Europol provides detail on Ghost encrypted comms platform takedown

Law enforcement bodies from across the world have revealed how they collaborated to bring down encrypted network Ghost and the new ways of working that have been established with Europol at the centre

This article can also be found in the Premium Editorial Download: CW EMEA: Legally bionic

A Europol official says the pan-European law enforcement agency is now the “go-to place” for international police investigations into the use of encryption services by criminal networks, following the takedown of the Ghost encrypted communications platform.

A three-year international police investigation into the end-to-end encrypted messaging service Ghost has culminated in police raiding and arresting a number of its users involved in organised crime, including 38 in Australia, 11 in Ireland, one in Canada and one in Italy.

One of those arrested in Australia was a 32-year-old man who is alleged to be the administrator of the Ghost service. He has been charged with five offences, which include supporting a criminal organisation, dealing with the proceeds of a criminal offence, and dealing in information to commit fraud.

The Ghost takedown is the latest police operation targeting encrypted messaging services, following previous successful efforts to penetrate the EncroChat and Sky ECC encrypted phone networks in 2020, and the FBI-run Anom (also known as An0m), which was supplied to criminal gangs in a sting operation until 2021.

At a press conference held by Europol, Eurojust and law enforcement authorities from nine different countries involved in the Ghost investigation – which also included France, Iceland, Italy, the Netherlands, Sweden and the US – investigators provided a high-level breakdown of the operation and how it was conducted.

“This operation represents over three years of hard work … to dismantle a tool that was a lifeline for serious and organised crime,” said Jean-Philippe Lecouffe, deputy executive director of operations at Europol. “Picture this: servers hidden away in France and Iceland, company owners on opposite ends of the globe in Australia, and financial trails leading straight to the United States. This was a truly global game of cat and mouse, and today, the game is up.”

He added: “We are sending a clear message: no matter how sophisticated the technology, no matter how well hidden the platform, we will bring it down. This is not our first takedown, and you can be sure that it is not the last.”

Commenting on Europol’s central role in the investigation, Lecouffe remarked that it has built on the successes and lessons learned from its previous takedowns of the EncroChat and Sky ECC networks, noting: “We have been down this road before. Europol has become the go-to place for international law enforcement cooperation when it comes to taking down criminal encrypted platforms.”

He added that, by drawing on the technical expertise and capabilities of the different partners involved, they were together able to map out “the entire global infrastructure of this criminal network”, identifying key suppliers and users, as well as coordinating the takedown actions across 40 operational meetings.

According to a Europol press release, the organisation also had experts with specialised technical skills deployed in Iceland, Ireland and Australia. Further technical resources and developments were then provided by the Internal Security Fund’s (ISF) Project Overclock, which is funded by the European Commission and administered by the French Ministry of the Interior.

According to the webpage of the project, Overclock aims to achieve live encrypted network access “by exploring recent network protocols and by targeting server-side solutions that are identified as proven backbones of criminal networks’ infrastructures”.

Bertrand Michel, deputy head of the French Gendarmerie’s National Cyber Unit, told the press conference that the technical resources from Project Overclock assisted with every aspect of the investigation, but most notably in terms of “decryption advanced skills”.

He added: “Thanks to their expertise, we were able to intercept, retrieve and ultimately share data exchanged by criminal users on the Ghost platform with our Operational Task Force [OTF] partners in affected countries.”

Photo: Australian police arrest the alleged organiser of the Ghost encrypted messaging platform

According to superintendent Marie Eve Lavallée of the Royal Canadian Mounted Police, further technical expertise was provided by high-level organised crime investigators and cyber crime specialists from Canada, who “pioneered” a new technique for the acquisition of data from encrypted networks.

“This technique allowed investigators to seize the digital evidence that was essential for all members of the OTF,” she said, adding this collaboration between the law enforcement partners “enables us to innovate with modern investigation techniques to intercept, locate and decrypt messages linked to illicit activities on hardened secure communication platforms”.

Michel also highlighted the previous takedown of EncroChat, noting that it helped to develop both the technical and judicial skills to handle these kinds of complex cases at a global level. However, he added that since then, “the landscape of encrypted communications has become highly dynamic and segmented”, with criminal groups retreating into smaller encrypted networks.

Brendan Dunford, a supervisory special agent at the FBI, added that “such platforms have an outsized impact on facilitating criminal activity around the world, warranting a worldwide response by law enforcement” against encrypted communications platforms being used for criminal purposes.

In response to press questions about whether criminals were the only ones using the Ghost network – which has been a point of contention with the investigation into EncroChat – assistant commissioner David McLean of the Australian Federal Police said that from “hundreds of thousands of intercepted modes of communication, we’ve no evidence to suggest this platform was used by anybody other than criminals”.

Lecouffe added: “All the messages that attracted our interest were messages exchanged between criminals, for sure. If there are maybe some messages not exchanged by criminals, they didn’t attract our attention. The use of this kind of platform is really by criminals, but if somebody is not one, it has been put aside.”

Europol further claimed it is taking a “balanced approach” to stopping crime on encrypted platforms while protecting user privacy rights: “Private companies that wish to ensure their services are used in compliance with the law also have an important role to play. They must ensure that their platforms are not safe havens for criminals and should provide mechanisms for lawful data access under judicial oversight and in full respect of fundamental rights.

“Law enforcement needs access to communications among suspects to combat serious crimes. This can coexist with privacy protection, while cyber security is guaranteed and strong legal safeguards and oversight are in place.”
