A former military facility in Germany’s Mosel region served as a hub for organized crime on the internet until 650 police shut it down in a raid. The bizarre story behind the bunker that is likely to produce countless criminal cases. By DER SPIEGEL Staff
Marcus Kaufhold/ DER SPIEGEL
Many paths lead to the small town of Traben-Trarbach, which is situated on Germany’s Mosel River and famous for its much-visited “underworld” of wine cellars. Frankfurt-Hahn is located just 30 minutes away by car, a regional airport that was, at least until the arrival of the coronavirus, a budget airline hub. Situated on the southern bank of the river, the town is also dissected by Highway 53 to Trier and Highway 42 running between southwestern Germany and Belgium. Numerous other roads wind through the vineyards that line the river.
Walkers can reach Traben-Trarbach via stage 12 of the 365-kilometer Moselsteig hiking route, which takes them up to the flat summit of Mont Royal, a mountain that is rich in history and in histrionics.
Up there, belying the picturesque setting, the biggest traffic junction — not only in Traben-Trabach, but in the whole world — was to be found, at least until 650 police officers swept in to raid an old bunker referred to the by the press as the “Cyberbunker” a few months ago. Traffic there wasn’t measured in kilometers per hour, but in bits per second. It gave a new meaning to the “underworld” moniker, because it tells the story of how a postcard-perfect old German town like Tranen-Trabach became a virtual metropolis of global crime.
Located at Über den Weinbergen 1, four of its five floors are below ground and it has 5,500 square meters (59,000 square feet) of floor space. For much of its history, it was used by the German military, and the fenced-in property aboveground includes a few structures, a guarded gate and a helicopter pad. Altogether, it’s above-ground area is about 32 acres, according to the notarized bill of sale from June 26, 2016, deed number 1136.
Eight months ago, on Thursday, Sept. 26, special police units fanned out across Traben-Trarbach, both on the mountain and below in the valley, to shut down what is thought to have been the headquarters of a crime ring up on Mont Royal and to arrest members of that suspected criminal organization in a restaurant on the Traben-Trarbach side of the river.
It was shortly after 6 p.m. when the police stormed the first floor of the restaurant, where nine suspects had just sat down for the evening meal. They were there at the invitation of a police mole, who had long since infiltrated the group. The restaurant owner’s face still goes pale today when remembering that terrible evening. And as the group was being rounded up in the restaurant, a large team of police data forensics experts secured computers, data and other evidence up in the bunker on the mountain. They must have felt like they were in a kind of digital Tora Bora.
The spectacular raid came after the kind of investigation that Germany hasn’t seen too many times before. The case involves myriad criminal proceedings, but essentially focuses on the opportunities made available to criminals by the internet and, specifically, by the darknet. Even as many of the crimes are committed in the analog world – such as forgery, drug trafficking, fraud and theft – much of it is organized and processed in virtual spaces.
At the heart of this story are two men who took over the bunker from the state with the apparent intention of using it for their criminal machinations. And it highlights the challenges facing the state when it comes to combating the spread of cybercrime – and the challenges facing online security.
They must have felt like they were in a digital Tora Bora
The Cyberbunker investigation is a cooperation among numerous government agencies, including the Federal Criminal Police Office (BKA) and two state counterparts, numerous public prosecutors and investigative courts along with myriad experts and undercover investigators, all of whom have combined to produce thousands of pages of documentation – which has now been compressed into a 275-page indictment. The case is likely to go to trial in Trier a few months from now.
The judges are not in an enviable position. While it is clear that the bunker was a kind of technical nerve center – a key darknet hosting service – for numerous criminal internet sites and dubious marketplaces, it will likely be very difficult to prove that the operators knew about and supported what was going on.
And if the state is unable to prove it, it will be a significant defeat for the rule of law. Should there be no conviction at the end of the trial, it will cast a rather dubious light on the years of surveillance of the bunker owners, the eavesdropping on their telephone conversations and email – the deep incursions on their constitutional rights.
The public prosecutor responsible for the case believes a guilty verdict is likely. He is convinced he will be able to prove that the criminal activities of the websites hosted in the Cyberbunker were not random, but were in fact the express purpose of the facility.
The main defendant, however, a man from Holland whose registered address is in Singapore, wrote to DER SPIEGEL and to German public broadcaster NDR from pre-trial detention in Trier that “we had a clean conscience … and were all convinced that we were acting legally and correctly.”
It will be an exciting trial. The prosecutors plan to call 101 witnesses, including seven experts. Their testimony will be augmented by 54 pieces of evidence and 144 court orders, transcripts, judgments and analyses.
While it will ultimately be up to the court to determine guilt or innocence, months of reporting by DER SPIEGEL in cooperation with NDR, combined with access to legal files, have provided deep insight into the case. We are able to reveal the kinds of activity that was conducted via the servers in the bunker, how that activity took place and who the main protagonists are.
