Encrypted Communication Apps: From Telegram to EncroChat

This episode of The Dark Dive focuses on encrypted communication apps, including Telegram, Tox, Signal, Session, and Jabber.

This episode of The Dark Dive focuses on encrypted communication apps, including Telegram, Tox, Signal, Session, and Jabber.

While not strictly speaking part of the “dark web”, these apps are used by the same criminals to perpetrate many of the same crimes. We start with the “mainstream”, taking a close look at the popular messaging app Telegram. We then take a look at the other end of the spectrum with the example of EncroChat, an encrypted communication network that required a special device sold on subscription.

Speakers

Aidan Murphy - Searchlight Cyber

Aidan Murphy

Host

David Osler - Searchlight Cyber

Dave Osler

Head of Product at Searchlight Cyber

Vlad

Threat Intelligence Analyst at Searchlight Cyber

This episode of The Dark Dive covers:

The fall out following recent developments on Telegram

How dark web cybercriminals have reacted to the arrest of the Telegram CEO and the subsequent privacy changes made on the instant messaging application.

Other apps used by cybercriminals that have the potential to go "mainstream"

Will Tox, Signal, or Session become the go-to encrypted communication apps for cybercrime if law enforcement crack down on Telegram?

What we can learn from the EncroChat saga

A "high end" encrypted communication network that was infiltrated by police, with thousands of cybercriminals subsequently brought to justice.

Transcript

Aidan Murphy: Hello, and welcome to another episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy and I’m your host as each month we look at a different aspect of the dark web. Or in the case of this episode, something that is dark web adjacent, because in the next 45 minutes or so, we’re going...

Aidan Murphy: Hello, and welcome to another episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy and I’m your host as each month we look at a different aspect of the dark web. Or in the case of this episode, something that is dark web adjacent, because in the next 45 minutes or so, we’re going to be taking a forensic look at encrypted communication applications, platforms like Telegram, Signal, Tox, that aren’t strictly speaking part of the dark web, but are used by the same cyber criminal underworld. I am joined by two colleagues to discuss a whole range of encrypted communication applications, from the mainstream to the incredibly niche. Dave Osler, Head of Products at Searchlight Cyber, who regular listeners will remember from our episode in series one, on dark web marketplaces, hello Dave. 

(TC: 00:00:48) 

Dave Osler: Hi Aidan. 

(TC: 00:00:49) 

Aidan Murphy: And Vlad, a Threat Intelligence Analyst at Searchlight Cyber, who appeared in the season one episode on dark web forums, hello Vlad. 

(TC: 00:00:55) 

Vlad: Hello everyone. 

(TC: 00:00:56) 

Aidan Murphy: Before we kick off, I think it would be good to give listeners a quick reminder of who you are and what you do. Dave, maybe we can start with you? 

(TC: 00:01:02) 

Dave Osler: Yes, thanks Aidan. I’m Dave Osler, I’m the Head of Product Management here at Searchlight Cyber, I’ve been in the company for three years and my background has been in product management for a long time. I spend my days working out the capabilities that we can deliver to customers through the product and building those out and getting them out to the market. 

(TC: 00:01:20) 

Aidan Murphy: Brilliant, thanks Dave, and Vlad? 

(TC: 00:01:23) 

Vlad: Yes, I’ve been a Threat Intelligence Analyst here at Searchlight for the past year and a half, but I’ve been in the industry for way more than that, about four years. I spend most of my time on cyber crime forums and monitoring the other messaging platforms like Telegram and so on and so forth. I also spend a lot of time monitoring ransomware groups. 

(TC: 00:01:42) 

Aidan Murphy: I think there’s only one place to start today’s podcast and that has to be Telegram, which I believe, and my guests can tell me if I’m wrong, is probably the most mainstream of the apps we’re going to talk about today, and it’s an app that’s recently been in the news. Vlad, let’s start at the beginning, for anyone that doesn’t know, can you give an overview of Telegram? 

(TC: 00:01:59) 

Vlad: Yes, of course. So, yes, you’re right, Telegram is definitely the most mainstream out there. First of all it’s an Eastern messaging platform, it’s been around for more than ten years, it launched in 2013. Nowadays it’s close to a billion monthly active users and when I say close, we don’t really know the exact figure, but it’s more than 950 million. Yes, threat actors use it because of its perceived focus on privacy, but however, the end-to-end encryption is only available if you select the secret chat option. A lot of users don’t know that and they use the default setting instead. 

(TC: 00:02:38) 

Aidan Murphy: Okay, interesting, I think it’s worth probably pointing out that Telegram isn’t just used by criminals, right? My understanding is this is a very popular application, especially in Eastern Europe, it’s used, kind of, like WhatsApp I guess in Western Europe and in America and things like that? 

