FBI Honeypot Phone Company Anom Shipped Over 100 Phones to the United States

Motherboard has obtained files showing that Anom shipped more devices into the United States than previously understood.

Anom, the encrypted phone company that was secretly commandeered by the FBI and that surreptitiously provided all of its users’ messages to the authorities, shipped many more devices into the U.S. than previously understood, according to multiple files obtained by Motherboard.

The news highlights that although much of the Anom operation focused on devices overseas, Anom phones were still present in the U.S., raising questions about how many total devices were in the country during the years-long undercover operation.

For legal reasons, the FBI did not monitor outgoing messages from Anom devices determined to be inside the U.S. Instead, the Australian Federal Police (AFP) monitored them on behalf of the FBI, according to previously published court records. In those court records unsealed shortly before the announcement of the Anom operation, FBI Special Agent Nicholas Cheviron wrote that the FBI received Anom user data three times a week, which contained the messages of all of the users of Anom with some exceptions, including “the messages of approximately 15 Anom users in the U.S. sent to any other Anom device.”

The internal Anom files obtained by Motherboard show that more than 15 phones were shipped by Anom to addresses in the U.S. One included a shipment of 100 devices in March 2020 to a P.O. Box in New York. Another was for a shipment of 10 phones to a unit in San Diego; a third shipment was to the same drop-off point in San Diego.

Were you a user of Anom? Did you sell the phones, or did you work on the investigation? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.

Anom itself arranged these shipments of devices. Anom also worked with a system of distributors who used an online portal to keep track of their own sales. The files obtained by Motherboard which describe the shipments don’t include Anom phones that individual Anom distributors may have sent to the U.S.

It’s not clear whether the devices described in these files were actively used by Anom customers, whether they stayed in the U.S. or were then sent on to users in other countries, or if the phones were destined for genuine Anom customers or some other purpose, such as for the FBI itself to use. The San Diego FBI led the Anom operation, though Motherboard could not directly connect the San Diego shipment described in the files to the FBI.

“Sorry, can’t help ya,” a person in control of a phone number mentioned in the San Diego shipments told Motherboard in a WhatsApp message. When Motherboard followed up a day later and showed we had access to internal Anom files, the person said, “Still can’t help you.”

The person in control of the phone number linked to the New York shipment did not respond to a request for comment.

The national press office for the FBI declined to comment. Bill McNamara, public affairs officer for the San Diego FBI, wrote in an email: “Due to the pending nature of the case, we are unable [to] comment at this time.”

Kelly Thornton, director of media relations at the U.S. Attorney’s Office of the Southern District of California, declined to comment.

In the court records, Cheviron wrote that Anom’s creator, a convicted drug trafficker who later offered Anom to the FBI for use in its own investigations, “controlled the distribution of Anom devices in consultation with the FBI.”

Initially, Anom rolled out devices in Australia as a beta test for the backdoor’s capabilities. At the time, only the AFP had the legal authorization to monitor messages sent across the Anom platform. Later, Anom started to expand globally.

After fall 2019, an unnamed third country agreed to host a server that would receive all of the Anom message content, and then provide data to the FBI under a Mutual Legal Assistance Treaty (MLAT). Any messages sent from a device with a U.S. Mobile Country Code (MCC) were filtered from the data the FBI reviewed, the court records say.

“But if any devices landed in the United States, the AFP agreed to monitor these devices for any threats to life based on their normal policies and procedures,” the records add.

Stewart Baker, partner at Steptoe & Johnson LLP, and Bryce Klehm, associate editor of Lawfare, previously wrote that “The ‘threat to life’ standard echoes the provision of U.S. law that allows communications providers to share user data with law enforcement without legal process under 18 U.S.C. § 2702. Whether the AFP was relying on this provision of U.S. law or a more general moral imperative to take action to prevent imminent threats is not clear.” That section of law discusses the voluntary disclosure of customer communications or records.

When asked about the practice of Australian law enforcement monitoring devices inside the U.S. on behalf of the FBI, Senator Ron Wyden told Motherboard in a statement: “Multiple intelligence community officials have confirmed to me, in writing, that intelligence agencies cannot ask foreign partners to conduct surveillance that the U.S. would be legally prohibited from doing itself. The FBI should follow this same standard. Allegations that the FBI outsourced warrantless surveillance of Americans to a foreign government raise troubling questions about the Justice Department’s oversight of these practices.”

Last week, Motherboard reported, based on a review of a cache of thousands of pages of Anom messages sent by an alleged drug trafficker, that the Anom backdoor, as well as recording users’ messages, also sent their GPS location to authorities.