The result is a narrative about modern-day crime and the widely available technical tools that make it possible. Criminals of all stripes have left the analog streets behind and have found a digital home in the dark corners of the internet. Tools that used to only be available to highly specialized tech freaks can now be accessed from home by anyone with a modicum of digital fluency. It’s a new version of the cat and mouse game between the authorities and their quarry.
“This is not about what the accused did,” says one investigator, “but about what they knew.”
The lead figure in this bunker story is Herman Johan Xennt, who is head of the companies Calibour and Zyztm and who frequently refers to himself as “Jordan Robson” in communications with clients. Originally from the Netherlands, he is the boss of the bunker crew, born on Nov. 10, 1959 in Renkum, a town southeast of Amsterdam. He says he is 1.79 meters tall (5’10”), but his claims can’t always be taken at face value. Xennt, as it turns out, is fond of playing with facts, data and people.
His willingness to fudge goes so far that he even described the five dogs that watched over the Mt. Royal facility – barking so wildly that complaints were made to the Traben-Trarbacher town council – as mutts, even though there is a photo of four of the dogs that clearly appear to be Rottweilers.
His lawyer Ekaterina Ritter sent along a photo of Xennt dressed in a black, ankle-length leather overcoat, which contrasted peculiarly with his shoulder-length blond curls. His face bears a friendly aspect – to the point that the overall effect is that of a hippie in the wrong clothing.
Over the years, he assembled on Mt. Royal a frequently changing cast of characters that bore a closer resemblance to a commune than to a crime ring. The core leadership included Xennt’s sons Xyonn and Yennoah O., his partner Jaqueline B. and Michiel R., who joined the family in spring 2014, rapidly rising from being a mere assistant to working as a manager of the bunker. Rene G. was also part of the team, a mohawked jack-of-all-trades with a weakness for alcohol. He took care of the dogs, guarded the gate and cooked. Because the residents worked vastly different hours, with some laboring through the night and sleeping during the day, Rene made sure a warm meal was available at all times.
From the very beginning in 2013, workers and residents would come and go – some would stay for two years, while others would vanish again after just a month. Some would only work in the above-ground buildings and never enter the bunkers. The programmers, several of whom were consistently necessary, had the right to their own offices and rooms in the bunker and they seemed to quite enjoy their lives underground. Their names were Tom, José, Christoph, Konstantin and Frank, and they were responsible for keeping Xennt’s servers up and running, for programming and for communicating with clients and government agencies.
There were people working at the facility who appeared to have janitorial tasks while others were just friends with no clear duties. They, too, would come and go, many traveling in from the Netherlands as if to a vacation destination, or they might help out with a bit of gardening or painting. There was Rico, another man named René and a whole series of interns whose talent Xennt would identify in tech forums and then invite them to Traben-Trarbach for unpaid internships.
One of those who sporadically worked at the Mt. Royal site from March 2018 to September 2019 – as a laborer or gardener – was an undercover investigator, and his reports paint a rather pre-pubescent image of the goings on in the bunker. He described how they would never pick up after themselves, secretly talk behind each other’s backs at every opportunity and act self-important in front of outsiders. It is a description of moral squalor.
After work, whatever that might mean, they would head down in pairs or small groups to Traben-Trarbach to drink, smoke and watch football. At times, they would head to Xennt’s favorite restaurant in Trier.
When important business partners visited the bunker, particularly when the mysterious “Mr. Green” would drop by, Xennt would take over hosting duties himself. The Trier strip bar Booty Club was frequently part of the entertainment program, with Xennt’s son driving guests around in his father’s white BMW X6, with the license plate number BO-BO 8008.
Everyone in Traben-Trarbach is familiar with the car and with the man it belongs to. After all, he had promised jobs to the town, 100 of them, or perhaps even 200. Wearing a suit and tie, he had presented his project to a closed town council meeting, saying that the bunker was to be transformed into a no-nonsense data center for companies, banks and service providers, the perfect use for the rather expensive site.
“Our servers can be compared with safe deposit boxes in banks,” Xennt wrote.
The German military had operated the facility in cooperation with NATO for 37 years as a geo-information center. But starting in 2012, the facility was gradually moved to Euskirchen, to the displeasure of those in Traben-Trarbach. Around 400 people had worked in the “institute,” as the bunker is called here, with 200 of them living in town, most of them highly trained and well-paid technicians, engineers or researchers. The kinds of neighbors that every town wants to have. Their departure still hurts. When Xennt showed up from Holland, he was seen as someone who could perhaps revive the institute. But the mayor at the time, Ulrich Weisgerber, was skeptical. He did a bit of googling and found some rather unsettling details from Xennt’s past life, sharing them with the state criminal police office (LKA) in Mainz.
