Inside the incredible phone hack that exposed some of the world’s leading criminals
It was a secret encrypted network being used by some of the UK’s biggest gangsters – but details about luxury takeaways and children’s birthday parties, among plans to hire hitmen and ship kilos of cocaine, would finally lead the police to one of the most dangerous organised crime gangs in Britain. David James Smith, who had access to the investigation, tells the incredible story of how they did it
With two vintage Ferraris on the gravel drive of his five-bedroomed mansion in Denham, a second home in Dubai, and a yacht moored nearby which he had just sold for a million pounds, Lee Hannigan had all the markings of a successful life. He was in his mid-forties, masquerading as a legitimate businessman, but his secret EncroChat phone told a different story. He was a money launderer for drug gangs, hiding in plain sight and protected, so he believed, by the unbreakable encryption on his phone.
He was not alone. There was his near neighbour Harry Hicks-Samuels, still in his twenties, whose friends and associates thought was a respectable watch dealer. In fact, he was a major cocaine importer and a key player in an organised crime group. Lee Hannigan laundered the money that Hicks-Samuels earned – £100,000s of it. Harry had an EncroChat phone too – he and Lee exchanged messages and photos, sometimes about business and sometimes just chitchat. “People just think I’m a watch dealer”, Harry crowed in one message.
Across the UK thousands of other high-level criminals were also openly chatting on their EncroChat phones too – discussing the shipment of class-A drugs, or hiring hitmen among casual chatter about joining golf clubs, ordering meals at luxury restaurants and taking their fast cars out for a spin. All of them thought they were safe from the prying eyes of law enforcement, but they were wrong. The police were listening in, during a sting lasting many weeks – the group’s chitchatting a valuable trail of breadcrumbs that would lead to their prize capture.
A new BBC podcast, Catching The Kingpins, tells the story of what it rightly calls the biggest organised crime bust in British legal history. The great EncroChat hack of 2020 was also one of the most stunning and audacious triumphs in the annals of policing. I investigated and reported on it at the time, and have contributed to the new series, which also has exclusive access to the Met Police team that conducted many of the inquiries, including, as we reveal here for the first time, identifying and arresting Hannigan and Hicks-Samuels. Like 100s of other EncroChat users, they are now serving long prison sentences. The full story has never previously been told.
Encroaching on EncroChat
EncroChat phones had come to police attention since around 2015, when they were linked to drug-related shootings in Manchester, including the assassination of gangster Paul Massey. The National Crime Agency (NCA) had tried and failed to crack the code that encrypted the phones. It seemed they really were as unbreakable as their marketing claimed.
EncroChat phones were based on familiar Android models, especially adapted and loaded with encrypted software that gave users access to the secret network through a hidden portal on the devices. They cost £1,500 to buy and a similar sum in half-yearly rental. You couldn’t buy them over the counter, of course, you needed a connection. EncroChat phones could only communicate with each other. Users adopted pseudonyms – handles – to hide their identities from each other. Lee Hannigan was known as BankBoss and Harry Hicks-Samuels was SurrealTailor.
While the NCA and UK forces struggled to crack the code, the French authorities found the EncroChat server in northern France, copied it, figured out how to hack into it and sent an update to the entire EncroChat network – believed to be around 50,000 worldwide and 8,000 in the UK. The update, when it was enacted, would send the entire contents of the phones to the Gendarmes and allow for a daily harvest of all new messaging – a real-time window on the communications of many of the world’s leading criminals.
Forming a joint investigation team with their Dutch colleagues, the French primed other agencies, including the NCA who started their hack on 1 April 2020. The phones could be associated with locations by the masts they linked to and so the Met Police had the content of around 1,400 phones to deal with. They did not know the names of the users, only their handles. The sheer volume of material was overwhelming, with millions of messages to wade through. A long road lay ahead, with uncertainty as to how soon it would be before the criminals discovered they were being listened to.
Hiding in plaintext
The Met set up a specialist command centre at a secret location to deal with the avalanche of information they were suddenly privy to. Detective Chief Inspector Driss Hayoukane delayed his retirement to take on the role. He described the extraordinary impact of what they were reading: “It was like being in a room with them and they’re talking freely and they don’t see you there.” So confident were the criminals that some would even give their name, address and date of birth over the phone to prove their identity to criminal contacts. “Thank you very much, we’ll take that”, as DCI Hayoukane puts it.
Others sent personal photos or gave tiny clues in messages that would help police to identify them. A son’s birthday would be mentioned, a view of children’s garden toys from a bedroom or a photo of a doily on a coffee table shared, all of which would give vital clues to their identity and whereabouts. Some were not so innocuous, for example, one drug gang’s messaging disclosed the use of a locksmith as a courier, with a secret drugs compartment – a “hide” – in his van.
