Complex military operations have one point in common with large-scale drug trafficking enterprises: they rely on swift and secured communications.
The massive development over the past 10 years of end-to-end encrypted instant messaging services has provided criminals involved in international drug trafficking with high-tech tools to contact each other and conduct their activities in a significantly more secure way. Beyond international trafficking operations, these communication tools also greatly facilitate the expansion of drug-related crime at the local level.
Most mainstream instant messaging applications (e.g., WhatsApp, Viber, Telegram, Signal) are not designed specifically for criminal use. Nonetheless, they are used to conceal criminal activities, and they pose a major challenge for police and judicial authorities around the globe regarding their capacity to conduct real-time interception.
These mainstream applications do present one vulnerability for the drug trafficking community, however: the terminals on which they are installed (e.g., phones, tablets, computers). These terminals can be seized in the course of the judicial investigation, sometimes giving access retrospectively to important pieces of evidence. This vulnerability led the top level of the drug crime underworld to promote the development of a new generation of encrypted instant messaging tools. The latter are specifically designed for criminal purposes and distributed at a much higher price, with dedicated hardened terminals that cannot be cracked open by the regular extraction techniques used by investigators.
They are used almost exclusively by the actors of the international drug trade, their associates, their facilitators, and close relatives. Some of these tools have been successfully targeted and cracked by large-scale judicial investigations (e.g., Ennetcom, Phantom Secure, EncroChat, SkyECC, Exclu, Ghost). A significant number of them however remain active and continue to support drug-related activities that have an untold negative impact on public safety and national security across many countries.
“Encrypted communications are one of the key catalysts of the intensity, and of the expansion, of drug-related crime.”
These encrypted communications (both legal and criminal ones) are a key catalyst for the expansion and intensity of drug-related crime. Adjusting practices to this new reality is a must for police and judicial authorities. These efforts however need to be backed by an evolution of the legal framework in which the online instant messaging services operate.
Role of Secured Communications in DTOs
The success of drug trafficking organizations (DTOs) relies on several factors.
Internally, leaders need to have the capability to give instructions to their lieutenants remotely, as well as being able to receive regular and precise reporting on their drug trafficking operations (including media files). Externally, DTOs need the capability to build alliances with other organizations (across borders or continents, without having to travel for every contact) and to communicate securely with their facilitators (e.g., money brokers, contract killers, weapon or precursor providers, corrupt employees or officials). For all of those essential functions, encrypted communications are critical.
European police services have witnessed a growing trend over the past decade: the relocation of the leaders of the DTOs and their facilitators to countries outside of Europe. These relocations are motivated by three reasons: (1) the need to be far from the investigators and judges targeting them, (2) the need to protect themselves physically from rival organizations, and (3) the need to be close to partner foreign DTOs or to international underground money brokers, who are the other key catalyst of the international drug trade. Despite being distanced, leaders of the DTOs still need to ensure tight control on their collection and distribution network back home, necessitating frequent communication with their lieutenants organizing the international shipments from North and South America, Africa, the Middle East, Asia, or Oceania. These activities could not be led securely from a distance without dedicated encrypted solutions.
Police operations against the secured communications used by criminals have collected hard evidence that demonstrates their crucial role in the following DTO functions:
- the planning of contract killings and acts of torture (e.g., for the transmission of the instructions, the identification of the victim, or the transmission of very graphic evidence that the assassination took place)
- the organization of the collection of drug-related cash in Europe, and the related payment of new massive purchases in the Americas, sometimes within minutes
- the receipt of information from corrupted agents
The ability provided by these tools to communicate clearly, swiftly, securely, and across continents accelerates drug- and money-related operations, which has led to increased drug profits and quantities over the past years, as witnessed by European authorities. Adjusting practices to this new reality is a must for efficient police and judicial action.
The Hardened Communications Landscape
The extreme difficulty of accessing live communication contents calls for an increased use of undercover tactics and covert video or audio-surveillance techniques. It also calls for up-to-date technical solutions to extract communication contents from the terminals once they are seized, whether these terminals are phones, tablets, laptops, gaming stations, or connected vehicles.
But beyond these resource-intensive and costly techniques, live access to the content of encrypted communications should remain a priority within a judicial framework that ensures compliance with civil liberties.
Over the past 10 years, criminally dedicated hardened communications have been further enhanced, building on the experience gained by criminals on the methods used by the policing community. Beyond the end-to-end encryption of the messages or media files sent, such devices also add features such as
- remote activation of the microphone, in case the phone is seized and stored in a police station
- automatic wiping of all messages when the phone is connected to a forensic extraction device
- criminal interface, including its contacts’ directory, hidden behind a fake standard-looking interface
- secured messaging app hidden behind another one, such as a calculator, in which a PIN code needs to be typed to access the actual messaging app
- alert PIN codes—should an investigator insert the fake PIN code provided by a suspect, the phone would then send an alert message to the community and delete contents
Such phones and applications are also sold by a network of underground resellers applying the KYC (know your customer) concept in a way that very much differs from the one expected from established telecom companies or financial institutions—phones are sold outside of regular business structures, with no collection of personal information during the process. On the contrary, prospective clients often need to be vetted by former clients, to make sure the phones are not acquired by government agencies. The purchase of such phones or applications by the police, to enter the network or analyze their technical specificities, therefore, requires the use of covert sources or agents. The resellers also often offer their services to facilitate the remote wiping of the contents in case the client faces “difficulties.”
To minimize the risk of being discovered in the course of a communication data analysis performed by the police, such phones are often unable to communicate with regular ones.
Finally, their content cannot be extracted by the usual extraction devices used by police services. There are many examples of investigators trying to access the contents of devices or apps after a wave of arrests and house searches, and watching, when they can get that far, the messages disappearing in front of them within seconds.