(TC: 00:02:53) 

Vlad: Yes, you’re absolutely right, Telegram is actually very popular in Russia, Ukraine and other Eastern European countries. It was developed by two co-founders that were previously the CEOs of VK. VK is known as the Facebook of Russia basically. So, you can imagine that the heavy focus on the Eastern European side of the world, but its been picked up way more in other parts of the world as well, in the last few years. 

(TC: 00:03:24) 

Aidan Murphy: Okay, brilliant. As you say, so it’s used by criminals because of this perceived level of encryption, but you’re suggesting that the encryption actually isn’t used by most people who use Telegram? 

(TC: 00:03:36) 

Vlad: From my experience, it’s not, to be honest the secret chat option is not even that easy to turn on. It requires more clicks than it should. So, we have to remember that this application was developed to cater to regular users after all, not to cyber criminals. So, you can imagine why the secret chat option is not really in your face. Telegram was adopted by cyber criminals because it allegedly didn’t share user IPs or other information with law enforcement and it also did not comply with the subpoenas. So yes, that’s an advantage, yes. 

(TC: 00:04:13) 

Aidan Murphy: Okay, so what type of crime-, and this is a really big question, what type of crime do we typically observe on Telegram? We can start at a high level and then maybe go further down? 

(TC: 00:04:25) 

Vlad: To be honest, we see all kind of cyber crime on Telegram. We see everything from little petty crimes, like little scams and people selling compromised accounts to streaming services and so on, but other criminals go as far as creating fully automated marketplaces. Catering to drug users and drug trafficking. This makes it very easy for anyone to purchase cocaine, marijuana, LSD and other drugs and pay them via cryptocurrency. If you go beyond drugs and other crimes like this, we also have to take into account that malware developers are using it, they promote their services, they recruit partners, they reach out to customers and so on. 

(TC: 00:05:15) 

Aidan Murphy: Regular listeners to the podcast, this will all sound very familiar, because this is similar to the type of crime we see on the dark web. Dave, I guess from your perspective, do we see customers, and us, who are interested in investigating dark web crime or protecting themselves from the type of crime on the dark web? Are they also interested in monitoring apps like Telegram? 

(TC: 00:05:37) 

Dave Osler: Yes, absolutely, and we’ve seen this kind of increase over time, that customers don’t just want coverage on the dark web, they also want coverage on sites such as Telegram, but just not exclusively just Telegram. There’s also other platforms as well they want coverage of. From their perspective they’re not looking-, they’re looking for threats, you know, they want to understand threats or investigate actors, and those people don’t necessarily belong to a strict platform, those actors can exist on multiple platforms. They can move between platforms overtime as well. So, really we cover a multitude of areas that this information happens on. So, that includes the dark web, so TOR, but also Telegram. 

(TC: 00:06:20) 

Aidan Murphy: Yes, and I think that’s why this episode is important to explain that yes, while these apps aren’t technically the dark web, listeners can’t see I’m doing quotation marks, there is a link. Vlad, does that marry with your experience as well? Do you see actors go between these apps, or for example, you know, they’re on the dark web but they’re also sharing their Telegram handles and that kind of thing? 

(TC: 00:06:40) 

Vlad: Yes, actors, they usually use whatever is easiest for them and they have to take into account the security part of it. Telegram has certain features that cannot be found anywhere else. For example, Telegram, it’s really easy for cyber criminals and malware developers to leverage the platform as a command and control tool. Which means that in platform bots can be developed and these bots, they can serve a number of purposes, and have a number of functionalities, including delivering information from stealer logs, host stolen files and the service live control panels for phishing pages and more. So, this is, kind of, a unique feature of Telegram, we cannot find it anywhere else, but other more common features like texting and having group chats and so on, they can be found in other places as well. Other places that can be more secure, but of course cyber criminals really cherish these features that Telegram has and no-one else has. 

(TC: 00:07:45) 

Aidan Murphy: That’s really interesting. So, Telegram almost has features for cyber criminals that they would have to develop themselves on the dark web for example? It’s, like, good user experience that is, kind of, ready made tools to use, is that what you’re saying Vlad? 

(TC: 00:07:59) 

Vlad: Exactly, but these features they aren’t developed for cyber criminals, they are developed for everyone, for legitimate purposes, but cyber criminals found a way to use that and given the fact that it’s generally free to use Telegram and it’s so easy to create these bots, then yes, you can see why they’re using it. 

(TC: 00:08:19) 

Aidan Murphy: I see, okay, so these are legitimate features that have been abused, let’s say, by cyber criminals rather than Telegram developing features for cyber criminals, that’s a very, very important distinction? 

(TC: 00:08:30) 

Vlad: Exactly, you’re right. 

