provider, was penetrated by police, then taken down in June 2020. This story may appear to be three years old, but statistics that summarize the police investigations that have occurred since will help to explain why it is worth revisiting.

  • 6,558 arrests so far, resulting in prison sentences that total 7,134 years
  • Seizure of cash worth EUR740mn (USD808mn) and freezing of bank accounts and other assets worth EUR154mn (USD168mn)
  • Seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, 3.3 tonnes of heroin and over 30 million pills
  • Seizure of 923 weapons, 68 explosives and 21,750 bullets
  • Seizure of 271 properties, 83 boats and 40 planes

It is in the nature of police to talk up their successes when fighting crime but it is easy to see why they want to draw attention to results like these. The public may not otherwise understand why so much time has been spent trawling through the communications of the estimated 60,000 users of EncroChat and the 115 million conversations they had whilst using the service. There is also a need to explain why it is better to keep an encrypted network up and running, so intelligence can be gathered, instead of shutting it down immediately, which would only lead criminals to switch to other methods of communicating with each other.

EncroChat worked by installing new software on Android and BlackBerry handsets so messages were encrypted, and to disable functionality that might be subverted for surveillance purposes, such as cameras and GPS. The service also included a special ‘panic’ feature that would immediately erase all data on the handset. Encryption of comms should be legal in itself, but it is no surprise that criminals were attracted to EncroChat, which charged EUR1,500 (USD1,600) for a six-month contract. EncroChat’s SIMs were supplied by Dutch telco KPN and comms traffic was managed by servers located in France. Police successfully infiltrated the network for three months so they could see what the unencrypted messages said, but in June 2020 an administrator of the network sent a message warning all users to immediately dispose of their devices (pictured, right) and the service went permanently offline.

The pace of pursuing these cases is illustrated by observing that the police were only reporting 1,000 associated arrests at the end of 2020. But what the police are not saying is whether they have subverted any comms networks that have emerged more recently. Last week’s press conference occurred a few hours after the killing of Nahel Merzouk by a French traffic cop, prompting rioting across the country. This was a coincidence that means they will have received less coverage than they hoped for. It is likely that attention was being drawn to this case because either another network is currently being spied upon, and there is a need to prepare the argument for why such networks are not interrupted immediately, or else the authorities are pursuing increased power to intercept and decrypt electronic communications.

The press release associated with the conference can be found here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.