Priority was given to investigating so-called “threat to life” cases, where messages revealed that a murder was being planned. There were fears that swooping in too soon on every little thing would give the game away, but as DCI Hayoukane said, a life was worth more than EncroChat. When user NudeTrain started discussing a hit with user UsualWolf, the Met paid close attention. NudeTrain wanted “a James Bond ting” – a gun, apparently to take revenge on men who had “lit up” (shot at) his mum’s house. “Retaliation can’t be no joke” [sic], said NudeTrain. But the gun supplied to NudeTrain had a problem. He sent a photo to UsualWolf. The bullets didn’t fit the gun. “It’s the wrong size”. NudeTrain was derailed, without the police having to step in.
NudeTrain was eventually revealed as Frankie Sinclair from south Wales and UsualWolf was Paul Fontaine from London. A significant clue was Sinclair sharing a grainy CCTV image of the men who attacked his mother’s home – revealing a car on the drive with a partially visible registration number that officers traced to his mother. The Met worked with South Wales Police and both men were arrested before a revenge shooting occurred.
Busting BankBoss
Meanwhile, one of DCI Hayoukane’s colleagues, Detective Constable Sarah Wykes was poring over the messages and photos sent by BankBoss and SurrealTailor. Who were they? By now the first Covid lockdown was in place. Like her colleagues, DC Wykes was working long hours, but lockdown was helping. “I guess because they were all at home bored they were messaging each other about their personal circumstances.” They gave things away. “Small personal details that slipped out during conversations.”
Alongside the messages that disclosed planning for his huge drug importation and distribution, SurrealTailor was flashy and posted an image of the meal delivery he had ordered from a fancy Mayfair restaurant. He boasted of having just joined an exclusive golf club, usefully naming the club. The police obtained the lists of all those who had ordered meals from the restaurant and then obtained the list of new members of the golf club. After cross-checking only one name appeared on both lists: Harry Hicks-Samuels.
“He was so confident in the encrypted system that he actually gave away quite a lot about himself”, DC Wykes tells the podcast presenter, Mobeen Azhar. “He was high up in the organised crime group (OCG). He was directing others. He was making a large proportion of the money.” Hicks-Samuels had contacts in Spain and central and North America. In one exchange he talked of hiring a “rent a clump” – paying a heavy to hurt someone who was in debt to his OCG.
Meanwhile, BankBoss, who bragged of having insiders in major banks and international contacts for his money-laundering, discussed with Hicks-Samuels allowing him to drive one of his Ferraris. He was concerned it was not MOT’d. The police located the mast associated with the location of BankBoss’ messages. There was only one mansion with Ferraris on its drive and that was the home of Lee Hannigan. Police checks established that one of his cars did not have an MOT. They had him. It was later estimated that during one 77-day period he had moved around £2.5m from Hicks-Samuels’ OCG, charging 6 per cent commission.
It was not until mid-June – more than two months after the hack had begun – that EncroChat finally realised its network had been infiltrated. It sent a message to all users: “Today we had our domain seized illegally by government entities … Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device. We took immediate action on our network by disabling connectivity to combat the attack. You are advised to power off and physically dispose of your device immediately.”
Four days later, the Met carried out raids on all its targets, executing 70 warrants. Both Hannigan and Hicks-Samuels were arrested. DCI Hayoukane enjoyed the raids, watching on screens at his base as the characters he had come to know through their EncroChat messages and photos were finally reeled in. It was high time the Met had something positive to speak of. “When you know you’re going through that door, and all your evidence is on there, and we’ve done our due diligence – nothing more satisfying than, you know, in a professional manner, taking out somebody who’s a dangerous individual from the community,” the DCI says.
Hannigan and Hicks-Samuels were among eight people convicted in relation to their linked offences of drug importation and money laundering. At Woolwich Crown Court in November 2022, Hicks-Samuels was imprisoned for 17 years and Hannigan for five years and six months.
They are among the 1,000 convictions resulting to date from the EncroChat bust in the UK, with 3,000 arrests, 200 threats to life averted, 173 firearms seized, along with six tons of cocaine, three tons of heroin and £80m in cash.
The evidence taken from EncroChat phones has been hotly contested in court with claims that the NCA obtained the wrong warrant to legitimise the use of the data in evidence. It is argued on behalf of those accused that the data was obtained by illegal interception of the material during transmission, rather than a legitimate hack of the phones. The legal controversy still rages as the point continues to be argued through the courts.
But DCI Driss Hayoukane perhaps has other policing controversies in mind when he says of the spectacular success of the EncroChat bust, “The police are going through a bit of a tough time at the moment but rest assured there are people that are dedicated and driven to make things better for all communities.”
‘Catching The Kingpins’ presented by Mobeen Azhar airs Sundays at 13.30pm on BBC Radio 4. All six episodes will be available on BBC Sounds