Tech
In EncroChat scandal, France accuses a little-known Canadian tech nerd of building a digital den for drug dealers
Before Paul Krusky was accused of operating an international criminal enterprise, he lived in the Dominican Republic with his wife, Diana Fantuz, in a gated community on the north side of the island. Their villa opened up to a clear view of the sea, where waves crashed against a rocky outcrop at the edge of their backyard. The couple had left Waterloo, Ont., years earlier for a town favoured by fellow expats who took advantage of the gold sand beaches, spa, pools and restaurants.
Ms. Fantuz pitched in at an organization that cared for stray dogs, and the couple’s place was always home to a variety of pooches, even though her husband was allergic, she wrote on Facebook. Mr. Krusky could talk with authority about most anything, but he mostly kept to himself, preferring dogs to people, according to a friend. It wasn’t entirely clear how he made a living.
He always had some kind of project on the go – building websites, speeding up Amazon shipping to the island and even trying to devise a new kind of fly trap. He once told another local in town that he earned income through online gambling. His most successful and most secretive venture, though, changed the course of his life.
Some time in May, 2022, the couple were at a local restaurant with Mr. Krusky’s parents when police officers swarmed the place. They were looking for Mr. Krusky, a clean-cut man in his early 50s with a prominent nose and brow who usually sported a T-shirt and shorts. He was arrested in front of his family, according to a friend who heard the account. The friend is one of 14 people who spoke to The Globe and Mail about Mr. Krusky. Most did not want to be identified owing to concerns about discussing a criminal case.
Eventually, Mr. Krusky was hauled to a prison in the capital of Santo Domingo. Authorities in France were seeking to extradite him to face a long list of criminal charges. He was accused of participating in drug trafficking, aggravated money laundering, aiding organized crime, possessing firearms and supplying unauthorized cryptographic devices, according to a judicial record from the Dominican Republic.
Soon he was released on house arrest, his fate in the hands of a court that would rule on his extradition. Months and months ticked by while Mr. Krusky, a fitness junkie, practised boxing at the gated community’s gym. One night earlier this year, police officers crowded through the gym’s entrance, telling a personal trainer they were searching for someone. The court had made a decision: Mr. Krusky would be turned over to France. Once apprehended, he was sent across the ocean.
Antoine Vey, his lawyer in France, says Mr. Krusky denies the charges, none of which have been proven in court.
On Feb. 5, a French public prosecutor issued a press release announcing the country now had in its custody one of the key leaders behind EncroChat, an encrypted phone service that promised ultra-secure communication, impervious to hacking and snooping. That’s why, police across Europe have said, it found a dedicated customer base with drug dealers, hit men and organized crime groups. EncroChat was itself a criminal enterprise, authorities allege, helping fuel unlawful activity around the world.
There was no reason for anyone to have an EncroChat phone, the National Crime Agency in the U.K. has said, unless they were among the tens of thousands of customers that relied on the devices to co-ordinate drug shipments, murders and other schemes without fear of getting caught.
And the guy accused of helping them do it all is a low-profile tech nerd from Ontario.
A few years ago, French police noticed a trend when arresting people with connections to organized crime: Many carried specialized smartphones running software called EncroChat. The phones, which were modified Android devices, weren’t too hard to find. They could be purchased through a network of online resellers for about €1,000, while a six-month subscription plan that included 24-7 support ran another €1,500. The devices were available far beyond France, in fact. By 2018, resellers were located across Canada and Europe. One reseller called RodTele said it was based in Vancouver and claimed to be the master franchisor for EncroChat in Latin America, including in Mexico’s Sinaloa province, home to the notorious drug cartel.
On its website, EncroChat promised “the next level of worry-free secure communications.” Messages between users were encrypted end-to-end, meaning that no one – not even EncroChat – could decode the conversations. The GPS functionality had been stripped out of the phones, and there was no way to associate a specific device or SIM card to a customer account. Users could toggle between Google’s Android operating system, masquerading as a regular device, and EncroChat’s more esoteric platform. The phones had a “panic wipe” feature that allowed a user to punch in a code to eradicate every message. A reseller could do the same remotely. Within a few years, the service had amassed more than 60,000 users.
Encrypted communication services like EncroChat straddle a fine line. There are legitimate reasons why people need to message securely, and providing these services can be a noble endeavour, such as by allowing citizens living under despotic regimes to talk more freely. But encryption can also be used to more nefarious ends.
European authorities have taken the view that services like EncroChat are “grey infrastructure,” which are immune to traditional investigative techniques such as wiretapping, and may not co-operate with law enforcement requests. Not every user may be a criminal, the argument goes, but the level of criminality associated with these services is often so high that the companies themselves could be considered criminal enterprises.
