Authorities Crack Ghost ECC Encrypted Messaging Used by Mafia, Bikers and Drug Traffickers

"Socalj" for Borderland Beat

The most recent takedown of a large encrypted phone service utilized by Australian outlaw motorcycle gangs and drug traffickers around the world took place after Australian police infiltrated a virus to the admin's computer system. The Ghost ECC admin had created the app and device selling network at 23 years old and over the last 9 years was deemed the 'IT guy to the underworld.'

Ghost ECC Dismantled

The market for encrypted chat apps is booming, with WhatsApp, owned by Meta being the most widely known and popular service.

These apps encrypt messages to prevent outsiders reading private chats and are not illegal.  But several features of the Ghost service, which first landed on the scene in 2021, made it much more appealing to criminals, according to Europol.

Users would buy a customised phone rather than simply downloading an app from a provider online. The police agency said in a statement that Ghost was effectively its own ecosystem "with a network of resellers based in several countries."

Users could get Ghost without giving any personal information or an existing phone number, making it 100% anonymous, Europol said.

Ghost was created about 9 years ago, however, the opportunity for law enforcement to target the platform arose in 2022. The handsets, which were a modified smart phone, were sold for about $2350, which included a six-month subscription to an encrypted network and tech support.

The service employed three separate encryption standards and users could remotely "self-destruct" all messages and reset the phone remotely if, for example, it was seized by the authorities.

Europol said Ghost used servers "hidden away" in Iceland and France, its founder was in Australia, and the money trail led to the United States.

Ghost creator and admin Jay Je-Yoon Jung.

Underworld's IT Guy

Jay Je-Yoon Jung, the alleged administrator of the Ghost network was arrested at his parents’ home in Sydney, Australia. Neighbors said he was socially awkward and did not travel, but loved karaoke.

At 32, he allegedly become the IT guy for bikie gangs including the Comancheros, Bandidos, Finks, Mongols and Hells Angels as well as infamous Italian Mafias in Victoria and Middle Eastern gangs of Sydney.

It's alleged Jung even had the final say on who could be approved to use his platform and provided technical support to those who needed it. To his family and the public, Jung held a job as general manager in his family's cleaning business, and before that as a sales representative, according to resumes found online.

Ghost had gained traction among criminal organisations due to its advanced security features. Users could purchase the tool without declaring any personal information. The solution used three encryption standards and offered the option to send a message followed by a specific code which would result in the self-destruction of all messages on the target phone.

Police allege that each time he sent out an update, a back-up of the messages was copied to the AFP, leaving more than 125,000 exchanges from the last 6 months now in the hands of law enforcement.

To infiltrate Ghost the AFP, launching Operation Kraken, had to engineer a virus-like program and get it into the Administrator’s computers.

Europol said the app had several thousand users worldwide with around 1,000 messages being exchanged each day. Jean-Philippe Lecouffe, Europol deputy executive director, said the operation had taken down "a tool that was a lifeline for serious and organised crime."

He said the police were committed to building a system that respects privacy while upholding justice. But private companies had "the responsibility to ensure their platforms are not becoming playgrounds for criminals."

"This tool enabled drug trafficking, weapons dealing, extreme violence and money laundering on an industrial scale," he said.

According to the police, Ghost was used pretty much exclusively by criminals.

"Across many months, and indeed hundreds of thousands of intercepted modes of communication, we've no evidence to suggest this was used by anyone other than criminal enterprises," said Assistant Commissioner David McLean from the Australian Federal Police.

So far, 51 people have been arrested in connection with the operation, most of them in Australia with 38. 11 were arrested in Ireland, one in Canada and one in Italy, a member of the Italian "Sacra Corona Unita" Mafia group.

As of September 17, the AFP will allege there were 376 active handsets in Australia. The alleged mastermind behind Ghost has been charged by the AFP. The NSW man is 32 years old and accused of creating and administering Ghost.

Operation Kraken

The system was infiltrated as part of a joint operation, 'Operation Kraken', by the FBI, the Australian Federal Police, the Canadian Mounted Police, the French National Gendarmerie and Ireland's An Garda Síochána. Authorities in Iceland, Italy, the Netherlands and Sweden were also involved.

