Drug files: Hacker of cocaine traffickers infiltrates Europe’s largest ports

Europe’s commercial ports are the most important entry points for record levels of cocaine flooding on the continent . Действията на холандски A hacker hired by drug traffickers to break into port computer networks reveals how this type of smuggling has become easier than ever.

• Court records and other documents obtained by reporters reveal how a man in the Netherlands hacked computer systems at the ports of Rotterdam and Antwerp and sold valuable data to help cocaine traffickers.
• With access to the ports’ container management systems, the hacker was able to recommend which containers are the best options for hiding smuggling.
• The hacker also used his access to key container data to help smugglers take their goods to their recipients.
• One of his hacks was facilitated by a bribed dock worker in Antwerp who inserted a malware flash drive into a port computer.

February 14, 2020 brings an unprecedented Valentine’s Day surprise to Costa Rican police – they find 3.8 metric tons of cocaine in a container with ornamental plants. Authorities have said little about who is behind the seizure of the record shipment intercepted in the Caribbean port city of Limón.

It wasn’t long before Dutch police made another discovery: After breaking into the encrypted chat platform SkyECC, they discovered that a 41-year-old father of two had played a key role in the operation from his computer in the port city of Rotterdam. On paper Davy de Valk) had difficulty holding on to a permanent job. According to the indictment brought against him by Dutch prosecutors, he lives on welfare, although he claims to have studied computer science. The encrypted chats reveal that de Valk actually had a regular – and well-paid – job such as black hacker or “black-hat” hacker, a term used for those who hack for criminal purposes. Неговият специалитет е проникване в компютърните системи на големите морски пристанища в Европа и продажба на информация на контрабандисти на кокаин.

To move their shipments freely, criminal groups have traditionally had to corrupt a long chain of port staff, from crane operators to customs inspectors. The increasing digitalization and automation of shipping logistics has opened up new opportunities for penetration. With the information that hackers like de Valk can provide, traffickers need no more than one corrupt employee and truck driver, experts say.

OCCRP and the Czech partner investigace.cz using court records, police reports, and analysis of Davy de Valk’s hacking algorithm, reconstruct how he and his accomplices infiltrated the computer networks of two of Europe’s busiest ports. In some cases, the methods used are relatively amateur.

The Dutch court found that de Valk was able to observe how the containers were scanned at the port of Rotterdam, thus helping his clients identify where to hide the drugs in order to avoid detection. It also penetrated the computer network of the terminal in Antwerp. A malware flash drive was used by a bribed employee, giving de Valk access to data that allowed his customers to take the drugs without attracting attention. De Valk received hundreds of thousands of euros for his services, intercepted chats show. Moreover, his hacking methods are relatively simple.

“It’s a fairly low-skill job,” Ken Munro, who runs a security consultancy in the United Kingdom, told OCCRP after reviewing the details of de Valk’s cyberattack at the Antwerp terminal. “This is the so-called. ” a ‘noisy’ attack that would generate many warnings if Antwerp’s port systems were set up to detect such actions,” he added.

An inside look at the Davy de Valk hack, which OCCRP is detailing for the first time as part of the NarcoFiles, highlights how vulnerabilities in these ports have allowed them to become funnels for cocaine pouring into Europe at a record rate.

Наркофайлове: Пътят към Европа – международният наркотрафик отвътре

In his defense, Davy de Valk claims that he did undercover research to develop a video game about the drug trade and sold only low-quality information to his criminal customers. The court rejected his explanation as “completely implausible” and in 2022 sentenced him to 10 years in prison for crimes involving illegal hacking, as well as aiding and abetting cocaine trafficking.

OCCRP sent multiple emails and made multiple phone calls to de Valk’s lawyers seeking comment, including whether the verdict would be appealed, but did not receive a response. It is not clear whether he is serving his sentence.

Record quantities of cocaine seized

The huge amount of 98 million containers that passed through Europe’s main ports in 2021 offers ample opportunities for drug traffickers to take advantage – only about two percent were checked. A record nearly 160 metric tons of cocaine were seized at the ports of Rotterdam and Antwerp in 2022 alone, less than a third of the total amount of cocaine passing through the ports. according to an internal Europol report obtained by OCCRP and investigace.cz.

One challenge is that these commercial ports are designed for efficiency rather than security. They are built to “move container cargo or any cargo from A to B in the shortest possible time at the lowest cost,” Rotterdam Port Police District Chief Jan Janse told OCCRP.

De Valk’s Ship Lines

In the weeks before the blow in Costa Rica, Davy de Valk describes its services and pricing to the client through the SkyECC chat platform. By observing the scanning history of companies that regularly delivered to Rotterdam, de Valk was able to tell which shipping lines were rarely inspected and were therefore the best targets for secretly hiding cocaine, and apparently without the knowledge of the shipping companies themselves. If the container successfully reaches Rotterdam, then de Valk helps customers pick up their cargo by canceling the initial pickup service and falsifying transport orders. This allows its customers to pick up the container themselves, take it out of the port and conveniently unload the drugs. The total cost of such a package is 500,000 euros.