There were rumors that Xennt had fallen afoul of the authorities, that he had previously operated a data bunker in the Netherlands that had apparently burned down. The LKA passed Weisgerber’s concerns on to Germany’s federal real estate authority, which was responsible for the sale of the site, eight days before the deed of sale was to be notarized. But the real estate authority was not interested in such trifles, they just wanted to get rid of the site. They were likely just relieved at having found somebody to pay 450,000 euros for the site, on top of the costs of maintaining it.
The photos and descriptions of his office in the bunker make it sound like the command center of a power plant, with computer screens everywhere. The undercover investigator reported seeing 14 mobile phones on his desk, lined up next to each other and all of them on.
In his bunker bedroom – Xennt also had rooms in the surface buildings but liked sleeping underground – a life-sized figure of the Marvel hero War Machine stood next to his bed, which was made up in black linens. In his private quarters, he also had a facehugger figure from the “Alien” franchise, fully 70 centimeters high.
Xennt doesn’t talk much to the authorities. On the evening of his arrest, he only said a couple of things, the most important of which was his claim that the police were investigating the wrong person. He said he was only operating a data center with legal clients and had no knowledge of any legal violations. The next day, apparently in a moment of weakness, he said he was “troubled” by how much illegal activity had flowed through the bunker. He said he was sorry and hadn’t ever intended such a thing.
Months later, though, he sounded quite a bit different. DER SPIEGEL and NDR sent him a list of 65 questions in the reporting of this article, most of which he answered. Xennt’s German is almost perfect; indeed he is quite eloquent in the language.
In his responses, he rejected all accusations that he knowingly did business with criminals. He also offered up an explanation that will almost certainly be part of his defense strategy. “Our servers can be compared with safe deposit boxes in banks,” he wrote. “No bank employee checks to see what is inside. In fact, without the client’s key, they are unable to do so.”
Yet in the case of the bunker, it would have been quite possible to take a look inside. Public prosecutor Jörg Angerer, from the prosecutor’s office in Koblenz, says that in the decryption work they have thus far completed – they are investigating hard drives containing more than two petabytes of data, which is the equivalent of 2 billion megabytes – they haven’t yet found “even a single legal site.” According to what they have thus far found, exclusively “criminal sites” were operated using the servers in the bunker. Can that have escaped the attention of the Cyberbunker operator for several years?
The prosecutor says the whole purpose of the bunker was to host illegal websites. Xennt, though, insists: “We expressly told our clients that we did not want to host anything illegal, in particular sites promoting terrorism or child pornography. Had we known about them, we would have immediately shut down the server and reported them to the authorities.” Given the evidence and testimony gathered so far, that statement is at the very least questionable.
Toward the end, Xennt’s co-defendant, Michiel R. – the man who rose from assistant to manager – was responsible for complaints and so-called abuse reports. Such complaints were processed, he says, but there were rarely consequences for the client that was reported. Apparently, complaints were simply forwarded from the bunker to the client in question, but no effort was really made to make sure the problem was cleaned up. Michael R. says that he argued intensively with Xennt on the issue, because he felt Xennt didn’t take it seriously enough whereas he himself had wanted things cleaned up.
A short look into the history of the World Wide Web helps to better understand what drives people like Xennt. When the use of the internet became a mass phenomenon thanks to the first web browsers in the early 1990s, many pioneers saw it as a promising space of freedom, a boundless new continent full of endless possibilities.
No one at the time expressed that idea as clearly as John Perry Barlow a former lyricist for the Grateful Dead, who said at the World Economic Forum at Davos in 1996: “Governments of the industrial world, you tired giants of flesh and steel, I come from cyberspace, the new home of the mind.”
The libertarian, anarchic logic that knows no borders and contests the right of states to regulate the net apparently inspired Xennt as well. His earlier ally Sven Olaf Kamphuis still talks about the “Cyberbunker Republic” as though it were a sovereign “nation-state,” and he continues to refer to himself on his Facebook profile as “Minister of Foreign Affairs, Cyberbunker Republic.” At times Kamphuis, who is not a defendant in the current proceedings, also signed his mails as the “Prince of the Cyberbunker Republic.”
When asked if he viewed himself as the king of the dominion, Xennt answered in writing that it had only been a joke.
He referred to himself as “Minister of Foreign Affairs, Cyberbunker Republic.”
Monarchy, republic, whatever – the call was to join the new era and to no longer tolerate the old men from yesteryear. The property in Traben-Trarbach is a “real country,” Kamphuis posted shortly after the raid in September, which meant they also had the right to “defend themselves militarily.” That may sound megalomaniacal, almost as if the bunker crew had been indulging in the same drugs that had been distributing using their servers. But things aren’t that simple. Xennt is no dreamer, and prosecutors believe he intentionally opted for a clever business model.
In his written answers to DER SPIEGEL and NDR, he argues that the Cyberbunker is ultimately no different than Amazon in that it provides a neutral technical infrastructure and nothing more. It’s not the bunker, he argues, but the customers who are responsible for all that is hosted on the servers they rent. Facebook, which thus far hasn’t been classified as a criminal organization, has long been making similar arguments.
