Analysis of Criminal Codes and Ciphers by Olson (Forensic Science Communications, January 2000)
January 2000 - Volume 2 - Number 1
Analysis of Criminal Codes and Ciphers
Cryptanalyst Forensic Examiner
Racketeering Records Analysis Unit
Federal Bureau of Investigation
For as long as man has had the ability to communicate, secrecy has been sought. Over the centuries various methods of secret writing, or cryptography, have been developed for numerous purposes. The two major categories of cryptographic systems are ciphers and codes, both of which are used extensively by criminals to conceal clandestine records, conversations, and writings.
Cryptology is the scientific study of cryptography and includes cryptanalytics, which deals with methods of solving cryptographic systems. This article is an introduction to the variety of secret writing encountered in law enforcement and describes the role of FBI cryptanalysts in examining and deciphering these criminal codes and ciphers.
Ciphers involve the replacement of true letters or numbers (plain text) with different characters (cipher text) or the systematic rearrangement of the true letters without changing their identities to form an enciphered message. Cipher systems have been common since ancient times and vary in degree of complexity and sophistication. The Enigma Cipher Machine used by the Germans during World War II, for example, was thought to be unbreakable. Only after the fighting had concluded did it become known that the Allies had broken the cipher and had been reading secret German communications throughout the war.
Criminals have a long history of using cipher systems. During the Prohibition Era, rum runners in ships off the East and West Coasts of the United States used a variety of cipher systems, including advanced cipher machines, to communicate with their confederates on shore. The United States Coast Guard and the Department of Commerce pooled their resources to intercept and decipher the rum runners’ messages. In 1969 the Zodiac Killer, who terrorized California’s Bay Area during the 1960s and 1970s, sent a three-part cipher message to area newspapers explaining his motive for killing. This complex cipher used more than fifty shapes and symbols to represent the 26 letters of the alphabet but was broken in hours by a high school history teacher and his wife.
Criminals typically use homemade, simple substitution cipher systems which use a single cipher text character to replace a plain text character. Those most likely to use such ciphers include criminals involved in clandestine activities that require incriminating records, such as drug trafficking, loansharking, and illegal bookmaking. Incarcerated criminals also use cipher systems to communicate with cohorts inside and outside of prison.
Simple Substitution Ciphers
A relatively basic form of substitution cipher is the Caesar Cipher, named for its Roman origins. The Caesar Cipher involves writing two alphabets, one above the other. The lower alphabet is shifted by one or more characters to the right or left and is used as the cipher text to represent the plain text letter in the alphabet above it.
In this example, the plain text K is enciphered with the cipher text L. The phrase ‘Lucky Dog’ would be enciphered as follows:
Ciphers can be made more secure by using a keyword to scramble one of the alphabets. Keywords can be placed in the plain text, the cipher text, or both, and any word can be used as a key if repeated letters are dropped. Here the word SECRETLY (minus the second E) is used as the plain text keyword.
It is important to remember that the cipher text may utilize numbers, symbols, or letter combinations to represent plain text characters.
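The two constructions described in this section, written out as an added example that is not part of the original article. The shift of one follows the K-to-L example; leaving the cipher row unshifted under the SECRETLY plain row is an assumption.

```python
import string

ALPHABET = string.ascii_uppercase

def shifted_alphabet(shift):
    """Standard alphabet moved `shift` places, as in a Caesar Cipher."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]

def keyword_alphabet(keyword):
    """Keyword with repeated letters dropped, then the unused letters in order."""
    row = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in row:
            row.append(ch)
    return "".join(row)

def substitute(text, from_row, to_row):
    """Replace each letter found in from_row with the letter below it in to_row."""
    table = str.maketrans(from_row + from_row.lower(), to_row + to_row.lower())
    return text.translate(table)

# Caesar Cipher with a shift of one: plain K becomes cipher L.
CAESAR_PLAIN, CAESAR_CIPHER = ALPHABET, shifted_alphabet(1)
# Keyword SECRETLY in the plain row; the unshifted cipher row is an assumption.
KEYED_PLAIN, KEYED_CIPHER = keyword_alphabet("SECRETLY"), ALPHABET

if __name__ == "__main__":
    print(substitute("Lucky Dog", CAESAR_PLAIN, CAESAR_CIPHER))
    print(KEYED_PLAIN)
    secret = substitute("LUCKY DOG", KEYED_PLAIN, KEYED_CIPHER)
    # Deciphering is the same lookup with the two rows swapped.
    print(secret, "->", substitute(secret, KEYED_CIPHER, KEYED_PLAIN))
```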
Solving Simple Substitution Ciphers
If the cryptanalyst knows which language the cipher was written in and has enough cipher text to work with, simple substitution ciphers can often be solved easily. Cryptanalysts use the following procedures when decrypting an unknown cipher:
• The cipher text message is identified from other cipher text or plain text on the document.
• The number of different cipher text characters or combinations is counted to determine if the characters or combinations represent plain text letters, numbers, or both letters and numbers.
• Each cipher text character is counted to determine the frequency of usage.
• The cipher text is examined for patterns, repeated series, and common combinations.
After these analyses have been completed, the cryptanalyst begins to replace cipher text characters with possible plain text equivalents using known language characteristics. For example:
• The English language is composed of 26 letters. However, the nine high-frequency letters E, T, A, O, N, I, R, S, and H constitute 70 percent of plain text.
• EN is the most common two-letter combination, followed by RE, ER, and NT.
• Vowels, which constitute 40 percent of plain text, are often separated by consonants.
• The letter A is often found in the beginning of a word or second from last. The letter I is often third from the end of a word.
Using these and many other known language characteristics, a cryptanalyst can often decipher a simple substitution cipher with little difficulty.
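The counting steps listed above, applied to a short cipher text, as an added example that is not part of the original article. The sample message is constructed, the symbol-count thresholds are a rule of thumb assumed here, and the first guess (that the most repeated three-symbol word is THE) is an assumption about English rather than a rule from the article.

```python
from collections import Counter

# Constructed sample: a short English message under a simple substitution,
# with word divisions kept. It is not taken from any case record.
CIPHERTEXT = "NFFU NF BU UIF EPDL BU UFO CSJOH UIF NPOFZ UP UIF CPBU"

def symbol_counts(ciphertext):
    """Distinct cipher symbols and how often each one is used."""
    return Counter(ch for ch in ciphertext if not ch.isspace())

def likely_alphabet(counts):
    """Assumed rule of thumb: up to 10 symbols suggests numbers, up to 26 letters."""
    n = len(counts)
    return "numbers" if n <= 10 else "letters" if n <= 26 else "letters and numbers"

def repeated_ngrams(ciphertext, n):
    """Series of n symbols that occur more than once inside words."""
    grams = Counter(word[i:i + n] for word in ciphertext.split()
                    for i in range(len(word) - n + 1))
    return {gram: count for gram, count in grams.items() if count > 1}

def top_share(counts, k=9):
    """Share of the text carried by the k most frequent symbols."""
    return sum(c for _, c in counts.most_common(k)) / sum(counts.values())

def apply_guess(ciphertext, guess):
    """Show guessed letters in lower case and every unsolved symbol as a dot."""
    return "".join(guess.get(ch, ch if ch.isspace() else ".") for ch in ciphertext)

def first_pass(ciphertext):
    """Assume the most repeated three-symbol series is THE and fill it in."""
    trigrams = repeated_ngrams(ciphertext, 3)
    best = max(trigrams, key=trigrams.get)
    return best, apply_guess(ciphertext, dict(zip(best, "the")))

if __name__ == "__main__":
    counts = symbol_counts(CIPHERTEXT)
    print(len(counts), "distinct symbols ->", likely_alphabet(counts))
    print("most frequent:", counts.most_common(5))
    # Very short texts run well above the 70 percent expected of long ones.
    print("share of top nine symbols: %.0f%%" % (100 * top_share(counts)))
    print("repeated pairs:", repeated_ngrams(CIPHERTEXT, 2))
    print(first_pass(CIPHERTEXT))
```

The partially filled line from `first_pass` is where the manual work starts: each remaining dot is tested against the language characteristics listed above until the words become readable.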
Keyword Number Ciphers
Most criminal ciphers are used to conceal numbers, especially telephone numbers, addresses, weights, and money amounts. Keyword number ciphers are the most common system for encrypting numbers and are used in the same manner as keyword alphabet ciphers. Normally these keywords are ten-letter words with no repeat letters.
Foreign language keywords are often used. The following is an example of a drug ledger that used a Spanish keyword cipher:
While decrypting the cipher, the cryptanalyst made the assumption that the letters represent numbers. If A+A+A = A, as set forth on the right-hand column, then A must equal 0 or 5. Using the same logic, if A+Q+Q = A, then Q must equal 5 and A must be 0. The cryptanalyst continued until the following relationships were established:
Further analysis of other cipher text and anagramming the cipher text letters into an intelligible word revealed the following reverse order key:
Number ciphers do not require a keyword. An incarcerated drug dealer in an Arizona prison sent a letter to a cohort instructing her to mail a shipment of drugs to the following Georgia address:
GCDI Abercorn Drive
Savannah, GA 31206
The cipher text letters are all within the first nine letters of the alphabet. If A is assumed to equal 0, then the following key would result.
The key can be verified by checking the resulting street address. If this key is proved to be invalid, try moving the 0 to the end of the number series and assume that A = 1 instead. In this example, the first assumption proved to be correct. The notation A = 0 was found in the lower right-hand corner of the prison letter, confirming the key.
Using the above telephone keypad, the criminal can substitute numbers with the letters corresponding to the telephone button. Numbers 0 and 1 can be substituted with Q and Z (older telephone keypads do not have the letters Q or Z). The telephone number (202) 324-5678, for example, could be enciphered any of the following ways:
BQB DAG KMRV
CQA FBI JNPX
AQB ECH LOST
Telephone keypad systems may use all 26 letters in the alphabet and thus are easily confused with enciphered words. Further analysis of the letter combinations, however, will disprove the possibility that the cipher text conceals words. Once identified, telephone keypad ciphers are easily decrypted.
The centuries-old Masonic Cipher uses two tic-tac-toe diagrams and two X patterns to represent the letters of the alphabet. Letters are enciphered using the patterns formed by the intersecting lines and dots.
The name Bob Smith would be encrypted as follows:
A variation of the Masonic Cipher used to encrypt numbers is the tic-tac-toe cipher. Using this pattern, each number can be enciphered with the character that is formed by the intersecting lines surrounding each number. The 0 is enciphered using an X.
Ciphers are created by replacing individual characters of plain text with cipher text characters. Codes differ from cipher systems in that code text may represent letters, numbers, words, or phrases. Codes are typically used to add two elements to communications: secrecy and brevity. Military and espionage code systems place the greatest emphasis on secrecy; civilian agencies and corporations use technical codes for brevity, often with no concern for security. Criminals use codes for both purposes. Unlike cipher systems, which can be deciphered using set procedures and techniques, codes cannot be deciphered without some knowledge of what the writer is attempting to conceal.
Sports Bookmaking Codes
Illegal bookmaking operations require detailed business records to record wagers placed, game lines and outcomes, bettor names, and account balances. On the basis of these record-keeping needs, bookmakers typically make extensive use of codes. Brevity is the main purpose for the codes, but the codes also provide an element of secrecy. Some bookmaking operations rely on specialized codes known only to the bookmaker and his clerks, but many bookmaking codes are well known among bookmakers throughout the United States.
The following are examples of how a sports bookmaking operation can encode a losing $1000 wager on the Dallas Cowboys plus 6 ½ points:
K100 is a coded account designation representing a bettor. The hyphen (-) after the numeral 6 indicates the line at 6 ½. The X indicates a multiplication by 5, thus 200X = $200 X 5, or $1000. The L indicates a losing wager.
Here the name of the bettor is given. The apostrophe after the six indicates the half point in the line. Dime means a $1,000 wager. No win or lose indicator is present. Instead the bookmaker notes the amount owed by the bettor for the losing wager.
In this example, the team name is substituted by its unique rotation number. Team rotation numbers are assigned on a weekly basis and can be found in sports schedules. The bookmaker dropped the 00 in the wager amount, thus the 10 represents a $1000 wager.
Boys is a slang name for the Dallas Cowboys. The 200T indicates 200 X 5 as in the first example. The X indicates a losing wager.
Team names are substituted by code numbers in the above sports wagers. The arrows indicate over or under wagers on the total score of the game. The bookmaker has dropped the zeros to conceal the true amounts of money wagered: the numeral 1 indicates a $100 wager and the ½ indicates a $50 wager.
Horse Race Bookmaking Codes
Horse wagering codes differ from sports wagers, because the terminology and information requirements are unique. A wager on horse #4, Lucky Star, in the third race at Pimlico Track could be written as follows.
P/3 indicates the third race at Pimlico, and #4 is the horse number. The 5-2-2 indicates a $5 wager to win and $2 wagers to place and show. The W indicates the horse won. The dollar amounts indicate payoff amounts for the win, place, and show.
Here the code BP represents the bettor. Pim-3 indicates the track and race. X5X denotes a $5 wager to place. No wager is made on the win or show positions.
Here account TICCO placed a $2 combination wager on number 435 on the midday lottery drawing.
Drug records normally consist of dates, accounts, units, prices, and sometimes drug types. Drug traffickers often use codewords to disguise their activity, and these are limited only by the imagination of the drug trafficker. Typically different codewords are used in conversation to differentiate between drug types. For example, the code white indicates cocaine, and green indicates marijuana.
Pager codes are popular among street drug dealers and are often used by regular drug customers to communicate with sellers. The following is an example of a series of coded pager messages between a drug purchaser and a seller.
772 111: The code 772 is the identity of the customer inquiring about the price of one ounce of cocaine.
007 1150: The code 007 is the identity of the seller, and the price for one ounce is $1150.
772 222 432: Account 772 wants to purchase two ounces of cocaine, and the seller is asked to call 772’s cell telephone number (432 is the telephone number prefix).
Pager codes can also be used by traffickers who are transporting drugs over long distances.
The code 823 is the identity of a drug courier traveling on Interstate 95 at Exit 12. The code 333 indicates everything is fine. If the driver wanted to communicate that he or she had been delayed by vehicle repairs or stopped by police, the code 999 (stopped for repairs) or 911 (under arrest) could be used.
The ciphers and codes presented are examples of the many cryptographic systems used by criminals. Many of the ciphers and codes in this article can be easily decrypted, but in some instances, deciphering a code or cipher requires special training.
The Racketeering Records Analysis Unit (RRAU) of the Federal Bureau of Investigation’s Laboratory in Washington, DC, is staffed with qualified cryptanalysts who have specialized training in the areas of cryptanalysis, drug trafficking, money laundering, and racketeering activities. The services of RRAU are available to assist federal, state, and local law enforcement agencies in the analysis of clandestine business records relating to illegal gambling, drug trafficking, money laundering, loansharking, and prostitution. RRAU examiners and analysts are available for expert testimony, pretrial advice and assistance, and on-site examinations and consultations. For additional information, contact the RRAU at the following:
Federal Bureau of Investigation
Racketeering Records Analysis Unit
935 Pennsylvania Avenue, NW
Washington, DC 20535
Telephone: (202) 324-2500
Facsimile: (202) 324-1090