A European Country Helped the FBI Intercept Anom Messages, But It Wants to Remain Hidden

A U.S.-authored document obtained by Motherboard says that the unnamed country that was vital to the FBI being able to read messages from its honeypot phone company Anom was a “European Union member country.”

During Operation Trojan Shield, in which the FBI secretly managed an encrypted phone company called Anom in order to spy on organized crime syndicates on a global scale, the FBI enlisted the help of an unknown third country to collect the messages from backdoored Anom devices. That country obtained court orders under its own laws and acted as the data bottleneck that allowed the FBI to monitor Anom phones. The FBI has steadfastly refused to reveal which country that was.

Now there is some more information on where that country is located. The FBI used a country in the European Union to collect the messages before it transferred that data to the FBI, according to a U.S.-authored document obtained by Motherboard.

The news provides some extra clarity on how the operation worked. But defense lawyers are still trying to find out what specific country helped the FBI, saying that information is vital to defending those accused as part of the wide-spanning operation.

The document obtained by Motherboard says that “In the summer of 2019, the FBI and the Department of Justice, United States Attorney’s Office (Southern District of California) engaged representatives from a European Union member country to receive an iBot server of its own and obtain the contents of communications occurring between Anom users.” An iBot server is part of the technical infrastructure used to monitor messages on the Anom platform. Eventually the unnamed country provided the FBI with a cache of Anom user data every Monday, Wednesday, and Friday.

Do you know anything else about Anom? Were you a user? Did you work for the company? Did you work on the investigation? Are you defending an alleged Anom user? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Despite receiving a court order to copy an iBot server located within its borders and then provide that copy to the FBI, “the country requested its participation be kept confidential,” the document adds. “The FBI is neither now nor in the future in a position to release the identity of the aforementioned third country.”

But if the data collection was perfectly legal, it raises the question of why the unnamed country wished to remain anonymous. Defense lawyers argue that understanding which country and which legislation was used is important to determining whether the operation was legal.

A section of the document obtained by Motherboard. Image: Motherboard.

“If another country collects evidence that is to be used in our country, I need to know on what legal basis. Therefore, I need to know the country and the court decisions so that I can check whether the basic principle of mutual recognition and trust can apply,” Christian Lödden, a criminal attorney at law firm Lödden & Barczyk, who is working on various cases involving encrypted phones, told Motherboard in an online chat. 

In April, activist blogger Matthias Monroy mentioned that an official from Germany’s federal police said when questioned in court that the unknown country was based in the European Union. When asked whether the data from Anom was sent directly to the FBI or via a server in another country, the official said, “According to the information available here, the data was initially sent to a server in an unknown member state of the European Union and only forwarded from there to an FBI server in the United States of America on the basis of a request for legal assistance,” according to a translation of a transcript of the exchange.

The Anom operation started in 2018 after the FBI shut down Phantom Secure, an encrypted phone company popular among organized crime. After that, a former seller of Phantom Secure and other encrypted devices offered their own phone company to the FBI for use in its investigations. That company was Anom.

During an initial beta test in Australia in conjunction with the Australian Federal Police (AFP), the FBI was not able to view the content of Anom messages itself. The AFP’s legal authorization did not allow it to share that data with international partners. The FBI launched a second phase of Anom with the help of the unknown third country, and started to receive the content of Anom messages on October 21, 2019. Over time the third country obtained additional court orders under its own laws to provide the data to the FBI. The third country continued to provide this Anom data until June 7, 2021, when its latest court order expired.

The Anom operation has led to over a thousand arrests worldwide, and massive seizures of drugs, weapons, and cash. 

Courts have faced legal challenges and questions in cases involving law enforcement action against other encrypted phone companies too. In February, a group of lawyers, including Lödden, penned an open letter to the European Commission and European Parliament arguing that their clients are not receiving fair trials, due to the cloud of secrecy around how French military police hacked devices on the Encrochat network.

Kelly Thornton, director of media relations at the U.S. Attorney’s Office for the Southern District of California, told Motherboard in an email, “Thanks for the opportunity but I have no comment.” Bill McNamara, public affairs officer for the San Diego FBI, told Motherboard in an email, “We have no comment.”

Update: This piece has been updated to include a response from the San Diego FBI and the USAO for the Southern District of California.
