Encrypted messaging app used by criminals was actually an FBI honeypot

It’s a trap, literally. More than 800 people around the world have been arrested in a sting operation after the suspected criminals were tricked into using a secure messaging app created by the FBI.

Europol summarized the sting, known formally as Operation Ironside, saying those arrested used the messaging app to traffic cocaine, cannabis, and firearms. Police seized 55 luxury vehicles and more than $48 million during the raids.

The encrypted messaging app in question was called ANOM, and was installed on special smartphones that couldn’t make calls or send emails. ANOM purported to be end-to-end encrypted, meaning only the sender and receiver could view messages. In reality, every single message was passed to police, who used them to make the arrests.

The FBI launched the operation in 2019 in collaboration with the Australian Federal Police, creating the app and enlisting police forces in 20 countries to distribute the app through informants. The website for Anom required invite codes to access, a decent way for law enforcement to ensure an operation is limited to targets or suspected criminals.

Be careful — This isn’t the first time that so-called “secure” messaging devices have led to the downfall of organized crime. Last year, a similar 800 people across Europe were arrested after police managed to crack the encryption of EncroChat, a company that sold encrypted Android phones with special messaging software. Apparently, the app wasn’t as secure as the company behind it claimed.

Needless to say, if you’re a criminal, it’s not a good idea to trust just any app that claims to be secure and encrypted. Unless you’re a cryptography expert, it’s hard to really know how strong the encryption is — or whether someone has built a backdoor.

And like any other software, encryption is subject to the fallibility of humans; even one mistake in its programming could leave an opening for someone to break in and unmask everyone. Silk Road mastermind Ross Ulbricht got caught because, even though his drug marketplace ran on the anonymous Tor network, a CAPTCHA form in the drug marketplace was inadvertently leaking the real IP address of his servers. It was a small mistake that led to his demise.