0.0
A smartphone sells for two thousand dollars. It looks
4.425
ordinary. A Google Pixel. Android. Open the
8.519
calculator app. Enter a specific numeric sequence. Press equals.
12.93
The calculator disappears. In its place opens an encrypted
17.341
messaging client. Between late 2018 and June 2021,
21.717
approximately twelve thousand of these devices circulate through
25.824
the global criminal underworld. They are bought by
29.93
Italian mafia cells, Albanian organized crime groups, Australian
34.037
outlaw motorcycle clubs, South American drug trafficking organizations,
38.143
and public officials accepting bribes in at least
42.25
five jurisdictions. Every message sent on every one of those
46.591
phones is copied, in real time, to the Federal Bureau
50.34
of Investigation.
52.774
The phones were designed by the FBI. The network was
56.685
operated by the FBI. The encrypted brand that criminals trusted
60.597
— ANOM — was an American government front. For thirty-three
64.883
months, the United States ran a communications company for the
69.095
international drug trade.
71.412
And read everything. This is a case file
75.534
about the most successful law enforcement sting operation in the
79.524
history of digital communications. The origin of the operation sits
83.584
in an older prosecution. 2018. San Diego. The FBI
87.894
takes down Phantom Secure, a Canadian company that
91.994
had for years sold encrypted BlackBerry devices to
96.093
criminal organizations. Among its customers: the Sinaloa Cartel.
100.193
Phantom Secure's founder, Vincent Ramos, pleads guilty to
104.293
racketeering. The company is dissolved. The takedown creates
108.708
a market vacuum. Criminal organizations, suddenly without their
113.021
preferred communications platform, begin migrating to alternatives — most
117.45
notably Sky Global and EncroChat. These too come under
121.878
eventual law enforcement pressure. EncroChat is penetrated by French
126.306
and Dutch authorities in 2020. Sky Global is indicted
130.734
in March 2021. But before any of that, in
134.99
late 2018, a San Diego field office handler meets with
139.097
a confidential human source. The source is known in court
143.582
filings only by the pseudonym Afgoo. Afgoo had been
147.677
a distributor for Phantom Secure. Facing federal charges, he cooperates
151.851
in exchange for a reduced sentence. He brings with him
156.024
something more valuable than testimony — a product in development.
161.883
A new encrypted communications device. Not yet released.
166.263
Branded ANOM. The San Diego office sees the
170.628
opportunity. Afgoo will introduce the device into his existing
175.059
distribution networks. The FBI and the Australian Federal Police
179.489
will insert themselves into the architecture before launch.
183.743
Every message on the platform will be copied. The operation
187.9
is named Trojan Shield. In Australia, Ironside.
192.204
In Europe, coordinated by Europol, Greenlight.
196.21
The technical architecture is deliberate. ANOM devices are
200.625
Google Pixel smartphones, purchased at retail and then
204.819
re-flashed with a custom Android ROM called ArcaneOS.
209.012
ArcaneOS strips the device of all standard functionality.
213.521
No voice calling. No email. No camera roll
218.007
synchronization. No location services. No third-party app installation.
222.494
No Google account. What remains: a messaging application,
226.824
a basic calculator, a clock, and a settings menu.
231.337
The messaging application is hidden.
235.675
On first power-up, the user is presented with what
239.878
appears to be a locked-down secondary phone. Pressing the
244.082
calculator icon opens a functional calculator. Entering a specific
248.285
mathematical sequence and pressing the equals key triggers a
252.489
hidden handshake. The calculator closes. The encrypted messenger opens.
257.008
The app pairs with other ANOM devices through what
261.196
are advertised as secure proxy servers. Messages are end-to-end
265.383
encrypted between devices. A remote wipe is triggered if
269.571
a specific duress PIN is entered. The number pad
273.76
randomizes between uses to defeat shoulder-surfing. Every security feature
278.004
that a criminal end user would verify in marketing materials
281.795
— is real. There is one additional function. Not
285.876
in the marketing materials. Every outbound message generates a
289.992
silent duplicate. The duplicate is encrypted to a master key
294.09
held by law enforcement. It is routed to a server
298.187
the FBI designates internally as the iBot server. The iBot
302.644
server is not on U.S. soil. This is a
306.87
legal design choice. U.S. Fourth Amendment case law imposes requirements
311.273
on the interception of communications within the United States. Routing
315.675
the collection infrastructure offshore — through a third-country partner —
320.078
allows the surveillance to proceed without triggering those requirements.
