Law enforcement agencies from multiple countries this week shut down Ghost, an encrypted messaging service whose operations were spread across the globe and was used by criminal organizations, in coordinated raids that led to 51 arrests and the seizure of more than $1.1 million.

Among those arrested were the alleged creator and administrator of Ghost – a 32-year-old Australian citizen – and more arrests are expected, according to the Australian Federal Police (AFP), which participated in the operation along with other agencies from Europe, the United States, and Canada. Law enforcement agencies also shut down a drug lab in Australia and seized weapons and drugs.

In addition, both the AFP and Europol said the operation saved dozens of people whose lives were being threatened.

“We allege hundreds of criminals, including Italian Organised Crime, outlaw motorcycle gang members, Middle Eastern Organised Crime and Korean Organised Crime have used Ghost in Australia and overseas to import illicit drugs and order killings,” AFP Deputy Commissioner Ian McCartney said in a statement.

Like other such encrypted messaging apps, Ghost offered a way for criminals to communicate secretly. It was created nine years ago solely for the use of criminals, who used the app on modified mobile phones offered by resellers for about $2,350 each, the agencies said. That cost included the handset, a six-month subscription to an encrypted network, and tech support.

Ghost’s Security Features

It came with a range of advanced security features, including allowing users to buy it without giving any personal information. It also used three encryption standards and let users send a message followed by a specific code that would lead to all of the messages on the target phone to self -destruct.

“This allowed criminal networks to communicate securely, evade detection, counter forensic measures, and coordinate their illegal operations across borders,” according to Europol.

Several thousand people worldwide used the network for a range of criminal activities, including large-scale drug trafficking and money laundering, the agency said. In addition, criminals also used Ghost to order killings or to threaten people with violence. About 1,000 messages were sent every day on the messaging service.

The AFP said that in Australia, the law enforcement effort – called “Operation Kraken” in that country – stopped about 50 threats to kill or harm people.

A Worldwide Criminal Operation

The sophisticated Ghost operation was global in scale. While the company’s operators were in Australia, they used servers in both France and Iceland, according to Europol. In addition, its financial assets were housed in the United States.

Law enforcement turned its attention to Ghost in 2022, with Europol establishing an operational taskforce that included agencies from Australia, Canada, France, Ireland, Italy, the Netherlands, Sweden and the United States. The taskforce was able to map the technical infrastructure and identified key suppliers and platform users. They also monitored how it was being used.

During that time, the AFP created a way to infiltrate Ghost.

“The administrator regularly pushed out software updates, just like the ones needed for normal mobile phones,” the agency said. “But the AFP was able to modify those updates, which basically infected the devices, enabling the AFP to access the content on devices in Australia.”

In all, in a series of coordinated raids between September 17 and 18, 38 people were arrested in Australia and another 11 in Ireland, according to Europol. In addition, one person was arrested in in Canada and another in Italy who Europol said belonged to the Italian Sacra Corona Unita mafia organization.

The alleged mastermind, Jay Je Yoon Jung of Australia, faces five criminal counts that combined could land him in prison for 26 years.

Fragmented Encrypted Messaging Space

Both Europol and AFP said law enforcement operations against encrypted messaging services used by criminals – such as EncroChat, Sky Global, and Phantom Secure – are forcing them to scramble and creating hurdles for the agencies themselves. Europol said such operations have created an increasingly fragmented encrypted communications landscape and a splintering of the market.

“Criminal actors, in response, are now turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity,” the agency said. “By doing so, they seek new technical solutions and also utilise popular communication applications to diversify their methods. This strategy helps these actors avoid exposing their entire criminal operations and networks on a single platform, thereby mitigating the risk of interception.”

The resulting highly dynamic and segmented space is creating challenges for law enforcement, Europol said.