|Owner||Central Intelligence Agency (1970–2018)|
Federal Intelligence Service (1970–1993)
Crypto AG was a Swiss company specialising in communications and information security. It was secretly jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993, with the CIA continuing as sole owner until about 2018. With headquarters in Steinhausen, the company was a long-established manufacturer of encryption machines and a wide variety of cipher devices.
The company had about 230 employees, had offices in Abidjan, Abu Dhabi, Buenos Aires, Kuala Lumpur, Muscat, Selsdon and Steinhausen, and did business throughout the world. The owners of Crypto AG were unknown, supposedly even to the managers of the firm, and they held their ownership through bearer shares.
The company has been criticised for selling backdoored products to benefit the American, British and German national signals intelligence agencies, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), and the BND, respectively. On 11 February 2020, The Washington Post, ZDF and SRF revealed that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence, and the spy agencies could easily break the codes used to send encrypted messages. The operation was known first by the code name "Thesaurus" and later "Rubicon".
Crypto AG was established in Switzerland by the Russian-born Swede, Boris Hagelin. Originally called AB Cryptoteknik and founded by Arvid Gerhard Damm in Stockholm in 1920, the firm manufactured the C-36 mechanical cryptograph machine that Damm had patented. After Damm's death, and just before the Second World War, Cryptoteknik came under the control of Hagelin, an early investor.
Hagelin's hope was to sell the device to the United States Army. When Germany invaded Norway in 1940, he moved from Sweden to the US and presented the device to the military, which in turn brought the device to the Signal Intelligence Service, and the code-breakers in Arlington Hall. In the end he was awarded a licensing agreement. 140,000 units were made during the war for American troops.
During his time in America, Hagelin became close friends with William F. Friedman, who in 1952 became chief cryptologist for the National Security Agency (NSA) and who Hagelin had known since the 1930s. The same year, Hagelin's lawyer, Stuart Hedden, became deputy commander in CIA, Inspector General.
In 1948 Hagelin moved to Steinhausen in Switzerland to avoid taxes. In 1952 the company, which until then had been incorporated in Stockholm, also moved to Switzerland. The official reason was that it was transferred as a result of a planned Swedish government nationalization of militarily important technology contractors. A holding company was set up in Liechtenstein.
During the 1950s, Hagelin and Friedman had frequent mail correspondence, both personal and business alike. Crypto AG sent over new machines to the NSA and they had an ongoing discussion concerning which countries they would or would not sell the encryption systems to, and which countries to sell older, weaker systems. In 1958 when Friedman retired, Howard C. Barlow, a high-ranking NSA employee, and Lawrence E. Shinn, NSA's signal intelligence directory in Asia, took over the correspondence.
In June 1970, the company was bought in secret by the CIA and the West-German intelligence service, BND, for $5.75 million. Hagelin had first been approached to sell to a partnership between the French and West-German intelligence services in 1967, but Hagelin contacted CIA and the Americans did not cooperate with the French. At this point, the company had 400 employees and the revenue increased from 100,000 Swiss franc in the 1950s to 14 million Swiss franc in the 1970s.
In 1994, Crypto AG bought InfoGuard AG a company providing encryption solutions to banks.
In 2010, Crypto AG sold G.V. LLC, a Wyoming company providing encryption and interception solutions for communications.
In 2018, Crypto AG was liquidated, and its assets and intellectual property sold to two new companies. CyOne was created for Swiss domestic sales, while Crypto International AG was founded in 2018 by Swedish entrepreneur Andreas Linde, who acquired the brand name, international distribution network, and product rights from the original Crypto AG. Crypto International AG is also known as CRV LLC in Wyoming, USA.
The company had radio, Ethernet, STM, GSM, phone and fax encryption systems in its portfolio.
According to declassified (but partly redacted) US government documents released in 2015, in 1955, Crypto AG's founder Boris Hagelin and William Friedman entered into an unwritten agreement concerning the C-52 encryption machines that compromised the security of some of the purchasers. Friedman was a notable US government cryptographer who was then working for the National Security Agency (NSA), the main United States signals intelligence agency. Hagelin kept both NSA and its United Kingdom counterpart, Government Communications Headquarters (GCHQ), informed about the technical specifications of different machines and which countries were buying which machines. Providing such information would have allowed the intelligence agencies to reduce the time needed to crack the encryption of messages produced by such machines from impossibly long to a feasible length. The secret relationship initiated by the agreement also involved Crypto AG not selling machines such as the CX-52, a more advanced version of the C-52, to certain countries; and the NSA writing the operations manuals for some of the CX-52 machines on behalf of the company, to ensure the full strength of the machines would not be used, thus again reducing the necessary cracking effort.
Crypto AG had already earlier been accused of rigging its machines in collusion with intelligence agencies such as NSA, GCHQ, and the German Federal Intelligence Service (BND), enabling the agencies to read the encrypted traffic produced by the machines. Suspicions of this collusion were aroused in 1986 following US president Ronald Reagan's announcement on national television that, through interception of diplomatic communications between Tripoli and the Libyan embassy in East Berlin, he had irrefutable evidence that Muammar Gaddafi of Libya was behind the West Berlin discotheque bombing in 1986. President Reagan then ordered the bombing of Tripoli and Benghazi in retaliation. There is no conclusive evidence that there was an intercepted Libyan message.
Further evidence suggesting that the Crypto AG machines were compromised was revealed after the assassination of former Iranian Prime Minister Shapour Bakhtiar in 1991. On 7 August 1991, one day before Bakhtiar's body was discovered, the Iranian Intelligence Service transmitted a coded message to Iranian embassies, inquiring "Is Bakhtiar dead?" Western governments were able to decipher this transmission, causing Iranian suspicion to fall upon their Crypto AG equipment.