(TC: 00:08:33) 

Aidan Murphy: I guess one segment of the crime that goes on, on Telegram, I just wanted to ask you about Vlad because you talked to me about this in the past is hacktivism, these are cyber criminals who are motivated by political or, kind of, geopolitical causes. This mostly takes place on Telegram rather than the dark web, is that right? 

(TC: 00:08:54) 

Vlad: Yes, you’re right. So, we see a lot of financially motivated actors using Telegram to communicate with potential customers and database vendors advertising their data and so on. Of course besides these financially motivated actors, we also see hacktivists, they’re using Telegram to brag about their latest attacks. Usually these attacks are in the form of distributed denial of service, which is also known as DDOS. They use the Telegram platform to recruit others as well, but lately we’ve observed an alliance of over 70 hacktivists groups known as the Holy League. They’re using channels to promote themselves, but they were generally anti Israel and pro Russia, however in the past couple of weeks, it seems like the alliance has started to slowly break apart but it’s not fully over yet. We’ll see how it goes in the near future. 

(TC: 00:09:50) 

Aidan Murphy: Wow, okay, that’s a pretty hefty group there. So, for hacktivists I guess this is to get to the differences between the dark web and Telegram then, I guess for them Telegram holds some advantages because what they’re trying to do is publicize the attacks they’re making. If a hacktivist makes an attack and nobody knows about it, it’s less valuable to them, it’s like a tree falling in the woods, but people like the Holy League, if they attack someone for political or geopolitical reasons, they want people to know about it. So, Telegram is a better channel to get that message out there? 

(TC: 00:10:21) 

Vlad: Yes, Telegram is probably the best channel out there, the best means of transmitting this information out there because it has such a large userbase. As I’ve mentioned already, it has close to a billion users and a lot of those are regular users, they’re not really cyber criminals, but they end up in these groups. They end up seeing all this information, which means that the hacktivists advertising this has a large success that they wouldn’t have anywhere else, because other platforms like Facebook for example, they tend to ban this kind of activity. While on Telegram it’s literally free for all, you can do whatever you like, up to a certain point, but hacktivism is usually accepted. 

(TC: 00:11:07) 

Aidan Murphy: Well, let’s get to that certain point then because there was a recent development-, well, two big developments with Telegram that are linked. So, I think just to explain this a little bit, the CEO of Telegram was arrested in August in France, he was later released, but subsequently Telegram updated its privacy policy, probably linked to his arrest, saying that they were making some changes and those include sharing phone numbers and IP with law enforcement when requested. So, this is quite a significant shift because like you say, one of the benefits for threat actors or cyber criminals of using Telegram was this perception that they weren’t going to be handed over. Maybe Vlad, could you explain what’s changed over the Summer on Telegram in terms of the arrest of the CEO? 

(TC: 00:11:49) 

Vlad: Well, that change happened quite recently and we saw an initial wave of threat actors looking to change platforms, or least operate somewhere else as a back up to Telegram, but in the absence of significant law enforcement activity actors remained on Telegram, probably from inertia and comfort or because of Telegram’s unique features that we’ve already talked about. Given the change in the privacy policy, a key example of what one of these changes mean is that IPs will be shared with law enforcement and they will start communicating with the governments more closely, but so far we haven’t seen, like, any real life examples of this happening. So, I understand why the threat actors are not really moving in mass from Telegram, but some of them have started preparing alternative platforms to move in case they really need to do it in the future. 

(TC: 00:12:45) 

Aidan Murphy: My understanding is that another change that the search function was going to be altered to make more problematic content more difficult to find, but from what you’re saying Vlad, at the moment-, so these changes have been, kind of, voiced but we haven’t seen any major changes on the platform, so to speak? 

(TC: 00:13:03) 

Vlad: Exactly, apart from the search function being changed a bit. Yes, we already saw that happening. However, it makes searching within Telegram more difficult. You can’t really find-, for example, you can’t really find the ransomware groups channels anymore, if you search for them. However, threat actors are using the forums to just share the link to it, to share the link to the channel, share the link to groups directly. So, with this, you don’t have to search on Telegram, you can just click on the link on the forums and it will take you directly to the forum. So, you don’t have to use a search function. In a way it’s easily by-passable and as you can see, threat actors already found a way to bypass it. So, it really didn’t change much, but it did change a lot for regular users who don’t have access to the forums. They can’t really find problematic results anymore, but those who are really invested on the platform, who are proper cyber criminals, they will have no problem with accessing the content they like. 