“You get a company that doesn’t go through scanning, and your transport can pick it up without any problems,” de Valk wrote in one of the chat messages via SkyECC cited in his verdict by the court. Davy de Valk calls “my lines” the reliable shipping companies he recommends to customers.

For the cargo captured in Costa Rica, he recommends a container used by Vinkaplant, a well-known Dutch importer and exporter of tropical plants, making regular trips to its fields in Costa Rica and other Central American countries. “There are plants in it. It’s easy to load. It is not complete,” de Valk wrote to his client, who has not been identified by the court. This method “on the back” of a legitimate company is usually carried out without their knowledge. Vinkaplant has not been charged with any violations.

But this time de Valk’s “line” fails him. During a routine inspection, Costa Rican police noticed a suspicious discrepancy – the weight of the container did not match the declared number. During the inspection, it was found that in addition to 20 towers with ornamental plants, there were briefcases with 5048 black packages in the container, most of which were with pure cocaine.

PIN fraud

The key to Davy de Valk’s work is the ability to access the PIN codes of transport containers. These are unique reference numbers that are given to a container by a freight forwarding company after paying for its transportation. To pick up the container from the dock, carriers must provide the correct code along with other documentation.

In 2018, the authorities of the Port of Rotterdam noticed a spike in reports of stolen, missing, delivered to the wrong address or appearing in unexpected places. Authorities found out that criminal networks had discovered a new modus operandi for drug smuggling, which Europol called “PIN fraud”.

Traffickers discover that by illegally accessing container PINs – with the help of corrupt port officials or through hacking – they can pick up the cargo by impersonating the shipping company hired to pick it up. This data, as well as the container number, allows them to monitor the status of the shipment at the port, including when it is ready for release.

Without such PINs, smugglers would have to resort to much riskier methods, such as sending a group to break into the containers at the port and get away with the smuggled goods. There have also been cases of “Trojan horse” containers, where retrieval groups sneak into the port, hide in a container and wait, sometimes for days, until their shipment arrives and have the chance to retrieve it.

The relative ease of PIN fraud means that data comes at a high cost. According to an internal Europol report, encrypted chats show that criminals paid between €20,000 and €300,000 for such codes. The large number of port and transport personnel who have access to these reference numbers – in some cases up to 10,000 people in a shipping company – provides traffickers with many potential targets.

“It’s very easy to find someone who has access to this code and pay them money to get it,” says Rotterdam Port Police District Chief Jan Janse. “If you don’t say yes the first time you’re in the store shopping, they’ll throw it at you again and maybe try a third time to offer you the money. There are also cases, of course, when they then tell people, ‘We know where your children go to school.'” This type of corruption is the most used method by criminals to access inside information, including PINs, Janse says.

From de Valk’s chats, it becomes clear that he and his participants had access to inside information about the movement of containers in the port of Rotterdam. The Dutch court found that as part of an effort to organize the shipment, which was later stopped in Costa Rica, de Valk falsified a transport order, sent it to his accomplices and canceled the legitimate carrier. His sentence cited a chat with an image of a transport order sent to his customers and the text: “Below the reference is the PIN code.”

In addition, Davy de Valk He was also convicted of participating in organizing another shipment of more than 200 kilograms of cocaine hidden in a wine container that police found in Rotterdam in 2020. He used key container data provided to him by an unidentified group chat member.

His indictment reveals more details: De Valk and other members of the chat had access to the port’s container management software and, with the help of “alleged corrupt contacts at the port,” had “direct information about the container’s data, relevant license plates, and loading and unloading times.” The details of how they gained access to this information in Rotterdam are not known. But de Valk’s next adventure in Antwerp provides only one possible explanation.

Hacking with a flash drive

Days after the consignment of wine was seized in Rotterdam, Davy de Valk sets his sights on a new target with the help of a man named Bob Zwaneveld. This is clear from their sentences. The 57-year-old Zwaneveld does not embody the popular image of a crime boss. According to the indictment of the prosecutor’s office, he spent seven years in a camper in a recreation park before being arrested in 2021. Unofficially, he was actively involved in cocaine and arms trafficking, which in 2022 earned him a 12-year sentence.

OCCRP made repeated attempts to contact Zwaneveld through his lawyers, seeking comment on the verdict and whether it would be appealed, but did not receive a response. It is not clear whether he is serving his sentence.

Chats show that Zwaneveld played a coordinating role in several drug deals in 2020, including arranging the sale of his UK friend of 100 “colos” – a term he and others use to describe kilograms of Colombian cocaine. He also regularly negotiates through encrypted chat platforms the purchase, sale or supply of firearms, hand grenades and ammunition.

According to their verdicts, Zwaneveld and de Valk jointly planned to break into the Antwerp terminal, which manages the second largest volume of shipping containers in Europe after Rotterdam. To do this, they needed the help of someone from the inside – in this case, an employee in the port office. An employee testified before Belgian police that she was approached by someone who offered her 10,000 euros to put a flash drive in her workplace computer. This is clear from her testimony, cited in de Valk’s verdict.