The Iranian government then arrested Crypto AG's top salesman, Hans Buehler, in March 1992 in Tehran. It accused Buehler of leaking their encryption codes to Western intelligence. Buehler was interrogated for nine months but, being completely unaware of any flaw in the machines, was released in January 1993 after Crypto AG posted bail of $1m to Iran. Soon after Buehler's release Crypto AG dismissed him and sought to recover the $1m bail money from him personally. Swiss media and the German magazine Der Spiegel took up his case in 1994, interviewing former employees and concluding that Crypto's machines had in fact repeatedly been rigged.
Crypto AG rejected these accusations as "pure invention", asserting in a press release that "in March 1994, the Swiss Federal Prosecutor's Office initiated a wide-ranging preliminary investigation against Crypto AG, which was completed in 1997. The accusations regarding influence by third parties or manipulations, which had been repeatedly raised in the media, proved to be without foundation." Subsequent commentators were unmoved by this denial, stating that it was likely that Crypto AG products were indeed rigged. Le Temps has argued that Crypto AG had been actively working with the British, US and West German secret services since 1956, going as far as to rig instruction manuals for the machines on the orders of the NSA. These claims were vindicated by US government documents declassified in 2015.
In 2020, an investigation carried out by The Washington Post, Zweites Deutsches Fernsehen (ZDF), and Schweizer Radio und Fernsehen (SRF) revealed that Crypto AG was, in fact, entirely controlled by the CIA and the BND. The project, initially known by codename "Thesaurus" and later as "Rubicon" operated from the end of the Second World War until 2018.
- Miller, Greg (11 February 2020). "'The intelligence coup of the century'". The Washington Post. Archived from the original on 11 February 2020. Retrieved 11 February 2020.
- "Headquarters and regional offices worldwide". Crypto AG. Archived from the original on 16 May 2011. Retrieved 6 January 2008.
- Müller, Leo (18 September 2013). "Spionage: Unheimlich kooperativ". Bilanz (in German). Retrieved 30 March 2017.
- Atmani, Mehdi (21 August 2015). "Agents doubles". Le Temps (in French). p. 11. Retrieved 13 February 2020.
- Corera, Gordon (28 July 2015). "How NSA and GCHQ spied on the Cold War world". BBC News. Retrieved 9 October 2015.
- "Swiss machines 'used to spy on governments for decades'". BBC News. 11 February 2020. Retrieved 13 February 2020.
- Dugstad, Line; Kibar, Osman (2 January 2015). "Den skjulte partneren". Dagens Næringsliv (in Norwegian). Retrieved 13 February 2020.
- "Business Entity Detail - Wyoming Secretary of State". wyobiz.wy.gov. Retrieved 8 March 2020.
- "The CIA secretly bought a company that sold encryption devices across the world. Then its spies sat back and listened". Washington Post. Retrieved 8 March 2020.
- "Crypto and cipher machines - A list of popular machines and a history of Crypto AG". www.cryptomuseum.com. Retrieved 22 February 2020.
- ""Wer ist der befugte Vierte?"". Der Spiegel (in German). No. 36. 2 September 1996. pp. 206–207. Retrieved 13 February 2020.
- Madsen, Wayne (1999). "Crypto AG: The NSA's Trojan Whore?". CovertAction Quarterly. Archived from the original on 27 September 2007. Retrieved 11 February 2020.
- Schneier, Bruce (15 June 2004). "Breaking Iranian Codes". Crypto-Gram. Schneier on Security. Retrieved 9 October 2015.
- Shane, Scott; Bowman, Tom (4 December 1995). "No Such Agency, part four: Rigging the game". The Baltimore Sun. pp. 9–11. Archived from the original on 1 March 2019. Retrieved 9 October 2015.
- De Braeckeleer, Ludwig (29 December 2007). "The NSA-Crypto AG Sting". OhmyNews. Archived from the original on 29 December 2008.
- Grabbe, J. Orlin (2 November 1997). "NSA, Crypto AG, and the Iraq-Iran conflict". Associated Communications Internet. Archived from the original on 7 June 2007. Retrieved 13 February 2020.
- Schneier, Bruce (11 January 2008). "NSA Backdoors in Crypto AG Ciphering Machines". Schneier on Security. Retrieved 9 October 2015.
- Baranyi, Laszlo (11 November 1998). "The story about Crypto AG". Archived from the original on 14 December 2010 – via biphome.spray.se.
- Atmani, Mehdi (28 July 2015). "Depuis 1956, l'entreprise suisse Crypto AG collaborait avec le renseignement américain, britannique et allemand". Le Temps (in French). Retrieved 13 February 2020.
- Bammerlin, Steven (30 July 2015). "Cryptologie: un lecteur du «Temps» raconte les dessous de l'alliance entre la Suisse et les Anglo-saxons". Le Temps (in French). Retrieved 13 February 2020.
- "#cryptoleaks: Wie die Crypto AG weltweit agierte". heute (in German). ZDF. 11 February 2020. Retrieved 12 February 2020.
- "Operation Rubikon" (in German). ZDFmediathek. 11 February 2020. Retrieved 12 February 2020.
- Website of the new Crypto International AG located in the same location as the old company in Steinhausen/Zug (since 2018)
- Website of INFOGUARD AG
- Website of Cryptomuseum with history and list of popular machines.
- Website of Washington Post Greg Miller's breaking story offering numerous confirmed details on CIA's involvement with Crypto AG.
- La Suisse sous couverture, Episode 1 , Agents infiltrés, Radio Télévision Suisse , November 2019 (link to Youtube with subtitles in English)