Australia's Fake Terror Plot

A drug lab was dismantled in Australia and weapons, drugs and over €1m in cash was seized globally so far. A fake terror plot was also uncovered.

A criminal group based in Australia allegedly communicated using an encrypted mobile app to organize drug importations and plot the fake terrorism scheme between March and April 2024.

Accused drug lord Guy Habkouk allegedly used Ghost to plot to acquire machine guns, bombs, hand grenades, rocket launchers and flags with terrorist insignia.

Habkouk was allegedly using the Ghost phone from a high-security prison where he is awaiting trial for allegedly importing a massive amount of heroin. His goal, police will allege, was to source the dangerous weapons and enlist others in a terror plot.

Habkouk would then alert authorities, cutting a deal for a shorter sentence or even freedom, in exchange for the capture of the weapons, AFP sources say.

In addition to the fake plot, he attempted to smuggle 42 kilos of cocaine into Sydney, hidden in refrigerated shipping containers. Australian Border Force (ABF) officers, acting on AFP intelligence, intercepted the shipment on April 3, 2024, uncovering 42 packages of cocaine.

Habkouk and an associate were charged with conspiring to pervert the course of justice. He was also charged over the attempted cocaine importation.

Guy Habkouk had been living and working under the radar overseas for the past three years, before being picked up by Turkish police in 2023.

The syndicate is further accused of trafficking various illegal drugs, including methamphetamine, cocaine, cannabis, and MDMA. Runners were allegedly used to transport drugs from Sydney to Inverell, and cash from drug sales was sent back to Sydney.

Members of the group were involved in two online groups. The first online group, named ‘Flower Power’, trafficked and allegedly coordinated a plot to possess $170,000 worth of cocaine.

The second online group, known as ‘Pot Run Operations’, allegedly trafficked more than 125kg of cannabis between February 2023 and July 2024 and profited more than $500,000 from their ventures.

AFP and NSW Police conducted simultaneous raids across multiple suburbs, including North Rocks, Regents Park, Hassall Grove, Kellyville, Kellyville Ridge, Quakers Hill, and Inverell. The following were seized during the searches.

• 6 encrypted devices
• 200 kilograms of drugs (including 42 kilograms of cocaine)
• 25 firearms
• $19,785 in cash
• 6 arrests
• 50 threats to kill/harm prevented

Ireland

Irish Gardaí targeted 4 criminal gangs in Ireland involved in drug trafficking and money laundering. The country held the second largest Ghost user base after Australia. A total of 33 searches were carried out by 300 gardaí, with 27 premises searched last Monday as part of a coordinated international day of action, which also recovered:

• 2 crypto currency keys
• 27 laptops
• 42 Ghost ECC encrypted devices
• 126 other mobile devices
• 200 SIM cards
• 6 Rolex watches
• 2021 Range Rover
• €16 million worth of drugs (including 100 kilos of cocaine)

Underworld Tools vs Right to Privacy

WhatsApp, Signal and Telegram are part of a crowded field of apps marketing themselves on the privacy of their chats. Although their services are legal, some of the content is not.

Europol stated that they continue to prioritize the fight against encrypted communication technologies used by criminals, while also advocating for a balanced approach that respects privacy rights and upholds legal standards.

The authorities also private companies that wish to ensure their services are used in compliance with the law also have an important role to play. They must ensure that their platforms are not safe havens for criminals and should provide mechanisms for lawful data access under judicial oversight and in full respect of fundamental rights.

Recently, the founder of Telegram, which offers some encrypted services though is not private by default, was arrested recently in France for allowing criminal content on his platform.

Several other major apps have been taken down in similar operations in recent years. EncroChat was a service reputedly used almost exclusively by criminals and like Ghost came with specially altered phones. When it was taken down, police said criminals moved over to Sky ECC, which was then dismantled.

Three years ago another service, ANOM, was taken offline and hundreds were arrested. But the twist in the tail was that ANOM had been set up and run by the FBI from the start.

Police said in a news conference on Tuesday that Ghost was not as big or as widely used as these other services and that the landscape for encrypted apps had become "fragmented."

"For us, the size is not the main thing," said Lecouffe. "Sometimes the smaller networks get the most important criminals and most interesting information."

Sources BBC, Europol, RTE, RTE, Australia Today, AFP, AFP, AFP, SMH, The Age, ABC