SPECIAL REPORT

The EncroChat bust: how police hacked the secret gangster messaging network

It was the ‘uncrackable’ encrypted phone system that enabled criminals to plot with impunity — or so they thought. David James Smith reports on one of the biggest organised crime busts in history

The Sunday Times

It’s the spring of 2020 and Thomas Maher, a wealthy drug trafficker, is sounding relaxed despite the impact of the pandemic. From his home in the north of England he texts a friend: “I’m at this game the last 20 odd years pal, I’m not an overnighter so I know the way of plays.”

Maher, who was born and raised in Ireland, reckons his criminal business will survive Covid. He texts again: “We be grand m8 [mate], like johnny logan said what’s another year…” When Logan won Eurovision for Ireland in 1980, he couldn’t have imagined his schmaltzy ballad cropping up in secret chats about drug deals.

Maher’s friend taps back (less than grammatically), eager for the end of lockdown: “f*** me can’t wait get a way for good outbreak”. Maher agrees. “Same as that pal. It’s badly needed now isn’t it…”

Hot property: the haulage boss Thomas Maher and his wife, Joanna, enjoyed the spoils of crime in Spain

Then he continues using simple code to describe drug runs from Europe to Ireland: “… work wise taxi ways [drug runs] are working out OK at the minute with this fella from flat [the Netherlands] to ours [Ireland] … once we get this travel ban lifted m8 we be on the pigs bk”. “On the pig’s back” is an Irish expression meaning having a prosperous time. Maher adds: “… its just going to take time pal. we be laughing. I’m telling you that’s why I’m not stressing yet.”

There was another reason Maher wasn’t stressing: he was using an EncroChat phone, a sophisticated encrypted device that had spread like wildfire among organised crime groups and their associates. These phones were disguised as ordinary Android devices, but most of the normal functionality was disabled. Instead, by pressing a secret sequence of buttons, the user could access a hidden phone within the phone: a software system called EncroChat.

That software could be used only to send text and picture messages — and only to other EncroChat users. Each device had its own EncroChat “handle” or nickname — Maher’s was “Satirical” — so that users might not even know each other’s real identities. It created an anonymous, virtual den of thieves, one that was thought to be impenetrable.

EncroChat incorporated the latest, most brilliant form of end-to-end encryption, and was further protected by various means of deleting, or “burning”, the user’s incriminating data if need be. It was perfect for criminals — and police estimated that some 9,000 EncroChat phones were in use in the UK by 2020, with more than 50,000 across the world. Each handset cost upwards of £1,500 to buy, plus a similar sum for the annual rental.

Police raid the Mahers’ unassuming three-bedroom home in Warrington, October 2019
PA

Britain’s National Crime Agency (NCA) could see the phones being deployed — notably in two gangland assassinations — but had no way of accessing the data on the devices even when they managed to seize them. It was frustrating and severely limited surveillance operations, so much so that in 2019 the police initiated a project specifically to target EncroChat and crack the code.

This is the story of how law enforcers took on the network, caught Maher — among others — and now stand to prosecute many other suspects in the greatest police intelligence coup for decades.

On the surface Maher was a road haulier. His wife had a Bulgarian haulage firm called TMT and Maher owned other trucks, also registered in Bulgaria to avoid strict UK protocols. His only conviction had come in 2008, for tampering with a tachograph. He had been fined £400.

At the same time, though, he was a fixer, a middleman for organised crime groups, arranging transport for drug consignments and money laundering. Drugs came into Ireland via the UK and money went out. It was a dangerous business and police suspected some of his associates were involved in numerous murders. The NCA believe one of the reasons Maher moved from Ireland to the northwest of England was for the safety of himself and his family. He became known to his criminal contacts as the man in Liverpool, but set up home in a modest three-bedroom house in Warrington, Cheshire, from around 2017. His wife, Joanna, had a beauty salon in the town, New Hair Don’t Care.

