ra2 studio - stock.adobe.com

Police crack world’s largest cryptophone network as criminals swap EncroChat for Sky ECC

Belgian and Dutch police have breached the encryption of users of Sky ECC, the world’s largest cryptophone network. There are significant parallels with the international police operation against the EncroChat cryptophone network which led to hundreds of arrests

When the French gendarmerie, Dutch police and the UK’s National Crime Agency (NCA) infiltrated the EncroChat encrypted phone network last summer, organised crime groups around the world opted to switch to a new phone supplier.

That supplier was Sky ECC, now the largest supplier of crypto communications worldwide, with 70,000 customers.

Sky ECC bills itself as the “most secure messaging platform you can buy” and is so confident of the impregnability of its systems that it offers a handsome reward for anyone who can break the encryption of one of its phones.

But in a re-run of last year’s French and Dutch operation against the EncroChat encrypted phone network, Belgian and Dutch police were able to infiltrate the platform and harvest hundreds of thousands of supposedly unbreakable messages.

They have shared the intercepted material with a “large number” of overseas investigations services after reading encrypted traffic “live”.

The NCA, which played a key role in disrupting EncroChat working with the Dutch police and the French gendarmerie, has yet to comment on whether it has benefited from intelligence from the Sky operation.

Sky ECC said in a statement last night that allegations that the Belgian and Dutch authorities had cracked the company’s communications software were “false” and that its service had been restored after an outage.

The company said its distributors had alerted it that a fake phishing application, branded Sky Ecc, had been loaded into insecure phones and sold through unauthorised channels.

“Sky ECC did not authorise or cooperate with the investigative authorities or those involved with the distribution of the fake phishing application,” said the company.

News of the attack broke on 9 March 2021 causing panic for encrypted phone users around the world as Dutch police took down and seized a Sky ECC server.

More than 1,600 Belgian police officers, in some cases accompanied by Belgian special forces, took part in simultaneous raids between 5am and 11am yesterday on 200 homes, arresting 48 suspects.

Those detained included three lawyers in Antwerp who were using Sky ECC cryptophones, according to Dutch broadcaster HLN.

Dutch police raided 75 homes and arrested more than 30 people, recovering at least 28 firearms from raids on suspected drug dealers in Rotterdam.

The haul included €1.2m in cash, along with diamonds and jewellery, eight luxury vehicles, 14 weapons, three cash machines and police uniforms.

Belgian prosecutors initially refused to confirm or deny that Sky ECC had been breached, but later confirmed at a press conference that police had obtained a datawarehouse full of supposedly secure messages from the network.

Sky ECC resellers told customers that the network had not been compromised, claiming that people had distributed a fake version of the Sky software on unauthorised phones – putting some users at risk.

Not many people believe this message as it seems rather convenient as an excuse,” one source told Computer Weekly. “It’s looking too late for their company as lots of these phones will have gone down the drain first thing this morning.”

Planning started over two years ago

Eric Van Duyse, spokesman for the Belgian Federal Prosecutor’s Office, described the operation – overseen by an investigating judge in the city of Menchlen – as the largest police investigation ever undertaken in the country.

Belgian police said they took action after cryptophones were being used in increasing numbers by criminal groups.

Some 185 encrypted phones have been recovered in police operations across the country, many of which were fitted with Sky ECC encryption software.

The operation against Sky ECC was given the go-ahead by Belgian prosecutors last year, after two and a half years of planning.

The attack mirrored the French and Dutch infiltration of EncroChat last year by conducting a two-stage attack on the network.

In the first phase, police intercepted and stored encrypted communications from the Sky ECC network, while experts worked out how to decrypt them.

In the second phase, which lasted three weeks, police were able to read “live” data sent across the Sky ECC network.

Parallels with EncroChat

The UK’s NCA uses a European investigation order to collaborate with a joint investigation team run by the French and Dutch police, in its operation to penetrate the EncroChat phone network last year.

The French gendarmerie, which led the investigation, passed on the Europol packages of messages extracted from EncroChat phones, which it assembled into UK-specific packages and passed on to the NCA.

The NCA drew on support from 10 regional and organised crime units and the Metropolitan Police to make more than 1,000 arrests, seize £55m in cash, firearms and two tonnes of drugs.

The UK side of the EncroChat operation, codenamed Venetic, has proved controversial because of UK laws that, uniquely, prevent intercept evidence being used in criminal proceedings.

On 6 February, however, three Court of Appeal judges found that the messages gathered by French and Dutch investigators and passed to the NCA were lawfully obtained through “equipment interference” while they were held in the phones’ memory, rather than through “interception” of messages while they were being transmitted.

Dutch police said in a statement yesterday that following its operation against Encrochat – codenamed Lemont – investigators were able to read “live” communications of a large number of criminals using EncroChat phones.

“Many EncroChat users switched to Sky ECC last year,” said police. “The company is now the largest provider of crypto communication worldwide, with 70,000 users.”

International collaboration

Decrypting the messages required international cooperation through research and collaboration between encryption experts, Belgian federal prosecutor Frédéric Van Leeuw said last night.