The French Gendarmerie Nationale opened an investigation into EncroChat in 2017 and eventually hit on a startling discovery. Messages were routed through a data centre in Roubaix, a city in northern France close to the border with Belgium. European technical experts were able to write a piece of software – a Trojan horse, in effect – and ship it to EncroChat phones disguised as a software update, allowing them to crack into the service in 2020. For a period, investigators could even read messages in real-time, providing an unprecedented view of a roiling criminal underworld.
What they saw was remarkable: People hiding behind handles such as KindTailor, FeralWhale, MerrySword and BagbangBoomBoom trading messages about moving huge quantities of cocaine and heroin, bragging about drug-dealing profits, orchestrating money-laundering schemes, plotting to secure weapons and arranging murders of rivals.
Police analysts watched for weeks, trying to keep up with an unrelenting flow of messages, until one day in June, 2020, when EncroChat blasted an emergency message to users. “Today we had our domains seized illegally by government entities,” it read. “You are advised to power off and physically dispose of your device immediately.”
The following July, European authorities announced that EncroChat had been shut down and that they had been monitoring conversations for weeks. French, Dutch and U.K. police said they’d arrested hundreds of people, seized millions in cash, shut down drug labs and prevented hundreds of potential murders.
There was a lot more mundane chatter on EncroChat, too, and the personal details users let slip occasionally helped investigators unmask their true identities, stories that British media have delighted in reporting. In one case, police matched a home address to a cocaine dealer after he messaged a photo of a ham sandwich. Still, there were disturbing discoveries, such as the torture chamber Dutch police found inside a shipping container, complete with a dentist’s chair, shears, scalpels and pliers. Some of the EncroChat messages that police retrieved mentioned a tub “for waterboarding” and “cutters for fingers and toes,” according to Dutch prosecutors.
The mass arrests in 2020 were just the beginning. According to Eurojust, which co-ordinates judicial authorities in the European Union, the information retrieved through EncroChat has so far led to 6,558 arrests, 7,134 years of imprisonment for those convicted and €154-million in frozen assets.
Police have seized another €739.7-million in cash, more than 30 million pills of chemical drugs, 103.5 tonnes of cocaine, three tonnes of heroin, 923 weapons, 68 explosives, 271 homes, 971 vehicles, 83 boats and 40 planes.
Still, even as police racked up convictions, one person remained beyond their grasp: the creator of EncroChat.
Six years earlier, in June, 2014, Geoff Green showed up at a Calgary restaurant to have dinner with a potential business partner. Mr. Green was the president and chief executive of a startup called Myntex Inc., which provided encryption services to businesses and consumers. The man he was meeting with, Paul Krusky, was the lead developer of a new encrypted phone.
They had first connected months earlier, Mr. Green later wrote in a 2022 blog post, and he was considering signing on to be a reseller of the devices. More than two weeks prior, Mr. Krusky had e-mailed to apologize for not being able to meet sooner. “We added significantly more to the initial product offering we initially discussed, and now feel it offers the best, most complete, security solution on the market,” he wrote, according to screenshots included in Mr. Green’s post.
Over the course of the dinner, he peppered Mr. Krusky with questions: How much testing had been done? How many units had been sold? What happens to Myntex’s clients if you vanish? Mr. Green was impressed with Mr. Krusky, whom he found to be intelligent and someone who relished technical details. He left the dinner excited and a few days later signed an agreement to become a reseller for Mr. Krusky’s company, which was called EncroChat.
The venture was not Mr. Krusky’s first. He grew up in Guelph, Ont., and later attended a Catholic high school. There is no photo of him in the yearbook for his graduating class, but there is a quote attributed to Roman emperor Marcus Aurelius alongside his name that suggests a serious-minded teenager: “A man’s worth is no greater than the worth of his ambitions.”
After graduating from York University, he co-founded an internet service provider in Waterloo called WorldWithoutWire. The company found a niche servicing small- and medium-sized businesses in the area, “the segment that has been ignored,” Mr. Krusky told the Waterloo Region Record in 2002. His co-founder was an entrepreneur named Paul Cater, and the division of labour was typical for startups: Mr. Krusky was the tech guy, Mr. Cater the business guy.
WorldWithoutWire was a modest operation, employing roughly 35 people, and housed its headquarters in a repurposed computer store downtown. For a time, weekly poker games were held at the office. These were casual, low-stakes games, said one former attendee, but Mr. Krusky took them seriously. He didn’t like to lose. He had trouble accepting that no matter how he ran the odds or sized up opponents, according to a friend, the deciding factor – chance – was out of his control.
