Police make arrests after hacking Ghost encrypted comms app

An international police operation has penetrated an end-to-end encrypted communications service allegedly used by organised criminals in Australia, Ireland, Sweden and Italy

Police have made multiple arrests following an international police operation involving an Australian encrypted communications platform allegedly used by organised criminals.

More than 700 police in Australia took part in raids and searches following an international investigation into the Ghost encrypted messaging platform. Further police raids took place in Ireland, Italy, Sweden and Canada.

The police operation is the latest to target encrypted messaging services, known as criminally dedicated communications services (CDCS), favoured by criminal groups.

It follows police operations to penetrate the EncroChat and Sky ECC encrypted phone networks in 2020, and the FBI-run Anom (also known as An0m) app, which was supplied to criminal gangs in a sting operation until 2021.

Australia, Canada, France, Iceland, Ireland, Italy, the Netherlands, Sweden and the US have collaborated in the operation to investigate criminal users of Ghost.

The Australian Federal Police (AFP) said last night it had undertaken a significant operation across New South Wales, Victoria, Western Australia and South Australia, codenamed Kraken, targeting users of Ghost.

“AFP Operation Kraken is targeting alleged organised criminals accused of using a secret platform to import illicit drugs and plan other serious crimes in Australia and around the globe,” it said.

Australian police arrest the alleged organiser of the Ghost encrypted messaging platform

The Australian police force charged a 32-year-old man in New South Wales for creating and administering Ghost.

The AFP alleges that Ghost was used in Australia for trafficking illicit drugs, money laundering, ordering killings or threatening serious violence.

Up to 50 Australians face charges and significant prison sentences for trafficking drugs, money laundering, ordering killings or serious violence.

Rent-a-ghost

Ghost handsets were sold for about A$2350, which included a six-month subscription to an encrypted network and tech support through a network of resellers.

Ghost’s mobile phone and desktop app claims to offer users encrypted voice calls and messaging services secured by “military grade encryption”.

The application comes with a “duress password” that allows customers to immediately delete their sensitive communications and messages, and a function to remotely wipe sensitive data, if a phone is lost or stolen.

Other features include group chats that can be set to self-destruct with a timer, leaving no record on the recipients’ devices, a “purge function” to wipe all chat history from recipients’ devices, and anonymous group chats.

According to its creators, Ghost uses a unique secure operating system that encompasses Pretty Good Privacy encryption, elliptic curve cryptography and post-quantum encryption.

Alleged administrator charged

Police have charged the 32-year-old, described by detectives as a “computer geek”, who is alleged to be the administrator of the service, with five offences.

They include supporting a criminal organisation, dealing with the proceeds of a criminal offence, and dealing in information to commit fraud.

The AFP has also obtained restraining orders on suspected criminal assets, including cryptocurrencies and bank accounts.

Police in Australia have executed 71 search warrants, made 38 arrests, seized 25 firearms and prevented the distribution of more than 200kg of illicit drugs.

Hacking operation

Ghost has been in operation for nine years and became the subject of international police investigations in 2022.

Europol established a global taskforce, codenamed Operational Task Force (OTF) Next, led by the FBI and the French Gendarmerie.

Organisation of the criminal network around the Ghost encrypted messaging platform

The AFP, with the support of French cryptographic specialists, was able to infect Ghost handsets by hacking into the administration computers and using them to push infected software updates to Ghost devices.

The operation allowed investigators to access and read the contents of supposedly encrypted communications to identify criminal users.

It is believed criminals moved to Ghost after police dismantled the Anom cryptophone app, an FBI-run sting operation, in June 2021.

AFP deputy commissioner Ian McCartney said Operation Kraken had allowed Australian police to identify and prevent 50 threats to life.

“We allege hundreds of criminals, including Italian organised crime, outlaw motorcycle gang members, Middle Eastern organised crime and Korean organised crime, have used Ghost in Australia and overseas to import illicit drugs and order killings,” he said.

The head of France’s National Cyber Command Technical Department, Florian Manet, said the unit provided technical resources focused on encryption and decryption to the taskforce.

“A technical solution was implemented over several years, which, at term, enabled the taskforce to access the communications of users on this secure platform,” he said.

Europol executive director Catherine De Bolle said the operation showed that criminals cannot hide from the collective efforts of law enforcement.

“Law enforcement from nine countries, together with Europol, have dismantled a tool which was a lifeline for serious organised crime,” she said.

Other members of Europol’s Operational Task Force include the Royal Canadian Mounted Police, the Swedish Police Authority, the Dutch National Police, the Irish Garda Síochána and the Italian Central Directorate for Anti-Drug Service. The Icelandic police also provided assistance.