324.356
The partner is the Australian Federal Police. The collection
328.722
server operates under Australian legal authority. The intercepted content
333.087
is shared, through mutual legal assistance treaties, back to
337.454
U.S. investigators.
340.108
The architecture is a silent carbon copy. Encryption is honored
343.964
for every adversary of the user — except the one
347.819
the user does not know exists. Distribution is the
351.949
hardest part of the operation. Encrypted phone products
356.381
in this market do not advertise. They spread
360.687
entirely through word-of-mouth referral within criminal networks. A
364.993
cartel lieutenant recommends the device to a distributor.
369.3
A distributor recommends it to another organization. Trust
373.607
propagates through existing criminal trust relationships. Afgoo, the
378.085
confidential source, supplies the initial seeding. He provides the
382.285
first ANOM devices to three of his former Phantom
386.485
Secure distributors in October 2018. Adoption is slow
390.525
through 2019. By October of that year, the network
394.694
has a few hundred users. Then —
398.73
acceleration. In March 2021, French and Dutch law
402.899
enforcement penetrate EncroChat and shut it down. Sky Global
406.95
is indicted by the United States. The remaining encrypted
411.001
phone market consolidates. ANOM, perceived as uncompromised and having
415.051
operated under the radar for over two years, absorbs
419.102
a significant share of the displaced customer base. By
423.493
May 2021, the FBI affidavit states there are eleven
427.754
thousand eight hundred ANOM devices distributed across more than
432.015
one hundred countries. Approximately nine thousand are in active
436.276
use. The network has spread into Australia, Germany, the
440.702
Netherlands, Sweden, Serbia, Finland, Spain, Colombia, and parts of
444.792
the Middle East. The Swedish national police alone hold
448.881
active surveillance on six hundred users. The New Zealand
452.971
police identify fifty-seven.
456.019
Across the full network, Europol will later confirm
460.354
the collection of twenty-seven million individual messages.
464.464
Between 2019 and 2021, the FBI San Diego
468.628
field office builds the operational center. More
472.633
than one hundred agents and analysts, supported
476.601
by eighty linguists, run the daily intelligence
480.568
flow. Translators handle content in Albanian, Italian,
484.536
Mandarin, Serbo-Croatian, Spanish, Arabic, Dutch, German, and
488.503
Turkish. Collection is continuous. Analysis is triaged
492.47
for threat-to-life situations first, operational intelligence second,
496.438
prosecutorial evidence third. The operation produces explicit direct
500.881
quotes. "There is two kilos put inside French diplomatic
505.251
sealed envelopes out of Bogota."
509.047
That is one intercepted message. It refers to a specific
513.419
shipping method used by one organization on one date. In
517.79
isolation, it is useful to investigators in three countries.
522.04
Multiplied by twenty-seven million, across three years, it is
526.305
an intelligence corpus of unprecedented density on the global
530.57
drug trade. Public officials appear in the traffic. Corruption
534.969
investigations open in multiple jurisdictions based solely on ANOM-derived content.
539.447
Port authorities are named. Customs officers are named. Police officials
543.926
in at least four countries are named by the users
548.406
who are paying them.
551.882
The operation is not shut down because of failure. It
555.735
is shut down because of scale. June 7 and 8,
560.119
2021. The United States Department of Justice, Europol,
564.211
and the Australian Federal Police announce the operation
568.302
publicly. The initial numbers are staggering. More than
572.72
eight hundred arrests across sixteen countries in coordinated
576.824
raids. Eight tons of cocaine seized. Twenty-two tons
580.928
of cannabis. Two tons of methamphetamine. Fifty-five luxury
585.032
vehicles. Forty-eight million dollars in cash and cryptocurrency.
