Jump to content

Operation Trojan Shield

From Wikipedia, the free encyclopedia

Operation Trojan Shield
Part of Operation Ironside

  
ANOM app logo (top), the seal of the FBI's Operation Trojan Shield (bottom left), and the logo of the AFP's Operation Ironside (bottom right)
Operation NameOperation Trojan Shield
part ofOperation Ironside
Roster
Planned byU.S. Federal Bureau of Investigation, United States Attorney's Office for the Southern District of California, Europol, Australian Federal Police, and others
Executed byUnited States, Australia, Europol+
Countries ParticipatedSweden, United States, Australia, United Kingdom, New Zealand, Germany, Netherlands,
# of Countries Participated16
Mission
Targetorganized criminal networks that use encrypted communication devices
ObjectiveSurveillance of criminal activity
MethodHoneypot communication device with security backdoor
Timeline
Date begin2018
Date end2021
Date executed
  • October 2018 (initial device distribution)
  • 8 June 2021 (search warrant execution)
Results
SuspectsGermany:150
Arrests1,119+
  • Europol:800+
  • Australia:224
  • New Zealand:35
  • Germany:60+
Miscellaneous Results
  • 40 tons of drugs (over eight tons of cocaine, 22 tons of cannabis and cannabis resin, six tons of synthetic drug precursors, two tons of synthetic drugs), 250 guns, 55 luxury cars,;[1] more than $48 million in various currencies and cryptocurrencies.
  • Australia: 104 Firearms, 45 Million AUD
  • New Zealand: $3.7 million in assets, including 14 vehicles, drugs, firearms and more than $1 million in cash.[2][3]
Accounting

Operation Trojan Shield (stylized TRØJAN SHIELD), part of Operation Ironside, was a collaboration by law enforcement agencies from several countries, running between 2018 and 2021. It was a sting operation that intercepted millions of messages sent through the supposedly secure smartphone-based proprietary messaging app ANOM (also stylized as AN0M or ΛNØM). The ANOM service was widely used by criminals, but instead of providing secure communication, it was actually a trojan horse covertly distributed by the United States Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP), enabling them to monitor all communications. Through collaboration with other law enforcement agencies worldwide, the operation resulted in the arrest of over 800 suspects allegedly involved in criminal activity in 16 countries. Among the arrested people were alleged members of Australian-based Italian mafia, Albanian organised crime, outlaw motorcycle clubs, drug syndicates and other organised crime groups.

Background

[edit]

An investigation into a Canadian secure messaging company called Phantom Secure was initiated in 2017. The FBI alleges that the investigation revealed that Phantom Secure sold its encrypted devices exclusively to members of transnational criminal organizations (TCO). Hardened encrypted devices provide an "impenetrable shield against law enforcement surveillance” and are in high demand by TCOs, thus the shutdown of Phantom Secure in March 2018 left a vacuum for TCOs in need of an alternative system for secure communication.

Around the same time, the San Diego FBI branch had been working with a person who had been developing a "next-generation" encrypted device for use by criminal networks. The person was facing charges and cooperated with the FBI in exchange for a reduced sentence. The person offered to develop ANOM and then use his contacts to distribute it to TCOs through existing networks.[4][5] Before the devices were put to use, however, the FBI, and the AFP had a backdoor built into the communication platform which allowed law enforcement agencies to decrypt and store the messages as the messages were transmitted. The first communication devices with ANOM were offered by this informant to three former distributors of Phantom Secure in October 2018.[6]

The FBI named the operation "Trojan Shield",[7] and the AFP named it "Ironside".[8] Europol set up the Operational Task Force Greenlight.[9]

Distribution and usage

[edit]
ANOM app screenshot

The ANOM devices consisted of a messaging app running on Android smartphones with a custom ROM called ArcaneOS that had been specially modified to disable normal functions such as voice telephony, email, or location services, and with the addition of PIN entry screen scrambling to randomise the layout of the numbers, the deletion of all information on the phone if a specific PIN is entered, and the option for the automatic deletion of all information if unused for a specific period of time.[10]

The app was opened by entering a specific calculation within the calculator app, described by the developer of GrapheneOS as "quite amusing security theater",[10] where the messaging app then communicated with other devices via supposedly secure proxy servers, which also – unbeknownst to the app's users – copied all sent messages to servers controlled by the FBI. The FBI could then decrypt the messages with a private key associated with the message, without ever needing physical access to the devices.[5][11] The devices also had a fixed identification number assigned to each user, allowing messages from the same user to be connected to each other.[11]