In contrast to content providers like online media organizations, who are generally liable for their own content, providers who merely provide infrastructure only have to react when they are notified about illegal content or learn about it in another way. It’s a standard that is rooted in the analog world. Landlords also aren’t responsible if their tenant starts an illegal drug trade in their apartment. Xennt and his defenders will adopt a version of that argument; he believes the same laws must be applied to Cyberbunker, Telekom and Facebook.
From the perspective of the prosecutors, the case is a tough nut to crack, which helps explain the lengthy investigation and the use of drastic surveillance measures. “This is not about what the accused did,” says one investigator, “but about what they knew.” The challenge is proving that Xennt and his associates were guilty of aiding and abetting crimes, that they were in no way neutral providers of server infrastructure, but rather the conscious and willing providers of the infrastructure for criminals of every type.
The public prosecutor’s office doesn’t have a smoking gun in their possession. There’s no single email or a particularly stark statement made in a wiretapped call providing clear proof that the bunker was deliberately used to collaborate with criminals. But there are some suggestive emails, messages that read as though the hosting service felt that it might be expected to issue a warning, but only did so as a formality.
There are also messages that combine an abuse report with an offer for even better protection for an additional charge. Prosecutors will try to prove that the bunker operators offered additional encryption options to conspicuous customers. They called it “stealth” service, a kind of digital invisibility cloak that makes the originators of criminal content invisible on the web.
Ultimately, the case will be based primarily on circumstantial evidence which, taken together, creates an image that the people in the bunker were by no means in the dark. After all, their marketing was aimed specifically at customers in the internet underworld. They advertised their allegedly “nuclear proof” bunker server farm and claimed that data and transactions they hosted were safe from access by investigators and legal repercussions, thus deliberately positioning themselves as service providers for all kinds of wrongdoing. Ultimately, it is their pricing that provides one of the strongest clues. Compared to other providers, storage space and server service from the bunker was anything but cheap, with prices three or four times higher than those on the legal market.
On thousands of pages, investigators have listed details regarding who is using Xennt’s service. The criminal activities of some of those customers are being pursued in legal proceedings stemming from the investigation – cases of organized, cross-border crime.
In March 2016, for example, Xennt and his helpers set up the servers for the Fraudsters platform, which was used to deal drugs, counterfeit money, prescription drugs, credit card data and fake IDs to customers with code names like “Bigsalami,” “Lunar Eclipse” or “Martin Luther” in 1,133 proven individual cases over a period of two years.
From March 2015 on, the Swedish bunker customer Flugsvamp 2.0 developed into one of the major marketplaces for drugs. By October 2018, police had counted more than 300,000 illegal transactions. Some 10,000 customers had purchased narcotics from 600 vendors and the site had generated millions in sales.
From July 2016 to March 2018, Orangechemicals.com and Lifestylepharma.com were active through Traben-Trarbach. Their specialty: the import of synthetic drugs from China, preferably via the Leipzig and Cologne/Bonn airports. The operators brokered a wide range of drugs on a grand scale. You could order with a mouse click and the goods arrived by mail.
Cyber Prince Kamphuis also enlisted the bunker to host Onions.es and Cb3rob.org, websites that linked to child pornography. In the past, he has clearly distanced himself from child pornography, but declined to respond to more recent inquiries on the issue.
The Mirai scandal also ran through Xennt’s server farm in November 2016. A hacker working on behalf of a Liberian businessman began an attempt to eliminate an unwelcome competitor through digital sabotage. The plan was to use hundreds of thousands of Speedport-brand routers used by Deutsche Telekom internet uses in order to create a virtual army and drown the victim in unwanted traffic. The hacker ultimately failed, but he did manage to temporarily disrupt 1.2 million internet connections in Germany.
When customers like that need storage space and data lines, the hosting service needs to be “bulletproof,” industry jargon referring to hosts that exercise considerable leniency regarding the kinds of activities their customers are engaged in and the kinds of data stored on their servers – which are essentially hundreds of computers stacked up in racks like bread trays in a factory bakery. Hosting services are paid to ensure that their computers always have power, that they stay connected to the internet, that they don’t get too hot and that they never break down. The law, meanwhile, provides for a “provider privilege,” meaning hosting services have limited liability for what passes through their cables.
Among the largest German hosting services are Ionos, Strato and Hetzner. When contacted for comment, all three companies said they would take immediate action if they learned of illegal content running through their data centers. If law enforcement agencies come to them with a court order, the providers release data records, but also hard disks or entire devices. Most importantly, they disclose the identity of the customer that is operating the server in question. None of the three companies allows anonymous rentals and nor do they permit payment in digital currencies or in cash.
With the darknet, it only takes a few clicks to arrive in the underworld.