(TC: 00:14:08) 

Aidan Murphy: Okay, interesting, and as you said, so there was a bit of a backlash, maybe that’s putting it mildly, against this, within the cyber criminal world, and you mentioned so, again, there hasn’t really been many examples of arrests or anything so far. So, maybe that actual impact has been delayed, but what are the alternatives out there, I guess, if we did see a migration away from Telegram, if we did start to see some law enforcement action against particular individuals, and it was definitely linked to the Telegram changes in privacy? Where else could these people go? 

(TC: 00:14:42) 

Vlad: Of course Telegram is not the only encrypted messaging platform used by cyber criminals. One of the most popular alternatives is Tox. Tox is a peer to peer protocol, it’s used by threat actors worldwide, but its especially appreciated on Russian speaking forums. While a key distinguishing feature of the platform is that it does not use any central servers and all communication is strictly peer to peer. This also means that the sender and receiver have to be online, to send and receive messages. If one of them is not online, then the message will be basically lost in transition. This tool is often used by ransomware operators, some interesting examples include the support of LockBit, RansomHub, Akira, Qilin, the list goes on. All of these are representatives of the ransomware groups. We can see that they are sometimes using for proper support, for victims, they’re using Tox to purchase initial access from initial access brokers or they’re using it to sell compromised data. So, there’s a lot of reasons why they are using it. Tox is also a reasonably basic app, realistically it’s only being used for one to one conversations. There are no channels, there are no bots, there are no fancy features like Telegram has, but for obvious reasons, threat actors do not use the video calling option. That’s a feature Tox has but obviously no-one is using it. 

(TC: 00:16:15) 

Aidan Murphy: Yes, so it sounds like again, this is on the assumption that people do start to move away from Telegram, or like you say, people already use Tox, but Tox is used for maybe one element, which is this, kind of, back and forth, one to one communication element and it’s encrypted, but it isn’t going to replace for example, a hacktivist channel with thousands of viewers. Because that’s just not how Tox is built, it’s not built for that, kind of, broadcast element I guess? 

(TC: 00:16:40) 

Vlad: Yes, that’s right, but that’s in the present. You never know how in the future it will change, especially that if Telegram does go down in terms of its userbase because of the new privacy policy, maybe developers for Tox and other apps, they’ll start increasing the number of features on their platforms. So, this can be seen as a good starting point to make their platforms even better or even more accessible to cyber criminals, but yes, that’s only speculation at this point in time. We’ll see how it goes. 

(TC: 00:17:14) 

Aidan Murphy: Okay, great. What other apps are there, that people are already using, or could become more popular? 

(TC: 00:17:21) 

Vlad: There’s quite a few, for example Jabber, Jabber is a messaging service based on XMPP. It also requires a client, Pidgin, the most popular one. One thing that I failed to mention for Tox, Tox is also just a protocol, but you need a client to access it. Or the most popular client is qTox for this. 

(TC: 00:17:43) 

Aidan Murphy: Sorry to cut in Vlad, can you just explain to me what a client is? 

(TC: 00:17:45) 

Vlad: The easiest way to compare it in a very, very high level, the client is basically your computer, your end device, while the protocol is the Internet. So, you need a device to access the Internet, the same way you need a client to access the protocol. I’m sure that purists are not going to be 100% accepting my comment, but it’s a really easy to explain this for those who are not very versed in protocols and clients. 

(TC: 00:18:13) 

Aidan Murphy: That’s helpful for me, I can understand it at that level. Sorry, continue? So, you were saying to use Jabber and to use Tox you need a certain client? 

(TC: 00:18:22) 

Vlad: Yes, exactly. Jabber used to be way more popular in the past before Tox and Telegram, but it’s userbase has since declined gradually. We also have to mention that a cryptographic protocol is often used and sometimes enforced by some threat actors when communicating with others. It’s known as off the record, OTR. Jabber is way more popular with old school threat actors and similar to Tox it doesn’t really have many features. It’s mostly used for one to have conversation, just like Tox. 

(TC: 00:18:54) 

Aidan Murphy: Okay, great. I think when you initially talked to me about the changes in privacy going on, on Telegram, you mentioned that some threat actors were talking about transiting to Signal, which is a name I’ve heard. I think it’s a slightly more mainstream app, is that right? 

(TC: 00:19:09) 

Vlad: Yes, in terms of how mainstream it is, it’s easily comparable to Telegram. It’s an encrypted messaging platform that we can all download on our phones, it works right away, you just need a phone number, a valid phone number to register your account, but then you can create a username that you can share with everyone. So, it’s very easy to use but so far I think because of the requirement for a valid phone number, it hasn’t been picked up by many threat actors however. We saw a number of hacktivist groups trying to move their communication from Telegram to Signal, but apart from that we don’t really see that many threat actors using it. There are other alternatives that are more popular than Signal. For example Session, yet another alternative, but this one is fairly new, it was launched in 2020 and it claims to employ a blockchain based de-centralized network for transmission. It uses a 66 digit number as an ID, so there’s no usernames, there’s no phone numbers involved. We saw that it was particularly popular on English speaking forums, such as BreachForums and Cracked. It’s mostly used as a back up for Telegram, rather than a replacement, but many actors shared both their Telegram and Session IDs as contact information. 

