Last Updated October 10, 1997
This database is an extension of cases first published in our paper Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism, published in July 1997 by the National Strategy Information Center's US Working Group on Organized Crime.
Copyright Dorothy E. Denning and William E. Baugh, Jr., 1997. All Rights Reserved. No part of this database can be copied without our permission.
New cases will be added to the database as we learn about them. If you have information about a case that you can contribute, please contact Dorothy Denning.
Bolivian terrorists assassinate four U.S. Marines. A few years ago, AccessData Corporation of Orem, Utah, assisted in an encryption case involving a military sting operation [Thompson 97]. A Bolivian terrorist organization had just assassinated four U.S. Marines, and the company was asked to decrypt files seized from a safe house. They had twenty-four hours. They decrypted the custom-encrypted files in twelve, and the case ended with one of the largest drug busts in Bolivian history. The terrorists were caught and put in jail.
Ramsey Yousef, World Trade Center and Manila Air bombings. Ramsey Yousef was part of the international terrorist group responsible for bombing the World Trade Center in 1993 and a Manila Air airliner in late 1995. When his laptop computer was seized in Manila, the FBI found that some of the files were encrypted. These files, which were successfully decrypted, contained information pertaining to further plans to blow up eleven U.S.-owned commercial airliners in the Far East [Freeh 97]. While useful to the investigation, much of the information was also available in unencrypted documents. Also, because Yousef and others were arrested, decryption was not essential to averting the scheduled catastrophes.
Terrorist attacks on businesses. A terrorist group that was attacking businesses and state officials used encryption to conceal their messages. At the time the authorities intercepted the communications, they were unable to decrypt the messages, although they did perform some traffic analysis. Later they found the key on the hard disk of a seized computer, but only after breaking through additional layers of encryption, compression, and password protection. The messages were said to have been a great help to the investigating task force.
New York Subway Bomber. In 1995, John Lucich was assigned to the Manhattan District Attorney's Office to assist with the investigation of the New York subway bomber, Mr. Leary. Mr. Leary was eventually found guilty and sentenced to 94 years in jail for setting off fire bombs in the New York subway system. He had applied his own form of encryption to numerous files on his computer, and Mr. Lucich was given the computers for analysis. After investigators failed to break the encryption themselves, they sent the files to outside encryption experts. These efforts also failed. Eventually, the encryption was broken by a federal agency. The files contained child pornography and personal information, which was not particularly useful to the case. However, investigators retrieved other evidence from the computer that was used at trial.
James Dalton Bell. Bell was arrested and charged with obstructing and impeding the due administration of internal revenue laws, among other things, by collecting the names and home addresses of agents and employees of the Internal Revenue Service in order to intimidate them; by soliciting others to join in a scheme known as "Assassination Politics," whereby those who killed selected government employees, including tax collectors, would be rewarded; by using false Social Security Numbers to hide his assets and avoid taxes; and by contaminating an area outside IRS facilities in Vancouver, Washington, with Mercaptan (a stink gas). Investigators found on his computer documents relating to a plan to destroy electronic equipment with nickel-plated carbon fiber. They also found an invoice for the purchase of the fiber at his residence, and a bundle of the material at the residence of an associate, Robert East. Bell had exchanged PGP-encrypted e-mail messages with some of his associates. As part of his plea bargain, he turned over the password to his private key, allowing investigators to decrypt messages that he had received. [http://jya.com/jimbell3.htm]
There is a rumor that the French police have been unable to decrypt the hard disk on a portable belonging to a member of the Spanish/Basque ETA, a terrorist organization. We have also heard that some terrorist groups are using high-frequency encrypted voice/data links with state sponsors of terrorism, and we received one anonymous report of a group of terrorists encrypting their e-mail with Pretty Good Privacy (PGP).
Multi-site gambling enterprise. A significant gambling enterprise operated multiple sites linked by a computer system, with drop-offs and pick-ups spanning three California counties. The head of the enterprise managed his records with a commercial accounting program, using a codeword to encrypt the files. The software manufacturer refused to assist law enforcement in breaking the code. However, the police were able to crack the codeword by exploiting weaknesses in the system. The encrypted files contained the daily take on the bets, payoffs, persons involved, amounts due and paid or owed, and so forth. After breaking the code, they printed the results of four years of bookmaking, which resulted in a plea of guilty to the original charges and a sizeable payment of back taxes, both state and federal [McMahon 97].