But that wasn’t the case with Mont Royal. Xennt and his team promised anyone who paid that they would in turn be provided with storage and server space, also anonymously, without verification of name or address and without consideration for the person. The fees were also payable in cash and could be placed in an envelope and handed in at the gate to the bunker facility. Other means of payment included the cryptocurrency Bitcoin and money transfers through Western Union. Contracts with general terms and conditions that customers had to sign didn’t exist.
There may be legitimate and even noble reasons for bulletproof hosting – to get around censorship or otherwise avoid persecution in dictatorial systems, for example. Xennt and his people also bragged about hosting the WikiLeaks whistleblower platform. In darknet, they advertised at times with a portrait of the young WikiLeaks founder Julian Assange, back when he still had a decent haircut. Such boasting, though, tends to raise doubts about the veracity of the claims being made. Providers who are concerned about the protection of human rights don’t seek out the limelight – they move as inconspicuously as possible to avoid unwanted attention. The Traben-Trarbach bunker, though, were eager self-promoters and Xennt himself was a master at it – and had been for a long time.
He had had several years of experience working in windowless rooms far below ground before setting up camp on Mont Royal. That experience was amassed in another NATO bunker, located in Kloetinge in the Netherlands, the actual birthplace of the virtual “Cyberbunker Republic.” Xennt and his partner Kamphuis made international headlines when they hosted the Pirate Bay, a highly controversial bastion of piracy. Back in 2002, firefighters discovered a synthetic drugs laboratory during a fire in the first Cyberbunker.
Kamphuis claimed at the time that the room had been rented out and that a Chinese triad had made pills there without their knowledge. It’s essentially the same excuse he is now using: We’re just the landlords and we don’t know anything. In 2011, the first bunker was sold to a different company, leading Xennt to move its operations to the Mosel River region.
While still operating the first Cyberbunker, Xennt promised his customers he would protect the data entrusted to him against any attack. The bunker’s website included a claim that there were 10,000 liters of drinking water in the bunker along with sufficient food and two diesel generators for a continuous emergency power supply. The team claimed it would keep all servers online, all the time and “no matter what.” It created the impression that workers were prepared to defend their customers’ computers with life and limb if worse came to worst, regardless of the kind of data that was running on those servers.
The same apparently applied at Mont Royal, and it wasn’t just criminals who entrusted their data to the bunker: The operators also targeted extremist political groups. During their bunker raid, for example, investigators found a server rental contract for the right-wing extremist, ethnonationalist Identitarian Movement, which, because of its overt racism and xenophobia, is considered a suspect case by Germany’s Office for the Protection of the Constitution, the federal agency responsible for monitoring extremism in the country. One of Xennt’s employees confirmed during interrogation that they had identified a “niche market” in supplying hosting services to extremist groups. He said he approached such a group himself using an encrypted messaging service and closed a one-year contract with them for a cloud-based server.
But the promise of total protection was broken without hesitation in several instances, especially when there were requests from the authorities – in May 2019, for example, a few months before the big police raid, when investigators paid a visit to the bunker. On May 2 at 9:30 a.m., six officers from the Federal Criminal Police Office (BKA) and the Frankfurt Public Prosecutor’s Office showed up at the front gate.
The investigators weren’t after Xennt and his colleagues. Rather, they had just uncovered Wall Street Market (WSM), which had for years been one of the biggest darknet ventures the world had seen to that point. A global investigation, comprised of the American FBI, the European police authority Europol, the BKA and several state-level offices of criminal investigation, had already done a lot of the leg work. Now, the officers were pursuing further leads in the WSM case, and one of them led to the servers in Traben-Trarbach.
Police are aware of the bunker’s ties in Colombia as well as with a German biker gang.
The international investigators had already successfully traced the money flows of the WSM businesses, following Bitcoins through wallets and blockchains. They were dealing with cunning criminals — three Germans who presented themselves on the net as “Kronos,” “TheOne” and “Coder420” – and they had built up an incredible business.
At the peak of its success, before it was uncovered, Wall Street Market had more than 1.1 million registered customers, with more than 6,200 sellers peddling their illegal wares. You could find cannabis by the ton, cocaine and speed by the hundreds of kilos, crystal meth and heroin by the kilo and hundreds of thousands of ecstasy pills and many other kinds of narcotics. Throughout its existence, WSM generated revenues amounting to 50 million euros, with 15 million euros of that ending up on the pockets of the administrators. Shortly after they were forced to shut down, police officers showed up unannounced at the gate to the bunker.
“There was no reaction when the bell at the gate was rung,” the report reads. At least not a visible one. In fact, however, the system was set up so that the buzzer rang on all five levels of the bunker. And there were also monitors in Xennt’s command center with images from the surveillance cameras.
The investigators then dialed the number listed on the Cyberbunker homepage. Several minutes passed. Then Michiel R. finally received the uninvited guests, a gifted conversationalist who enjoyed hearing himself speak in every situation, so much so that the minutes of his interrogations are among the longest documents in the entire file. He declared that he was prepared to turn the suspicious servers over to the investigators “without hesitation.”