Despite the outward normality, Maher derived plentiful private pleasures from his criminality. He owned a Mercedes, two Range Rovers, a Chevrolet Corvette, various artworks and numerous watches, including four luxury models estimated to be worth £100,000 each. The luxury watches have not been recovered. He also spent “eye-watering sums” — in the words of the NCA — on holidays, including first-class travel to Mexico and private helicopter rides over Manhattan.

He had a second home in Spain, where he kept a Porsche Cayenne and enjoyed good living: he was once seen to order five meal deliveries in one day — not small orders either. “There were some big burgers,” observed a police source. At the same time he was living on his luck — he had survived a stroke aged 23, suffered from a rare congenital heart condition and was hobbled by other ailments including plantar fasciitis, a painful foot condition that sometimes left him struggling to walk.

In 2019 his luck began to run out. Maher had sold a truck to a fellow Irish criminal, Ronan Hughes, who used it to bring a trailer full of Vietnamese migrants from Europe to the UK. The truck was being driven by a young Irishman called Maurice Robinson when it parked up outside Purfleet port in Essex on October 22, 2019. Robinson opened the doors and found all the migrants had been asphyxiated. Both he and Hughes later pleaded guilty to 39 counts of manslaughter.

Vietnamese lorry deaths: Maurice Robinson (left) and Ronan Hughes pleaded guilty to 39 counts of manslaughter
PA

The truck turned out to be still registered in Maher’s name and the NCA came calling on him. Investigators established he had played no part in the migrant conspiracy, but they became increasingly aware of his criminal operations and set out to disrupt his activities and seize his wealth.

Despite the police heat, Maher remained confident in the security of his EncroChat phone. Investigators later learnt that, even as they began targeting Maher and making property seizures at his home, he was on his EncroChat device, pitching for, planning and organising new trade in drugs and laundered money. He thought his phone was uncrackable. Meanwhile the NCA was about to start listening in.

In late 2019 the NCA launched Project Venetic, which it intended as an attack on EncroChat and its users in the UK. But it was a huge technical challenge and progress was slow.

The NCA, though, was not the only law enforcement agency in western Europe taking an interest in EncroChat. At almost the same time an investigation led by the Lille regional court in France had located EncroChat servers at nearby Roubaix, close to the Belgian border. The French investigators, who have never publicly identified exactly who hosted the servers, managed to obtain images of the hardware that ran the EncroChat system.

In early 2020 a British team comprising members of the NCA and Crown Prosecution Service (CPS) was invited to meet officers and prosecutors from the Netherlands and France. They were told the two countries were about to form a joint investigation team (JIT) known as Operation Emma, and French police believed the server images would enable them to develop the ability to hack into the EncroChat system. With the UK leaving the European Union the British investigators were not allowed to join the JIT — but they were invited to participate in a second-tier unit known as the “operational task force”.

Matt Horne, the NCA’s deputy director of operations, became the “gold command” for the NCA’s investigation, which was now upgraded to Operation Venetic. At a meeting in Birmingham he briefed leading lawyers in the CPS organised crime division on the scale of EncroChat use by UK criminals. He said there was no known legitimate use for EncroChat.

When NCA officers attended a further meeting with JIT representatives at Europol in the Hague they learnt that Operation Emma had developed a mechanism to collect the EncroChat phone data and expected it to go live in mid-March 2020. It would be a worldwide undertaking, including all UK phones in the sweep.

The French authorities would not put anything in writing that explained how their hack of the EncroChat system would work; but the NCA needed some sort of description in order to apply for surveillance warrants. A lead investigator in the gendarmerie, Jérémy Decou, agreed an explanation with an NCA officer and it revealed that the French had devised an update to send to all EncroChat devices through the Roubaix server. The update would implant a hidden app into every EncroChat phone, thus allowing for the collection of all the data, in two stages.

Stage one would be a historical trawl of existing data on each device, including contacts, user names, all messages and notes. Since many of the phones were set to burn their messages after a week, the data sweep would mostly collect only the last seven days of communications. Stage two would be a daily harvest of the most recent messages, on a continuing basis for as long as the app remained in use and undetected.