(TC: 00:20:27) 

Aidan Murphy: Okay, interesting. I think that’s a really good overview of the landscape. Before I just move on to Dave to talk about some slightly different apps, I’m going to ask you to do something that I know threat intelligence analysts hate to do Vlad, which is to give me your prediction. Do you think Telegram will remain the go-to or do you think we’ll start to see people migrating? 

(TC: 00:20:48) 

Vlad: I think that, as long as Telegram doesn’t get involved really closely with law enforcement and government institutions, and it will just use that privacy policy as a way to keep both parties happy, and we won’t see any actual proper enforcement, we won’t see a large exodus from Telegram, because it’s such a well-built platform. But if we do, the only one that I can think of that would be become really popular is Tox, but as I said, it’s missing so many features that Telegram has. You never know. You never know. If Tox becomes more popular, maybe it’ll make developers implement more features, or maybe there’s going to be a completely new platform coming out, if Telegram really goes down, but only time will tell. 

(TC: 00:21:41) 

Aidan Murphy: Brilliant. Thanks, Vlad, that’s great. So, Dave. So, if we think of, we have Telegram on one end of the spectrum, which is pretty mainstream, very accessible, free to use, anybody can download it. On the other end of the spectrum, we have a different kind of app, I guess, and EncroChat is one really good example of this that I just wanted to, kind of, pick your brains on. So, could you maybe describe for the listeners what EncroChat is or was, as it no longer exists? 

(TC: 00:22:10) 

Dave Osler: Yes, absolutely. So, compared to the apps that Vlad’s just been discussing, EncroChat was actually a physical phone with custom software installed, rather than an application that could be installed on any phone, and for the case of EncroChat, these are actually called carbon units, and they were seen as early as 2016. These carbon units had that custom software installed, but for various different use cases. So, there was actually EncroChat, EncroTalk, and EncroNotes as well, all for different purposes. They were generally modified Android devices, with some models based on the BQ Aquaris X2 phone. Others were based on, you know, more common devices, such as Samsung, and sometimes, on Blackberries, as well. These really differed, because you had the physical phone, and therefor, you were able to actually boot them into two different modes. So, when only the power button was pressed, to turn the handset on, they booted into a dummy Android home-screen, but when the handset was switched on by pressing the power button together with the volume button, the phone actually booted to a secret encrypted partition, which then facilitated that communication by EncroChat’s servers, which were hosted in France. 

(TC: 00:23:20) 

Aidan Murphy: So, some people might know this story, but I really did just want to cover it, because I think it’s just fascinating. It’s like a crime thriller or something. So, we’ve already got a device that, there’s a special way to access it, and it links to, like you say, this encrypted chat. What type of crime took place on the EncroChat? Shall we call it the EncroChat network or EncroChat devices? 

(TC: 00:23:44) 

Dave Osler: I think you can, kind of, use it interchangeably, because, obviously, the devices were used within that EncroChat network. So, these were used for a wide variety of organized crime, and just to give it some context, these phones were very expensive, as well. You know, they’re not like free to downloads, like Telegram is. The device itself would cost around £300, with the software costing around £1,500, and these were often subscriptions as well. So, if you wanted this capability, you were going to have to pay a lot of money for it, so you really needed. You know, it was attracting those people who had money to spend on something that would protect them. 

(TC: 00:24:19) 

Aidan Murphy: It’s funny you say that was quite expensive, because my first reaction to that was, like, ‘Oh, this is pretty cheap.’ I mean, an iPhone is pretty expensive, and then, compared to the types of crime they were doing, it was a relatively cheap service. Not that ‘m advertising it. 

(TC: 00:24:31) 

Dave Osler: I know what you mean, but because it’s that subscription model, you keep paying for that, and you’re not really getting, you know, a phone as most people would class it as a phone. It was so locked down that, really, all you could do was do a very simple communication on it. You couldn’t do the wide plethora of things that we tend to do on our own, you know, personal phones. 

(TC: 00:24:49) 

Aidan Murphy: Yes, I think, sorry, you might’ve already said this, but yes, just to recap for listeners. So, they physically removed the GPS, camera, and microphone functionality, for example. Like, it was really, kind of, just a shell, by the end of it, with this. 

