Law Enforcement Shuts Down Ghost Encrypted Communication Platform

This week, Europol and law enforcement agencies from nine countries (the United States, Canada, France, Italy, Ireland, Australia, Sweden, and the Netherlands) announced the successful takedown of the Ghost encrypted communication platform. Similar to Encrochat, Sky ECC, Phantom Secure, and Anom, Ghost was used by organized crime groups, primarily involved in drug trafficking and money laundering.

How Ghost Operated

Ghost had been active since 2015, offering users an advanced security and anonymization system. Subscriptions could be paid for with cryptocurrency, and the platform featured three layers of encryption and a self-destruct messaging system that wiped evidence from both the sender’s and recipient’s devices. Authorities report that thousands of people worldwide used Ghost to exchange about 1,000 messages daily, and a large global reseller network promoted the platform to potential clients.

A six-month subscription to Ghost cost $2,350, which included a modified device (typically a smartphone with the camera, microphone, GPS module, USB port, and other components physically removed) and technical support services.

Investigation and Takedown

The investigation, led by Europol, began in March 2022 with participation from law enforcement in the US, Canada, France, Italy, Ireland, Australia, Sweden, and the Netherlands. According to France’s National Cyber Command Department, they provided technical resources to the task force for several years, helping to decrypt Ghost messages. Australian police were able to modify software updates regularly released by Ghost administrators.

“Essentially, we infected Ghost devices, which allowed us to access content on devices in Australia,” said Ian McCartney, Deputy Commissioner of the Australian Federal Police. Investigators located Ghost servers in France and Iceland, identified the platform’s owners in Australia, and traced assets linked to Ghost to the United States.

Coordinated raids in multiple countries, based on years of collected evidence, resulted in 51 arrests: 38 in Australia, 11 in Ireland, one in Canada, and one in Italy (the latter reportedly played a “major role” in the Sacra Corona Unita crime group). Additional arrests are expected in Australia and other countries in the coming days. During the raids, authorities also shut down a drug lab and seized weapons, illegal substances, and over one million euros in cash. The main operators and leaders of the platform have already been charged with five criminal counts.

The alleged head of Ghost is 32-year-old Jay Je Yoon Jung, who was arrested in Sydney. According to ABC, Australian authorities had known about Ghost for seven years, but only discovered in 2021 that the suspected administrator was Australian.

If convicted, the accused could face up to 26 years in prison. The Australian Federal Police named the operation “Kraken” and claim that Ghost was used in Australia and abroad for importing illegal drugs and arranging contract killings. “Hundreds of criminals used Ghost, including Italian organized crime, biker gangs, and organized crime groups in the Middle East and Korea,” law enforcement stated.

Australian police report that 376 Ghost smartphones were active in the country. By tracking 125,000 messages and 120 video calls since March of this year, authorities prevented the distribution of over 200 kg of illegal drugs, as well as murders, kidnappings, or harm to 50 people. The takedown also resulted in the seizure of 25 illegal firearms.

The Changing Landscape of Encrypted Communications

According to 404 Media, Ghost’s official website described it as “the secure encrypted communication service of the future.” Its advertising claimed, “Rest easy and protect your confidential business information from prying eyes. Ghost offers industry-leading tools for confident communication wherever you are.”

Interestingly, Europol notes that shutting down Ghost and similar services in the past (such as Sky ECC, EncroChat, and Exlu) has led to a fragmented landscape for encrypted communications, making investigations and crime detection more difficult. “In response to our actions, criminals have started using various less common or custom-built communication tools that offer different levels of security and anonymity,” Europol explained. “This strategy helps criminals avoid exposing all their operations and networks on a single platform, reducing the risk of interception.”

404 Media journalists confirm this trend. Their sources indicate that the only major player left in the criminal encrypted communications market appears to be No. 1 Business Communication (No. 1 BC), which is actively used by the Italian mafia. Distributors of secure phones told the outlet, on condition of anonymity, that their clients have recently been switching to using Signal and the secure operating system GrapheneOS.

These changes in the encrypted communications landscape were also noted in a report (PDF) by the New South Wales Crime Commission, published in October 2023. The report states that from 2022 to 2023, the market for criminal encrypted communications in Australia “changed at an unprecedented pace.” Major organized crime groups largely stopped using traditional encrypted platforms due to concerns about their security, availability, and stability. Instead, criminals are increasingly using “encrypted messaging apps such as Threema, Signal, and Wickr, installed on ‘hardened’ phones with VPNs, secure operating systems, and gray-market SIM cards.”

The report also noted that Australian organized crime is “investing in the development of custom encrypted messaging apps for their own use and for sale to other syndicates.”