The gendarmerie’s digital crime unit was known as C3N. All the data — which would run to millions of messages — went to the C3N server and then on to Europol for distribution to the NCA and elsewhere. The NCA had to agree to use the information for intelligence only, in order to maintain the secrecy of the operation until the data collection came to an end. Exceptions would be made in circumstances where messages revealed an imminent threat to life.

In the event the data hack was delayed by the French and did not begin until April 1. It then continued, seemingly undetected by the users or by EncroChat itself, for more than two months, into the middle of June 2020. The NCA received data dumps every 24 hours and devised a sophisticated computer program to sift the material into “intelligence packages” that were circulated to police forces and regional organised crime units across the country. Some, however, were reserved for its own investigations — and that included the activities of Maher. The sudden opening of a window to his world changed everything.

“It was like Christmas,” one of the lead officers told me. “Every day was a pleasure.” He likened it to a soap opera in which the daily messages would end on a cliffhanger: “You were waiting to launch your operation but the drugs weren’t quite in yet, then the next day’s messages would come and there’d be another delay — and meanwhile you’d be reading through the material, saying, ‘Oh look what they’re up to now.’ ”

They learnt about Maher’s drug-running system, which relied on “hides” or “slots” on lorries where 10-20kg of Class A drugs, typically 97 per cent pure cocaine, might be hidden, such as in a toolbox, inside a spare tyre or behind the illuminating glass panel above the windscreen.

In one transaction, to which Maher later pleaded guilty, he used his phone to arrange a deal involving 10kg of cocaine. The drugs were to be delivered to a lorry driver in the Netherlands, who would bring them across to the UK and on into Ireland. On April 4, 2020, Maher sent a message that read: “Hello M8, taxi tomorrow morning or early Saturday evening in the flat [the Netherlands] to our place [Ireland], can take ten bits in the stash, 2700 Euros each part, would ten be OK …”

The reply: “OK M8 what part of the flat is the drop he won’t do service stations.” Maher: “That’s ok we can pick a place near Utrecht or near Rotterdam, he won’t have long to wait …”

The drugs were delivered to the HGV driver in Holland by a courier in a silver Hyundai; the handover took place in a lay-by just off a regular haulage route. Maher was updated later that day as the lorry travelled across the UK to Ireland, where Maher’s associate collected the drugs, identifying the correct lorry by a name displayed in the window. The messages also disclosed Maher’s fees, which might run to €4,000 (£3,400) for a typical drug run. Sometimes, according to his EncroChat communications, he co-ordinated dozens of such transactions a week.

Drug cash went back the other way, though always by separate arrangements. In one instance, to which Maher pleaded guilty, a photo of a €5 note was sent via EncroChat as a token so that both sides in the transaction would know they were dealing with the right person. The smuggled money was washed and vacuum-sealed to prevent detection by sniffer dogs. Maher negotiated a fee from the money launderer of 3 per cent for the haulier, with a further 1 per cent for himself. The sum being smuggled was €300,000.

Officers watching Maher then became alarmed when he switched EncroChat handsets: they wondered if he had realised that his messages were being read. His new phone carried the handle “Snacker”. In fact, as he revealed in messages, he had lost his temper and thrown his old “Satirical” phone at one of his children — and it had broken.

Even though he continually discussed drug transactions and money laundering on the phone, Maher still took precautions. Police believe he hid the phone outside his home every night when it was not in use, and he adopted slang as a code when discussing deals and arrangements. “Tops” or “posh” referred to cocaine, “bobs” was heroin, “polly” was Ecstasy and “jackets” was cannabis. At times Maher also discussed weapons, referring to “apples” or “pineapples”, meaning grenades.

Meanwhile he had not forgotten about Ronan Hughes, the migrant-smuggler who had failed to reregister the lorry he had bought from Maher — thus bringing Maher to the attention of the police. Hughes had gone on the run after the migrant lorry deaths and had finally been arrested in April 2020.