About 50 devices were distributed in Australia for beta testing from October 2018. The intercepted communications showed that every device was used for criminal activities, primarily being used by organised criminal gangs.[5] About 125 devices were shipped to different drop-off points to the United States in 2020.[12]

Use of the app spread through word of mouth,[5] and was also encouraged by undercover agents;[13] drug trafficker Hakan Ayik was identified "as someone who was trusted and was going to be able to successfully distribute this platform", and without his knowledge was encouraged by undercover agents to use and sell the devices on the black market, further expanding its use.[13][14] After users of the devices requested smaller and newer phones, new devices were designed and sold; customer service and technical assistance was also provided by the company.[6][10] The most commonly used languages on the app were Dutch, German and Swedish.[15]

After a slow start, the rate of distribution of ANOM increased from mid-2019. By October 2019, there were several hundred users. By May 2021, there had been 11,800 devices with ANOM installed, of which about 9,000 were in use. New Zealand had 57 users of the ANOM communication system.[3] The Swedish Police had access to conversations from 1,600 users, of which they focused their surveillance on 600 users.[16] Europol stated 27 million messages were collected from ANOM devices across over 100 countries.[17]

Some skepticism of the app did exist; one WordPress blog post in March 2021 called the app a scam.[18][19][5]

Law enforcement operational methodology

[edit]

The following is alleged by the FBI:

2018

[edit]

The "backdoor" built by the FBI into the system by design would send an additional encrypted copy of each message sent by the ANOM users to a third party server referred to by the FBI as an "iBot" server. Fourth amendment interpretations endangered the project if the iBot servers were located in the U.S. and so the servers necessarily were located outside U.S. borders. The first server would decrypt the copied message, process the information in the message (GPS location, text, username/Jabber-ID, password etc.) and then re-encrypt it to send it to a second "FBI-owned" iBot server (iBot2).

2019

[edit]

Because the FBI could not own the first iBot node, nor were they permitted to receive any of the seized information about U.S. citizens, they contracted with the AFP to run the first node of the server and process the data. (Australian law does not provide the same protections as U.S. law for its citizens.) Controversially the AFP did share "general" information about conversations from the ANOM messages with the FBI during this time period despite Australia’s judicial order to intercept ANOM communications did not allow for the sharing of the content with foreign partners.

Summer 2019

[edit]

Allegedly, the FBI officially had not reviewed any of the ANOM decrypted content yet by the summer of 2019. As a method of getting around the Australian court order, the FBI needed to secure a mutual legal assistance treaty (MLAT) request with a third country where the transfer of information would be legal pursuant to their national laws. While much work was done to keep the identity of the third country secret, its identity was discovered by the press as Lithuania in 2023.[20]

The FBI worked with Lithuania through the Autumn of 2019. However, the FBI alleges that the iBots had geo-fenced all messages that originated from the U.S., to prevent the FBI-owned iBot2 server from inadvertently seizing messages in violation of the Fourth Amendment.

7 October 2019 - 7 January 2020

[edit]

Lithuania created an iBOT copy (iBot3) of the FBI-owned iBOT2 server and began receiving content from the iBOT2 server every 2–3 days.

Post 7 January 2020

[edit]

A newer MLAT and court order from Lithuania allowed the FBI to receive ANOM user data every Monday, Wednesday and Friday until 7 June 2021. This encompasses all data ever generated by any ANOM user with the alleged exception of 15 (or 17) users that originated from phones in the U.S.

Arrests and reactions

[edit]
displays FBI and AFP graphics, a "Trojan Shield" graphic and a "This domain has been seized" notice, with a form inviting visitors "To determine if your account is associated with an ongoing investigation, please enter any device details below"
ANOM website screenshot, 10 June 2021

The sting operation culminated in search warrants that were executed simultaneously around the globe on 8 June 2021.[3] It is not entirely clear why this date was chosen, but news organisations have speculated it might be related to a warrant for server access expiring on 7 June.[5] The background to the sting operation and its transnational nature was revealed following the execution of the search warrants. Over 800 people were arrested in 16 countries.[21][22][1] Among the arrested people were alleged members of Australian-based Italian mafia, Albanian organised crime, outlaw motorcycle gangs, drug syndicates and other crime groups.[21][8][23] In the European Union, arrests were coordinated through Europol.[24] Arrests were also made in the United Kingdom, although the National Crime Agency was unwilling to provide details about the number arrested.[25]

