Sinaloa Cartel Used Encrypted Phone Network Hacked By Police, FBI Document Says

A bulletin written by the FBI for law enforcement agencies said that members of the Sinaloa drug cartel were likely using a brand of encrypted phones that was compromised by law enforcement earlier this year.

The FBI's “emerging intelligence report” is dated February 2020 and was exposed in the 270GB BlueLeaks data dump. It notes that traffickers from the Sinaloa transnational crime organization (TCO) were using Encrochat cryptophones as recently as October of last year, according to an unclassified case citation that was marked DEA sensitive and also law-enforcement sensitive by the FBI.

"As of October 2019, senior Sinaloa TCO leaders were using a highly sophisticated encrypted communications platform, Encrochat to communicate and facilitate criminal activity, according to a human source with direct access, much of whose information has been corroborated for the past year," the report says.

The report adds that another Mexican gang "with ties" to the Sinaloa cartel "was acquiring Encrochat phones from contacts in Europe to communicate with TCO members and a Canada-based trafficking associate … [the gang] was responsible for trafficking precursor chemicals from China and India and fentanyl to the United States."

Both the FBI and the DEA declined to comment for this story.

Encrochat was compromised and shut down by a multinational investigation led by European law enforcement, leading to at least hundreds of arrests across Europe, as Motherboard reported earlier this month. The apparent use of Encrochat by the Sinaloa cartel has not been previously reported.

Sim cards used in these phones were made by Dutch telecom firm KPN, according to earlier Motherboard reporting. Encrochat also stripped these handsets of their camera, microphone, GPS, and USB terminals, and installed proprietary encrypted messaging programs on them, which routed texts through their own servers, “located offshore” in their datacenter, according to an archived EncroPhone webpage.

Encrochat’s web marketing material also claimed its servers “never create, store, or decrypt keys, message conversations or user data.” Once stripped and reengineered, Encrochat sold these cryptophones for roughly EUR 1,000 each “at international scale” and offered subscriptions with worldwide coverage for EUR 3,000 a year.

It is currently unknown whether the compromise of Encrochat led to any specific arrests of Sinaloa cartel members or associates. But Dutch media outlet Het Parool connected the Encrochat takedown to the dismantling of 19 labs where MDMA producers in the Southern border region that straddles the Netherlands and Belgium collaborated with Mexicans to manufacture the “much more lucrative crystal meth.”

And in an article published the day of the press conference, Dutch newspaper NRC reported, “the fact that Dutch pill makers have made a union with Mexican cartels for the production of crystal meth would not have become so clear without the hack at Encro.”

The Dutch Public Prosecutor’s Office and the Dutch National Police would not comment regarding any possible links between the recent arrests of Mexican meth trafficking suspects, Encrochat, and the Sinaloa cartel.

In the past, Sinaloa cartel members used encrypted phones made by a company called Phantom Secure. The CEO of that company. Vincent Ramos, was arrested in 2018 and was sentenced to nine years in prison last year. The cartel has also used its own, custom built encrypted network to communicate.

The FBI report was among a cache of law enforcement documents called “BlueLeaks.” This data dump appears to stem from a security breach at law enforcement web-hosting firm Netsential, where hackers exfiltrated nearly 270 GB of unclassified records from 251 police departments and law enforcement fusion centers.

The data dump was sent to Distributed Denial of Secrets, a self-described “transparency collective” of journalists and freedom of information activists. German authorities seized the DDoS public data server hosting the BlueLeaks data earlier this month, but it has continued to circulate via BitTorrent and other websites.

Europol, Eurojust, and the public prosecutor of Lille—the interregional jurisdiction of France that has authority over the Encrochat case—all declined comment.

Beyond the 2018 case cited by DEA intelligence, the FBI identified senior Sinaloa cartel leaders using Encrochat phones “to communicate and facilitate criminal activity, according to a human source with direct access, much of whose information has been corroborated for the past year. The leaders claimed the platform operates much differently than other encrypted systems they had been using.”

The FBI report also cited two other cases where sophisticated communications were used by drug traffickers. Intelligence collected by the FBI in September 2019 revealed that a go-fast boat captain used Garmin Inreach Explorers, a handheld satellite device that allows two-way texting and email communications with any other mobile number or email address.

Subscribe to our cybersecurity podcast, CYBER.

Correction: An earlier version of this article stated the wrong date that German authorities seized DDoS’s server.