From his messages the NCA soon learnt that Maher was preoccupied with Hughes: “Seen that m8 that’s the fella that bought the wagon”, he commented to an associate on Hughes’s arrest. Maher was asked if Hughes had anything on him. Maher replied: “Only hearsay m8. I’ll know if they lift me again over the next few weeks ha ha I’ll shower every night put on clean jocks before bed in case they do ha ha be a few days without a shower but notting to keep me for.”

Still, Maher was warned to be careful of the NCA: “… them c**** from the UK they follow u to the end off the earth”.

Hughes continued to prey on Maher’s mind. The next day he circulated a message: “Have you anyone in [name of prison]”. One of the contacts replied, “I’ll ask, what’s up?” Maher: “I want to get a fella seen …” He was asked: “seen hurt you mean?” “Yes,” Maher said. “Cheers m8 I don’t want gone but want hurt see what u think …” The police suspected this meant Maher didn’t want Hughes murdered (“gone”), just wounded, although Maher later disputed that the messages implied any intention to cause harm.

The text exchange continued with Maher being told his request would be sorted and being asked if he wanted Hughes to know where it came from. “Yeah,” Maher replied, “dragging me into this mess.”

The NCA considered these messages represented a threat to life and moved to protect Hughes.

Maher became increasingly jumpy about the NCA, and investigators saw him discussing preparations for his own flight. According to messages he sent, he would not need a passport and could simply hide on a lorry to escape to mainland Europe, pick up travel documents in Spain and then head for a country with no UK extradition agreement. On one occasion Maher was actually about to go, but the plan was postponed because he couldn’t walk to the vehicle — his plantar fasciitis was too severe.

Then the great French hack unravelled: on June 13, 2020, some ten weeks after the eavesdropping had begun, EncroChat sent a message to all its users: “Today, we had our domain seized illegally by government entities … Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device. We took immediate action on our network by disabling connectivity to combat the attack. You are advised to power off and physically dispose of your device immediately.”

At the NCA it was, as an officer put it to me, “all hands to the pump” as soon as they became aware of the EncroChat alert. Maher was considered a flight risk, so the sooner he was arrested the better — and the greater the chance of seizing his EncroChat phone. When police reached him in the afternoon he was still at home, observing lockdown; but his phone had disappeared.

Though the NCA never found Maher’s EncroChat phone, investigators already had weeks of data from it. That information included numerous photographs of his ailing feet and other images from within his home that made it unarguable that he had sent the messages himself. Maher declined to make any comment in police interviews, but thanks to the phone messages he was charged with two counts of importing drugs and two counts of laundering money.

He pleaded guilty and appeared for sentencing in an online hearing from Liverpool crown court three days before Christmas. He had lost weight during his time on remand and sat quietly as his fate was decided. It was noted he was among the first EncroChat cases to plead to his offences and one of the first to be sentenced.

The judge told him that drugs caused “desperation and misery” and were a “cancer in our midst”, but it mattered not to the likes of Maher as long as there was profit to be made. He had been a significant player in a highly professional and sophisticated operation — and was sentenced to 14 years and eight months in prison. A further charge of conspiring to commit grievous bodily harm against Ronan Hughes was left on file — which means police suspect him of the alleged offence but he disputed the charge and the case never went to trial.

Maher was the first mainstream crime figure to be jailed as a result of the EncroChat intelligence. Other convictions have already followed. In the weeks after June 13, police and NCA officers across the country made more than 1,500 arrests related to EncroChat and dozens of trials for serious offences are now in various stages of progress.

In addition to the arrests, police say the EncroChat hack has led to the seizure of 115 firearms, more than 5,000kg of Class A drugs and £56 million of criminal cash.

In some cases it is more difficult to establish who used an EncroChat phone than it was with Maher — so difficult that in at least one case charges were dropped. There have also been arguments over the admissibility of hacked EncroChat messages as evidence in court.