With over three million messages sent every day worldwide across Sky ECC, investigators said they had to prioritise.“The highest priority was messages that showed possible danger to life,” said Van Leeuw.

Belgium’s federal judicial police set up command posts in Brussels and Antwerp to respond rapidly if decrypted messages revealed an urgent threat to life.

Investigators also attempted to identify selected users and to identify criminal activity by analysing the content of their messages.

Police have stored and examined “hundreds of millions” of messages from Sky ECC phones in a data warehouse as part of its anti-drugs operation.

“The information obtained is expected to have an impact on organised crime in the near future,” police said. “The information is also shared with a large number of foreign investigation services.”

According to Belgian prosecutors, there are more than 70,000 active Sky ECC devices worldwide, mainly in Europe, North America, Central America, particularly Colombia and the Middle East.

Van Leeuw said it is notable that about 25% of the active users of these devices are based in Belgium, which has 6,000 users, and in the Netherlands, which has more than 11,000 users.

The phones are most widely used around the port of Antwerp – an important destination for drugs crime.

Sky phones claimed to be most secure available

Sky ECC, which operates from Canada and the US, brands itself as the “most secure messaging platform you can buy”.

The company is so sure of its unbeatable security that it offered a $5m prize for anyone who could hack one of its phones within 90 days.

Its website presents a series of case studies promoting the value of encrypted phone to lawyers, universities, medical organisations, company executives, and to journalists as a tool for protecting confidential sources.

It supplies phones that offer self-destructing messages, secure audio messages, a secure encrypted vault, and an app that in “stealth mode” can disguise itself as a calculator.

Modified phones, which are available in Android, Blackberry and iOS, can be bought online or through “authorised partners” for between €900 and €2,000, depending on model.

The company says it stores the Sky ECC app in a secure container on the phone, which protects it from malware, such as keyloggers or snooping tools, such as the widely used Pegasus spyware supplied by Israeli firm NSO Group.

All messages are encrypted using 512-bit elliptical curve cryptography, while network connections are secured by 2,048-bit SSL encryption.

One of the company’s selling points is that it does not store encrypted messages on its servers.

It says: “If your contact isn’t reachable (for example if their device is off), we hold the encrypted message for up to 48 hours, then delete it. If they don’t read it in that time frame, the message cannot be retrieved.”

Sky ECC was founded in 2008 and lists its CEO and founder as Jean-François Eap. As well as offering secure mobile phones, the company promotes Moola, a secure app that allows people to buy, store and save gift cards

Sky ECC: ‘We prohibit criminal activity’

The company said in a statement last night that it firmly denies any allegation that it is the “platform of choice for criminals” and has a strict zero-tolerance policy that prohibits any criminal activity on its platforms. “Any accounts used for criminal activity are immediately deactivated,” it said.

Sky ECC said it was “actively investigating and pursuing legal action against the offending individuals for impersonation, false lights, trademark infringement, injurious falsehood, defamation and fraud”.

The company said its service experienced temporary interruptions in connection with its servers on 8 March 2021 from 4am to 12 noon GMT, but services were now back to normal.

Aim was to dismantle Sky ECC

Belgian investigators said their main purpose was to take down the Sky ECC infrastructure, dismantle it and confiscate the criminal proceeds of Sky ECC resellers.

“In the next weeks and months, several new cases will be opened or new charges will be brought to existing cases,” prosecutors said yesterday.

“Several new criminal acts have been uncovered in the chat messages in the Sky ECC telephones that have been found.”

Van Leeuw said investigators had intercepted about one million encrypted messages, half of which have been decrypted.

The decrypted messages gave “a much clearer understanding of the inner workings of the criminal organisations, their global character, unlimited financial means, their unscrupulousness and their aggressiveness”, he said.

The case started out in Belgium’s federal justice department in Antwerp, but other judicial departments were brought in because of the complexity of the investigation, including Belgium’s centre for cyber security.

Investigators attempted to show that Sky ECC phones were exclusively used for criminal communications and that Sky ECC was aware that was the case.

The Belgian investigation team has made an urgent appeal to everyone who owns a Sky ECC phone and who uses it for legal purposes to report it to the federal judiciary of Antwerp as soon as possible.

Dutch investigators said several hundred police officers who have been on standby in recent months have now been deployed to follow up on the intercepted messages.

Big data was key to investigation

Eric Snoeck, the Brussels-based director general of the federal judicial police, said the police had put an end to the activities of a telecoms company suspected to be involved in the world drugs trade.

The international criminal organisations that we fight on a daily basis make use of extremely complex digital processes,” he said. “These pose great technical and technological challenges for us. The big data that is generated by new technologies require more expertise in data management and intelligence.”

Yve Driesen, judicial director of the federal judicial police, said the investigation had provided a glimpse into the parallel criminal economy.

“In the criminal world in Antwerp, we have seen criminals that manage multiple shipments of drugs simultaneously – tonnes of cocaine at a time,” he said.

Dutch to English translations by Edda Killian

Read more on Network security strategy

Data Center
Data Management