WILD: the @AusFedPolice & @FBI secretly ran a backdoored encrypted phone service.. for criminals.

Got thousands of users around globe

Now charges are starting to drop. THREAD

Report by @josephfcox: vice.com/en/article/akg…
2/ A confidential human source on @FBI payroll since 2018... gifted them a nascent encrypted communications company aimed at criminal customers.

The FBI then baked in a backdoor, which sent a decryption key alongside each "encrypted" message... and began distribution.
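The backdoor tweet 2 describes, a client that ships a decryption key alongside each "encrypted" message, modelled in Go as an added example. This is not code from the thread, the Vice report or the Anom app (the thread gives no implementation detail); AES-GCM, 32-byte keys, the Envelope layout and every function name here are assumptions chosen for the demo. It goes one step past the tweet: AuditOverhead is the kind of black-box size check a reviewer can run against any client to spot bytes on the wire that an honest end-to-end design has no reason to send.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceLen, tagLen = 12, 16 // AES-GCM nonce and authentication tag sizes

// Envelope is the constructed wire format of one message. Escrow stays empty in an
// honest end-to-end design; the backdoored client fills it with the per-message key
// wrapped under the operator's escrow key (wrap nonce || wrapped key).
type Envelope struct {
	Nonce, Ciphertext, Escrow []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; the tag is appended to ct.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates ct; a wrong key or any tampering fails.
func open(key, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptHonest: msgKey is known only to sender and recipient (how they agreed on it
// is out of scope here) and nothing but nonce and ciphertext leaves the device.
func EncryptHonest(msgKey, plaintext []byte) (Envelope, error) {
	nonce, ct, err := seal(msgKey, plaintext)
	return Envelope{Nonce: nonce, Ciphertext: ct}, err
}

// EncryptBackdoored: the client also wraps msgKey under the operator-held escrowKey
// and ships it alongside the message, which is the scenario the thread describes.
func EncryptBackdoored(msgKey, escrowKey, plaintext []byte) (Envelope, error) {
	env, err := EncryptHonest(msgKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wn, wk, err := seal(escrowKey, msgKey)
	env.Escrow = append(wn, wk...)
	return env, err
}

// OperatorRead is the operator's view holding only escrowKey: nothing for an honest
// envelope, full plaintext for a backdoored one.
func OperatorRead(escrowKey []byte, env Envelope) ([]byte, error) {
	if len(env.Escrow) <= nonceLen {
		return nil, errors.New("no escrow field: operator holds no usable key")
	}
	msgKey, err := open(escrowKey, env.Escrow[:nonceLen], env.Escrow[nonceLen:])
	if err != nil {
		return nil, err
	}
	return open(msgKey, env.Nonce, env.Ciphertext)
}

// AuditOverhead is a black-box check for a client under review: send a message of
// known length, capture the bytes on the wire, subtract what an honest AES-GCM
// envelope needs (nonce + plaintext + tag); any remainder must be accounted for.
func AuditOverhead(env Envelope, plaintextLen int) (extra int, suspicious bool) {
	extra = len(env.Nonce) + len(env.Ciphertext) + len(env.Escrow) - (nonceLen + plaintextLen + tagLen)
	return extra, extra > 0
}

func main() {
	msgKey, escrowKey := make([]byte, 32), make([]byte, 32)
	rand.Read(msgKey)
	rand.Read(escrowKey)
	pt := []byte("constructed sample message") // constructed, not from the thread
	bd, _ := EncryptBackdoored(msgKey, escrowKey, pt)
	got, err := OperatorRead(escrowKey, bd) // the operator needs nothing but its escrow key
	extra, sus := AuditOverhead(bd, len(pt))
	fmt.Printf("operator read %q (err=%v); %d unexplained bytes on the wire, suspicious=%v\n", got, err, extra, sus)
}
```

With `go run`, OperatorRead recovers the plaintext from the escrowed envelope using nothing but the operator's key, fails on an honest envelope, and the escrowed envelope carries 60 unexplained bytes per message (a 12-byte wrap nonce plus the 32-byte key and its 16-byte tag). The recipient's own decryption works identically on both envelope kinds, which is exactly why a user of such a service sees nothing wrong.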
3/ Trust is hard when you are a criminal.. so #trojanshield used known distributors...to get it rolling.

They even called their early project a "beta test"

Fascinating details: @FBI & @AusFedPolice coordination & MLATs to underpin this... plus a cooperating third country.
4/ Ultimately, #Trojanshield's utterly-backdoored chat program was on ~11,800 devices in 90 countries... and in the pockets of people connected to 300 Transnational Criminal Organizations (TCOs)

Highest user counts in:🇩🇪🇳🇱🇪🇸🇦🇺🇷🇸
5/ Observation: typically you have to balance the value of disrupting criminal infrastructure with...the attendant loss of visibility.

Apparently not so here: Enforcement actions against other criminal phone services drove users right into the arms of #trojanshield.
6/ Example in search warrant: Kilos of coke in the French diplomatic bag 💼

Diplomatic pouches are typically immune from search under Vienna Convention...

...but have been the subject of trafficking scandals, from Argentina to Ecuador & Russia.

Curious about backstory here...
7/ The examples are the day-to-day of transnational criminality: Coke stashed among bananas..tuna...pineapples, and cash to move backwards.

The whole search warrant, uploaded by @josephfcox is worth a read.
assets.documentcloud.org/documents/2079…
8/ The website for the backdoored Anom app was...fun.

- "Why does Anom no longer use a VPN?"
- We don't disclose where our servers are.. but promise they are outside Five Eyes jurisdiction.

Also, a cache suggests that they left parts of the site unfinished...