After agreeing, she was given a SKY phone — a secure device with an encrypted messaging app — to communicate with an account user on the SkyECC chat platform, identified in court only as 7MIOBC, who submitted the requests to her in a group chat with de Valk and Zwaneveld. According to local media, the port employee was convicted by a Belgian court in March this year. Details of the verdict are missing, as well as whether it will be appealed. The employee did not respond to reporters’ requests for an interview.

After de Valk prepared the flash drive, it passed through several hands, including Zwaneveld’s, before reaching the port employee. “Just activate the program on the flash drive. Click twice and wait 15 seconds, then you can take it out again,” de Valk instructs. Soon after, the operation is underway.

“Yes, I have it,” he wrote in the group chat, sending a screenshot revealing his access to the employee’s computer, showing the word “user,” followed by a photo of folders and disks. User 7MIOBC responds with a photo of a flash drive plugged into the terminal office computer in Antwerp.

After the port employee opened the flash drive file and installed the malware, de Valk performed a series of “malicious actions” on the system. This is shown by the forensic expertise of the hack, included in a report by the Dutch cybersecurity firm Northwave, mentioned in the verdict of the Davy de Valk.

De Valk opens Antwerp’s container management program, Solvo, on September 21. Activity logs show that at 4 a.m., he opened the program’s user guide, presumably “to explore what data they can get through Solvo (such as how to search for container locations),” Northwave wrote in its report. The program allowed de Valk to see a wide range of information related to the management and location of containers. According to the cybersecurity firm, access even allowed him to generate the container PINs himself.

The chats show that de Valk also tried to make duplicates of the badges for the identification of port personnel. A few days later, he sent a photo to the SkyECC group chat showing a computer screen with the text “badge” and “alpha pass”, which refers to the maps that port officials use to access different parts of the facility. “I think we will soon be able to make a map ourselves,” he wrote.

It is not known whether de Valk was ultimately able to forge such identity documents. There is no evidence that de Valk was involved in trafficking attempts after committing the hack in September 2020, but there is still evidence that he was active in the computer system of the Antwerp terminal until at least April 24, 2021, according to the Northwave investigation. (De Valk did not respond to requests for comment on the allegations.)

“Black Port”

European police believe he was part of a larger pattern of PIN fraud that allowed the trafficking of at least 200 metric tons of cocaine through Rotterdam and Antwerp since 2018.

When Belgian police begin investigating the intercepted chats on SkyECC, they hope to close the so-called “black port” – chains of corrupt port officials, transport drivers and others that made the traffic possible, says Kurt Boudry, a senior official in the Belgian Federal Police. But “we didn’t know it was going to be this big,” Boudrey told OCCRP.

According to a 2023 Europol report, reported PIN fraud is likely to be significantly underestimated and may also occur in other European ports. In some cases, after unloading the contraband outside the port, the drivers of transport companies working with drug traffickers continue along the route and deliver the container to the legal importer. This means that some cases were never detected or reported, the report said.

Jan Janse, district chief of Rotterdam’s port police, says the biggest battle against traffickers is their ability to corrupt ports using money and intimidation. Port authorities and shipping companies are experimenting with ways to tighten security, including by training staff and by limiting the number of people who have access to data that can be used by traffickers, he added. “I’m not saying we’re going to win this war, but I’m saying we’re able to make it more controllable,” Janse said.

NarcoFiles: Reporting by Paul May (investigace.cz), Pavla Holcova (investigace.cz / OCCRP), Brecht Castel (Knack), Interferencencia de Radios UCR Lead collage: James O’Brien/OCCRP, Photos: Alamy Stock Photo

*The method of hacking with a malware flash drive entered into a computer by a bribed customs officer was also used in Bulgaria years ago. This reveals the joint operation of several Balkan countries called Shipment/Virus, in which, according to SELEC, more than 200,000 bitcoins were found, in which the criminals invested the profits from duty-free trucks with goods. According to the Bulgarian prosecutor’s office, these bitcoins were not confiscated by the authorities. /BIRD.BG/

Наркофайлове: Новият световен престъпен ред

***

Разследващата журналистика е разузнаването на гражданите. BIRD се финансира от дарения. Ние не публикуваме реклами. Не получаваме държавни субсидии. Не разчитаме на грантове. Финансирането чрез малки дарения от читатели е гаранция за нашата независимост. Включете се, за да продължим да разкриваме злоупотреби и да държим отговорни властимащите. Използваме Вашите пари за хонорари на журналистите, командировки, изграждане и поддръжка на нашите информационни системи, такси за фирмени и имотни регистри у нас и по света, придобиване на техника и специално оборудване, осигуряване на нашата безопасност и други важни работни мисии. Важно: Ако дарявате всеки месец това ще ни даде възможност да планираме и организираме нашата работа. Благодарим Ви! Нас ни има, защото Вас Ви има!

This post is also available in: Български (Bulgarian)