Full Report
Europol on Tuesday announced the takedown of an invite-only encrypted messaging service called MATRIX that's created by criminals for criminal purposes. The joint operation, conducted by French and Dutch authorities under the moniker Passionflower, comes in the aftermath of an investigation that was launched in 2021 after the messaging service was discovered on the phone of a criminal convicted
Analysis Summary
# Incident Report: Takedown of Encrypted Messaging Service MATRIX (Operation Passionflower)
## Executive Summary
Law enforcement, under the joint operation "Passionflower," successfully dismantled an invite-only, encrypted messaging service named MATRIX, which was used by criminals for serious offenses like drug and arms trafficking. The operation, initiated in 2021, led to the seizure of over 40 servers, the arrest of key personnel including the alleged owner, and the interception of over 2.3 million messages, demonstrating a significant disruption to organized crime communication infrastructure.
## Incident Details
- **Discovery Date:** 2021 (Investigation launched after discovery on a convicted criminal's phone)
- **Incident Date:** Operation commenced on December 3, 2024 (coordinated takedown)
- **Affected Organization:** MATRIX (Criminal service, not a standard enterprise)
- **Sector:** Organized Crime Communication Infrastructure
- **Geography:** International (infrastructure spanned France, Germany, and other countries; arrests made in France and Spain, with Lithuanian authorities also involved)
## Timeline of Events
### Initial Access
- **Date/Time:** Investigation began in 2021. Ongoing interception/monitoring occurred prior to December 3, 2024.
- **Vector:** Law enforcement's initial lead into the service came from evidence found on the phone of a criminal convicted of the murder of Peter R. de Vries.
- **Details:** Authorities managed to intercept messages for a period of three months leading up to the takedown.
### Lateral Movement
- **Details:** Law enforcement gained access to the service infrastructure through coordinated international actions targeting servers across multiple countries, with France and Germany as the key hosting locations. The service was described as technically more complex than previous targets such as Sky ECC.
### Data Exfiltration/Impact
- **Details:** Law enforcement systems collected over 2.3 million intercepted messages in 33 languages, associated with crimes including international drug trafficking, arms trafficking, and money laundering. The service itself was physically shut down and its associated criminal network disrupted.
### Detection & Response
- **Details:** Detection dates back to 2021. The coordinated takedown commenced on December 3, 2024, involving French, Dutch, Italian, Lithuanian, and Spanish authorities.
- **Response actions taken:** Servers seized, arrests made, assets confiscated.
## Attack Methodology
*Note: This section describes the functionality of the criminal service being dismantled, rather than typical enterprise adversary techniques.*
- **Initial Access:** Criminals paid $1,360 to $1,700 in cryptocurrency for a Google Pixel phone with the service pre-installed and a six-month subscription.
- **Persistence:** The service maintained persistent, encrypted communication channels for its users.
- **Privilege Escalation:** Not applicable in the context of law enforcement access/disruption.
- **Defense Evasion:** Utilized end-to-end encryption and operated as an invite-only, custom-built service, marketed under several names ("Mactrix," "Totalsec," "X-quantum," "Q-safe"), to evade detection; it proved more complex than previous targets such as Sky ECC.
- **Credential Access:** Not applicable (focus was on decrypting/intercepting communications).
- **Discovery:** Service offered tools for criminals including video calling, transaction tracking, and anonymous internet browsing.
- **Lateral Movement:** Service maintained a network of over 40 servers globally.
- **Collection:** Intercepted millions of messages related to serious crimes.
- **Exfiltration:** Not applicable (law enforcement collected data, not the criminals).
- **Impact:** Facilitated large-scale international criminal operations.
## Impact Assessment
- **Financial:** Seizure of €145,000 cash and €500,000 in cryptocurrency.
- **Data Breach:** Interception of >2.3 million criminal communications.
- **Operational:** Disruption of a major communication backbone for organized crime operations focused on drugs, arms, and money laundering.
- **Reputational:** Neutral (Focus was on the criminal entity).
## Indicators of Compromise
*(Note: As this was the takedown of the service itself, standard IoCs are limited to seizure evidence.)*
- **Network indicators (defanged):** Infrastructure primarily hosted on servers located in France and Germany.
- **File indicators:** Confiscation of over 970 mobile phones.
- **Behavioral indicators:** Criminal use of platforms named MATRIX, Mactrix, Totalsec, X-quantum, or Q-safe for encrypted messaging.
## Response Actions
- **Containment measures:** Seizure of the main service infrastructure (servers located in France and Germany).
- **Eradication steps:** Arrest of 3 suspects (one in France, two in Spain), including the alleged owner/manager (52-year-old Lithuanian national).
- **Recovery actions:** Confiscation of assets including cash, cryptocurrency, four vehicles, and over 970 mobile phones. Law enforcement actions were supplemented by Italian, Lithuanian, and Spanish counterparts.
## Lessons Learned
- Criminals are adapting to law enforcement disruptions (like Sky ECC and EncroChat) by moving to newer, potentially less established, custom-built tools.
- International, coordinated operations (like Passionflower) are crucial for successfully dismantling complex, multi-country communication networks.
- Law enforcement capabilities are keeping pace with the technologies used by criminals, even those deemed "technically more complex."
## Recommendations
- Maintain proactive intelligence gathering focused on emerging, custom-built encrypted communication platforms favored by sophisticated criminal enterprises.
- Continue fostering and executing multi-national joint operations to target the command-and-control infrastructure underpinning organized crime.