The seized evidence included almost 40 tons of drugs (over eight tons of cocaine, 22 tons of cannabis and cannabis resin, six tons of synthetic drug precursors, two tons of synthetic drugs), 250 guns, 55 luxury cars,[1] and more than $48 million in various currencies and cryptocurrencies. In Australia, 224 people were arrested on 526 total charges.[23] In New Zealand, 35 people were arrested and faced a total of 900 charges. Police seized $3.7 million in assets, including 14 vehicles, drugs, firearms and more than $1 million in cash.[2][3]

Over the course of the three years, more than 9,000 police officers across 18 countries were involved in the sting operation. Australian Prime Minister Scott Morrison said that the sting operation had "struck a heavy blow against organised crime". Europol described it as the "biggest ever law enforcement operation against encrypted communication".[21]

In 2022, Motherboard journalist Joseph Cox published documents stating that the FBI obtained message data through the cooperation of an unnamed country within the European Union.[26]

Australia

[edit]

About 50 of the devices had been sold in Australia. Australian Federal Police arrested 224 suspects and seized 104 firearms and confiscated cash and possessions valued at more than 45 million AUD.[27]

Germany

[edit]

In Germany, the majority of the police activity was in the state of Hesse where 60 of the 70 nationwide suspects were arrested.[28] Police searched 150 locations and in many cases under suspicion of drug trafficking.[29]

Netherlands

[edit]

In the Netherlands, 49 people were arrested by Dutch National Police while they investigated 25 drug production facilities and narcotics caches. Police also seized eight firearms, large supplies of narcotics and more than 2.3 million euros.[15]

Sweden

[edit]

In Sweden, 155 people were arrested as part of the operation.[16] According to police in Sweden which received intelligence from the FBI, during an early phase of the operation it was discovered that many of the suspects were in Sweden. Linda Staaf, head of the Swedish police's intelligence activities, said that the suspects in Sweden had a higher rate of violent crime than the other countries.[30]

United States

[edit]
Press conference announcing the Operation Trojan Shield arrests

The first search warrants were granted by judges in May 2021. Initially, no arrests were made in the United States because of 4th amendment interpretations that prevented law enforcement from collecting messages from domestic subjects.[31] However, the United States Department of Justice indicted seventeen persons (all foreign nationals, see court dockets here) under the Racketeer Influenced and Corrupt Organizations Act for their participation in "the ANOM enterprise" which spread the devices.[32]

[edit]

As of April 2023, multiple court cases have been brought in Australia to challenge the legitimacy of the ANOM sting operation. A judgment in one of the cases before the Supreme Court of South Australia has ruled in favor of the police,[33] although that judgment has, since November 2023, been appealed.[34]

See also

[edit]
  • EncroChat – a network infiltrated by law enforcement to investigate organized crime in Europe
  • Ennetcom – a network seized by Dutch authorities, who used it to make arrests
  • Sky Global – a communications network and service provider based in Vancouver, Canada