They obtained the judicial permission required to confiscate everything by phone. According to the dispatch logs, the IT forensics team descended to the third level of the bunker – the second subterranean level – at around 11:15 a.m. The first subterranean level is where Xennt, Michiel R. and Xennt’s sons had their offices. Xennt’s office could only be opened with a numerical code, which had to be typed into a pad next to the door. But the door was often left open and anyone, including the undercover investigator, could go in and take photos unnoticed.
On May 2, 2019, between 11 a.m. and 12 p.m., officials with the BKA and the public prosecutor’s office found themselves in the bunker’s second underground level. There, they located the server racks in a central location, a large room that was always overheated. They were shown the incriminating servers, which they seized and took back to their offices.
“Many people who we arrest have no previous criminal record,” said a Frankfurt public prosecutor tracking cybercrimes.
Michiel R., who acted as the owner – Xennt remained out of sight – told the officials that the bunker company had also “cooperated with the police on several occasions in the past when it came to securing data.” Yes, R. continued, they had provided bulletproof hosting in the past, but this had “no longer been the case for quite a while.”
The hard drives investigators confiscated at Traben-Trarbach are a veritable gold mine. They are still reviewing the data today and don’t yet know how many connections they will find or how many customers or sellers will become the subjects of legal proceedings. “We now have a lot of customer data,” one official says. “We will prosecute anyone who has bought or sold drugs on this platform and whose identity we can determine. And there will be a lot of them.”
The darknet is literally a parallel world on the World Wide Web, one that is accessed through programs like the Tor browser. The browser works by concealing the connections between and computer and the sites it is visiting to the point of just about full anonymity. In normal browsing, you go directly from point A to point B when you plug a URL into your web browser. But with Tor, you take a circuitous route to a website through a number of relays to such an extent that it is no longer possible to trace where the journey began and where it ended.
The technology behind it is complicated, but the principle itself is simple: It allows people to surf without leaving a trace, even though it’s not always a question of visiting underworld websites. Often, the technology is used to protect people from surveillance and persecution, and it is also used by informants and whistleblowers. Media organizations like the New York Times, the Guardian and also DER SPIEGEL have set up virtual mailboxes for informants in the darknet. Even Facebook offers secure access to its platform using the Tor network.
The flip side of those beneficial uses, however, is the mass abuse of technology. In places where anonymity reigns, crime – some organized, some less so – is rarely far away, as has always been the case. The darknet is a place of age-old vices and human weaknesses like theft and fraud, extortion, coercion, drug trafficking, forgery, enrichment, it’s about money, sex and power. In the darkest corners of the darknet, it’s a place of disturbing perversion.
Law enforcement agencies are extremely concerned about the darknet. On the one hand, it is often extremely difficult to find what they are looking for, and on the other, the ability to commit a crime with the click of a mouse lowers inhibitions, to the point that some of those who participate in criminal activity in the darknet would likely have never done so in the analog world.
At ZIT, the Frankfurt public prosecutor’s central office for combating internet and computer crime, officials attach great importance to the fact that the darknet criminals are “among us,” that they can be found just as easily in small German towns and villages as they can in Russia or Eastern Europe, as the cliché would have it.
“Many people who we arrest have no previous criminal record,” a Frankfurt public prosecutor told DER SPIEGEL. “That’s a major difference to organized crime in the analog world, where in some cases we have had a paper trail of the criminals for some time.” With the darknet, it only takes a few clicks to arrive in the underworld.
This is one of the reasons why the case of the Traben-Trarbach bunker is so important. Regardless of the outcome of the criminal proceedings, the case sends an important signal about the power of the law. The message, to criminals and upstanding citizens alike, is that the government is by no means powerless in the digital era. Indeed, it is present even in the supposedly lawless space of the darknet and has the power to enforce the law there as well.
At the same time, the case has also been a crash course for the authorities. In cooperating with their international counterparts, German officials have found ways to work around legal restrictions at home they consider too restrictive. One experienced investigator who wished to remain anonymous told DER SPIEGEL, “When we request mutual legal assistance from foreign agencies, they can investigate according to the laws of their own country. We can then use the results of those investigations in our own cases.” In other words, criminal prosecutors in Germany can use foreign proxies to obtain information that would have otherwise been inaccessible to them under German law.
There was “no probable cause,” according to the chief public prosecutor.
The files don’t indicate how much money is earned on Mont Royal, how big sales or profit margins are. At one point, Michiel R. tells an undercover investigator that their profits were 200,000 euros a year. The costs were high. The bunker’s 403 servers, which had to be cooled and ventilated, ate up so much energy that the electricity bill alone came out to 15,000 euros a month. Nobody in Traben-Trarbach got rich off the hosting business, not even Xennt himself.