WorldWithoutWire, meanwhile, continued to grow. By 2002, the company had 60 towers and serviced an area of roughly 10,000 square kilometres. The co-founders had their sights set on expansion, but instead sold to Richmond Hill-based TeraGo Networks Inc. for an undisclosed amount in December, 2004.
Mr. Krusky’s business partner, Mr. Cater, had a side venture at the same time called Zed Marketing that distributed satellite TV packages to consumers. In 2005, U.S. satellite provider DirecTV launched a US$20-million lawsuit against Zed Marketing, Mr. Cater and around 20 others alleging that the defendants had engaged in a complex piracy scheme to defraud the company. Among the defendants was Mr. Krusky.
DirecTV, which did not offer services to Canadians at the time, claimed that Zed Marketing and others sold subscriptions by creating fake U.S. addresses so that DirecTV would activate accounts without receiving full payment. But in the hundreds of pages of court documents – which fill up six bankers’ boxes – there is not a single allegation against Mr. Krusky specifically, other than that he was the “administrative and technical contact” for Zed Marketing’s website. The focus of the lawsuit was instead on Mr. Cater, who had also been charged by the RCMP for allegedly selling pirated satellite TV access cards, though the charges were stayed. In court filings, he denied wrongdoing and said his company was merely involved in the grey market, which refers to business activities that are not necessarily illegal, but involve selling products outside of a manufacturer’s official distribution channels. In 2010, the court issued a default judgment against Mr. Cater that included financial penalties. (The Globe could not locate him for comment.)
By the time the lawsuit was filed, Mr. Krusky was already leaving Canada behind for the Dominican Republic.
Once settled abroad, Mr. Krusky appeared to live the laid-back expat life. On Facebook, his wife posted photos of a horseback riding trip on a beach, and another of Mr. Krusky cuddling with a puppy. She posted about watching The Muppets, how they purchased a wheelchair for a dog, and how a nearby party house was ruining her enjoyment of the backyard.
Those who met Mr. Krusky described him as extremely smart; but he didn’t have much patience for anyone who couldn’t keep up with his intellect, according to a friend. He possessed a level of confidence in his own opinions that could seem like arrogance. Some found it endearing; others were put off. “Paul was one of these people that always thought they were smarter than everyone,” Mark Diekmann, president of an animal rescue organization called Dogs and Cats of the Dominican Republic, wrote in an e-mail. “I am sure he is a very smart individual,” he added. “However, he is very abrasive and most people I know didn’t like him.”
Mr. Krusky valued his privacy, avoided social media and didn’t seem to have many close friends. He was the type of guy to put tape over the camera on his laptop and ban devices like Amazon Alexa from his home. In fact, an acquaintance said Mr. Krusky once chastised him for buying one.
That intense interest in privacy may have led him to the Guardian Project, a collective of developers building open-source apps for secure messaging, with a focus on journalists and human-rights activists. In 2013, someone with the name Paul Krusky posted on the project’s online forum, complaining about one of the project’s messaging apps. The process of adding contacts was “irritating,” wrote the author, who was aggrieved that users could not employ aliases. “I would love to have the control to send someone a message with a timed erase on it,” he went on. “Then I know for sure I won’t bump into him/her a month later and see that they have never erased a single message.” These features were later standard on EncroChat phones.
The exact origins of the company are murky. In November, 2014, a company called EsoCrypt Panama SA was registered in Panama and changed its name to EncroChat a few months later, according to corporate records. The company was incorporated by a local law firm, which previously told Bloomberg that it ended the relationship in 2017 after it could no longer locate its client. There is another record of a company registered in Hong Kong that changed its name to EncroChat Ltd. in 2015. The sole director is Paul Krusky.
Around that time, a number of encrypted messaging services and phone companies had popped up, especially in the wake of Edward Snowden’s revelations in 2013 that U.S. government agencies were monitoring communications on a massive scale. The industry was competitive, and some players were not above mudslinging.
For a time, EncroChat’s website maintained a blog that sounded like it was authored by a cantankerous, opinionated privacy zealot. A long-standing encryption program known as Pretty Good Privacy was “in disrepute” and companies peddling it were “selling snake oil,” according to an archived version of a 2016 post. BlackBerry couldn’t be trusted to keep customer data safe from law enforcement agencies, the author suggested, since CEO John Chen had once said corporations should abide by lawful access requests to customer information to help thwart crime. The author wrote a long screed in response to a blog post that criticized EncroChat’s security measures. “Piece of advice,” the poster wrote, “whoever is writing your blog entries is the technical equivalent of a dumbass.” The author called out bloggers who never divulged their names, but also kept their own name hidden.
