How the FBI and AFP accessed encrypted messages in TrojanShield investigation

Over a three-year period, law enforcement agencies around the world jointly decrypted messages of criminals to foil various activities, such as plans to ship tonnes of cocaine.

The US Department of Justice has unsealed a warrant detailing how law enforcement agencies accessed and used the encrypted communications of criminals as part of its TrojanShield investigation, a global online sting operation.

The warrant [PDF] reveals that the Federal Bureau of Investigation (FBI) in 2018 commenced the investigation after it recruited a confidential human source to provide access to Anom, an encrypted communications product used by transnational criminal organisations (TCOs).

The confidential human source also distributed Anom devices to their already existing network of distributors of encrypted communications devices, which all had direct links to TCOs.

According to the warrant, the FBI said it recruited the source shortly after arresting Vincent Ramos, the CEO of Phantom Secure, who had sold the company's encrypted devices exclusively to members of criminal organisations.

Operation Trojan Shield was centred on exploiting Anom by inserting it into criminal networks and working with international partners, including the Australian Federal Police (AFP), to monitor the communications. In order for an Anom device to be useful for monitoring, the FBI, AFP, and the confidential human source built a master key into the existing encryption system, which surreptitiously attached to each message and enabled law enforcement to decrypt and store messages as they were transmitted. Users of Anom devices were not aware of the master key.

By design, as part of the TrojanShield investigation, an encrypted "BCC" copy of each message sent from a device located outside of the United States was routed to an "iBot" server located outside of the United States, where it was decrypted using the confidential human source's encryption code and then immediately re-encrypted with the FBI's encryption code. The newly encrypted message was then passed to a second, FBI-owned iBot server, where it was decrypted and its contents became available to investigators.
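To make the "master key attached to each message" design of the two paragraphs above concrete, here is an added illustration of key escrow; it is not Anom's code and nothing in it comes from the warrant. Each message is encrypted once under a fresh content key, that key is wrapped for the intended recipient, and in the escrowed variant an extra "master" slot is silently added; `audit_slots` is the check a reviewer of such a client would want, flagging any key slot that does not belong to a recipient the sender chose. The SHA-256 counter-mode toy cipher, the envelope layout and all key values are assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

# Toy stream cipher (SHA-256 in counter mode), an assumption of this example so
# it runs on the standard library alone; it is not the cipher Anom used.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Envelope:
    nonce: bytes
    ciphertext: bytes
    # slot id -> (wrap nonce, content key wrapped under that slot's key)
    key_slots: dict = field(default_factory=dict)

def seal(plaintext: bytes, recipients: dict, escrow: Optional[dict] = None) -> Envelope:
    """Encrypt once under a content key, then wrap that key for every slot.
    `escrow` models the master key: a slot the sender never chose."""
    content_key, nonce = os.urandom(32), os.urandom(16)
    env = Envelope(nonce, _keystream_xor(content_key, nonce, plaintext))
    for slot_id, slot_key in {**recipients, **(escrow or {})}.items():
        wrap_nonce = os.urandom(16)
        env.key_slots[slot_id] = (wrap_nonce, _keystream_xor(slot_key, wrap_nonce, content_key))
    return env

def open_with(env: Envelope, slot_id: str, slot_key: bytes) -> bytes:
    """Anyone holding the key for any slot recovers the plaintext."""
    wrap_nonce, wrapped = env.key_slots[slot_id]
    content_key = _keystream_xor(slot_key, wrap_nonce, wrapped)
    return _keystream_xor(content_key, env.nonce, env.ciphertext)

def audit_slots(env: Envelope, intended: set) -> set:
    """Defender's check: every slot beyond the intended recipients is a third
    party who can read the message."""
    return set(env.key_slots) - intended

# Constructed demo keys (hypothetical values)
bob_key, master_key = os.urandom(32), os.urandom(32)

def demo():
    env = seal(b"meet at noon", {"bob": bob_key}, escrow={"master": master_key})
    return open_with(env, "bob", bob_key), open_with(env, "master", master_key), audit_slots(env, {"bob"})

if __name__ == "__main__":
    print(demo())  # both slots decrypt; the audit reports {'master'}
```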

Each Anom user was assigned a particular Jabber Identification (JID) by the source or an Anom administrator. The JID is either a fixed, unique alphanumeric identifier or, for more recent devices, a combination of two English words. Anom users could select their own usernames and change their list of usernames over time. As part of the Trojan Shield investigation, the FBI maintained a list of JIDs and the corresponding screen names of Anom users.