To access the data from the European JIT, the NCA had to have the appropriate paperwork: it needed to submit a European investigation order and obtain a targeted equipment interference warrant from the Investigatory Powers Commissioner’s Office. But the law governing electronic surveillance is complicated and there were disputes over whether the material had been hacked while it was being stored on devices, or whether it had been intercepted during transmission. If it was the latter, the NCA had obtained the wrong warrant and the interceptions were illegal.

In February the Court of Appeal, led by the lord chief justice, found that the messages had been hacked while being stored. So the details that EncroChat users had hoped to keep secret were, after all, admissible in court. Although lawyers representing some of the accused have sought other hearings and may be hoping they can take the case to the UK Supreme Court, as things stand the cracking of EncroChat, which no longer operates at all, has been a stunning event in modern policing.

Like Thomas Maher, many of those convicted will lose not just their liberty and comfortable lifestyles but their ill-found wealth, which can be seized as the proceeds of crime. The NCA had considered charging Maher’s wife too, but ultimately decided against it. She remains innocent. But as the police said, she would lose her home and most of the assets she and Maher had enjoyed. The luxurious life that she had known with him is over too.

Additional reporting by Peter Allen in Paris

Who created the crypto-phones?

Despite EncroChat being busted open, there remains a big unanswered question: who created the secret phone system? Though it was widely assumed to be a European phenomenon, The Sunday Times has discovered its origins actually lie in the activities of a handful of Canadians.

Before the system was called EncroChat, it was known as esocrypt. That name was first registered in 2011 as an internet domain by a Canadian businessman then in his early thirties named Douglas Pare. He had set up a Canadian company called Esoteric Communications in 2009 alongside two fellow directors, Craig Widdifield and Jeffery Chang.

Both Widdifield and Chang were known to Canadian police for their gang affiliations. Widdifield was shot dead in a Vancouver shopping centre car park in 2013 and Chang died of a drug overdose in the same city in 2015, having survived a drive-by shooting there a year earlier.

Pare, originally from Ontario but later based in Vancouver, spoke about Esoteric Communications during a 2011 court hearing into an alleged fraud. He said he was the principal of the company and a 33 per cent shareholder, and described the outfit as a start-up on the verge of releasing software applications for BlackBerry devices, which were then favoured for secure communications. He told the court that he expected either to “go bankrupt or make millions”.

Esoteric Communications started to operate and promote software known as EsoCrypt. Although the Esoteric Communications company was dissolved in 2012, someone continued using the EsoCrypt brand, seeking distributors for its new phone product and appearing to be interested in legitimate uses for its encrypted devices. It was suggested that celebrities, journalists, politicians and government agents might benefit from using encrypted phones. Other individuals, all Canadian and apparently secretive, appeared to be connected to the company.

Then in 2014 EsoCrypt went offshore, registering a company called EsoCrypt SA in Panama, using a legitimate means to disguise its true ownership and accounts. A local law firm, Arias B Associates, registered the company, with its own employees shown as the directors. Only Arias B knew who the “client of record” really was. EsoCrypt had previously banked in Canada but that too moved, and vendors distributing EsoCrypt products were told to send any money due to the company to a private bank in Luxembourg.

In 2015 the Panama company was renamed EncroChat, and there was now an EncroChat website boasting of how the business “develops the next level of worry-free secure communications”. In 2016 a Dutch company began offering EncroChat, available to buy online.

Arias B Associates told The Sunday Times it had resigned as the Panamanian agents of EncroChat SA in mid-2017 as they could no longer locate their client of record. Pare, the Canadian who said he owned a third of the original Esoteric Communications firm, responded to our inquiries by email. He said he “ceased to have any relationship to Esoteric Communications at the end of 2011” and that he had resigned as a director and given up his shareholding. He said: “Jeff Chang & Craig Widdifield took over [Esoteric Communications] after my departure in late 2011” and that the company had been dissolved the following year. Pare said he had registered esocrypt.com as a domain name, but had not used it. He added that he had “never seen EncroChat or been involved with its development”.