At the beginning of February, an encrypted messaging service that had been under investigation since 2019 was shut down after a sweeping series of raids across Europe.

In a search of 79 properties in Germany, The Netherlands, Belgium and Poland, authorities arrested 48 people who were users, operators and administrators of the Exclu crypto communications service. 

Exclu, a heavily encrypted service which could be bought for either €500 ($537/£446) or €900 ($966/£804) for three- and six-month licenses, respectively, was used extensively by organized criminals and drug gangs.

Exclu made it possible to exchange messages, photos, notes and other communications with users, of which Dutch police said there were around 3,000 prior to the service’s seizure, 750 of whom were Dutch speakers.

German police said that their investigation into Exclu began in 2020 and had its origin in the seizure of an old NATO bunker dubbed “Cyberbunker” or CB3ROB, which had a reputation for hosting some of the less legitimate sites on the internet, including The Pirate Bay and Wikileaks, and was the back end server system for Exclu.

German authorities said that their investigation of the Cyberbunker gave them the data needed to decrypt Exclu’s services in order to monitor communications, which the Dutch police said they spent five months doing prior to the coordinated raids. 

The data retrieved from Exclu also allowed authorities to identify and trace the developers, administrators and owners of the service, many of whom were arrested in the raids.

CyberBunker History

The outside of CB3ROB/Cyberbunker

In 1995, Herman-Johan Xennt bought a 20,000 square foot bunker just outside the small town of Kloetinge in the south of the Netherlands, which had formerly been used by NATO.

Built in 1955, the bunker was originally used as a wartime Provincial Military Command Center of the Dutch military and was built to withstand a nuclear attack. It was deaccessioned by the Dutch military in 1994.

With collaborators, Xennt formed the CyberBunker company within the bunker, to offer “bulletproof hosting” of web sites. The company’s customers during the 1990s consisted largely of pornography web sites. Its policy was to accept any web site except those related to child pornography and terrorism.

In 2002, a fire broke out in the bunker and, after the fire was extinguished, it was discovered that besides Internet hosting services, an MDMA laboratory was in operation in the bunker. Three of the four men charged with the operation of the lab were convicted and given three-year prison sentences; the fourth was acquitted due to a lack of evidence.

Following the fire, the local town denied the company a business license, resulting in the CyberBunker servers being moved to above-ground locations, including Amsterdam.

In 2013 the company purchased its second bunker, in Traben-Trarbach, Germany.

As early as 2015, German cybercrime investigators received a warrant to investigate the company by tapping its Internet traffic in and out of the bunker.

Location of CB3ROB
Aerial view of CB3ROB

During this time, the company’s clients are claimed to have included the dark web marketplaces Wall Street Market, Cannabis Road and Flugsvamp, as well as Fraudsters, a forum for exchanging illegal drugs, counterfeit money and fake identification.

In September 2019, 600 German police, including forces from GSG 9, Germany’s federal paramilitary police unit, raided the bunker.

Seven people, including Xennt, were arrested in the raid, where police seized 200 servers along with documents, cellphones and large quantities of cash.

Police later said that the bunker was the location from which a late 2016 denial of service attack on Deutsche Telekom was launched.

Following the raid, infosec company SANS set up a honeypot on IP addresses formerly used by CyberBunker to analyse traffic passing through them – and the results shed light on just what kind of dubious traffic was passing through the servers.

Gangland criminals

In 2015, Irish criminal mastermind George Mitchell approached Xennt about running an encrypted phone business.

Herman Xennt (left) and George “The Penguin” Mitchell (right) – © Kevin Mc Nulty

Mitchell is a notorious gangland boss, originally from Ballyfermot in Dublin, who has had a long criminal career.

In 1988 Mitchell was convicted and jailed for 5 years for stealing a large amount of cattle drench. While in prison he became interested in the illegal drug trade and within a few years of his release he was the largest supplier of illicit drugs in Ireland.

In the 1990s he was arrested in Luton by British police while in possession of £575,000, a down payment for drugs. The money was seized but Mitchell was released.

During the same period, Mitchell built up two large ecstasy processing plants in Lucan and The Ward in Co Dublin. Both plants were raided as part of Operation Barbie.

Ecstasy-producing laboratories had been set up in two of the five bedrooms of a house in Lucan, and the ground floor rooms were stacked with jars and boxes of chemicals.

A massive tablet-pressing machine was found in a storage shed at The Ward.

The Garda raid was a major setback to Mitchell and was the second blow he had suffered in recent months – the first being the Luton arrest.

In 1998, his gunman, Michael Boyle, was caught after a botched murder attempt in London. This left Mitchell feeling vulnerable and concerned that the Gardaí were focusing on him, so he moved the centre of his operations to Amsterdam.

Shortly before he moved to Amsterdam, Mitchell was taken in for questioning about the murder of Fran Preston in Baldoyle.

He was arrested under the Offences Against the State Act and was taken to Howth Garda station.

No information about the arrest was released to the media and very few detectives were aware of the arrest. Mitchell was released without charge after 48 hours.

In May 2020, Garda officers arrested two men in Dublin who were found to have €400,000 in their car.

Following the arrest, searches were conducted at properties in Dublin and Meath, where a further €300,000 was found, along with €30,000 of cocaine and MDMA.

Drugs and cash seized by Gardaí

It is believed that these were operations being run by Mitchell from his European hideaway, as two ledgers recovered in the raids detailed money transactions to Mitchell in the region of €11M.

Exclu operation

Following the February 2023 raids, German police investigating the Exclu operation have formally announced Mitchell as a suspect along with four others.

German law enforcement wire-tapped 16 of Mitchell’s phones as they gathered evidence on the dark net bunker.

Some of the server racks inside CB3ROB

Officers in Europe believe Mitchell deals directly with Colombian cartels; supplies drugs and weapons to Northern Ireland; imports tonnes of cocaine into Europe; floods Holland with heroin; and is under investigation for money laundering in Spain.

They also claim he may have been involved in a Kinahan Cartel murder in 2014 and had a role in the feud between the mob and the Hutch gang, although Irish police sources claim he has stayed firmly neutral.

The wire taps and covert surveillance on Mitchell over a period from 2015 detail how he met with the head of the Bandidos biker gang and a leading figure in the Hell’s Angels in Germany to sell them encrypted phones.

Mitchell’s whereabouts are currently unknown, but it is believed he regularly travels between Holland, Germany and Spain. He has not been seen in Ireland since the mid-1990s.

I doubt he will be at liberty for much longer.