In a significant blow to organized crime, European and Turkish law enforcement agencies have successfully dismantled four major encrypted communication platforms utilized by criminal networks. This coordinated effort, known as Operation BULUT (meaning cloud in Turkish), has resulted in 232 arrests and the seizure of assets exceeding €300 million.
Operation BULUT: A Coordinated Effort
The success of Operation BULUT was largely due to authorities exploiting security vulnerabilities within the targeted encryption services. Intelligence gathered from previously compromised platforms, notably Sky ECC and ANOM, provided critical data for identifying and tracking criminal users across multiple networks. Jean-Philippe Lecouffe, Europol’s Executive Deputy Director of Operations, emphasized the enduring value of such intelligence, stating, Years after their takedown, encrypted platforms like SKY ECC and ANOM are still helping law enforcement turn intelligence into action. This case shows how powerful that data remains in identifying and dismantling high-value criminal networks operating in Europe.
Technical Strategies Employed
Investigators focused on the platforms’ API endpoints to intercept communications before encryption and after decryption, effectively bypassing the end-to-end encryption (E2EE) that protected messages in transit. This approach allowed authorities to capture plaintext communications without needing to break the underlying cryptographic algorithms. Sophisticated packet sniffing tools were deployed to identify network traffic patterns and server locations. The operation also targeted zero-day vulnerabilities in the platforms’ security infrastructure, enabling access to backend databases containing user information and metadata.
Impact on Criminal Activities
The four platforms, whose names have not been publicly disclosed due to ongoing investigations, had become essential infrastructure for transnational criminal organizations. These networks were responsible for trafficking at least 21 tonnes of drugs, including 3.3 million MDMA tablets across Europe and Türkiye. The operation also uncovered extensive money laundering operations facilitated through these encrypted channels. High-value targets involved in coordinating significant drug shipments were among those arrested, significantly disrupting supply chains that had been operating with impunity behind encrypted communications.
Global Collaboration Against Encrypted Crime
The breakthrough came after French authorities shared decrypted Sky ECC data with Turkish investigators, while the Australian Federal Police provided ANOM intelligence. This data-sharing initiative exemplifies the increasing technical cooperation between international agencies tackling encrypted criminal communications. Europol facilitated real-time coordination among designated country coordinators from Belgium, France, Germany, the Netherlands, Spain, and Türkiye. The agency also deployed specialized technical units to support Dutch authorities during enforcement activities. Forensic analysis of seized servers and devices continues, with investigators using specialized digital forensics tools to recover deleted communications and map additional connections between criminal organizations.
Broader Context: Previous Operations
This operation is part of a broader trend of law enforcement disrupting encrypted platforms used by criminals. Previous operations have targeted platforms such as Ghost, Exclu, and MATRIX.
Ghost Platform Takedown
In September 2024, Europol announced the successful dismantling of the Ghost encrypted communication platform, which was extensively used by criminal organizations for drug trafficking and money laundering. This international operation resulted in the arrest of 51 suspects across several countries, with further arrests anticipated. The platform’s advanced security features had made it popular among criminal networks. The operation, which involved authorities from Australia, Canada, France, Iceland, Ireland, Italy, the Netherlands, Sweden, and the United States, halted numerous threats, dismantled a drug lab in Australia, and seized weapons, drugs, and over €1 million in cash. Europol’s Deputy Executive Director Jean-Philippe Lecouffe and Executive Director Catherine De Bolle underscored the significance of this operation in combating global organized crime. Further disruptions of criminal activities are expected as the investigation progresses.
Exclu Platform Dismantling
In February 2023, European investigators successfully dismantled an encrypted communication service called Exclu, widely employed by organized crime groups, especially in the drug trade. This operation led to the arrest of 48 individuals across Germany, the Netherlands, Belgium, and Poland, following raids on over 70 properties. The arrested individuals comprised users, operators, and administrators of Exclu. The crackdown resulted from an investigation initiated in 2020, following the 2019 closure of a military bunker in western Germany, a hub for illegal activities, including hosting Exclu. Exclu, available as a smartphone app with a six-month license fee of €800, had approximately 3,000 users, with 750 in the Netherlands.
MATRIX Platform Takedown
In December 2024, European authorities took down another sophisticated encrypted messaging app called MATRIX, describing it as a service made by criminals for criminals. MATRIX was a sophisticated encrypted messaging service that Dutch authorities discovered on the phone of a criminal who murdered a Dutch journalist in 2021. It was accessible by invitation only, with 40 servers in multiple countries. A six-month subscription, costing between €1,300 and €1,600, gave access to video calls, tracking transactions, and anonymous use of the internet. Authorities intercepted and monitored the messaging service for three months, deciphering over 2.3 million messages in 33 languages. The messages that were intercepted are linked to serious crimes such as international drug trafficking, arms trafficking, and money laundering, Europol said. The operation involved authorities from the Netherlands, France, Lithuania, Italy, and Spain. Authorities seized €145,000 in cash and half a million euros in cryptocurrencies, Dutch police said.
Conclusion
This operation demonstrates how authorities are increasingly able to penetrate supposedly secure criminal communications platforms, making criminals’ reliance on encryption vulnerable. As investigators continue to analyze the seized data, additional arrests are expected in the coming months, further dismantling the criminal networks that have long relied on encrypted communication platforms to conduct their illicit activities.
