
Cyber Incident Victim: Encrochat

Date: May 2020

Location: United Kingdom

Summary

Encrochat, an encrypted phone service favored by criminal groups, was compromised through a law enforcement operation involving malware that extracted data and disabled security features. This led to the service's permanent shutdown after the provider determined it could no longer ensure user security. The breach facilitated widespread arrests across Europe by enabling access to previously secure communications. The attackers deployed malicious software capable of evading detection, capturing passwords, and cloning app data, which was discovered following technical anomalies reported by users. Subsequent countermeasures failed to prevent further infiltration, prompting advisories for customers to discard their devices.


Description

In May 2020, Encrochat, a provider of custom encrypted phones marketed with enhanced security features such as physical removal of GPS/camera functionality and remote wiping capabilities, began experiencing technical anomalies. Users reported issues with devices failing to wipe properly, prompting internal investigations by the company. By June 2020, Encrochat technicians examining an affected X2 model device discovered implanted malware designed to evade detection, disable factory resets, capture screen lock passwords, and clone application data. The company responded by deploying a software update to X2 devices in an attempt to mitigate the compromise. However, shortly after this patch, Encrochat detected another active attack against its infrastructure, leading administrators to send an urgent text message warning customers that law enforcement had seized control of portions of their systems. The message advised users to immediately power down and physically dispose of their devices to prevent further compromise.

The operational disruption escalated rapidly following these events. Encrochat announced via email on June 22, 2020, that it would permanently cease operations, citing an inability to guarantee customer security after sustained attacks attributed to a "foreign organization" believed to originate in the UK. Concurrently, European law enforcement agencies executed coordinated arrests targeting Encrochat users involved in organized crime, including drug trafficking networks and a British hitman implicated in a homicide. Judicial proceedings in jurisdictions like Ireland began referencing evidence extracted from compromised Encrochat devices, confirming the operational success of the law enforcement intrusion. The company emphasized in its closure statement that protecting user integrity had been its primary objective, but the infrastructure compromise left no viable alternative to termination. This incident marked a significant disruption to the encrypted communications niche catering to high-risk clients, with industry sources declaring "Encros finished" as a direct consequence of the coordinated takedown.
