A Real-World Law-Enforcement Hack: The Case of Encrochat


martinralbrecht

cryptography

July 1, 2026

Our paper A Real-World Law-Enforcement Hack: The Case of Encrochat has been accepted to CRYPTO 2026 and the full version is available; “us” is Sunoo Park, Mike Specter, Douglas Stebila and me. Here’s the abstract:

In 2020, a coordinated law-enforcement effort infiltrated Encrochat, an end-to-end encrypted service provider, exfiltrating historical and real-time data and metadata over months. Encrochat was used extensively by organised crime, and the data from the operation was used as supporting evidence in over 6,000 arrests and related prosecutions across Europe. Encrochat’s architecture was vertically integrated, with the company acting as both a device vendor and service provider; Encrochat sold modified Android smartphones with its own PKI and custom applications, including encrypted messaging based on the Signal protocol. In this work, we give the most detailed public account to date of Encrochat’s infrastructure and how it was compromised.

At the core of our work is a detailed timeline of our understanding of the hack and malware campaign by French and Dutch law enforcement agencies against Encrochat. Our understanding has improved significantly since our Real World Crypto (RWC) 2024 talk, not least because in the meantime we managed to review more than 3,000 pages of documents that we could not verify to be publicly available.

If you care about the Encrochat story, you might find some new details in our work that, as far as we know, have not previously been reported:

Law enforcement lost the ability to infect devices with their malware within eight days of the campaign starting (but infected devices continued to reveal data to law enforcement as intended).

We resolve the mystery of why the DNS server for encrochat.ch changed on the day the malware campaign started: the hosting provider Gandi made a mistake in implementing a court order.

We also explicitly distinguish between the malware campaign against X2 devices (that started on 1 April) and the malware campaign against the X3 (“Carbon”) devices that started on 12 June (when the infection of X2 devices also resumed). On 13 June 2020, the Encrochat developers pulled the plug on their network after discovering this attack.

A key technical question to resolve in order to understand the Encrochat hack is how law enforcement was able to deploy malware after compromising the Encrochat servers. The Android update mechanism (Encrochat was based on Android) is designed to be robust against exactly such a breach: the update client checks a digital signature on every software update, so even full control over the distribution server should not grant an attacker the ability to inject malware into an update. Our interpretation of the course of events, based on the data we have reviewed, is that the Encrochat developers left the signing key for these updates on their servers, which would be a major operational security lapse. That said, we only have circumstantial evidence that this was the case.

Conversely, we do not see why any other vulnerability would have needed to be exploited once the attackers had the ability to push software updates to Encrochat devices, contrary to what various online sources assume. That said, it is worth noting that according to French law enforcement, the exploitation of the X3 devices was quite different from that of the X2 devices, but most commentary on Encrochat does not distinguish between the two.
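To make the argument above concrete, here is a minimal signed-update check in Go using Ed25519; it is an added illustration, not the paper's code and not Encrochat's actual update client, whose internals are not documented here. It replays the three cases the paragraph distinguishes: a genuine update, a compromised server without the signing key, and a compromised server that also holds the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// UpdateClient models the device side: the vendor public key is baked in
// and nothing from the distribution server is installed unsigned.
type UpdateClient struct{ VendorPub ed25519.PublicKey }

// Verify accepts pkg only if sig is a valid vendor signature over it.
func (c UpdateClient) Verify(pkg, sig []byte) bool {
	return ed25519.Verify(c.VendorPub, pkg, sig)
}

// SignUpdate is the vendor-side step and needs the private signing key.
func SignUpdate(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

// Scenarios replays the three cases from the post; package bytes are
// constructed placeholders, not real Encrochat artefacts.
func Scenarios() (honest, serverOnly, keyOnServer bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	client := UpdateClient{VendorPub: pub}
	genuine := []byte("constructed: firmware v1.0")
	trojan := []byte("constructed: firmware v1.0 plus implant")
	// 1. Vendor signs offline; the server only stores pkg+sig: installed.
	sig := SignUpdate(priv, genuine)
	honest = client.Verify(genuine, sig)
	// 2. Server compromised but key held elsewhere: a swapped package with
	//    the old signature, or one from the attacker's own key, is rejected.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	serverOnly = client.Verify(trojan, sig) ||
		client.Verify(trojan, SignUpdate(attackerPriv, trojan))
	// 3. Signing key left on the compromised server: the attacker signs the
	//    trojanised package with the vendor key and the client accepts it.
	keyOnServer = client.Verify(trojan, SignUpdate(priv, trojan))
	return
}

func main() {
	h, s, k := Scenarios()
	fmt.Printf("genuine=%v server-only=%v key-on-server=%v\n", h, s, k)
}
```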

If you care about the cryptographic implications of the hack, it is worth noting that the Encrochat hack corresponds to the model of a covert adversary, introduced by Yonatan Aumann and Yehuda Lindell at TCC 2007 as a model sitting between semi-honest (the adversary follows the protocol faithfully but tries to learn information) and fully malicious (the adversary can act arbitrarily). A covert adversary will try to “cheat” when it has a low chance of getting caught or when it deems getting caught worth it. In the case of the Encrochat hack, law enforcement implemented a “threat to life” system in which messages were scanned (using keywords, it seems) for life-threatening content that would trigger a mandatory law enforcement response (because the police are legally bound to prevent serious crimes, which may not be the case for intelligence agencies, depending on the legislation).

However, it is also worth noting that while cryptographers (sensibly) model “the adversary” as an algorithm, the Encrochat adversary was not merely an algorithm but an organisation composed of people with their own agenda (the Encrochat hack also leaked early because an analyst for the British police told a contact about it) and which relies on third parties to realise its goals (Gandi making a mistake in implementing the court order).