There is at least one other name, however, that turns up in EncroChat’s digital trail. Back in 2014, when Geoff Green at Myntex signed on as a reseller, Mr. Krusky sent him an e-mail telling him to check out the company at esocrypt.com, EncroChat’s former corporate name. At the time, the URL was owned by a man named Douglas Pare, who registered the address in 2011 and continued to be listed as the owner until at least 2015, according to historical domain records.
Mr. Pare previously owned one-third of a company called Esoteric Communications Inc. that had an office registered to a Vancouver condo. As part of a civil lawsuit in 2010 over a court judgment that Mr. Pare failed to pay in Ontario, he said Esoteric was about to release software applications for BlackBerry devices. So much was riding on the launch that he would either “go bankrupt or make millions,” he told the court. The company was developing encryption services for BlackBerry phones, according to an archived version of its website, which said that strengthening privacy could protect against “government and law enforcement abuses such as illegal line taps.” Corporate records show he had two partners in the business – Craig Widdifield and Jeff Chang. Both men were connected to organized crime, according to media reports.
Esoteric never took off, however. In an interview, Mr. Pare said he left the company at the end of 2011, resigning as a director and forfeiting his shares. (The Globe could not locate a corporate record indicating his departure.) Esoteric was still troubleshooting the bugs in its software at the time – which was dubbed EsoCrypt. Mr. Pare envisioned a product catering to professionals such as journalists who need private communications, but his business partners had other intentions. “It became apparent to me that they may have been involved in dealings that were not aligned with my business ethics,” he said.
Esoteric was dissolved in 2012, according to corporate records, and his two business partners were both dead within a few years. Mr. Widdifield was shot to death in 2013 in the parking lot of a shopping mall in Surrey, B.C., his body found splayed in a pool of blood. Mr. Chang died from a drug overdose in 2015, a year after he had survived a drive-by shooting in Vancouver.
Mr. Pare said he had no involvement in EncroChat and has no idea how Mr. Krusky ended up using the esocrypt.com domain. He speculated that a software engineer coding the EsoCrypt product may have continued developing it, whereas he had moved to other ventures. He never met Mr. Krusky, he said. “I’ve never talked to him,” Mr. Pare continued. “I don’t know what the man looks like.”
Geoff Green was attending a family reunion when he received a startling phone call. By July, 2016, his deal with EncroChat to resell the devices was bringing in more than $5-million in revenue each year for his company, Myntex. Business was so good, in fact, that he was in the middle of planning a grand opening party for new headquarters in Calgary.
Not everything was perfect, though. On the other end of the line that day was Mr. Krusky, who had started to become distant. He was taking longer to respond to e-mails from Myntex employees, and promised updates to EncroChat never seemed to materialize. “We assumed it was because his business was booming and he was having a hard time catching up,” Mr. Green wrote in his blog post.
During the call, Mr. Krusky told him that the company had been sold. “We were shocked as there had been no indication this was being considered,” Mr. Green wrote. That call, and a subsequent one, were odd for other reasons, as the normally loquacious Mr. Krusky was tight-lipped on details. He wouldn’t reveal the identity of the new owner, nor explain why Myntex hadn’t been given an opportunity to bid on EncroChat. But he did assure Mr. Green that the company’s reseller contract would be honoured.
The contract was not honoured, however. Myntex was eventually contacted on their EncroChat phone with a message from the anonymous new owner, who informed them that their cost had gone up significantly, according to Mr. Green. Myntex was soon dumped. The new owner claimed that Myntex was in competition with EncroChat, barred them from selling the product and remotely wiped their device.
For Myntex, that outcome may have been for the best, as it was only a year or so later that the French Gendarmerie Nationale opened its investigation into EncroChat, eventually busting it wide open three years later. Mr. Krusky did not seem worried about what would happen to him, according to a friend, even as police were arresting hundreds of people, and EncroChat dominated headlines in Europe. He is generally so confident, so sure of himself, that his house could be on fire and he would still insist that everything was fine, the person said.
But despite his nonchalance, he was indeed on the radar of authorities. At one point, he had to fly out of the country for a medical procedure. At the airport in the Dominican Republic, he was prevented from boarding the plane, according to the friend. He was arrested not long after that.
Since February, Paul Krusky has been detained in a prison in France. The case against him is being prosecuted out of Lille, a northern city just west of Roubaix, where French police were first able to infiltrate EncroChat’s server. It’s also shrouded in secrecy, to some degree. The prosecutor’s office in Lille, which declined to comment, has not even publicly released his name. (Vice first reported Mr. Krusky’s full name after his arrest in 2022.) Neither the National Police in the Dominican Republic nor Interpol, the international policing organization that assisted with apprehending Mr. Krusky, answered questions from The Globe.