Theft, fraud, and embezzlement of funds. An encryption case occurring in Vilseck, West Germany involved theft, fraud, and embezzlement of U.S. defense contractor and U.S. government funds over the three-year period 1986-1988. The crooks had stored financial records relating to their misdeeds on a personal computer. When investigators seized the computer, they found that the hard disk had been password protected. After using hacker software to defeat the password protection, they found that some of the files listed in the directory had been encrypted. They then found the encryption program on the hard disk and used it to decrypt the files. The encryption program was unsophisticated and available from the U.S. The password-protected and encrypted evidence was deemed valuable as a condensed source of investigative leads and in obtaining a confession. Sufficient other evidence was available that the prosecution would have been successful using other records [Price 97].
National drug ring. The Dallas Police Department encountered encryption in the investigation of a national drug ring which was operating in several states and dealing in Ecstasy [Dallas 97]. A member of the ring, residing within their jurisdiction, had encrypted his address book. He turned over the password, enabling the police to decrypt the file. Meanwhile, however, the subject was out on bond and alerted his associates, so the decrypted information was not as useful as it might have been. The detective handling the case said that in the ten years he had been working drug cases, this was the only time he had encountered encryption, and that he rarely even encountered computers. He noted that the Ecstasy dealers were into computers more than other types of drug dealers, most likely because they are younger and better educated. They are using the Internet for sales, but they are not encrypting electronic mail. The detective also noted that the big drug dealers were not encrypting phone calls. Instead, they were swapping phones (using cloned phones) to stay ahead of law enforcement.
Cali cartel. The Cali cartel is reputed to be using sophisticated encryption to conceal their telephone communications. Communications devices seized from the cartel in 1995 included radios that distort voices, video phones which provide visual authentication of the caller's identity, and instruments for scrambling transmissions from computer modems [Grabosky 97].
Italian Mafia. Maria Christina Ascents, who runs the Italian state police's crime and technology center, said that the Italian mafia is increasingly looking to use encryption to help protect it from the government [Ramo 96]. She cited encryption as their greatest limit on investigations, and noted that instead of hiring cryptographers to create their codes, mobsters download copies of PGP off the Internet.
Drugs and possible counterfeiting. A police department in Maryland encountered an encrypted file in a drug case. Allegations were raised that the subject had been involved in document counterfeiting and file names were consistent with formal documents. Efforts to decrypt the files failed, however, so the conviction was on the drug charges only [Schmidt].
Many investigators reported that in organized crime and economic crime cases, the subjects typically used encryption systems that were ready-at-hand, namely those supplied with word processing, spreadsheet, and other applications software such as Word, WordPerfect, Excel, and Lotus. Encryption in these cases was used mainly to conceal financial, procurement, and other business records. It was generally broken. However, as illustrated by the cases involving the Cali cartel, Italian mafia, and Dutch organized crime, some of the more powerful groups have access to sophisticated methods of encryption.
Insider theft of proprietary software. An employee of a company copied proprietary software to a floppy disk, took the disk home, and then stored the file on his computer encrypted under PGP. Evidently, his intention was to use the software to offer competing services, which were valued at tens of millions of dollars annually (the software itself cost over a million dollars to develop). At the time we heard about the case, the authorities had not determined the passphrase needed to decrypt the files. Information contained in logs had led them to suspect the file was the pilfered software.
Kevin Poulsen. Kevin Poulsen was a skilled hacker who rigged radio giveaways, "winning" Porsches, trips to Hawaii, and tens of thousands of dollars in computer cash. He also burglarized telephone switching offices and hacked his way into the telephone network in order to determine who was being wiretapped and to install his own. In his book about Poulsen's crime spree, Jonathan Littman reported that Poulsen had encrypted files documenting everything from the wiretaps he had discovered to the dossiers he had compiled about his enemies [Littman 97]. The files were said to have been encrypted several times using the "Defense Encryption Standard" [sic]. According to Littman, a Department of Energy supercomputer was used to find the key, a task which took several months at an estimated cost of hundreds of thousands of dollars. The result yielded nearly ten thousand pages of evidence.
