Sky Global was a communications network and service provider founded in 2008 in Vancouver, Canada. It developed the world's largest encrypted messaging network called Sky ECC,[1] operating through three servers of the OVHcloud company in Roubaix, France.[2] A significant share of the system's users were international crime organizations involved in drug trafficking, and the company management was suspected of collusion.
In a series of police raids against criminal organizations in several countries in early 2021, a part of Sky's infrastructure in Western Europe was dismantled, and US Department of Justice issued an arrest warrant against the company's CEO Jean-François Eap.[3] [4] [5] [6] On March 19, 2021, the company apparently shut down the operations after BlackBerry, Inc. cut it off from its services. Its website has been seized by the FBI.[7]
Sky Global was founded in 2008 by Jean-François Eap, in Vancouver, Canada.
The company provided Sky ECC, a subscription-based end-to-end encrypted messaging application.[8] Originally developed for the BlackBerry platform, it uses elliptic-curve cryptography (ECC) for encryption. One of its features was "self-destruction" of messages after a user-defined expiration period.[9] The company modified Nokia, Google, Apple and BlackBerry phones.[7] Phones supplied by the company had cameras, microphones and GPS disabled.[3] [4] If a phone was not contactable by the network, the message would be retained for up to 48 hours, then deleted.[10] The phones had a kill switch: if a user entered a "panic" password, the device would delete its contents. The company website offered a US$4 million (€3.2 million Euro) prize to anyone who could break the encryption within 90 days. They support Android, BlackBerry and iPhone apps.
Messages were stored using 512-bit elliptic-curve cryptography and network connections are protected by 2048 bit SSL.[10]
171,000 SKY ECC devices were registered, mainly in Europe, North America, several central and South American countries – mainly Colombia – and the Middle East. A quarter of active users were in Belgium (6,000) and the Netherlands (12,000), and half of those were said to be in use around the port of Antwerp.
On 9 March 2021 around 16:00 Belgian police carried out about 200 raids, arrested 48 people and seized €1.2 million in cash along with 117 tonnes of cocaine.[11] Those arrested included lawyers and members of the Hells Angels,[3] serving police officers, an employee of the public prosecutor's office, civil servants, tax officials and hospital administrators suspected of providing information to the gangs, as well as people suspected of gang-related violence.[12]
Belgian federal prosecutor said that "The operation was concentrated on taking down the Sky ECC infrastructure, dismantling the distribution network and seizing the criminal assets of the distributors" and "as many Sky ECC devices as possible" were seized from identified users.[11] The federal prosecutor said about the encryption that "We succeeded. We will send Sky ECC the account number of the federal police".[3]
Belgian and Dutch authorities were alleged to have been able to access the network from 15 February 2021 up to shortly before the raids.[3] About a billion messages were intercepted, about half of which had been decrypted by April 2021—further avenues of inquiry were expected to open as decryption progressed. The Belgian police said the network they had broken into was so trusted by its criminal users that images of torture, execution orders, insider financial and operational information were freely sent.[12]
Raids in the Netherlands were part of Operation Argus, the followup to the Lermont operation used to take down EncroChat.[13]
Sky Global disputed claims that their servers and app had been compromised, claiming that they were aware of a fake "Sky ECC" app being available on unsecure phones.[14] [10]
Sky Global said they were "actively investigating and pursuing legal action against the offending individuals for impersonation, false lights, trademark infringement, injurious falsehood, defamation and fraud".[10]
Joris van der Aa, a crime reporter for Gazet van Antwerpen, noted the importance of Operation Sky, saying, "It is a big blow because, in Belgium and a great part of the criminal underworld in the Netherlands, they really trusted Sky as a system. They were so full of confidence, and the police now have so much information on how the underworld was structured, bank accounts, all the corrupt contacts are being arrested. It takes years to build these networks ... In South America they will be thinking, 'Let's not do business with these Dutch and Belgian guys any more'... Everyone is waiting for the storm and asking themselves what the police know."[12]
On March 12, 2021, the US Department of Justice in San Diego, California, issued an indictment against Sky Global's CEO, Jean-François Eap, and a former distributor, Thomas Herdman.[6] [8] They were charged with a "conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO)", and arrest warrants were issued. The indictment states that the Sky Global's devices are "specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering. As part of its services, Sky Global guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised."[15]
In response, Eap has published a statement branding the allegations as false, saying that he and his company are being "targeted" because they "build tools to protect the fundamental right to privacy." "Sky Global's technology works for the good of all. It was not created to prevent the police from monitoring criminal organizations; it exists to prevent anyone from monitoring and spying on the global community. The indictment against me personally in the US is an example of the police and the government trying to vilify anyone who takes a stance against unwarranted surveillance."[8]
On March 19, 2021, the company apparently shut down the operations after BlackBerry cut it off from its Unified Endpoint Manager services. Its website has been seized by the FBI.[7]