(TC: 00:25:03) 

Dave Osler: Yes, exactly, and that’s part of it, you know? Removing these things, it keeps it simple, and it just ensures that that privacy for that person, they’re not concerned, you know, is part of their phone going to be hacked by an organization? Do they have any vulnerabilities in any of the software they’ve got running? The less you’ve got running on that device, the more secure it is. 

(TC: 00:25:19) 

Aidan Murphy: Yes. Sorry, I side-tracked us. So, what crime took place on EncroChat? 

(TC: 00:25:25) 

Dave Osler: In the case of EncroChat, the French police actually estimated that 90% of the users were engaged with criminal activity, so it really was a high amount. After the police infiltrated the network, Dutch police arrested more than 100 suspects and seized more than eight tonnes of cocaine, 1.2 tonnes of crystal meth. They seized guns, luxury cars, and drug labs as well. So, this goes to show the type of criminality, and on top of that, on 22nd June 2020, the Dutch police also discovered a torture chamber in a warehouse east of Bergen op Zoom. So, apologies to any Dutch people listening to this, for my pronunciation, which was, actually, still under construction, at the time, but included seven cells made out of soundproof shipping containers. So, you know, the people that were on these networks and being investigated were really hardcore criminals. In the UK, actually, an operation called Op Phonetic was set up as the national response by the National Crime Agency. They believed that, in EncroChat, there were over 10,000 users in the UK alone. So, a lot of people, and in the UK, there were over 700 people arrested, and two tonnes of drugs seized, estimated to be worth over £100 million. There was £54 million in cash alone, as well as weapons, including sub-machine guns, hand grenades. There was a factory in Rochester in Kent which had 28 million tablets of etizolam, which is a sedative as well, seized. This really goes to show the sort of people who were operating on this network. 

(TC: 00:26:58) 

Aidan Murphy: Yes. So, this could be maybe even more hard core than Telegram. So, the latest numbers I could find, of the whole, kind of, operation, so these are still relatively old, these are from June 2023, from Europol, and Eurojust, published these together. I’m just going to run through some of these. I know we’re throwing a lot of numbers at the listeners, but I do think the scale of this is quite incredible. 6,500 arrests. €990 million seized or frozen. 30.5 million pills, 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, 3.3.tonnes of heroine, 971 vehicles, 271 estates or homes seized. 923 weapons and 83 boats and 40 planes, which I think is a nice little detail, as well, and that was, I mean, over a year ago, and even when I was looking this up today, I mean, there was an arrest last week, in Lewisham, linked to EncroChat. So, these arrests are still going on, which is quite incredible. So, we should get this. I mean, we should get to this part of the story. Obviously, the reason we know these figures is because something happened to EncroChat. Dave, maybe could you give a little bit of a summary of what went down? 

(TC: 00:28:15) 

Dave Osler: Yes, absolutely. So, the EncroChat devices themselves were really first discovered by French police as early as, you know, 2017, as they were conducting operations against these organized crime groups, and that investigation really accelerated in early 2019, when they received some EU funding, and in January 2020, a judge in Lille, in France, authorized the infiltration of the EncroChat servers. So, by April 2020, police were sat on what they called a data tsunami of over eighteen million messages and images, exchanged between the organized crime groups. Intelligence and technical collaboration between the NCA and the national gendarmerie, the Dutch police, culminated in gaining access to these messages, after the national gendarmerie put what they called a technical tool on EncroChat servers in France. So, they kept it slightly vague, but this malware allowed them to, basically, read the messages before they were sent, record the lock-screen passwords. They estimated that around 50% of the devices in Europe were affected by June 2022. One of the key challenges for this operation was really prioritizing the response to that large amount of information, as well. So, if you think about the collection of all that data, you think that’s great evidence, you know, we can, like, take this into files, we can split it up, we can take our time to really target these actors, but actually, the police also had to manage threats to lives. So, these are known as TTLs, and you have to act on that straight-away. 

So, these TTLs involved targeted shootings, kidnap and torture, and these were, apparently, a daily occurrence in the early stages of the covert phase. They dealt with over 200 of these, meaning that they couldn’t just sit back on this data and process it in slow time, and build up these warrants and intel, and then, make the arrest when they were ready. Their hand was forced to act on some of this information much earlier. 

(TC: 00:30:11) 

Aidan Murphy: Yes, it’s a really interesting insight, isn’t it, into how these massive law enforcement operations work, I think? 

(TC: 00:30:18) 

Dave Osler: I mean, credit to Europol, I think we can all agree, this is quite an incredible operation, but like you say, the amount of data they had then gathered, and how do you sort through that, and work through, kind of, the highest priority crimes? Like you say, people who’s lives were currently at risk. That torture room thing, I think I’ve seen pictures of that, it’s very terrifying, and I think does paint a picture for people, So, yes, a, kind of, very complex law enforcement operation. That was really good. I would recommend people look at the Vice coverage of this, because I think they were one of the main publications who, kind of, were covering EncroChat at the time. A journalist called Joseph Cox, I would recommend reading that, but there is also a very, very interesting telling of how EncroChat discovered that the police had infiltrated the phones, and they sent out this panicked message, trying to get everybody to get rid of their phones, and at the same time, it’s really worth having a read of as well. 