The job of defending him falls to Antoine Vey, a Cambridge-educated criminal defence lawyer in France. With a wild shock of hair that gives him the look of a man perpetually walking against a strong wind, Mr. Vey is a frequent commentator in French media and best known as one of the lawyers representing WikiLeaks founder Julian Assange in his extradition battle against the U.S.
“Mr. Krusky fully denies the allegations which are made against him,” Mr. Vey wrote in an e-mailed statement to The Globe, his first public comments about the case. There is no evidence to support the criminal charges, he added. “His current imprisonment has no other effect than damaging his physical and mental health.” His current concern, Mr. Vey said of his client, is to be placed on bail so that he can defend himself and continue to co-operate with investigators.
The statement offered, for the first time, an explanation of Mr. Krusky’s motivations. “The only goal of Mr. Krusky was to provide a technology which would fully respect the privacy of its users and he has never intended to participate or facilitate, actively or even remotely, any criminal activities.”
There are parallels between the cases of Mr. Krusky and Mr. Assange, in a way. Both are about more than the actions of the two accused, and touch on fundamental rights – freedom of information and privacy. At a high level, Mr. Assange is accused of publicizing state secrets, whereas Mr. Krusky allegedly aided people in keeping their secrets from the state.
Indeed, Mr. Krusky’s case is at the centre of a fractious debate about the right to privacy and the reach of law enforcement. The initial police hack of EncroChat amounted to a massive harvesting of personal communications, alarming civil-liberties advocates. Lawyers in various European countries have challenged the legality of the EncroChat operation and the admissibility of evidence in court, but with minimal success.
Some who work in the encryption world fear that the EncroChat bust is just the beginning and that authorities will conduct similar data surveillance operations into more mainstream services. “They have not gone after any open-source projects or more legitimate companies,” said Daniel Micay, the Toronto-based founder of secure mobile operating system GrapheneOS, but companies like EncroChat “are helping them build precedent for that.”
Authorities have in part justified targeting certain encrypted device companies because of the features these firms offer. “When we look at precedents, what we see is features that really correspond to what assists organized crime,” said Chantal Bernier, a lawyer at Dentons and a former interim Privacy Commissioner of Canada. That includes the ability to wipe devices after they’ve fallen into the hands of police. But iPhone users can just as easily delete their data from afar if they’ve lost their devices, others note.
There are other elements that police have said raise suspicions, such as the high prices associated with encrypted phones and the opaque reseller network, as was the case with EncroChat. That, too, doesn’t fly with some experts. “The judicial authorities deduced that this software was in reality almost exclusively used by criminal networks, believing that the managers of this company could not be unaware,” Guillaume Martine, a lawyer in Paris who has challenged the legality of the EncroChat operation, wrote by e-mail in French. “This reasoning seems extremely questionable to us, but it is the one which constitutes the basis of this whole affair.”
In the end, though, authorities in France have said that more than 90 per cent of EncroChat users in that country were engaging in criminal activity. It’s unclear what responsibility Mr. Krusky bears – whether the company courted a criminal user base or turned a blind eye to it, shielded by a network of resellers. Or maybe Mr. Krusky just wanted to provide a more secure way to communicate, as his lawyer contends. Elsewhere, police and courts have taken a hard line against anyone involved with EncroChat. In April, police in the British county of Bedfordshire lauded the convictions of three men who resold EncroChat phones to organized crime groups, calling the men “professional enablers” of criminal activity.
In France, Mr. Vey is determined to ensure a similar fate does not befall his client. “The firm and I will continue to take all actions to make sure the truth prevails, that Mr. Krusky’s rights are protected, and his innocence is recognized,” he wrote.
Diana Fantuz, Mr. Krusky’s wife, at first seemed conflicted about whether to say anything about his situation. She told The Globe she was not able to comment, then sent – and unsent – two messages through Facebook. She eventually sent what appeared to be a screenshot of a text message that quoted from a newspaper article about how facts can be spun into conspiracy theories. “Every effective smear campaign takes a grain of truth, then coats it in layers of innuendo,” the message reads in part. “For the target, distinguishing between truth and falsehood forces a difficult choice: silence, or a cascade of attempted explanations as the accusations evolve.”
As thousands of EncroChat users know, having been charged, convicted and imprisoned on the basis of their own words, sometimes it’s best not to say anything at all. That’s surely something Mr. Krusky knows, too, having built a company whose sole purpose was to keep information hidden. He may have no choice now but to finally open up and reveal a few secrets of his own.
With reports from Stephanie Chambers