589.452
In Sweden alone, one hundred fifty-five arrests. In
593.559
Germany, more than seventy. In the Netherlands, extensive
597.667
operations against an Albanian-linked network. By the time
601.898
prosecutions stabilize in subsequent years, the arrest figure climbs above
606.391
twelve hundred. Seventeen foreign nationals are charged in San Diego
610.883
federal court under the Racketeer Influenced and Corrupt Organizations Act
615.376
— accused of knowingly distributing the ANOM platform to support
619.869
organized crime. As of April 2025, eight of the
624.208
seventeen have been extradited to the United States. All have
628.673
pleaded guilty. The first to be sentenced, Osemah Elhassen, a
633.137
Lebanese-Australian extradited from Colombia, receives sixty-three months in federal prison
637.602
in November 2024. The remainder are in various stages
642.005
of litigation.
644.606
Several defendants have filed motions to dismiss on jurisdictional
648.881
grounds. Their argument: the United States designed a surveillance
653.157
platform, deployed it globally, and used the resulting intercepts
657.432
to prosecute crimes that occurred outside U.S. territory, by
661.708
non-U.S. citizens, under non-U.S. jurisdiction. In September 2024, U.S.
665.983
District Judge Janis Sammartino rules against them. Jurisdiction, she
670.26
finds, is established because ANOM traffic was routed through
674.535
servers that briefly touched American infrastructure — and because
678.811
some of the criminal activity coordinated over the platform
683.086
had a San Diego nexus. The ruling
687.069
establishes a precedent. Digital jurisdiction is
690.944
constructible. Two reasons are given for the public disclosure.
695.38
The first is operational. ANOM's wiretap authorizations were approaching the
699.803
end of their renewal cycle. U.S. courts had permitted the
704.225
collection on a rolling basis, but perpetual renewal of wiretap
708.648
orders against an entire platform — as opposed to individual
713.07
subjects — was legally untested ground the Department of Justice
717.493
did not want to test further. The second reason
721.804
is strategic. The FBI wanted the existence of the operation
726.28
to become public.
729.307
Jamie Arnold, assistant special agent in charge of the San
733.497
Diego field office, states the strategic goal at the announcement.
737.687
"Criminals worldwide will fear that the FBI or another law
741.877
enforcement organization may, in fact, be running their platform."
747.018
The objective was not to maximize any single operation's duration.
751.406
It was to compromise the broader market. Every encrypted phone
755.794
company — legitimate or illicit, present or future — now
760.182
operates under the implicit question of whether its architecture is
764.571
still its own. Trust in the category has structurally
768.73
shifted. Between 2018 and 2021, every major hardened
773.216
encrypted phone platform serving criminal organizations has been
777.5
either dismantled by prosecution, penetrated by intelligence services,
781.784
or secretly operated by them. The market
785.844
category is effectively closed. Criminal organizations adapt. Reporting
790.311
since 2022 indicates a migration toward widely used
794.342
end-to-end encrypted consumer messengers — Signal, Telegram, WhatsApp
798.374
— mixed with operational security practices like device
802.407
rotation and disposable accounts. None of these offers
806.439
the vertically integrated control of a dedicated hardened
810.471
device. All of them offer something better. Ubiquity.
814.504
Cover traffic. The cover of the ordinary user.
818.851
The unresolved elements of the case file are procedural
823.228
and constitutional. The jurisdictional precedent remains contested in
827.431
appellate courts. The legal question of whether a U.S.
831.804
government front company, operated extraterritorially, with collection infrastructure in
836.176
partner nations, can generate evidence admissible against non-U.S. citizens
840.549
for crimes committed abroad — has not been definitively
844.922
resolved. The next encrypted platform operation — if one
849.177
exists — will not be announced. That is the entire
853.494
operating theory. Afgoo, the confidential human source who developed
857.674
ANOM, received a reduced sentence and has never been publicly
861.961
identified. He is, by the terms of his cooperation agreement,
866.249
protected.
868.362
Seventeen defendants remain in various stages of
872.325
U.S. prosecution. Twenty-seven million intercepted messages
876.301
remain in U.S. intelligence archives. Eleven thousand
880.665
eight hundred ANOM handsets were manufactured. A small number have
885.106
surfaced in secondary markets in Lithuania and Australia, purchased secondhand
889.548
by security researchers and reporters. The units still work. The
893.989
hidden calculator function still opens the messenger. The servers no
898.431
longer respond. Fragment Zero will track the case file.
902.689
The deeper question posed by Trojan Shield is not whether
906.322
the FBI will do it again.
910.186
It is whether they already are.
913.303
And which brand it is wearing.