EncroChat: Deciphering of the End-to-End Encryption Service Used by Criminals

On 2 July, at a joint Europol and Eurojust press conference, the French Gendarmerie and the Dutch police announced that they had put an end to criminal networks by « neutralising » the end-to-end encryption of the EncroChat telephone network used by the latter. Beyond the technical prowess, this action led to the arrest of several hundred French, Dutch and British citizens, the seizure of drugs (more than 8,000 kilos of cocaine and 1,200 kilos of methamphetamine), the dismantling of 19 synthetic drug laboratories, the seizure of dozens of automatic weapons, of luxury watches, of 25 cars (some with hidden compartments), and of nearly 20 million euros in cash. More than 300 investigations could also be affected by rebound effect, including in Spain, Germany, and Norway,. If the result is impressive, it is the investigative technique that deserves special attention.

EncroChat is a Dutch company that offers encrypted telephone services for a subscription fee of more than 2,000 euros a year. It has about 60,000 clients, of which 90% related to criminal circles. The changes made by the company to the BQ Aquaris X2 smartphones are intended to prevent traceability of conversations and allow data to be erased in the event of an « emergency ». EncroChat’s intentions are clear in terms of the customers served and the alert messages sent to warn users of an intervention by government authorities.

The French Gendarmerie was entrusted with the case, since the company serves its global customers from the Lille region, in France. A « technical device » (covered by secrecy) has been designed to intercept and understand EncroChat’s secure telephone conversations, making it possible to capture more than one hundred million messages exchanged among criminal groups. The research work (CEREBUS project), carried out by the SCRC (Central Criminal Intelligence Service) and the INL (Electronic Informatics Department) of the IRCGN (Criminal Research Institute of the French Gendarmerie), was facilitated by European funding.

Several lessons can be learned from this exemplary investigation:

• Organised criminality uses all digital means, including the most sophisticated ones. Investigations in the digital space are now at the heart of investigators’ professional practices. Digital evidence has now become the « queen of evidence »;
• European cooperation is a reality manifested through the common investigation teams coordinated by Eurojust and provided for in Article 13 of the Convention on Mutual Assistance in Criminal Matters (29 May 2000) and in the contribution to the funding of technical research. If there is one area that should temper the ardour of the Eurosceptics, it certainly is cooperation and collaboration in the fight against cybercrime;
• End-to-end encryption is usually presented as an obstacle to digital investigations; in the present case, it is demonstrated that the best countermeasure lies in the scientific and technical competence of the investigators. The French Gendarmerie has made a strategic choice and is now reaping the benefits of it. After having dismantled the disturbing Retadup botnet (in summer 2019), it offers a new illustration of its know-how. The increase in « scientific » recruitment, in particular at the EOGN (Officer’s Training Academy), heralds an acceleration in the transformation of this military institution charged with a security mission.

EncroChat will certainly be at the heart of the debates at the FIC 2021, as a living example of « collective and collaborative » cybersecurity!