That’s why Xennt had to expand his companies’ range of products. He began presenting himself as an international technology service provider, looking for new business partners and consulting for clients with special requests. He came up with the idea for a “high-security app” that would ultimately be programmed in Poland and was billed to customers as being impossible to surveil. It was also said to have had a panic button that allowed users to quickly delete all their data in the event of an emergency. Such a function would be ideal for criminals. Besides, who else would be willing to pay 3,000 euros a year for an app like that?
Xennt needed partners for some of his businesses, especially for the app with the panic button. The kind of people who have connections. People like the Irishman Mr. Green, which isn’t his real name, though that’s how everybody referred to him at Mont Royal.
The testimonies given about Mr. Green contradict each another. Xennt said Mr. Green visited him maybe three times in total. Michiel R. said he saw him at the complex three or four times a month at the beginning. The massive case file on the Cyberbunker dedicated hundreds of pages to George M., aka Mr. Green, and appeared to go to great lengths to portray him as the real boss of the criminal organization. But then investigators lost sight of him. It seems that despite all their efforts, investigators were unable to prove that the Irishman belonged to the organization. There was “no probable cause,” according to the chief public prosecutor. The Irishman’s lawyer says his client is an upstanding citizen who is not involved in any criminal activities.
But he was feared by the team at Mont Royal. They had heard stories. Mr. Green was older than most people here. He’s in his late 60s. When the newspapers in Ireland write about him, they refer to him as the “Godfather” and a drug lord. They call him a mafia boss and use his nickname, the “Penguin,” which he picked up while working in a Dublin chocolate factory making “Penguin” candy bars and because, as a stout man, he waddles when he walks.
It’s said that Mr. Green’s family, along with several other clans, has dominated the drug trade in Ireland and large parts of Europe for decades. Police in Ireland also suspect him of dealing in weapons, including Glock pistols, and laundering money on a large scale. He spent several years in prison in the late 1980s. In the 1990s, police in Ireland considered him one of the top five criminals in the country. Mr. Green, for his part, has always denied all accusations against him. He says he is an honest entrepreneur in the import-export business, and that all his dealings are legal.
After Ireland set up a special unit to confiscate property that had been acquired criminally, Mr. Green left for Amsterdam in the mid-1990s. But there, too, he quickly gained unwanted attention. Mr. Green was considered to be the mastermind behind a multimillion-dollar theft of computer parts. He was sentenced to two and a half years in prison by a Dutch court. His son-in-law also died of unnatural causes in the Netherlands: He was shot in front of his home. The man had been a successful football player back in Ireland, but by the time he died, he had apparently been involved in the family business for quite a while and was considered one of the island’s biggest heroin importers.
Then Mr. Green went underground. For years, there were only old photos of him. They depicted a man with dark hair and a beard, cheap old-fashioned prescription glasses on the brim of his nose, splayed across an armchair. It is likely that he commuted between the Netherlands, a property in Morocco and a beachside apartment in Malaga, where he lived with his partner, a Moroccan-born woman who was his former secretary.
For the “Penguin” alone, German investigators got a judge’s permission to monitor 16 mobile phone numbers.
The “Penguin” evidently also traveled between Wittlich in western Germany and Traben-Trarbach on the Mosel River. Some people at the bunker had apparently found him an apartment in Wittlich. His presence — he usually flew into Frankfurt-Hahn airport on Ryanair — took the activities on Mont Royal to a whole new level. Connections were established to the world of global organized crime.
Mr. Green is suspected of having conducted huge drug deals, measurable in tons, and of being in touch with cartels in Colombia. According to memos from the state office of criminal investigation in Rhineland-Palatinate, he is also believed to have been involved in a bloody clan war over supremacy in the European drug trade that left 17 people dead over the course of two years. At the same time the Irish police were busy seizing 440 kilos of cocaine in a container in an operation connected to Mr. Green, he is also believed to have been involved in an equally massive shipment of cannabis with a street value of 190 million euros. According to the Irish tabloid Sunday World, Europol had listed him as one of the top 20 European drug traffickers in 2014. Nevertheless, he apparently didn’t have any trouble traveling around Europe and Rhineland-Palatinate.
It’s possible that Xennt and the bunker never would have been discovered had the Irish “godfather” never gotten involved. According to the case files, one of the bunker’s many young interns had offered an Irish tabloid photos of a “member of the Irish mafia” in October 2015. Just a few weeks later, the Sunday World published a front-page “exclusive” and dedicated no fewer than four additional pages to its major scoop: The paper had gotten its hands on the first pictures in 20 years of the “missing godfather.”
A female reporter had confronted the “Penguin” on a street in Traben-Trarbach. Splashed across the paper were photos of a corpulent, grumpy-looking man wearing a dark jacket and holding a shopping bag. His lawyer rejects all accusations against his client out of hand. They can’t be true, he says, otherwise prosecutors would have charged his client.