International pedophile ring. Authorities in the U.K. sentenced a Durham priest to six years in jail for sexually assaulting minors and distributing child pornography [Akdeniz]. The priest was part of an international pedophile ring that communicated and exchanged images over the Internet. When authorities seized his computers, they found files of encrypted messages. We learned from an inside source that the messages had been enciphered using the built-in encryption for Psion Series 3 Word (no relationship to Microsoft Word) documents. The encryption was successfully broken; however, the decrypted data did not affect the case.
Child pornography and possible corporate espionage. A 15-year-old boy came to the child abuse bureau of the Sacramento County Sheriff's Department with his mother, who desired to file a complaint against an adult who had met her son in person, befriending the boy and his friends and buying them pizza. The man had sold her son $500-$1000 worth of hardware and software for $1.00 and given him lewd pictures on floppy disks. The man subsequently mailed her son pornographic material on floppy disk and sent her son pornographic files over the Internet using America Online. After three months of investigation, a search warrant was issued against a man in Campbell, California and the adoption process of a 9-year-old boy was stopped. Eventually, the subject was arrested, but by this time he had purchased another computer system and traveled to England to visit another boy. Within ten days of acquiring the system, he had started experimenting with different encryption systems, eventually settling on PGP. He had encrypted a directory on the system. There was information indicating that the subject was engaged in serious corporate espionage, and it was thought that the encrypted files might have contained evidence of that activity. They were never able to decrypt the files, however, and after the subject tried unsuccessfully to put a contract out on the victim from jail, he pled no contest to multiple counts of distribution of harmful material to a juvenile and the attempt to influence, dissuade, or harm a victim/witness [Kennedy 97].
Several law enforcement agents reported that they had encountered encrypted e-mail and files in cases involving pedophiles and child pornography, including the FBI's Innocent Images investigation. In many cases, the subjects were using PGP to encrypt files and e-mail. The investigators thought this group favored PGP because they are generally educated, technically knowledgeable, and heavy Internet users. PGP is universally available on the Internet, and they can download it for free.
[Blanchard 97] This was reported to us by Hugh Blanchard.
[Dallas 97] Walter W. Manning, "Should You Be on the Net?" FBI Law Enforcement Bulletin, January 1997, pp. 18-22. Additional information was provided by Detective R. J. Montemayor in the Dallas Police Department.
[Freeh 97] Statement of Louis J. Freeh, Director Federal Bureau of Investigation, before the Committee on Commerce, Science, and Transportation, United States Senate, regarding the Impact of Encryption on Law Enforcement and Public Safety, March 19, 1997.
[Grabosky 97] P. N. Grabosky and Russell G. Smith, Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities, 1997. Information about the English blackmailer was attributed to E. Nicholson, "Hacking Away at Liberty," Times (London), April 18, 1989.
[Kaplan & Marshall 96] David E. Kaplan and Andrew Marshall, The Cult at the End of the World, Crown Publishers, 1996.
[Kennedy 97] This case was reported by Brian Kennedy of the Sacramento County Sheriff's Department.
[Littman 97] Jonathan Littman, The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen, Little, Brown and Co., 1997.
[McCormack 96] Michael McCormack, "Europe hit by cryptoviral extortion," Computer Fraud & Security, June 1996, p. 3.
[McMahon 97] This case was reported to us by Jim McMahon, former head of the High Technology Crimes Detail of the San Jose Police Department.
[Price 97] This case was reported to us by Dale Price, who at the time was the senior corporate security official responsible for conducting the investigation on behalf of a major U.S. defense contractor.
[Ramo 96] Joshua Cooper Ramo, "Crime Online," Time Digital, September 23, 1996, pp. 28-32.
[Schmidt] This case was reported to us by Howard Schmidt.
[Thompson 97] "Can your crypto be turned against you? A CSI interview with Eric Thompson of AccessData," Computer Security Alert, No. 167, February 1997, pp. 1+.
Dorothy E. Denning is Professor, Computer Science Department, Georgetown University, Reiss 225, Washington, DC 20057, ph: 202-687-5703, fax: 202-687-1835, denning@cs.georgetown.edu, http://www.cs.georgetown.edu/~denning.
William E. Baugh, Jr. is Vice President, Information and Technology Systems Sector, Science Applications International Corporation, 8301 Greensboro Drive, Suite 1200, McLean, VA 22102, ph: 703-749-8946, fax: 703-734-5960, WILLIAM.E.BAUGH.JR@cpmx.saic.com.