References

[edit]
  1. ^ a b c Svetlova, Anna (8 June 2021). Европол задержал более 800 преступников в рамках международной операции [Europol detained over 800 criminals as part of an international operation] (in Russian). Gazeta.ru. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  2. ^ a b Corder, Mike; Perry, Nick (8 June 2021). "FBI-encrypted app hailed as a 'shining example' of collaboration between world cops for tricking gangs". Stuff. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  3. ^ a b c d "Anom: The app at the heart of the FBI's major transnational sting". The New Zealand Herald. 8 June 2021. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  4. ^ Corder, Mike; Perry, Nick; Spagat, Elliot (8 June 2021). "Global sting began by creating message service for crooks". AP NEWS. Archived from the original on 8 June 2021. Retrieved 6 April 2023.
  5. ^ a b c d e f "ANOM global phone sting: What we know". Raidió Teilifís Éireann. Agence France-Presse. 8 June 2021. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  6. ^ a b Zhuang, Yan; Peltier, Elian; Feuer, Alan (8 June 2021). "The Criminals Thought the Devices Were Secure. But the Seller Was the F.B.I." The New York Times. ISSN 0362-4331. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  7. ^ Harding, Luke (8 June 2021). "Hundreds arrested in global crime sting after underworld app is hacked". The Guardian. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  8. ^ a b Westcott, Ben. "FBI and Australian Federal Police encrypted app trap ensnares hundreds of criminal suspects". CNN. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  9. ^ Europol on Twitter
  10. ^ a b c Cox, Joseph (8 July 2021). "We Got the Phone the FBI Secretly Sold to Criminals". Vice. Retrieved 8 July 2021.
  11. ^ a b Robertson, Adi (8 June 2021). "The FBI secretly launched an encrypted messaging system for criminals". The Verge. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  12. ^ Cox, Joseph (12 January 2022). "FBI Honeypot Phone Company Anom Shipped Over 100 Phones to the United States". Vice. Retrieved 12 January 2022.
  13. ^ a b Taouk, Maryanne (8 June 2021). "Underworld figure Hakan Ayik unwittingly helped Operation Ironside, the AFP's biggest criminal sting". Australian Broadcasting Corporation. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  14. ^ "Hakan Ayik: The man who accidentally helped FBI get in criminals' pockets". BBC News. 8 June 2021. Archived from the original on 8 June 2021. Retrieved 8 June 2021.
  15. ^ a b "49 NL arrests in international 'encrypted phones' operation". NL Times. 8 June 2021. Retrieved 10 June 2021.
  16. ^ a b Smed, Akvelina (8 June 2021). "155 tungt kriminella gripna i Sverige i stor insats" [155 serious criminals arrested in Sweden in large operation]. SVT Nyheter (in Swedish). Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  17. ^ Chappell, Bill (8 June 2021). "Drug Rings' Favorite New Encrypted Platform Had One Flaw: The FBI Controlled It". NPR. NPR. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  18. ^ "ANOM Encrypted Scam Exposed". ANOM Exposed. Archived from the original on 10 June 2021. Retrieved 13 June 2021.
  19. ^ "Anom Encrypted App Analysis". 9 June 2021. Archived from the original on 9 June 2021. Retrieved 9 June 2021.
  20. ^ Cox ·, Joseph (11 September 2023). "Revealed: The Country that Secretly Wiretapped the World for the FBI". 404 Media.
  21. ^ a b c "ANOM: Hundreds arrested in massive global crime sting". BBC News. 8 June 2021. Archived from the original on 8 June 2021. Retrieved 8 June 2021.
  22. ^ Cox, Joseph (8 June 2021). "Trojan Shield: How the FBI Secretly Ran a Phone Network for Criminals". Vice. Archived from the original on 8 June 2021. Retrieved 8 June 2021.
  23. ^ a b "AFP-led Operation Ironside smashes organised crime" (Press release). Australian Federal Police. 8 June 2021. Archived from the original on 8 June 2021. Retrieved 8 June 2021.
  24. ^ "Trojan Shield: Europol details massive organized crime sting". Deutsche Welle. 8 June 2021. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  25. ^ Davis, Margaret. "UK criminals among those duped into using secret message service run by the FBI". Belfast Telegraph. ISSN 0307-1235. Archived from the original on 9 June 2021. Retrieved 8 June 2021.
  26. ^ Cox, Joseph (3 June 2022). "A European Country Helped the FBI Intercept Anom Messages, But It Wants to Remain Hidden". Vice. Retrieved 3 June 2022.
  27. ^ "Checks and balances needed for new police surveillance powers". The Sydney Morning Herald. 9 June 2021. Retrieved 11 June 2021.
  28. ^ "Nach Europol-Razzia: Verdächtige in Untersuchungshaft" [After Europol raid: Suspects in custody]. Die Welt (in German). 9 June 2021. Retrieved 10 June 2021.
  29. ^ "Nach Europol-Razzia: Dutzende Beschuldigte in Deutschland" [After Europol raid: dozens of suspects in Germany]. saarbruecker-zeitung.de (in German). 9 June 2021. Retrieved 10 June 2021.
  30. ^ Smed, Akvelina; Jönsson, Oskar; Boati, David (8 June 2021). "Underrättelsechefen: 'Sveriges användare stack ut'" [The head of intelligence: 'Sweden's users stood out']. SVT Nyheter (in Swedish). Archived from the original on 10 June 2021. Retrieved 9 June 2021.
  31. ^ Malone, Ursula (14 June 2021). "The FBI played a huge role in Operation Ironside but haven't made a single arrest – here's why". ABC News. Retrieved 15 June 2021.
  32. ^ Cox, Joseph (9 June 2021). "DOJ Charges Criminal 'Influencers' Who Worked for FBI's Honeypot Phone Company". Vice. Retrieved 23 May 2022.
  33. ^ "Why accused criminals are challenging evidence from one of the world's biggest police stings". ABC News. 17 April 2023. Retrieved 18 April 2023.
  34. ^ Mott, Mitch (17 November 2023). "The argument that could bring Operation Ironside tumbling down". The Courier-Mail.
[edit]
  • ANOM.io - Domain Seized - as of 8 June 2021, this displays FBI and AFP graphics, a "Trojan Shield" graphic and a "This domain has been seized" notice, with a form inviting visitors "To determine if your account is associated with an ongoing investigation, please enter any device details below"

Now as of October 1st 2024 the ANOM.io website does not contain information of operation Ironside.