(TC: 00:31:17) 

Aidan Murphy: That’s an example, and as you said, Dave, it’s from a little while ago now, so that was, I mean, the dismantling started in 2020, like I said, I mean, they were still publishing statistics on it lat year, and there still seem to be arrests being made today, probably working through the backlog that Dave mentioned of high-priority crimes, to ones that they can now deal with, but there have been even more recent examples, and I think it’s worth saying, just as Vlad’s laid out,t here are lots of different alternatives to Telegram out there. It’s the same for these more, shall we call them high-end encrypted applications or phones. So, a more recent example, again, we know about this from Europol, is the Ghost platform. Maybe, Dave, can you just explain Ghost and that case? 

(TC: 00:32:00) 

Dave Osler: Ghost was, in many senses, very similar to that EncroChat model, where handsets were, basically, a modified smart phone, with subscriptions costing around $2,350 for six months, including the device. I’ve seen what’s called Ghost phone accounts on Instagram, going back as far as 2015. So, what seems to have been around a long time, and the earliest trace I found of it at all was actually an actor named Devil on the Dread forum, offering access, and that was back in July 2020. Ghost really seemed to gain popularity around 2021, and that’s when it really started reaching a size to come to the attention of law enforcement. 

(TC: 00:32:45) 

Aidan Murphy: Yes, okay, brilliant, and then, the law enforcement operation, this is really recent, so September 2024. Could you give us a little but of an overview of what’s happened here? I mean, again, I think it’s very, very similar to the EncroChat story. 

(TC: 00:32:57) 

Dave Osler: It is very similar. Very similar, sort of, criminals seen acting, or criminal seen on that platform, over 50 suspects arrested. Again, this is not just within a single country, this is across wide geographical areas. There have been arrests in Australia, Ireland, Canada, Italy. In Italy, it was a member of the Mafia arrested, or one of the Mafias within Italy, as well. The Irish police seized €15 million worth of cocaine and a number of devices. It’s really, yes, very similar thread to the EncroChat use case. 

(TC: 00:33:33) 

Aidan Murphy: Yes, and I suspect these initial figures we have of, yes, the seizures, the people arrested, it may be similar to EncroChat, in that this might just be the tip of the iceberg, and we may, as we have with EncroChat get, in three years’ time, this is the total sum of the people that were arrested, right? 

(TC: 00:33:52) 

Dave Osler: Exactly. The police only have so much resource, you know, and when you give them this much information, they just have to prioritize the most important cases first and deal with the rest later. So, just because someone’s not had their, you know, door knocked in today, it doesn’t mean they’re not on a long list and will come up at some point. 

(TC: 00:34:09) 

Aidan Murphy: Something I just, kind of, want to maybe wrap together here is, we’ve talked about this about in the past few podcast episodes, so we do seem to be seeing more police action. I think it applies to both examples, actually, that the more high-end, EncroChat examples, but also, you know, the arrest of the Telegram CEO. It does feel that law enforcement are making waves here. I guess, Dave and Vlad, would you agree with that assessment? 

(TC: 00:34:35) 

Dave Osler: They are, definitely, impacting these. It’s a bit like Whack-A-Mole as, you know, they come up, you hit them back down, and then, another one pops up, and you hit it back down, and I read a really interesting quote from Paul Williamson, who was the UK Silver Commander for the operation on Op Phonetic, which was the EncroChat operation in the UK. So, he said in his words, ‘So, surely now, with the biggest organized crime bust in history, we can expect a major sustained fall in the case of the drug market, drug-related violence, drug-related deaths, exploitation through county lines, and cannabis farms, but history tells us it does not, and never will work like that. My concluding thoughts are, often hidden from sight, the true scale of organized crime, as evidenced in Op Phonetic, should be a concern to us all. As OCGs, or Organized Crime Groups, continue to exploit technology to their advantage, data-enabled investigations will be at the heart of what policing do, and the whole spectrum of law enforcement agencies need to be systematical and agile enough to meet this demand.’ So, you know, in a nutshell, what he’s saying is, this isn’t a one-and-done. You know, this was a big investigation, they had a great outcome, but this work is going to continue. 

(TC: 00:35:44) 

Aidan Murphy: I thought for a second there he was a real optimist, but that quote really took a turn in the middle. 

