The Australian Federal Police gained access to an encrypted communications platform called Ghost by tampering with regular software updates pushed by its creators.
AFP officers make an arrest. (Image credit: Australian Federal Police)
The AFP on Wednesday revealed its role in the takedown of the nine-year-old Ghost platform, which police allege was made available to criminals on modified smartphones for $2350 for six months of service.
Australian authorities allege a 32-year-old man from Narwee in Sydney’s south created and administered Ghost. He was arrested and charged with a range of alleged offences.
Investigations targeting Ghost were started by international authorities in 2022.
An international task force called OTF NEXT, led by the FBI and French Gendarmerie, was set up to deal with Ghost, and the AFP became part of that operation.
However, the AFP also established its own domestic investigation under the codename Operation Kraken, to target Australian users of Ghost – and its alleged Australian creator.
The AFP said it was Operation Kraken that found a way to tamper with software updates for Ghost, allowing it to observe communications on devices in Australia only.
“The administrator regularly pushed out software updates, just like the ones needed for normal mobile phones,” the AFP said.
“The AFP was able to modify those updates, which basically infected the devices, enabling the AFP to access the content on devices in Australia.”
The AFP alleged there were 376 active smartphones running Ghost as of today.
The federal police said around 700 of its members are executing warrants over the next 48 hours in connection with what it knows from communications over Ghost.
It said “up to 50 alleged Australian offenders accused of using Ghost are facing serious charges, including significant prison sentences.”
“More Australian and international arrests are expected over the coming days,” the AFP said.
“It will be alleged the Australian offenders who used Ghost were trafficking illicit drugs, money laundering, ordering killings or threatening serious violence.”
The AFP separately said it had dismantled a drug syndicate using information gleaned from Ghost.
The takedown of Ghost is shaping up as one of the largest activities of its type since a similar sting in 2021, where the AFP and FBI collaborated to take down AN0M, also an encrypted communications platform that ran on custom smartphones.
Similar policing efforts have previously targeted other encrypted communications services, including EncroChat, Sky Global and Phantom Secure.
In the case of Ghost, police allege that a “network of resellers” was used to put “specialised handsets” in the hands of “criminals across the globe.”
AFP deputy commissioner for crime Ian McCartney said in a statement that “taking down dedicated encrypted communication devices takes significant skill.”
“But the holy grail is always penetrating criminal platforms to access evidence – and this is where the AFP is world-leading,” he said.
“Because we could read these messages, the AFP, with state partners, were able to prevent the death or serious injury of 50 individuals in Australia.”
Policing authorities in other international jurisdictions indicated they had also gained access to communications sent over Ghost, though they did not specify whether this was through reuse of the AFP method or via a different method altogether.
“A technical solution was implemented over several years which, at term, enabled the task force to access the communications of users on this secure platform,” the head of France’s Home Affairs Ministry national cyber command technical department, Colonel Florian Manet, said.
Europol is expected to provide more details on the dismantling of Ghost tonight Australian time.