How the FBI and AFP accessed encrypted messages in TrojanShield investigation

Over a three-year period, law enforcement agencies around the world jointly decrypted messages of criminals to foil various activities, such as plans to ship tonnes of cocaine.
Written by Campbell Kwan, Contributor

The US Department of Justice has unsealed a warrant detailing how law enforcement agencies accessed and used the encrypted communications of criminals as part of its TrojanShield investigation, a global online sting operation.

The warrant [PDF] reveals that the Federal Bureau of Investigation (FBI) in 2018 commenced the investigation after it recruited a confidential human source to provide access to Anom, an encrypted communications product used by transnational criminal organisations (TCOs).

The confidential human source also distributed Anom devices to their already existing network of distributors of encrypted communications devices, which all had direct links to TCOs.

According to the warrant, the FBI said it recruited the source shortly after arresting Vincent Ramos, the CEO of Phantom Secure, who had sold the company's encrypted devices exclusively to members of criminal organisations.

Operation Trojan Shield was centred on exploiting Anom by inserting it into criminal networks and working with international partners, including the Australian Federal Police (AFP), to monitor the communications. For an Anom device to be useful for monitoring, the FBI, AFP, and the confidential human source built a master key into the existing encryption system; this key was surreptitiously attached to each message and enabled law enforcement to decrypt and store messages as they were transmitted. Users of Anom devices were not aware of the master key's existence.

By design, as part of the TrojanShield investigation, for devices located outside of the United States, an encrypted "BCC" of each message was routed to an "iBot" server located outside of the United States, where it was decrypted using the confidential human source's encryption code and then immediately re-encrypted with FBI encryption code. The newly encrypted message was then passed to a second FBI-owned iBot server, where it was decrypted and its contents became available.

Each Anom user was assigned to a particular Jabber Identification (JID) by the source or an Anom administrator. The JID is either a fixed, unique alphanumeric identification, or for more recent devices, a combination of two English words. Anom users could select their own usernames and change their list of usernames over time. As part of the Trojan Shield investigation, the FBI maintained a list of JIDs and corresponding screen names of Anom users.
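To make the flow described above concrete (the client's hidden "BCC", the two iBot hops, and the JID-to-screen-name catalogue), here is an added simulation that is not code from the article, the warrant, or Anom itself. The cipher is a deliberately toy XOR keystream so the escrow path is visible; every key, JID, and screen name is a constructed assumption.

```python
import hashlib
from dataclasses import dataclass

def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 keystream (same call encrypts and decrypts).
    Stands in for Anom's real encryption, which the article does not describe."""
    stream = b""
    for i in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Envelope:
    sender_jid: str
    recipient_jid: str
    nonce: bytes
    ciphertext: bytes

# Constructed keys: the "master key" baked into the client, and the key shared by the
# two iBot servers. Both names are assumptions for this demo, not values from the warrant.
MASTER_KEY = b"constructed-source-master-key"
FBI_KEY = b"constructed-fbi-relay-key"

def client_send(sender: str, recipient: str, peer_key: bytes, nonce: bytes, text: bytes):
    """The client emits two envelopes: one to the peer and a 'BCC' under the master key.
    The peer's envelope is byte-for-byte what an honest client would send, so nothing in
    that ciphertext reveals the copy; only the client code (or the extra outbound
    envelope on the wire) does."""
    to_peer = Envelope(sender, recipient, nonce, toy_xor(peer_key, nonce, text))
    bcc = Envelope(sender, recipient, nonce, toy_xor(MASTER_KEY, nonce, text))
    return to_peer, bcc

def ibot_relay(bcc: Envelope) -> Envelope:
    """First iBot server: strip the master-key layer, re-encrypt under the FBI key."""
    plain = toy_xor(MASTER_KEY, bcc.nonce, bcc.ciphertext)
    return Envelope(bcc.sender_jid, bcc.recipient_jid, bcc.nonce, toy_xor(FBI_KEY, bcc.nonce, plain))

def ibot_store(env: Envelope, jid_table: dict) -> dict:
    """Second iBot server: decrypt and catalogue against the JID -> screen-name list."""
    text = toy_xor(FBI_KEY, env.nonce, env.ciphertext).decode()
    return {"from": jid_table.get(env.sender_jid, env.sender_jid),
            "to": jid_table.get(env.recipient_jid, env.recipient_jid), "text": text}

def run_demo() -> tuple:
    """Returns (what the peer reads, what the second iBot catalogued)."""
    jid_table = {"river-stone": "Skipper", "gold-anchor": "Dockside"}  # constructed two-word JIDs
    peer_key, nonce = b"constructed-peer-session-key", b"nonce-01"
    to_peer, bcc = client_send("river-stone", "gold-anchor", peer_key, nonce, b"meet at the usual place")
    peer_view = toy_xor(peer_key, to_peer.nonce, to_peer.ciphertext).decode()
    return peer_view, ibot_store(ibot_relay(bcc), jid_table)

if __name__ == "__main__":
    print(run_demo())
```

The takeaway for anyone evaluating an "end-to-end encrypted" product is that the recipient's ciphertext looks identical with or without the escrow copy; the guarantee lives entirely in the client build, which is why independent client audits and reproducible builds matter more than the advertised cipher.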

During the testing period for using Anom devices as part of the investigation, the AFP obtained a court order to legally monitor the Anom devices that were to be distributed to individuals in Australia or those that had a clear nexus to Australia.

In Australia, intelligence and law enforcement agencies can request or demand assistance from communications providers to access encrypted communications under encryption laws that were passed at the end of 2018.

Approximately 50 devices were distributed as part of the test which was deemed a success, the warrant said.

"Through the interception of these communications, the AFP penetrated two of the most sophisticated criminal networks in Australia. The AFP has shared generally with San Diego FBI the nature of conversations occurring over Anom, which included drug trafficking activity (including discussing the transportation of hundreds of kilograms of narcotics), firearms purchases, and other illegal activity," the warrant detailed.

After the testing in Australia, the FBI engaged a third country -- which has been left unidentified -- that agreed to join the TrojanShield investigation and set up its own iBot servers. The third country then agreed to obtain a court order in accordance with its own legal framework to copy an iBot server located there and provide a copy to the FBI pursuant to a Mutual Legal Assistance Treaty.

From infiltrating the Anom network, the law enforcement agencies translated and catalogued more than 20 million messages from a total of 11,800 devices located in over 90 countries as part of Operation TrojanShield. The top five countries where Anom devices were used, before the encrypted product's services were shut down on Tuesday, included Australia, Germany, the Netherlands, Spain, and Serbia.

In the unsealed warrant, one example of Anom devices being used to shut down criminal activities was a shipment of cocaine from Ecuador to Spain that had been concealed within a shipping container of refrigerated fish. The FBI and law enforcement officials in Spain reviewed the messages that contained specific details regarding the shipment and distribution once it arrived in Spain. Law enforcement officials in Spain then conducted a search of the container and upon completion, located approximately 1,401 kilograms of cocaine.

In addition to decrypting messages made on Anom devices, the FBI sought to seize content, including electronic mail and attachments, stored instant messages, stored voice messages, and photographs, from certain Google accounts through the warrant.

The unsealing of the document comes shortly after the AFP made public the online sting operation, which has also been dubbed as Operation Ironside. Australian Home Affairs Minister Karen Andrews labelled it as the "most significant operation in policing history" in Australia.

The law enforcement agencies decided to bring the online sting operation to light as the third country's warrant expired on June 7 along with the operation itself.

The TrojanShield operation led to 525 search warrants, 224 individuals being charged, 525 charges in total, six clandestine labs being taken down, and 21 threats to kill being averted. 3.7 tonnes of drugs, 104 firearms and weapons, and over AU$45 million in assets were also seized as part of the operation.