Against these specific hardened communications, police and judicial services around the world (and, specifically, in the European Union and among the Five Eyes) have built experience and drawn lessons:
Technical capacities for the interceptions: At a central level, a number of national agencies have created and significantly increased the capacities of their high-tech crime units in order to target hardened communications remotely and access their contents. These efforts need to be supported and further developed, as they are crucial for the fight against organized crime.
Coordination of the operations: Successful operations, such as the ones against EncroChat or SkyECC, result in the collection of massive amounts of communications of a criminal nature, typically with a strong international dimension. It is therefore crucial to coordinate the efforts of all the countries involved, to not only review and analyze the contents captured, but to deconflict and coordinate subsequent judicial investigations. Two European agencies, Europol and Eurojust, have played significant roles in supporting this coordination.
Review and analysis of the information collected: Another aspect to be considered by the central units and national agencies dealing with the output of major operations against criminal communications is the volume of information to be exploited, sometimes in real time. Specialized knowledge and expertise have been developed, and investments made in advanced analytical solutions to adapt to these types of investigations. Efforts in this area need to be sustained.
In addition to national efforts, local investigation services also have an important role to play against encrypted criminal communication services. Some have increased their ability to detect them. Directing covert sources toward the collection of information on the communication tools used by the DTOs is crucial in this regard. In areas such as logistical hubs, it is likely that many such phones will appear.
Once detected, the seizure of phones suspected to be hardened also calls for specific measures, such as the use of Faraday bags (or boxes), to avoid remote wiping of their content. And while the content of the secured phones might not be technically accessible right after their seizure, it has often proven useful to keep the devices for a while, as new investigations might reveal solutions to open them.
These efforts need to be backed by an evolution of the legal framework in which instant messaging services operate.
A Legislative Imperative
Encryption is a necessary technology to protect privacy and the transmission of legal sensitive information. It is an integral part of many people’s daily life.
Some countries have established a legal framework that acknowledges this idea, while making it compulsory to declare to a competent public authority the deployment and use of an encrypted communication system on their territory, with a failure to declare constituting an offense. Such regulations are a first necessary step at the disposal of the judicial authorities investigating criminal encrypted communication systems. However, not all countries have adopted laws and regulations of this type.
Moreover, general provisions for the access to encrypted contents vary significantly from one country to another. While some allow the hacking of a suspect’s phone, others prohibit investigators’ use of a PIN code that would have been seized during a house search, for example.¹
The targeting of criminally dedicated communication services has been endorsed by case law and several positive court judgments were given in the EU Member States on the use of evidence gathered from encrypted communication channels (e.g., SkyECC and EncroChat). A ruling by the Court of Justice of the European Union on April 30, 2024, relating to the EncroChat case, has clarified conditions for the transmission and use of evidence in criminal cases with a cross-border dimension.²
The main current legislative loopholes, however, relate to mainstream instant messaging applications. As indicated earlier, these apps are less secure than the hardened communications, as their content can be accessed more easily, for instance, through the device. However, it is not always possible for police services to get hold of these devices. Additionally, post-arrest seizure is not enough, and real-time access to the messages and calls exchanged is crucial for the proper development of the investigation. It provides, for example, a strong tactical advantage for drug interceptions and subsequent arrests. But it can also help police services in preventing potential threats to life: for example, the live capture of data from the EncroChat network or the SkyECC network enabled the police to prevent numerous homicides or acts of torture against rival criminals, members of the DTOs, or judicial authorities and witnesses.
Investigations reveal that the mainstream encrypted apps are widely used by criminals to communicate securely. While they are not per se criminal services, they facilitate criminal activities (including the trafficking of lethal substances and violent crimes). As mentioned in Europol’s latest Serious and Organised Crime Threat Assessment (SOCTA 2025), the mainstream end-to-end encrypted communication services are abused by criminals. These communication applications, as opposed to the criminal ones, provide legitimate encryption and are therefore used by a much larger base of users. This allows criminals to blend in securely in the absence of proper measures in place to decrypt their communications.³
As legitimate service providers, these apps and the companies managing them can therefore be compared to banks receiving and transferring money on behalf of their clients or large communication companies providing SMS or voice call services. As with these other companies, providers of instant messaging systems should therefore be subject to an obligation to communicate upon legal request not only the metadata relating to users targeted by a criminal investigation, but also, in a readable format, contents of messages exchanged by these suspects.
The idea is not to weaken the security of the communications but to apply a lawful access by design principle, implementing protocols in a way that allows the police and judicial authorities to access data in the course of investigations.⁴
The main question here is whether countries can continue to let encrypted communications develop blindly, and at any cost, without setting up the necessary legal and technical safeguards that would ensure that police can exercise their mandate to investigate and protect society, while abiding by the rule of law and the principle of proportionality.
In the absence of legislation to regulate and condition the activities of the encrypted messaging applications, they will remain uncontrolled weapons of dissimulation, accessible freely to the criminal underworld.
Notes:
1. Eurojust and Europol, Common Challenges in Cybercrime: 2024 Review by Eurojust and Europol (Luxembourg: Publications Office of the European Union, 2025).
2. Eurojust and Europol, Common Challenges in Cybercrime, 11.
3. Europol, The Changing DNA of Serious and Organised Crime – EU Serious and Organised Crime Threat Assessment 2025 (Luxembourg: Publications Office of the European Union, 2025), 18.
4. Eurojust and Europol, Common Challenges in Cybercrime, 12.
Please cite as
Quentin Faure, “Digital Shadows: The Role of Encrypted Messaging in Transnational Organized Crime,” Police Chief Online, September 24, 2025.