(TC: 00:35:49) 

Vlad: Yes. I have to agree with Dave on this one. It’s always going to be a game of cat-and-mouse. I would compare this situation with the instant messaging platforms to the situation with cyber crime forums. We know that, a couple of years ago, Right Forums was taken down. It used to be the most used cyber crime forum out there, and it only took a few months to have a copycat of it, known as Bridge Forums. So, one gets taken down, the other one pops ups. That will also be on the market for one, two, or three, or more years, and then, that will also be taken down by law enforcement, and another one will pop up. So, it’s going to be a continuous process of taking site services down, the same with ransomware. Ransomware groups, they sometimes get arrested, they get taken down, and then, after a few months, they come back online with a different name and they’re part of a different affiliator program, and they continue business as usual. It’s really difficult to keep up with them, especially the cyber criminals are spread all over the world. 

(TC: 00:36:57) 

Aidan Murphy: So, we’ve talked about these different level of applications and devices, as Dave ha correctly pointed out. Maybe, Vlad, just to tie it all together, from your perspective, so someone who looks at this, you know, kind of, holistically, how much of a crossover is there between the dark web and these applications? Whether we’re talking about Telegram or Tox or whatever it is? For you, is this, kind of, one big problem for the cyber security and law enforcement community, or are they separate problems? How do you think about it, in your mind? 

(TC: 00:37:32) 

Vlad: Well, it’s very difficult to answer, as I think it also varies with each platform. There are platforms like Tox, for example, that the crossover is quite big. Dark web and Tox, mostly they go hand-in-hand, while Telegram, it’s also, as we discussed already, there is a huge legitimate user-base out there. There are normal people talking about their daily lives and so on. It’s very difficult to answer this with just one short answer. Dark web has always been an ever-changing environment. It really depends on the purpose of each platform. It depends on the developers and how they see their platform. 

(TC: 00:38:16) 

Aidan Murphy: Dave, how about from your perspective, I guess, maybe the same question, and you might have a different perspective, when you’re working with our customers, for example. So, again, cyber security, law enforcement professionals. Do you see this as one combined problem, and the dark web and these kinds of applications, or separate, or how do you look on it? 

(TC: 00:38:36) 

Dave Osler: I think it really differs between the law enforcement customers and the enterprise customers. Law enforcement are looking to identify individuals, they want to know who’s behind these crimes, so they can lock them up. Enterprise want to know, you know, what are the threats posed to my business? who’s the adversary? What are their capabilities? What are they targeting in my infrastructure? You know, what are their skill-sets? So, I think it’s two very different problems. So, for enterprise, you know, you need to be able to see this information, or much as possible, to make those assessments and understand that. For law enforcement, it’s that next level of having to breakthrough that encryption, where it is in place, and understand who’s operating behind these devices, so that those arrests can actually be made. So, you know, it’s two very different problems for our enterprise versus law enforcement customers. 

(TC: 00:39:28) 

Aidan Murphy: Yes, that makes sense. I guess, Vlad, another way I’m throwing at the question at you is that, so, for example, as a threat intelligence analyst, if you’re working in an organization and you only have the view of the dark web, or you only have the view of Telegram, is that an incomplete view? Do you need both to fully understand the cyber crime landscape? 

(TC: 00:39:49) 

Vlad: Yes, you need both, but it really depends on your attacked service. For some institutions, for some enterprises out there, the cyber crime forum (TC 00:40:00) environment should be enough for you to get a good idea of who’s targeting you and how, while for others, Telegram is really necessary, and as an example, I would say, for banks, for example. Banks really need both of them, because a lot of threat actors are selling compromised user accounts on Telegram. There are other initial access brokers who are selling access to banks on the forums. So, obviously, you need both. For other smaller companies, for, I don’t know, let’s say a manufacturing company, that doesn’t really have a user base, they just have their network that can be attacked, then monitoring cyber crime on forums only should be sufficient to keep themselves secure. 

(TC: 00:40:47) 

Aidan Murphy: Okay, brilliant. So, it really depends on what kind of cyber crime you’re worried about and the profile of your own organization, to assess which sources that you need to be monitoring.

(TC: 00:40:56) 

Vlad: Exactly. 

(TC: 00:40:57) 

Aidan Murphy: Brilliant. Well, thank you, both. I think that’s a good note to draw a line under this episode of The Dark Dive. A big thank you to Dave and Vlad for joining me. If you have a topic you’d like us to discuss on the podcast, please feel free to get in touch through the email address or social media accounts in the show notes, and if you can’t wait to find out more, remember you can follow us for free on Apple Podcast, Spotify, YouTube, or whatever podcast app you use, and get all of the episodes of The Dark Dive as soon as they’re released. Until next time, stay safe. 

[Read more]