For a week in October 2020, Christian Lödden’s potential clients wanted to talk about only one thing. Every person whom the German criminal defense lawyer spoke to had been using the encrypted phone network EncroChat and was worried their devices had been hacked, potentially exposing crimes they may have committed. “I had 20 meetings like this,” Lödden says. “Then I realized—oh my gosh—the flood is coming.”
Months earlier, police across Europe, led by French and Dutch forces, revealed they had compromised the EncroChat network. Malware the police secretly planted into the encrypted system siphoned off more than 100 million messages, laying bare the inner workings of the criminal underground. People openly talked about drug deals, organized kidnappings, planned murders, and worse.
The hack, one of the largest ever conducted by police, was an intelligence gold mine—with hundreds arrested, homes raided, and thousands of kilograms of drugs seized. But it was just the beginning. Fast-forward two years, and thousands of EncroChat users across Europe—including in the UK, Germany, France, and the Netherlands—are in jail.
However, a growing number of legal challenges are questioning the hacking operation. Lawyers claim investigations are flawed and that the hacked messages should not be used as evidence in court, saying rules around data-sharing were broken and the secrecy of the hacking means suspects haven’t had fair trials. Toward the end of 2022, a case in Germany was sent to Europe’s highest court. If successful, the challenge could potentially undermine the convictions of criminals around Europe. And experts say the fallout has implications for end-to-end encryption around the world.
“Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” Lödden says. “We’re not defending criminals or defending crimes. We are defending the rights of accused people.”
Around 60,000 people were signed up to the EncroChat phone network, which was founded in 2016, when it was busted by cops. Subscribers paid thousands of dollars to use a customized Android phone that could, according to EncroChat’s company website, “guarantee anonymity.” The phone’s security features included encrypted chats, notes, and phone calls, using a version of the Signal protocol, as well as the ability to “panic wipe” everything on the phone, and live customer support. Its camera, microphone, and GPS chip could all be removed.
Police who hacked the phone network didn’t appear to break its encryption but instead compromised the EncroChat servers in Roubaix, France, and ultimately pushed malware to devices. While little is known about how the hacking took place or the type of malware used, 32,477 of EncroChat’s 66,134 users were impacted in 122 countries, according to court documents. Documents obtained by Motherboard showed all data on the phones could potentially be hoovered up by the investigators. This data was shared between law enforcement agencies involved in the investigation. (EncroChat has claimed it was a legitimate company and shut itself down after the hack.)
Across Europe, legal challenges are building up. In many countries, courts have ruled that messages from EncroChat can be used as evidence. However, these decisions are now being disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with separate rules around the types of evidence that can be used and the processes prosecutors need to follow. For instance, the UK largely doesn’t allow “intercepted” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.