Inside Job: How a Hacker Helped Cocaine Traffickers Infiltrate Europe’s Largest Ports
Europe’s commercial ports are prime entry points for cocaine flooding in at record rates. The work of a Dutch hacker, who was hired by drug traffickers to penetrate port IT networks, reveals how this type of smuggling has become easier than ever.
Key Findings
- Court records and other documents obtained by reporters reveal how a man in the Netherlands hacked IT systems at the ports of Rotterdam and Antwerp and sold valuable data to assist cocaine traffickers.
- With access to the ports’ container management systems, the hacker was able to advise which shipping containers would be the best targets for hiding contraband.
- The hacker also used his access to key data about shipping containers to help smugglers pick up their goods on the receiving end.
- One of his hacks was facilitated by a bribed port employee in Antwerp, who inserted a USB with malware into a port computer.
February 14, 2020, brought an unprecedented Valentine’s Day surprise for Costa Rican police: in a shipping container of ornamental plants, they discovered 3.8 metric tons of cocaine.
Authorities said little about who was behind the record bust, which was intercepted in the Caribbean port city of Limón.
But not long after, Dutch police made another discovery: after breaking into the encrypted chat platform SkyECC, they found that a 41-year-old father of two had played a key role in the operation from behind his computer in the port city of Rotterdam.
On paper, Davy de Valk had struggled to hold down a steady job. Though he claimed to have studied computer science, Dutch prosecutors found he was living off social benefits, according to his indictment.
Yet the encrypted chats revealed that de Valk actually had regular, and well-paid, work as a “black hat” hacker, the term used for those who hack for criminal ends. His speciality was penetrating the IT systems of Europe’s major maritime ports and selling intel to cocaine smugglers.
To move their goods freely, criminal groups have traditionally had to corrupt a long chain of port personnel, from crane operators to customs inspectors. But the growing digitalization and automation of shipping logistics has opened up new avenues for infiltration. With the information that hackers like de Valk can help provide, traffickers need little more than a single corrupt employee and a truck driver, experts say.
Using court records, police reports, and a cybersecurity analysis of de Valk’s hacking, OCCRP and its Czech member center investigace.cz have pieced together how he and his collaborators infiltrated the IT networks of Europe’s two busiest ports using methods that were, in some cases, relatively amateur.
A Dutch court found that de Valk was able to monitor how shipping containers were scanned at the port of Rotterdam, thereby helping his clients decide where to place narcotics to avoid detection.
He also breached the Antwerp terminal’s IT network through malware that was loaded onto a USB stick and inserted by a bribed office clerk, giving him access to data that could have allowed clients to pick up drugs without drawing attention, the court found.
De Valk charged hundreds of thousands of euros for his services, intercepted chats show. Yet his hacking methods were relatively basic.
“That is fairly low-skill work,” Ken Munro, who runs a security consulting firm in the United Kingdom, told OCCRP after reviewing details of de Valk’s cyberattack on the Antwerp terminal.
“It’s a ‘noisy’ attack that would have generated loads of alerts, had the Antwerp port systems been set up to detect these actions,” he added.
The inside view of de Valk’s hacking, which OCCRP is revealing in detail for the first time as part of the NarcoFiles, highlights how vulnerabilities at these ports have allowed them to become sieves for cocaine pouring into Europe at record rates.
In his defense, de Valk argued that he was doing undercover research to develop a video game about the drug trade, and only sold his criminal clients bad information. The court dismissed his explanation as “fully implausible,” and sentenced him in 2022 to 10 years in prison for crimes including unlawful hacking, as well as aiding and abetting cocaine trafficking.
OCCRP sent multiple emails and made multiple phone calls to de Valk’s legal representatives requesting comment, including about whether the conviction would be appealed, but received no response. It is not clear if he is currently serving his sentence.
Record Cocaine Busts
The sheer quantity of shipping containers handled by Europe’s main ports presents ample opportunities for drug traffickers to exploit: of the 98 million containers that passed through in 2021, only two percent are estimated to have undergone inspection.
A record amount of nearly 160 metric tons of cocaine was seized at Rotterdam and Antwerp ports in 2022 alone, a figure experts say represents less than a third of the total amount entering the ports, according to an internal Europol report obtained by OCCRP and investigace.cz.
One problem is that these commercial ports were designed for efficiency, not security. They were built to “get a container load or any load from A to B in the quickest time for the lowest costs,” Jan Janse, Rotterdam’s district chief of the seaport police, told OCCRP.
De Valk’s ‘Lines’
In the weeks leading up to the Costa Rica bust, de Valk outlined his services and price structure to clients over the chat platform SkyECC.
By tracking the scanning history of companies that regularly shipped to Rotterdam, de Valk was able to tell which shipping lines were rarely probed and were therefore the best targets for secretly stashing cocaine, apparently unbeknownst to the shipping firms themselves.
If the container successfully reached Rotterdam, de Valk then helped clients retrieve their cargo by canceling the original pick-up service and forging transport orders, which would allow his clients to collect the container themselves, drive it out of the port, and comfortably unload the drugs. The total cost for this package was 500,000 euros.
“You get an organization that doesn’t undergo scan and your tp [transport] can pick it up without any issues,” de Valk wrote in one of the SkyECC messages cited in his court conviction.
De Valk referred to the reliable shipping companies he would recommend to clients as “my lines.”
For the haul intercepted in Costa Rica, he had recommended a container used by Vinkaplant, a well-known Dutch importer and exporter of tropical plants that makes regular trips to its fields in Costa Rica and other Central American countries.
“There are plants in it. Is easy to load. Isn’t stuffed full,” de Valk wrote to his client, who was not identified by the court.
This mode of “piggy-backing” off a legal company is mostly done without their knowledge. Vinkaplant was not accused of any wrongdoing.
Yet this time, de Valk’s “line” failed him. During a routine check, Costa Rican police noticed a suspicious discrepancy: the container’s weight did not match the figure that had been declared. An inspection found that in addition to 20 towers of ornamental plants, the container held briefcases containing 5,048 black packages, nearly all of which contained pure cocaine.
PIN Code Fraud
Key to de Valk’s work would have been the ability to access the PIN codes of shipping containers.
These are unique reference numbers that are assigned to a container by a shipping company after its transport has been paid. In order to pick up the container at the dock, transporters must provide the correct code along with other documentation.
A crane lifting a shipping container onto a vessel. (Credit: JLBvdWOLF / Alamy Stock Photo)
In 2018, authorities at the port of Rotterdam noticed a spike in reports of shipping containers being stolen, disappearing, delivered to the wrong address, or appearing in unexpected locations. Authorities realized that criminal networks had found a new modus operandi for drug smuggling, which Europol has dubbed “PIN code fraud.”
Traffickers had found that by illegally accessing the PIN codes of containers, through the help of corrupt port employees or by hacking, they could pick up the cargo by impersonating the transport company assigned to retrieve it. This data, as well as the container’s number, also allows them to follow the cargo’s status in the port, including when it is ready for release.
Without such codes, smugglers have had to resort to far riskier methods, such as sending a team to break into the containers inside the port and flee with the smuggled goods. There have also been cases of “Trojan horse” containers, where extraction teams sneak into the port inside a container and wait, sometimes for days, until their cargo arrives and they have the chance to retrieve it.
The comparative ease of PIN code fraud means the data comes at a high price: encrypted chats show criminals have paid between 20,000 and 300,000 euros for such codes, according to the internal Europol report.
The large number of port and shipping personnel who are able to view these reference numbers, in some cases up to 10,000 people in a single shipping company, provides traffickers with many targets.
“It’s fairly simple to find somebody that has access to this code, and pay them cash to get this,” said Rotterdam’s district chief of the seaport police, Jan Janse. “If you don’t say yes the first time, when you’re in the store doing all of your shopping, they’ll throw it into your cart again and maybe try a third time to give you the cash. There are [also] cases, of course, [where] then they tell people, ‘We know where your kids are going to school.’”
This type of corruption is the top method used by criminals to access internal information including PIN codes, he said.
De Valk’s chats make clear that he and his collaborators had access to inside information about the movement of containers at the Rotterdam port.
The Dutch court found that de Valk had fabricated a transport order, shared it with his collaborators, and canceled the legitimate transporter as part of his effort to arrange the consignment that was later stopped in Costa Rica. In a chat cited in the verdict, he sent an image of a transport order to his clients and wrote, “Beneath reference is the PIN code.”
In addition to that bust, de Valk was convicted of helping arrange a separate shipment of more than 200 kilograms of cocaine, which police found in Rotterdam in 2020 hidden in a shipping container of wine.
Investigators found encrypted SkyECC chats showing that de Valk had prepared a transport order and fake emails to facilitate the pick-up, using key data about the container provided by an unidentified member of a group chat, his conviction shows.
His indictment provided further details: De Valk and other members of the chat had allegedly accessed the port’s software for container management and, with the help of “possible corrupt port contacts,” had “direct insight into the container’s entry, corresponding registration numbers and loading and unloading times,” prosecutors wrote.
The precise details of how they had accessed this information in Rotterdam are not known. But de Valk’s next venture in Antwerp offers one possibility.
USB Hack
Days after the wine shipment was intercepted in Rotterdam, de Valk turned his sights on a new target with the help of a man named Bob Zwaneveld, according to their court convictions.
Zwaneveld, 57, did not embody the popular image of a crime boss. Before his arrest in 2021, he claimed to have spent seven years living in a camper van in a recreation park, prosecutors wrote in his indictment. Officially, he was unemployed apart from what he said was the odd construction job. Unofficially, he was actively involved in cocaine and arms trafficking, leading to a 12-year prison sentence in 2022.
OCCRP made several attempts to contact Zwaneveld through his legal representatives, asking for comment on the conviction and whether it would be appealed, but received no response. It is not clear if he is serving his sentence.
Chats show that Zwaneveld played a coordinating role in several drug deals in 2020, including arranging the sale to a U.K. friend of 100 “colos,” a term he and others used to describe kilos of Colombian cocaine. He was also having regular negotiations over encrypted chat platforms about the purchase, sale, or delivery of firearms, hand grenades, and ammunition.
Together, Zwaneveld and de Valk planned to infiltrate the Antwerp terminal, which manages the second largest volume of shipping containers in Europe after Rotterdam, according to their convictions. To do so, they needed the help of someone on the inside: in this case, an office clerk stationed at the port.
The clerk told Belgian police she was approached by someone who offered her 10,000 euros to insert a USB stick into a computer at her workplace, according to testimony cited in de Valk’s conviction. After agreeing, she was given a SKY phone (a secure device with the encrypted messaging app) to communicate with a SkyECC account user identified in court only as 7MIOBC, who shared her queries in a group chat with de Valk and Zwaneveld.
The port employee was convicted in a Belgian court this March, according to local media. The reports did not give details of the conviction, or say whether it would be appealed. The employee did not respond to reporters’ requests for an interview.
An illustration of encrypted messages sent by de Valk during his hack of the Antwerp port’s IT system that were quoted in his court verdict.
Once de Valk finished preparing the USB stick, it passed through several hands, including Zwaneveld’s, before reaching the port employee.
“Just activate the program on the USB stick. Double click and wait 15 seconds then you can take it out again,” de Valk instructed.
Soon, the operation was up and running.
“Yes, have it,” he wrote to the group chat, sending a screenshot revealing his access to the employee’s computer, with the word “user” displayed, followed by a photo of folders and drives. The user 7MIOBC replied with a photo of the USB plugged into the Antwerp terminal office computer.
After the port employee had opened the file on the USB and installed the malware, de Valk ran a series of “malicious actions” on the system, according to a forensic report of the hack carried out by the Dutch cybersecurity firm Northwave, which was cited in his conviction.
Chronology of a Hack
18 September, 15:20:41: A port employee inserts the USB stick de Valk prepared into a computer, running a malware file that gives him remote access to the account. Later that day, de Valk sends a message: “Hey, I’ve only just passed through the intrusion detection system. Was a pain in the ass. How long will they stay online? Definitely need another 2 hours.”
19 September, 12:51:09: De Valk launches a graphical user interface tool, called “Advanced IP scanner,” to map out the network of the target computer and look for vulnerabilities.
20 September, 19:35:40: De Valk runs a more robust mapping tool, called nmap, that is often used by hackers to find vulnerabilities and plan future attacks. He also tries and fails in several attempts to expand the account’s rights and access within the network, a tactic called privilege escalation. After midnight, he launches a tool called CVE-2016-7255.exe aimed at securing SYSTEM-level privileges, i.e. the highest level of rights available to a user in the Windows network.
21 September, 03:52:27: De Valk opens Solvo, the port’s container management system, and begins reading a usage manual. Thirty minutes later, he opens a browser to access the Human Resources Operator to view which staff members are absent.
23 September, 20:15:33: De Valk launches another vulnerability assessment tool, indicating his previous tactics had failed.
26 September, 22:16:50: De Valk uses a tool called impacket, which can be used to find backdoors, that is, ways to access a system while bypassing normal security mechanisms. Within an hour, he exploits a backdoor on the system and sets up a connection that allows him to tunnel from one machine in the network to another.
27 September, 21:48:13: De Valk writes that he has obtained the “dc admin hash,” an encrypted string which can be used to reveal a password for an administrative account, or “domain controller” (dc). Accessing that account would provide “total control,” de Valk writes in a message.
19 October, 17:49:32: De Valk accesses the Solvo software to view pages that monitor container vehicles, staff passes, and driver names. He also places files in the system that contain lists for a “brute force” attack, a method that uses dictionaries and other word lists, such as “male_names.txt,” to guess as many passwords as possible.
19 January 2021, 18:04:26: De Valk places 961 suspicious files on the system over the next 14 hours, some of which can perform tasks like running scripts and applications.
30 March 2021, 05:05:24: De Valk modifies a user manual for Solvo, but the changes he made could not be recovered.
24 April 2021: After installing various suspicious files, this is the last date that de Valk is definitively known to have been active in the port’s IT system, according to available logs. But a scan of his seized laptop shows he was still discussing transport modes and deck cargoes with others by chat as late as August 31, according to prosecutors.
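The tool launches listed in the chronology are the kind of events that endpoint process logging can surface. The sketch below is an added example, not taken from the OCCRP article or the Northwave report: it scores constructed process-creation records for execution from removable media, scanner launches and CVE-named binaries, then correlates them per host and account. Host names, account names, file paths, drive letters, business hours and score weights are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp|host|user|image path.
# Hosts, users and paths are invented; tool names and times follow the chronology.
SAMPLE_LOG = r"""
2020-09-18T15:20:41|OFFICE-PC01|clerk|E:\update.exe
2020-09-18T15:31:02|OFFICE-PC01|clerk|C:\Program Files\Office\winword.exe
2020-09-19T12:51:09|OFFICE-PC01|clerk|C:\Users\clerk\advanced_ip_scanner.exe
2020-09-20T19:35:40|OFFICE-PC01|clerk|C:\Users\clerk\nmap.exe
2020-09-21T00:12:10|OFFICE-PC01|clerk|C:\Users\clerk\CVE-2016-7255.exe
2020-09-22T09:05:00|OFFICE-PC02|planner|C:\Windows\System32\notepad.exe
"""

REMOVABLE_DRIVES = {"E:", "F:"}   # assumption: letters this site assigns to USB storage
SCANNERS = {"advanced_ip_scanner.exe", "nmap.exe"}   # assumed on-disk file names
EXPLOIT_NAME = re.compile(r"cve-\d{4}-\d{4,}\.exe")  # binary named after a CVE id
BUSINESS_HOURS = range(7, 19)     # assumption: office accounts are used 07:00-18:59
WINDOW = timedelta(days=7)        # correlation window per host and account

def parse(log):
    """Turn pipe-delimited lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, host, user, image = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image})
    return events

def classify(event):
    """Return (rule, base_score) for a suspicious process start, else None."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if event["image"][:2].upper() in REMOVABLE_DRIVES:
        return "removable-media-exec", 3
    if name in SCANNERS:
        return "network-scanner", 2
    if EXPLOIT_NAME.fullmatch(name):
        return "named-exploit-binary", 4
    return None

def detect(events):
    """One alert per matching event; activity outside business hours scores +1."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            off_hours = ev["ts"].hour not in BUSINESS_HOURS
            alerts.append({**ev, "rule": hit[0], "score": hit[1] + int(off_hours)})
    return alerts

def correlate(alerts):
    """Group alerts per (host, user); escalate on 3+ distinct rules inside WINDOW."""
    grouped = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        grouped[(alert["host"], alert["user"])].append(alert)
    summary = {}
    for key, items in grouped.items():
        recent = [a for a in items if a["ts"] - items[0]["ts"] <= WINDOW]
        rules = {a["rule"] for a in recent}
        summary[key] = {"rules": rules, "score": sum(a["score"] for a in recent),
                        "escalate": len(rules) >= 3}
    return summary

if __name__ == "__main__":
    for key, info in correlate(detect(parse(SAMPLE_LOG))).items():
        print(key, sorted(info["rules"]), info["score"], info["escalate"])
```

Matching on file names alone is easy to evade by renaming; the per-account correlation and the off-hours weighting are what keep the constructed clerk account visible even when individual rules are weak.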
De Valk opened Antwerp’s container management program, Solvo, on September 21. Activity logs show that at 4am, he opened a user manual for the program, likely “to investigate what data they could obtain through Solvo (such as how to look up container locations),” Northwave wrote in its report.
The program would have allowed de Valk to see a wide array of information relating to staffing and the management and location of shipping containers. It could even allow him to generate PIN numbers himself, according to the cybersecurity firm.
Chats show de Valk also tried to clone the ID badges of port staff. A few days later, he sent a picture to the SkyECC group chat showing a computer screen with the text “badge” and “alfa pass,” which refers to plastic cards that port employees use to access different areas of the facility.
“Think we will soon be able to create a card ourselves,” he wrote.
It is not known whether de Valk eventually managed to fabricate such IDs. The court did not note any evidence that de Valk was involved in trafficking attempts after his September 2020 hack, either. Yet there is evidence he was active on the Antwerp terminal’s IT system until at least April 24, 2021, according to Northwave’s investigation. (De Valk did not respond to requests for comment on the claims.)
The logs Northwave was able to recover suggest that de Valk accessed the Solvo container software multiple times between October 19 and April 24, 2021, visiting pages that monitored containers, vehicles, staff passes, and names of transport drivers.
While de Valk’s activity after this period is unknown, the prosecution noted that, based on a scan of his seized laptop, he continued to have “chat conversations with various people about transport modes and deck cargoes” until as late as August 2021.
‘Black Harbor’
The full extent of what de Valk achieved before his arrest in September 2021 is not known. But European police believe that he was part of a broader pattern of PIN code fraud that has enabled the trafficking of at least 200 metric tons of cocaine through Rotterdam and Antwerp since 2018.
When Belgian police started investigating the intercepted SkyECC chats, they were hoping to shut down what they called the “black harbor” (the chains of corrupted port employees, transport drivers and others who have made trafficking possible), said Kurt Boudry, a senior officer with Belgium’s federal police.
But “we didn’t know it was going to be so large,” Boudry told OCCRP.
PIN code fraud is likely significantly underreported, according to a 2023 Europol report, and may be happening at other European ports as well.
In some cases, after unloading their contraband outside the port, the transport drivers working with drug traffickers will continue onwards and deliver the container to its rightful importer, meaning some cases are never detected or reported, the report says.
Janse, the Rotterdam seaport’s district police chief, said the biggest battle against traffickers is their ability to corrupt ports using money and intimidation.
Port authorities and shipping companies are experimenting with ways to tighten security, including by offering training to staff and by limiting the number of people who have access to data that can be exploited by traffickers, he added.
“I’m not saying that we’re going to win this struggle, but I’m saying that we’re able to make it more controllable,” Janse said.
Additional reporting by Brecht Castel (Knack) and Interferencia de Radios UCR
Fact-checking was provided by the OCCRP Fact-Checking Desk.