You are here: American University School of International Service Centers Security, Innovation, and New Technology FBI Infiltrates Phones of Criminal Groups in Operation Trojan Shield

Government & Politics

The FBI’s Operation Trojan Shield: Infiltrating Criminal Groups through their Phones

By  | 

On 8 June 2021, the Federal Bureau of Investigation announced the conclusion of Operation Trojan Shield, in which for the past three years the Bureau had been secretly selling compromised phones to criminal groups. In its announcement, the FBI declassified significant operational details. This announcement was the culmination of a multi-year joint operation between the FBI and international police partners (such as the Australian Federal Police and EUROPOL) to use a confidential informant (CI) to distribute encrypted phones within criminal groups. The plan succeeded. While over 300 criminal syndicates around the world thought their phones were safe from surveillance, authorities were secretly monitoring all their communications.

Operation Trojan Shield had its roots in an older FBI case against Phantom Secure, an encrypted services company that provided phones to organizations such as the Sinaloa Cartel in the late 2010s. The phones enabled the Cartel to avoid law enforcement wiretaps and decryption efforts by using specialized encrypted devices to coordinate their operations. In 2017, the DOJ successfully prosecuted Phantom Secure, and the company was dissolved. But that gave federal officers an idea. During the investigation and prosecution of Phantom Secure, the FBI persuaded one of its employees to become a CI. Using this CI as the front person, the FBI set up a new company, called ANOM, using Phantom Secure-type technology to provide encrypted Google Pixel phones to criminal groups. 

Before the FBI could get the phones into the hands of criminals, however, the Bureau faced a major challenge to make ANOM look like a credible company so that criminals would choose its services over other companies. To do this, they manipulated well-known criminal figures to popularize the devices. Andrew Young, a former lead U.S. Department of Justice (DOJ) prosecutor on Operation Trojan Shield, explained that companies in this market routinely hack and disrupt each other to gain an advantage and discredit competitors. The FBI also had to ensure that ANOM looked like a credible criminal enterprise and market itself as such, while protecting their front company from hacking attempts by other companies. 

The FBI also had to protect the general public. In order to keep them from purchasing the devices, the FBI placed constraints on who could buy them. It was important to make sure that ANOM did not accidentally become popular amongst journalists, businesspeople, or human-rights defenders, as the point of ANOM was for the government to secretly read and listen to communications. So the FBI devised a strategy that would only enable someone to purchase a phone if they had either a prior or current criminal relationship with the provider, or a strong enough reputation in the criminal world. As mentioned above, phone providers were influential well-known crime figures, whose positions were described in an unsealed affidavit as “influencers.” These criminal figures had reputations and experience in promoting mass adoption of specific encrypted devices. If they promoted the ANOM phones, or invited someone to purchase the device, it was seen as highly credible. The criminal invitations-only strategy also gave the phones an extra appeal of security, as it would be difficult for federal police to obtain invitations. The operational strategy limited the chances that ordinary civilians would be caught up in the surveillance net. But first the phones had to be made useful to law enforcement.

Before the phones could be circulated amongst criminal groups, the FBI in coordination with the Australian Federal police built a backdoor into the encrypted Google Phones that hosted ANOM. This backdoor allowed law enforcement to see every text, photo, and video, and to hear every call that phone users made, all without their knowledge. Through a Mutual Assistance Legal Treaty, the FBI negotiated with a (still unidentified) third country to host the ANOM servers and reroute the messages back to the US. This was to avoid accidentally intercepting US-based ANOM messages, as the US has stricter legal requirements to intercept domestic communications than other countries do. It was preferable for the FBI to intercept the ANOM messages in a third country. 

In the end, the FBI decrypted and read more than 27 million messages on over 12,000 devices. At the time of the joint operation’s public unveiling for prosecution and to the media, more than 800 arrests and thousands of seizures had been made in over 16 countries, disrupting Albanian organized crime, the Italian mafia, outlaw biker gangs, drug syndicates, and arms smugglers. In a press release, the DOJ provided photos of the seizures, ranging from 8 tons of cocaine, 250 firearms, and more than $48 million in currency. The operation also dismantled more than 50 hidden drug labs. From 2018 to 2021, ANOM sold more than 12,000 phones to over 300 criminal organizations operating in more than 100 different countries.

In addition to details provided by the FBI, more information has come to light as a result of ANOM Google phones being sold secondhand in Lithuania and Australia. News organizations such as Motherboard at Vice News have obtained ANOM phones. An analysis of the encrypted phones revealed that there are two passcodes for each device--one that operates the regular phone functions and standard apps, and a second passcode accessed through a covert app, such as settings, clock, and calculator apps. By tapping on the secondary password portal, say, the calculator app, the user accesses a login screen, gaining entry to the secret encrypted communication service.

With so many specifics about how Operation Trojan Shield works made public, why ruin what seemed to be an opportunity for continued success? The FBI has said that among its reasons for closing the operation was its sheer success, as well as wiretap authorizations coming up for renewal. But there may also be other reasons the FBI and its allies closed the operation. The first is pressure from international policing partners. Political pressures for a quick “win” may have led to the unveiling of operations and indictments. The FBI may also have feared exposing a vulnerable CI. Another possibility is that the FBI is sending a covert signal to criminal organizations, intended to influence their cost-benefit calculations of criminal activity. If criminals are aware that their encrypted devices can be easily breached and that law enforcement may be watching, they might decrease their schemes and violence or even abandon parts of their business altogether. This only works if the criminal organizations deem the costs of using compromised phones to be higher than the benefits of using them to conduct business. 

A key reason why this operation was possible and successful is that criminal organizations are willing to rely on single-purpose encrypted communications devices. As a result, national police and intelligence services can easily exploit devices to gather intelligence and disrupt criminal activity. However, once an operation becomes public, what keeps criminal organizations from becoming wise to these tactics and selecting better encrypted, commonly available devices and services such as Signal or Telegram? No major shift in criminal behavior has emerged, but some in both cryptography and transnational crime studies fear it will. By moving their communications into more widely used encrypted services, the operations of criminal groups would become harder to infiltrate and disrupt without intruding on the privacy of law-abiding users. To stay ahead of the criminals, the FBI must seek new innovative ways for future monitoring.

Operation Trojan Shield illustrates that the FBI and partnering organizations have found effective and creative methods to disrupt criminal activity and prevent groups from “going dark”—i.e., shifting or ceasing communication to avoid surveillance. These solutions demonstrate that it is possible to disrupt criminal activity without having to build privacy-jeopardizing backdoors into platforms used by the public, such as iPhones. Whether this kind of operation can be replicated or not remains to be seen, but with evolving technologies the surveillance opportunities are also evolving. The FBI’s ANOM operation demonstrates the fine line between privacy rights and disrupting criminal activity. It need not be a false choice between law enforcement and privacy. 


About the Author: 

Nicholas is a graduate student in the Global Governance, Politics, and Security Program, concentrating in global security. A graduate of Oregon State University, his main research areas of interest revolve around issues of misinformation and active measures operations, irregular warfare, and strategic power competition and the evolution of grand strategy in the 21st century.