It’s an astonishing article, especially since many of those charged today can be seen in the photos from 2015. Next to the Irishman are Xennt and his son, Xyonn, who was always available as a chauffeur as long as their guest was staying in the Mosel area. The “drug lord in exile” was doing business with Xennt, the operator of the bunker, who he knew from his time in Amsterdam, the Sunday World wrote. The paper also laid out the duo’s dubious history. But apparently nothing came of the article.
The bunker’s inhabitants were unmoved by the story and kept working as if nothing had happened. They were already under intense observation. Caught off guard by the Irishman’s presence, investigators were now using every tool at their disposal against the gang on Mont Royal. Members were followed, observed, their phones were tapped and GPS tracking devices were placed on their cars. Entire network nodes were even infiltrated in order to sift through as much data flowing in and out of the bunker as possible.
For the “Penguin” alone, German investigators got a judge’s permission to monitor 16 mobile phone numbers. They requested the contents of a Gmail mailbox from Google, including traffic data. The puzzle that investigators may soon be able to solve shows a clear picture. In their view, the Irish godfather is the real boss in Traben-Trarbach. He’s the one who makes the appointments and gives orders. In the eyes of the public prosecutor’s office, he is the alleged head of the criminal organization operating in Traben-Trarbach. It’s also possible that Xennt got the money for the bunker from Mr. Green. The “Penguin” invested 700,000 euros in an “IT project” in Germany through his “finance minister,” Kevin G., according to one police report. This could be referring to the acquisition of the bunker.
Investigators also believe the Irishman remained active in his core business, the drug trade. This is based on, among other things, a phone call and a text message from October 2016 concerning hundreds of “boxes of oranges,” a “Chinese” man and the appropriate bank for this deal. The 350 orange crates from Malaga could be sold for twice as much elsewhere, it was discussed. Mr. Green was clearly uncomfortable talking over unsecure phone lines. He told the person on the other end that he would send him a secure phone with an encrypted app. “It’s the only way. All my friends use it, everybody.”
In their requests for new methods of surveillance, investigators regularly referred to Mr. Green’s prominent role. His presence seemed to corroborate their suspicion that Traben-Trarbach is home to an active cybercrime business. This, in turn, allowed investigators to make the case for more invasive surveillance measures.
Authorities may only have chipped away at the tip of the iceberg.
Mr. Green’s primary interest in the bunker appeared to have been a technical one. Mr. Green’s associates are also keeping up with the times. As indicated in the conversation about the boxes of oranges, they were eager to keep the authorities in the dark. To that end, maintaining one’s own bulletproof hosting service would seem just as logical as developing an in-house encryption app for mobile phones.
“For Mr. Green, Xennt is like a younger brother who knows about technology and he can turn to with every single technical question,” says one former bunker employee. Many of the tapped phone calls between M. and Xennt were about “apps” financed by the “Penguin.” They bore names like “Exclu” and “Enigma.” They sold them pre-loaded onto BlackBerry phones to shady contacts around the world.
“On the basis of investigations carried out thus far, it must be assumed that drug trafficking, but also services related to drug trafficking, are carried out through these communication channels,” reads one investigation report. Unfortunately for the authorities, this could also mean that they have only chipped away at the tip of the iceberg. Discussions about the most serious crimes are likely only ever conducted over encrypted channels.
The equipment that was modified in Warsaw and Traben-Trarbach went to an illustrious group of buyers. Police assume that encryptable BlackBerrys were delivered to Bogotá and Medellín, Colombia, but also found their way to nearby buyers, like the Bandidos biker gang’s chapter in Arnheim, the Netherlands.
But not everything went smoothly between Mr. Green and Xennt. Business in the bunker evidently didn’t go as the Irishman had imagined. In one conversation at the end of 2016, he complained that the bunker’s operating costs were too high and that it wasn’t earning enough. Xennt is “just a technician, not a businessman” and doesn’t have a business plan, Mr. Green said.
Then the “Penguin’s” trail went cold. As one of the few people who stands accused, he was neither arrested nor charged. It’s astonishing. For years, investigators used the presence of this prominent criminal to justify virtually every one of their requests for surveillance. Investigators kept close tabs on him wherever possible, bugging his phones and tracking his every move. And then, one day, he was gone. Then a large police force, 650 officers in all, arrived in Traben-Trarbach and scooped up all the fish, big and small, but they let the “Penguin” go. Why?
There are both simple and complex answers to this question, but the most likely reason for Mr. Green’s departure is that the investigations against him eventually ground to a halt sometime in 2017. He never tripped up, never made a mistake and exposed himself, and even the most dedicated investigators have to operate within the unwieldy German legal system, which is only partially suitable for pursuing international mafia-like organizations. Investigators were probably under pressure to bring the case to some presentable end and not to overdo it.
It’s also likely that after Mr. Green’s last visit, he flew out of Frankfurt-Hahn. Whether he passed by the bunker again is unknown.