Thomas Ross QC: Legal Challenges to the EncroChat Hack – an Introduction



Thomas Ross QC

The High Court in London recently heard an application which had as its aim the exclusion of evidence obtained in the course of law enforcement activity into the EncroChat platform. For reasons which this article will hopefully make obvious, that application will in time be remembered as simply the first of many.

So what was EncroChat and why is its data likely to motivate an explosion of legal challenges in 2021? 

What was EncroChat?

EncroChat was one of the world’s largest encrypted communications services, with around 60,000 users across Europe and approximately 9,000 in the United Kingdom. 

In exchange for around £1,000, users were provided with a specially modified Android handset. The Spanish-manufactured BQ Aquaris X2 is an example of the type of EncroChat handset commonly recovered by law enforcement agencies in the UK, but Samsung and BlackBerry devices were also used.

Prior to sale EncroChat would install its own encrypted messaging program designed to route messages through EncroChat’s own servers and would remove other less secure applications (such as GPS, camera and microphone). 

For an annual subscription cost of around £2,500, the user could then exchange text and picture messages with other EncroChat users, apparently safe in the knowledge that the messages could not be intercepted by third parties. A ‘burn facility’ was also provided, allowing users to wipe phone data remotely.

Who Used EncroChat?

Given the high capital and subscription cost, EncroChat clearly was not targeted at the mass market. According to the National Crime Agency, “its sole use was for co-ordinating and planning the distribution of illicit commodities, money laundering and plotting to kill rival criminals”.

In a subsequent application for a European Investigation Order, the Crown Prosecution Service was prepared to state “EncroChat devices have been developed for and are marketed specifically for the criminal community in order to facilitate criminality”. 

Whether these claims were completely accurate or not, no reasonably informed individual would dispute that EncroChat devices were at the very least widely used in Europe in the field of Serious Organised Crime. Given the guarantees of security that EncroChat offered its customers, it could therefore be expected that the messages in circulation would be highly incriminatory. Could law enforcement agencies crack the EncroChat code? 

Early Warning Signs 

In May 2020 some EncroChat users found that the wipe feature on their handsets was not working. In response, when interrogating one of their BQ Aquaris X2 models, EncroChat found malware – proof that their systems had been hacked. The malware was on the device itself, potentially allowing it to read the messages before encryption and to send the data to a third party over the internet. No sooner had EncroChat pushed an update to its X2 models than the hackers struck again – this time allowing the malware to change the lock screen password.

On 12th June 2020 EncroChat ceased all operations with the following message to its users: “today we had our domains seized illegally by government entities. They repurposed our domain to launch an attack to compromise carbon units. With control of our domain they managed to launch a malware campaign against the carbon to weaken its security. Due to the level of sophistication of the attack and the malware code we can no longer guarantee the security of your device. We took immediate action on our network by disabling connectivity to combat the attack. You are advised to power off and physically dispose of your device immediately”.

Who was the mysterious hacker?

Who Hacked EncroChat?

In late 2019, as a result of investigations underway at Lille Regional Court, the French Authorities discovered that an EncroChat server was located in Roubaix – near the Belgian border. 

In January 2020 the Director of Public Prosecutions (DPP) and the National Crime Agency (NCA) were briefed by French and Dutch prosecutors who were developing a capability to enable them to collect data from EncroChat devices. The operation was to begin on 10th March 2020 and was to be conducted in two stages: first, the implanting of malware onto EncroChat devices worldwide that would create an image of all data then stored on the devices (including user names, chat messages and notes) and transmit that data to the French Authorities, and, secondly, the ongoing gathering of messages as they were stored in handsets after transmission.

All of this was done successfully and on 11th March 2020 the DPP drafted an application for a European Investigation Order. Within days the French Authorities had given UK law enforcement agencies access to all data obtained from EncroChat devices identified as located in the UK.

Operation Venetic 

The information having been handed over to UK agencies and considered, enforcement action began under the codename Operation Venetic.

Reports at the beginning of July 2020 suggested that, since April 2020, 746 suspects had been arrested, £54 million in cash had been seized, 77 firearms recovered and more than two tonnes of Class A drugs had been taken off the streets. More than 28 million Etizolam tablets – some said to be destined for the Scottish market – were found in a factory in Rochester, Kent. Similar results were reported in Holland, Norway, Sweden, Spain, France and Ireland. 

The Metropolitan Police Commissioner Dame Cressida Dick prophesied that “this is just the beginning. We will be disrupting organized criminal networks as a result of these operations for weeks and months and possibly years to come”. If this prophecy is accurate then the Scottish courts should prepare for a deluge of cases and an equal number of legal challenges to the admissibility of the evidence obtained through the hack by the French authorities.

In my next article, I will look at some of the potential objections to the admissibility of that evidence. If any legal professionals have any enquiries regarding the issues raised in this article please contact me at www.benchmarkadvocates.co.uk.

This article first appeared on the Scottish Criminal Law Blog